Healthcare IT Security Checklist

Access Controls (§164.312(a))

• Unique user identification for all workforce members
• Emergency access procedures documented
• Automatic logoff after inactivity (15 minutes recommended)
• Encryption and decryption mechanisms for PHI
• Role-based access controls implemented

Audit Controls (§164.312(b))

• EHR access logging enabled and reviewed
• Failed login attempt monitoring
• File access audit trails active
• Logs retained for minimum 6 years
• Regular audit log reviews performed

Integrity Controls (§164.312(c))

• Mechanisms to authenticate ePHI
• Data integrity verification procedures
• Backup integrity checks performed

Transmission Security (§164.312(e))

• Encryption for PHI in transit (TLS 1.2+)
• Secure email solution for PHI (not regular email)
• Patient portal uses HTTPS with valid certificates
• VPN for remote EHR access

EHR/EMR Security

• EHR vendor Business Associate Agreement current
• EHR access reviewed quarterly (terminated employees)
• EHR audit reports reviewed monthly
• EHR backup separate from vendor's backup
• EHR downtime procedures documented and tested

Medical Device Security

• Medical device inventory maintained
• Network-connected devices on segmented VLAN
• Device firmware updated regularly
• Default passwords changed on all devices
• FDA cybersecurity guidance followed for applicable devices

Physical Safeguards

• Workstation screens positioned away from public view
• Privacy screens on workstations in public areas
• Badge access to areas with PHI
• Visitor sign-in procedures followed
• Device disposal procedures (certified destruction)

• Current Risk Analysis (required annually)
• Risk Management Plan
• Security policies and procedures
• Business Associate Agreements for all vendors
• Workforce training records
• Incident response plan
• Breach notification procedures