User management involves the tasks associated with supporting the end-user environment: account creation and management, creation of shares and home directories, management of group memberships, monitoring, and management of rights in Active Directory. It can be very labor intensive. Security also needs to be incorporated into end-user support functions such as the helpdesk, coordinated with procedures for problem resolution, and supported by security-focused knowledge bases. Activities can include:
Definition and implementation of user policies for information systems and data that parallel those for physical access to facilities and information;
Policies for workstation usage and location;
Development, testing, and production environments isolated from each other, data de-identified for test;
Helpdesk procedures including problem reporting, troubleshooting, and password procedures;
User guidelines related to entity authentication; and,
Internet access control policies and enforcement.
In the summary document, the analysis of the Security Rule is divided into the three main categories of safeguards: Administrative, Physical, and Technical. Two additional sections should also be included in the summary: 164.314 (Organizational Requirements) and 164.316 (Policies and Procedures and Documentation Requirements).
We can summarize the findings, based on the completed security survey and questionnaire, relative to each section of the rule. The presentation is in table form and concentrates on three topics: the current state (security posture) relative to the rule, a statement of the gaps, and a discussion of how each gap might be treated. Each section is then cross-referenced to a remediation category. This allows your organization to see how concentrating on one major area, such as developing an entity-wide security management program or enterprise system/network management, can remediate multiple gaps at once, and helps structure the compliance approach in the manner best suited to its business.
The following figure shows an example of the presentation.
CURRENT STATE ASSESSMENT
The agency developed a contingency plan for the last JCAHO inspection. This plan has not, however, been revised on a periodic basis.
The agency does have an enterprise-wide backup strategy.
The current plans do not address any extensive coordination with facilities regarding issues such as power, A/C, and personnel placement.
TIER is a critical information system for the agency, slowly becoming the central 'electronic' chart room. It was initially deployed as a single server without any regard for redundancy (i.e., a backup server).
The disk subsystem on the current TIER server is RAID-5, but the agency has not addressed other design considerations for high availability and/or business continuity that may become more critical in the future. Outages could take TIER off-line for an unspecified amount of time.
GAP
The agency does not have a routinely updated and tested contingency plan that meets the requirements of this section.
The agency should also perform a criticality analysis on its main information systems, chiefly TIER.
HOW THE GAP MIGHT BE TREATED
The agency needs to develop a full and formal contingency plan that incorporates current network, systems, and facility plans and meets the HIPAA 'availability' requirement. This plan should include:
The agency should consolidate all existing casual and undocumented backup and recovery practices into one all-encompassing and well-orchestrated plan with a clear sense of purpose.
The agency needs to develop procedures for reviewing, testing, and updating the contingency plan on a yearly basis. The greater the emphasis on, and awareness of, data protection, the more the agency's efforts will mitigate many worst-case 'human error' scenarios.
The agency should establish 'data center' guidelines for the server/server rooms covering cable management, rack space, labeling standards, adequate cooling for secure areas, access control, backup power, and environmental controls. This has a direct impact on security, allowing the server area to be physically secured without concern for environmental impact. These guidelines also contribute directly to agency disaster recovery/business continuity planning.
The agency needs to determine its operational model (e.g., 24 by 7) and the resulting requirements for TIER system availability. Then, based on availability requirements and cost, the agency should review the technical options and select a cost-effective solution that meets these availability requirements.
Remediation Categories: Business Continuity & Disaster Recovery, Security Management Program, Security / Network Management
Once the results are captured in the summary table for each area of the rule, they can be grouped by category and section of the regulation and mapped against the remediation strategy, as shown in the next table. The current state of each section was assessed and, based on the analysis, each section was assigned one of the following scores:
= No Compliance
= Partial Compliance
= Full Compliance
This example is based on a simple Yes, No, or Not Applicable answer for each question in the questionnaire that was used. The presentation can easily be adapted to a more quantitative approach if needed.
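The rollup described above, from Yes/No/Not Applicable answers to a three-level section score and then to a cross-reference of open gaps by remediation category, is shown here as an added example in Python. This is illustrative code written for this page, not the assessment tool or spreadsheet the document describes; the section identifiers, answers and category assignments are constructed sample data (the category names are taken from the example table above), and the scoring rule (all applicable answers Yes gives Full Compliance, some Yes gives Partial, none gives No Compliance, with Not Applicable answers excluded) is one reasonable reading of the text, not the authors' exact rule. It also carries the "more quantitative approach" one step further with a per-section compliance ratio.

```python
"""Constructed example: rolling questionnaire answers up into per-section
compliance scores and grouping the resulting gaps by remediation category.
Illustrative code written for this page, not the assessment tool the document
describes; section identifiers, answers and category assignments below are
constructed sample data."""
from collections import defaultdict

VALID_ANSWERS = {"Yes", "No", "N/A"}
NO_COMPLIANCE = "No Compliance"
PARTIAL_COMPLIANCE = "Partial Compliance"
FULL_COMPLIANCE = "Full Compliance"
NOT_APPLICABLE = "Not Applicable"


def score_section(answers):
    """Three-level score from the Yes/No/N/A answers for one section.

    N/A answers are excluded before scoring so an inapplicable question can
    never pull a section down. All applicable answers Yes -> Full Compliance,
    some Yes -> Partial Compliance, none Yes -> No Compliance; no applicable
    questions at all -> Not Applicable (the section is not counted as a gap).
    """
    unknown = set(answers) - VALID_ANSWERS
    if unknown:
        raise ValueError(f"unexpected answers: {sorted(unknown)}")
    applicable = [a for a in answers if a != "N/A"]
    if not applicable:
        return NOT_APPLICABLE
    yes_count = applicable.count("Yes")
    if yes_count == len(applicable):
        return FULL_COMPLIANCE
    if yes_count == 0:
        return NO_COMPLIANCE
    return PARTIAL_COMPLIANCE


def compliance_ratio(answers):
    """Quantitative variant of the same rollup: share of applicable questions
    answered Yes, or None when every question was N/A."""
    applicable = [a for a in answers if a != "N/A"]
    if not applicable:
        return None
    return applicable.count("Yes") / len(applicable)


def score_assessment(sections):
    """sections: {section_id: {"answers": [...], "categories": [...]}}.
    Returns {section_id: three-level score}."""
    return {sid: score_section(s["answers"]) for sid, s in sections.items()}


def gaps_by_category(sections):
    """Group every section that is not fully compliant under each remediation
    category assigned to it, ordered so the category that would close the
    most gaps comes first. This is the cross-reference the document describes:
    it shows where effort in one area remediates several gaps at once."""
    grouped = defaultdict(list)
    for sid, section in sections.items():
        score = score_section(section["answers"])
        if score in (FULL_COMPLIANCE, NOT_APPLICABLE):
            continue
        for category in section["categories"]:
            grouped[category].append(sid)
    return sorted(grouped.items(), key=lambda kv: (-len(kv[1]), kv[0]))


# Constructed sample: three questionnaire sections with their answers and the
# remediation categories an analyst assigned. Section numbers are illustrative.
SAMPLE_SECTIONS = {
    "164.308(a)(7) Contingency Plan": {
        "answers": ["Yes", "No", "No", "N/A"],
        "categories": ["Business Continuity & Disaster Recovery",
                       "Security Management Program"],
    },
    "164.314 Organizational Requirements": {
        "answers": ["No", "No"],
        "categories": ["Security Management Program"],
    },
    "164.316 Policies and Procedures": {
        "answers": ["Yes", "Yes", "N/A"],
        "categories": ["Security Management Program"],
    },
}

if __name__ == "__main__":
    for sid, score in score_assessment(SAMPLE_SECTIONS).items():
        ratio = compliance_ratio(SAMPLE_SECTIONS[sid]["answers"])
        suffix = "" if ratio is None else f" ({ratio:.0%} of applicable items)"
        print(f"{sid}: {score}{suffix}")
    for category, sids in gaps_by_category(SAMPLE_SECTIONS):
        print(f"{category}: closes {len(sids)} gap(s): {', '.join(sids)}")
```

With the sample data, the contingency plan section scores Partial Compliance (one of three applicable answers is Yes), 164.314 scores No Compliance, and 164.316 scores Full Compliance; the grouped view then shows that the Security Management Program category covers both open gaps, which is exactly the kind of concentration the text recommends looking for. Swapping `score_section` for a weighted rule is all that is needed to move to a more quantitative scheme.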