HIPAA Access Control – Password Management, Encrypted VPNs

HIPAA Access control – A covered entity is required to implement technical policies and procedures for electronic information systems that maintain electronic protected health information, allowing access only to those persons or software programs that have been granted access rights as specified in the Administrative Safeguard Standard:  Information Access Management.

Four implementation specifications are associated with the HIPAA Access Control standard.

1. Unique User Identification (Required)

“Assign a unique name and/or number for identifying and tracking user identity.”

A unique user identifier allows an entity to track specific user activity when that user is logged into an information system. It enables an entity to hold users accountable for functions performed on information systems with EPHI when logged into those systems.

2. Emergency Access Procedure (Required)

“Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.”

Access controls are necessary under emergency conditions, although they may be very different from those used in normal operational circumstances. Covered entities must determine the types of situations that would require emergency access to an information system or application that contains EPHI.

3. Automatic Logoff (Addressable)

“Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.”

Automatic logoff is an effective way to prevent unauthorized users from accessing EPHI on a workstation when it is left unattended for a period of time.

4. Encryption and Decryption (Addressable)

“Implement a mechanism to encrypt and decrypt electronic protected health information.”

If information is encrypted, there would be a low probability that anyone other than the receiving party who has the key to the code or access to another confidential process would be able to decrypt (i.e., translate) the text and convert it into plain, comprehensible text.

Questions to consider

The questions here relate to the controls in place for employees and contractors who manage IT infrastructure and hosted systems

Does your organization require all of your third party suppliers to adhere to the types of requirements of this section?

Is there a documented process for access control based on business risk and security requirements?

Is there a formal process whereby management approves the granting of user access?

A formal process includes a focus on ensuring authorized user access, and preventing unauthorized user access, to information and information systems.  Formal procedures should be in place to control the allocation of access rights. These procedures covering all stages in the life-cycle of user access, from provisioning to de-provisioning. They should also include special attention to control of privileged (“super-user”) access rights and those users who must access machines that contain PHI.

Is there a formal process for revoking leavers’ access rights to systems?

A formal process should be in place for user registration and de-registration procedures. These procedures are for granting and revoking access to all information systems and services.  In addition to assignment of unique user-IDs to each user, this includes: documentation of approval from the information system owner for each user’s access; confirmation by a reviewing party (supervisor or other personnel) that each user’s access is consistent with business purposes and with other security controls (e.g., segregation of duties); giving each user a written statement of their access rights and responsibilities; requiring users to sign statements indicating they understand the conditions of access ; immediately changing/eliminating access rights for users who have changed roles or left the organization; and checking for and removing redundant or apparently unused user-IDs.

Is there a formal process for controlling the allocation and use of administrative privileges?

Allocation and use of access privileges should be restricted and controlled.  This includes: development of privilege profiles for each system, based on intersection of user profiles and system resources; granting of privileges based on these standard profiles when possible; a formal authorization process for all privileges, with additional review requirements for exceptions to standard profiles; and maintaining a current record of privileges granted.

Does your organization have a password policy that includes each of the following? If administrator / privileged accounts are subject to different password policies, please distinguish this in your response  to the following:

  • Minimum password length?
  • Password complexity rules?
  • Password expiry period?
  • Password history to prevent re-use of recent passwords?
  • requirement on the user to change a reset password on first use?

Does each user have a unique (non-generic) login ID?

Is system access granted on a least-privilege basis (only the minimum required to do the job)?

Does your organization have a Data Loss Prevention (DLP) system in place to detect and prevent sensitive data or PI from being copied or transmitted to unauthorized recipients or devices? If YES, please describe the solution and related compliance processes, including monitoring and escalation.

You can restrict outbound requests to a whitelist of Ips for DLP. You can also leverage Symantec Data Loss Prevention.

Are encrypted VPNs used for all remote access to internal systems?

Is two-factor (e.g. token) authentication required for remote access?

Do third party interfaces restrict access in line with your organizations access control policy?

Are screen savers activated on unattended equipment after 15 minutes or less?

Is a clear-desk policy implemented within the organization?