Skip to main content

IT System Maintenance Policy

Purpose

It is the policy of iEHR to safeguard the confidentiality, integrity, and availability of protected health information (PHI), business and proprietary information within its information systems by controlling access to these systems/applications. As such, this policy establishes the enterprise System Maintenance Policy, for managing risks from information asset maintenance and repairs through the establishment of an effective System Maintenance program.

Overview

iEHR information systems must undergo routine and continued maintenance and upkeep. In order for iEHR to determine if changes made to machines were part of the continued system maintenance activities, it is important that such activities be documented. In order to ensure that routine system maintenance is performed properly, iEHR must ensure that the individuals performing maintenance activities are authorized by iEHR and have the necessary skill set. In addition, iEHR must ensure that the individual tasked with performing maintenance activities either has the authorization to access the information contained on the system or is overseen by an individual with such authorization to help prevent the unauthorized disclosure of protected health information (PHI).

Definitions

  1. Electronic Protected Health Information (ePHI): Electronic protected health information means individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.
  2. Information Resources: any items, including telecommunication equipment, computer systems, applications, network equipment, and other equipment, goods, and services related to the processing, storage, transmission and collection of PHI.
  3. Information Resource Owners: individual, departments and/or groups with fiscal control over an information resource.
  4. Maintenance Activities: any system, configuration, software, and/or hardware changes performed on a iEHR information resource. Such activities encompass both routine maintenance such as updates, patches, and etc., as well as emergency break/fix activities.
  5. Maintenance Authorization: formal permission either by an information resource owner or permission stemming from job duties that authorizes an individual to access iEHR information resources and perform maintenance activities.

Policy

  1. All system maintenance on iEHR information resource must be coordinated and controlled by the area responsible for the information resources.
  2. Maintenance activities must be documented, supervised by iEHR staff, done in a way that protects information on the information resource from unauthorized disclosures and access, performed by individuals with prior system maintenance authorization, and performed in a timely manner.
  3. Responsibilities
    1. Information Resource Owner
      1. Information Resource Owners are responsible for the development of internal policies and procedures that ensure maintenance activities, on the information resources for which they own, meet the principle responsibilities listed below.
      2. Information Resource Owners are responsible for ensuring that the individual(s) tasked with performing maintenance activities are authorized to perform such activities and have the necessary knowledge, skills and abilities to adequately perform such activities.
    2. Information Technology Security Officer
      1. The Information Technology Security Officer is responsible for reviewing this document no less then annually and making changes, as necessary, to ensure this Policy meets the intended goals of protecting information resources during maintenance activities.
  4. Maintenance Control
    1. The IT department will enact the necessary internal policies, procedures and guidelines to ensure that all information resource maintenance activities are properly scheduled, performed, documented and reviewed to ensure completeness and compliance with any and all applicable local, State and Federal laws and contractual obligations
    2. For all preventative and regular maintenance activities (including repairs) the area responsible for the administration of the information resource must document, at minimum, the following:
      1. The date and time of maintenance
      2. The name of the individual performing the maintenance
      3. The company of the individual performing the maintenance if not an iEHR employee
        1. The name of the iEHR employee escorting the individual performing the maintenance, if necessary
        2. Escorts for third-party individuals performing maintenance on University information resources are required for any maintenance that will take place in restricted access areas
      4. A description of the maintenance performed
      5. A list of all equipment removed and/or replaced, including identification numbers if applicable
    3. For all emergency maintenance activities (including break/fix repair) the area responsible for the administration of the information resource must ensure that maintenance activities are documented following the above guidelines as soon as possible once the emergency maintenance activities are completed
    4. Internal procedures for information resource maintenance must include requirements for approval of area head for any information resource removal for maintenance/repair activities
    5. In such circumstances when an information resource must be removed to an off-site repair facility, the area responsible for the information resource must remove any and all protected information using established media sanitization procedures prior to information resource removal
    6. After maintenance activities, the area responsible for the administration of the information resource must review the operation of the information resource prior to placement back in the production environment to ensure maintenance activities did not negatively impact the security posture of the information resource
  5. Remote Maintenance
    1. The IT department will maintain a list of all individuals with remote access (i.e. any individual with the ability to remotely connect to the information resource from non-iEHR controlled networks such as the Internet) for maintenance and administration of an information resource
    2. The IT department allowing remote maintenance of information resources must review the list of individuals granted remote access to determine if such access is still required at least annually
    3. Remote maintenance activities must take place through a secured and encrypted protocol (e.g. VPN) when conducted from non-iEHR controlled networks
    4. All access accounts for non-iEHR entities used for maintenance purposes must remain disabled at all times except for those times scheduled and documented as necessary for information resource maintenance and must be immediately disabled once the scheduled maintenance has been completed
    5. Any individual engaged in remote maintenance activities must, at the completion of the maintenance task, immediately disconnect from all iEHR information resources accessed during maintenance activities
    6. The installation/use of remote maintenance capabilities (e.g. RDP, SSH, etc.) for a iEHR information resource must be documented by the individual(s) responsible for the ongoing administration of the information resource and kept on file with the rest of the information resource documentation
  6. Maintenance Personnel
    1. Only individuals with permission from the area responsible for administration of an information resource are authorized to perform system maintenance of an information resource
    2. Individuals granted permission for maintenance of an information resource must, at minimum, be authorized, through a documented job description or other written authorization, by iEHR to access the information contained on the information resource
    3. Any individual that does not have iEHR authorization to access the information contained on an information resource must be supervised by an individual with the appropriate authorization during all phases of system maintenance activities
  7. Timely Maintenance
    1. Whenever possible, areas responsible for critical and/or key information resources should maintain a backup set of hardware to enable timely maintenance activities

Violations

  1. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
  2. Violation may also result in civil and criminal penalties to iEHR as determined by federal and state laws and regulations related to loss of data.