Addendum 3

HIPAA SECURITY MATRIX- mapping

Please Note: While we have attempted to categorize security requirements for ease of understanding and reading clarity, there are overlapping areas on the matrix in which the same requirements are restated in a slightly different context.

ADMINISTRATIVE PROCEDURES TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

REQUIREMENT:

IMPLEMENTATION:

MAPPED STANDARDS:

Certification

47

Chain of trust partner agreement

12, 47

Contingency plan (all listed implementation features must be implemented).

Applications and data criticality analysis

17, 47, 53

Data backup plan

12, 17, 47

Disaster recovery plan

12, 17, 47, 53

Emergency mode operation plan

47, 53

Testing and revision

12, 17, 47

Formal mechanism for processing records

12, 17

Information access control (all listed implementation features must be implemented).

Access authorization

12, 17, 47, 53

Access establishment

17, 47, 53

Access modification

12, 17, 47, 53

Internal audit

12, 17, 43, 44, 47

Personnel security (all listed implementation features must be implemented)

Assure supervision of maintenance personnel by authorized, knowledgeable person

17, 47

Maintainance of record of access authorizations

12, 17, 47

Operating, and in some cases, maintenance personnel have proper access authorization

17, 47

Personnel security policy/procedure

17, 47, 53

System users, including maintenance personnel, trained in security

12, 17, 47, 53

Security configuration mgmt. (all listed implementation features must be implemented).

Documentation

12, 17, 47, 53

Hardware/software installation & maintenance review and testing for security features

12, 17, 47

Inventory

12, 17

Security testing

12, 17, 47

Virus checking

12, 17, 47, 53

Security incident procedures (all listed implementation features must be implemented).

Report procedures

12, 17, 47

Response procedures

17, 47

Security management process (all listed implementation features must be implemented).

Risk analysis

12, 17, 47, 53

Risk management

17, 47

Sanction policy

12, 17, 47, 53

Security policy

17, 47, 53

Termination procedures (all listed implementation features must be implemented).

Combination locks changed

12, 17

Removal from access lists

12, 17, 47, 53

Removal of user account(s)

12, 17, 47

Turn in keys, token or cards that allow access

12, 17, 47

Training (all listed implementation features must be implemented).

Awareness training for all personnel (including mgmt).

12, 17, 18, 47, 53

Periodic security reminders

12, 18

User education concerning virus protection

User education in importance of monitoring log in success/failure, and how to report discrepancies

12, 17, 18

User education in password management

12, 18, 47

PHYSICAL SAFEGUARDS TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

REQUIREMENT:

IMPLEMENTATION:

MAPPED STANDARDS:

Assigned security responsibility

47

Media controls (all listed implementation features must be implemented).

Access control

17, 47, 53

Accountability (tracking mechanism)

17, 18, 47

Data backup

12, 17, 47, 53

Data storage

12, 17, 47

Disposal

17, 47, 53

Physical access controls (limited access) (all listed implementation features must be implemented).

Disaster recovery

17

Emergency mode operation

17

Equipment control (into and out of site)

17, 47

Facility security plan

12, 17, 47

Procedures for verifying access authorizations prior to physical access

17, 18, 47

Maintenance records

17

Need-to-know procedures for personnel access

12, 17, 47, 53

Sign-in for visitors and escort, if appropriate

17

Testing and revision

17, 47

Policy/guideline on work station use

18

Secure work station location

17, 53

Security awareness training

12, 17, 47

TECHNICAL SECURITY SERVICES TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

REQUIREMENT:

IMPLEMENTATION:

MAPPED STANDARDS:

Access control (The following implementation feature must be implemented: Procedure for emergency access, In addition, at least one of the following three implementatin features must be implemented : Context-based access, Role-based access, User-based access. The use of Encryption is optional).

Context-based access

5, 12, 14, 16, 17, 40, 47

Encryption

1, 6, 12, 14, 17, 21, 22, 23, 24, 26, 36, 28, 29, 30, 31, 47, 49, 53, 54, 55

Procedure for emergency access

14, 17, 53

Role-based access

14, 16, 17, 40, 41, 47, 53

User-based access

11, 12, 14, 16, 17, 40, 41, 47, 53

Audit controls

12, 14, 18, 47, 53

Authorization control (At least one of the listed implementation features must be implemented).

Role-based access

5, 14, 16, 17, 47, 53

User-based access

14, 16, 47, 53

Data authentication

11, 53

Entity Authentication (The following implementation features must be implemented: Automatic logoff, Unique user identification. In addition, at least one of the other listed implementation features must be implemented).

Automatic logoff

14, 16, 17, 18, 40, 53

Biometric

14, 16, 18, 40, 47, 53

Password

14, 16, 17, 18, 19, 40, 47, 53

PIN

14, 16, 18, 19, 40, 47

Telephone callback

14, 17, 18, 47, 53

Token

14, 17, 47, 50, 53

Unique user identification

14, 47, 53

TECHNICAL SECURITY MECHANISMS TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

REQUIREMENT:

IMPLEMENTATION:

MAPPED STANDARDS:

Communications/network controls (If communications or networking is employed, the following implementation features must be implemented: Integrity controls, Message authentication. In addition, one of the following implementation features must be implemented: Access controls, Encryption. In addition, if using a network, the following four implementation features must be implemented: Alarm, Audit trail, Entity authentication, Event reporting).

Access controls

14, 17, 22, 23, 39, 47, 48, 53

Alarm, event reporting, and audit trail

14, 17, 18, 35, 36, 37, 38, 44

Audit trail

Encryption

1, 6, 12, 14, 17, 21, 22, 23, 24, 26, 27, 28, 29, 30, 31, 47, 49, 52, 53

Entity authentication

12, 14, 17, 18, 20, 22, 23, 31, 32, 34, 33, 51, 53

Event reporting

Integrity controls

14, 15, 17, 18, 22, 23, 45, 46

Message authentication

14, 15, 17, 18, 22, 23, 25, 45, 46, 52

ELECTRONIC SIGNATURE

REQUIREMENT:

IMPLEMENTATION:

MAPPED STANDARDS:

Digital signature (If digital signature is employed, the following three implementation features must be implemented: Message integrity, Non-repudiation, User authentication. Other implementation features are optional).

Ability to add attributes

3, 4, 10, 11, 13, 20

Continuity of signature capability

3, 4, 11, 13, 14, 18

Counter signatures

3, 4, 10, 11, 13, 14, 18

Independent verifiability

3, 4, 11, 13, 20

Interoperability

3, 4, 7, 8, 9, 13, 14, 48

Message integrity

3, 4, 10, 11, 13, 14, 18

Multiple signatures

3, 4, 10, 11, 13, 20

Non-repudiation

2, 3, 4, 10, 11, 13, 14, 42,

Transportability

3, 4, 11, 13, 14, 18

User authentication

3, 4, 10, 11, 13, 20

MAPPED STANDARDS

  1. ANSI X3.92 Data Encryption Standard
  2. ANSI X9.30 Part 1: Public Key Cryptography Using Irreversible Algorithms: Digital Signature Algorithm
  3. ANSI X9.30 Part 2: Public Key Cryptography Using Irreversible Algorithms: Secure Hash Algorithm (SHA-1)
  4. ANSI X9.31 Reversible Digital Signature Algorithms
  5. ANSI X9.45 Enhanced Management Controls Using Digital Signatures and Attribute Certificates
  6. ANSI X9.52 Triple DES Modes of Operation
  7. ANSI X9.55 Extensions to Public Key Certificates and CRLs
  8. ANSI X9.57 Certificate Management
  9. ANSI X9.62 Elliptic Curve Digital Signature Algorithm (draft)
  10. ANSI X12.58 Security Structures (version 2)
  11. ASTM E 1762 Standard Guide for Authentication of Healthcare Information
  12. ASTM E 1869 Draft Standard for Confidentiality, Privacy, Access and Data Security Principles
  13. ASTM PS 100-97 Standard Specification for Authentication of Healthcare Information Using Digital Signatures
  14. ASTM PS 101-97 Security Framework for Healthcare Information
  15. ASTM PS 102-97 Standard Guide for Internet and Intranet Security
  16. ASTM PS 103-97 Authentication & Authorization Guideline
  17. CEN European Pre-Standard
  18. FDA Electronic Records-Electronic Signatures-Final Rule
  19. FIPS PUB 112 Password Usage
  20. FIPS PUB 196 Entity Authentication Using Public Key Cryptography
  21. FIPS PUB 46-2 Data Encryption Standard
  22. IEEE 802.10: Interoperable LAN/MAN Security (SILS), 1992-1996 (multiple parts)
  23. IEEE 802.10c LAN/WAN Security-Key Management
  24. IETF ID Combined SSL/PCT Transport Layer Security Protocol
  25. IETF ID FTP Authentication Using DSA
  26. IETF ID Secure HyperText TP Protocol (S-HTTP)
  27. IETF ID SMIME Cert Handling
  28. IETF ID SMIME Message Specification
  29. IETF RFC 1422 Privacy Enhanced Mail: Part 1: Message Encryption and Authentication Procedures
  30. IETF RFC 1424 Privacy Enhanced Mail: Part 2: Certificate-Based Key Management
  31. IETF RFC 1423 Privacy Enhanced Mail: Part 3: Algorithms, Modes, and Identifiers
  32. ISO/IEC 9798-1: Information Technology - Security Techniques-Entity Authentication Mechanisms - Part 1: General Model
  33. ISO/IEC 9798-2: Information Technology - Security Techniques-Entity Authentication Mechanisms - Part 2: Entity Authentication Using Asymmetric Techniques
  34. ISO/IEC 9798-2: Information Technology - Security Techniques-Entity Authentication Mechanisms - Part 2: Entity Authentication Using Symmetric Techniques
  35. ISO/IEC 10164-4 Information Technology - Open Systems Connection - System Management: Alarm Reporting Function
  36. ISO/IEC 10164-5 Information Technology - Open Systems Connection - System Management: Event Report Management Function
  37. ISO/IEC 10164-7 Information Technology - Open Systems Connection - System Management: Security Alarm Reporting Function
  38. ISO/IEC 10164-8 Information Technology - Open Systems Connection - System Management: Security Audit Trail Function
  39. ISO/IEC 10164-9 Information Technology - Open Systems Connection - System Management: Objects and Attributes for Access Control
  40. ISO/IEC 10181-2 Information Technology - Security Frameworks in Open Systems - Authentication Framework
  41. ISO/IEC 10181-3 Information Technology - Security Frameworks in Open Systems - Access Control Framework
  42. ISO/IEC 10181-4 Information Technology - Security Frameworks in Open Systems - Non-repudiation Framework
  43. ISO/IEC 10181-5 Information Technology - Security Frameworks in Open Systems - Confidentiality Framework
  44. ISO/IEC 10181-7 Information Technology - Security Frameworks in Open Systems - Security Audit Framework
  45. ISO/IEC 10736 Information Technology - Telecommunications and Information Exchange Between Systems - Transport Layer Security Protocol (TLSP)
  46. ISO/IEC 11577 Information Technology - Telecommunications and Information Exchange Between Systems - Network Layer Security Protocol (NLSP)
  47. NIST Generally Accepted Principles and Practices for Secure Information Technology Systems
  48. NIST MISPC Minimum Interoperability Specification for PKI Components Version 1
  49. PKCS #7 Cryptographic Message Syntax Standard Version 1.5 or later
  50. PKCS #11 Cryptoki B A Cryptographic Token Interface
  51. RFC 1510 Kerberos Authentication Service
  52. RFC 2104 HMAC:Keyed-Hashing for Message Authentication
  53. For the Record - Protecting Electronic Health Information
  54. ANSI X9.42 Management of Symmetric Keys Using Diffie-Hellman
  55. ANSI X9.44 Key Transport Using RSA

[FR Doc. 98-21601 Filed 8-7-98; 1:23 p.m.]

BILLING CODE 4120-01-P