RIVER HILLS COMMUNITY HEALTH CENTER

POLICY

ON

INFORMATION SYSTEMS ACCESS CONTROL

Submitted by: Curt Meeks, CO Policy #

Approved By: Policy Supersedes:

Date: Revised/Reviewed:

Policy

It shall be the policy of River Hills CHC that the use and access of River Hills CHC information systems is restricted to appropriately identified, validated and authorized individuals. Unauthorized access to River Hills CHC information systems is a violation of organizational policies and subject to formal discipline up to and including termination.

Purpose

The purpose of this policy is to comply with the HIPAA Privacy Rule and HIPAA Security Rule’s requirements pertaining to the acceptable use of River Hills CHC IT resources regarding protected health information (PHI) and electronic protected health information (EPHI).

River Hills CHC policies regarding privacy and security of PHI/EPHI reflect its commitment to protecting the confidentiality of patients’ medical records, patient accounts, clinical information held in management information systems, confidential conversations, and any other sensitive material produced in the course of doing business. While a commitment to privacy and security of PHI/EPHI is the expectation, an inappropriate or unintended disclosure of PHI/EPHI may still result in a privacy breach. This policy outlines the access controls that reduce the risk of such breaches, whether caused by willful violations or unintended actions, consistent with guidance described in the HIPAA and HITECH laws.

Overview

River Hills CHC’s intention for publishing this HIPAA Information Systems Access Control Policy is not to impose restrictions that are contrary to River Hills CHC’s established culture of openness, trust and integrity. River Hills CHC is committed to protecting employees, patients, partners and itself from illegal or damaging actions by individuals, either knowingly or unknowingly.

Effective HIPAA security is a team effort involving the participation and support of every River Hills CHC employee and affiliate that interacts with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.

Any time that protected health information (PHI) is referenced in this policy, it is referencing the HIPAA Privacy Rule; when electronic protected health information (EPHI) is referenced in this policy, it is referencing the HIPAA Security Rule.

Scope

This policy applies organization-wide.

Definitions

1.  Firewall shall mean a dedicated device, or software on a computer, that filters traffic between networks according to a defined rule set, so that the organization’s Internet connection passes through a single, controlled and more easily defended point.

2.  FTP shall mean File Transfer Protocol – used to move files.

3.  PDA shall mean Personal Digital Assistant – a term for any small, mobile, hand-held device that provides users with computing and information storage and retrieval capabilities; it may be used for personal or business purposes, often for keeping schedule calendars and address books.

4.  Router shall mean a device or, in some cases, software in a computer, that determines the next network point to which a packet should be forwarded toward its destination.

5.  SSH shall mean Secure Shell, a cryptographically protected remote login protocol that replaces the insecure telnet and rlogin protocols. It provides strong protection against password sniffing and third-party session monitoring, better protecting authentication credentials and privacy.

6.  Switch shall mean a device that channels incoming data from any of multiple input ports to the specific output port that will take the data toward its intended destination.

7.  Tokens shall mean a physical item used to prove identity as part of authentication. Typically, an electronic device (such as a smart card or key fob) that is presented to a door reader or inserted into or connected to a computer system to gain access.

8.  VPN shall mean Virtual Private Network, a private network constructed over a public service provider’s wires and networks (such as the Internet) to connect nodes. VPNs use encryption and other security mechanisms to ensure that only authorized users are able to access the network and that data cannot be read if intercepted.

Procedures

1. Access to EPHI

1.1 The use and access of River Hills CHC information systems is restricted to appropriately identified, validated and authorized individuals.

1.2  Valid business reasons are the only acceptable instances allowing for access to EPHI.

1.3  The Computer Network Administrator is responsible for setting up new users with accounts and passwords for the River Hills CHC domain, allowing access to the River Hills CHC network and computers. The Billing Manager is responsible for creating new user accounts in Dentrix and Centricity and for granting access rights to EPHI within those applications.

1.4  Access rights shall be periodically audited by the Privacy Officer.

1.5  The senior leadership team shall reevaluate access rights when an employee’s access requirements to EPHI change (e.g., job assignment change or termination). Modifications to workforce member’s access to IT resources shall be properly authorized, documented, and processed in accordance with the appropriate system access control procedures.

1.6  Access rights shall not exceed the minimum necessary for a workforce member’s assigned duties.

1.7  Security configurations shall be maintained on IT resources to restrict access to EPHI to only those workforce members or software programs that have been approved for and granted access.

1.8  The Billing Manager, with oversight and assistance from the Computer Network Administrator as needed, is authorized to create or change access to EPHI.

2.  User ID and Password Administration

2.1  River Hills CHC will utilize user authentication mechanisms for access to information systems. Each individual user will have a unique user name or number that will be used to sign-on to a network asset. This unique name or number shall be coupled with a password, PIN, or token.

2.2  Workforce members shall not share assigned unique system identifiers (or passwords) with any other person. The only exception is sharing in an emergency or for a specific support purpose, with the prior approval of the Computer Network Administrator; a password that has been shared in this way shall be changed as soon as the need has passed.

2.3  Anonymous access to any IT resource is prohibited.

2.4  Passwords must be in accordance with the Password Requirements Policy.

2.5  Passwords shall be protected whenever the system supports it: stored only in hashed (never plaintext) form and encrypted in transmission, or protected as otherwise deemed necessary by the risk analysis or evaluation in accordance with the River Hills CHC HIPAA Security Risk Management, Evaluation, and Audit Policy.

2.6  Passwords will be changed every 90 days.

2.7  Where available, password controls shall force password changes every 90 days.

2.8  Password controls shall lock out login accounts after three unsuccessful login attempts, where available. Electronic sessions shall be automatically terminated after a 10-minute period of inactivity.

2.9  Password protected screen savers shall be used on all systems, where available.
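The controls in 2.6 through 2.9 (90-day expiry, lockout after three failures, a 10-minute inactivity limit and a password-protected screen saver) map directly onto Windows domain and workstation settings. The following script is an added example of applying and then re-checking them; it is not part of the policy. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain-administrator session, and the domain name riverhills.local is a placeholder.

```powershell
# Added example: enforce Section 2 password controls on an Active Directory domain and a
# Windows host. Assumes the ActiveDirectory module and a domain-admin session.
Import-Module ActiveDirectory

$Domain = 'riverhills.local'   # placeholder domain name, not from the policy

# 2.6/2.7: passwords expire every 90 days. 2.8: lock the account after 3 failed logins.
# The policy does not set a lockout duration or observation window; 30 minutes is a
# common choice (the window must not exceed the duration).
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 3 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# 2.8: end interactive sessions after 10 minutes of inactivity. This registry value is
# the "Interactive logon: Machine inactivity limit" security option (seconds).
$SysPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $SysPolicy -Name InactivityTimeoutSecs -PropertyType DWord -Value 600 -Force | Out-Null

# 2.9: password-protected screen saver after 10 minutes for the current user profile.
# scrnsave.scr is the built-in blank screen saver.
$Desktop = 'HKCU:\Control Panel\Desktop'
Set-ItemProperty -Path $Desktop -Name 'SCRNSAVE.EXE'     -Value 'C:\Windows\System32\scrnsave.scr'
Set-ItemProperty -Path $Desktop -Name ScreenSaveActive   -Value '1'
Set-ItemProperty -Path $Desktop -Name ScreenSaveTimeOut  -Value '600'
Set-ItemProperty -Path $Desktop -Name ScreenSaverIsSecure -Value '1'

# Verification: read the effective settings back and flag drift from Section 2. Run this
# part alone during the periodic audit (1.4) to confirm the controls are still in place.
$Policy = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
$Checks = @(
    @{ Name = 'MaxPasswordAge 1-90 days';     Ok = ($Policy.MaxPasswordAge.Days -ge 1) -and ($Policy.MaxPasswordAge.Days -le 90) }
    @{ Name = 'LockoutThreshold == 3';        Ok = $Policy.LockoutThreshold -eq 3 }
    @{ Name = 'InactivityTimeoutSecs == 600'; Ok = (Get-ItemProperty -Path $SysPolicy).InactivityTimeoutSecs -eq 600 }
    @{ Name = 'ScreenSaverIsSecure == 1';     Ok = (Get-ItemProperty -Path $Desktop).ScreenSaverIsSecure -eq '1' }
)
foreach ($c in $Checks) {
    '{0,-30} {1}' -f $c.Name, $(if ($c.Ok) { 'OK' } else { 'DRIFT' })
}
```

The registry writes affect only the host they run on; in a domain the same values are normally pushed to every workstation through Group Policy, and the verification block is the part worth keeping as an audit check.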

3. Organization-wide Procedures for Terminating Workforce Member Access to IT Resources.

3.1  Routine Deactivation of IT Access. The workforce member’s direct supervisor is responsible for making appropriate and timely notification and request to the Human Resources (HR) Director and Computer Network Administrator for IT resource account deactivation.

3.2  Upon separation from employment or affiliation, or change of job responsibilities, the HR Director, in coordination with the Computer Network Administrator, shall make necessary changes to security levels within a reasonable time; except in the case of adverse separation, which will be done immediately.

3.3  Immediate Deactivation of IT Access. An employee’s access to IT resources can be immediately deactivated in the case of adverse termination. When deemed necessary, the HR Director is authorized to deactivate IT access prior to the start of the termination action.

3.4  Depending on the nature of the termination, physically escorting the employee while they collect their personal belongings and then off of the premises may be required.

3.5  If the terminated employee is the Computer Network Administrator, the following actions must be taken:

3.5.1  Ensure that device and server administrator passwords are recorded or available so that River Hills CHC does not get locked out of any device or server.

3.5.2  Do not allow the departing Computer Network Administrator access to any electronic device, since a disgruntled administrator could change device or server passwords. There are three aspects of denying access to consider:

a.  Physical access - Can the person get into the building?

·  Retrieve the person’s ID badge, keys, and/or network access token.

·  Consider changing the locks on all doors the person had access to as the person may have made copies of the keys.

b.  Remote access - Can the person remotely access the network?

·  If VPN access is available, delete account.

·  If terminal services is available, delete account.

·  If telnet is used for device access, delete account.

·  If file sharing (FTP or SSH server) access is available, delete account.

·  If web server access is available, delete account.

·  If modem access is available, delete account.

·  Change passwords for remote access programs (LogMeIn, TeamViewer, GoToMyPC) on all computers that have them installed, and remove any such program the administrator installed without a documented business need.

c.  Service access - Have access rights to applications been withdrawn?

·  Database servers

·  Active Directory servers

·  Any network devices; firewalls, routers, switches.

·  Proprietary software applications

3.5.3  Ensure the Computer Network Administrator returns all equipment in their possession, including PDAs, cell phones, smart phones, laptop, printer, etc.; if they were provided equipment to facilitate telework, make arrangements to retrieve that equipment.

3.5.4  Manually change the password or access information for every device or account in the River Hills CHC network.

3.5.5  As the Computer Network Administrator has access to everything on the network, they may have copied the password hashes of all users. Hashes can be cracked offline, quickly where users chose easy-to-guess passwords or the system stores unsalted hashes, so it may be necessary for all workforce members to change their passwords.

3.6  Notify all workforce members when employees are no longer employed so that other employees know not to allow the person access, either in person, or remotely.
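The account-side actions in 3.5.2(b) and (c), 3.5.4 and 3.5.5 can be scripted against Active Directory so that nothing depends on remembering each access path under pressure. The script below is an added example and not part of the policy; it assumes the ActiveDirectory module, a domain-administrator session that does not belong to the departing administrator, and placeholder values (the account name jdoe and the list of privileged groups) that should be replaced with the organization’s own.

```powershell
# Added example: Section 3.5 actions against Active Directory for a departing administrator.
# Assumes the ActiveDirectory module and a domain-admin session other than the departing one.
Import-Module ActiveDirectory

$Departing = 'jdoe'                       # placeholder sAMAccountName
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Remote Desktop Users'

# 3.5.2(b)/(c): disable the account first, then strip every group membership so that VPN,
# terminal services and application access that key off AD groups stop at the same time.
# Finally scramble the password so a re-enabled account cannot be used with the old secret.
Disable-ADAccount -Identity $Departing
Get-ADPrincipalGroupMembership -Identity $Departing |
    Where-Object { $_.Name -ne 'Domain Users' } |
    ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $Departing -Confirm:$false }
Set-ADAccountPassword -Identity $Departing -Reset `
    -NewPassword (ConvertTo-SecureString ([guid]::NewGuid().Guid) -AsPlainText -Force)

# 3.5.2(c): an administrator may hold more than one privileged identity. List every
# remaining member of each privileged group for a human to confirm, flagging accounts
# created in the last 90 days as candidates for back-door accounts.
$Cutoff = (Get-Date).AddDays(-90)
foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties whenCreated |
        ForEach-Object {
            $flag = if ($_.whenCreated -gt $Cutoff) { 'RECENT' } else { '' }
            '{0,-22} {1,-18} enabled={2} created={3:yyyy-MM-dd} {4}' -f `
                $g, $_.SamAccountName, $_.Enabled, $_.whenCreated, $flag
        }
}

# 3.5.5: the administrator could have dumped every password hash, so force a reset
# domain-wide. Accounts flagged PasswordNeverExpires (usually service accounts) cannot be
# forced this way and must have their passwords rotated by hand (3.5.4).
Get-ADUser -Filter "Enabled -eq 'True' -and PasswordNeverExpires -eq 'False'" |
    Set-ADUser -ChangePasswordAtLogon $true

# 3.5.4 applied to the domain itself: the krbtgt account's hash signs every Kerberos
# ticket. Reset it now, and reset it a second time after replication has completed,
# otherwise a stolen krbtgt hash still forges valid tickets.
Set-ADAccountPassword -Identity krbtgt -Reset `
    -NewPassword (ConvertTo-SecureString ([guid]::NewGuid().Guid) -AsPlainText -Force)
```

This covers only the directory; network devices, database servers, proprietary applications and local accounts on workstations that do not use domain authentication still need the manual password changes in 3.5.4, and the list printed by the privileged-group review is input for the Privacy Officer’s audit in 1.4, not a substitute for it.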

4. Enforcement. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5. Reference(s)

5.1  Health Insurance Portability and Accountability Act of 1996 (HIPAA) at 45 C.F.R. § 164.308; § 164.530.

5.2  The American Recovery and Reinvestment Act of 2009 (ARRA), Division A, Title XIII, Part 2, Subtitle D (Privacy), Sec. 13400 and Sec. 13402 of the HITECH Act.

5.3  River Hills CHC Password Requirements Policy

5.4  River Hills CHC HIPAA Security Risk Management, Evaluation, and Audit Policy
