Whether the login notice is enabled
Things to Consider to Help Answer the Question:
Consider that awareness requires communication and comprehension by the entire group of users who have access to the information system or ePHI. Some examples of security awareness activities could include:
- Motivational slogans
- Login access banners
- Videos
- Computer-based awareness materials
- Web-based awareness materials
- Posters or flyers
- Briefings, articles, newsletters, and magazines
- Exhibits
Training strives to produce relevant and needed (information) security skills and competencies relevant to the roles and responsibilities assigned to the workforce member and the information systems to which they are authorized to access.
Training content can include policies, procedures, tools, and other documents for the roles that your practice defined.
Consider whether your practice involves key stakeholders when preparing and maintaining its security awareness and training program, such as those responsible for human resources, privacy, and security.
Possible Threats and Vulnerabilities:
Your practice may not be able to safeguard its ePHI if it does not have a training program for its workforce members that outlines the various security measures for reducing the risk of improper access, uses, and disclosures
Some potential impacts include:
- Unauthorized or inappropriate access to ePHI can compromise the confidentiality, integrity, and availability of your practice's ePHI.
- Unauthorized disclosure, loss, or theft of ePHI can lead to medical identity theft.
- Accurate ePHI may not be available when needed, which can adversely impact your healthcare professionals' ability to diagnose and treat their patients.
Examples of Safeguards:
Some potential safeguards to use against possible threats/vulnerabilities. NOTE: The safeguards you may choose will depend on the degree of risk (likelihood) and the potential harm that the threat/vulnerability poses to you and the individuals who are the subjects of the ePHI.
Implement a security awareness and training program for all members of its workforce (including management).
[45 CFR �164.308(a)(5)(i)]
Develop, document, and disseminate to workforce members a security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, compliance, and procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls. The policy should also include procedures to facilitate its implementation and associated personnel security controls
[NIST SP 800-53 AT-1]
In order to be considered compliant, a message with a non-empty caption and body must be displayed at login time
| Target | Silect.Security.Conformance.Computer |
| Parent Monitor | Silect.Security.Conformance.Summary.Aggregate.Configuration |
| Category | ConfigurationHealth |
| Enabled | True |
| Alert Generate | False |
| Alert Auto Resolve | False |
| Monitor Type | Silect.Security.Conformance.Strings.Are.Equal |
| Remotable | True |
| Accessibility | Public |
| RunAs | Default |
Home<UnitMonitor ID="Silect.Security.Conformance.Monitor.LoginNoticeEnabled" Accessibility="Public" Enabled="true" Target="Silect.Security.Conformance.Computer" ParentMonitorID="Silect.Security.Conformance.Summary.Aggregate.Configuration" Remotable="true" Priority="Normal" TypeID="Silect.Security.Conformance.Strings.Are.Equal" ConfirmDelivery="false">
<Category>ConfigurationHealth</Category>
<OperationalStates>
<OperationalState ID="Success" MonitorTypeStateID="StringsAreEqual" HealthState="Success"/>
<OperationalState ID="Error" MonitorTypeStateID="StringsAreNotEqual" HealthState="Warning"/>
</OperationalStates>
<Configuration>
<StringOne>$Target/Property[Type="Silect.Security.Conformance.Computer"]/LoginNoticeEnabledCompliant$</StringOne>
<StringTwo>True</StringTwo>
</Configuration>
</UnitMonitor>