HIPAA/HITECH Privacy & Security

acceptablepeas | Security

30 Nov 2013 (3 years and 10 months ago)

Practice Name: ______________________________________

Location: ______________________________ Date: _____________

Facility Walkthrough Checklist v1.0

HIPAA/HITECH Privacy & Security

Facility Walkthrough Checklist


This document is designed as a checklist that can be used to determine security risks on a walkthrough of a facility.

The items in this checklist are derived from NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations. As such, the items in this checklist are neither required for HIPAA compliance, nor do they guarantee HIPAA compliance. However, this checklist can be useful to a health care provider for identifying physical security risks in the facility and can be used as part of an overall risk assessment.

The entries in the ID column relate directly to the IDs found in the "Physical and Environmental Protection" section of SP 800-53, where more information and guidance can be found on the risks and remediation of each item.

To use this checklist it is suggested that you:

a) Print this document and carry it on the walkthrough

b) During the walkthrough, place checkmarks or x's in the Yes/No column

c) Get additional information from a facility staff member about items that are not visibly apparent or about policies and procedures controlling access to the facility

d) Make any additional notes in the Notes column

e) After the walkthrough, fill out an electronic copy of the document and provide it to the provider to be included with other Risk Assessment documentation


| ITEM | YES/NO | ID | CONTROL DESCRIPTION | NOTES |
|---|---|---|---|---|
| General | | | | |
| Policies | | PE-1 | Documented policies and procedures that address physical and environmental security. | |
| Physical Authorization | | PE-2 | Method to determine who is authorized to access the secure area of the office (e.g. badges, swipe cards, biometrics). | |
| Inventory of Assets | | PE-3f | Inventory of physical assets maintained. | |
| Delivery/Removal Records | | PE-16 | The organization authorizes, monitors, and controls components containing EHR entering and exiting the facility. | |
| Alternate Work Site | | PE-17 | The facility provides an alternate work site or remote access for employees in the event of an emergency. | |
| Visitors escorted | | PE-7 | Visitors are authenticated and escorted or monitored at all times. | |
| Visitor records | | PE-8 | Visitor access records exist containing name/organization, signature, form of ID, time of entry and departure, purpose of visit, and person visited. | |
| Facility Access | | | | |
| Access Authorization (Visitors) | | PE-3a, PE-3b | Physical access authorization for visitor access to the secure area of the office (e.g. sign-in sheet, photo ID verification, photo in EHR). | |
| Access Authorization (Staff) | | PE-3a, PE-3b | Physical access authorization for staff access to the secure area of the office (e.g. badges). | |
| Public Area Protected Appropriately | | PE-3d | Access to publicly accessible area controlled in accordance with identified risk (e.g. receptionist able to monitor waiting room, after-hours locks or alarm system). | |
| Secure Area Physically Protected | | PE-3c | Access to the secure area physically monitored or protected (e.g. receptionist monitors entry, locked door, or security camera). | |
| Keys etc. secured | | PE-3e | Keys, combinations, and passwords physically secured. | |
| Locks changed | | PE-3g | Locks and keys changed when lost or stolen, or on staff termination. | |
| Physical Protections | | | | |
| Monitors not visible | | PE-5(2) | Computer monitors are protected from visibility by unauthorized individuals (e.g. by situating them in such a way that they are not visible, or by security filters on screens). | |
| Secure systems with access to EHR | | PE-18(2) | Systems with access to EHR are protected from theft by physical location or anti-theft controls (e.g. cable locks). | |
| Output devices protected | | PE-5(1) | Devices such as monitors, printers, and fax machines protected by physical access control. | |
| Network/phone cable protected | | PE-4 | Transmission lines are protected (e.g. wiring cabinet is locked, cables are protected by conduit, no access to cables in publicly accessible area). | |
| Power protected | | PE-9 | Power equipment and power cabling are protected from damage or destruction (e.g. redundant power, physical protection of cables). | |
| Emergency Systems | | | | |
| Emergency power shut-off | | PE-10 | Ability to shut off power to the EHR in the event of an emergency and ability to shut off power from a safe location. Power shut-off protected from unauthorized activation. | |
| Water shut-off valves | | PE-15 | The organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel. | |
| Emergency lighting | | PE-12 | The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. | |
| Fire detectors and suppression | | PE-13 | The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source. | |
| EHR System | | | | |
| EHR in secure location | | PE-18(1) | The EHR system is positioned to minimize potential damage from environmental hazards such as flooding, fire, electrical interference, and theft. | |
| Doors locked/monitored to secure area | | PE-18(3) | Physical entry points to the secure area are protected from unauthorized entry. | |
| EHR systems monitored | | PE-6 | Physical access to EHR systems is monitored (e.g. access logs, cameras, alarms). | |
| Emergency power | | PE-11 | The organization provides a UPS to facilitate an orderly shutdown of the information system in the event of a primary power source loss. | |
| Temp and Humidity Controlled | | PE-14 | Maintains and monitors temperature and humidity controls within the area where the EHR resides. | |




Notes: