NIST SP 800-66r2 ipd INITIAL PUBLIC DRAFT
IMPLEMENTING THE HIPAA SECURITY RULE: A CYBERSECURITY RESOURCE GUIDE
5.3.3 Integrity (§ 164.312(c))

HIPAA Standard: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

Key Activity 1. Identify All Users Who Have Been Authorized to Access ePHI [120]

Description:
• Identify all approved users with the ability to alter or destroy ePHI, if reasonable and appropriate.
• Address this Key Activity in conjunction with the identification of unauthorized sources in Key Activity 2.

Sample Questions:
• How are users authorized to access the information? [121]
• Is there a sound basis for why they need the access? [122]
• Have they been trained on how to use the information? [123]
• Is there an audit trail established for all accesses to the information? [124]

Key Activity 2. Identify Any Possible Unauthorized Sources that May Be Able to Intercept the Information and Modify It

Description:
• Identify scenarios that may result in modification to the ePHI by unauthorized sources (e.g., hackers, ransomware, disgruntled employees, business competitors). [125]
• Conduct this activity as part of a risk analysis. [126]

Sample Questions:
• What are likely sources that could jeopardize information integrity? [127]
• What can be done to protect the integrity of the information when it is residing in a system (at rest)?
• What procedures and policies can be established to decrease or eliminate alteration of the information during transmission? [128]

Key Activity 3. Develop the Integrity Policy and Requirements

Description:
• Establish a formal (written) set of integrity requirements based on the results of the analysis completed in Key Activities 1 and 2.

Sample Questions:
• Have the requirements been discussed and agreed to by identified key personnel involved in the processes that are affected?
• Have the requirements been documented?

Key Activity 4. Implement Procedures to Address These Requirements

Description:
• Identify and implement methods that will be used to protect ePHI from unauthorized modification.

Sample Questions:
• Has a written policy been developed and communicated to personnel?
• Are current audit, logging, and access control techniques sufficient to address the integrity of ePHI?

Footnotes:
[120] See Section 5.1.3, HIPAA Standard: Workforce Security; Section 5.3.1, HIPAA Standard: Access Control; and Section 5.5.1, HIPAA Standard: Policies and Procedures.
[121] See Section 5.1.3, HIPAA Standard: Workforce Security, and Section 5.3.1, HIPAA Standard: Access Control.
[122] See Section 5.1.3, HIPAA Standard: Workforce Security.
[123] See Section 5.1.5, HIPAA Standard: Security Awareness and Training.
[124] See Section 5.3.2, HIPAA Standard: Audit Controls.
[125] See Section 5.1.1, HIPAA Standard: Security Management Process.
[126] See Section 5.1.1, HIPAA Standard: Security Management Process.
[127] See Section 5.1.1, HIPAA Standard: Security Management Process.
[128] See Section 5.1.1, HIPAA Standard: Security Management Process, and Section 5.3.5, HIPAA Standard: Transmission Security.