45. encryption and decryption

shoulderslyricalΤεχνίτη Νοημοσύνη και Ρομποτική

21 Νοε 2013 (πριν από 3 χρόνια και 7 μήνες)

102 εμφανίσεις



Page
1

of
4


Copyright 2003 Phoenix Health Systems, Inc.

Limited rights granted to licensee for internal use only.

All other rights reserved.


ENCRYPTION AND DECRY
PTION


ADMINISTRATIVE MANUA
L

POLICY # 45


APPROVED BY:


SUPERCEDES POLICY:

ADOPTED:


REVISED:


REVIEWED:


DATE:

REVIEW:


PAGE:



HIPAA Security
Rule Language:


Implement a mechanism to encrypt and decrypt EPHI.”

Policy Summar
y:

Where risk analysis shows it is necessary, appropriate encryption must be
used to protect the confidentiality, integrity, and availability of EPHI
contained on Sindecuse Health Center (SHC) information systems. SHC
must protect all cryptographic keys a
gainst modification and destruction;
secret and private keys must be protected against unauthorized disclosure.
SHC must have a formal, documented process for managing the
cryptographic keys used to encrypt EPHI on SHC information systems.

Purpose:

This
policy reflects SHC’s commitment to appropriately use encryption
to protect the confidentiality, integrity and availability of EPHI contained
on SHC information systems.

Policy:

1. When risk analysis indicates it is necessary, appropriate encryption
must

be used to protect the confidentiality, integrity, and availability of
EPHI contained on SHC information systems. The risk analysis must
also be used to determine the type and quality of the encryption algorithm
and the length of cryptographic keys.

2.
At a minimum, SHC’s risk analysis must consider the following
factors when determining whether or not specific EPHI must be
encrypted:



The sensitivity of the EPHI



The risks to the EPHI



The expected impact to SHC functionality and work flow if the
EPHI is e
ncrypted



Alternative methods available to protect the confidentiality,
integrity and availability of the EPHI

3. All encryption used to protect the confidentiality, integrity and
availability of EPHI contained on SHC information systems must be
ENCRYPTION AND DECRYPTION



Page
2

of
4


Copyright 2003 Phoenix Health Systems, Inc.

Limited rights gran
ted to licensee for internal use only.

All other rights reserved.

approved b
y SHC’s Information Security Office.

4. Encryption should be used to protect the confidentiality, integrity, and
availability of EPHI stored on SHC portable workstations (i.e. laptops,
etc.).

5. Encryption should be used to protect the confidentiality, i
ntegrity, and
availability as specified in SHC’s
Transmission Security policy
.

6. SHC must protect all of its cryptographic keys against modification
and destruction; its secret and private keys must be protected against
unauthorized disclosure.

7. SHC m
ust have a formal, documented process for managing the
cryptographic keys used to encrypt EPHI on SHC information systems.
At a minimum, this process must include:



A procedure for generating keys for different cryptographic
systems



A procedure for distrib
uting keys to intended users and then
activating them



A procedure for enabling authorized users to access stored keys



A procedure for changing and updating keys



A procedure for revoking keys



A procedure for recovering keys that are lost or corrupted



A proc
edure for archiving keys



Appropriate logging and auditing of cryptographic key
management

8. When possible, SHC cryptographic keys must have defined activation
and deactivation dates.

9. No department will implement encryption of data without the
knowled
ge and approval of the Information Security Officer.

10. The information security officer will maintain documentation with
regards to when encryption is utilized.

Scope/Applicability:

This policy is applicable to all departments that use or disclose elec
tronic
protected health information for any purposes.

This policy’s scope includes all electronic protected health information,
as described in Definitions below
.

Regulatory
Category:

Technical Safeguards

ENCRYPTION AND DECRYPTION



Page
3

of
4


Copyright 2003 Phoenix Health Systems, Inc.

Limited rights gran
ted to licensee for internal use only.

All other rights reserved.

Regulatory Type:

ADDRESSABLE Implementation Speci
fication for Access Control
Standard

Regulatory
Reference:

45 CFR 164.312(a)(2)(iv)

Definitions:

Electronic protected health

information

means individually identifiable
health information that is:



Transmitted by electro
nic media



Maintained in electronic media

Electronic media

means:

(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital

memory card; or

(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide
-
open), extranet (using internet technology to link a
business with information accessible
only to collaborating parties), leased
lines, dial
-
up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
co
nsidered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.

Information system
means an interconnected set of information resources
under the same direct management co
ntrol that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.

Workforce member

means employees, volunteers, and other persons
whose conduct, in the performance of work fo
r a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full and part time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide s
ervice to the covered entity.

Availability

means the property that data or information is accessible and
useable upon demand by an authorized person.

Confidentiality

means the property that data or information is not made
available or disclosed to unauthor
ized persons or processes.

Integrity

means the property that data or information have not been
ENCRYPTION AND DECRYPTION



Page
4

of
4


Copyright 2003 Phoenix Health Systems, Inc.

Limited rights gran
ted to licensee for internal use only.

All other rights reserved.

altered or destroyed in an unauthorized manner.

Encryption

means the conversion of data into secret, unreadable code.
To read encrypted data, a person must have

access to a secret key or
password that enables them to decrypt (decode) the data.

Cryptographic key
means a variable value that is applied using an
algorithm to data to produce encrypted text, or to decrypt encrypted text.
The length of the key is a fac
tor in considering how difficult it will be to
decrypt the data.

Responsible
Department:

Information Systems

Policy Authority/
Enforcement:

SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure

#(TBD).

Related Policies:

Access Control

Emergency Access Procedure

Automatic Logoff

Unique User Identification

Renewal/Review:

This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the e
vent that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.

Procedures:

TBD