$TXT Created by HARRIS,DONNA H at MNTVBB.FO-ALBANY.MED.VA.GOV (KIDS) on Friday, 07/22/05 at 15:48 ============================================================================= Run Date: AUG 03, 2005 Designation: DG*5.3*666 Package : DG - REGISTRATION Priority: Mandatory Version : 5.3 SEQ #580 Status: Released Compliance Date: SEP 03, 2005 ============================================================================= Subject: ISO SENSITIVE RECORDS ACCESS REPORT Category: - Routine - Print Template - Sort Template - Other - Enhancement (Mandatory) Description: ============ The Department of Veterans Affairs (VA) Directive 6210, VA Handbook 6210, Computer Security Act of 1987 (PL 100-235), Office of Management and Budget (OMB) Circular A-130, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Security and Electronic Signature standards require a process and procedure be put in place to review and prevent unauthorized access to sensitive patient information. Audit requirements mandate a process be in place by which events may be reconstructed in case an investigation is required. The main goal is to ensure our systems, supporting business processes, policies, procedures and practices will successfully meet not only the implementation standards and deadlines mandated by the documents and standards listed above, but also the expectations of the customers to whom we provide products and support. This is accomplished by ensuring our systems and information protect the confidentiality, integrity, and availability of electronic protected health information and other sensitive patient data. Today's approach is manual and accomplished inconsistently, if at all. It is the VA's policy to protect the confidentiality of patient's medical information as required under law and only to disclose medical information as necessary to third parties to carry out other legitimate business activities. It is also the VA's policy to restrict access to confidential medical information as much as possible and this code would help achieve this goal. This patch (DG*5.3*666) will create a mail group, DG ISO SENSITIVE RCDS, to receive a daily Mailman message containing a list of sensitive patients accessed the previous day. It will also provide reports which readily provide the Information Security Officer (ISO), information regarding sensitive records accessed. Some of these reports can be easily exported to a Microsoft Excel spreadsheet where they can be sorted and analyzed to detect patterns or trends in sensitive record access. This will help simplify the audit review process. Three new menu options will be created. The first option, DG SENSITIVE RCDS RPT-TASK, will provide the capability for the report to be run on a nightly basis via a TaskMan background job. This option will NOT be displayed to the users. The report extracted from the background job will be sent to the users who are members of the DG ISO SENSITIVE RCDS mail group in the form of a Mailman message. The Mailman messages will contain information regarding sensitive record access collected from the prior day only. It can be exported to Microsoft Excel for auditing purposes. It will contain the following data: * Patient Name * Date/Time Record was Accessed * User Who Accessed the Record * User Title * User Alias * User Service/Section * Option user invoked to access the sensitive record * Whether or not the patient was an Inpatient or Outpatient at the time the sensitive record was accessed. The second option, DG SENSITIVE RCDS-EXPORT, will provide the capability to print data collected for the prior day as well as a date range. This report will print the same data contained within the nightly Mailman message. It can also be exported to a Microsoft Excel spreadsheet for auditing purposes. This option can be used to report the information for a variety of reasons; e.g., if e-mail was deleted; if the tasked job didn't run correctly, etc. The third option, DG SENSITIVE RCDS RPT-FORMATTED, will provide the capability to print the report in a printable format. This report will contain the following information: patient name, name of user who accessed the record, title, date/time record accessed, option/protocol used to access the record, and whether or not the patient was an inpatient at the time the record was accessed. Users will be able to select a date or date range of information to view. DG SENSITIVE RCDS RPT-EXPORT and DG SENSITIVE RCDS RPT-FORMATTED options are being added to the DG SECURITY OFFICER MENU option. =============DOCUMENTATION RETRIEVAL=================== The Download Instructions and Audit Guidelines are available on the Office of Information Field Office (OIFO) ANONYMOUS.SOFTWARE directories listed below: OIFO FTP address Directory Albany ftp.fo-albany.med.va.gov anonymous.software Hines ftp.fo-hines.med.va.gov anonymous.software Salt Lake City ftp.fo-slc.med.va.gov anonymous.software VistA download site download.vista.med.va.gov anonymous.software The user documentation files listed below may be obtained via FTP. The preferred method is to download the files from: download.vista.med.va.gov This method transmits the files from the first available FTP server. Sites may also elect to retrieve documentation from a specific server as shown in the above table. Retrieval Filename Contents Format DG_5_3_P666_DI_AG.PDF Download Instructions/Audit Guidelines Binary *********************************************************************** The updated Registration documentation will be available through the VistA documentation Library (VDL) at the following address: http://www.va.gov/vdl/Clinical.asp?appID=55 *********************************************************************** This patch addresses the following New Service Request (NSR): ------------------------------------------------------------- 20041205 - AXVISO Sensitive Record Request This patch addresses the following NOIS/Remedy Ticket(s): -------------------------------------------------------- There are no NOIS/Remedy Tickets associated with this patch. COMPONENTS SENT WITH PATCH -------------------------- The following is a list of the routines included in this patch. The second line of each of these routines now looks like: ;;5.3;Registration;**[patch list]**;Aug 13, 1993 CHECK^XTSUMBLD results Routine Before Patch After Patch Patch List ------- ------------ ----------- ---------- DGISORPT N/A 4087998 666 Total number of routines modified: 0 Total number of new routines: 1 Total number of deleted routines: 0 The following is a list of templates included in this patch: Template Name Type File Name (Number) ------------- ---- ------------------ DG ISO SENSITIVE RCDS PRT Print DG SECURITY LOG (#38.1) DG ISO SENSITIVE RCDS PRT1 Print DG SECURITY LOG (#38.1) DG ISO SENSITIVE RCDS SORT Sort DG SECURITY LOG (#38.1) The following is a list of options included in this patch: Option Name File New/Modified ----------- ---- ------------ DG SECURITY OFFICER MENU N/A DG SENSITIVE RCDS RPT-EXPORT New DG SENSITIVE RCDS RPT-FORMAT New DG SENSITIVE RCDS RPT-TASK New The following is a list of mail groups included in this patch: Mailgroup Name New/Modified -------------- ------------ DG ISO SENSITIVE RCDS New Test Sites: ----------- Roseburg Spokane West LA ================PRE-INSTALLATION INSTRUCTIONS ============== "If your facility is in VISN 20 and you have installed the Class III software - AXVISO V20 ISO Package (AXVISO*1.0*1), please contact your VISN ISO or VISN Software Development Team prior to installing this patch. Steps will need to be taken to ensure the Class III software for the AXVISO Sensitive Records Report is deactivated." ================INSTALLATION INSTRUCTIONS ================= If installed during the normal workday, it is recommended that the following selection(s) in the OPTION (#19) file, and all of their descendants be disabled to prevent possible conflicts while running the KIDS Install. Other VISTA users will not be affected. DG SECURITY OFFICER MENU Security Officer Menu Install Time less than 5 minutes (unless otherwise indicated) 1. LOAD TRANSPORT GLOBAL --------------------- Choose the PackMan message containing this patch and invoke the INSTALL/CHECK MESSAGE PackMan option. 2. DISABLE ROUTINE MAPPING (DSM for Open VMS sites only) ----------------------- Disable routine mapping on all systems for the routines listed in step 3 below. NOTE: If the routines included in this patch are not currently in your mapped routine set, please skip this step. 3. START UP KIDS ------------- Start up the Kernel Installation and Distribution System Menu [XPD MAIN]: Edits and Distribution ... Utilities ... Installation ... Select Kernel Installation & Distribution System Option: Installation --- Load a Distribution Print Transport Global Compare Transport Global to Current System Verify Checksums in Transport Global Install Package(s) Restart Install of Package(s) Unload a Distribution Backup a Transport Global Select Installation Option: 4. Select Installation Option: --------------------------- NOTE: The following are OPTIONAL - (When prompted for the INSTALL NAME, enter DG*5.3*666): a. Backup a Transport Global - This option will create a backup message of any routines exported with this patch. It will not backup any other changes such as DD's or templates. b. Compare Transport Global to Current System - This option will allow you to view all changes that will be made when this patch is installed. It compares all components of this patch (routines, DD's, templates, etc.). c. Verify Checksums in Transport Global - This option will allow you to ensure the integrity of the routines that are in the transport global. 5. Select Installation Option: Install Package(s) ---------------- a. Choose the Install Package(s) option to start the patch install. b. When prompted to 'Enter the Coordinator for Mail Group': Enter name of ISO Coordinator c. When prompted 'Want KIDS to Rebuild Menu Trees Upon Completion of Install? YES//' answer NO d. When prompted 'Want KIDS to INHIBIT LOGONs during the install? YES//' answer NO e. When prompted 'Want to DISABLE Scheduled Options, Menu Options, and Protocols? YES//' answer YES f. When prompted 'Enter options you wish to mark as 'Out Of Order':' Enter the following options: Security Officer Menu [DG SECURITY OFFICER MENU] g. When prompted 'Enter protocols you wish to mark as 'Out Of Order':' press . 6. REBUILD MAPPED ROUTINE(S) (DSM for Open VMS sites only) ------------------------- Optional - Include the routines distributed with this patch in the mapped routine set. NOTE: This step is only necessary if you performed step 2 or if you wish to include the routines in your mapped set. ================POST INSTALLATION INSTRUCTIONS ================= 1. After installation is complete, DG SENSITIVE RCDS RPT-TASK option will need to be scheduled to run once a day. This should be queued after midnight, since the report will generate data for the prior day. 2. ISO or designated user will need to be added as member of the DG ISO SENSITIVE RCDS mail group. 3. In order to better track the mail messages for this report, it is recommended that a message filter be put in place. Example of tasked job: --------------------- Menu Text: DG SENSITIVE RCDS RPT-TASK : 10496 QUEUED TO RUN AT WHAT TIME: T+1@00:05 Subj: Sensitive Record Auditing Report [#4195] 07/22/05@16:10 5 lines From: POSTMASTER In 'SENSITIVE RECORD AUDITS' basket. Page 1 *New* -------------------------------------------------------------------------- PATIENT^DATE/TIME^USER^TITLE^ALIAS^SERVICE^OPTION USED^INPATIENT TEST,JANE^07/21/05@0800^TESTER,JOHN^TESTER^^AMBULATORY CARE UNIT^REGISTER A PATIENT^y Example of DG SENSITIVE RCDS RPT-FORMATTED option: ------------------------------------------------- Select Security Officer Menu Option: FMT ISO Sensitive Records Report-Formatted Report THIS REPORT MAY TAKE A WHILE, YOU MAY WANT TO QUEUE IT. ***132 COLUMNS*** * Previous selection: DATE/TIME RECORD ACCESSED from Jun 12,2005 to Jun 13,2005@ 24:00 START WITH DATE/TIME RECORD ACCESSED: Jun 12,2005// JUN1 (JUN 01, 2005) GO TO DATE/TIME RECORD ACCESSED: Jun 13,2005// (JUN 13, 2005) DEVICE: UCX/TELNET Right Margin: 132// Sensitive Records Accessed JULY 12, 2005 21:01 PAGE 1 INPAT DT/TM WHEN PATIENT NAME ACCESSED ACCESSED BY TITLE OPTION/PROTOCOL USED ACCESSED ========================================================================== Example of DG SENSITIVE RCDS RPT-EXPORT option: ---------------------------------------------- Select Security Officer Menu Option: EXP ISO Sensitive Records Report-Export THIS REPORT MAY TAKE A WHILE, YOU MAY WANT TO QUEUE IT. ***256 COLUMNS AND WRAP AROUND NEEDED*** * Previous selection: DATE/TIME RECORD ACCESSED from Jun 1,2005 to Jun 13,2005@2 4:00 START WITH DATE/TIME RECORD ACCESSED: Jun 1,2005// (JUN 01, 2005) GO TO DATE/TIME RECORD ACCESSED: Jun 13,2005// (JUN 13, 2005) DEVICE: UCX/TELNET Right Margin: 80//256 PATIENT^DATE/TIME^USER^TITLE^ALIAS^SERVICE^OPTION USED^INPATIENT DOUGLAS,XXX^01/02/05@0850^TEST,DENNIS^^^RADIOLOGY^Inactivate/ Reactivate Records^NO DOUGLAS,XXX^01/01/05@0851^TEST,DENNIS^^^RADIOLOGY^Request a Record^NO Routine Information: ==================== Routine Name: - DGISORPT Routine Checksum: ============================================================================= User Information: Entered By : HARRIS,DONNA H Date Entered : MAY 18, 2005 Completed By: WOEHRLE,MARGARET Date Completed: AUG 03, 2005 Released By : FLANAGAN,PATTY Date Released : AUG 03, 2005 ============================================================================= Packman Mail Message: ===================== $END TXT