(2) Implementation specifications:
(iv) Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
Tell Me More:
For the maintenance records implementation specification, covered entities must address implementing policies and procedures to document repairs and modifications to the physical components of a facility that are related to security, for example, hardware, walls, doors, and locks. It is important to monitor all changes to the physical environment and its physical safeguards, so that the safeguards continue to be effective as intended, and to maintain a record of those changes.
Questions to consider include:
- Has the organization implemented policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (for example, hardware, walls, doors, and locks)?
- Does the organization have a procedure to retain system maintenance records?
- Does the organization have a procedure to maintain physical access authorization records?
- Are logs maintained of the repairs and modifications to the physical facility that may have an impact on security? The log also should record who performed the work and what access they were granted for purposes of the work.
- Are the logs reviewed to ensure the access to systems was appropriate and to verify that the changes were made in an appropriate fashion? This is necessary to ensure ongoing security.
- Are the logs reviewed to ensure that any necessary changes to the organization’s security procedures resulting from the repairs or modifications are made?
- Are procedures in place to ensure personnel performing technical system maintenance activities are supervised by authorized/knowledgeable individuals, and that operational personnel are appropriately authorized to access systems? Are these procedures documented?