Home Forums Discussions Meaningful Use Lawyers, Guns and Money.....and Security

1 ?172.302(o) Access control. Assign a unique name and/or number for
identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information.

Each user should have their own Windows account and their own account into whatever software that requires each user to have their own user account outisde of Windows. Users should not share accounts.

2 ?172.302(p) Emergency access. Permit authorized users (who are authorized for emergency situations) to access electronic health information during an emergency.

Subjective. For most of you, the built in Administrator account in Windows will suffice.

3 ?172.302(q) Automatic log-off. Terminate an electronic session after a predetermined time of inactivity.

Set a screen saver in Windows to lock the machine after so much time of inactivity. Set Terminal Servers to disconnect users after so much time of inactivity.

4 ?172.302(r) Audit Log.
(1) Record actions. Record actions related to electronic health information in accordance with the standard specified in ? 170.210(b).

Set the Windows Security Event Log to track log on and log off and access to certain files and file shares. EMR's should have their own facilities for this.

(2) Generate audit log. Enable a user to generate an audit log for a specific time period and to sort entries in the audit log according to any of the elements specified in the standard at 170.210(b).

This is what the Administrator account in Windows and Amazing Charts is for.

5 ?172.302(s) Integrity.
(1) Create a message digest in accordance with the standard specified in 170.210(c).
(2) Verify in accordance with the standard specified in 170.210(c) upon receipt of electronically exchanged health information that such information has not been altered.

If you have an HL7 or other interface, ensure you encrypt the data while en route to it's destination via VPN or other method. Have the necessary business associates agreement in with those you are sending to/receiving from.

(3) Detection. Detect the alteration of audit logs.

If you ever see an event in Windows that says the "Security Event Log has been cleared" then you know the deal.

6 ?172.302(t) Authentication. Verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information.

Again, make sure users are not sharing accounts.

7 ?172.302(u) General encryption. Encrypt and decrypt electronic health information in accordance with the standard specified in ? 170.210(a)(1), unless the Secretary determines that the use of such algorithm would pose a significant security risk for Certified EHR Technology.

Utilize the built-in encryption in Windows to encrypt information from workstation to server (domain based networks only).

8 ?172.302(v) Encryption when exchanging electronic health information. Encrypt and decrypt electronic health information when exchanged in accordance with the standard specified in ? 170.210(a)(2).

Utilize the built-in encryption in Windows to encrypt information from workstation to server (domain based networks only).

How do I accomplish all of this??

A SBS 2011 network with all Windows 7 workstations will handle the majority of this for you with no work on your part save setting up user accounts. A Juniper SRX100 security gateway will handle setting up VPN's with outside entities and security publishing services to the Internet (e.g. Exchange, Terminal Server). Such a network with 5 workstations should cost you less than $10,000 to purchase AND SET UP.

JamesNT