Information System Safeguard Dimensions
HRS’ information security risk management process covers administrative, physical, and technical safeguards governing and processing electronic information handling activities: entry, processing, transmission, storage, and retrieval. Management determines the best controls for reducing risk to information systems. The following briefly describes the system environment and is supported by a comprehensive compilation of policies and associated procedures.
HRS controls access to its office and on-site data center through an alarmed system, keyed locks, and assigned key cards, which facilitate logged access and physical security for the office. Office guests use a doorbell, and the receptionist then remotely unlocks the front door, where logging occurs. The data center requires ‘specially authorized key cards’ distributed only to IT staff. The center has UPS power, dedicated cooling, alarmed entry, smoke detection, and fire suppression.
HRS’ policy-based access administration leverages Active Directory technology for the administration of usernames and passwords, along with group membership for specific data sets. Anti-virus software provides anti-spyware and anti-virus applications, and a firewall is utilized for intrusion detection. Occasionally, ePHI may be transmitted via email using a premium-based exchange along with appliances that encrypt email while it is in motion. At rest, whole disk encryption is deployed for desktops and laptops. HRS partners with an ISO-certified off-site location for its multiple daily backup cycles.
Additionally, HRS has deployed a network scanning, monitoring, and alerting service provided by a qualified independent technology firm. This service monitors all devices, and the platform allows central review of aggregated server event logs based on defined profiles. Tunable notifications and alerts are based on user-defined rules.
The firm recently completed an independent technology review, including vulnerability assessments conducted by a qualified technology firm, providing an opportunity for continuous security refinements. During the 4th quarter of 2016, the firm completed its recurring independent Risk Analysis and Assessment.
HRS has various policies and procedures to safeguard the confidentiality, integrity, and availability of protected health, business, and proprietary information systems by controlling access to its systems and applications. Access to information systems for all workforce users is allowable only on a minimum necessary basis. All users are responsible for reporting an incident of unauthorized use or access of HRS systems. The firm has many safeguard procedures conforming to security regulations dealing with controlled system access and authentication, workstation security, patient confidentiality, and personnel accountability requirements.
The journey at HRS revolves around continuous risk assessments and research, incorporating varied safeguards while refining routines consistent with Privacy and Security rules.