Bob Woolley's IT Weblog
Technical architecture and management and delivery of enterprise IT services.



 

 

Thursday, August 22, 2002
 

Ethernet Network Site

This site provides extensive information about Ethernet (IEEE 802.3) local area network (LAN) technology. This includes the original 10 Megabit per second (Mbps) system, 100 Mbps Fast Ethernet (802.3u), 1000 Mbps Gigabit Ethernet (802.3z/802.3ab), and 10 Gigabit Ethernet (802.3ae).

See http://www.ethermanage.com/ethernet/ethernet.html
2:08:33 PM    

HIPAA and Related Security Common Technical Requirements

In order to provide technical infrastructure and related product services to support HIPAA, IRS, CJIS and other related agency security requirements, the State of Utah has identified the following as a preliminary common technical requirements set that encompasses security requirements for seven state agencies and the corresponding Federal requirements. These are technical requirements only and do not address other legal requirements associated with privacy and access to information. These are draft technical requirements and have not received final approval.

Access Control: Access control mechanisms must be employed across all State of Utah networks to ensure a given user has been granted the permission to access a system resource in the manner authorized.

 

Advanced Authentication: Advanced authentication should be used in cases where untrusted inbound traffic (with the exception of Internet mail and push broadcasts) is accessing the authorized State of Utah network. Authentication of the unique user identity can be a unique encrypted logon and password combination and/or use of other authentication methods including but not limited to biometrics, smart cards, tokens, digital signatures (such as VeriSign), etc.

 

Audit Trails: For any State of Utah operated network, functionality should be added for real-time monitoring of networked and host-based systems to detect security vulnerabilities and incidents. The minimum amount of information to be captured in an audit record is:

1. The identity of each user and, where possible, the device having access to the system or attempting to access the system.

2. The time and date of the access (synchronized with an atomic clock to the nearest 1/10 of a second), time and date of log off.

3. Any activities which might modify, bypass or negate security safeguards controlled by the computer system.

 

Authorization: Once authenticated, users must be granted only specific access to the system’s resources that they require to perform their duties.

 

Encryption: To prevent unauthorized disclosure of sensitive and valuable information, all host access to restricted information to/from the state authorized network from unauthorized networks must be encrypted with no less than 128 bit encryption. File encryption must provide an equivalent level of protection. Examples of encryption mechanisms that provide 128 bit or better encryption are Secure Sockets Layer (SSL), Point-to-Point Tunneling Protocol (PPTP), Advanced Encryption Standard (AES), RSA (Rivest, Shamir & Adleman), Elliptic Curve Cryptography (ECC), etc.
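One practical way to enforce the 128 bit floor above for network access is to refuse any TLS cipher suite whose symmetric key is shorter than that. The following is an added example, not part of the original weblog entry or of any State of Utah code; it uses only Python's standard `ssl` module and OpenSSL's cipher-list syntax (the `HIGH` keyword selects suites with 128 bit or longer keys, `!aNULL`/`!eNULL` drop unauthenticated and null-encryption suites), and then checks the resulting context so a misconfigured build is caught before deployment.

```python
import ssl

MIN_KEY_BITS = 128  # floor stated in the encryption requirement


def make_context() -> ssl.SSLContext:
    """Client-side TLS context that refuses ciphers below the 128 bit floor.

    TLS 1.3 suites are always enabled by OpenSSL regardless of the cipher
    string; all of them use 128 bit or 256 bit keys, so they pass the check.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5")
    return ctx


def weak_ciphers(ctx: ssl.SSLContext, floor: int = MIN_KEY_BITS) -> list[str]:
    """Names of enabled suites whose key length is below the floor.

    An empty list means the context meets the requirement; anything else
    should fail the deployment check.
    """
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < floor]


def cipher_strength(name: str):
    """Key length in bits of one OpenSSL suite name, or None if the local
    OpenSSL build does not offer it at all."""
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        probe.set_ciphers(name)
    except ssl.SSLError:
        return None
    for c in probe.get_ciphers():
        if c["name"] == name:
            return c["strength_bits"]
    return None


if __name__ == "__main__":
    ctx = make_context()
    print("weak suites still enabled:", weak_ciphers(ctx) or "none")
    print("ECDHE-RSA-AES128-GCM-SHA256 ->", cipher_strength("ECDHE-RSA-AES128-GCM-SHA256"), "bits")
```

`weak_ciphers()` is the check worth running in a startup self-test: it reads back what OpenSSL actually enabled rather than trusting the cipher string, so a library upgrade that silently changes the meaning of `HIGH` is still caught.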

 

Firewalls: Prior to the deployment of State of Utah firewalls, a list of permissible paths with a justification for each access path must be submitted to ITS. Agency change control will be used to document all changes. Every network connectivity path not specifically permitted must be denied by firewalls. Permission to enable any paths will be granted by the agency security manager only when (1) the paths are necessary for important business reasons, and (2) adequate security measures will be used. State computer/data resources that exist on authorized networks must be protected from unauthorized traffic, with the exception of production services designed to be homed in a demilitarized environment (http, internet mail), or where stateful packet inspection is not required. At a minimum, traffic filter firewalls should have the ability to screen and log traffic at the network and transport protocol layers.
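The firewall clause describes three mechanical things: a registry of permitted paths that each carry a justification, a default-deny decision for everything else, and logging at the network and transport layers. The following added example models exactly that in Python; it is illustrative code written for this page, not a State of Utah tool, and the path registry is a constructed sample with documentation-range addresses rather than any real agency network.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Path:
    """One permitted connectivity path. The justification is mandatory:
    the requirement says every path submitted to ITS must carry one."""
    src: ipaddress.IPv4Network | ipaddress.IPv6Network
    dst: ipaddress.IPv4Network | ipaddress.IPv6Network
    proto: str        # "tcp" or "udp" (transport layer)
    dport: int
    justification: str


# Constructed sample registry (not Utah's real paths):
# (src CIDR, dst CIDR, proto, dport, justification)
PERMITTED_PATHS = [
    ("0.0.0.0/0", "203.0.113.10/32", "tcp", 443, "Public agency web portal homed in the DMZ"),
    ("0.0.0.0/0", "203.0.113.25/32", "tcp", 25, "Inbound Internet mail relay in the DMZ"),
    ("10.0.0.0/8", "10.20.0.5/32", "tcp", 1433, "Agency application servers to case-management DB"),
]


def load_paths(rows) -> list[Path]:
    """Build the permitted-path list, refusing any entry without a justification."""
    paths = []
    for src, dst, proto, dport, why in rows:
        if not why.strip():
            raise ValueError(f"path {src} -> {dst}/{proto}:{dport} has no justification")
        paths.append(Path(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                          proto.lower(), int(dport), why))
    return paths


def decide(paths: list[Path], src_ip: str, dst_ip: str, proto: str, dport: int):
    """Default-deny decision over network-layer (addresses) and transport-layer
    (protocol, port) fields. Returns (verdict, log_line)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in paths:
        # ipaddress membership is False across IPv4/IPv6, so mixed traffic is denied.
        if s in p.src and d in p.dst and proto.lower() == p.proto and dport == p.dport:
            verdict = "ALLOW"
            break
    else:
        verdict = "DENY"   # every path not specifically permitted is denied
    ts = datetime.now(timezone.utc).isoformat(timespec="milliseconds")
    return verdict, f"{ts} {verdict} {proto.upper()} {src_ip} -> {dst_ip}:{dport}"


if __name__ == "__main__":
    paths = load_paths(PERMITTED_PATHS)
    for pkt in [("198.51.100.7", "203.0.113.10", "tcp", 443),
                ("198.51.100.7", "10.20.0.5", "tcp", 1433),
                ("10.4.4.4", "10.20.0.5", "tcp", 1433),
                ("10.4.4.4", "10.20.0.5", "tcp", 22)]:
        print(decide(paths, *pkt)[1])
```

The load-time check is the point of the example: a path without a justification is rejected before it can ever be enforced, which is the same discipline the requirement asks of the list submitted to ITS.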

 

Identification: Each individual who is authorized to access sensitive/restricted information must be uniquely identified.

 

Intrusion Detection: State of Utah locations with hosts containing sensitive/restricted information must include intrusion detection systems. These intrusion detection systems must each be configured according to the specifications defined by ITS security in cooperation with agencies. Intrusion detection systems must notify technical staff in a position to take corrective action. In addition, all State of Utah locations must incorporate virus protection and removal software.

 

Logging: All transactions with sensitive/restricted information originating from State of Utah networks or access devices must be logged. Furthermore, all suspicious activity which might be an indication of unauthorized usage or an attempt to compromise security measures must also be logged and reported to ITS Security. The integrity of these logs must be protected. These logs must be promptly removed from the recording systems and stored in a physically protected container for up to 7 years. Access methods to retrieve information from the logs must be provided, and the logs must be reviewed periodically to ensure that the security standards are being met.
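The Audit Trails items above list the minimum fields of a record (user, device, timestamp, logoff, safeguard-affecting activity) and the Logging clause adds that log integrity must be protected and suspicious entries reported. The following added example, written for this page and not taken from the weblog or any state system, covers both: it writes records with those fields and chains them with HMAC-SHA256 so that editing, deleting or reordering any record is detectable. The key, the user and device names, and the events are all constructed; in practice the key would come from a protected store and the clock would be NTP-synchronized, neither of which is shown here.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: in production this key lives in a protected store and is not
# readable by the systems whose activity is being recorded. A constant here
# only so the example runs stand-alone.
LOG_KEY = b"example-only-key-replace-with-managed-secret"

# Events that item 3 of the audit-trail list and the Logging clause single
# out: anything that modifies, bypasses or negates a safeguard, or looks
# like an attempt at misuse. Constructed names for the example.
REPORTABLE_EVENTS = {"safeguard_change", "logon_failure", "privilege_change"}


class AuditLog:
    """Append-only audit log whose records are chained with HMAC-SHA256.

    Each tag covers the record body plus the previous record's tag, so a
    change anywhere breaks verification from that record onward.
    """

    def __init__(self, key: bytes = LOG_KEY):
        self._key = key
        self._anchor = b"\x00" * 32          # chain start for the first record
        self.records: list[tuple[bytes, bytes]] = []

    def _tag(self, body: bytes, prev: bytes) -> bytes:
        return hmac.new(self._key, prev + body, hashlib.sha256).digest()

    def record(self, user: str, device: str, event: str, detail: str = "") -> int:
        """Append one record carrying the minimum fields the requirement lists.
        Millisecond timestamps are finer than the 1/10 second called for."""
        ts = datetime.now(timezone.utc).isoformat(timespec="milliseconds")
        body = json.dumps(
            {"ts": ts, "user": user, "device": device, "event": event, "detail": detail},
            sort_keys=True,
        ).encode()
        prev = self.records[-1][1] if self.records else self._anchor
        self.records.append((body, self._tag(body, prev)))
        return len(self.records) - 1

    def verify(self):
        """None if the chain is intact, else the index of the first bad record."""
        prev = self._anchor
        for i, (body, tag) in enumerate(self.records):
            if not hmac.compare_digest(self._tag(body, prev), tag):
                return i
            prev = tag
        return None

    def reportable(self) -> list[int]:
        """Indexes of records that must be reported to ITS Security."""
        return [i for i, (body, _) in enumerate(self.records)
                if json.loads(body)["event"] in REPORTABLE_EVENTS]


def build_sample_log() -> AuditLog:
    """Constructed sample session (not real data): logon, one restricted
    read, one safeguard change, logoff."""
    log = AuditLog()
    log.record("jdoe", "ws-0042", "logon")
    log.record("jdoe", "ws-0042", "restricted_access", "read case file 1234")
    log.record("jdoe", "ws-0042", "safeguard_change", "disabled host firewall")
    log.record("jdoe", "ws-0042", "logoff")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() is None)
    print("report to ITS Security:", log.reportable())
    body, tag = log.records[1]
    log.records[1] = (body.replace(b'"ws-0042"', b'"ws-9999"'), tag)
    print("first bad record after tampering:", log.verify())
```

Chaining is what makes the "promptly removed and stored" step meaningful: once the last tag of a batch is copied to the physically protected store, anyone who can rewrite the recording system still cannot produce a batch that verifies against it.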

 

Physical Security: Resources present on state authorized networks must be physically secured from unauthorized persons.

 

System Design Documentation: Any agency using sensitive/restricted information must develop and maintain written documentation of the overall design and security features of their system. Overall design and security features must be reviewed, the implementation tested and the test results documented. In accordance with the intent of this document, results are considered sensitive/restricted information.

 

Vulnerability Assessment: Vulnerability checks must be conducted on the design, and periodically after implementation. Unless otherwise specified by statute or best practice, periodic testing shall occur at least every 12 months. Results of testing and vulnerability scanning must be documented and accessible only to authorized personnel.

Vulnerability Patching: Acting in cooperation with ITS and the CIO’s office, State Agencies are responsible for the application of fixes or measures to stop the exploitation of known vulnerabilities.


8:02:29 AM    

HIPAA References

 

There are a number of useful references for collaborative HIPAA security work going on in other states and related organizations from which the State of Utah can derive benefit. Among them are the following:

Federal Register, 45 CFR Part 142, Security and Electronic Signature Standards; Proposed Rule, 08/12/1998.
URL: http://aspe.os.dhhs.gov/admnsimp/nprm/seclist.htm

Federal Register, 45 CFR Parts 160 and 164, Standards for Privacy of Individually Identifiable Health Information; Final Rule, 12/28/2000.
URL: http://aspe.os.dhhs.gov/admnsimp/nprm/pvclist.htm

Fuller, Sandra. Journal of AHIMA, "Implementing HIPAA Security Standards," October 1999.
URL: http://www.ahima.org/journal/features/feature.9910.1.html

Hawaii Health Information Corporation.
URL: http://www.hhic.org

HIPAA Security Summit.
URL: http://www.wedi.org/public/articles/HSSGuidelines.doc

Idaho Department of Health & Welfare.
URL: http://www2.state.id.us/dhw/hipaa/home.htm

Minnesota Center for Healthcare Electronic Commerce.
URL: http://www.mhdi.org/mchec/hipaa/index.html

Nebraska Association of Hospitals and Health Systems.
URL: http://nahhsnet.org/html/HIPAA.htm

North Carolina Healthcare Information and Communications Alliance, Inc.
URL: http://www.nchica.org/HIPAA/HIPAA_intro.html

Pilot policies released to the general public by the Hawaii HIPAA Readiness Collaborative.
URL: http://www.hhic.org/hipaa/pilots.html

SANS.org policy templates.
URL: http://www.sans.org/newlook/resources/policies/policies.htm


7:48:50 AM    



© Copyright 2002 Bob Woolley.
Last update: 8/22/2002; 2:11:19 PM.