Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Comp8 unit6b lecture_slides
Ähnlich wie Comp8 unit6b lecture_slides (20)
Mehr von CMDLMS
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Comp8 unit6b lecture_slides
- 1. Installation and Maintenance of Health IT Systems System Security Procedures and Standards Lecture b This material (Comp 8 Unit 6) was developed by Duke University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000024. This material was updated in 2016 by The University of Texas Health Science Center at Houston under Award Number 90WT0006. This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/.
- 2. System Security Procedures and Standards Learning Objectives 1. Identify regulatory requirements for EHRs (lecture a) 2. Provide training for system users regarding the methods and importance of security compliance (lecture a) 3. Identify administrative, physical, and technical safeguards for system security and regulatory compliance (lectures a, b) 4. Identify best practices for system security (lecture b) 5. Identify best practices for risk / contingency management (lecture b) 2
- 3. Technical Safeguards: Access Control • Technical Safeguards include – Access controls – Audit controls – Integrity controls – Transmission security • Most effective: layered approach. – Multiple technologies employed concurrently. • Access controls begin with authorization: – Which persons or groups have been authorized to access ePHI? – Can be implemented with o AD (Active Directory), LDAP (Lightweight Directory Access Protocol) o Vendor-specific controls usually part of EHR (Summary of the HIPAA Security Rule, n.d.) 3
- 4. Technical Safeguards: Audit Control • Hardware/software/procedural mechanisms to record & examine access & other activity • Data to be logged can vary depending on level of access controls to ePHI data. • In general, servers should use OS system logging tools to track: – Who accessed (or tried to access) server. – What data/databases were accessed, any changes made. (Summary of the HIPAA Security Rule, n.d.) 4
- 5. Technical Safeguards: Audit Control(cont’d) • EHR should also support logging: – User access – Patient data accessed – Sign-on failures – Data changes made • Periodic proactive audits (sampling) – Consider for higher-risk patient populations (e.g., employees) or after publicized events – To deter abuse, make users aware. • Reactive audits triggered by defined event (University of Wisconsin-Madison, 2004) 5
- 6. Technical Safeguards: Integrity Control ePHI data must not be altered or destroyed improperly. This should be ensured through proper – Policies – Procedures – Electronic measures and controls o Network access o Computer or Server access o Database access (Summary of the HIPAA Security Rule, n.d.) 6
- 7. Technical Safeguards: Transmission Security Transmission security technologies can include • VPNs, Firewalls, VLANs, Intrusion Detection Network transmissions of ePHI must guard against unauthorized access • Eavesdropping on traffic required access to network medium Offsite access and connections are especially vulnerable • Should be limited and tightly regulated • Use Virtual Private Network (VPN) to encase traffic – Uses encryption, authentication, authorization to protect data. – Layer Two Tunneling Protocol/Internet Protocol security (L2TP/IPSec), OpenVPN, Cisco AnyConnect or similar, but NOT Point-to-Point Tunneling Protocol (PPTP) (Summary of the HIPAA Security Rule, n.d.) 7
- 8. What is a Virtual Private Network (VPN)? Image Courtesy of Scott Neal. 8
- 9. Technical Safeguards: Firewall • Inspects incoming network traffic; permits or denies access based on criteria. • Hardware- or software-driven. • Blocks ports through which intruders can gain access (e.g., port 80, which regulates web traffic). • Most commonly placed on network perimeter (network-based) or network device (host-based). • EHR will require certain ports to remain open. (Summary of the HIPAA Security Rule, n.d.) 9
- 10. Firewalls Image Courtesy of Scott Neal. 10
- 11. Technical Safeguards: Virtual Local Area Network (VLAN) • Divides networks administratively – Multiple VLANs can separate devices and data, so that sensitive traffic is unseen by non- authorized devices – One physical network, multiple virtual networks – One example VLAN setup: o Administration (Internet access, appointments) o Voice (IP Phones and teleconferencing) o Labs (EHR access and lab equipment) o MedData (EHR access, billing, insurance, clinic data) 11
- 12. Technical Safeguards: Intrusion Detection System (IDS) • Monitors networks or systems for malicious activities or policy violations. • Logs such activity and notifies administrator. • Advanced systems can take preemptive actions to stop activities (Intrusion Prevention System, or IPS). 12
- 13. Common Security Vulnerabilities and Breaches According to the TCP/IP Core Networking Guide from Microsoft: • Inside jobs, social engineering • Brute force • Eavesdropping, sniffing, snooping • Data modification • Identity spoofing • Password-based attacks • Denial of service attacks • Man in the middle attacks • Application layer attacks (Microsoft/TechNet, n.d.) 13
- 14. Server & Computer Security Tips • Install firewall, IDS, & monitoring tools to monitor & protect all servers using/storing ePHI • Strong policies for tracking ePHI, and limiting transmission or storage to only approved systems. • Hide or remove default or guest accounts • Provide a method for generating and verifying strong passwords • Monitor user account usage. Disable unused accounts. • Antivirus software, with updates • Attack surface reduction: turn off unneeded server applications & reduce attack surface. • Review and verify vendor recommendation for secure configuration • Create security baseline: scan and verify implementation • Install service packs within 48 hours of release. • Lock down database applications, regularly install updates. (Password Strength, 2012) 14
- 15. Server & Computer Updates and Security Baseline • System updates and service packs – Automatic and immediate for Internet connected systems – Test and verify before patching critical systems – Note: many networked medical devices are only supported by the vendor with specific software of configurations. Check with the system vendor before installing patches on patient medical devices. • Create security baseline: scan and verify implementation • Database applications will have their own updates and patching procedures 15
- 16. Contingency Plans • Back-up and Storage of critical data • Plan to restore systems • List of Emergency Contacts • Contingency plan for temporary office space • Maintaining secure offsite data storage • Criteria for activating contingency plan (Hartley, 2005) 16
- 17. Contingency Plans (cont’d) • Written plans – Risk analysis/assessment – Database backup – Database secure storage – Data restore plan – Disaster recovery plan – Critical incident response plan • Software inventory • Hardware inventory • Logs: transmission points 17
- 18. Data Backup Policy • Data integrity just as important as confidentiality. • Backing up critical files, including patient or EHR databases, helps ensure data recovery after catastrophic failure or security breach. • Determine procedures, hardware, and software required for reliable & efficient backup of production databases. 18
- 19. Secure Data Storage & Restore Policies • Data most susceptible to corruption or loss in state of rest (90% of the time). • Databases need particularly thorough analysis for risks. • Detailed guidelines for securing and safely restoring data stored on network. 19
- 20. Disaster Recovery & Critical Incident Response Plans • Address emergencies requiring immediate intervention to protect network or restore operational status after catastrophe. • Based on original risk analysis. • Outlines elements, procedures, & people needed to restore network or mitigate imminent threat in timely manner. 20
- 21. Hardware & Software Inventories • Hardware inventory – Loss of hardware can mean a loss much greater than just replacement cost. – Helps ensure equipment properly locked down and secure. • Software inventory – Provides insight to manage/mitigate risks to network from software vulnerability. – Facilitates proper software management practices, patching. 21
- 22. Logs: Transmission Points • Effective logging and monitoring strategy is critical to network security. • Logs can be overwhelmingly large. Determine which data need stringent monitoring (e.g., who is accessing); begin by concentrating efforts there. • Written plan of what is logged & why, with procedures for auditing & record of accountability to ensure compliance. 22
- 23. System Security Procedures and Standards Summary • Technical safeguards for ePHI are those automatically enforced by systems • System vulnerabilities exist, but application of best practices for system security will reduce exposure and risk • Risk and contingency plan development is a critical step in ensuring secure operation of EHR systems and regulatory compliance 23
- 24. System Security Procedures and Standards ReferenceReference: Common Types of Network Attacks. (n.d.) Microsoft Windows TCP/IP Core Networking Guide. Distributed Systems Guide, Windows 2000 Server . http://technet.microsoft.com/en- us/library/cc959354.aspx Health Information Privacy - Summary of the HIPAA Security Rule. (n.d.). Retrieved February 8, 2012, from U.S. Department of Health & Human Services website: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html How to Implement EHRs. (2013, April 3). Retrieved June 30, 2016, from https://www.healthit.gov/providers-professionals/ehr-implementation-steps Password Strength (n.d.). Retrieved January 12, 2012, from Wikipedia: http://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords Images: Slide 8: VPN example, 2012. Provided by Scott Neal Slide 10: Firewall example, 2012. Provided by Scott and Nolan Neal 24
- 25. Installation and Maintenance of Health IT Systems System Security Procedures and Standards Lecture b This material was developed by Duke University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000024. This material was updated in 2016 by The University of Texas Health Science Center at Houston under Award Number 90WT0006. 25
Hinweis der Redaktion
- Welcome to Installation and Maintenance of Health IT Systems, System Security Procedures and Standards. This is Lecture b This component Installation and Maintenance of Health IT Systems covers fundamentals of selection, installation, and maintenance of typical Electronic Health Records (EHR) systems.
- The objectives for this unit System Security Procedures and Standards are to: Identify regulatory requirements for EHRs Provide training for system users regarding the methods and importance of security compliance Identify administrative, physical, and technical safeguards for system security and regulatory compliance Identify best practices for system security Identify best practices for risk / contingency management This lecture finalizes the discussion of regulatory requirements by introducing technical safeguards and some best practices for system security and risk management that you can use to protect your infrastructure.
- HIPAA demands that sufficient measures be put into place at the technical level to guard healthcare data from all reasonable means of attack and unwanted disclosure. Technical safeguards address access controls, audit controls, integrity controls, and transmission security. The access control technical requirement mandates that “a covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information.” From a technical perspective, there are several tools that assist administrators with administering this process. Effective security practices embrace a layered approach to providing security to a network. That is, several different technologies are employed concurrently to protect the network instead of relying solely on one approach. That way, if an attacker finds his way through one layer, he still has to overcome additional obstacles before he is successful. This would be the equivalent to adding a security alarm and dogs at your home instead of simply relying on the deadbolt lock to dissuade intruders. One such tool is Active Directory, or AD. AD allows administrators to assign policies, deploy software, and apply access roles, based on users or user groups, to an organization’s network. It does this by storing information and settings about users and resources in a central database. Active Directory networks are very scalable and are seen from small installations, with a few computers, users, and printers, to large organizations with tens of thousands of users. Active Directory uses a protocol called LDAP (Lightweight Directory Access Protocol) to allow connectivity and control access to a wide variety of management and query applications. It may be possible for your vendor to adapt your EHR system to use Active Directory to help you manage access if the software is not already configured to do so. For instance, when a new physician begins at the organization, her access would be partially governed by what Active Directory group her account was added to. Regardless, your vendor’s product should come with a set of access controls already built into the software. Be sure to have a candid conversation about how these controls work and be certain they will work in a manner consistent with the roles your organization uses for administering ePHI data.
- Other technical safeguards include utilizing hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI. We call this audit control, and it is implemented through activity logging. What actually needs to be logged depends on the level of access controls to the ePHI data. However, there are some pretty consistent items. In general, your servers should use OS system logging tools to log: Who accessed, or tried to access the server; and What data or databases were successfully accessed and any changes made.
- Your EHR software should support logging user access, logging data accessed, logging sign-on failures, and any changes to the data Proactive audits should be performed periodically, with the intent of sampling the data set to look for possible inappropriate use or activity. Log sampling does not have to be random. Proactive audits can sample from the entire log population or from areas known to be of higher risk. For example, when reviewing access logs to patient records, it may be appropriate to intentionally sample from the population of employee patients, as well as from the patient population as a whole. Proactive auditing can serve as a deterrent to would-be voyeurs. Therefore, it is important that system users be aware that proactive auditing takes place. Reactive audits are performed whenever a defined event triggers the need for an audit. An "event" might be a patient or employee complaint or a security system alarm. It is also advisable to audit appropriate logs when unusual or extreme situations occur, such as a highly publicized accident involving victims treated at your facility, an illness of an employee known to coworkers with access to systems containing the employee's PHI, or the involuntary termination of an employee.
- Your EHR software must have policies, procedures, and electronic controls to ensure that e-PHI is not improperly altered or destroyed. This should be automatic and verifiable, as the previous slides indicated. The electronic measures may be implemented at the network level through transmission security, at the operating system level through authentication and authorization controls, or at the patient record level through database authentication and data integrity controls – preferably a combination of all three.
- Since ePHI is transmitted over networks, security measures and restrictions must be in place to guard against unauthorized access to those networks. Offsite access of ePHI poses a particularly hazardous risk. In some instances, the use of offsite access can be disallowed completely; for many healthcare institutions, however, it is unacceptable to restrict access by other healthcare institutions or physicians who may be practicing offsite but have a valid need to access these records. In any case, offsite access should be strictly controlled, and any data being transmitted from your site to another offsite location should be adequately protected by the use of encryption and VPN (Virtual Private Networks). A VPN uses encryption, authentication, and authorization to protect data as it is routed through the Internet. VPN connections may use protocols such as L2TP/IPSec, OpenVPN, or Cisco’s client implementations . However, Microsoft’s PPTP VPN implementation has vulnerabilities that make it ill-suited for ePHI transmission.
- Here’s a graphical illustration of VPN, used for transmitting data over the internet between the VPN router and the VPN client on a user’s machine. By using the internet as a connection medium, VPN can adequately protect your data while saving the cost of long-distance phone service and hardware costs associated with using dial-up or leased line connections.
- Another way to help prevent unwanted access is through the use of firewalls. A firewall is a dedicated appliance or software running on a computer which inspects network traffic passing through it and denies or permits passage based on a set of rules or criteria. It does this by controlling access to ports. Ports are essentially communications channels that applications need to communicate with one another. Some ports are pretty common, such as port 80 which regulates web traffic. Firewalls represent an important front line element to thwart unwanted access and help ensure HIPAA compliance. It is normally placed between the protected network, where ePHI is housed, and the unprotected network, and it acts like a gate to protect assets. A firewall’s basic task is to protect computer networks where they meet at different trust levels. For example, you very often see a firewall between the internet traffic and internal network traffic. Many servers and workstations also have firewalls to provide yet another level of protection. It’s important to note that your EHR system will require certain ports to remain open on your firewall to work properly. Work with your vendor to ensure proper ports are left open.
- As this picture illustrates, firewalls can be placed anywhere the network transitions from a less trusted segment to a more trusted segment. In this instance, the first firewall – the network firewall – allows some communications through as determined by the overall network needs. The second firewall – the computer firewall – is then tailored further, reducing traffic to and from the computer system to only those applications installed and running on the system itself.
- Another tool is the VLAN or Virtual Local Area Network. This is an administrative division on network equipment to separate devices and data, such that the data cannot be intercepted by a device on a separate VLAN. Modern telephones that operate over IP networks (IP phones or VOIP phones) often are configured and managed on a separate VLAN. Additionally, non-sensitive data for appointments, Internet access, and general office use can be on a VLAN with less onerous controls than a VLAN with ePHI data. Lab devices that require network communication can be separated from employee workstations to reduce the risk of computer virus transmission.
- Another tool to prevent unwanted access is the Intrusion Detection System, or IDS. An IDS is a device or application that monitors the network (or the system it’s installed on) for malicious activities, based on pre-defined patterns or policies, and reports such activities to the network administrator. Some systems actually take it a step further through preemptive actions to stop detected activities until the administrator intervenes or for a certain duration of time. These systems are known as Intrusion Prevention Systems (IPS).
- There are many different ways in which your system could be breached, allowing for the compromise of your sensitive data. Let’s list a few of the more common approaches, as outlined by the Microsoft TCP/IP core networking guide: The inside job: An overwhelming majority of network security issues center around the organization's own workforce. Lack of policy understanding, laziness, or disgruntlement among workers are always threats. Training employees on the hazards of mishandling sensitive data and the importance of following both legal regulations and your organization's policies will help mitigate this risk. Social engineering is the process where someone is tricked into divulging information that allows an attacker to infiltrate a network. The most common attempt centers around pretending to be a network administrator needing the user’s password to repair something in the system. Brute force attacks are just what they seem. An evildoer identifies a server on the network, perhaps by scanning for the remote desktop port, then attempts to break into the system using the administrator account and runs specialized utilities that will try an endless number of passwords until it cracks the password. Eavesdropping: The majority of network communications occur in an unsecured or "clear text" format. An attacker who has gained access to your network can "listen in" on the traffic. When an attacker is eavesdropping on your communications, it is referred to as sniffing or snooping. Eavesdropping is generally the biggest security problem that administrators face in an enterprise environment. Enabling strong encryption services on your sensitive data as it traverses the network can mitigate this risk. Note that gaining access to a network will depend on the type of network medium – a wireless network could be accessed without requiring physical contact, thus requiring additional security measures. Access to wired networks can depend somewhat more on physical security controls. Data modification: An attacker can modify the data in the packet without the knowledge of the sender or receiver. This can lead to erasure or corrupted data. Identity spoofing: Most networks and operating systems use the IP address of a computer to identify a valid entity. In certain cases, it is possible for an IP address to be falsely assumed. Try not to use IP addresses as a method of ensuring connectivity to a particular device. Ensure that the device MAC addresses are utilized for connecting to a domain. Password-based attacks: Failure to use strong passwords or, whenever possible, multi-factor identification (requiring more than one method of identification to authenticate to a network) can lead to account compromises, potentially compromising data. Denial of service attacks: Though these attacks don’t usually intercept data, they can render a network virtually useless by overloading the infrastructure with unwanted traffic. Man in the middle attack: Someone figures out a way to intercept the network traffic and captures it before sending it along to the reader. This is often the result of a compromised encryption key. Utilizing 256-bit or stronger encryption on VPN, wireless, and other communication can help offset this risk. Application layer attacks: This attack targets application servers by causing a fault in a server's operating system or applications. Once compromised, the attacker gains the ability to bypass normal access controls. The attacker takes advantage of this situation, gaining control of the application, system, or network, leaving data vulnerable.
- Servers and computers containing sensitive data, such as ePHI, are particularly attractive targets to attack. In addition to installing a firewall, intrusion detection system (IDS), and advanced logging tools, there are additional safeguards you should take: Administrative: Enact and enforce policy that ensures that all users needing access to ePHI understand that all ePHI data must be stored on approved and protected network systems only. Taking patient data home on a physician’s personal laptop should raise alarms! Ensure that all local users to the systems are approved for accessing ePHI, and remove or disable any local accounts, such as the guest account, that are not needed. Be sure to rename the default administrator and guest accounts as well. Default configurations and passwords are an all too frequently overlooked problem, especially on equipment such as a networked lab device. Strong passwords can be difficult to create and track. Provide a recommended process for effective strong password generation, and enable automatic password strength checking. Monitor usage for user accounts, and disable unused accounts to prevent them from being compromised without awareness. Technical: Install an effective antivirus / anti-malware system and ensure it stays updated. Attack surface is the set of services running on a server that are potential vectors of attack. A given server may not be obviously vulnerable today, but new exploits may be developed tomorrow. An unneeded service that is not running or available cannot be used by an attacker. Configure the server with coordination with your software vendor to ensure proper application performance. For Windows, this tool is called the Security Configuration Wizard. Create a security baseline for your servers. For windows deployments, Microsoft has a tool designed for the creation of security baselines specific to the server software you are using. For more details search for “Microsoft Security Baseline Analyzer”. Remember to test and install the latest service packs and security releases for your server. 48 hours after release is a good standard to adhere to. Database applications need additional safeguards in place. Be sure to research your particular database applications and remember to lock down and install all patches for these applications.
- Updates and service packs often provide security fixes for operating systems, applications, databases, and embedded systems. Any device connected to open networks should be patched as soon as the fix is available – automated update services are one way to ensure this. For critical systems containing ePHI or core business data (that would halt business if unavailable) testing and verification should be performed in test environments before moving to production systems. Note that specialized medical equipment may have its own operating system, applications, and configuration. If the underlying operating system is vulnerable to an attack, do not immediately assume that a patch should be deployed. Some of these systems have only been certified or are only supported in specific configurations. Check with the system vendor before applying any patches or fixes in this environment, but during the vulnerable period, try to implement specific monitoring for attacks directed towards the newly discovered vulnerability. Create a security baseline for your servers. For windows deployments, Microsoft has a tool called “Microsoft Security Baseline Analyzer” that is designed for the creation of security baselines specific to the server software you are using. In general, a security baseline is a periodic record of system parameters (like software versions and configuration details) that can be compared to determine if any vulnerabilities have been newly discovered. These lists should be updated periodically and compared against publicly known exploits and vulnerabilities. Database applications need additional safeguards in place. Be sure to research your particular database applications and remember to lock down and install all patches for these applications as recommended by your vendor.
- Ensuring your data is protected from natural and technical threats is just as important as ensuring data is not compromised through malicious intent. In the event something catastrophic does occur, plans must be in place to ensure the network, along with its valuable data, can be returned to operating status with a minimal amount of downtime. This means ensuring data is reliably and securely backed up, along with a disaster recovery plan containing an emergency contact list of critical players and stakeholders in the organization who will be needed to make decisions and assist with the technical components of restoring the network. These plans should include contingencies for: The offsite storage of data and the prompt return and restoration of the data from backup. Plans for relocation of infrastructure resources, or the operation as a whole, until repairs can be affected.
- These plans should be put in writing BEFORE an incident develops: Written Plans Risk analysis or assessment Database backup Database secure storage Data restore plan Disaster recovery plan Critical incident response plan Software Inventory Hardware Inventory Logs - transmission points Let’s take a few moments to look at each of these plans in a little more detail. We’ve already discussed the risk analysis, or risk assessment, in the first half of this Unit, so we’ll start with database backup.
- Ensuring integrity of data is just as important as ensuring its confidentiality. Loss or corruption of data means a costly loss of productivity because of the effort required to, at a minimum, recreate the data. Backing up data files, including patient or EHR databases, helps ensure data can be recovered in the event of data corruption, a catastrophic failure, or security breach. The purpose of a data backup policy is to set into motion a method for implementing a backup strategy and procedures that adequately addresses the needs of the institution and maintains compliance with regulations. This strategy includes what data will be backed up and how often, as well as how to ensure these archives will be secured but easily accessible if needed. The policy also outlines the hardware and software required to ensure reliable and efficient backup of these production databases.
- Data spend over 90% of their time at rest where they are more susceptible to corruption or loss than in any other state. The Secure Data Storage and Restore policies outline specific protocols which must be adhered to in order to mitigate risks associated with short- or long-term data storage. In particular, databases require extra attention when it comes to security. Each production database housing data, particularly healthcare data, should be evaluated to determine the best method for securing the resident data and ensuring access to the database is properly administered and in compliance with regulations. Likewise, if special protocols are needed for restoring the database, or datasets within those databases, a plan of action should be spelled out for how this process works.
- Disaster Recovery and Critical Incident Response plans are designed to address emergencies requiring immediate intervention to protect the network or restore the network to operational status after a catastrophic event. Based upon your risk analysis, these plans provide a step by step guide to identify and recover from each of the potential threats identified in the original analysis. They identify the key players or teams needed to perform the recovery process, outline the types of hardware needed and the vendors who supply them, pinpoint alternate facilities in the event your facility cannot be accessed, and provide detailed procedures to bring the network back to operational status and restore the integrity of the data.
- Maintaining inventories for both hardware and software used on the network is just as important as securing the data. Maintaining an up-to-date hardware inventory not only helps you as you plan out hardware and software upgrades and other administrative tasks, it also ensures your inventory is properly “locked down” and accounted for. This is essential from a security perspective. Why would you worry about a hacker creeping through the network if someone could just walk in and steal the data directly from the hardware where the data is stored? Likewise, keep a current inventory of the applications being used on your network. This will provide additional insight needed to properly manage and mitigate security risks related to software vulnerabilities. It will also facilitate proper patching and issue mitigation.
- As we pointed out earlier, monitoring is an important part of security. Often, log monitoring is taken for granted. Your IT systems are capable of monitoring and logging nearly every activity that occurs. An effective logging and monitoring strategy means understanding what to log and what to look for, and devising a method for effectively managing and monitoring vast amounts of data. This is critical for network security. Logs can quickly grow to hundreds of thousands of cryptic entries that, without some sort of strategy or management system in place, would surely overwhelm even the mightiest of IT gurus. Start with identifying what data requires more stringent monitoring. At the very least, you will want to know who is trying to access the data or critical hardware components and were they successful. You can also track the movement of this critical data, though expect extremely large logs from this type of audit process. It’s important to devise a written plan summarizing what is logged and why, along with the appropriate procedures to audit the logs effectively. Create a written record of accountability for the reviewer(s) to ensure compliance with the policy.
- This concludes System Security Procedures and Standards. We have only scratched the surface of all the security measures that can be implemented with an EHR system. We’ve talked about several aspects of ePHI regulation, along with various administrative, physical, and technical safeguards available to assist you in protecting your infrastructure. Types of system vulnerabilities have been introduced, along with best practices for securing systems against those vulnerabilities. Finally, risk assessment and contingency plan development will help ensure secure operation and regulatory compliance. Much of what you will do will hinge on the type, topology, and operating systems utilized on your infrastructure, along with ensuring compliance with regulatory and organizational policies. Security is a continuing process of adaptation to emerging threat. If you’re not comfortable with always learning something new, this field is not for you.
- No audio.
- No Audio. Ten Seconds of Silence.