DEPARTMENT: Information Technology & Services / POLICY DESCRIPTION: Information Security – Appropriate Access Conformance and Monitoring
PAGE: 1 of 3 / REPLACES POLICY DATED: 2/25/98, 8/1/99, 4/14/03 (IS.AA.014), 4/21/05, 1/15/10
EFFECTIVE DATE: November 1, 2012 / REFERENCE NUMBER: IS.SEC.021
APPROVED BY: Ethics and Compliance Policy Committee
SCOPE: All workforce members with access to Company information systems identified in the Information Systems Account Management Key Applications List (ISAM-KAL). The Policy specifically addresses the required monitoring responsibilities of individuals designated as facility reviewer(s). The Facility Privacy Official (FPO) and/or the Facility Information Security Official (FISO) are responsible for coordinating this policy with the facility committee responsible for Privacy and/or Information Security.
PURPOSE: To provide facility leadership with requirements to develop, document, and maintain its Information Systems Account Management (ISAM) processes needed to validate on a periodic basis that each workforce member’s access to patient information in certain key systems (defined in the ISAM-KAL) is appropriate to the individual’s job role. Facilities must periodically audit and report on these key systems in order to detect any potentially inappropriate or unauthorized access to patient information or other Sensitive information as defined by Information Security Standards. Appropriate Access Conformance and Monitoring supports federal regulations such as HIPAA and Sarbanes-Oxley.
POLICY:
1. Each workforce member’s continued access to Company information systems identified in the ISAM-KAL must be monitored and analyzed by designated facility reviewer(s) through the use of available reporting tools and/or audit trail reports. See the Procedure section below for reviewer criteria.
2. At a minimum, the Facility Security Committee must annually review and document the scope, frequency, and role(s) responsible for performing the required access reviews for information systems noted in the ISAM-KAL.
3. If the facility is part of a MEDITECH shared market, findings from the review of shared database users must be reviewed by the Multi-Facility Security Committee or equivalent committee designated to address issues in shared markets.
4. It is ultimately the responsibility of the facility’s leadership team to ensure that its monitoring program detects and prevents irregularities in the normal course of business.
DEFINITIONS:
Information Systems Account Management Key Applications List (ISAM-KAL) – This is a spreadsheet maintained by Information Security which lists current applications within the scope of certain policies and standards related to Account Management and appropriate access. This list is stored on Atlas and is updated regularly as new processes allow more applications to be added.
Break Glass feature – This is an emergency feature that some critical patient care applications have which prevents a user from being locked out of a patient record and enables emergency access.
PROCEDURE:
Reviewer Criteria: The designated facility reviewer(s) for each information system must have knowledge of the workforce members’ roles in the organization and each workforce member’s current responsibilities.
Monitoring of Information System User Accounts and Activity
  1. The designated facility reviewer for each information system identified in the ISAM-KAL must present issues and trends identified in the review summary to the Facility Security Committee.
  2. All monitoring reports must be maintained in compliance with Federal requirements, State requirements, and the facility’s retention policy.
  3. Unless mandated by state requirements, monitoring reports for clinical systems must not be combined with a patient’s clinical record and must not be disclosed beyond authorized committee use.
  4. The following are examples of scenarios and MEDITECH-specific reports that should be included in the local monitoring program and reviewed by the committee responsible for Privacy and/or Information Security:
     a. High Risk Scenarios: The monitoring program should identify certain high risk scenarios, such as monitoring employee access to VIP or high-profile patients. The facility should identify the high risk areas to monitor, as well as the frequency and process, for systems in the ISAM-KAL.
     b. Break Glass Scenario: When this type of auditing functionality is available in a system, the monitoring program should identify users who have performed the Break Glass function to access a patient record. If the audit trail records the reason for breaking the glass, the monitoring program should focus on incidents where “Other” is listed as the reason, or where the Break Glass function was used to access records of VIPs or other high-profile patients.
     c. MEDITECH Reports:
        - PCI Maintenance Utilization Reports: These reports identify users accessing patient clinical information in PCI, and include the date and time of access and the type of data viewed. The report can be run by patient, user, device or time, and for confidential patients or sealed patients.
        - Self Assign Report: Identifies users who have performed the self assign function, the reason for self-assigning, and whether the user “added” the patient to their list. Includes patients that have ever had a visit to the facility(s) included in the facility selection. Higher risk Self Assign use may be determined through use of the following reports:
            - Reason for Self-Assign
            - Self-Assign to a Confidential Patient
        - MIS User Emulation Log: Identifies users who have used emulation and those users that were emulated, at the patient name/account level.
        - Other MEDITECH Reports that should be evaluated for use in the local monitoring program are listed in Section 7 of the MEDITECH Appropriate Access Toolkit.

REFERENCES:
  1. IS.SEC.020 – Information Security – Physician and Physician Office Staff Policy
  2. AM.IC.01 – Electronic Data Classification Standard
  3. COM.M.03 – Monitoring System Use Standard
  4. Information Systems Account Management Key Applications List
  5. MEDITECH Appropriate Access Toolkit
  6. Information Systems Account Management (ISAM) Manual
  7. Information Security Guidance: Implementing an ISAM Framework
  8. Information Security Guidance: Managing Access for Parallon Workforce Management Solutions Nurses

9/2012