51 integrity controls

aurorabellyNetworking and Communications

Nov 21, 2013 (3 years and 9 months ago)


Copyright 2003 Phoenix Health Systems, Inc.

Limited rights granted to licensee for internal use only.

All other rights reserved.


INTEGRITY CONTROLS


ADMINISTRATIVE MANUAL

POLICY # 51


APPROVED BY:


SUPERSEDES POLICY:

ADOPTED:


REVISED:


REVIEWED:


DATE:

REVIEW:


PAGE:



HIPAA Security Rule Language:

“Implement security measures to ensure that electronically transmitted
EPHI is not improperly modified without detection until disposed of.”

Policy Summary:

When risk analysis indicates it is necessary, appropriate integrity controls
must be used to protect the confidentiality, integrity, and availability of
Sindecuse Health Center (SHC) data transmitted over electronic
communications networks. SHC’s integrity controls must ensure that the
value and state of all transmitted data are maintained and the data is
protected from unauthorized modification. All such integrity controls
must be approved by SHC’s Information Security Office.

Purpose:

This policy reflects SHC’s commitment to use appropriate integrity
controls to protect the confidentiality, integrity, and availability of SHC
data transmitted over electronic communications networks.

Policy:

1. When risk analysis indicates it is necessary, appropriate integrity
controls must be used to protect the confidentiality, integrity and
availability of SHC data transmitted over electronic communications
networks.

2. At a minimum, SHC’s risk analysis must consider the following
factors when determining whether or not integrity controls must be used
when sending specific data over an electronic communications network:

• The sensitivity of the data

• The risks to the data

• The expected impact to SHC functionality and work flow if the
data are sent with integrity controls

• The ability of the recipient of the data to check the integrity of
the data that were sent

3. Integrity controls must always be used when highly sensitive SHC
data such as passwords are transmitted over electronic communications
networks.

4. SHC’s integrity controls must ensure that the value and state of all
transmitted data are maintained and the data is protected from
unauthorized modification. Such controls include but are not limited to:

• Checksums

• Message authentication codes

• Hash values

5. All integrity controls used to protect the confidentiality, integrity and
availability of SHC data transmitted over an electronic communications
network must be approved by SHC’s information security office.

Scope/Applicability:

This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.

This policy’s scope includes all electronic protected health information,
as described in Definitions below.

Regulatory
Category:

Technical Safeguards

Regulatory Type:

ADDRESSABLE Implementation Specification for Transmission
Security Standard

Regulatory
Reference:

45 CFR 164.312(e)(2)(i)

Definitions:

Availability means the property that data or information is accessible and
useable upon demand by an authorized person.

Confidentiality means the property that data or information is not made
available or disclosed to unauthorized persons or processes.

Integrity means the property that data or information have not been
altered or destroyed in an unauthorized manner.

Electronic communications network means any series of nodes
interconnected by communication paths that is outside the SHC network
(e.g., the Internet). Such networks may interconnect with other networks
or contain sub networks.

Checksum means a count of the number of bits in a transmission unit that
is included with the unit so that the receiver can check to see whether the
same number of bits arrived. If the counts match, it's assumed that the
complete transmission was received. This number can be regularly
verified to ensure that the data has not been improperly altered.


Message authentication code means a one-way hash of a message that is
then appended to the message. This is used to verify that the message is
not altered between the time the hash is appended and the time it is
tested.

Hash (or hash value) means a number generated from a string of text. A
sender of data generates a hash of the message, encrypts it, and sends it
with the message itself. The recipient of the data then decrypts both the
message and the hash, produces another hash from the received message,
and compares the two hashes. If they are the same, there is a very high
probability that the message was transmitted intact.

Responsible
Department:


Information Systems

Policy Authority/
Enforcement:

SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure # (TBD).

Related Policies:

Transmission Security

Encryption

Renewal/Review:

This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.

Procedures:

TBD