POLICY # 17
LOG-IN MONITORING
ADMINISTRATIVE MANUAL
APPROVED BY:
ADOPTED:
SUPERSEDES POLICY:
REVISED:
REVIEWED:
DATE:
REVIEW:
PAGE:
HIPAA Security Rule Language:
“Implement … procedures for monitoring log-in attempts and reporting discrepancies …”
Policy Summary:
Sindecuse Health Center (SHC) must provide regular training and
awareness to its workforce members about its process for monitoring log-in attempts and reporting discrepancies.
Purpose:
This policy reflects SHC’s commitment to regularly train and remind its
workforce members about its process for monitoring log-in attempts and
reporting discrepancies.
Policy:
1. SHC must develop, implement, and regularly review a formal,
documented process for monitoring log-in attempts and reporting
discrepancies. All SHC workforce members must be regularly trained
and reminded about this process.
2. Access to all SHC information systems must be via a secure log-in
process. At a minimum, the process must:
- Not display information system or application identifying information until the log-in process has been successfully completed.
- Display a notice that the computer must only be accessed by authorized users.
- Not provide help messages during the log-in procedure that would assist an unauthorized user.
- Validate log-in information only when all data has been entered. If an error arises, the system must not indicate which part of the data is correct or incorrect.
- Limit the number of unsuccessful log-in attempts allowed.
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
3. SHC information systems’ log-in process must include the ability to:
- Record unsuccessful log-in attempts.
- After a specified number of failed log-in attempts, enforce a time delay before further log-in attempts are allowed, or reject any further attempts until an appropriate SHC employee authorizes them.
- Limit the maximum time allowed for the log-in procedure.
- Display the following information on completion of a successful log-in:
  - Date and time of the previous successful log-in.
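The controls in items 2 and 3 above can be implemented in one log-in handler. The following is an added illustration, not SHC's or Phoenix Health Systems' code: it uses a single generic failure message (no hint about which field was wrong or whether the account exists), validates only once both fields are present, records every unsuccessful attempt, enforces a delay after a few failures and a lockout that only an authorized employee can clear, caps the time allowed for the procedure, and reports the previous successful log-in on success. The class name, the thresholds (3 failures for a delay, 5 for lockout, 30-second delay, 120-second procedure limit) and the sample user are assumptions chosen for the example.

```python
"""Added example of a log-in handler meeting policy items 2 and 3.
Not SHC's or Phoenix Health Systems' code; thresholds and names are assumed."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumed thresholds; the policy only requires that such limits exist.
MAX_FAILURES_BEFORE_DELAY = 3    # item 3: time delay after this many failures
DELAY_SECONDS = 30
MAX_FAILURES_BEFORE_LOCK = 5     # item 3: reject further attempts until authorized
LOGIN_PROCEDURE_TIMEOUT = 120    # item 3: maximum seconds allowed for the procedure
PBKDF2_ROUNDS = 100_000          # tune for the target hardware in production

# Item 2: the pre-log-in notice names no system or application.
PRE_LOGIN_NOTICE = "This computer may be accessed only by authorized users."
SYSTEM_NAME = "SHC clinical records"   # revealed only after a successful log-in
# Item 2: one generic message for every failure, so no part of the data is singled out.
GENERIC_ERROR = "Log-in failed."

_DUMMY_SALT = os.urandom(16)   # used so unknown users cost the same time as bad passwords


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    delay_until: float = 0.0
    locked: bool = False
    last_success: Optional[float] = None


@dataclass
class LoginResult:
    ok: bool
    message: str
    previous_login: Optional[float] = None   # item 3: previous successful log-in time


class LoginService:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock   # injectable clock so delays and timeouts can be exercised offline
        self.accounts: Dict[str, Account] = {}
        self.audit: List[Tuple[float, str, str]] = []   # item 3: (time, username, reason)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def begin(self) -> float:
        """Start the log-in procedure; the returned start time feeds the timeout check."""
        return self.clock()

    def _fail(self, username: str, reason: str) -> LoginResult:
        self.audit.append((self.clock(), username, reason))   # record every unsuccessful attempt
        return LoginResult(False, GENERIC_ERROR)

    def attempt(self, username: str, password: str, started_at: float) -> LoginResult:
        now = self.clock()
        if now - started_at > LOGIN_PROCEDURE_TIMEOUT:
            return self._fail(username, "timeout")
        if not username or not password:           # item 2: validate only when all data is entered
            return self._fail(username, "incomplete")
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, _DUMMY_SALT)    # equalize timing for unknown users
            return self._fail(username, "unknown user")
        if acct.locked:
            return self._fail(username, "locked")
        if now < acct.delay_until:
            return self._fail(username, "delayed")  # attempts during the delay are not counted
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            previous, acct.last_success, acct.failures = acct.last_success, now, 0
            return LoginResult(True, f"Welcome to {SYSTEM_NAME}.", previous)
        acct.failures += 1
        if acct.failures >= MAX_FAILURES_BEFORE_LOCK:
            acct.locked = True
        elif acct.failures >= MAX_FAILURES_BEFORE_DELAY:
            acct.delay_until = now + DELAY_SECONDS
        return self._fail(username, f"bad password (failure {acct.failures})")

    def unlock(self, username: str, authorized_by: str) -> None:
        """Item 3: a rejected account is reopened only on authorization by an appropriate SHC employee."""
        acct = self.accounts[username]
        acct.locked, acct.failures, acct.delay_until = False, 0, 0.0
        self.audit.append((self.clock(), username, f"unlocked by {authorized_by}"))


if __name__ == "__main__":
    svc = LoginService()
    svc.add_user("nurse1", "correct horse battery staple")   # constructed sample user
    print(PRE_LOGIN_NOTICE)
    start = svc.begin()
    print(svc.attempt("nurse1", "wrong", start))
    print(svc.attempt("nurse1", "correct horse battery staple", start))
    print(svc.audit)
```

The audit list is what the reporting side of this policy consumes: the reasons it records (incomplete, unknown user, delayed, locked, repeated bad passwords) are the log-in discrepancies that workforce members are trained to detect and report, while the user-facing message stays the same in every case.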
4. At a minimum, SHC log-in monitoring training and awareness must
cover topics including, but not limited to:
- How to effectively use SHC’s secure log-in processes.
- How to detect log-in discrepancies.
- How to report log-in discrepancies.
Scope/Applicability:
This policy applies to all departments that use or disclose electronic protected health information for any purpose.
This policy’s scope includes all electronic protected health information, as described in Definitions below.
Regulatory Category: Administrative Safeguards
Regulatory Type: ADDRESSABLE Implementation Specification for the Security Awareness and Training Standard
Regulatory Reference: 45 CFR 164.308(a)(5)(ii)(C)
Definitions:
Electronic protected health information means individually identifiable health information that is:
- Transmitted by electronic media
- Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Responsible Department: Information Systems
Policy Authority/Enforcement:
SHC’s Security Official is responsible for monitoring and enforcing this policy, in accordance with Procedure # (TBD).
Related Policies:
Security Reminders
Protection from Malicious Software
Log-in Monitoring
Password Management
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD