8.1 PURPOSE
The purpose of this policy is to ensure that the security and confidentiality of Subject of Care data transmitted through the Saudi Health Information Exchange is protected through privacy/security audits.
8.2 SCOPE/APPLICABILITY
This policy applies to the Saudi Health Information Exchange, and to all individuals and organizations that have access to Saudi Health Information Exchange managed health records, including
• Participating Healthcare Subscriber (PHCSs),
• Their business associates,
• Any subcontractors of business associates that perform functions or provide services involving the use and disclosure of personal health information,
• Any Saudi Health Information Exchange Infrastructure Service Provider,
• Any other subcontractor of Saudi Health Information Exchange.
This policy applies to all personal health information (PHI) provided to or retrieved from Saudi Health Information Exchange systems.
8.3 POLICY
1. All Saudi Health Information Exchange systems and HIE nodes SHALL implement technical processes that accurately record activity related to access, creation, modification and deletion of electronic PHI.
1.1. HIE node applications SHALL have successfully completed audit log testing, conducted by Saudi Health Information Exchange approved bodies. Applications that have not yet completed this testing will be considered on a case-by-case basis.
1.2. HIE node applications SHALL be subject to conformance testing and certification for audit log compliance by Saudi Health Information Exchange approved bodies.
1.3. HIE node activity SHALL be logged, and shall be sent to a persistent database (e.g. audit record repository).
1.4. HIE node applications SHALL have successfully completed accounting of disclosures testing, conducted by Saudi Health Information Exchange approved bodies.
1.5. The PHCS SHOULD be able to audit all access to PHI that is stored locally.
2. The Saudi Health Information Exchange systems and all HIE nodes exchanging PHI SHALL support interoperability requirements conformant to ISO 27789 Audit Trails for EHRs (e.g., IHE Audit Trails and Node Authentication, ATNA).
2.1. As a part of log-in monitoring, an audit log is required to be created to record when a person logs on to the network or a software application of the Saudi Health Information Exchange. This includes all attempted and failed logons.
2.2. The Saudi Health Information Exchange privacy and security audit logs SHALL include, but not limited to:
2.2.1. user ID,
2.2.2. date/time stamp, and
2.2.3. identification of all data transmitted (e.g. document unique ID).
2.3. For purposes of information use or disclosure, privacy and security audit SHALL include documentation of the following :
2.3.1. the date and time of the request,
2.3.2. the reason for the request,
2.3.3. a description of the information requested, including the data accessed, the data transmission, any changes to the data (adds, changes, deletes), and whether the data were transmitted to another party,
2.3.4. whether the request was performed as a “break-glass”,
2.3.5. whether the requested information was marked as sensitive PHI,
2.3.6. the ID of person/system requesting use or disclosure,
2.3.7. the ID/verification of the party receiving the information, and
2.3.8. the ID of the party using or disclosing the information.
3. Audit logs SHOULD either be in human readable form or translatable by some easy-to-use tool to be in human readable form.
4. Audit logs SHOULD be retained for the same duration as the retention time required of Saudi Health Information Exchange managed PHI.
5. The generated audit logs SHALL be reviewed on a regular basis, at least quarterly, in order to detect improper use based on audit criteria developed in advance. Anomalies SHALL be documented and appropriate mitigating actions must be taken and documented. The Saudi Health Information Exchange requires that this documentation be retained a minimum of ten years.
5.1. All HIE node systems and Saudi Health Information Exchange systems SHOULD be configured to generate logs wherever possible to enable further investigation and traceability. The audit log review of information systems SHALL include software applications, network servers, firewalls and other network hardware and software. All anomalies must be documented and appropriate mitigating action SHALL be taken and documented. All system logs must be reviewed by respective organization’s privacy and security officer.
6. An external systems auditor is subject to approval by the Saudi Health Information Exchange governing body:
6.1. The external systems auditor SHALL have no conflict of interest.
6.2. The external systems auditor SHALL have qualifications and accreditations as applicable and as required by the Saudi Health Information Exchange.
7. Privacy and security audit review SHALL support inquiry by patients or providers. Response to privacy and security audit review SHALL be required of all HIE nodes and Saudi Health Information Exchange systems maintaining primary audit records related to the Saudi Health Information Exchange.
8. External audits of the Saudi Health Information Exchange SHALL be conducted at least annually as a minimum requirement and when any major system or business change occurs. Comprehensive audit procedures SHOULD be developed, documented, and available. The evaluation SHALL include:
8.1. the documentation of the evaluation SHALL be retained indefinitely,
8.2. the generation of a compliance audit findings report, and
8.3. documentation that an identified deficiency
8.3.1. has been addressed,
8.3.2. SHALL be addressed in order of priority, or
8.3.3. represents a risk that the organization is willing to accept (e.g., unlikely to occur, minimal damage to the organization, expensive to mitigate).
9. The Saudi Health Information Exchange audit record repository system SHALL support the following queries either for all instances or constrained to activity originating from an HIE Node:
9.1. list all users that accessed or modified a given Subject of Care’s information over a period of time,
9.2. list all subjects of care whose health information was accessed by a given user/system over a given period of time,
9.3. list all break-glass events,
9.4. list all access events where the user is not listed as a provider in any patient records, and
9.5. list events that request information marked as sensitive.
10. For purposes of data authentication the use of a valid date/time stamp is required.
10.1. All HIE nodes exchanging PHI SHALL implement the time synchronization mechanism specified by the Saudi Health Information Exchange to assure that timestamps and audit logs are synchronized.
11. Audit logs repository SHALL be secured in accordance with the Saudi Health Information Exchange Information Security Policy. Access to system audit log analyzing tools and audit logs SHALL be safeguarded to prevent misuse or compromise.
12. Saudi Health Information Exchange audit logs access SHALL be restricted only to privacy and security officers approved by the Saudi Health Information Exchange governing body.
8.4 POLICY MAINTENANCE
The Saudi Ministry of Health (MOH) is responsible for monitoring and maintenance of policies.
|