Minimum NTLM Security Level

Summary

Things to Consider to Help Answer the Question:

Consider that written policies and procedures that:

- Can drive the development of processes and adoption of standards and controls, which reduce risk to ePHI

- Can provide essential information for privacy and security awareness and role-based training.

Possible Threats and Vulnerabilities:

If your practice's polices do not require ePHI to be encrypted when it is appropriate to do so, then it is not required to consider all appropriate means available to protect the confidentiality, integrity, and availability of ePHI when it is stored and transmitted.

Some potential impacts include:

- Unauthorized access can go undetected and your practice might not be able to reduce the risk to the privacy, confidentiality, integrity or availability of ePHI.

- Unauthorized disclosure (including disclosure through theft and loss) of ePHI can lead to identity theft.

- Accurate ePHI is not available, adversely impacting the practitioner's ability to diagnose and treat the patient.

Examples of Safeguards:

Some potential safeguards to use against possible threats/vulnerabilities. NOTE: The safeguards you may choose will depend on the degree of risk (likelihood) and the potential harm that the threat/vulnerability poses to you and the individuals who are the subjects of the ePHI.

Implement a mechanism to encrypt ePHI whenever deemed appropriate.

[45 CFR �164.312(e)(2)(ii)]

Develop, document, and disseminate to workforce members a system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

[NIST SP 800-53 SC-1]

Configuration

In order to be considered compliant, clients must employ NTLMv2 session security, along with 128-bit encryption