Electronic Health Record Security Guidance for Low-Resource Settings
Total Page:16
File Type:pdf, Size:1020Kb
Assessment Tool for Electronic Health Record Security Guidance for Low-Resource Settings April 2020 MEASURE Evaluation This publication was produced with the support of the United States Agency for International Development (USAID) under University of North Carolina the terms of MEASURE Evaluation cooperative agreement 123 West Franklin Street, Suite 330 AID-OAA-L-14-00004. MEASURE Evaluation is implemented by the Carolina Population Center, University of North Carolina Chapel Hill, NC 27516 USA at Chapel Hill in partnership with ICF International; John Phone: +1 919-445-9350 Snow, Inc.; Management Sciences for Health; Palladium; [email protected] and Tulane University. Views expressed are not necessarily those of USAID or the United States government. MS-20-195 www.measureevaluation.org ISBN: 978-1-64232-260-6 ACKNOWLEDGMENTS We thank the United States Agency for International Development (USAID) for its support of this work. We’d like to recognize the project management team and the technical support we received from Jason B. Smith, Manish Kumar, and David La’Vell Johnson of MEASURE Evaluation at the University of North Carolina at Chapel Hill (UNC); Herman Tolentino, Steven Yoon, Tadesse Wuhib, Eric-Jan Manders, Daniel Rosen, Carrie Preston, Nathan Volk, and Adebowale Ojo of the United States Centers for Disease Control and Prevention (CDC); Mark DeZalia at the President’s Emergency Plan for AIDS Relief (PEPFAR); and Nega Gebreyesus, Kristen Wares, and Jacob Buehler at USAID. The MEASURE Evaluation project, funded by USAID and PEPFAR, would like to thank the Monitoring and Evaluation Technical Support Program at the Makerere University School of Public Health in Uganda for its cooperation and support in testing this tool and providing valuable feedback and insight. We would also like to thank the Rakai Health Service Program, The AIDS Support Organization, the Elizabeth Glaser Pediatric AIDS Foundation, the Infectious Disease Institute, the management of Alive Medical Services Clinic, and the Makerere University Joint AIDS Programme, and the implementing partners in Uganda that allowed us to visit their facilities during the piloting of the assessment tool. The testing of this assessment tool would not have been possible without the support of Rachel Kwezi of USAID in Uganda; Ray Ransom of CDC, Uganda; and technical assistance from CDC, PEPFAR, and USAID headquarters. We acknowledge the team that developed the assessment tool: Christina Villella, Olivia Velez, Annah Ngaruro, and Samuel Wambugu, MEASURE Evaluation, ICF. We also thank Cindy Young-Turner and Mylene San Gabriel, of ICF, for editing, graphics, and formatting support, and MEASURE Evaluation’s knowledge management team, at UNC, for editorial, design, and production support. Suggested citation: MEASURE Evaluation. (2020). Assessment Tool for Electronic Health Record Security: Guidance for Low-Resource Settings. Chapel Hill, NC, USA: MEASURE Evaluation, University of North Carolina Cover design by Denise Todloski Assessment Tool for Electronic Health Record Security 1 CONTENTS Abbreviations ....................................................................................................................................................................... 4 Glossary of Terms ............................................................................................................................................................... 5 Introduction ......................................................................................................................................................................... 7 Background .......................................................................................................................................................................... 8 Overview of the Assessment Process .............................................................................................................................. 9 Assessment Process .......................................................................................................................................................... 10 Step 1. Prepare for the Assessment ........................................................................................................................... 10 1.1 Identify the Purpose of the Assessment .............................................................................................. 10 1.2 Identify the Scope of the Assessment .................................................................................................. 10 1.3 Identify the Assumptions and Constraints of the Assessment ......................................................... 11 1.4 Identify the Sources of Information to be Used and Inputs to the Assessment ........................... 11 Step 2. Conduct the Assessment ................................................................................................................................ 12 2.1 Preliminary Requirements Gathering ................................................................................................... 12 2.2 Privacy Assessment .................................................................................................................................. 12 2.3 Criticality and Sensitivity Assessment ................................................................................................... 12 2.4 Security and Privacy Controls Assessment .......................................................................................... 13 2.5 System Vulnerability Scan ....................................................................................................................... 17 Step 3. Communicate Results ..................................................................................................................................... 17 3.1 Communication Tools and Methods .................................................................................................... 18 3.2 Mitigating Identified Risks ...................................................................................................................... 18 Step 4. Maintain the Assessment ................................................................................................................................ 18 Policies Informing Security and Privacy ................................................................................................................... 19 References .......................................................................................................................................................................... 22 Other Resources ................................................................................................................................................................ 23 Appendix A. EHR Security Assessment Tool .............................................................................................................. 25 Appendix B. Criticality and Sensitivity .......................................................................................................................... 31 Appendix C. Security Controls ....................................................................................................................................... 35 Appendix D. Communicating the Assessment Results: Sample Visuals ................................................................ 163 2 Guidance for Low-Resource Settings FIGURES Figure 1. Overview of the assessment process ............................................................................................................... 9 TABLES Table 1. Criticality and sensitivity determination and definitions .............................................................................. 13 Table 2. List of security control families, thematic area, and classes ........................................................................ 14 Table 3. Security requirements levels, by implementation scenario .......................................................................... 16 Table 4. Security controls assessment scores ................................................................................................................ 16 Table 5. International and regional policies .................................................................................................................. 19 Appendix B. Table B1. Determining criticality and sensitivity of an EHR ............................................................. 32 Appendix C. Table C1. Security requirements level by implementation scenario .................................................. 35 Appendix C. Table C2. Security controls and assessment guidance and questions ............................................... 36 Appendix D. Table D1. Sample table of criticality and sensitivity assessment findings...................................... 163 Appendix D. Table D2. Sample security and privacy controls assessment results table ..................................... 163 Appendix D. Table D3. Sample vulnerability scan visual ......................................................................................... 164 Assessment Tool for Electronic Health Record Security 3 ABBREVIATIONS CDC Centers for Disease Control and Prevention DNS domain name system EAP Extensible Authentication Protocol EHR electronic health record FedRAMP Federal Risk and Authorization Management Program GDPR General Data Protection Regulation HIPAA