Biomedical Security Checklist

HIPAA Security Checklist for Clinical Technology Equipment
Device Model
Manufacturer
Document ID
Today’s Date
Device Category
Software Version
Software Release Date
Operating System
Contact Name
Contact Title
Department
Other Contact
Company Name
Telephone #
2nd Tele
email
The HIPAA Security Rule requires Kaiser Permanente to implement reasonable security
controls on its Clinical Technology devices and computer systems. To assist Kaiser
Permanente in determining the technical security measures available on your system, we are
seeking the following information.
A. Does the device generate, process or store electronic Protected Health Information (ePHI)?
______
Answer each numbered question YES or NO unless the item says otherwise.

User Accounts
1. Can each individual user be uniquely identified by the device?
2. Is the device capable of granting user rights, based upon user job responsibilities, for the
   following actions? (respond Y/N to each item)
   2a. Create data
   2b. Read data
   2c. Update data
   2d. Delete data

Passwords
3. Does this device support user passwords? (This question refers to the interaction between a
   clinical user and the application/device.)
4. Can the device be configured to require passwords of at least 6 characters?
5. Is the device configurable to enforce entry of passwords containing at least one alpha and one
   numeric character?
6. Can the device be configured to mask the password on the screen?
7. Can the device be configured to require the storage of passwords in encrypted or hashed format,
   instead of readable text?

Log-On
8. Can the device be configured to suspend user access after a defined number (no more than 5) of
   consecutive unsuccessful logon attempts?
9. Is the device configurable to force passwords to be changed at first login if the password is reset
   by a system administrator or help desk?
10. Can the device be configured to use current network logon access controls, i.e. user name and
    password?

Inactive Sessions
11. Is the system configurable to interrupt inactive sessions after a defined period of inactivity?
12. Once an inactive session is interrupted, is a password required to re-establish the session?

Audit Trail
13. Can unsuccessful login attempts and access violations within the device be logged?
14. Can successful login attempts by individuals and other systems be logged for the following
    actions? (respond Y/N to each item)
    14a. Read data
    14b. Create data
    14c. Update data
    14d. Delete data
    14e. Transmit data
    14f. Print data
15. Are all audit logs identified by a unique record number or event activity report? If yes, does it
    include the following:
    15a. Unique user identifier?
    15b. Time and date?
    15c. Originating source?
    15d. Content (type of data being accessed)?
    15e. User's system logon and logoff with automatic date and time stamp?
16. Can system administrative activities be logged?
17. Is the device able to produce detailed audit logs for the information from questions 14 & 15 above?
18. Are these audit logs protected against the following? (respond Y/N to each item)
    18a. Unauthorized access
    18b. Modifications
    18c. Deletions
19. Are these audit records readily available for:
    19a. 90 days?
    19b. Archived for a minimum of 1 year?

System Administration
20. Is your device network capable?
21. Is your device network dependent? See definitions.
22. Are system administration functions only available to designated system administrators?
23. Can the device be configured to prevent remote administration or remote management services
    or tools from bypassing device access controls?

Integrity
24. Are controls in place to ensure that data is not altered or destroyed?
25. Is the device capable of preventing unauthorized changes to its programs or data?
26. Is the device capable of data backup?
27. Can backup be done through removable media?
28. Is an automatic network-based backup configurable?

Security
29. Does the system support anti-virus software and updates to that software?
30. Does the device have the capability to protect data during a power failure or other emergency?
31. Can the device be configured to encrypt ePHI if it is transmitted via a network or removable
    media?
32. Can the device be configured to encrypt ePHI that is stored on the device?
33. If your device supports encryption, describe how. (This field is open-ended.)
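As an added illustration (not part of the checklist and not any vendor's device software), the following Python models how a device could satisfy the password, logon, inactive-session and audit questions (3 to 13 and 15): passwords of at least 6 characters with one alpha and one numeric character, stored only as salted hashes, lockout after 5 consecutive failed logons, a forced change after an administrator reset, an inactivity timeout that requires a new logon, and audit records carrying a unique record number, user id, time and originating source. The 300-second timeout and the PBKDF2 parameters are assumptions, and the sample users and passwords are constructed.

```python
import hashlib, hmac, os, time

MIN_LENGTH = 6       # question 4: passwords of at least 6 characters
MAX_FAILURES = 5     # question 8: suspend access after 5 consecutive failures
IDLE_TIMEOUT = 300   # question 11: seconds of inactivity; the value is an assumption


def password_acceptable(pw: str) -> bool:
    """Questions 4 and 5: minimum length plus one alpha and one numeric character."""
    return (len(pw) >= MIN_LENGTH and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def _digest(pw: str, salt: bytes) -> bytes:
    # Question 7: only a salted PBKDF2 hash is ever kept (round count is an assumption)
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class DeviceAuth:
    def __init__(self):
        self.users = {}   # user id -> salt, hash, consecutive failures, must-change flag
        self.audit = []   # question 15: unique record number, user, time, source, event

    def _log(self, user, source, event):
        self.audit.append({"record": len(self.audit) + 1, "user": user,
                           "time": time.time(), "source": source, "event": event})

    def set_password(self, user, pw, by_admin=False):
        if not password_acceptable(pw):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "hash": _digest(pw, salt),
                            "failures": 0, "must_change": by_admin}  # question 9
        self._log(user, "admin" if by_admin else user, "password set")

    def login(self, user, pw, source, now):
        rec = self.users.get(user)
        if rec is None or rec["failures"] >= MAX_FAILURES:
            self._log(user, source, "logon refused")   # question 13: refusals are logged
            return None
        if not hmac.compare_digest(_digest(pw, rec["salt"]), rec["hash"]):
            rec["failures"] += 1
            self._log(user, source, "logon failed")
            return None
        rec["failures"] = 0
        self._log(user, source, "logon")
        return {"user": user, "last_active": now, "must_change": rec["must_change"]}

    def session_active(self, session, now):
        # Questions 11 and 12: an idle session ends and a fresh logon is required
        return now - session["last_active"] < IDLE_TIMEOUT
```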
Definitions
Access violation log: Does the device log unauthorized attempts to access data?
Admin functions controlled: How does the device keep users from using system administrator functions?
Administrative functions logged: Does the device record system admin access and changes as well? This does not mean the biomed's service records, but the user's system admin.
Audit log protection: If audit logs are created, how long does the device automatically keep them?
Audit Logon time: Does the audit log include a date and time entry for logon and logoff?
Audit logs: Does the device maintain an audit log of all user activity in the areas identified? For a networked device that communicates with other devices or systems, does the device track which of these other devices engage in the identified activities?
Contact name: Who is filling out this form?
Data backup: Does the device use any automatic methods to store data?
Data Integrity: Examples of data integrity controls include checksum, read-back, hash counts, record counts, file update totals, input data checks.
Device Category: Recommend the use of ECRI's Universal Medical Device Nomenclature System.
Device Model: What is the model name or number?
Document ID: This is an optional box for vendors' convenience.
ePHI: Electronic Patient Health Information consists of individually identifiable information about a member's/patient's past, present or future physical or mental health condition, including name, address, MRN, age-related dates, telephone numbers, SSNs, health plan beneficiary numbers, URLs, IP addresses, and biometric identifiers, including finger and voice prints.
Encryption standard: Do you support 128 or 256 bit encryption? The answer field will accept text.
End-user password: An end-user is the technician or medical person who uses the equipment.
Exempt: Is the purpose of the device to continuously monitor and display physiological data to multiple staff in acute care settings? Is this device used in CCU/ICU/NICU/PICU/PACU, Surgery/OR, ED, Labor & Delivery? Generally, this equipment does not store ePHI, but transmits it to systems/devices that store and process the ePHI.
First logon: If a user's password has been changed by a system administrator, does the device have the ability to force the user to create an individual password at first logon?
Inactive sessions: If the user does not interact with the device (press keyboard, move mouse, etc.) for a defined period of time, does the device stop displaying the screen contents?
Inactivity timeout: If the device will interrupt inactive sessions, can you define the amount of time you wish?
Manufacturer: Who is the manufacturer of this system? e.g. Philips
Mask password: Can the user's passwords be changed into non-readable text while being typed?
Network dependent: Is the information kept on a central server?
Network domain access controls: If the user logs on to a Kaiser network (with logon and password) to gain access to the device in question, can the device be configured to recognize the KP network logon/password, or must the user have a separate logon and password to access the device?
Operating System: What operating system does this system use?
Password complexity: Can the device be configured to require that a user select a password that combines alpha characters, numbers, and/or symbols?
Password Length: Does the device have the ability to block passwords less than 6 characters long?
Password storage: When a user establishes their logon and password, does the device store that information in a file that is in clear readable text (for a system administrator, for example), or does the password file encrypt the data so that it is not readily detectable?
Password visibility: Can the device display passwords as hashed or equivalent so they don't display as text?
RACF: Resource Access Control Facility, IBM mainframe security software.
Remote access control: When someone remotely accesses the system for administration or service activity, are they required to go through a logon process just like any other user?
Security info protected: How does the device keep users from manipulating all auditing records?
Software Version: What version of the application software does this form refer to?
System integrity: Does the system track and log unauthorized attempts to break into the system?
Unique audit logs: Does the audit log maintain uniquely identified records associated with the user's id creating the audit entry?
Unique Identifier: For users, this means having an individual logon and password that associates the user with the work they perform on the system. Users are operators of the equipment, not service techs.
Unsuccessful logon: If someone repeatedly tries unsuccessfully to logon (doesn't know the correct password), will the system lock out further logon attempts from that account?
User passwords: Does this device have a vendor-supplied feature for individual passwords? Can the vendor configure individual password features for the medical device application? Once it is booted up, is there a way to establish user passwords?
User rights: Can the device be configured to assign different users specific functions within the system based on their work assignments?