Yesterday, I gave you the side-by-side comparison of changes to Section 308 in the new HIPAA Security rule. Today, I will summarize these changes below.
Section 308 added a lot of new material, retaining most of the old with greater detail, especially with respect to implementation specifications. Procedures within this section now need to be more than just implemented: they must be written (documented), tested/verified and maintained. Maintenance is a new implementation specification that applies to almost everything and means that the material must be reviewed and updated at least annually, as well as whenever changes in the environment require it.
In addition to risk assessment, 164.308(a)(1) [formerly 308(a)(1)(i)] now requires a technology asset inventory, network map and maintenance. This is a normal part of risk analysis best practice, but HIPAA now requires it of covered entities and their business associates.
The risk analysis is now in 164.308(a)(2) [formerly risk assessment at 308(a)(1)(ii)(A)], and now includes "Implementation specifications" which again require covered entities and business associates to follow risk assessment best practices with respect to an asset inventory, a list of threats, potential vulnerabilities, likelihoods, impacts, and risk levels, including risks associated with business associates. It further clarifies the maintenance requirement: the analysis must be reviewed at least annually, or after any change in the environment.
Instead of there being a single section for implementation specifications, there is now a separate implementation section for each standard.
New standards have been added at 164.308(a)(3) for evaluation of changes to a covered entity's or business associate's environment, and at 164.308(a)(4) for patch management. Personally, I'd change the name of (a)(3) from Evaluation to Change Management to more closely reflect its intent. Both of these are applications of existing technology risk management best practices.
On the (a)(4) patch management side, the proposed rule expects remediation of critical risks within 15 days, and high risks within 30 days, of any patch or upgrade becoming available. They do suggest that alternative methods can be used to reduce risk when patches are not available.
Nowhere in the patch management section do they use the term risk mitigation, or remediation, and I wish they would.
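As an added illustration (my own example code, not text from the proposed rule or from HHS), here is a small checker that applies the 15-day critical / 30-day high windows above to a patch inventory and separates out the "no patch available" case, which is where the rule's alternative-measures language comes in. The finding record layout, the status names and the sample inventory are all constructed for this example; only the two day counts come from the proposed rule.

```python
"""Patch-management window check modelled on proposed 164.308(a)(4).

Example code added to this summary; not the rule's text and not an HHS tool.
Assumptions: one record per asset/advisory pair, the 15-day critical and
30-day high windows run from the date the fix became available, and a
finding with no vendor fix is acceptable only if a compensating control is
documented. Severities the rule does not name are tracked but not timed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Days allowed after a patch or upgrade becomes available (proposed rule).
SLA_DAYS = {"critical": 15, "high": 30}


@dataclass
class Finding:
    asset: str
    advisory: str                        # vendor advisory / ticket id (free text)
    severity: str                        # "critical", "high", "medium", "low"
    patch_available: Optional[date]      # None: vendor has not released a fix
    patch_applied: Optional[date] = None
    compensating_control: Optional[str] = None  # documented alternative measure


def deadline(f: Finding) -> Optional[date]:
    """Date by which the fix must be applied, or None when no window applies
    (no fix released yet, or a severity the rule gives no number for)."""
    days = SLA_DAYS.get(f.severity.lower())
    if days is None or f.patch_available is None:
        return None
    return f.patch_available + timedelta(days=days)


def assess(f: Finding, today: date) -> str:
    """Classify one finding as of `today`.

    not-in-scope          severity has no window in the rule
    no-patch-mitigated    no vendor fix, alternative measure documented
    no-patch-unmitigated  no vendor fix and nothing documented (act on this)
    compliant / late      fix applied inside / outside its window
    open / overdue        fix not yet applied, window still open / expired
    """
    if f.severity.lower() not in SLA_DAYS:
        return "not-in-scope"
    if f.patch_available is None:
        return "no-patch-mitigated" if f.compensating_control else "no-patch-unmitigated"
    due = deadline(f)
    if f.patch_applied is not None:
        return "compliant" if f.patch_applied <= due else "late"
    return "overdue" if today > due else "open"


def report(findings: List[Finding], today: date) -> Dict[str, List[str]]:
    """Group asset names by status; 'overdue' and 'no-patch-unmitigated'
    are the two buckets an auditor will ask about first."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(assess(f, today), []).append(f.asset)
    return out


# Constructed sample inventory (not real assets or advisories).
TODAY = date(2025, 3, 1)
SAMPLE = [
    Finding("db-server-01", "vendor-adv-101", "critical", date(2025, 2, 1), date(2025, 2, 10)),
    Finding("web-proxy-02", "vendor-adv-102", "critical", date(2025, 2, 1)),
    Finding("hr-workstation-17", "vendor-adv-103", "high", date(2025, 2, 15)),
    Finding("imaging-modality-03", "vendor-adv-104", "critical", None,
            compensating_control="isolated VLAN, no internet egress, ticket CM-0042"),
    Finding("legacy-lab-app", "vendor-adv-105", "high", None),
    Finding("file-server-05", "vendor-adv-106", "high", date(2025, 1, 1), date(2025, 2, 15)),
    Finding("printer-09", "vendor-adv-107", "medium", date(2025, 1, 1)),
]

if __name__ == "__main__":
    for status, assets in sorted(report(SAMPLE, TODAY).items()):
        print(f"{status:22s} {', '.join(assets)}")
```

The point of keeping "no-patch-unmitigated" as its own bucket is that the rule lets you substitute an alternative measure when no fix exists, but only a documented one; an undocumented gap is indistinguishable from an overdue patch at audit time.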
308(a)(5) Risk Management [formerly 308(a)(1)(ii)(B)] adds a whole section on implementation specifications. You need a written risk management plan, it has to be maintained, risks must be prioritized, and security measures must be implemented in a timely manner in accordance with those priorities.
308(a)(6) Sanction Policy [formerly 308(a)(1)(ii)(C)] again adds a whole section on implementation specifications. Again, the policy must be established, written, reviewed at least annually or on significant changes, and applied, with each application documented.
308(a)(7) Information Systems Activity Review [formerly 308(a)(1)(ii)(D)] again adds a whole section on implementation specifications. The scope is defined to include at a minimum: audit trails, event logs, firewall logs, data backup logs, access reports, anti-malware logs, security incident tracking reports, et cetera. It also covers records retention, incident response and the records thereof, and the required maintenance of the process.
308(a)(8) Assigned Security Responsibility [formerly 308(a)(2)] is clarified to ensure that the process is written/documented.
308(a)(9) Workforce Security [formerly 308(a)(3)] was modestly updated clarifying that the process is written/documented.
The Termination procedure was updated to set a deadline for terminating access: no later than one hour after the workforce member's employment ends.
The Notification procedure was updated to set a deadline of 24 hours for notifying others (e.g., BAs) that access has been rescinded. The usual annual maintenance requirement was added.
308(a)(10) Information Access Management [formerly 308(a)(4)] adds implementation specifications for (ii)(C) Authentication Management, (ii)(E) Network Segmentation, and (ii)(F) Maintenance.
308(a)(11) Security Awareness Training was updated [formerly 308(a)(5)] and provides significantly more guidance on the timing, content and documentation of training activities.
308(a)(12) Security Incident Procedures [formerly 308(a)(6)] was updated to add implementation specifications requiring written incident response plans, written procedures for testing and revising plans, and annual (or more frequent) testing and documentation.
308(a)(13) Contingency Plan [formerly 308(a)(7)] was updated. Again, it was clarified that plans need to be written, assessments need to be documented, backups need to be verified, and contingency plans and emergency mode operation plans need to be tested at least annually.
308(a)(14) Compliance Audit [formerly Evaluation at 308(a)(8)] was renamed and the text (but not the intent) simplified.
The 308(b)(1) Business Associate Contracts standard is largely unchanged, but 308(b)(2) Implementation Specifications adds a requirement for annual written verification that a Business Associate is in compliance with 164.312, through a written analysis and certification.