Administrative Safeguards - Information System Activity Review



| Policy # | 8 |
| --- | --- |
| Policy Title | Information System Review |
| Effective Date | September 16, 2013 |
| Revision Date | |
| Related Entities | 45 CFR 164.308(a)(1) |

Purpose:

The Mennonite Home is committed to conducting a periodic internal review of information system activity records to minimize violations involving electronic protected health information (EPHI).

The Mennonite Home will assess its systems for potential risks and vulnerabilities to the EPHI in its possession and will develop, implement and maintain appropriate administrative, physical and technical security measures per 45 CFR § 164.308.

Policy:

1. The stated policies and procedures apply to all electronic protected health information.

2. An internal review of records will be conducted annually.

Procedure:

1. The community shall assign a person to oversee the community's information system activities.

2. The community shall prepare an audit control tool, or utilize the tool of an outside resource hired for the purpose of an Information System Review.

3. Each audited item shall be examined for security-significant events with respect to The Mennonite Home’s security. The review, at a minimum, should include:

A. Logins – Login reports shall be reviewed to determine successful and unsuccessful logins and to ensure that only appropriate system access is gained. Significant areas include multiple failed login attempts, account lockouts and unauthorized accesses.

B. File Access – File access attempts shall be reviewed for successful and unsuccessful file access to ensure that only appropriate files are accessed by personnel of the appropriate level.

C. Security Incidents – An examination of records from security devices (e.g., intrusion detection systems or system audit logs) shall be made. Security incidents are events that constitute administrator/root or user level compromises, malicious logic incidents (i.e., viruses, worms or Trojans), unsuccessful compromise attempts, denial of service, or scanning/probing incidents. Software tools should be examined for specific events and trends.

D. A review of applicable records, access removal, initial handling and disposal of system hardware, software and media containing patient data shall be done per the organization's HIPAA policies.

E. All significant findings and recommendations shall be forwarded to the appropriate Mennonite Home management team. In addition, these reports shall be protected in accordance with the measures identified during preparation.

4. A written report shall include all findings. The report should include the reviewer's name, contact information, the date and time of performance, component information (such as host ID, IP address, component type, component owner, etc.) and significant findings requiring additional action (e.g., further investigation, sanctioning, training, program adjustment/modification).

5. Follow-up should include:

A. Findings and recommendations shall be incorporated in The Mennonite Home’s security training program.

B. Adjustments to the administrative, physical and technical safeguards shall be made.

C. Review findings should be addressed in the Risk Management process. Established policies and procedures, including information regarding information systems, shall be documented and kept current.
