(2) Implementation specifications:
(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
Tell Me More:
The Integrity Controls implementation specification requires covered entities to address the implementation of security measures that ensure electronically transmitted electronic protected health information (ePHI) is not improperly modified without detection until it is properly disposed of.
In reality, the risk of ePHI being illicitly intercepted and altered in transit is generally low. However, it can happen.
Questions to consider:
- Does the organization use or need to use electronic signatures? The electronic signature is currently the best way to verify that the data has not been altered.
- Does the organization have procedures for using an integrity authentication mechanism (e.g., digital signatures) to ensure the integrity of ePHI when it is transmitted?
- Does your organization have procedures in place to ensure that ePHI entries by authenticated users are tracked through audit trails, and that those trails are periodically reviewed to detect changes made to ePHI without authorization?
References:
- NIST SP 800-12, chapters 16 and 19, An Introduction to Computer Security: The NIST Handbook
- NIST SP 800-42 Guideline on Network Security Testing
- NIST SP 800-53, Revision 3 Recommended Security Controls for Federal Information Systems and Organizations
- NIST SP 800-63 Recommendation for Electronic Authentication
- FIPS 140-2 Security Requirements for Cryptographic Modules
- NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems