12.5 DEVICE AND MEDIA CONTROLS

Standard: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

The sale, transfer, or disposal of computers, software or other electronic devices and media can create information security risks for a covered entity. These risks are related to potential violation of software license agreements, unauthorized disclosure of confidential healthcare information, sensitive trade secrets, copyrights, and other intellectual property that might be stored on the hard disks and other storage media.

Many covered entities do not enforce strict control over the movement of equipment and electronic media onto, off and within their facilities, especially for laptops, PDAs and other handheld or portable medical devices. Without adequate physical controls in place, it would be very difficult for a covered entity to ensure that its ePHI is not disclosed in an unauthorized manner. Therefore, this standard requires all covered entities to establish and implement policies and procedures that reduce the risks associated with this security gap to a reasonable and appropriate level acceptable to the organization. This standard applies to all equipment and electronic media, including contractors' or consultants' personal devices that are used for the covered entity's work, as long as they contain ePHI. This standard goes beyond the normal expectation of applying security controls to the receipt and removal of these items into and out of a facility: it also requires governance of the movement of these items within the facility.

Given the proliferation of laptops, PDAs and handheld devices with wireless capability in healthcare corporate environments, it is unrealistic to expect manually implemented policies and procedures to enforce device and media control requirements when hundreds of devices and media come and go daily in a large organization. Large covered entities should explore technical solutions to support this important direction. For example, a covered entity can implement a centralized bar code system at its physical entrance area to allow automatic check-in and check-out of equipment and media; a system record is generated and maintained appropriately. To be compliant with this requirement, the movement of hardware and electronic media within the facility should also follow a defined policy and procedure. Any movement, including receipt, transfer and turnover, should follow a defined procedure. Small covered entities can establish policies and procedures to meet this requirement with a manual process.

Further, if a covered entity ships or transports equipment and media containing protected health information, a formal system with receipts through a credible carrier should be established to ensure that shipped materials have been properly received and that accountability has been transferred to the receiving party. The procedure should include standards for wrapping and marking shipped media that both minimize the likelihood of its being identified as containing protected health information and prevent tampering. A procedure should be in place to report lost devices and media immediately.

A covered entity needs to explicitly define which types of devices and electronic media require this type of security control, what needs to be documented (movement into and out of the facility, movement within the facility), who will maintain the records, and which third-party carrier is used between the covered entity and its business associates. It should also ask itself: 'If this piece of ePHI is disclosed to the public and liability becomes an issue, can we trace the source of the disclosure?'

While the 'Device and Media Controls' standard must be met and the specifications for disposal and media re-use must be implemented, each covered entity must assess the need to implement the two addressable specifications: accountability, and data backup and storage. For example, a small covered entity would not likely be involved in the large-scale moves of equipment that require systematic tracking, unlike large health care providers or health plans. Therefore, a small covered entity may not need to implement these two addressable specifications while still providing reasonable and sufficient device and media control. This decision must be based upon the covered entity's risk analysis and risk management process.

To implement this requirement, a covered entity can follow these steps:

  1. Develop a formal device and media control policy:

    1. Defining the covered entity's security objectives and requirements for device and media control, and,

    2. Defining the organizational structure, roles and responsibilities for this business function.

  2. Develop a formal device and media control procedure:

    1. Establishing device and media management procedures to track all physical assets that contain sensitive data by configuration and location, and,

    2. Defining tracking requirements with devices and media receipts, reuse, moving and disposal, and,

    3. Defining acceptable final data disposition technical requirements, and,

    4. Standardizing systems, utilities and tools that must be used in this process, and,

    5. Documenting and following strict data sanitization routines to dispose of ePHI when equipment is removed from service, and,

    6. Periodically reviewing data disposal procedures for adequacy, completeness and scope, and failure analysis, and,

    7. Developing a process to ensure that data is securely disposed of when external contracts are terminated, including at off-site back-up locations and on non-company equipment, and,

    8. Establishing a process to ensure the same level of requirements is met when a service provider is contracted for sanitizing data on hard drives, disposal, maintenance or other tasks that would give non-employees access to corporate data at their sites.

  3. Implement this policy and procedures:

    1. Providing detailed training for the technical staff who are in charge of this function, and,

    2. Developing a security audit program to ensure that established policies are followed accurately.

12.5.1 Disposal (Required)

Implementation Specification: Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

Sensitive ePHI could be leaked to outside persons through careless disposal of media. The secure disposal of electronic PHI depends upon properly designed policies and procedures. Within this implementation specification, the covered entity must create a policy and process that includes the following components that address the secure disposal of media and assets that contain electronic PHI.

It would be ideal if a covered entity could explicitly define a list of the hardware and electronic media that require secure disposal. This list should include servers and workstations, PDAs, medical equipment, magnetic tapes, removable disks or cassettes and optical storage media. The list should also include network equipment and all manufacturer software distribution media. It may be easier to arrange for all hardware and electronic media items to be collected and disposed of securely, rather than attempting to separate out the sensitive items.

Formal procedures for the secure disposal of media should be established to minimize this exposure. Formal procedures must be followed when computer system hardware and/or media are sold, transferred, or disposed of. The procedures also apply to contractor-supplied computers. Before a computer system is sold, transferred, or otherwise disposed of, all sensitive and/or confidential program or data files on any storage media must be completely erased or otherwise made unreadable in accordance with technical measures, unless there is specific intent to transfer the particular software or data to the purchaser/recipient. The computer system must be relocated to a designated, secure storage area until the data can be erased. Hard drives of surplus computer equipment must be securely erased within a defined period of time after replacement. Whenever licensed software is resident on any computer media being sold, transferred, or otherwise disposed of, the terms of the license agreement must be followed. After the sanitization of the hard drive has been completed, the process must be certified and a record maintained as specified by the agency's records retention schedule. Disposal of sensitive items should be logged where possible in order to maintain an audit trail. When accumulating media for disposal, consideration should be given to the aggregation effect, which may cause a large quantity of unclassified information to become more sensitive.

Electronic media containing ePHI should be disposed of securely and safely when no longer required. Clearing data (deleting files) removes information from storage media in a manner that renders it unreadable unless special utility software or techniques are used to recover the cleared data. A clearing process may be acceptable if the media will be reused within the same covered entity. However, because the clearing process does not prevent data from being recovered by technical means, it is not an acceptable method of sanitizing storage media. Technical measures must sufficiently erase or overwrite media, based upon their physical attributes, before disposal. A covered entity must define and strictly follow the organization's accepted methods to expunge ePHI from storage media. Sanitization must be performed on hard drives to ensure that information is removed from the hard drive in a manner that gives assurance that the information cannot be recovered. Before the sanitization process begins, the computer must be disconnected from any network to prevent accidental damage to the network operating system or other files on the network.

There are three acceptable methods to be used for the sanitization of hard drives depending upon the operability of the hard drive: Overwriting, Degaussing, and Physical Destruction. If the operable hard drive is to be removed from service completely, it must be physically destroyed or degaussed. If the hard drive is inoperable or has reached the end of its useful life, it must be physically destroyed or degaussed. Operable hard drives that will be reused must be overwritten prior to disposition. Hard drives must be destroyed when they are defective or cannot be repaired or sanitized for reuse. Physical destruction must be accomplished to an extent that precludes any possible use of the hard drive. This can be attained by removing the hard drive from the cabinet and removing any steel shielding materials and/or mounting brackets and cutting the electrical connection to the hard drive unit. The hard drive should then be subjected to physical force (pounding with a sledgehammer) or extreme temperatures (incineration) that will disfigure, bend, mangle or otherwise mutilate the hard drive so it cannot be reinserted into a functioning computer.

If there is any risk of disclosure of sensitive data on media other than computer hard drives, the appropriate sanitization procedures should be followed. Particular attention should be paid to floppy disks, tapes, CDs, DVDs, optical disks and nonvolatile memory devices. A reasonable standard for purging magnetic media containing protected health information by overwriting is a one-time bit-by-bit method that wipes the entire piece of media. The government standard for declassifying media is a three-time overwrite: the first overwrite with a character or character string, the second with the binary complement of the first, and the third with any character or character string.
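The three-time overwrite described above, as an added example that is not from the book: a Python routine that writes a character, then its binary complement, then a final character across a file standing in for a drive, reads each pass back for verification, and returns a per-pass record of the kind the disposal procedure asks to be certified and retained. The 0x55/0x00 patterns, the chunk size and the residue check are my choices; the run assumes magnetic media, where each logical write reaches the physical location.

```python
import os
import tempfile

CHUNK = 64 * 1024  # constructed streaming block size; a real drive is written the same way


def _fill(fh, size, pattern):
    """One full overwrite of the media with a single repeated byte value."""
    block = bytes([pattern]) * CHUNK
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        fh.write(block[:n])
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())  # push the pass through the OS cache before verifying


def _verify(fh, size, pattern):
    """Read the media back and confirm every byte holds the expected pattern."""
    expected = bytes([pattern]) * CHUNK
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        if fh.read(n) != expected[:n]:
            return False
        remaining -= n
    return True


def three_pass_overwrite(path, first=0x55, third=0x00):
    """Three-time overwrite: a character, its binary complement, then any
    character. Returns [(pass_no, pattern, verified), ...] as the record to
    keep with the sanitization certificate."""
    passes = [first, (~first) & 0xFF, third]
    size = os.path.getsize(path)
    record = []
    with open(path, "r+b") as fh:  # r+b keeps the size; we overwrite in place
        for no, pattern in enumerate(passes, start=1):
            _fill(fh, size, pattern)
            record.append((no, pattern, _verify(fh, size, pattern)))
    return record


def contains(path, needle):
    """Residue check: scan the media for a known fragment of the original data."""
    keep = len(needle) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return False
            if needle in tail + chunk:
                return True
            tail = (tail + chunk)[-keep:] if keep else b""


def sanitize_demo():
    """End-to-end run on a temporary file holding constructed sample ePHI."""
    sample = b"PATIENT: Jane Doe, MRN 000123 (constructed sample record)\n" * 2000
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
        path = tmp.name
    try:
        record = three_pass_overwrite(path)
        return {"record": record,
                "residue": contains(path, b"Jane Doe"),
                "size_unchanged": os.path.getsize(path) == len(sample)}
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(sanitize_demo())
```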

Many organizations offer collection and disposal services for equipment and media. Care should be taken in selecting a suitable contractor with adequate controls and experience. Even if the third party is liable for an unauthorized disclosure, the covered entity's reputation may still be harmed. Many enterprises will decide that the most effective approach to secure data sanitization is to let an external service provider handle the task. However, outsourcing is no panacea and does not absolve the enterprise of the responsibility for secure data sanitization. A covered entity should thoroughly investigate any service provider selected to ensure that it follows appropriate data security and sanitization processes. When contracting with a service provider for data sanitization, a covered entity should include asset tracking, a validation process, a certificate of data destruction and, if possible, indemnification for improper data disposal.

To comply, a covered entity can follow these steps:

  1. Develop a formal device and media disposal policy:

    1. Identifying the authorization process and the authorized personnel who perform the secure disposal function, and,

    2. Defining device and media disposal documentation requirements, and,

    3. Identifying acceptable technical requirements and methods of safe, unrecoverable disposition of devices and media.

  2. Develop a formal device and media disposal procedure:

    1. Defining a technical sanitization procedure for overwriting, degaussing and physically destroying devices and media, and,

    2. Defining acceptable device and media sanitization software and tools.

  3. Implement these policies and procedures:

    1. Providing training for the technical personnel in charge of device and media disposal, and,

    2. Providing security awareness education for the entire workforce on how to properly dispose of ePHI.

12.5.2 Media Re-use (Required)

Implementation Specification: Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

Similar to disposal, the covered entity must ensure that there are procedures in place to address the secure re-use of media that contain electronic PHI. A covered entity should take the necessary measures to sufficiently erase or overwrite media before re-use. Even though it is common to refer to the data cleansing process as sanitization, it is important to make some distinctions. 'Clearing' is not the same as sanitization. Clearing data removes information from hard drives in a manner that renders it unreadable unless special utility software or techniques are used to recover the cleared data. Clearing doesn't permanently delete the data. Sanitization is the process of removing sensitive data from media in such a way that it is beyond the reach of all ordinary and most laboratory recovery methods. Because the clearing process does not prevent data from being recovered by technical means, it is not an acceptable method of final disposition of ePHI or sanitizing ePHI from media. Clearing is acceptable for media re-use when redeploying it internally within an enterprise. Simply deleting the data is not sufficient.

Although media re-use allows a covered entity to apply a less stringent technical solution and process than disposal, re-use under this specification should be limited to the same covered entity and the same classification of data. If the media is to be used by other organizations, the technical measures for disposal should be followed.

  1. Develop a formal device and media re-use procedure:

    1. Identifying acceptable technical requirements and methods of safe, unrecoverable disposition of ePHI data on the media and devices to be reused, and,

    2. Updating asset owner, inventory and documentation prior to re-use, and,

    3. Specifying the acceptable device and media clearing or sanitization software and tools.

  2. Implement this procedure:

    1. Providing training for the personnel in charge of device and media re-use, and,

    2. Providing awareness education for the entire workforce on how to properly reuse certain types of media.

12.5.3 Accountability (Addressable)

Implementation Specification: Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

It would be difficult for a covered entity to legally defend its compliance unless it knows exactly where its ePHI resides. The complete and up-to-date inventory of devices and media implied in this standard is also a sound business practice. Inventories of hardware and electronic media help ensure that adequate asset protection takes place. They may also be required for other business purposes, such as insurance, financial, health and safety reasons. The process of compiling and maintaining an up-to-date inventory of hardware and electronic media is also an important aspect of risk management. A covered entity needs to be able to identify the relative value and importance of its assets through the Application and Data Criticality Analysis covered under the Contingency Plan. Without adequate inventory control, a covered entity cannot provide 'reasonable and appropriate' levels of protection commensurate with the value and criticality of the assets.

Appropriate protection of organizational assets should be maintained through each asset's life cycle starting with purchasing and ending with final disposal. Each asset should be clearly identified, accounted for and have a nominated owner or custodian. Accountability for assets helps to ensure that the responsibility for the maintenance of appropriate controls is assigned and appropriate protection is maintained. While responsibility for implementing controls may be delegated, accountability should remain with the nominated owner of the asset until it is transferred to the next nominated owner. The ownership, asset security classification, together with its present location should be documented. The owner should also be responsible to authorize, track and maintain appropriate records on all the movements of the asset. This will ensure the actions of a person relative to the receipt and removal of hardware and electronic media into, out of and within a facility can be traceable to the source.

Although HIPAA standards generally only cover hardware and electronic media that house or transmit ePHI, a covered entity should consider it good business practice to include all physical assets, such as all computer equipment and media, communications devices and other technical equipment. Sufficient detail should be spelled out in the procedures to address the routine movement of physical assets that come and go constantly, such as laptops, PDAs or hard drives. A bar code system may help with this effort for a large covered entity, and can be combined with other inventory controls the organization may already have in place. No hardware or electronic media should be moved from its present location without authorization. Where necessary and appropriate, equipment should be logged out and logged back in when returned.

A small covered entity with a small number of personnel and equipment can simply document their equipment, name an owner for each, and make the owner accountable for tracking the movement of equipment. Systematic tracking may not be necessary and could be very counter-productive.
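The system record behind the bar code check-in/check-out described in the standard's overview, together with the accountability rules above (a nominated owner who stays accountable until transfer, authorization before movement, log-out and log-in, an audit trail that traces each movement to a person), as an added Python example that is not from the book. The "facility:"/"offsite:" location prefixes, the authorizer role and the asset identifiers are my constructed conventions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass(frozen=True)
class Movement:
    """One entry in the movement record: what moved, where, and who is responsible."""
    when: str
    asset_id: str
    action: str       # receipt, checkout, checkin, move, transfer, disposal:<method>
    responsible: str  # the person accountable for this movement
    frm: str
    to: str


class CustodyLedger:
    """Asset register plus an append-only movement record for hardware and media."""

    def __init__(self, authorizers=()):
        self.assets: Dict[str, dict] = {}
        self.record: List[Movement] = []
        self.authorizers = set(authorizers)  # constructed role, e.g. the security office

    def _log(self, asset_id, action, by, frm, to):
        self.record.append(Movement(datetime.now(timezone.utc).isoformat(),
                                    asset_id, action, by, frm, to))

    def _authorized(self, asset_id, by):
        # Accountability stays with the nominated owner until it is transferred.
        return by == self.assets[asset_id]["owner"] or by in self.authorizers

    def receive(self, asset_id, owner, location, classification, by):
        """Receipt of a device or medium into the facility; it gets a nominated owner."""
        if asset_id in self.assets:
            raise ValueError(f"{asset_id} already registered")
        self.assets[asset_id] = {"owner": owner, "location": location,
                                 "classification": classification, "in_service": True}
        self._log(asset_id, "receipt", by, "external", location)

    def move(self, asset_id, to, by):
        """Movement within, out of, or back into the facility; the owner must authorize."""
        a = self.assets[asset_id]
        if not a["in_service"]:
            raise ValueError(f"{asset_id} has already been disposed of")
        if not self._authorized(asset_id, by):
            raise PermissionError(f"{by} is not accountable for {asset_id}")
        frm = a["location"]
        if to.startswith("offsite:") and not frm.startswith("offsite:"):
            action = "checkout"   # logged out of the facility
        elif frm.startswith("offsite:") and not to.startswith("offsite:"):
            action = "checkin"    # logged back in on return
        else:
            action = "move"       # movement within the facility
        a["location"] = to
        self._log(asset_id, action, by, frm, to)
        return action

    def transfer(self, asset_id, new_owner, by):
        """Hand accountability to the next nominated owner."""
        if not self._authorized(asset_id, by):
            raise PermissionError(f"{by} cannot transfer {asset_id}")
        old = self.assets[asset_id]["owner"]
        self.assets[asset_id]["owner"] = new_owner
        self._log(asset_id, "transfer", by, old, new_owner)

    def dispose(self, asset_id, by, method):
        """Final disposition (e.g. overwrite, degauss, destroy) closes the asset's record."""
        if not self._authorized(asset_id, by):
            raise PermissionError(f"{by} cannot dispose of {asset_id}")
        a = self.assets[asset_id]
        a["in_service"] = False
        self._log(asset_id, f"disposal:{method}", by, a["location"], "disposed")

    def responsible_for(self, asset_id):
        return self.assets[asset_id]["owner"]

    def history(self, asset_id):
        """Trace every movement of one asset back to the responsible person."""
        return [m for m in self.record if m.asset_id == asset_id]
```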

To implement this specification, a covered entity can follow these steps:

  1. Develop a formal information asset accountability process:

    1. Defining accountability requirements for all information assets, and,

    2. Establishing and maintaining a complete, accurate and up-to-date inventory of systems that house/transmit ePHI, and,

    3. Assigning device and media control responsibility for information assets to information custodians, and,

    4. Defining a process to maintain accountability via appropriate authorization and documentation throughout the device and media life span.

  2. Implement this process:

    1. Providing training for information custodians, and,

    2. Providing awareness education for the entire work force, and,

    3. Implementing a technical solution such as a bar code system to ease the administrative burden while providing a practical and sustainable solution.

12.5.4 Data Backup and Storage (Addressable)

Implementation Specification: Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

A covered entity should already be backing up electronic PHI on a routine basis as part of the implementation of the Data Backup Plan requirements under the Contingency Plan standard. These plans should identify what is backed up (i.e., ePHI, the application software, other information), the frequency of the back-up process, on what media the back-ups are stored, how they are tested, and where they are stored. For large covered entities where backups of all systems are performed, the data backup plan should also define what ePHI needs to be retrievable and what backup method is considered capable of creating exact copies that allow the entity to continue business in the face of damage or destruction of data, hardware, or software. For example, databases and source data will need to be retrievable while aggregated reporting data or operating systems may not. In small offices or for departmental systems, however, it is important to ensure that components of the operating system that change as data are processed are also backed up. A copy of the application software may be available through the vendor, but not if the software has been customized by the provider.

This 'addressable' implementation specification requires each covered entity to assess the need for an additional safeguard precaution by creating another retrievable, exact copy of ePHI before movement of any equipment. This will ensure that any ePHI updates since the last successful routine backups are captured and the movement of equipment does not cause accidental permanent loss or destruction of data. Detailed back-up technical procedures for ePHI should be spelled out in the implementation of this specification.

A frequent problem in data backup and storage is the lack of back-up system testing. Error-check programs can ensure the integrity of the back-up, but full restoration testing should also be performed. Although offsite storage of backups is generally required under the data backup plan, it may not be necessary under this specification if the movement of equipment is within the same facility and temporary in nature. Still, a covered entity should not leave the back-ups right beside the system itself. Access to the media should be secured and extra environmental precautions are required.

Physical security requirements apply not only to stored back-ups but to all ePHI storage. Healthcare facilities are cautioned that the weakest link in securing health information is often not in the file area, data center, or even warehouse, but in the storage of shadow records, stand-alone servers, individual databases, copies, preliminary reports, drafts, worksheets, and other documents that are not a part of the official medical record but still contain health information.

In a small covered entity's office environment, it may well be unreasonable and inappropriate to make another retrievable, exact electronic copy of the data when moving the equipment. An alternative could be to perform an error checking or system testing of the existing routine backup tapes. In some situations, it may well be more practical and affordable to make paper copies of the data as a sufficient safeguard measure.

To implement this specification, a covered entity can follow these steps:

  1. Develop a formal data backup and storage process:

    1. Defining data backup requirement prior to the movement of equipment, and,

    2. Defining secure storage requirements for backup media.

  2. Implement this process:

    1. Providing awareness and training for the personnel in charge of equipment movement, and,

    2. Providing utilities and tools as defined in the data backup plan for this task.




HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181
