Access of Vendors to Information Systems Containing ePHI - 45 CFR 1
Message #233 of 641
Questions:
(1) If a vendor is a business associate, are there any additional requirements necessary to ensure vendor access to the system (and ePHI) is appropriate? Should these vendors sign a user/access agreement stating they will only use the account when contacted for support or other issues?
(2) Does anyone provide restrictions to these vendors from accessing systems 24 hours each day, seven days a week? If so, how do you do this? (i.e., disable the account until needed).
(3) If a vendor does have access to a system 24 hours per day, does the Business Associate agreement ensure that, if there are any security breaches or incidents, the vendor can be held liable?
(4) How are vendor user accounts provided? If a vendor organization is sharing one user account, what procedures are in place to ensure accountability of the access?
Response: These are all good questions, and they should be part of your baseline gap assessment survey questions. The survey should have questions at the organization level to determine policy, and questions at the department and system level to determine gaps in procedure, implementation and audit. Any mitigation should be documented. 45 CFR 164.308(b)(1) requires the CE to obtain assurances from the BA that they will abide by the agreement to safeguard the confidentiality, integrity, and availability of the ePHI. I have found that maintenance and configuration management may be the biggest issue when it comes to vendors that have the capability to implement updates, revisions, and perform flaw remediation.
 
I have provided some excerpts from DRAFT NIST SP 800-53 Recommended Security Controls for Federal Systems (http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf) on system maintenance and flaw remediation. There are many more security controls that might apply to your specific organization. I recommend that at least one person in your organization familiarize themselves with NIST SP 800-53. You will notice that each of the security controls has three strength or robustness levels (basic, moderate, high). The strength of a security control may be based on the impact the organization would face should a threat source exploit a vulnerability. NIST determines this impact risk as security categorization. There are 3 impact levels (low, medium, high). For the NIST impact determination tools and more information on security categorization, see FIPS 199 Standards for Security Categorization of Federal Information and Information Systems (http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf). NIST provides the strength of a security control to mitigate risk appropriate for the security categorization. It will be difficult to determine "reasonable and appropriate" safeguards to mitigate risk. NIST provides guidance on the appropriate part; the CE will have to determine what is reasonable. If you are unfamiliar with the NIST enterprise-wide security risk management program, or how to use NIST SP 800-53, I have put together an audio/video recording that presents a high-level overview. This presentation spends about 30 minutes on how to use and navigate through NIST security controls found in NIST SP 800-53. This presentation is free, is available via the internet, and may be accessed via the link below:
 
http://www.placeware.com/cc/complyassistant/view?id=NZTQJ4
Requires Name, No password, then email address and Company Name. (1 hour 20 min).

For high-speed and broadband connections choose the 2nd file option. It is called "Microsoft Office Live Meeting Replay: Windows Media(TM)-formatted streamed audio & video". When the Windows Media window opens you can right-click on the window, then click on Zoom, and then click on Full Screen.

For 56K modems, your bandwidth will not support video. You can choose the 1st file option. It is called "Basic recording with Windows Media(TM) formatted streamed audio". You can listen to the recording. This may not be very helpful. If you can get to a PC with high-speed internet access, I would recommend viewing it this way.

Call Microsoft Live Meeting at 1-866-493-2825 (toll free in the US) if you have problems accessing the recording.
 
Regards,
Barbara McGowin, CPC
Executive Recruiting
HIT Recruiting
(843) 824-8537
mcgowins@...
Connecting Healthcare Organizations with People,
Products and Services to Achieve HIPAA Compliance.
------------------------------------------------------------------------------
 
A selection of security controls from DRAFT NIST SP 800-53:
 
OPERATIONAL CONTROLS
 
FAMILY:
HARDWARE AND SOFTWARE MAINTENANCE (MA)
 
MA-1 PERIODIC MAINTENANCE
CONTROL OBJECTIVE: In accordance with organizational policy, detailed procedures are developed, documented, and effectively implemented to conduct periodic on-site and off-site maintenance of the information system and of the physical plant within which this information system resides.
CONTROL MAPPING: [NIST 800-26: 10.1.3, 10.2.1, 10.2.2; FISCAM: SC-2.4, SC-2.4, SS-3.1, SS-3.2, CC-2.1; ISO-17799: 7.2.4, 7.3.2; DCID 6/3: Maint-a, 8.B.8.c(1), 8.B.8.c(2), 8.B.8.c(3), 8.B.8.c(7), 8.B.8.c(8); CMS: 2.2.30, 5.9.10, 5.9.11]
MA-1.b
BASIC CONTROL: Comprehensive maintenance testing procedures exist that systematically schedule information system hardware for periodic maintenance inspections and testing to ensure the equipment operates within design specifications and is properly calibrated. Routine periodic hardware preventive maintenance is scheduled and performed in accordance with vendor specifications and in a manner that minimizes the impact on operations. Repairs and modifications to the physical components of a facility that are related to security (e.g., hardware, walls, doors, and locks) are documented. Regular and unscheduled hardware maintenance performed is documented. A maintenance log is maintained and includes: (i) the date and time of maintenance; (ii) name of the individual performing the maintenance; (iii) name of escort; and (iv) a description of the type of maintenance performed to include identification of replacement parts. Maintenance of information systems is performed on-site whenever possible. If information systems or system components are to be removed from the facility for repair, any component containing non-volatile memory is sanitized or appropriately cleared and its release is explicitly approved by an appropriate organization official. Maintenance changes that impact the security of the information system receive a configuration management review. After maintenance is performed on the information system, the security features are checked to assure that they are still functioning properly. Maintenance is performed in a manner that maintains security.
MA-1.e
ENHANCED CONTROL (Add to basic control): Problems and delays encountered, the reason and elapsed time for resolution are recorded and analyzed to identify recurring patterns or trends. Management periodically reviews and compares the service performance achieved with goals and surveys user departments to see if their needs are being met. Procedures include checks to be performed and assigned responsibilities for conducting these checks to periodically ensure that the procedures are being correctly applied and consistently followed.
MA-1.s
STRONG CONTROL: To be defined.
 
MA-2 MAINTENANCE TOOLS
CONTROL OBJECTIVE: In accordance with organizational policy, detailed procedures are developed, documented, and effectively implemented to control and monitor the use of maintenance tools.
CONTROL MAPPING: [NIST 800-26: 10.1.3, 11.2.4; DCID 6/3: Maint-c, 8.B.8.c(4), 8.B.8.c(5), 8.B.8.c(6)(all)]
MA-2.b
BASIC CONTROL: Introduction of network analyzers (e.g., sniffers) that allow maintenance personnel the capability to monitor the content of network traffic are approved by an appropriate organization official prior to being introduced into an information system. If maintenance personnel bring diagnostic test programs (e.g., software/firmware used for maintenance or diagnostics) into a facility, the media containing the programs are checked for malicious code before the media is connected to the information system.
MA-2.e
ENHANCED CONTROL (Add to basic control): Before leaving the facility, the media are checked to assure that no organizational information has been written on it. All diagnostic equipment and other devices carried into a facility by maintenance personnel are handled as follows: (i) all diagnostic and test equipment is inspected for obvious improper modification; (ii) maintenance equipment that has the capability of retaining information is appropriately sanitized before being released; (iii) if the equipment cannot be sanitized, the equipment remains within the facility or is destroyed, unless explicit exception is authorized by an appropriate organization official. Replacement components that are brought into the facility for the purpose of swapping with facility components are allowed. However, any component placed into an information system remains in the facility until proper release procedures are completed. Any component that is not placed in an information system may be released from the facility. Procedures include checks to be performed and assigned responsibilities for conducting these checks to periodically ensure that the procedures are being correctly applied and consistently followed.
MA-2.s
STRONG CONTROL: To be defined.
 
MA-3 REMOTE MAINTENANCE
CONTROL OBJECTIVE: In accordance with organizational policy, detailed procedures are developed, documented, and effectively implemented to provide additional controls on remotely executed maintenance.
CONTROL MAPPING: [NIST 800-26: 10.1.1; FISCAM: SS-3.1, AC-1; ISO-17799: 9.4.5; DCID 6/3: Maint-d, 8.B.8.d(all)]
MA-3.b
BASIC CONTROL: Installation and use of remote diagnostic links are specifically addressed in the security plan and agreed to by the authorizing official. Remote diagnostic or maintenance services are acceptable if performed by a service or organization that implements for its own information system the same level of security as that implemented on the information system being serviced. The communications links connecting the components of the information system, associated information communications, and networks are protected in accordance with the FIPS Publication 199 security category of the information that may be transmitted over the link. If remote diagnostic or maintenance services are required from a service or organization that does not implement for its own information system the same level of security as that implemented on the system being serviced, the system being serviced is sanitized and physically separated from other information systems prior to the connection of the remote access line. If the information system cannot be sanitized (e.g., due to a system failure), remote maintenance is not allowed. Unless an exception has been granted by an appropriate organization official, maintenance personnel accessing the information system at the remote site are cleared to the highest FIPS Publication 199 security category of information processed on that system, even if the system was downgraded/sanitized prior to remote access. An audit log is maintained of all remote maintenance, diagnostic, and service transactions including all commands performed and all responses. The log is periodically reviewed by an appropriate organization official. Other techniques to consider for improving the security of remote maintenance include: (i) encryption and decryption of diagnostic communications; (ii) strong identification and authentication techniques, such as tokens; and (iii) remote disconnect verification. Where possible, remote sessions involve an interactive window for coordination with the information security official responsible for the system being serviced. When the remote maintenance has been completed, all sessions are terminated and the remote connection is also terminated. Authenticators (e.g., passwords) used during remote maintenance are changed following each remote maintenance service.
MA-3.e
ENHANCED CONTROL (Add to basic control): Keystroke monitoring is performed on all remote diagnostic or maintenance services. A technically qualified person reviews the maintenance log, and if appropriate, the audit log to assure the detection of unauthorized changes. Maintenance technicians responsible for performing remote diagnosis/maintenance are advised (e.g., contractually, verbally, or by banner) prior to remote diagnostics/maintenance activities that keystroke monitoring will be performed. Procedures include checks to be performed and assigned responsibilities for conducting these checks to periodically ensure that the procedures are being correctly applied and consistently followed.
MA-3.s
STRONG CONTROL: To be defined.
 
MA-4 MAINTENANCE PERSONNEL
CONTROL OBJECTIVE: In accordance with organizational policy, detailed procedures are developed, documented, and effectively implemented to control the authorization of an individual to perform maintenance.
CONTROL MAPPING: [NIST 800-26: 10.1.1, 10.1.3; FISCAM: SS-3.1; DOD 8500: PRMP-2; DCID 6/3: 8.B.8.a(all), 8.B.8.b(all)]
MA-4.b
BASIC CONTROL: The list of authorized maintenance personnel is documented. Only personnel authorized to do so perform maintenance on the information system. Except as authorized by the authorizing official, personnel who perform maintenance on the information system are authorized access to the highest FIPS Publication 199 security category of information processed on that system. Such personnel who perform maintenance or diagnostics on an information system do not require an escort, unless need-to-know controls must be enforced. However, a facility employee who is authorized to access the highest FIPS Publication 199 security category of information and, when possible, technically knowledgeable, is present within the area where the maintenance is being performed to assure that the proper security procedures are being followed. Foreign nationals (with proper authorizations) may be utilized as maintenance personnel for those information systems jointly owned and operated by the US and a foreign allied government, or those owned and operated by foreign allied governments. Approvals, consents, and detailed operational conditions are fully documented within a Memorandum of Agreement. A person not authorized access to the information system may be used to perform maintenance on the system provided an escort who is authorized access and is technically qualified monitors and records that person's activities in a maintenance log.
MA-4.e
ENHANCED CONTROL (Add to basic control): Prior to maintenance, the information system is completely cleared and all nonvolatile information storage media removed or physically disconnected and secured. When an information system cannot be cleared, approved procedures are enforced to deny the maintenance personnel visual and electronic access to any organization information that is contained on the system. Procedures include checks to be performed and assigned responsibilities for conducting these checks to periodically ensure that the procedures are being correctly applied and consistently followed.
MA-4.s
STRONG CONTROL (Add to basic control; the second paragraph below is the text that differs from the enhanced control, set in bold in the NIST draft):
Prior to maintenance, the information system is completely cleared and all nonvolatile information storage media removed or physically disconnected and secured. When an information system cannot be cleared, approved procedures are enforced to deny the maintenance personnel visual and electronic access to any organization information that is contained on the system.
For US-owned and operated information systems, maintenance personnel must be US citizens. A separate copy of the operating system and application software, including any micro-coded floppy disks, cassettes, or optical disks that are integral to the information, that has not been used in the processing of organizational information is used for all maintenance operations performed by personnel not authorized access to information processed by the system. The copy is labeled "For Maintenance Only" and protected in accordance with procedures established in the security plan.
Procedures include checks to be performed and assigned responsibilities for conducting these checks to periodically ensure that the procedures are being correctly applied and consistently followed.
 
MA-5 TIMELY MAINTENANCE
CONTROL OBJECTIVE: In accordance with organizational policy, detailed procedures are developed, documented, and effectively implemented to ensure that maintenance services and parts are available in a timely manner.
CONTROL MAPPING: [DCID 6/3: Maint-b; DOD 8500: COMS-2, COPS-2; CMS: 9.9.8, 5.9.9; FISCAM: SC-2.4]
MA-5.b
BASIC CONTROL: Spare or backup hardware is used to provide a high level of information system availability for organization applications. Maintenance support and critical maintenance spares and spare parts for [Assignment: list of key information system assets] can be obtained within [Assignment: time period (e.g., twenty-four hours)] of failure.
MA-5.e
ENHANCED CONTROL (Add to basic control): Maintenance support and critical maintenance spares and spare parts for all information system assets can be obtained within [Assignment: time period (e.g., twenty-four hours)] of failure. Procedures include checks to be performed and assigned responsibilities for conducting these checks to periodically ensure that the procedures are being correctly applied and consistently followed.
MA-5.s
STRONG CONTROL: To be defined.
 
MA-6 MAINTENANCE SCHEDULING
CONTROL OBJECTIVE: In accordance with organizational policy, detailed procedures are developed, documented, and effectively implemented to schedule maintenance operations and accommodate unscheduled maintenance with minimal mission impact.
CONTROL MAPPING: [NIST 800-26: 10.2.8, 10.2.11, 10.2.12; FISCAM: CC-2.2, SC-2.1, SC-2.4; CMS: 3.4.4, 5.9.5, 5.9.6]
MA-6.b
BASIC CONTROL: Changes of hardware equipment and related software are scheduled to minimize the impact on operations and users, thus allowing for adequate testing. A retrievable, exact copy of electronic information exists before movement of equipment used to process such information. Advance notification on hardware changes is given to users so that service is not unexpectedly interrupted. Emergency change requests are approved by management either prior or after the fact. Flexibility exists in the organization's operations to accommodate regular and a reasonable amount of unscheduled hardware maintenance. Version control is maintained and contingency plans are updated after any changes.
MA-6.e
ENHANCED CONTROL (Add to basic control): Procedures include checks to be performed and assigned responsibilities for conducting these checks to periodically ensure that the procedures are being correctly applied and consistently followed.
MA-6.s
STRONG CONTROL: To be defined.
 
FAMILY:
SYSTEM AND INFORMATION INTEGRITY (SI)
 
SI-1 FLAW REMEDIATION PROCESS
CONTROL OBJECTIVE: In accordance with organizational policy, detailed procedures are developed, documented, and effectively implemented to facilitate flaw remediation for the information system.
CONTROL MAPPING: [NIST 800-26: 10.3.2, 11.1.1, 11.1.2, 11.1.2, 11.2.2, 11.2.7; FISCAM: SS-2.2, CM-5; ISO-17799: 6.3.2, 6.3.3, 8.3.1, 8.4.3; DCID 6/3: Integrty2, F.2(all); CMS: 2.1.7, 3.5.3; DOD 8500: DCCT-1]
SI-1.b
BASIC CONTROL: Significant weaknesses in the operational information system are reported and effective remedial actions are taken. This includes the following:
Patch Management: Systems affected by recently announced software vulnerabilities are identified. Patches are installed on a timely basis and tested for effectiveness and potential side effects on the organization's information systems. There is verification that patches, service packs, and hot fixes are appropriately installed on affected systems.
System Software Problems: A log is used to record the problem, the name of the individual assigned to analyze the problem, and how the problem was resolved.
Malicious Code Screening: As needed, incoming information is reviewed for viruses and other malicious code. Anti-viral mechanisms are used to detect and eradicate viruses transported by e-mail or attachments. The information system is automatically safeguarded from virus infections from other sources as well (e.g., central choke points where diskettes are scanned for viruses prior to distribution). There is timely updating of those mechanisms intended to prevent the introduction of malicious code (e.g., updating anti-viral software).
Miscellaneous: Software is up-to-date (latest versions of service packs, patches, and hot fixes are installed). Security weaknesses are being reported and acted upon. Software malfunctions are being reported and acted upon. Hardware fault control routines are logged to indicate all detected errors and determine if recovery from the malfunction is possible.
SI-1.e
ENHANCED CONTROL (Add to basic control): Procedures include checks to be performed and assigned responsibilities for conducting these checks to periodically ensure that the procedures are being correctly applied and consistently followed.
SI-1.s
STRONG CONTROL: To be defined.
 
SI-2 PERSONNEL SUPERVISION
CONTROL OBJECTIVE: In accordance with organizational policy, detailed procedures are developed, documented, and effectively implemented to ensure adequate supervision of personnel and review of their activities.
CONTROL MAPPING: [NIST 800-26: 17.1.6, 17.1.8; FISCAM: AC-4.3, SD-2.2; ISO-17799: 8.4.2; CMS: 1.10.2, 4.2.2, 4.2.4, 4.4.2]
SI-2.b
BASIC CONTROL: Active supervision and review are provided for all personnel, including each shift for computer operations. Staff's performance is monitored on a periodic basis and controlled to ensure that objectives laid out in job descriptions are carried out. Supervisors routinely review user activity logs for incompatible actions and investigate any abnormalities. All mission/business partners are reviewed for compliance with information systems security requirements.
SI-2.e
ENHANCED CONTROL (Add to basic control): Procedures include checks to be performed and assigned responsibilities for conducting these checks to periodically ensure that the procedures are being correctly applied and consistently followed.
SI-2.s
STRONG CONTROL: To be defined.
 
SI-3 PROCEDURAL REVIEW
CONTROL OBJECTIVE: In accordance with organizational policy, detailed procedures are periodically reviewed.
CONTROL MAPPING: [NIST 800-26: 2.1.1, 6.1.2, 6.1.3; FISCAM: SP-5.1, SD-1, SD-1.1, SD-2.2; ISO-17799: 3.1.2; CMS: 3.1.2, 4.4.1; DOD 8500: DCAR-1]
SI-3.b
BASIC CONTROL: A review is conducted every [Assignment: time period (e.g., twelve months)] that comprehensively evaluates existing security policies and procedures to ensure procedural consistency and to ensure that they fully support the goal of enabling mission accomplishment. Access authorizations are periodically reviewed for incompatible functions. Management reviews are performed to determine that control techniques for segregating incompatible duties are functioning as intended and that the control techniques in place are maintaining risks within acceptable levels.
SI-3.e
ENHANCED CONTROL: To be defined.
SI-3.s
STRONG CONTROL: To be defined.
 
SI-4 SOFTWARE AND INFORMATION INTEGRITY
CONTROL OBJECTIVE: In accordance with organizational policy, automated mechanisms are in place and detailed supporting procedures are developed, documented, and effectively implemented to both protect against and to detect unauthorized changes to software.
CONTROL MAPPING: [NIST 800-26: 11.2.1, 11.2.4, 11.2.5, 11.2.9; ISO-17799: 8.7.6, 10.3.3; DCID 6/3: Integrty1, Integrty2, SysAssur1-b, SysAssur2, 7.B.2.a(1); DOD 8500: ECND-2, ECTM-2; FISCAM: AC-4]
SI-4.b
BASIC CONTROL: Integrity verification applications are available on the information system to look for evidence of information tampering, errors, and omissions. Tools for automatically monitoring the integrity of the information system and the applications it hosts are implemented. Good engineering practice with regard to commercial off-the-shelf integrity mechanisms, such as parity checks and cyclical redundancy checks, are employed. The operating system's operational status and restart integrity is protected during and after shutdowns. Mechanisms prohibit users from modifying the functional capabilities of boundary protection devices such as firewalls, gateways, and routers. There is limited write access to information system security capabilities (that is, the hardware, software, and firmware that perform operating system or security functions and the hardware, software, and firmware that must be relied upon in order for the system security functionality to operate correctly).
SI-4.e
ENHANCED CONTROL (Add to basic control): Message authentication codes, cryptographic hashes, digital signatures and digitally signed timestamps or notarizations are implemented using current standards (i.e., FIPS 198 HMAC, AES-MAC, FIPS 180-2, FIPS 186-3) or subsequently adopted standards, for ensuring the integrity of stored or archived files. Supporting procedures include checks to be performed and assigned responsibilities for conducting these checks to periodically ensure that the mechanisms are properly configured and the procedures are being correctly applied and consistently followed.
SI-4.s
STRONG CONTROL: To be defined.
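An added example, not code from the post or from NIST SP 800-53, showing how questions (2) and (4) above and the MA-3 remote maintenance text can be turned into an enforceable workflow: a vendor account is disabled by default, enabled only for a ticketed maintenance window, every session is logged against a named technician (so a shared vendor login still yields accountability), the account is disabled again at session end, and the authenticator must be rotated before the next window. The account, ticket and technician names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed example (added here; not code from the post or from NIST SP 800-53): a minimal
# just-in-time broker for vendor maintenance accounts following the MA-3 text. The account
# stays disabled until an approved ticket opens a window, each session is logged against a
# named technician and that ticket, the account is disabled again when the session ends,
# and the authenticator must be rotated before another window can be opened.

@dataclass
class Session:
    account: str
    technician: str                  # named individual behind a shared vendor login
    ticket: str
    started: datetime
    ended: "datetime | None" = None

@dataclass
class VendorAccount:
    name: str
    enabled_until: "datetime | None" = None   # None means disabled
    current_ticket: "str | None" = None
    needs_rotation: bool = False              # set after every service session

class VendorAccessBroker:
    def __init__(self) -> None:
        self.accounts = {}               # name -> VendorAccount
        self.audit_log = []              # every Session ever started

    def add_account(self, name: str) -> None:
        self.accounts[name] = VendorAccount(name)

    def rotate_authenticator(self, name: str) -> None:
        self.accounts[name].needs_rotation = False   # stand-in for an out-of-band reset

    def open_window(self, name: str, ticket: str, now: datetime, hours: int = 4) -> None:
        acct = self.accounts[name]
        if acct.needs_rotation:
            raise PermissionError(f"{name}: authenticator not rotated since last session")
        acct.enabled_until, acct.current_ticket = now + timedelta(hours=hours), ticket

    def start_session(self, name: str, technician: str, ticket: str, now: datetime) -> Session:
        acct = self.accounts[name]
        if acct.enabled_until is None or now > acct.enabled_until:
            raise PermissionError(f"{name}: account is disabled outside a maintenance window")
        if ticket != acct.current_ticket or not technician.strip():
            raise PermissionError(f"{name}: session needs the open ticket and a named technician")
        sess = Session(name, technician, ticket, now)
        self.audit_log.append(sess)      # MA-3: every remote session is logged
        return sess

    def end_session(self, sess: Session, now: datetime) -> None:
        sess.ended = now
        acct = self.accounts[sess.account]
        acct.enabled_until, acct.current_ticket = None, None   # back to disabled
        acct.needs_rotation = True       # MA-3: authenticator changed after each service

    def review(self, now: datetime) -> list:
        # MA-3: the log and account state are periodically reviewed by an official.
        findings = [f"{s.account}: session by {s.technician} still open"
                    for s in self.audit_log if s.ended is None]
        for a in self.accounts.values():
            if a.enabled_until is not None and now > a.enabled_until:
                findings.append(f"{a.name}: window expired but account still enabled")
            if a.needs_rotation:
                findings.append(f"{a.name}: authenticator not rotated after last session")
        return findings

def demo() -> dict:
    broker, acct, t0 = VendorAccessBroker(), "vendor_emr_support", datetime(2004, 10, 21, 5, 37)
    broker.add_account(acct)             # constructed vendor account
    try:
        broker.start_session(acct, "J. Doe", "CHG-0001", t0)
        blocked = False
    except PermissionError:
        blocked = True                   # disabled until a ticket opens a window
    broker.open_window(acct, "CHG-0001", t0)
    sess = broker.start_session(acct, "J. Doe", "CHG-0001", t0)
    broker.end_session(sess, t0 + timedelta(minutes=45))
    return {"blocked_before_window": blocked, "sessions": len(broker.audit_log),
            "enabled_after": broker.accounts[acct].enabled_until,
            "findings": broker.review(t0 + timedelta(hours=1))}
```

The review output is what an official would act on: an account still enabled after its window, a session never closed, or a vendor authenticator not yet rotated, each of which the MA-3 text calls out.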
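An added example, not the post's or NIST's code, of the SI-4.e requirement that stored files be integrity-checked with a FIPS 198 HMAC: it baselines the files under a directory, later reports changed, missing and added files, and keys the baseline manifest itself so a doctored baseline is rejected rather than trusted. The directory, key and file contents are constructed in a temporary directory.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed example (added here; not the post's or NIST's code): a keyed file-integrity
# baseline in the spirit of SI-4.e. An unkeyed hash list can be recomputed by whoever
# altered the file; an HMAC (FIPS 198, here with SHA-256 from FIPS 180-2) needs the key,
# and the manifest carries its own HMAC so a doctored baseline is rejected outright.

def file_hmac(key: bytes, path: str) -> str:
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def build_baseline(key: bytes, root: str) -> bytes:
    """Serialised baseline: per-file HMACs plus an HMAC over that list."""
    entries = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            entries[os.path.relpath(full, root)] = file_hmac(key, full)
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"entries": entries, "tag": tag}, sort_keys=True).encode()

def verify(key: bytes, root: str, baseline: bytes) -> dict:
    """Return changed/missing/added paths; raise if the baseline itself was altered."""
    doc = json.loads(baseline)
    body = json.dumps(doc["entries"], sort_keys=True).encode()
    expect = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, doc["tag"]):
        raise ValueError("baseline manifest fails its own HMAC; do not trust it")
    current = json.loads(build_baseline(key, root))["entries"]
    report = {"changed": [], "missing": [], "added": sorted(set(current) - set(doc["entries"]))}
    for path, mac in doc["entries"].items():
        if path not in current:
            report["missing"].append(path)
        elif not hmac.compare_digest(mac, current[path]):
            report["changed"].append(path)
    return report

def demo() -> tuple:
    """Constructed scenario: baseline two files, change one, add one, then forge the manifest."""
    key = b"constructed-demo-key; keep the real key off the monitored system"
    with tempfile.TemporaryDirectory() as root:
        def put(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        put("config.ini", b"audit=on\n")
        put("app.bin", b"\x7fELF-stub")
        baseline = build_baseline(key, root)
        put("config.ini", b"audit=off\n")          # tampered setting
        put("extra.so", b"unexpected library")     # unapproved addition
        report = verify(key, root, baseline)
        forged = json.loads(baseline)
        forged["entries"]["config.ini"] = "0" * 64 # entry rewritten without the key
        try:
            verify(key, root, json.dumps(forged).encode())
            forgery_caught = False
        except ValueError:
            forgery_caught = True
    return report, forgery_caught
```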

Thu Oct 21, 2004 5:37 am
