HIPAA and Related Security Common Technical Requirements
In order to provide technical infrastructure and related product services to support HIPAA, IRS, CJIS and other related agency security requirements the State of Utah has identified the following as a preliminary common technical requirements set that encompasses security requirements for seven state agencies and the corresponding Federal requirements. These are technical requirements only and do not addrerss other legal requirements associated with privacy and access to information. These are draft technical requirements and have not received final approval.
Audit Trails: For any State of Utah operated network, functionality should be added for real‑time monitoring of networked and host‑based systems to detect security vulnerabilities and incidents. The minimum amount of information to be captured in an audit record is:
1. The identity of each user and, where possible, the device having access to the system or attempting to access the system.
2. The time and date of the access (synchronized with an atomic clock to the nearest 1/10 of a second), time and date of log off.
3. Any activities which might modify, bypass or negate security safeguards controlled by the computer system.
Identification: Each individual who is authorized to access sensitive/restricted information must be uniquely identified.
Intrusion Detection: State of Utah locations with hosts containing sensitive /restricted information must include intrusion detection systems. These intrusion detection systems must each be configured according to the specifications defined by ITS security in cooperation with agencies. Intrusion detection systems must notify technical staff in a position to take corrective action. In addition, all State of Utah locations must incorporate virus protection and removal software.
Logging: All transactions with sensitive/restricted information originating from State of Utah networks or access devices must be logged. Furthermore, all suspicious activity, which might be an indication of unauthorized usage or an attempt to compromise security measures must also be logged and reported to ITS Security. The integrity of these logs must be protected. These logs must be promptly removed from the recording systems and stored in a physically protected container for up to 7 years. Access methods to retrieve information from the logs must be provided, and, the logs must be reviewed periodically to ensure that the security standards are being met..
Physical Security: Resources present on state authorized networks must be physically secured from unauthorized persons.
System Design Documentation: Any agency using sensitive/restricted information must develop and maintain written documentation of the overall design and security features of their system. Overall design and security features must be reviewed, the implementation tested and the test results documented. In accordance with the intent of this document, results are considered sensitive/restricted information.
Vulnerability Assessment: Vulnerability checks must be conducted on the design, and periodically after implementation. Unless otherwise specified by statute or best practice, periodic testing shall occur at least every 12 months. Results of testing and vulnerability scanning must be documented and accessible only to authorized personnel.
Vulnerability Patching: Acting in cooperation with ITS and the CIO’s office, State Agencies are responsible for the application of fixes or measures to stop the exploitation of known vulnerabilities
8:02:29 AM
|