
Standards for Security and Electronic Signatures

NOTE: This section of the Security Standard has been updated in the final Security Rule as of April 21, 2003, and is no longer current - it is provided for reference only.

Addendum 3

HIPAA SECURITY MATRIX

Please Note: (1) While we have attempted to categorize security requirements for ease of understanding and reading clarity, there are overlapping areas on the matrix in which the same requirements are restated in a slightly different context. (2) To ensure that no Requirement or Implementation feature is considered more important than another, this matrix has been presented, within each subject area, in alphabetical order.

ADMINISTRATIVE PROCEDURES TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

Requirement | Implementation feature | Mapped standards
Certification | | 47
Chain of trust partner agreement | | 12, 47
Contingency plan (all listed implementation features must be implemented) | Applications and data criticality analysis | 17, 47, 53
 | Data backup plan | 12, 17, 47
 | Disaster recovery plan | 12, 17, 47, 53
 | Emergency mode operation plan | 47, 53
 | Testing and revision | 12, 17, 47
Formal mechanism for processing records | | 12, 17
Information access control (all listed implementation features must be implemented) | Access authorization | 12, 17, 47, 53
 | Access establishment | 17, 47, 53
 | Access modification | 12, 17, 47, 53
Internal audit | | 12, 17, 43, 44, 47
Personnel security (all listed implementation features must be implemented) | Assure supervision of maintenance personnel by authorized, knowledgeable person | 17, 47
 | Maintenance of record of access authorizations | 12, 17, 47
 | Operating, and in some cases, maintenance personnel have proper access authorization | 17, 47
 | Personnel clearance procedure | 
 | Personnel security policy/procedure | 17, 47, 53
 | System users, including maintenance personnel, trained in security | 12, 17, 47, 53
Security configuration management (all listed implementation features must be implemented) | Documentation | 12, 17, 47, 53
 | Hardware/software installation and maintenance review and testing for security features | 12, 17, 47
 | Inventory | 12, 17
 | Security testing | 12, 17, 47
 | Virus checking | 12, 17, 47, 53
Security incident procedures (all listed implementation features must be implemented) | Report procedures | 12, 17, 47
 | Response procedures | 17, 47
Security management process (all listed implementation features must be implemented) | Risk analysis | 12, 17, 47, 53
 | Risk management | 17, 47
 | Sanction policy | 12, 17, 47, 53
 | Security policy | 17, 47, 53
Termination procedures (all listed implementation features must be implemented) | Combination locks changed | 12, 17
 | Removal from access lists | 12, 17, 47, 53
 | Removal of user account(s) | 12, 17, 47
 | Turn in keys, tokens or cards that allow access | 12, 17, 47
Training (all listed implementation features must be implemented) | Awareness training for all personnel (including management) | 12, 17, 18, 47, 53
 | Periodic security reminders | 12, 18
 | User education concerning virus protection | 
 | User education in importance of monitoring log-in success/failure, and how to report discrepancies | 12, 17, 18
 | User education in password management | 12, 18, 47
 

PHYSICAL SAFEGUARDS TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

Requirement | Implementation feature | Mapped standards
Assigned security responsibility | | 47
Media controls (all listed implementation features must be implemented) | Access control | 17, 47, 53
 | Accountability (tracking mechanism) | 17, 18, 47
 | Data backup | 12, 17, 47, 53
 | Data storage | 12, 17, 47
 | Disposal | 17, 47, 53
Physical access controls (limited access) (all listed implementation features must be implemented) | Disaster recovery | 17
 | Emergency mode operation | 17
 | Equipment control (into and out of site) | 17, 47
 | Facility security plan | 12, 17, 47
 | Procedures for verifying access authorizations prior to physical access | 17, 18, 47
 | Maintenance records | 17
 | Need-to-know procedures for personnel access | 12, 17, 47, 53
 | Sign-in for visitors and escort, if appropriate | 17
 | Testing and revision | 17, 47
Policy/guideline on work station use | | 18
Secure work station location | | 17, 53
Security awareness training | | 12, 17, 47
 

TECHNICAL SECURITY SERVICES TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

Requirement | Implementation feature | Mapped standards
Access control (The following implementation feature must be implemented: Procedure for emergency access. In addition, at least one of the following three implementation features must be implemented: Context-based access, Role-based access, User-based access. The use of Encryption is optional.) | Context-based access | 5, 12, 14, 16, 17, 40, 47
 | Encryption | 1, 6, 12, 14, 17, 21, 22, 23, 24, 26, 27, 28, 29, 30, 31, 47, 49, 53, 54, 55
 | Procedure for emergency access | 14, 17, 53
 | Role-based access | 14, 16, 17, 40, 41, 47, 53
 | User-based access | 11, 12, 14, 16, 17, 40, 41, 47, 53
Audit controls | | 12, 14, 18, 47, 53
Authorization control (At least one of the listed implementation features must be implemented.) | Role-based access | 5, 14, 16, 17, 47, 53
 | User-based access | 14, 16, 47, 53
Data authentication | | 11, 53
Entity authentication (The following implementation features must be implemented: Automatic logoff, Unique user identification. In addition, at least one of the other listed implementation features must be implemented.) | Automatic logoff | 14, 16, 17, 18, 40, 53
 | Biometric | 14, 16, 18, 40, 47, 53
 | Password | 14, 16, 17, 18, 19, 40, 47, 53
 | PIN | 14, 16, 18, 19, 40, 47
 | Telephone callback | 14, 17, 18, 47, 53
 | Token | 14, 17, 47, 50, 53
 | Unique user identification | 14, 47, 53
 

TECHNICAL SECURITY MECHANISMS TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

Requirement | Implementation feature | Mapped standards
Communications/network controls (If communications or networking is employed, the following implementation features must be implemented: Integrity controls, Message authentication. In addition, one of the following implementation features must be implemented: Access controls, Encryption. In addition, if using a network, the following four implementation features must be implemented: Alarm, Audit trail, Entity authentication, Event reporting.) | Access controls | 14, 17, 22, 23, 39, 47, 48, 53
 | Alarm, Audit trail | 14, 17, 18, 35, 36, 37, 38, 44
 | Encryption | 1, 6, 12, 14, 17, 21, 22, 23, 24, 26, 27, 28, 29, 30, 31, 47, 49, 52, 53
 | Entity authentication | 12, 14, 17, 18, 20, 22, 23, 31, 32, 33, 34, 51, 53
 | Event reporting | 
 | Integrity controls | 14, 15, 17, 18, 22, 23, 45, 46
 | Message authentication | 14, 15, 17, 18, 22, 23, 25, 45, 46, 52
 

ELECTRONIC SIGNATURE

Requirement | Implementation feature | Mapped standards
Digital signature (If digital signature is employed, the following three implementation features must be implemented: Message integrity, Non-repudiation, User authentication. Other implementation features are optional.) | Ability to add attributes | 3, 4, 10, 11, 13, 20
 | Continuity of signature capability | 3, 4, 11, 13, 14, 18
 | Countersignatures | 3, 4, 10, 11, 13, 14, 18
 | Independent verifiability | 3, 4, 11, 13, 20
 | Interoperability | 3, 4, 7, 8, 9, 13, 14, 48
 | Message integrity | 3, 4, 10, 11, 13, 14, 18
 | Multiple signatures | 3, 4, 10, 11, 13, 20
 | Non-repudiation | 2, 3, 4, 10, 11, 13, 14, 42
 | Transportability | 3, 4, 11, 13, 14, 18
 | User authentication | 3, 4, 10, 11, 13, 20
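The matrix lists Message authentication (under Communications/network controls, mapped to RFC 2104 HMAC, standard 52) and Non-repudiation (under Digital signature, mapped to ANSI X9.30 DSA and the ISO/IEC 10181-4 non-repudiation framework) as separate features, and the reason is worth seeing in code. The following Python program is an example added to this page; it is not part of the proposed rule or the matrix. It implements HMAC exactly as RFC 2104 specifies it using only the standard library, checks the result against the published RFC 2202 test vector, shows that a modified message fails verification, and shows why a shared-key tag satisfies message authentication but not non-repudiation: the receiver, holding the same key, can produce a tag indistinguishable from the sender's. The key, the message and its field names are constructed for the example.

```python
"""HMAC message authentication per RFC 2104, with a constructed sample.
Added example for the HIPAA security matrix page; not text from the rule."""
import hashlib
import hmac  # stdlib HMAC, used here for constant-time compare and a cross-check


def rfc2104_hmac(key: bytes, text: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC as RFC 2104 defines it: H((K xor opad) || H((K xor ipad) || text))."""
    h = getattr(hashlib, hash_name)
    block_size = h().block_size          # 64 bytes for SHA-1 and SHA-256
    if len(key) > block_size:            # a key longer than one block is hashed first
        key = h(key).digest()
    key = key.ljust(block_size, b"\x00")  # then zero-padded out to the block size
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = h(ipad + text).digest()
    return h(opad + inner).digest()


def tag_message(key: bytes, text: bytes) -> bytes:
    """Sender side: attach this tag to the message."""
    return rfc2104_hmac(key, text)


def verify_message(key: bytes, text: bytes, tag: bytes) -> bool:
    """Receiver side. compare_digest runs in constant time, so a wrong tag does
    not leak how many leading bytes matched."""
    return hmac.compare_digest(rfc2104_hmac(key, text), tag)


# Constructed sample input: a 20-byte key agreed out of band (assumption) and
# a made-up claims message whose fields exist only for this example.
SHARED_KEY = bytes(range(20))
SAMPLE_MESSAGE = b"MSG|claim=CLM0001|patient=P-4711|amount=125.00"
SAMPLE_TAG = tag_message(SHARED_KEY, SAMPLE_MESSAGE)


def tampered_message_is_rejected() -> bool:
    """Integrity control: altering one field invalidates the original tag."""
    altered = SAMPLE_MESSAGE.replace(b"125.00", b"925.00")
    return (verify_message(SHARED_KEY, SAMPLE_MESSAGE, SAMPLE_TAG)
            and not verify_message(SHARED_KEY, altered, SAMPLE_TAG))


def receiver_can_forge() -> bool:
    """Why HMAC gives message authentication but not non-repudiation: every
    holder of the shared key, the receiver included, can produce a tag the
    other party cannot distinguish from its own. Non-repudiation needs a
    signature made with a key only the signer holds."""
    forged_text = b"MSG|claim=CLM0002|patient=P-4711|amount=5000.00"
    forged_tag = tag_message(SHARED_KEY, forged_text)  # computed by the receiver
    return verify_message(SHARED_KEY, forged_text, forged_tag)


def matches_rfc2202_vector() -> bool:
    """RFC 2202 test case 1 for HMAC-SHA-1: key = 0x0b * 20, data = 'Hi There'."""
    expected = bytes.fromhex("b617318655057264e28bc0b6fb378c8ef146be00")
    return rfc2104_hmac(b"\x0b" * 20, b"Hi There") == expected


def matches_stdlib(key: bytes, text: bytes) -> bool:
    """Cross-check the hand-rolled construction against hashlib/hmac (SHA-256)."""
    return rfc2104_hmac(key, text, "sha256") == hmac.new(key, text, hashlib.sha256).digest()


if __name__ == "__main__":
    print("tag:", SAMPLE_TAG.hex())
    print("tampering detected:", tampered_message_is_rejected())
    print("receiver can forge:", receiver_can_forge())
    print("RFC 2202 vector ok:", matches_rfc2202_vector())
```

In production use the standard library's hmac.new rather than a hand-rolled construction; the explicit version above exists only to make the RFC 2104 steps (key hashing, zero padding, inner and outer pads) visible. RFC 2104 also recommends a key at least as long as the hash output, and the receiver must always compare tags in constant time.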

MAPPED STANDARDS

  1. ANSI X3.92 Data Encryption Standard
  2. ANSI X9.30 Part 1: Public Key Cryptography Using Irreversible Algorithms: Digital Signature Algorithm
  3. ANSI X9.30 Part 2: Public Key Cryptography Using Irreversible Algorithms: Secure Hash Algorithm (SHA-1)
  4. ANSI X9.31 Reversible Digital Signature Algorithms
  5. ANSI X9.45 Enhanced Management Controls Using Digital Signatures and Attribute Certificates
  6. ANSI X9.52 Triple DES Modes of Operation
  7. ANSI X9.55 Extensions to Public Key Certificates and CRLs
  8. ANSI X9.57 Certificate Management
  9. ANSI X9.62 Elliptic Curve Digital Signature Algorithm (draft)
  10. ANSI X12.58 Security Structures (version 2)
  11. ASTM E 1762 Standard Guide for Authentication of Healthcare Information
  12. ASTM E 1869 Draft Standard for Confidentiality, Privacy, Access and Data Security Principles
  13. ASTM PS 100-97 Standard Specification for Authentication of Healthcare Information Using Digital Signatures
  14. ASTM PS 101-97 Security Framework for Healthcare Information
  15. ASTM PS 102-97 Standard Guide for Internet and Intranet Security
  16. ASTM PS 103-97 Authentication & Authorization Guideline
  17. CEN European Pre-Standard
  18. FDA Electronic Records-Electronic Signatures-Final Rule
  19. FIPS PUB 112 Password Usage
  20. FIPS PUB 196 Entity Authentication Using Public Key Cryptography
  21. FIPS PUB 46-2 Data Encryption Standard
  22. IEEE 802.10: Interoperable LAN/MAN Security (SILS), 1992-1996 (multiple parts)
  23. IEEE 802.10c LAN/WAN Security-Key Management
  24. IETF ID Combined SSL/PCT Transport Layer Security Protocol
  25. IETF ID FTP Authentication Using DSA
  26. IETF ID Secure HyperText Transfer Protocol (S-HTTP)
  27. IETF ID S/MIME Certificate Handling
  28. IETF ID S/MIME Message Specification
  29. IETF RFC 1421 Privacy Enhanced Mail: Part I: Message Encryption and Authentication Procedures
  30. IETF RFC 1422 Privacy Enhanced Mail: Part II: Certificate-Based Key Management
  31. IETF RFC 1423 Privacy Enhanced Mail: Part III: Algorithms, Modes, and Identifiers
  32. ISO/IEC 9798-1: Information Technology - Security Techniques - Entity Authentication Mechanisms - Part 1: General Model
  33. ISO/IEC 9798-3: Information Technology - Security Techniques - Entity Authentication Mechanisms - Part 3: Entity Authentication Using Asymmetric Techniques
  34. ISO/IEC 9798-2: Information Technology - Security Techniques - Entity Authentication Mechanisms - Part 2: Entity Authentication Using Symmetric Techniques
  35. ISO/IEC 10164-4 Information Technology - Open Systems Interconnection - Systems Management: Alarm Reporting Function
  36. ISO/IEC 10164-5 Information Technology - Open Systems Interconnection - Systems Management: Event Report Management Function
  37. ISO/IEC 10164-7 Information Technology - Open Systems Interconnection - Systems Management: Security Alarm Reporting Function
  38. ISO/IEC 10164-8 Information Technology - Open Systems Interconnection - Systems Management: Security Audit Trail Function
  39. ISO/IEC 10164-9 Information Technology - Open Systems Interconnection - Systems Management: Objects and Attributes for Access Control
  40. ISO/IEC 10181-2 Information Technology - Security Frameworks in Open Systems - Authentication Framework
  41. ISO/IEC 10181-3 Information Technology - Security Frameworks in Open Systems - Access Control Framework
  42. ISO/IEC 10181-4 Information Technology - Security Frameworks in Open Systems - Non-repudiation Framework
  43. ISO/IEC 10181-5 Information Technology - Security Frameworks in Open Systems - Confidentiality Framework
  44. ISO/IEC 10181-7 Information Technology - Security Frameworks in Open Systems - Security Audit Framework
  45. ISO/IEC 10736 Information Technology - Telecommunications and Information Exchange Between Systems - Transport Layer Security Protocol (TLSP)
  46. ISO/IEC 11577 Information Technology - Telecommunications and Information Exchange Between Systems - Network Layer Security Protocol (NLSP)
  47. NIST Generally Accepted Principles and Practices for Securing Information Technology Systems (NIST SP 800-14)
  48. NIST MISPC Minimum Interoperability Specification for PKI Components, Version 1 (NIST SP 800-15)
  49. PKCS #7 Cryptographic Message Syntax Standard, Version 1.5 or later
  50. PKCS #11 Cryptoki: A Cryptographic Token Interface Standard
  51. RFC 1510 The Kerberos Network Authentication Service (V5)
  52. RFC 2104 HMAC: Keyed-Hashing for Message Authentication
  53. For the Record: Protecting Electronic Health Information (National Research Council, 1997)
  54. ANSI X9.42 Management of Symmetric Keys Using Diffie-Hellman
  55. ANSI X9.44 Key Transport Using RSA

[FR Doc. 98-21601 Filed 8-7-98; 1:23 p.m.]

BILLING CODE 4120-01-P


©2001-2008 HIPAAssociates, Inc.