Baseline security controls for HIA-compliant EMR systems using a tailored NIST RMF approach

  • Author(s) / Creator(s)
  • Abstract
    The proclamation of the Health Information Act (HIA) made the Custodian accountable for protecting the confidentiality, integrity, and availability of health information in Alberta, Canada. The health information that a Custodian creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. Interpreting the Act is often complicated and time-consuming for Custodians: the Act defines rules at a high level, and the compliance process is usually lengthy and costly. To help Custodians comply with the Act more efficiently and to maintain an industry-standard level of information security for electronic medical record (EMR) systems, we have developed a catalogue of baseline information security controls. The catalogue of administrative, physical and technical safeguards for the EMR system is based on a tailored Risk Management Framework (RMF) of the NIST. While effective and efficient compliance with the HIA was the main driving force for developing the catalogue, its usefulness is not limited to compliance with legal regulations. The catalogue of controls is readily applicable as a guideline and a best practice for Custodians in other jurisdictions as well.

  • Date created
  • Subjects / Keywords
  • Type of Item
    Research Material
  • DOI
  • License
    Attribution-NonCommercial 4.0 International