FacebookTwitterLinkedInEmailPrint
This entry is part 36 of 59 in the series Complete Guide to HIPAA Security Final Rule

(ii) Implementation specifications:

 (B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.

Tell Me More:

The Protection from Malicious Software implementation specification requires covered entities to address implementing procedures for guarding against, detecting, and reporting malicious software.  Malicious software refers to viruses, worms, Trojan horses and backdoor programs. Malicious software either has negative behaviors or is used by attackers to further their goals of attacking enterprise networks and systems. The key difference between the types of malicious software is their means of spreading.

Entities should utilize policy, education and awareness, and technical prevention and detection controls best suited for their environments, to avoid introduction and exploitation of malicious software in state information systems.

Questions to consider:

  • Does the organization have virus protection and firewall programs installed? If you connect to an intranet or the Internet, or if you allow anyone to install data or software from a diskette, CD, or DVD, such programs are necessary.
  • Are the programs appropriate for the organization and its system configuration? An off the shelf product may be appropriate for your environment to sufficiently lessen the degree of risk associated with receiving malicious software or you may need to implement a customized program.
  • If the system configuration is a network, is anti-virus software (updates and scans) controlled at the server level (thereby assuring there is no chance an “end-user” could override or ignore an update)? Do you have appropriate safeguards at the server and workstation levels? It is important to protect all access points.
  • Does the organization prevent use of non-business related software from home or any other location, including downloads? Such programs often carry malicious software.
  • Are systems properly “patched” (patch management) in an expeditious manner to avoid being exploited by malicious logic that takes advantage of improperly patched systems? System updates are issued on an ongoing basis and should be installed.
  • Are users periodically trained on opening suspicious e-mail attachments, e-mail from unfamiliar senders, and hoax e-mail? Users need to be involved in protecting systems from malicious software.

References:

Series Navigation<< 164.312(a)(2)(iv) Standard: Access control – Encryption and decryption164.310(d)(2)(i) Standard: Device and media controls – Disposal >>

Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.
 
FacebookTwitterLinkedInEmailPrint