mbrody wrote on Saturday, December 19, 2009:
Foundational Infrastructure Test Scripts Guidance
For ARRA Preliminary 2011 EHR Technology
November 5, 2009
Product (NUMBER CODE ONLY):_________________________ Date: __________________________
Evaluator: _________________________________________ Signature: _______________________
FOUNDATIONAL INFRASTRUCTURE: Security and Privacy (MU.P5.G1)
All test steps must be demonstrated. The applicant explicitly attests to the veracity of the features and functions demonstrated, the information furnished, and the statements made during the course of this inspection.
Exception: Test steps that are optional are highlighted in yellow. These steps are to be demonstrated if possible, but will not affect certification results.
Table columns (each FND row below runs across them): Procedure | Expected Result | Criteria and Reference | Vendor/Juror Guidance
FND.01 Demonstrate and describe how the technology provides the capability to allow access only to those persons or software programs that have been granted access rights. The capability is demonstrated. AR.FND 01.01 Provide capability to allow access only to those persons or software programs that have been granted access rights. The applicant must describe and demonstrate:
1. The ability to provide access only to authenticated users
2. The authentication procedure (e.g. account creation including user IDs, assignment of privileges)
3. The access control method, user-based, RBAC, SSO, EUA, SAML, context-based, etc.
4. The product’s password strength rule and password security (age, reuse, display, encryption, etc.)
5. The product’s limit of number of consecutive invalid attempts
6. The product’s account lockout after exceeding the limit of number of invalid attempts:
- configurable time delay until next login attempt
- require release by administrator
7. The ability to suspend user accounts
8. The history of inactive accounts
9. The ability to configure and display notice of warning against unauthorized use
10. The ability to generate audit record for valid logins and invalid login attempts
FND.02 Demonstrate and describe how the technology provides the capability to assign a unique name and/or number for identifying and tracking user identity. The capability is demonstrated. AR.FND 01.02 Provide capability to assign a unique name and/or number for identifying and tracking user identity. The applicant must describe and demonstrate:
1. Uniqueness of user IDs
2. Composition of user IDs
3. Case sensitivity and case insensitivity of user IDs
4. The ability to track user IDs in audit records
5. The ability to generate audit records for valid logins and invalid login attempts with user IDs
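FND.01 items 5, 6 and 10 and FND.02 items 1, 3 and 5 describe one piece of control logic: count consecutive failed logins, lock the account when the limit is reached (timed release or release by an administrator), and write an audit record with the user ID for every valid and invalid attempt. The Go program below is an added example written for this page; it is not code from the test script or from any certified product. The `Authenticator` type, its event names, the clock injection and the sample user `DrSmith` are constructed for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AuditRecord carries what FND.01 item 10 and FND.02 item 5 ask for: time,
// user ID, what happened and whether it succeeded.
type AuditRecord struct {
	At            time.Time
	UserID, Event string // Event: LOGIN_OK, LOGIN_FAIL, LOCKOUT, ADMIN_UNLOCK
	Success       bool
}

type account struct {
	pwHash      [32]byte // demo only; a real store uses a salted, slow hash such as bcrypt
	failures    int
	lockedUntil time.Time
	adminLocked bool
}

// Authenticator enforces the consecutive-failure limit and the lockout policy.
type Authenticator struct {
	MaxFailures  int           // FND.01 item 5
	LockoutDelay time.Duration // FND.01 item 6; zero means release by administrator only
	Now          func() time.Time
	Audit        []AuditRecord
	accounts     map[string]*account
}

func NewAuthenticator(maxFailures int, lockout time.Duration, now func() time.Time) *Authenticator {
	return &Authenticator{MaxFailures: maxFailures, LockoutDelay: lockout, Now: now, accounts: map[string]*account{}}
}

// normalizeID makes user IDs case-insensitive (FND.02 item 3), so "DrSmith" and
// "drsmith" can never become two accounts (FND.02 item 1).
func normalizeID(id string) string { return strings.ToLower(strings.TrimSpace(id)) }

func (a *Authenticator) AddUser(id, password string) error {
	id = normalizeID(id)
	if _, taken := a.accounts[id]; taken {
		return errors.New("user ID already exists")
	}
	a.accounts[id] = &account{pwHash: sha256.Sum256([]byte(password))}
	return nil
}

func (a *Authenticator) log(id, event string, ok bool) {
	a.Audit = append(a.Audit, AuditRecord{At: a.Now(), UserID: id, Event: event, Success: ok})
}

// Login reports success or failure. Unknown user, wrong password and locked
// account all yield the same error so the response reveals nothing extra.
func (a *Authenticator) Login(userID, password string) error {
	id, now := normalizeID(userID), a.Now()
	acct, ok := a.accounts[id]
	if !ok || acct.adminLocked || now.Before(acct.lockedUntil) {
		a.log(id, "LOGIN_FAIL", false)
		return errors.New("access denied")
	}
	got := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(got[:], acct.pwHash[:]) != 1 {
		acct.failures++
		a.log(id, "LOGIN_FAIL", false)
		if acct.failures >= a.MaxFailures { // FND.01 item 6: lock the account
			acct.failures = 0
			if a.LockoutDelay > 0 {
				acct.lockedUntil = now.Add(a.LockoutDelay) // timed release
			} else {
				acct.adminLocked = true // release by administrator only
			}
			a.log(id, "LOCKOUT", false)
		}
		return errors.New("access denied")
	}
	acct.failures = 0
	a.log(id, "LOGIN_OK", true)
	return nil
}

// AdminUnlock is the "release by administrator" path of FND.01 item 6.
func (a *Authenticator) AdminUnlock(userID string) {
	if acct, ok := a.accounts[normalizeID(userID)]; ok {
		acct.adminLocked, acct.lockedUntil = false, time.Time{}
		a.log(normalizeID(userID), "ADMIN_UNLOCK", true)
	}
}

func main() {
	a := NewAuthenticator(3, 15*time.Minute, time.Now)
	a.AddUser("DrSmith", "correct horse battery")
	for i := 1; i <= 4; i++ {
		fmt.Println("attempt", i, "->", a.Login("drsmith", "wrong")) // attempt 3 locks, 4 is refused while locked
	}
	for _, r := range a.Audit {
		fmt.Println(r.At.Format(time.RFC3339), r.UserID, r.Event, r.Success)
	}
}
```

Injecting `Now` lets a juror walk the clock forward on a demo screen to show the timed release without waiting; the audit slice is what the "generate audit record for valid logins and invalid login attempts" item would be read from.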
FND.03 Demonstrate and describe how the technology provides the capability to access necessary electronic protected health information during an emergency. The capability is demonstrated. AR.FND 01.03 Provide capability to access necessary electronic protected health information during an emergency. The applicant must describe and demonstrate:
1. The support for emergency access policies
2. The method supported for clinical user access in emergency situations also known as the break-the-glass function
3. The support for the expiration of emergency mode
4. Audit events tracking the start of emergency mode and the users using the emergency mode.
FND.04 Demonstrate and describe how the technology provides the capability to terminate an electronic session after a predetermined time of inactivity. The capability is demonstrated. AR.FND 01.04 Provide capability to terminate an electronic session after a predetermined time of inactivity. The applicant must describe and demonstrate:
1. The ability to configure the period of inactivity for timeout
2. The ability to prevent further access
3. The ability to prevent further display of information
4. The ability to re-authenticate after inactivity timeout
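The four FND.04 items reduce to one rule: every request touches the session, a session that has been idle longer than the configured period is destroyed rather than merely hidden, and the user has to authenticate again. The Go program below is an added example for this page, not the test script's or any vendor's code; the `SessionStore` type, the injected clock and the `drsmith` user are constructed.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Session is one authenticated electronic session.
type Session struct {
	UserID     string
	LastActive time.Time
}

// SessionStore applies the inactivity rule: a session that has seen no request
// for longer than Limit is terminated, and the user must authenticate again.
type SessionStore struct {
	Limit    time.Duration // FND.04 item 1: configurable period of inactivity
	Now      func() time.Time
	Timeouts []string // audit trail of terminated sessions (user IDs)
	sessions map[string]*Session
}

func NewSessionStore(limit time.Duration, now func() time.Time) *SessionStore {
	return &SessionStore{Limit: limit, Now: now, sessions: map[string]*Session{}}
}

// Open is called after a successful login and returns an unguessable token.
func (s *SessionStore) Open(userID string) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := fmt.Sprintf("%x", raw)
	s.sessions[token] = &Session{UserID: userID, LastActive: s.Now()}
	return token, nil
}

// Touch is called on every request. It returns the user for a live session, or
// an error the caller turns into "display nothing, prompt for login" (items 2 to 4).
func (s *SessionStore) Touch(token string) (string, error) {
	sess, ok := s.sessions[token]
	if !ok {
		return "", errors.New("no such session: re-authenticate")
	}
	now := s.Now()
	if now.Sub(sess.LastActive) > s.Limit {
		delete(s.sessions, token) // the token is dead for good; a later request cannot revive it
		s.Timeouts = append(s.Timeouts, sess.UserID)
		return "", errors.New("session timed out: re-authenticate")
	}
	sess.LastActive = now
	return sess.UserID, nil
}

// Logout lets the user end the session before the timeout.
func (s *SessionStore) Logout(token string) { delete(s.sessions, token) }

// Active returns how many sessions are currently live (for an admin screen).
func (s *SessionStore) Active() int { return len(s.sessions) }

func main() {
	clock := time.Date(2009, 11, 5, 9, 0, 0, 0, time.UTC)
	store := NewSessionStore(10*time.Minute, func() time.Time { return clock })
	tok, _ := store.Open("drsmith")
	clock = clock.Add(9 * time.Minute)
	fmt.Println(store.Touch(tok)) // activity inside the limit resets the timer
	clock = clock.Add(11 * time.Minute)
	fmt.Println(store.Touch(tok)) // past the limit: terminated, re-authentication required
}
```

Note that the timer is measured from the last activity, not from login, and that an expired token is deleted on the server side: clearing the screen alone (item 3) does not satisfy item 2 if the token would still be accepted afterwards.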
FND.05 Demonstrate and describe how the technology provides the capability to encrypt and decrypt electronic protected health information. The capability is demonstrated. AR.FND 01.05 Provide the capability to encrypt and decrypt electronic protected health information. The applicant must:
1. Identify the encryption method and the tools used for standards based encryption
2. Demonstrate the availability (license) of the encryption software
3. Demonstrate access to the tools and available encryption/decryption algorithms
4. Demonstrate the availability of the procedure to encrypt and decrypt PHI
5. Demonstrate the menus, functions, options and the choice for selecting or implementing the methods identified above
Note: HHS’ proposed standards require AES (3DES and other algorithms are excluded).
FND.06 Demonstrate and describe how the technology provides the capability to encrypt data at rest using AES. The capability is demonstrated. AR.FND 01.06 Provide the capability to encrypt data at rest using AES. The applicant must:
1. Identify the media or the location of data at rest
2. Identify the software and/or hardware tools used for encryption
3. Demonstrate the availability (license) of the encryption software
4. Demonstrate access to the tools and available encryption decryption algorithms
5. Demonstrate the availability of the procedure to encrypt and decrypt PHI
6. Demonstrate the menus, functions, options and the choice for selecting or implementing the methods identified above
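FND.05 and FND.06 ask the applicant to show AES encryption and decryption of PHI at rest with a standards-based tool, and item 5 of each asks for the decrypt procedure as well. The Go program below is an added example for this page using only the standard library's AES-256-GCM; it is not the test script's or any product's code. `PHIRecord`, `Seal`, `Open`, the storage ID `rec-1001` and the sample record are constructed. GCM is chosen because it authenticates the ciphertext, so a modified or misplaced blob fails to decrypt instead of yielding garbage; the same routine would serve the removable-media and transmission items later in the script.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PHIRecord is a constructed sample of what the application writes to its store.
type PHIRecord struct {
	MRN       string `json:"mrn"`
	Name      string `json:"name"`
	Diagnosis string `json:"diagnosis"`
}

// NewDataKey returns a random 256-bit key for AES-256. In a deployment the key
// comes from a key-management service or HSM and is never stored beside the data.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
// aad (here the record's storage ID) is authenticated but not encrypted, so a
// blob copied into another record's slot will not open there.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce, fresh for every Seal under this key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag, key or aad makes
// it return an error instead of plaintext.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// StoreRecord serialises a record and seals it under its storage ID.
func StoreRecord(key []byte, id string, r PHIRecord) ([]byte, error) {
	plaintext, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	return Seal(key, plaintext, []byte(id))
}

// LoadRecord opens a blob and parses the record; tampering surfaces as an error.
func LoadRecord(key []byte, id string, blob []byte) (PHIRecord, error) {
	var r PHIRecord
	plaintext, err := Open(key, blob, []byte(id))
	if err != nil {
		return r, err
	}
	err = json.Unmarshal(plaintext, &r)
	return r, err
}

func main() {
	key, _ := NewDataKey()
	blob, _ := StoreRecord(key, "rec-1001", PHIRecord{MRN: "MRN-1001", Name: "Jane Doe", Diagnosis: "J45.20"})
	fmt.Printf("on disk: %x...\n", blob[:12])
	rec, err := LoadRecord(key, "rec-1001", blob)
	fmt.Println("decrypted:", rec, err)
	blob[len(blob)-1] ^= 1 // flip one bit of the authentication tag
	_, err = LoadRecord(key, "rec-1001", blob)
	fmt.Println("after tampering:", err)
}
```

For the juror demonstration the useful screens are the three failure cases: a flipped byte, the wrong key, and a blob opened under another record's ID, all of which must refuse rather than decrypt.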
FND.07 Demonstrate and describe how the technology provides the capability to record and examine activity in information systems that contain or use electronic protected health information. The capability is demonstrated. AR.FND 02.01 Provide the capability to record and examine activity in information systems that contain or use electronic protected health information. The applicant must:
1. Describe and demonstrate the capability to detect auditable events
2. Identify the various audit logs being maintained or used (e.g. operating system log, application logs, database logs, infrastructure logs, etc.)
3. Display the content of audit records
4. Demonstrate the ability for authorized users to read (readable format) and interpret the information including date and time, user ID/subject ID, event description, system component where the event occurred, and success and failure of the event.
5. Demonstrate the inability of unauthorized users to access the same logs.
6. Describe and demonstrate the ability to maintain consistent time via the use of NTP/SNTP synchronization
7. Describe and demonstrate the protection of audit records (i.e. access only to authorized users/administrators)
FND.08 Demonstrate and describe how the technology provides the capability to use the ATNA profile to communicate audit messages between Secure Nodes and to establish Audit Repository nodes to collect audit information. The capability is demonstrated. AR.FND 02.02 Provide the capability to use the ATNA profile to communicate audit messages between Secure Nodes and to establish Audit Repository nodes to collect audit information. The applicant must describe and demonstrate:
1. The capability to send those audit records which have been collected from different sources (local processes and distributed services) to a central audit log repository.
2. Demonstrate the configuration of the application for ATNA: configuration screens or files.
3. The capability to produce one sample record in the IHE ITI-TF’s XML schema for reporting events that are relevant to security and privacy auditing as specified in the “Security Audit and Access Accountability Message XML Data Definitions for Healthcare Applications” (RFC-3881).
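Item 3 of FND.08 asks for one sample record in the RFC 3881 XML schema. The Go program below is an added example for this page, not code from the test script or from any product: it models the RFC 3881 `AuditMessage` structure with `encoding/xml`, builds the record for a login attempt, and wraps it in the syslog framing ATNA uses to reach the repository node. The element and attribute names follow my reading of the RFC 3881 schema and the event codes are the DICOM (DCM) codes IHE uses for user authentication and login; the site ID `clinic-east`, source ID `ehr-app-01`, user and IP address are constructed. Validate the output against the published XSD before relying on it.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"time"
)

// CodedValue mirrors the CodedValueType of the RFC 3881 schema.
type CodedValue struct {
	Code           string `xml:"code,attr"`
	CodeSystemName string `xml:"codeSystemName,attr,omitempty"`
	DisplayName    string `xml:"displayName,attr,omitempty"`
}

type EventIdentification struct {
	EventActionCode       string       `xml:"EventActionCode,attr"`       // C,R,U,D or E (execute)
	EventDateTime         string       `xml:"EventDateTime,attr"`         // xs:dateTime
	EventOutcomeIndicator int          `xml:"EventOutcomeIndicator,attr"` // 0 success, 4 minor, 8 serious, 12 major failure
	EventID               CodedValue   `xml:"EventID"`
	EventTypeCode         []CodedValue `xml:"EventTypeCode,omitempty"`
}

type ActiveParticipant struct {
	UserID                     string `xml:"UserID,attr"`
	UserIsRequestor            bool   `xml:"UserIsRequestor,attr"`
	NetworkAccessPointTypeCode int    `xml:"NetworkAccessPointTypeCode,attr,omitempty"` // 1 machine name, 2 IP address
	NetworkAccessPointID       string `xml:"NetworkAccessPointID,attr,omitempty"`
}

type AuditSourceIdentification struct {
	AuditEnterpriseSiteID string `xml:"AuditEnterpriseSiteID,attr,omitempty"`
	AuditSourceID         string `xml:"AuditSourceID,attr"`
}

// ParticipantObject identifies the patient or record an event touched
// (a login event has none, so NewLoginMessage leaves it empty).
type ParticipantObject struct {
	ParticipantObjectID           string     `xml:"ParticipantObjectID,attr"`
	ParticipantObjectTypeCode     int        `xml:"ParticipantObjectTypeCode,attr"`     // 1 person
	ParticipantObjectTypeCodeRole int        `xml:"ParticipantObjectTypeCodeRole,attr"` // 1 patient
	ParticipantObjectIDTypeCode   CodedValue `xml:"ParticipantObjectIDTypeCode"`
}

type AuditMessage struct {
	XMLName      xml.Name                  `xml:"AuditMessage"`
	Event        EventIdentification       `xml:"EventIdentification"`
	Participants []ActiveParticipant       `xml:"ActiveParticipant"`
	Source       AuditSourceIdentification `xml:"AuditSourceIdentification"`
	Objects      []ParticipantObject       `xml:"ParticipantObjectIdentification,omitempty"`
}

// NewLoginMessage describes one login attempt. 110114 "User Authentication" and
// 110122 "Login" are DCM codes as used by IHE ATNA; site and source IDs are constructed.
func NewLoginMessage(userID, clientIP string, success bool, at time.Time) AuditMessage {
	outcome := 0
	if !success {
		outcome = 4
	}
	return AuditMessage{
		Event: EventIdentification{
			EventActionCode: "E", EventDateTime: at.UTC().Format(time.RFC3339), EventOutcomeIndicator: outcome,
			EventID:       CodedValue{Code: "110114", CodeSystemName: "DCM", DisplayName: "User Authentication"},
			EventTypeCode: []CodedValue{{Code: "110122", CodeSystemName: "DCM", DisplayName: "Login"}},
		},
		Participants: []ActiveParticipant{{UserID: userID, UserIsRequestor: true, NetworkAccessPointTypeCode: 2, NetworkAccessPointID: clientIP}},
		Source:       AuditSourceIdentification{AuditEnterpriseSiteID: "clinic-east", AuditSourceID: "ehr-app-01"},
	}
}

// Marshal renders the message as the XML document an Audit Record Repository expects.
func (m AuditMessage) Marshal() (string, error) {
	out, err := xml.MarshalIndent(m, "", "  ")
	return xml.Header + string(out), err
}

// ParseAuditMessage reads a message back, as the repository or an auditor's tool would.
func ParseAuditMessage(doc string) (AuditMessage, error) {
	var m AuditMessage
	err := xml.Unmarshal([]byte(doc), &m)
	return m, err
}

// SyslogFrame wraps the XML for transport. ATNA carries audit messages over
// syslog; this header follows RFC 5424 (PRI 85 = facility 10 security/authorization,
// severity 5 notice). The repository strips it and stores the XML body.
func SyslogFrame(sourceHost string, at time.Time, xmlBody string) string {
	return fmt.Sprintf("<85>1 %s %s ehr-app-01 - - - %s", at.UTC().Format(time.RFC3339), sourceHost, xmlBody)
}

func main() {
	at := time.Date(2009, 11, 5, 9, 0, 0, 0, time.UTC)
	doc, err := NewLoginMessage("drsmith", "10.0.0.5", false, at).Marshal()
	if err != nil {
		panic(err)
	}
	fmt.Println(SyslogFrame("ehr01.clinic.example", at, doc))
}
```

The same structs carry the event types the other FND rows produce (record access, emergency-mode start, audit log use) by changing `EventID`, `EventTypeCode` and the `ParticipantObject` list; the transport and repository side stay the same.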
FND.09 Person or entity authentication: Demonstrate and describe how the technology provides the capability to verify that a person or entity seeking access to electronic protected health information is the one claimed. The capability is demonstrated. AR.FND 03.01 Person or entity authentication: Provide the capability to verify that a person or entity seeking access to electronic protected health information is the one claimed. The applicant must:
1. Identify all services, connections and protocols used for the purposes such as physician’s remote access, access using a wireless network, connections used for lab test and diagnostic orders, connections to knowledge-bases, exchanging billing information etc.
2. Describe and demonstrate how remote node authentication is done and what open protocol is used for each service.
FND.10 Demonstrate and describe how the technology provides the capability to authenticate users and entities within an organization using Kerberos. The capability is demonstrated. AR.FND 03.02 Provide the capability to authenticate users and entities within an organization using Kerberos. The applicant must:
1. Describe and demonstrate the capability to authenticate users and entities within an organization (e.g. MS Active Directory, 3rd party servers, via application, between web browser and web server, etc.) between client and server or server to server
2. For a Microsoft OS, demonstrate via the security log in the event viewer.
3. For Microsoft Active Directory (which can include non-MS OSs and Web Servers), execute Kerbtray, a Microsoft utility to display ticket information for a given computer running the Kerberos protocol.
4. Execute klist, a utility provided by MIT Kerberos to list credentials (intended for workstations)
5. Show the account creation and active directory being propagated to applications.
FND.11 Demonstrate and describe how the technology implements the EUA Profile (which uses Kerberos) to provide a single sign-on capability within enterprises. The capability is demonstrated. AR.FND 03.03 Implement the EUA Profile (which uses Kerberos) to provide a single sign-on capability within enterprises. 1. Demonstrate SSO capability across enterprise and across multiple applications and platforms.
FND.12 Demonstrate and describe how the technology provides the capability to electronically record individual consumers’ consents and authorizations. The capability is demonstrated. AR.FND 04.01 Provide the capability to electronically record individual consumers’ consents and authorizations. The applicant must
1. Describe the method used to record consumer’s consents and authorizations.
2. Demonstrate the menus, options and functions via screen displays to prompt and obtain consents and authorizations
3. Demonstrate the menus, and functions to view/retrieve consents and authorizations
FND.13 Demonstrate and describe how the technology provides the capability to create an electronic copy of an individual’s electronic health record, to record it on removable media, and to transmit it to a designated entity capable of receiving electronic transmissions. The capability is demonstrated. AR.FND 05.01 Provide the capability to create an electronic copy of an individual’s electronic health record, to record it on removable media, and to transmit it to a designated entity capable of receiving electronic transmissions. The capabilities to create an electronic copy of an individual’s electronic health record, record it on removable media and transmit it to a designated entity capable of receiving electronic transmissions will be tested within the clinical scenario under component S and T.
The applicant must:
1. Identify the encryption method and the tools used for standards based encryption of health record on portable media and removable devices
2. Demonstrate the availability (license) of the encryption software
3. Demonstrate access to the tools and available encryption/decryption algorithms
4. Demonstrate the availability of the procedure to encrypt and decrypt PHI
5. Demonstrate the menus, functions, options and the choice for selecting or implementing the methods identified above
Note: HHS’ proposed standards require AES (3DES and other algorithms are excluded).
FND.14 Demonstrate and describe how the technology provides the capability to create and distribute an electronic copy of an individual’s EHR as an unstructured document. The capability is demonstrated. AR.FND 05.02 Provide the capability to create and distribute an electronic copy of an individual’s EHR as an unstructured document. The capabilities to create an electronic copy of an individual’s electronic health record, record it on removable media, transmit it to a designated entity capable of receiving electronic transmissions and distribute it via PHR, patient portal, CD, USB drive will be tested within the clinical scenario under component S and T.
The applicant must:
1. Identify the encryption method and the tools used for standards based encryption of health record on portable media and removable devices
2. Demonstrate the availability (license) of the encryption software
3. Demonstrate access to the tools and available encryption/decryption algorithms
4. Demonstrate the availability of the procedure to encrypt and decrypt PHI
5. Demonstrate the menus, functions, options and the choice for selecting or implementing the methods identified above
Note: HHS’ proposed standards require AES (3DES and other algorithms are excluded).
FND.15 Demonstrate and describe how the technology provides the capability to remove the identifiers enumerated in Section 164.514(b)(2)(i) of the HIPAA Privacy Rule. The capability is demonstrated. AR.FND 06.01 Provide the capability to remove the identifiers enumerated in Section 164.514(b)(2)(i) of the HIPAA Privacy Rule. The applicant must:
1. Describe the method used and demonstrate the function to remove the identifiers referenced in section 164.514(b)(2)(i) of HIPAA Privacy Rule.
2. Demonstrate the ability to generate reports of patient information without the identifiers referenced in section 164.514(b)(2)(i) of HIPAA Privacy Rule.
FND.16 Demonstrate and describe how the technology provides the capability to generate and assign a code or other means of record identification to allow information de-identified in accordance with the HIPAA Privacy Rule to be re-identified by the covered entity; such code or other means must not be derived from or related to the information and must not be otherwise capable of being translated so as to disclose the identity of the individual. The capability is demonstrated. AR.FND 06.02 Provide the capability to generate and assign a code or other means of record identification to allow information de-identified in accordance with the HIPAA Privacy Rule to be re-identified by the covered entity; such code or other means must not be derived from or related to the information and must not be otherwise capable of being translated so as to disclose the identity of the individual. The applicant must:
1. Describe the method used to generate and assign a code or other means of record identification
2. Demonstrate the function to generate and assign a code or other means of record identification to allow information to be de-identified via the use of system menus and displays.
FND.17 Demonstrate and describe how the technology provides the capability to protect the code or other means of record identification from unauthorized disclosure. The capability is demonstrated. AR.FND 06.03 Provide the capability to protect the code or other means of record identification from unauthorized disclosure. The applicant must:
1. Identify and demonstrate the method or tools used to prevent access to the code including the use of encryption, hashing, etc.
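FND.16 states the property the re-identification code must have: it may not be derived from or related to the patient's information, and must not be translatable back to the identity. FND.17 then asks how the code, or rather the link back from code to patient, is protected. The Go program below is an added example for this page, not the test script's or any product's code; it puts the forbidden pattern (a hash of the MRN, which anyone who can list MRNs can recompute) next to the compliant one (a random code whose only link to the patient is a separately protected table), and strips a few of the 164.514(b)(2)(i) identifiers from a constructed record. `Record`, `Pseudonymizer`, the field names and the sample patient are all constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is a constructed sample of an identified patient record.
type Record struct {
	MRN, Name, DOB, ZIP, Diagnosis string // DOB as YYYY-MM-DD, ZIP as five digits
}

// DeIdentified keeps what 164.514(b)(2)(i) permits: the year of birth, the first
// three ZIP digits, the clinical content, and a code in place of the MRN.
// (The rule's population threshold for the three-digit ZIP is not checked here.)
type DeIdentified struct {
	Code, BirthYear, ZIP3, Diagnosis string
}

// DerivedCode shows the pattern to AVOID: a hash of the MRN is "derived from
// the information", so anyone able to enumerate MRNs recomputes every code.
func DerivedCode(mrn string) string {
	h := sha256.Sum256([]byte(mrn))
	return hex.EncodeToString(h[:8])
}

// Pseudonymizer mints random codes; the link table is the only way back.
type Pseudonymizer struct {
	byCode map[string]string // code -> MRN: the asset FND.17 says to protect (separate store, encrypted, admin-only)
	byMRN  map[string]string
}

func NewPseudonymizer() *Pseudonymizer {
	return &Pseudonymizer{byCode: map[string]string{}, byMRN: map[string]string{}}
}

// CodeFor returns the code for an MRN, minting a 128-bit random one on first use
// so the same patient keeps one code across reports.
func (p *Pseudonymizer) CodeFor(mrn string) (string, error) {
	if code, ok := p.byMRN[mrn]; ok {
		return code, nil
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	code := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(raw)
	p.byCode[code], p.byMRN[mrn] = mrn, code
	return code, nil
}

// ReIdentify is the covered entity's privileged path from code to MRN.
func (p *Pseudonymizer) ReIdentify(code string) (string, error) {
	mrn, ok := p.byCode[code]
	if !ok {
		return "", errors.New("unknown code")
	}
	return mrn, nil
}

// DeIdentify strips the listed identifiers and substitutes the code.
func (p *Pseudonymizer) DeIdentify(r Record) (DeIdentified, error) {
	if len(r.DOB) < 4 || len(r.ZIP) < 3 {
		return DeIdentified{}, errors.New("malformed DOB or ZIP")
	}
	code, err := p.CodeFor(r.MRN)
	if err != nil {
		return DeIdentified{}, err
	}
	return DeIdentified{Code: code, BirthYear: r.DOB[:4], ZIP3: r.ZIP[:3], Diagnosis: r.Diagnosis}, nil
}

func main() {
	p := NewPseudonymizer()
	d, _ := p.DeIdentify(Record{MRN: "MRN-1001", Name: "Jane Doe", DOB: "1961-03-14", ZIP: "02139", Diagnosis: "J45.20"})
	fmt.Printf("report row: %+v\n", d)
	mrn, _ := p.ReIdentify(d.Code)
	fmt.Println("re-identified:", mrn, "| derived (bad) code, recomputable by anyone:", DerivedCode("MRN-1001"))
}
```

The check a juror can apply on screen: de-identify the same patient on two independent installations and confirm the codes differ, which is only possible if the code carries no information about the patient; then show that the link table lives outside the reporting database and is readable only by the role that performs re-identification.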
FND.18 Demonstrate and describe how the technology uses ISO/TS 25237 as guidance in the implementation of pseudonymization capabilities. The capability is demonstrated. AR.FND 06.04 Use ISO/TS 25237 as guidance in the implementation of pseudonymization capabilities. The applicant must:
1. Identify the features, controls, guidelines, protocols rules, etc. implemented from the guide.
2. Demonstrate adherence to the guide.
FND.19 Demonstrate and describe how the technology provides the capability to protect electronic protected health information from improper alteration or destruction. The capability is demonstrated. AR.FND 07.01 Provide the capability to protect electronic protected health information from improper alteration or destruction. The applicant must describe and demonstrate:
1. The capability configured in the product to prevent corruption, improper alteration or loss of data. (e.g., checksums, integrating with a UPS, use of redundant servers/storage, redundant processors, redundant hardware, firewall, IDS, IPS, malware protection, etc.)
2. The threats that have been anticipated, which can lead to loss or corruption of data and the mitigation provided by the system.
3. The use of backup software that can restore to the point of failure, in the event a transaction is corrupted for example due to a sudden power failure.
FND.20 Demonstrate and describe how the technology provides electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. The capability is demonstrated. AR.FND 07.02 Provide electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. The applicant must:
1. Describe and demonstrate the capability to use checksums
2. Describe and demonstrate the capability to use hashing
3. Describe and demonstrate the capability to detect and create audit trail
4. Describe the technical security measures employed to guard against unauthorized access to the PHI being transmitted
5. Identify the secure transmission method used (e.g., VPN, open protocols such as SSL and TLS)
6. Identify the hashing method and the tools used for standards based hashing (e.g. SHA2) to ensure that the transaction has not been tampered in transit
7. Identify the encryption method and the tools used for standards based encryption (e.g. AES) to ensure that the confidentiality of the PHI being transmitted is protected.
8. Demonstrate the menus, functions, options and the choice for selecting or implementing the methods identified above
Note: HHS’ proposed standards require SHA2 (SHA1 excluded) and AES (3DES and other algorithms are excluded).
FND.21 Demonstrate and describe how the technology provides the capability to use SHA-2 to protect the integrity of data at rest. The capability is demonstrated. AR.FND 07.03 Provide the capability to use SHA to protect the integrity of data at rest. The applicant must:
1. Identify the software tool used for hashing (SHA-2)
2. Demonstrate the menu options and functions
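FND.20 items 1 and 2 list checksums and hashing separately, and FND.21 asks for SHA-2 over data at rest. The distinction matters for the "unauthorized manner" wording: a plain SHA-256 checksum detects corruption, but anyone who can alter a stored record can recompute its checksum, so corroboration against deliberate alteration needs either a keyed hash (HMAC-SHA256) whose key the storage tier does not hold, or checksums kept in a separately protected store. The Go program below is an added example for this page, not the script's or any product's code; it builds an integrity manifest both ways over constructed in-memory "files" and shows which one still reports an edit after the checksum has been recomputed. `TagFunc`, `BuildManifest`, `Verify` and the sample paths are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// TagFunc computes a fixed-length tag over a stored object.
type TagFunc func(data []byte) string

// PlainSHA256 is an unkeyed SHA-256 checksum (FND.20 item 1). It catches disk
// corruption, but anyone who can alter the object can also recompute the tag.
func PlainSHA256() TagFunc {
	return func(data []byte) string {
		sum := sha256.Sum256(data)
		return hex.EncodeToString(sum[:])
	}
}

// KeyedSHA256 is HMAC-SHA256 (FND.20 item 2). Without the key, which is held
// apart from the data store, an altered object cannot be re-tagged convincingly.
func KeyedSHA256(key []byte) TagFunc {
	return func(data []byte) string {
		m := hmac.New(sha256.New, key)
		m.Write(data)
		return hex.EncodeToString(m.Sum(nil))
	}
}

// BuildManifest tags every stored object. files maps path -> content; here the
// "files" are constructed in memory rather than read from disk.
func BuildManifest(files map[string][]byte, tag TagFunc) map[string]string {
	manifest := make(map[string]string, len(files))
	for path, data := range files {
		manifest[path] = tag(data)
	}
	return manifest
}

// Verify returns, sorted, every path whose tag no longer matches or which has
// disappeared. hmac.Equal compares in constant time.
func Verify(files map[string][]byte, manifest map[string]string, tag TagFunc) []string {
	var bad []string
	for path, want := range manifest {
		data, ok := files[path]
		if !ok {
			bad = append(bad, path+" (missing)")
			continue
		}
		if !hmac.Equal([]byte(tag(data)), []byte(want)) {
			bad = append(bad, path)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	files := map[string][]byte{
		"notes/1001.txt": []byte("MRN-1001 asthma, well controlled"),
		"notes/1002.txt": []byte("MRN-1002 hypertension, stage 1"),
	}
	key := []byte("constructed-demo-key-keep-this-in-a-separate-store")
	manifest := BuildManifest(files, KeyedSHA256(key))
	files["notes/1002.txt"] = []byte("MRN-1002 hypertension, resolved") // unauthorized edit
	fmt.Println("altered:", Verify(files, manifest, KeyedSHA256(key)))
}
```

Run the verification on a schedule and write its result to the audit trail (FND.20 item 3); a manifest nobody checks corroborates nothing.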
FND.22 If the system uses electronic signature, demonstrate and describe the use of ASTM Standard Guide for Electronic Authentication of Health Care Information: # E1762-95(2003) for the design and implementation of electronic signatures. The capability is demonstrated. AR.FND 07.04 Use as guidance in the design and implementation of electronic signatures. The applicant must:
1. Identify the features, design, controls, guidelines, protocols rules, etc. implemented from the ASTM Standard Guide or required by the product.
2. Demonstrate adherence to the guide.
FND.23 Demonstrate and describe how the technology implements technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. The capability is demonstrated. AR.FND 08.01 Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. The applicant must:
1. Describe and demonstrate the capability to use checksums
2. Describe and demonstrate the capability to use hashing
3. Describe and demonstrate the capability to detect and create audit trail
4. Describe the technical security measures employed to guard against unauthorized access to the PHI being transmitted
5. Identify the secure transmission method used (e.g., VPN, open protocols such as SSL and TLS)
6. Identify the hashing method and the tools used for standards based hashing (e.g. SHA2) to ensure that the transaction has not been tampered in transit
7. Identify the encryption method and the tools used for standards based encryption (e.g. AES) to ensure that the confidentiality of the PHI being transmitted is protected.
8. Demonstrate the menus, functions, options and the choice for selecting or implementing the methods identified above
Note: HHS’ proposed standards require SHA2 (SHA1 excluded) and AES (3DES and other algorithms are excluded).
FND.24 Integrity controls (Addressable). Demonstrate and describe how the technology implements security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. The capability is demonstrated. AR.FND 08.02 Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. The applicant must:
1. Describe and demonstrate the capability to use checksums
2. Describe and demonstrate the capability to use hashing
3. Describe and demonstrate the capability to detect and create audit trail
4. Describe the technical security measures employed to guard against unauthorized access to the PHI being transmitted
5. Identify the secure transmission method used (e.g., VPN, open protocols such as SSL and TLS)
6. Identify the hashing method and the tools used for standards based hashing (e.g. SHA2) to ensure that the transaction has not been tampered in transit
7. Identify the encryption method and the tools used for standards based encryption (e.g. AES) to ensure that the confidentiality of the PHI being transmitted is protected.
8. Demonstrate the menus, functions, options and the choice for selecting or implementing the methods identified above
Note: HHS’ proposed standards require SHA2 (SHA1 excluded) and AES (3DES and other algorithms are excluded).
FND.25 Encryption (Addressable). Demonstrate and describe how the technology implements a mechanism to encrypt electronic protected health information whenever deemed appropriate. The capability is demonstrated. AR.FND 08.03 Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. The applicant must:
1. Identify the encryption method and the tools used for standards based encryption
2. Demonstrate the availability (license) of the encryption software
3. Demonstrate access to the tools and available encryption/decryption algorithms
4. Demonstrate the availability of the procedure to encrypt and decrypt PHI
5. Demonstrate the menus, functions, options and the choice for selecting or implementing the methods identified above
Note: HHS’ proposed standards require AES (3DES and other algorithms are excluded).
FND.26 Demonstrate and describe how the technology provides the capability to use SHA-2 to protect the integrity of data transmissions. The capability is demonstrated. AR.FND 08.04 Provide the capability to use SHA to protect the integrity of data transmissions. The applicant must:
1. Identify the encryption method and the tools used for standards based encryption (e.g. SHA-2) to ensure that the confidentiality of the PHI being transmitted is protected.
2. Demonstrate the menus, functions, options and the choice for selecting or implementing the methods identified above
FND.27 Demonstrate and describe how the technology provides the capability to use AES to encrypt data for transmission. The capability is demonstrated. AR.FND 08.05 Provide the capability to use AES to encrypt data for transmission. The applicant must:
1. Identify the encryption method and the tools used for standards based encryption (e.g. AES) to ensure that the confidentiality of the PHI being transmitted is protected.
2. Demonstrate the menus, functions, options and the choice for selecting or implementing the methods identified above
FND.28 Demonstrate and describe how the technology provides the capability to use TLS (with SHA-2 and AES) to establish a mutually authenticated, encrypted, and integrity-protected channel for data exchanges over the World Wide Web. The capability is demonstrated. AR.FND 08.06 Provide the capability to use TLS (with SHA-2 and AES) to establish a mutually authenticated, encrypted, and integrity-protected channel for data exchanges over the World Wide Web. The applicant must:
1. Describe the technical measures taken to use TLS, together with SHA-2 and AES and ensure the use of mutual authentication, encryption and integrity protected channel for data exchanges over the World Wide Web
2. Demonstrate the menus, functions, options and the choice for selecting or implementing the methods identified above
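FND.28 names three properties of the channel: mutual authentication, encryption with AES, and integrity with SHA-2. In TLS terms that is a server that requires and verifies a client certificate, and a cipher-suite list restricted to AES-GCM suites with SHA-2. The Go program below is an added example for this page, not the script's or any product's code: it issues a throwaway CA, a server certificate and a client certificate in memory, configures both ends, runs one round trip over loopback TCP, and then shows that a client without a certificate is refused. `issue`, `BuildConfigs`, `Exchange`, and the names `ehr-test-ca`, `ehr.example` and `lab-client` are constructed; a deployment uses its organisation's PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue creates a certificate and key for this example. With parent == nil the
// result is a self-signed CA; otherwise the certificate is signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func pair(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
}

// BuildConfigs returns the server config (client certificate from the CA is
// required and verified), an enrolled client config, and a client config with
// no certificate, which the server must turn away.
func BuildConfigs() (server, client, noCert *tls.Config, err error) {
	ca, caKey, err := issue("ehr-test-ca", nil, nil)
	if err != nil { return }
	srv, srvKey, err := issue("ehr.example", ca, caKey)
	if err != nil { return }
	cli, cliKey, err := issue("lab-client", ca, caKey)
	if err != nil { return }
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	// AES-GCM with SHA-2 only for TLS 1.2; Go's fixed TLS 1.3 suites are AES-GCM or ChaCha20 with SHA-2.
	suites := []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
	server = &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: suites,
		Certificates: []tls.Certificate{pair(srv, srvKey)},
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: pool}
	client = &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: suites,
		Certificates: []tls.Certificate{pair(cli, cliKey)}, RootCAs: pool, ServerName: "ehr.example"}
	noCert = &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: pool, ServerName: "ehr.example"}
	return
}

// Exchange does one echo round trip over loopback TCP and reports the reply and
// the client certificate's CN as the server saw it.
func Exchange(server, client *tls.Config, msg string) (reply, peerCN string, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return }
	defer ln.Close()
	seen := make(chan string, 1)
	go func() {
		cn := ""
		defer func() { seen <- cn }()
		conn, err := ln.Accept()
		if err != nil { return }
		defer conn.Close()
		s := tls.Server(conn, server)
		buf := make([]byte, 256)
		if n, err := s.Read(buf); err == nil { // first Read completes the handshake; it fails without a valid client cert
			cn = s.ConnectionState().PeerCertificates[0].Subject.CommonName
			s.Write(buf[:n])
		}
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil { return }
	defer c.Close()
	if _, err = c.Write([]byte(msg)); err != nil { return }
	buf := make([]byte, 256)
	n, err := c.Read(buf)
	if err != nil { return }
	return string(buf[:n]), <-seen, nil
}

func main() {
	server, client, noCert, err := BuildConfigs()
	if err != nil { panic(err) }
	fmt.Println(Exchange(server, client, "PING"))  // PING lab-client <nil>
	fmt.Println(Exchange(server, noCert, "PING"))  // error: no client certificate offered
}
```

Running it needs a loopback TCP socket. On the demonstration side, the equivalent evidence is the server's TLS configuration (client certificates required, CA restricted to the organisation's issuer, cipher suites limited to AES-GCM/SHA-2) together with a rejected connection from an unenrolled client.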
FND.29 If an email capability is provided, demonstrate and describe how the technology implements the CMS standard to cryptographically protect messages, including digital signatures, message digest, message authentication, and content encryption. The capability is demonstrated. AR.FND 08.07 If an email capability is provided, implement the CMS standard to cryptographically protect messages, including digital signatures, message digest, message authentication, and content encryption. If email capability is provided, the applicant must:
1. Demonstrate that the product has implemented the Cryptographic Message Syntax per RFC 2630 and RFC 3852 to digitally sign, digest, authenticate, or encrypt arbitrary messages.