Minimum Security Standards for Systems with HIPAA Data
MINIMUM STANDARDS
Note that the implementation specifications provided in the HIPAA Security Rule may be addressable or required. A required specification must be implemented as written; an addressable specification is not optional: the entity must implement it if it is reasonable and appropriate, and otherwise must document why it is not and implement an equivalent alternative measure where reasonable and appropriate. Some standards do not have any implementation specifications. These standards are just the minimum for HIPAA compliance; in some cases, additional controls may be necessary to comply with university policy. All devices must also meet the Minimum Security Standards for Systems.
ADMINISTRATIVE SAFEGUARDS
Standard: Security Management (§164.308 (a)(1))
Implement policies and procedures to prevent, detect, contain, and correct security violations.

| Implementation Specification | Type | Reference |
|---|---|---|
| Risk analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held. UNT Health note: This assessment is required annually. | Required | §164.308 (a)(1)(ii)(A) |
| Risk management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. These measures must, at a minimum: | Required | §164.308 (a)(1)(ii)(B) |
| Sanction policy: Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures. | Required | §164.308 (a)(1)(ii)(C) |
| Information system activity review: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. | Required | §164.308 (a)(1)(ii)(D) |

Standard: Assign Security Responsibility (§164.308 (a)(2))
Identify the security official who is responsible for the development and implementation of required policies and procedures.

| Implementation Specification | Type | Reference |
|---|---|---|
| N/A | | |

Standard: Workforce Security (§164.308 (a)(3))
Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under §164.308 (a)(4), and to prevent those workforce members who do not have access under §164.308 (a)(4) of the HIPAA Security Rule from obtaining access to electronic protected health information.

| Implementation Specification | Type | Reference |
|---|---|---|
| Authorization and/or supervision: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. | Addressable | §164.308 (a)(3)(ii)(A) |
| Workforce clearance procedure: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. | Addressable | §164.308 (a)(3)(ii)(B) |
| Termination procedures: Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in §164.308 (a)(3)(ii)(B). | Addressable | §164.308 (a)(3)(ii)(C) |

Standard: Information Access Management (§164.308 (a)(4))
Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of Subpart E of the HIPAA Privacy Rule.

| Implementation Specification | Type | Reference |
|---|---|---|
| Access authorization: Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. | Addressable | §164.308 (a)(4)(ii)(B) |
| Access establishment and modification: Implement policies and procedures that, based upon access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. | Addressable | §164.308 (a)(4)(ii)(C) |

Standard: Security Awareness and Training (§164.308 (a)(5))
Implement a security awareness and training program for all members of its workforce (including management).

| Implementation Specification | Type | Reference |
|---|---|---|
| Implement a security awareness and training program that, at a minimum, covers: | Addressable | §164.308 (a)(5)(ii)(A-D) |

Standard: Security Incident Procedures (§164.308 (a)(6))
Implement policies and procedures to address security incidents.

| Implementation Specification | Type | Reference |
|---|---|---|
| Response and Reporting: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. UNT Health note: All incidents must be reported immediately to the Information Security Office (informationsecurity@unthealth.edu). | Required | §164.308 (a)(6)(ii)(A) |

Standard: Contingency Plan (§164.308 (a)(7))
Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

| Implementation Specification | Type | Reference |
|---|---|---|
| Data backup plan: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. | Required | §164.308 (a)(7)(ii)(A) |
| Disaster recovery plan: Establish (and implement as needed) procedures to restore any loss of data. | Required | §164.308 (a)(7)(ii)(B) |
| Emergency mode operation plan: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. | Required | §164.308 (a)(7)(ii)(C) |
| Testing and revision procedures: Implement procedures for periodic testing and revision of contingency plans. | Addressable | §164.308 (a)(7)(ii)(D) |
| Applications and data criticality analysis: Assess the relative criticality of specific applications and data in support of other contingency plan components. | Addressable | §164.308 (a)(7)(ii)(E) |

Standard: Evaluation (§164.308 (a)(8))
Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which the security policies and procedures meet the requirements of §164.308 (a).

| Implementation Specification | Type | Reference |
|---|---|---|
| N/A | | |

Standard: Business Associate Contracts and Other Arrangements (§164.308 (b)(1))
A covered entity, in accordance with §164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314 (a), that the business associate will appropriately safeguard the information.

| Implementation Specification | Type | Reference |
|---|---|---|
| Written contract or other arrangement: Document the satisfactory assurances required through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314 (a). | Required | §164.308 (b)(4) |
PHYSICAL SAFEGUARDS
Standard: Facility Access Controls (§164.310 (a))
Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

| Implementation Specification | Type | Reference |
|---|---|---|
| Contingency operations: Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. | Addressable | §164.310 (a)(2)(i) |
| Facility security plan: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. | Addressable | §164.310 (a)(2)(ii) |
| Access control and validation procedures: Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. | Addressable | §164.310 (a)(2)(iii) |
| Maintenance records: Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks). | Addressable | §164.310 (a)(2)(iv) |

Standard: Workstation Use (§164.310 (b))
Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

| Implementation Specification | Type | Reference |
|---|---|---|
| N/A | | |

Standard: Workstation Security (§164.310 (c))
Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

| Implementation Specification | Type | Reference |
|---|---|---|
| N/A | | |

Standard: Device and Media Controls (§164.310 (d))
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

| Implementation Specification | Type | Reference |
|---|---|---|
| Disposal: Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. | Required | §164.310 (d)(2)(i) |
| Media re-use: Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use. | Required | §164.310 (d)(2)(ii) |
| Accountability: Maintain a record of the movements of hardware and electronic media and any person responsible therefor. | Addressable | §164.310 (d)(2)(iii) |
| Data backup and storage: Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. | Addressable | §164.310 (d)(2)(iv) |
TECHNICAL SAFEGUARDS
Standard: Access Control (§164.312 (a))
Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308 (a)(4).

| Implementation Specification | Type | Reference |
|---|---|---|
| Unique user identification: Assign a unique name and/or number for identifying and tracking user identity. | Required | §164.312 (a)(2)(i) |
| Emergency access procedure: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. | Required | §164.312 (a)(2)(ii) |
| Automatic logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. | Addressable | §164.312 (a)(2)(iii) |
| Encryption and decryption: Implement a mechanism to encrypt and decrypt electronic protected health information. UNT Health note: Only encryption methods/products listed at Approved Encryption Methods are compliant with policy. The use of any other encryption methods/products not listed is only permissible with an approved Security Exception Request. All devices used to store confidential (Category I) university data must be encrypted using an approved method. | Addressable | §164.312 (a)(2)(iv) |

Standard: Audit Controls (§164.312 (b))
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

| Implementation Specification | Type | Reference |
|---|---|---|
| N/A | | |

Standard: Integrity (§164.312 (c))
Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

| Implementation Specification | Type | Reference |
|---|---|---|
| Mechanism to authenticate electronic protected health information: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. | Addressable | §164.312 (c)(2) |

Standard: Person or Entity Authentication (§164.312 (d))
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

| Implementation Specification | Type | Reference |
|---|---|---|
| N/A | | |

Standard: Transmission Security (§164.312 (e))
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

| Implementation Specification | Type | Reference |
|---|---|---|
| Integrity controls: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. | Addressable | |
| Encryption: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. UNT Health note: Section 10.2.2.1 of the UNT System Information Security Handbook mandates that all confidential (Category I) institutional data be encrypted in transmission over a network. Exceptions are only permissible with an approved Security Exception Request. | Required by institutional policy | |
POLICIES AND PROCEDURES; DOCUMENTATION REQUIREMENTS
Standard: Policies and Procedures (§164.316 (a))
Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306 (b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.

| Implementation Specification | Type | Reference |
|---|---|---|
| N/A | | |

Standard: Documentation (§164.316 (b)(1))
(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

| Implementation Specification | Type | Reference |
|---|---|---|
| Time limit: Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later. UNT Health note: Records should not be kept longer than is required. When no longer required, records must be destroyed or erased in a secure manner. | Required | §164.316 (b)(2)(i) |
| Availability: Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. | Required | §164.316 (b)(2)(ii) |
| Updates: Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information. | Required | §164.316 (b)(2)(iii) |
UNT Health SPECIFIC POLICY REQUIREMENTS FOR CATEGORY I SYSTEMS
Standard: Backups

| Implementation Specification | Type | Reference |
|---|---|---|
| Backups must be verified at least monthly, either through automated verification, through customer restores, or through trial restores. | Required | MSS 4.1.2 |
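Monthly verification is easiest to sustain when the trial restore is a script that runs from the backup job rather than a checklist item. The following is an added example written for this page, not UNT Health's own tooling: it packs a source tree, records a SHA-256 manifest, restores the archive into a scratch directory, and reports anything missing, unexpected, or altered. The file names, contents, and the "drifted" second archive are constructed for the example; in practice the manifest is stored with the backup catalogue, not inside the archive it describes.

```python
"""Automated trial restore with manifest comparison (added example, constructed data)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of contents for every regular file under root."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def make_backup(src: Path, archive: Path) -> dict:
    """Write a gzipped tar of src and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(src), arcname=".")
    return manifest(src)


def trial_restore(archive: Path, expected: dict) -> dict:
    """Restore into a fresh directory and diff against the recorded manifest.
    An empty result means the copy is retrievable and exact (the data backup
    plan requirement); anything else is a finding for the backup owner."""
    with tempfile.TemporaryDirectory() as d:
        dest = Path(d)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # Python 3.12+ (and patched 3.8-3.11): refuse path traversal
                # and absolute members in the archive.
                tar.extractall(dest, filter="data")
            except TypeError:
                tar.extractall(dest)  # older interpreters have no filter argument
        got = manifest(dest)
    return {
        "missing": sorted(expected.keys() - got.keys()),
        "unexpected": sorted(got.keys() - expected.keys()),
        "corrupted": sorted(k for k in expected.keys() & got.keys() if expected[k] != got[k]),
    }


def demo():
    """Constructed run: a clean trial restore, then one against an archive taken
    after a file changed, so it no longer matches the recorded manifest."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / "ephi"
        (src / "notes").mkdir(parents=True)
        (src / "patients.csv").write_text("id,dob\n1001,1970-01-01\n")
        (src / "notes" / "visit1.txt").write_text("follow-up in 6 weeks\n")
        archive = Path(d) / "ephi.tar.gz"
        expected = make_backup(src, archive)
        clean = trial_restore(archive, expected)

        # Simulate a backup whose contents drifted from the catalogued manifest.
        (src / "patients.csv").write_text("id,dob\n1001,1970-01-01\n1002,1985-05-05\n")
        drifted_archive = Path(d) / "ephi-drifted.tar.gz"
        with tarfile.open(drifted_archive, "w:gz") as tar:
            tar.add(str(src), arcname=".")
        drifted = trial_restore(drifted_archive, expected)
    return clean, drifted


if __name__ == "__main__":
    clean, drifted = demo()
    print("clean restore:", clean)
    print("drifted restore:", drifted)
```

Run this from the backup server against a copy of the archive, not against production storage, and keep the output as the verification record MSS 4.1.2 asks for; the manifest also doubles as the "retrievable exact copy" evidence for the contingency plan.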
Standard: Change Management

| Implementation Specification | Type | Reference |
|---|---|---|
| There must be a change control process for systems configuration. This process must be documented. | Required | MSS 4.2.1 |
| System changes should be evaluated prior to being applied in a production environment. | Required | MSS 4.2.2 |
| Patches must be tested prior to installation in the production environment if a test environment is available. | Addressable | MSS 4.2.3 |
Standard: Computer Virus Prevention

| Implementation Specification | Type | Reference |
|---|---|---|
| Anti-virus software must be installed and enabled. | Required | MSS 4.3.1 |
| Install and enable anti-spyware software. Installing and enabling anti-spyware software is required if the machine is used by administrators to browse Web sites not specifically related to the administration of the machine. | Addressable | MSS 4.3.2 |
| Anti-virus and, if applicable, anti-spyware software should be configured to update signatures at least daily. | Required | MSS 4.3.3 |
| Systems administrators should maintain and keep available a description of the standard configuration of anti-virus software. | Required | MSS 4.3.4 |
Standard: System Hardening

| Implementation Specification | Type | Reference |
|---|---|---|
| Systems must be set up in a protected network environment or by using a method that assures the system is not accessible via a potentially hostile network until it is secured. | Required | MSS 4.5.1 |
| Operating system and application services security patches should be installed expediently and in a manner consistent with change management procedures. | Required | MSS 4.5.2 |
| If automatic notification of new patches is available, that option should be enabled. | Required | MSS 4.5.3 |
| Services, applications, and user accounts that are not being utilized should be disabled or uninstalled. | Required | MSS 4.5.4 |
| Methods should be enabled to limit connections to services running on the host to only the authorized users of the service. Software firewalls, hardware firewalls, and service configuration are a few of the methods that may be employed. | Required | MSS 4.5.5 |
| If the operating system supports it, integrity checking of critical operating system files should be enabled and tested. Third-party tools may also be used to implement this. | Required | MSS 4.5.8 |
| Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested. | Required | MSS 4.5.9 |
| The required system warning banner complying with Section 12.2.7 of the UNT System Information Security Handbook should be installed. | Required | MSS 4.5.10 |
| Whenever possible, all non-removable or (re-)writable media must be configured with file systems that support access control. | Required | MSS 4.5.11 |
| Strong password requirements will be enabled. Passwords must comply with the UNT Health Information Security Policy. | Required | MSS 4.5.13 |
| Apply the principle of least privilege to user, administrator, and system accounts. | Required | MSS 4.5.14 |
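MSS 4.5.8 and 4.5.9 ask for integrity checking of critical files and of accounts, group memberships and privileges, and the Integrity standard (§164.312 (c)(2)) asks for a mechanism that corroborates data has not been altered; all three come down to a baseline, a way to detect drift from it, and a way to keep the baseline itself from being silently rewritten. The following is an added example written for this page, not UNT Health's own tooling and not a substitute for a host integrity product: it takes an HMAC-keyed baseline over a file's permission bits and contents and over passwd/group-format account data, MACs the stored baseline, and reports added, removed and changed entries. The key, file paths, passwd/group text and the simulated drift are all constructed for the example.

```python
"""Keyed file and account integrity baseline (added example, constructed data)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def keyed_digest(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def file_baseline(key: bytes, paths) -> dict:
    """Path -> HMAC over the file's permission bits and contents, so a mode
    change (for example a binary made setuid) is caught as well as an edit."""
    out = {}
    for p in map(Path, paths):
        if p.is_file():
            meta = f"{p.stat().st_mode:o}\0".encode()
            out[str(p)] = keyed_digest(key, meta + p.read_bytes())
    return out


def account_baseline(key: bytes, passwd_text: str, group_text: str) -> dict:
    """Snapshot login accounts and group memberships from passwd(5)/group(5)
    formatted text (constructed here rather than read from /etc)."""
    snap = {}
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
            snap[f"user:{name}"] = keyed_digest(key, f"{uid}:{gid}:{shell}".encode())
    for line in group_text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":")
            norm = ",".join(sorted(m for m in members.split(",") if m))
            snap[f"group:{name}"] = keyed_digest(key, f"{gid}:{norm}".encode())
    return snap


def sign_baseline(key: bytes, baseline: dict) -> dict:
    """MAC the canonical JSON of the baseline so a tampered baseline file is
    itself detectable; a plain hash list could simply be regenerated."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return {"baseline": baseline, "mac": keyed_digest(key, body)}


def verify_signed(key: bytes, signed: dict) -> bool:
    body = json.dumps(signed["baseline"], sort_keys=True, separators=(",", ":")).encode()
    return hmac.compare_digest(signed["mac"], keyed_digest(key, body))


def diff_baseline(old: dict, new: dict) -> dict:
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline an sshd config, a sudoers file and a
    two-user passwd/group snapshot, then simulate sshd_config being edited to
    allow root login and a new account being added to the wheel group."""
    key = b"constructed-demo-key-keep-the-real-one-off-host"
    with tempfile.TemporaryDirectory() as d:
        sshd = Path(d) / "sshd_config"
        sudoers = Path(d) / "sudoers"
        sshd.write_text("PermitRootLogin no\n")
        sudoers.write_text("%wheel ALL=(ALL) ALL\n")
        passwd = ("root:x:0:0:root:/root:/bin/bash\n"
                  "alice:x:1000:1000::/home/alice:/bin/bash\n")
        group = "wheel:x:10:alice\n"
        signed = sign_baseline(key, {**file_baseline(key, [sshd, sudoers]),
                                     **account_baseline(key, passwd, group)})

        # Later run: the host has drifted.
        sshd.write_text("PermitRootLogin yes\n")
        passwd += "mallory:x:1001:1001::/home/mallory:/bin/bash\n"
        group = "wheel:x:10:alice,mallory\n"
        current = {**file_baseline(key, [sshd, sudoers]),
                   **account_baseline(key, passwd, group)}

        if not verify_signed(key, signed):
            raise RuntimeError("stored baseline failed MAC check")
        return diff_baseline(signed["baseline"], current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of keying the baseline is that an attacker with root who edits a file cannot also regenerate a matching baseline unless the key is on the host, so store the key and the signed baseline with the monitoring system rather than on the machine being checked. On a real host the file list would cover the package-managed binaries, /etc/passwd, /etc/group, /etc/sudoers and service configs; the "third-party tools" MSS 4.5.8 mentions (AIDE and Tripwire are the usual ones on Linux) do the same job with a much larger rule set.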
Standard: Security Monitoring

| Implementation Specification | Type | Reference |
|---|---|---|
| If the operating system comes with a means to log activity, enabling and testing of those controls is required. | Required | MSS 4.6.1 |
| Operating system and service log monitoring and analysis should be performed routinely. This process should be documented. | Required | MSS 4.6.2 |
| The systems administrator must follow a documented backup strategy for security logs (for example, account management, access control, data integrity, etc.). Security logs should retain at least 14 days of relevant log information (data retention requirements for specific data should be considered). | Required | MSS 4.6.3 |
| All administrator or root access must be logged. | Required | MSS 4.6.4 |
SECURITY REVIEW FOR NEW SOFTWARE AND APPLIANCES
Departments evaluating the implementation of new software or appliances involving HIPAA protected data should request a security review by sending a written description of the proposed implementation to the Information Security Office prior to selecting vendors or products.
