X
GO
Resource Overview

In order to effectively protect health IT systems, Health Center IT leadership needs to consider not only the physical and technical measures of protection for their site, but also the human and workflow measures required to provide the highest levels of privacy and security available throughout their organization.

Resources provided in this section include a set of curated best practices and gold standards for protecting  and effectively responding to health IT system threats. 

Health IT Privacy & Security Best Practices
Health Center Security & Compliance System Implementation Guide

Health Center Security & Compliance System Implementation Guide

January 2019

There are ever-increasing cybersecurity guidelines and protection measures that Health Centers must navigate and digest. Newer and rurally located Health Centers can especially benefit from guidance and decision support that assists them in determining how to implement systems in a manner that meets compliance requirements and doesn’t expose information to undue security risk. Identifying and managing these types of risk can be especially important when procuring new Health IT (e.g. EHRs, Medical Devices, Data Warehouses) for the Health Center. This toolkit provides a framework for Health Centers to evaluate compliance and security concerns as they purchase, adopt, and implement technology solutions.

Every time a Health Center adopts and implements newly procured technology, they could be exposing themselves to compliance gaps and security risks. Often these topics are addressed after the solution is implemented and are an after-thought. Unfortunately, the later in the adoption process that security is considered, the costlier it becomes to address as it may require redesign or reconfiguration of software, systems, and processes.

Especially important for covered entities, like Health Centers, is for this process to meet the regulations outlined within HIPAA. Throughout this document, the related HIPAA requirements are highlighted within each section so as to better understand where this process sits within broader security risk assessment (SRA) practices. In the Appendix of this guide is an EHR/Health IT Systems checklist that can be used as an implementation interview guide when procuring new resources.

This guide can help organizations identify security concerns and design the appropriate solution starting at the design and vendor-selection phase, thereby increasing the likelihood that security will be considered fully throughout the implementation process.

Download the full toolkit below, which includes the following sections:

  • System overview
  • Information classification and inventory
  • Business Associate Agreements and Contracts
  • Risk Analysis
  • Identity management
  • Encryption
  • Auditing and logging
  • Contingency planning
  • Workstation requirements
  • Patching
  • Security testing
  • Vendor and developer access
  • Physical security
  • Network segmentation

Documents to download

Previous Article Substance Abuse Confidentiality Regulations - 42 CFR Part 2
Next Article Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
Print
6304
Intended AudienceHealth Center IT Staff and Leadership

Acknowledgements

This resource collection was cultivated and developed by the HITEQ team with valuable suggestions and contributions from HITEQ Project collaborators.

Quick Feedback Request
Highlighted Resources & Events
Need Assistance?
Would you like more assistance regarding Privacy and Security strategies or support in using any of the included resource sets?

  Request Support

 

Upcoming Events
The Quadruple Aim
Quadruple Aim

A Conceptual Framework

Improving the U.S. health care system requires four aims: improving the experience of care, improving the health of populations, reducing per capita costs and improving care team well-being. HITEQ Center resources seek to provide content and direction aligned with the goals of the Quadruple Aim

Learn More