CORE 15 - Information Confidentiality and Security
This standard requires that your organization implement written policies and procedures addressing the confidentiality and security of its paper and electronic information systems. Those policies should demonstrate that your organization:
- assesses its risks and vulnerabilities concerning confidentiality, integrity, and availability of information systems;
- prevents breaches of confidentiality and security; and
- detects, contains, and corrects violations of confidentiality and security rules.
Topics your policies and procedures should cover include:
- user access levels;
- limiting access to PHI;
- designation of the individual responsible for corporate compliance regarding confidentiality and security of information;
- control of computer terminals and any portable media devices;
- policies for telecommuters regarding information confidentiality and security; and
- fax machine protocols.
Your policies should also be able to answer questions such as:
- What intrusion detection software is being used?
- Is there a program to encrypt emails to guard against unintentional breaches of confidential information?
- What virus protection is installed?
- Does the organization's IT department block IP addresses?
To address breach prevention, your policies must detail the organization's technical and physical safeguards against breaches.
The detection component of this standard requires policies and procedures (P&Ps) that outline how your organization monitors security access levels, detects and contains breaches, and prevents recurrence once a breach has been detected.
For the desktop review, submit your confidentiality and security risk assessments and the key policies and procedures addressing confidentiality and security.
The URAC reviewer will interview management and staff members about information systems, and tour and observe equipment and data centers on-site for compliance with this standard.
During the on-site review, the reviewer will examine the breach/incident log, as well as documentation of the risk assessment process.