SpiraTeam HIPAA Compliance Checklist

advertisement
Inflectra Corporation
8121 Georgia Ave, Suite 504
Silver Spring. MD 20910-4957
+1 202.558.6885
www.inflectra.com
SpiraTeam HIPAA Compliance Checklist
Health Insurance Portability and Accountability Act
May 25th, 2015
Abstract
If you are choosing an Application Lifecycle Management (ALM) solution in the Healthcare industry, if you
are a ‘covered entity’ an absolute requirement is to make sure the software you choose is HIPAA
compliant. HIPAA is the Health Insurance Portability and Accountability Act of 1996. These two rules are
otherwise known as the ‘Standards for Privacy of Individually Identifiable Health Information’(Privacy
Rule) and the ‘Security Standards for the Protection of Electronic Protected Health Information’(Security
Rule).
Because the software is most likely going to be managing sensitive client data, you cannot risk having it
in an unsafe or vulnerable system. So what makes software HIPAA compliant? Read on to find out how
SpiraTeam is HIPAA compliant and use this checklist as a guide to ensure that you have implement
SpiraTeam in a HIPAA compliant manner.
What does HIPAA Compliant Actually Mean?
Firstly, how do you find a HIPAA-compliant software package? Well technically speaking you can't,
because no such thing exists.
It's you, as an organization, that's HIPAA compliant, and no software application is going to magically
make you that way. HIPAA defines a large set of policies and procedures, many of which have nothing to
do with technology. What the software package can do is provides features suggested by HIPAA
guidelines, and implement the necessary HIPAA policies and best practices that your organization has
set up to protect your data using these provided features.
HIPAA Requirements
Under HIPAA Security requirements there are specific provisions for administrative safeguards, physical
safeguards, and access control.
1. Administrative Safeguards [142.308 (A)]
Administrative safeguards are administrative actions, policies and procedures, to manage the selection,
development, implementation, and maintenance of security measures to protect Protected Health
Information (PHI) and to manage the conduct of the Covered Entity's workforce in relation to the
protection of that information.
1.1. Security Management Process
The first standard under Administrative Safeguards section is the Security Management Process. This
standard requires covered entities to: “Implement policies and procedures to prevent, detect, contain and
correct security violations.”
Inflectra has a documented Information Security Policies and Process which has been developed in line
with the PCI-DSS information security standard for credit card payment providers. A copy of this
document will be provided to customers upon prior execution of the Inflectra confidentiality agreement.
1.2. Assigned Security Responsibility
The second standard in the Administrative Safeguards section is Assigned Security Responsibility. The
purpose of this standard is to identify who will be operationally responsible for assuring that the covered
entity complies with the Security Rule.
In most cases Inflectra is not itself handling PHI data but is providing a service or product being used by a
covered entity that is. Therefore the Inflectra quality assurance manager is the responsible person and
would work with the appropriate point of contact at the covered entity.
© Copyright 2015, Inflectra Corporation
Page 2 of 7
This document contains Inflectra proprietary information
1.3. Workforce Security
The third standard is Workforce Security, which states that covered entities must: “Implement policies and
procedures to ensure that all members of its workforce have appropriate access to electronic protected
health information, as provided under [the Information Access Management standard], and to prevent
those workforce members who do not have access under [the Information Access Management standard]
from obtaining access to electronic protected health information.”
Inflectra has a documented workforce security set of policies, including the hiring, termination and
monitoring of employees and contractors.
1.4. Information Access Management
The fourth standard in the Administrative Safeguards section is Information Access Management.
Covered entities are required to: “Implement policies and procedures for authorizing access to electronic
protected health information that are consistent with the applicable requirements of subpart E of this part
[the Privacy Rule].”
Inflectra has a documented process in place for accessing systems that could contain PHI, either
customer application instances (hosted only) or support session information (hosted and download).
Inflectra has a documented set of policies regarding access to the various Inflectra information systems to
ensure a consistent authorization process is in place.
1.5. Security Awareness and Training
Regardless of the Administrative Safeguards a covered entity implements, those safeguards will not
protect the PHI if the workforce is unaware of its role in adhering to and enforcing them. Many security
risks and vulnerabilities within covered entities are internal. This is why the next standard, Security
Awareness and Training, is so important.
Inflectra has implemented the following best practices for security awareness and training: Periodically
sending updates and reminders about security and privacy policies to employees/contractors, having
procedures for guarding against, detecting, and reporting malicious software, ensuring that there are
procedures for creating, changing, and protecting passwords, and monitoring of logins to systems and
reporting of discrepancies.
1.6. Security Incident Procedures
The next standard is Security Incident Procedures, which states that covered entities must: “Implement
policies and procedures to address security incidents.” The purpose of this standard is to require covered
entities to address security incidents within their environment. Addressing security incidents is an integral
part of the overall security program. Implementing the Security Rule standards will reduce the type and
amount of security incidents a covered entity encounters, but security incidents will occur. Even covered
entities with detailed security policies and procedures and advanced technology will have security
incidents
Inflectra has a documented Information Security Policies and Process which has been developed in line
with the PCI-DSS information security standard for credit card payment providers. A copy of this
document will be provided to customers upon prior execution of the Inflectra confidentiality agreement.
1.7. Contingency Plan
The purpose of contingency planning is to establish strategies for recovering access to EPHI should the
organization experience an emergency or other occurrence, such as a power outage and/or disruption of
critical business operations. The goal is to ensure that organizations have their EPHI available when it is
needed. The Contingency Plan standard requires that covered entities: “Establish (and implement as
needed) policies and procedures for responding to an emergency or other occurrence (for example, fire,
© Copyright 2015, Inflectra Corporation
Page 3 of 7
This document contains Inflectra proprietary information
vandalism, system failure, and natural disaster) that damages systems that contain electronic protected
health information.”
Inflectra has a documented Disaster Recovery Plan for both its office locations and also datacenters
where internal and customer data is stored. A copy of this document will be provided to customers upon
prior execution of the Inflectra confidentiality agreement.
© Copyright 2015, Inflectra Corporation
Page 4 of 7
This document contains Inflectra proprietary information
2. Physical Safeguards [142.308 (b)]
Physical safeguards are physical measures, policies, and procedures to protect a Covered Entity's
electronic information systems and related buildings and equipment, from natural and environmental
hazards, and unauthorized intrusion.
For customers hosted in a cloud environment, the physical safeguards cover both the location where the
software is hosted and also the company’s support facilities where the employees supporting the service
reside.
2.1. Facility Security Plan
Facility security plans must document the use of physical access controls. These controls must ensure
that only authorized individuals have access to facilities and equipment that contain PHI. In general,
physical access controls allow individuals with legitimate business needs to obtain access to the facility
and deny access to those without legitimate business needs. Procedures must also be used to prevent
tampering and theft of PHI and related equipment.
Inflectra has a robust Facility Security Plan for both its own office locations (used for both on-premise and
hosted customers) and the datacenters that it uses to host its cloud service. The appropriate
documentation detailing the safeguards and the security plan can be provided to customers upon
execution of the standard Inflectra confidentiality agreement.
2.2. Data Backup and Storage
Where this implementation specification is a reasonable and appropriate safeguard for a covered entity,
the covered entity must “create a retrievable, exact copy of electronic protected health information, when
needed, before movement of equipment.”
Inflectra has a robust backup and storage mechanism in place for all its internal corporate data, its
customer data, the source code of the applications it supports and the customer instances of its
applications (hosted/cloud customers only). The mechanism utilizes industry best practices for backup
and archive, with the data stored in a physically remote location from all Inflectra offices and datacenters.
© Copyright 2015, Inflectra Corporation
Page 5 of 7
This document contains Inflectra proprietary information
3. Technical Safeguards [142.308 (c)]
Technical safeguards mean technology and the policy and procedures for its use that protect electronic
health information and control access to it.
3.1. Unique user identification
All users of the software must have a unique way of being identified so that all changes can be tracked
backed to them and to make sure that the application security can be enforced for specific users. Ideally
the user management should be centralized by the ‘covered entity’ so that all software applications can
use a single set of users, passwords and identifiers. This reduces the likelihood that certain individuals
erroneously have access to the data.
SpiraTeam provides a robust user management capability of its own, with each user having a unique ID
as well as the ability for administrators to specify password complexity rules and other security
parameters. In addition, SpiraTeam provides a single-sign-on capability using the Lightweight Directory
Access Protocol (LDAP) so that SpiraTeam can delegate the user management and access identification
to the covered entity’s existing user management directory.
3.2. Automatic Log off
Where this implementation specification is a reasonable and appropriate safeguard for a covered entity,
the covered entity must: “Implement electronic procedures that terminate an electronic session after a
predetermined time of inactivity.”
As a general practice, users should logoff the system they are working on when their workstation is
unattended. However, there will be times when workers may not have the time, or will not remember, to
log off a workstation. Automatic logoff is an effective way to prevent unauthorized users from accessing
PHI on a workstation when it is left unattended for a period of time.
SpiraTeam, KronoDesk and the Inflectra website all provide an automated logoff facility where the user
will be logged-off after predetermined amount of inactivity. In the case of SpiraTeam and KronoDesk, the
time interval for this automated logoff is configurable by the covered entity.
3.3. Limiting Access and Use to the Minimum Necessary.
Under the regulations this is described as "covered entity must develop and implement policies and
procedures that restrict access and uses of protected health information based on the specific roles of the
members of their workforce. These policies and procedures must identify the persons, or classes of
persons, in the workforce who need access to protected health information to carry out their duties, the
categories of protected health information to which access is needed, and any conditions under which
they need the information to do their jobs.”
What this means for ALM software is that it must provide the ability to create access levels and user roles
to group employees into so that you can restrict access to PHI that is not necessary for them to do their
job.
SpiraTeam facilitates this by providing extensible and powerful role-based security that allows you to
define very granular roles rather than having to live with a default set provided by the vendor. SpiraTeam
lets you implement these roles per project so that a user only is granted the minimum necessary
permissions to perform their tasks on each and every project.
3.3. Encryption / Decryption
HIPAA requires you to secure your data, although it does not explicitly state what methods, algorithms
should be used. At a minimum the data transmission between the users and the application should be
© Copyright 2015, Inflectra Corporation
Page 6 of 7
This document contains Inflectra proprietary information
encrypted and all security information (passwords, security questions/answers) should be one-way
hashed and salted. For further protection, the entire database could be encrypted at rest.
By default, SpiraTeam one-way hashes all passwords and other security information using the SHA1
algorithm together with an appropriate SALT. In addition when you use the Inflectra hosted cloud service,
all communications to the service are via. 256-bit SSL/TLS encrypted connections. For those customers
hosting on premise, Inflectra provides recommendations on how to implement the same level of
encryption and also provides mechanisms for encrypting the data at rest using SQL Server Transparent
Data Encryption (TDE) services.
4. Other Considerations
4.1. Audit Logging & History Tracking
One of the clearest HIPAA requirements is that organizations keep an audit log of who did what in the
software package. It's important that your package be able to track which person accessed which record
(down to the client level) on what date, and whether he or she viewed it, updated it, or deleted it. (This
rule implies that all users need a distinct username and password to access organizational software.)
It's also very desirable to be able to track what each user changed specifically ― for instance, to be able
to see the value of a field both before and after he or she changed it ― although experts' opinions vary on
whether this is strictly required under the HIPAA guidelines.
SpiraTeam provides a robust history change tracking system out of the box that allows you to view all of
the changes made to a specific artifact by all users in the system and also the reverse view, looking at all
the changes made by a specific user across all of the artifacts in the system. This functionality is further
reinforced in v5.0 of SpiraTeam with the introduction of CFR Part 11 compliant digital signatures.
4.2. Business Associate Agreement
In addition to these software requirements, it's imperative to have a Business Associate Agreement (BAA)
with any stakeholder you work with to protect the PHI of the clients you serve. BAAs typically state that
the software vendor will uphold the same policies and procedures that your organization does in order to
protect the privacy and security of your data.
Inflectra is happy to work with customers to put HIPAA BAAs in place as part of our software support
contracts. We have worked with many healthcare customers in the past and where necessary, executed
BAAs as required by the covered entity.
© Copyright 2015, Inflectra Corporation
Page 7 of 7
This document contains Inflectra proprietary information
Download