HIPAA Security Checklist for New Clinical Technology Equipment

Device Model / Manufacturer / Document ID / Today’s Date
Device Category / Software Version / Software Release Date / Operating System
Contact Name / Contact Title / Department / Other Contact
Company Name / Telephone # / 2nd Tele / email

The HIPAA Security Rule requires Kaiser Permanente to implement reasonable security controls on its Clinical Technology devices and computer systems. To assist Kaiser Permanente in determining the technical security measures available on your system, we are seeking the following information.

A. Does the device generate, process or store electronic Protected Health Information (ePHI)? / ______ Yes / No / N/A
User Accounts / YES / NO
1 / Can each individual user be uniquely identified by the device?
2 / Is the device capable of granting user rights, based upon user job responsibilities, for the following actions: (respond Y/N to each item)
2a / Create data
2b / Read data
2c / Update data
2d / Delete data
Passwords / YES / NO
3 / Does this device support user passwords? (This question refers to the interaction between a clinical user and the application/device.)
4 / Can the device be configured to require passwords of at least 6 characters?
5 / Is the device configurable to enforce entry of passwords containing at least one alpha and one numeric character?
6 / Can the device be configured to mask the password on the screen?
7 / Can the device be configured to require the storage of passwords in encrypted or hashed format, instead of readable text?
Log-On / YES / NO
8 / Can the device be configured to suspend user access after a defined number of consecutive, unsuccessful logon attempts of no more than 5 attempts?
9 / Is the device configurable to force passwords to be changed at first login if the password is reset by a system administrator or help desk?
10 / Can the device be configured to use current network logon access controls, i.e. user name and password?
Inactive Sessions / YES / NO
11 / Is the system configurable to interrupt inactive sessions after a defined period of inactivity?
12 / Once an inactive session is interrupted, is a password required to re-establish the session?
Audit Trail / YES / NO
13 / Can unsuccessful login attempts and access violations within the device be logged?
14 / Can successful login attempts by individuals and other systems be logged for the following actions: (respond Y/N to each item)
14a / Read data
14b / Create data
14c / Update data
14d / Delete data
14e / Transmit data
14f / Print data
15 / Are all audit logs identified by a unique record number or event activity report? If yes, does it include the following:
15a / Unique user identifier?
15b / Time and date?
15c / Originating source?
15d / Content (type of data being accessed)?
15e / User’s system logon and logoff with automatic date and time stamp?
16 / Can system administrative activities be logged?
17 / Is the device able to produce detailed audit logs for the info from questions 14 & 15 above?
18 / Are these audit logs protected against the following: (respond Y/N to each item)
18a / Unauthorized access
18b / Modifications
18c / Deletions
19 / Are these audit records readily available for:
19a / 90 days
19b / Archived for a minimum of 1 year?
System Administration / YES / NO
20 / Is your device network capable?
21 / Is your device network dependent? See definitions.
22 / Are system administration functions only available to designated system administrators?
23 / Can the device be configured to prevent remote administration or remote management services or tools from bypassing device access controls?
Integrity / YES / NO
24 / Are controls in place to ensure that data is not altered or destroyed?
25 / Is the device capable of preventing unauthorized changes to its programs or data?
26 / Is the device capable of data backup?
27 / Can backup be done through removable media?
28 / Is an automatic network-based backup configurable?
Security / YES / NO
29 / Does the system support anti-virus software and updates to that software?
30 / Does the device have the capability to protect data during a power failure or other emergency?
31 / Can the device be configured to encrypt ePHI if it is transmitted via a network or removable media?
32 / Can the device be configured to encrypt ePHI that is stored on the device?
33 / If your device supports encryption, describe how. (This field is open-ended.)
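The following is an added example, not part of the checklist and not any vendor's code. It models, in Python, the controls that questions 4, 5, 7, 8, 13 and 15 ask a device to support: a password of at least 6 characters with one letter and one digit, salted-hash storage instead of readable text, suspension of the account after 5 consecutive failed logon attempts, and audit records carrying a unique record number, user identifier, timestamp, originating source and content. All class and function names, the user IDs and the passwords are constructed for illustration.

```python
"""Added example: the account, password, lockout and audit controls this
checklist asks about, modelled as a small in-memory device authenticator.
Constructed for illustration; not vendor code."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

MIN_PASSWORD_LENGTH = 6      # question 4: at least 6 characters
MAX_FAILED_ATTEMPTS = 5      # question 8: suspend after no more than 5 failures
PBKDF2_ITERATIONS = 100_000  # work factor for the stored hash (question 7)


def password_meets_policy(pw: str) -> bool:
    """Questions 4 and 5: minimum length plus one alpha and one numeric character."""
    return (len(pw) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Question 7: store a salted PBKDF2-SHA256 digest, never the readable password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    user_id: str            # question 1: each user uniquely identified
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    suspended: bool = False


@dataclass
class AuditLog:
    """Question 15: every record gets a unique number, user id, time, source and content."""
    entries: List[dict] = field(default_factory=list)

    def record(self, user_id: str, action: str, source: str, content: str, outcome: str) -> dict:
        entry = {
            "record_no": len(self.entries) + 1,                 # 15: unique record number
            "user_id": user_id,                                 # 15a: unique user identifier
            "time": datetime.now(timezone.utc).isoformat(),     # 15b: time and date
            "source": source,                                   # 15c: originating source
            "content": content,                                 # 15d: type of data accessed
            "action": action,                                   # 15e: logon/logoff events
            "outcome": outcome,
        }
        self.entries.append(entry)
        return entry


class DeviceAuth:
    """In-memory stand-in for the device's user-account subsystem (hypothetical)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit = AuditLog()

    def create_user(self, user_id: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet length/complexity policy")
        salt, digest = hash_password(password)
        self.accounts[user_id] = Account(user_id, salt, digest)

    def logon(self, user_id: str, password: str, source: str = "console") -> bool:
        """Question 8 lockout and question 13 logging of unsuccessful attempts."""
        acct = self.accounts.get(user_id)
        if acct is None or acct.suspended:
            self.audit.record(user_id, "logon", source, "credentials", "denied")
            return False
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failed_attempts = 0
            self.audit.record(user_id, "logon", source, "credentials", "success")
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.suspended = True  # stays suspended until an administrator resets it
            self.audit.record(user_id, "logon", source, "credentials", "suspended")
        else:
            self.audit.record(user_id, "logon", source, "credentials", "failed")
        return False

    def logoff(self, user_id: str, source: str = "console") -> None:
        self.audit.record(user_id, "logoff", source, "session", "success")


if __name__ == "__main__":
    dev = DeviceAuth()
    dev.create_user("nurse01", "ward2024")          # constructed sample credentials
    print(dev.logon("nurse01", "ward2024"))          # True
    for _ in range(MAX_FAILED_ATTEMPTS):
        dev.logon("nurse01", "wrong1")
    print(dev.accounts["nurse01"].suspended)         # True
    for e in dev.audit.entries:
        print(e)
```

The policy constants sit at the top so a reviewer can compare them directly against the checklist thresholds; a vendor answering "Yes" to questions 4, 5 and 8 is asserting that its device exposes equivalent settings.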
Definitions
Access violation log / Does the device log unauthorized attempts to access data?
Admin functions controlled / How does the device keep users from using system administrator functions?
Administrative functions logged / Does the device also record system administrator access and changes? This does not mean the biomed's service records, but the user's system administration activity.
Audit log protection / If audit logs are created, how long does the device automatically keep them?
Audit Logon time / Does the audit log include a date and time entry for logon and logoff?
Audit logs / Does the device maintain an audit log of all user activity in the areas identified? For a networked device that communicates with other devices or systems, does the device track which of these other devices engage in the identified activities?
Contact name / Who is filling out this form?
Data backup / Does the device use any automatic methods to store data?
Data Integrity / Examples of data integrity controls include checksum, read-back, hash counts, record counts, file update totals, input data checks.
Device Category / Recommend the use of ECRI’s Universal Medical Device Nomenclature System.
Device Model / What is the model name or number?
Document ID / This is an optional box for vendors’ convenience.
ePHI / Electronic Protected Health Information consists of individually identifiable information about a member's/patient's past, present or future physical or mental health condition, including name, address, MRN, age-related dates, telephone numbers, SSNs, health plan beneficiary numbers, URLs, IP addresses, and biometric identifiers, including finger and voice prints.
Encryption standard / Do you support 128- or 256-bit encryption? The answer field accepts free text.
End-user password / An end-user is the technician or medical person who uses the equipment.
Exempt / Is the purpose of the device to continuously monitor and display physiological data to multiple staff in acute care settings? Is this device used in CCU/ICU/NICU/PICU/PACU, Surgery/OR, ED, Labor & Delivery? Generally, this equipment does not store ePHI, but transmits it to systems/devices that store and process the ePHI.
First logon / If a user’s password has been changed by a system administrator, does the device have the ability to force the user to create an individual password at first logon?
Inactive sessions / If the user does not interact with the device (press a key, move the mouse, etc.) for a defined period of time, does the device stop displaying the screen contents?
Inactivity timeout / If the device will interrupt inactive sessions, can you define the amount of time you wish?
Manufacturer / Who is the manufacturer of this system? e.g., Philips
Mask password / Can the user’s passwords be changed into non-readable text while being typed?
Network dependent / Is the information kept on a central server?
Network domain access controls / If the user logs on to a Kaiser network (with logon and password) to gain access to the device in question, can the device be configured to recognize the KP network logon/password, or must the user have a separate logon and password to access the device?
Operating System / What operating system does this system use?
Password complexity / Can the device be configured to require that a user select a password that combines alpha characters, numbers, and/or symbols?
Password Length / Does the device have the ability to block passwords less than 6 characters long?
Password storage / When a user establishes their logon and password, does the device store that information in a file that is in clear readable text (for a system administrator, for example) or does the password file encrypt the data so that it is not readily detectable?
Password visibility / Can the device display passwords as hashed or equivalent so they don't display as text?
RACF / Resource Access Control Facility, IBM mainframe security software.
Remote access control / When someone remotely accesses the system for administration or service activity, are they required to go through a logon process just like any other user?
Security info protected / How does the device keep users from manipulating all auditing records?
Software Version / What version of the application software does this form refer to?
System integrity / Does the system track and log unauthorized attempts to break into the system?
Unique audit logs / Does the audit log maintain uniquely identified records associated with the user’s id creating the audit entry?
Unique Identifier / For users, this means having individual logon and password that associates the user with the work they perform on the system. Users are operators of the equipment, not service techs.
Unsuccessful logon / If someone repeatedly tries unsuccessfully to log on (doesn't know the correct password), will the system lock out further logon attempts from that account?
User passwords / Does this device have a vendor-supplied feature for individual passwords? Can the vendor configure individual password features for the medical device application? Once it is booted up, is there a way to establish user passwords?
User rights / Can the device be configured to assign different users specific functions within the system based on their work assignments?
