access-control Controls

Limit system access to authorized users, processes, and devices

Limit system access to permitted transactions and functions

Verify and control connections to external information systems

Control FCI posted or processed on publicly accessible systems

Identify all users, processes, and devices that access systems

Authenticate users, processes, and devices before granting access

Limit physical access to systems and facilities to authorized individuals

Control and manage physical access devices

Implement procedures to ensure workforce members have appropriate access to ePHI and prevent unauthorized access

Implement policies and procedures for authorizing access to ePHI

Implement policies and procedures to limit physical access to electronic information systems and the facilities where they are housed

Implement technical policies and procedures to allow access to ePHI only to authorized persons or software programs

Implement policies and procedures to protect ePHI from improper alteration or destruction

The physical environment is monitored to detect potential cybersecurity events

Identities and credentials are managed for authorized users and devices

Identities are proofed and bound to credentials based on the context of interactions

Logical access security measures restrict access to assets

Access credentials are issued with appropriate authorization

Role-based access is used and reviewed periodically

Physical access to facilities and systems is restricted