The reference guide is intended to serve as a “lowest common denominator” for UniCharts EMR system administrators to achieve and maintain satisfactory compliance with the HIPAA security and privacy regulations. It is about the administrative controls, physical measures and technical safeguards that need to be taken by the system administrators of covered entities where UniCharts EMR software is used to store and handle sensitive health information of the patients. Note that the security and privacy related functionality provided by UniCharts at the "software level" is discussed in a separate article linked herewith. Where applicable, the administrators should use those built-in security/privacy features of the EMR to implement the procedures recommended below and achieve HIPPA compliance. Moreover, the procedures presented here are not intended to be adopted in their entirety by all system administrators. Similarly, many administrators might have alternative processes and procedures in place that adequately meet the objectives defined in various sections of this guide. In those cases administrators may continue using those alternative procedures that they find equivalent or maybe more effective.
Before we begin, it is important to understand that the focus of HIPAA security and privacy rules is to protect the ‘confidentiality’, ‘integrity’, and ‘availability’ of electronic health information that a covered entity may create, receive, maintain, or transmit. The confidentiality is the assurance that electronic health data is shared only among authorized persons or organizations. The Integrity is the assurance that electronic health data is not changed unless an alteration is required, and that the information can be relied upon to be sufficiently accurate for its purpose. Finally, the Availability is the assurance that systems responsible for delivering, storing and processing critical electronic health data are accessible when needed, by those who need them under both routine and emergency circumstances. The HIPAA rule covers information stored not only on the computers' within the medical facility, but also on the removable or transportable digital memory media such as USB flash drives as well as information being transported electronically via the Internet, email or any other electronic means.
Administrative Access Controls
Eliminate generic user level accounts
Compliance with HIPAA requires knowing the identity of everyone who accesses/uses the computer on which EMR server program is installed. Since operating systems record activity based on the username used to log on, it means that each username should always correspond to a unique individual unless absolutely necessary. Regular user level access using generic or wildcard accounts must be removed or disabled. Note that the same applies to clincial users that you add to the EMR system. You should not allow a generic wildcard username to be used by multiple users of the EMR system at different times.
Restrict root access as much as possible
Some system level activities may require the use of the “administrator” or “root” account and more than one person may need access to that account. Remember that someone with “administrator” or “root” access can do anything they want, including “covering the tracks” of any actions they take. Therefore it is absolutely essential that root access is restricted only to those who actually need that level of access. The system administrator must know who has root access to the system at all times, and must review that list from time to time. It is also appropriate to restrict the route by which root access is made, for example the use of a biometric device to login.
Use strong passwords
Since the password is still the primary means of securing access to a computer account, it is essential that the password be “strong”. In general that means a password that is difficult to guess. A password should be at least 7 or 8 characters, and use a mixture of letters, numbers, and punctuation characters (if the system allows). Don’t make a password impossible to remember so that it has to be written down somewhere. If you do not have control over the passwords of your users, consider communications to your users reminding them of good password policies and practices. Note that the same applies to clincial users that you add to the EMR system. You should assign strong initial passwords and also encourage them to regularly change passwords with strong replacements.
Remove unused accounts
HIPAA requires the prompt termination of access to patient health information by those whose job function no longer requires access, or whose access requirement has changed. From the point of view of a system administrator, this means that if someone’s access to a computer is no longer appropriate or needed, the access password must be changed in order to deny access to that person. Note that the same applies to clincial users that you add to the EMR system. If there is a user who has left the institution or no longer performing clinical duties, you should either delete that account or, if it could not be deleted for audit purposes, change its login password to terminate the access.
Physical Access Controls
Remember physical access means full access
Remember that if someone has physical access to a computer, it is only a matter of time before he or she can have access to all the data on the computer. Inserting and then booting from a CD may give access within minutes. Similarly, removing a hard disk and installing it in another computer, though more time–consuming, will give access to all of the data stored on the hard disk.
Keep physical access as restricted as practical
Because physical access generally means full access, it is important to restrict physical access as much as possible. Physically locating the system in a separate room ensures a high–level of physical access control and should be considered. This may be a room with a keyed lock or an electronic lock such as a keypad or badge reader etc.
Review physical access regularly
The system administrator must know who has access to the room at all times and must review the list of those having access periodically. If it is required to limit someone’s access to the room, the key must be recovered or electronic access be removed by whatever means appropriate.
Consider privacy screens
The old style CRT style monitors have always had a wide horizontal angle from which the screen could be viewed. As flat panel screens have been perfected, their angle of view has also widened considerably. In both cases a wide angle of view may permit data to be viewed by prying eyes. If the display from which data on your system is viewed is under your control, consider installing privacy screens/filters to limit inappropriate and unauthorized viewing.
Develop, document, implement and follow a regular backup plan
Since the components of computer systems fail from time to time, it is imperative to consider the possibility that component failure may lead to loss of data. Various technologies are available to mitigate this risk but all have associated costs and a risk/benefit analysis is essential. The use of RAID (particularly RAID levels 1, 0+1 and 5) and other storage technologies can go a long way to mitigate component failure. However, hardware and/or software failure can lead to data corruption so it is usually essential to keep recent copies of critical data that can be restored in the event of data corruption. Thus a backup plan must be devised that takes into account all the types of failure that might occur and how these failures would be remediated. The plan must be written down, so that it can be understood by others. The plan must be followed diligently. The plan must also be tested to ensure that data that is backed up can be retrieved and restored when the need arises.
In addition to the automatic continuous backups, we recommend doing a manual full system backup on an external USB drive on a weekly basis. You may involve two USB drives in this process and use them in a round-robin fashion. Note that manual full system backups may be done easily on the Backup/Export tab on the EMR server, as shown in the knowledgebase article linked in the first paragraph of this guide.
Store backup media away from system and possibly offsite
A data backup plan is useless if the event causing the loss of data also causes loss of the backup data. You must decide whether keeping backup data in a fireproof cabinet locally is required and sufficient, or whether backup data needs to be stored off–site.
Securely erase all media before discarding
HIPAA requires that you protect patient health information when you dispose of systems or media that may contain such data. Simply deleting files does not remove its data and merely changes pointers so that the data does not appear in the device directory. Even formatting a disk may not remove data but may simply reset the device’s directory track. Therefore you may consider using procedures that will securely erase data by writing over every part of a device that may contain data. Even a non–functional computer should have its disks securely erased or physically destroyed before disposal. You must consider all physical ways that confidential health information might leave your system and take all practical steps to eliminate or minimize risks from media disposal.
Develop, document, and test a disaster response plan
Fire and floods are not uncommon and computer systems are extremely vulnerable to both. What will you do if such a disaster strikes and you lose the computer that has the EMR server installed? You must have a disaster response plan that is written down so that others can understand, comment and agree to it. You should devise a method for testing your disaster response plan in as realistic a scenario as possible.
Develop, document and test an emergency mode operation plan
If disaster strikes and your system housing the EMR server get out of commission, what are the implications of the timescale of your disaster response plan? Can the EMR program be hosted temporarily on another system to resume the operations and how? The plan must be written down so that others can understand, comment and agree to the plan. If the availability of clinical data stored within the EMR system is highly critical, it may be essential to test the plan to ensure that it can meet the need.
Develop, document, and test a “break glass” procedure for emergency data access
There may be occasions where emergency access to the computer housing the EMR server is needed by someone who does not have credentials but for whom access is nevertheless appropriate. This access might be needed at a user level, for example to clinical data where there is a clinical emergency. Alternatively, access might be needed at the system level for example to remediate a security incident. In these cases, giving access by sharing a password is not appropriate because it leaves an incorrect access and audit trail. Instead, a “break glass” procedure is appropriate where the user can obtain unique appropriate credentials by following a set procedure that includes complete documentation of who acquired the credentials, when, and for what detailed reason. In this way, a “correct” access and audit trail is created. If possible, you should create, document and test this “break glass” procedure beforehand.
Register new and existing systems that will connect to the EMR server
Even though the EMR server is installed on one central computer, the program is typically used by multiple users from various other machines and terminals over the network. If network monitoring procedures alert you to a problem with a computer on the network, that alert will almost certainly reference the affected system, or systems, by their local IP addresses. In order to contact the system owner/s, you must have current contact information correlating the network IP address with the owner of the system. Accurate registration information will also allow you to contact system owners when advance warning is available for application or system problems or security vulnerabilities.
Technical Security Controls
Do not run unnecessary services
Every service running on a computer that is open for incoming network connections is a potential security vulnerability. Use system management tools to see which ports are open on your system and the applications that are listening on those ports. Unnecessary services should be removed from the computer hosting the EMR server program.
Implement anti-virus and anti-malware software
Implement antivirus and antispyware software to shield the EMR server computer from malware. Real-time protection for all files and file types must be enabled as it will identify infected files when they are created, modified or accessed. Full systems scans should also be performed if realtime protection has been disabled for any period of time, and when antivirus software is initially installed. Antivirus software has a library of definition files used by the antivirus application to identify files on the system that are viruses, or that have viruses embedded in them. It is absolutely essential that the virus definitions be kept up to date. If not using a managed client for updates, make certain that the program is configured to download new signatures at least once per day and to run a disk scan overnight.
Keep the operating system and related software patched
Operating system patches should be applied as soon as possible. However, there is a trade–off to be made. Applying patches as soon as they are available carries the risk that the patches may be faulty or have unexpected consequences. On the other hand, delaying implementation until others have tested the patches may leave the system open to an actual exploitation of the vulnerability. One solution is to apply “critical” patches within 24 hours, and allow up to two weeks for testing “non–critical” patches.
Check for the EMR software updates regularly
Check for EMR software updates online periodically. These updates contain patches and also the new features and enhancements that may have been added to the system. To check for updates, just visit Help menu on the EMR server console and select Update UniCharts option. The system would check for new updates and download them if available. Restarting the EMR server program will install them automatically. We recommended you perform this procedure at least once every month.
Note that if for security reasons you have not exposed the EMR server computer to the Internet, you may request a copy of the update JAR file from us. We will email you the updates JAR along with instructions on how to apply it manually.
Consider local intrusion detection
Software tools can be deployed locally to detect changes made to a computer system and provide alerts when unexpected changes occur. Probably the best known of these is “Tripwire”. Tripwire records “binary signatures” for system files along with file sizes, expected changes of size, etc and monitors these values frequently. Since computer intrusions inevitably involve modifying files, Tripwire is able to provide an alert almost immediately a system becomes compromised. Host–based intrusion detection/prevention functionality should also be configured and enabled whenever possible. Also consider using logfile analysis tools and utilities to monitor the system effectively.
Encrypt sensitive data that travels over the internet
Data traveling entirely within a local network usually has a security advantage in that the network wiring and router systems etc are installed and controlled by local IT personnel, and therefore the chances of unauthorized copying of data as it travels on the internal network are minimal. Even in case of using a wireless network, its built-in security mechanism is usually sufficient to prevent unauthorized copying of data. However, this is not true for data traveling over the Internet. Although the probability of unauthorized capture of data on the internet is also low, it is a HIPPA requirement to encrypt sensitive patient health related data that you send/receive over the internet.
UniCharts EMR provides complete functionality to install digital certificates and enable SSL encryption of data travelling over the Internet. If you are using EMR over the Internet, then you must consider implementing https protocol by enabling SSL encryption. Please see the knowledgebase article linked in the first paragraph of this guide for instructions on how to install a digital certificate.
Implement application timeouts if appropriate
One of the main goals of HIPAA is to prevent viewing of patient health information beyond the “business need to know”. An application left running on an unattended workstation may provide an easy way for an unauthorized individual to view patient health information. As a system administrator you may be able to improve the security of your workflow process by enabling application timeout. Again, UniCharts EMR provides a built-in mechanism for you to enable application timeout and define a timeout interval as appropriate. Consider whether a timeout after 30 minutes of inactivity can be applied to your system without inconveniencing clinical users. Please see the knowledgebase article linked in the first paragraph of this guide for instructions on how to enable an application timeout.
Install a software firewall program
It is absolutely essential that you have a software firewall installed on the computer housing the EMR program. It would help block malicious connections by blocking the ports of the computer and only allow those programs and users to access the system that you, the administrator, allow.
Consider using a hardware firewall
Hardware firewalls are dedicated devices that sit physically between your computer and the network. They are always on and tend to do a better job than software firewall because there is no program to start or crash on the computer. These firewalls also allow more flexibility in selecting what types of connections are to be allowed to and/or from other hosts on the network. Therefore, you should also consider using a hardware firewall in addition to the software firewall installed on the server computer. Note that if you have a router based local network, you may already be having hardware firewall implemented. A router functions as a firewall because it uses IP masquerading to allow multiple devices to share a single IP address on the network. Because inbound connections have to be specifically directed to a particular host on the “inside” of the router, all inbound connections are blocked by default.
Eliminate modem access if possible
You should not use a dial-in modem to provide access to the computer with EMR server unless absolutely unavoidable. This is because even if logon security is provided for a modem connection, the connection itself is not monitored. Network monitoring is one of the main methods by which IT security staff can become aware of compromised systems. Also network connected systems are scanned periodically for vulnerabilities and/or weak passwords. Access to your system via modem cannot take advantage of these forms of security protection. If there is no other option than to use a dial-in modem, the modem should normally be powered down and only enabled specifically for authorized access and even then for the shortest possible time.
System Logs and Audits
Keep records of successful and failed logons to the server computer
Check periodically that access and use of the server computer is appropriate
You should examine the list of who has access to your system down at least once per year. You will need to devise a process to verify that appropriate access is being granted. Remember that you are responsible for who has access to your system and you may need to survey your users and have them verify that their access is authorized and appropriate.
Check periodically that access and use of the EMR software is appropriate
UniCharts EMR software has the built-in ability to track database use down to the chart access level. For example, the application is able to provide a time stamped log of access to patient charts with detail of who the record belongs to, who the user was, what section of the chart was accessed, and whether that chart was changed or merely accessed. Note that you do not have to do anything in this regard; the EMR system automatically record actions related to creation, modification, access and deletion of patient charts, and store the log them directly into the database. You should periodically generate an activity log and audit the report to look for any anomaly therein. Please see the knowledgebase article linked in the first paragraph of this guide for instructions on how to generate an activity log.
Periodically examine and verify the efficacy of security measures
As a separate exercise, you should review the security measures that you have in place at least once per year. You should do this by paying particular attention to things that may have changed during this period. For example, are you using the latest versions of the operating system and the EMR software and are both fully patched? Similarly, have you added extra services to your system or enabled access from new network locations?
Recognize System Compromise
Familiarize yourself with the system commands and tools that can give you an early indication that your server computer has been compromised. The earlier that you can detect that your computer has been compromised, the greater the chance that you can lessen the damage and lower the risks associated with exposure, corruption, or data loss of your system.
Look for signs of problems in the following areas:
- Performance problems. Learn your systems normal pattern of activity and be
suspicious if CPU usage, network traffic, memory utilization, or network
utilization increases dramatically. Unexpected rebooting is a suspicious sign
once hardware problems have been eliminated.
- Additional processes running. Be familiar with the names of processes that
should be running. Be suspicious of any new processes especially if their
names are peculiar or very similar to normal processes
- Unexpected ports open. Make a note of the TCP ports that your system has
open after you shut down the applications that you know about. Be on the
lookout for any new open ports and make sure that the processes that
have these ports open are legitimate.
- Unexpected user log entries. Be on the lookout for unexpected users
especially if they correspond to accounts with administrator or root access.
- Changes in logfiles. Be on the lookout for logfiles that are suddenly
missing, empty, or have unusual entries.
- Changes to system files. Most systems have so many files that this may be
almost impossible to do manually. Consider an automated process that checks
for the appearance of new files and/or directories, especially if your system
does not change much from day to day.
Report Security Incidents to the Administration
Report all security incidents to your administration or the physician in charge. Even if you are certain that patient health data was not exposed or affected by the incident, it is always the best practice that you report the incident. Reporting the incident also helps the administration build a picture of ongoing events that may be affecting other non-clinical users on the network. You should also develop a working relationship with the physician in charge and jointly develop a plan for HIPAA compliance.