Page 21 - Delaware Medical Journal - November 2017

CYBERSECURITY
an organization’s ability to execute it. A comprehensive program for safeguarding DHIN’s data — and responding to threats — is key to our ability to protect it.
Risk Assessments and Continuous Improvement
As the sanctioned provider of health information exchange for the State of Delaware, DHIN provides safeguards for PHI as the Business Associate for Delaware’s covered entities receiving information exchange services from DHIN.
This responsibility includes annual risk assessments, which alternate between external and internal reviews, with the goal of identifying risks and vulnerabilities.

corrective action plans, as needed, and employs an employee education and awareness program for continuous improvement activities.
Risk Management – System Design, Access Constraints, System Reviews, and User Audits
DHIN is required to implement and maintain appropriate safeguards to protect the health information we receive on behalf of Covered Entities and to prevent its unauthorized use or disclosure. Risk management includes:
•  interest and to detect control failures
• DHIN is required to keep updated organizational charts and job descriptions, with auditing responsibilities assigned to those independent of the audited tasks.
USER AUDITS
DHIN routinely audits user access to our systems, both those

Audit logs are stored for at least three years, per records retention schedules, and meet both State and HIPAA regulations for information contained therein.

monitored, and disclosure reporting expectations are shared with DHIN’s Business Associates and Covered Entities, as well.
Enforcement
DHIN employs a formal sanctions process for personnel who fail to comply with information security policies and procedures. Each DHIN employee is required to read,
Del Med J | November 2017 | Vol. 89 | No. 11
341