security risk asssessment questionnaire - home | … - … · xls file · web view ·...

Start Here

1. Enable Macros for this Excel Spreadsheet2. Click on Screen Questions to begin assessment3. Click Identified Risks to begin working on your risk management plan

PLEASE NOTE: Some items in the screening questions are prefilled which are common responses from many small practices. Feel free to make any adjustments/edits as necessary to ensure the answers represent your practice's environment.

Screening Questions Identified Risks

2 of 59

HOW TO COMPLETE THE FORMSIntroduction Completion of this tool will assist a practice in complying with Meaningful Use and the HIPAA Security Rule, but it is not a guarantee of compliance with either. Practices are still obligated to comply with the specific requirements of each rule. Use of this tool will provide an overall view of the state of security and provide suggestions for remediation of deficiencies. A complete risk assessment must address each asset type separately, which this tool does not do.

This Risk Assessment Tool contains a four-step process designed to enable respondents to identify their level of risk against pre-identified threats and vulnerabilities. The tool is designed for ease of use and user-friendliness. Cells that populated on one table will be automatically populated on subsequent tabs to ensure accuracy and simplicity. The US Department of Health and Human Services(HHS), Office for Civil Rights (OCR) references components of the National Institute of Standards and Technology (NIST) Special Publications (SP) 800-66 and 800-30 as guidance for a security risk assessment. NIST SP 800-66 is an introductory resource guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and NIST SP 800-30 is a risk management guide for information technology systems.

Background information on the nine primary steps to the risk assessment methodology outlined in NIST SP 800-66 and in NIST SP 800-30 is available on the next tab, labeled 800-66 Risk Guidance. These steps offer helpful background information on the assessment steps, how they interact with one another and basic descriptions of risk and the components of risk, such as threats and vulnerabilities. Internet links to NIST SP 800-66 and SP 800-30 are also provided for those seeking additional information.

Purpose The purpose of a risk assessment is to identify conditions where Electronic Protected Health Information (EPHI) could be disclosed without proper authorization, improperly modified, or made unavailable when needed. This information is then used to make risk management decisions on what reasonable and appropriate safeguards are needed to reduce risk to an acceptable level.

This Risk Assessment Tool is intended to be a starting point for identifying cybersecurity risks to your organization.

The Risk Assessment Tool Four-Step Process The following four-step process is provided for using the Risk Assessment Tool :

Preparation is the Inventorying of Assets tab and is optional to the respondent but highly recommended for completion. In this step, the respondent should list ALL devices that are touched by EPHI. Devices may be for example, desktop PCs, fax machines or specialized medical devices with computerized hard drives to record patient data and test results. Any software applications, whether for recording of patient information, billing information or any other purpose which comes into contact with EPHI should also be listed here. The next column will ask whether the device processes, stores or transmits EPHI. If the devices does not process EPHI, there is no need to proceed further with this device. If the devices DOES process EPHI, then the respondent would select from the next column whether the asset should be categorized as a People and Process asset, or as a Technology asset.

Step 1 is the Screening Questions. This tab is offered as a means for determining the degree to which threats and associated vulnerabilities apply to their organization’s assets. While this tab is an optional feature in the risk analysis, it is strongly recommended that respondents utilize this tab, as these questions will assist in additional responses in Steps 2a and 2b. Users should examine the question and determine the degree to which their current operations address the matching Threat-Vulnerability Statement. The choices from the drop down menu are Addressed, Partially Addressed or Not Addressed. Two columns are provided to the far right in the table for respondents to provide expanded responses to the questions in the row; responses entered in the People/Processes column will be automatically transferred to the Existing Control column of the People and Processes (Step 2a) tab and responses entered in the Technology column will be automatically transferred to the Existing Control column of the Technology (Step 2b) tab. If no action is taken, please indicate 'No Action Taken' in the appropriate column(s). There is no correct or incorrect response, this is merely a sampling of what practitioners are doing to mitigate threats or minimize vulnerabilities.

Steps 2a (People and Processes) and 2b (Technology) utilize the same questions, criteria and risk calculations. It is necessary to separate the two categories of assets for analysis purposes. The People and Processes and Technology tabs will list assets typically found within a medical practice which are applicable to the Threat-Vulnerability Statement appearing in the next column.

The Recommended Control Measures, which is associated with the Threat-Vulnerability, is pre-populated and is provided for respondents to consider in developing their information security posture.

The Existing Control is what the practitioner is doing, if any corrective actions are being taken, to mitigate and reduce the threat or vulnerability. These cells will be pre-populated with data from the People/Processes and/or Technology columns of the Screening Questions (Step 1) tab.

The Existing Control Effectiveness is a Drop-Down list in which the respondent will select the best answer to describe the degree to which their counter-measures address the Threat-Vulnerability statement earlier in the row. When making a selection, respondents should also consider how effective their counter-measures are in relation to the Recommended Control Activity which is suggested in the previous cell. The available response choices are Effective, Partially Effective or Not Effective.

The Exposure Potential is a pre-populated cell from the response in the previous Step 1 tab and represents the risk exposure to the practice for this Threat-Vulnerability statement. The risk exposure is rated on a scale of High, Medium or Low. The purpose is to offer additional guidance and empower the respondent in their selections on the following choices of Impact and the Likelihood of Occurrence, or simply ‘Likelihood’. As with the Impact Rating, this is a judgment by the respondent as to how likely an 'Undesirable Event', such as power outage or fire, are to occur to the medical practice. Please select from the appropriate corresponding choice of: VERY LIKELY is defined as having a probable chance of occurrence.LIKELY is defined as having a significant chance of occurrence .NOT LIKELY is defined as a modest or insignificant chance of occurrence .

Impact is the consequences of a security event to the medical practice. Please select from the appropriate corresponding choice of High, Medium or Low for each Business Asset. HIGH is defined as having a catastrophic impact on the medical practice; the medical practice is incapable of offering medical treatments or services and a significant number of medical records have been lost or compromised. MEDIUM is defined as having a significant impact; the medical practice may offer a reduced array of treatment services to patients. A moderate number of medical records within the practice have been lost or compromised. LOW is defined as a modest or insignificant impact; the medical practice can continue to offer treatment to patients and some medical records may be lost or compromised. NOTE: Any loss or compromise of 500 medical records or more requires that the practice notify the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) immediately. The Risk Rating requires no action by the respondent. The column automatically calculates the risk rating to the medical practice based upon the inputs to the 'Impact' and 'Likelihood' columns.

Step 3, Findings-Remediation, is the final tab requiring completion and is almost entirely auto-populated with data from previous tabs. The Risks Found column is populated with the data from the People and Process or Technology asset tabs ,which in Steps 2a or 2b was determined to have a Risk Rating of either Medium or High. The Existing Control Measures Applied are the measures, if any, currently being undertaken to address the threat as was indicated in Steps 2a or 2b. Recommended Control Measures are the corresponding recommended corrective measures which were automatically populated in the tabs of Steps 2a and 2b and appear again in this space. The final cell, Additional Steps, offers the respondent an opportunity to consider and state any additional measures they would like to implement.

NEXT STEP: Please proceed to the 800-66 Risk Guidance tab which provides guidance on conducting a risk assessment.

3 of 59

HOW TO COMPLETE THE FORMSIntroduction Completion of this tool will assist a practice in complying with Meaningful Use and the HIPAA Security Rule, but it is not a guarantee of compliance with either. Practices are still obligated to comply with the specific requirements of each rule. Use of this tool will provide an overall view of the state of security and provide suggestions for remediation of deficiencies. A complete risk assessment must address each asset type separately, which this tool does not do.

This Risk Assessment Tool contains a four-step process designed to enable respondents to identify their level of risk against pre-identified threats and vulnerabilities. The tool is designed for ease of use and user-friendliness. Cells that populated on one table will be automatically populated on subsequent tabs to ensure accuracy and simplicity. The US Department of Health and Human Services(HHS), Office for Civil Rights (OCR) references components of the National Institute of Standards and Technology (NIST) Special Publications (SP) 800-66 and 800-30 as guidance for a security risk assessment. NIST SP 800-66 is an introductory resource guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and NIST SP 800-30 is a risk management guide for information technology systems.

Background information on the nine primary steps to the risk assessment methodology outlined in NIST SP 800-66 and in NIST SP 800-30 is available on the next tab, labeled 800-66 Risk Guidance. These steps offer helpful background information on the assessment steps, how they interact with one another and basic descriptions of risk and the components of risk, such as threats and vulnerabilities. Internet links to NIST SP 800-66 and SP 800-30 are also provided for those seeking additional information.

Purpose The purpose of a risk assessment is to identify conditions where Electronic Protected Health Information (EPHI) could be disclosed without proper authorization, improperly modified, or made unavailable when needed. This information is then used to make risk management decisions on what reasonable and appropriate safeguards are needed to reduce risk to an acceptable level.

This Risk Assessment Tool is intended to be a starting point for identifying cybersecurity risks to your organization.

The Risk Assessment Tool Four-Step Process The following four-step process is provided for using the Risk Assessment Tool :

Preparation is the Inventorying of Assets tab and is optional to the respondent but highly recommended for completion. In this step, the respondent should list ALL devices that are touched by EPHI. Devices may be for example, desktop PCs, fax machines or specialized medical devices with computerized hard drives to record patient data and test results. Any software applications, whether for recording of patient information, billing information or any other purpose which comes into contact with EPHI should also be listed here. The next column will ask whether the device processes, stores or transmits EPHI. If the devices does not process EPHI, there is no need to proceed further with this device. If the devices DOES process EPHI, then the respondent would select from the next column whether the asset should be categorized as a People and Process asset, or as a Technology asset.

Step 1 is the Screening Questions. This tab is offered as a means for determining the degree to which threats and associated vulnerabilities apply to their organization’s assets. While this tab is an optional feature in the risk analysis, it is strongly recommended that respondents utilize this tab, as these questions will assist in additional responses in Steps 2a and 2b. Users should examine the question and determine the degree to which their current operations address the matching Threat-Vulnerability Statement. The choices from the drop down menu are Addressed, Partially Addressed or Not Addressed. Two columns are provided to the far right in the table for respondents to provide expanded responses to the questions in the row; responses entered in the People/Processes column will be automatically transferred to the Existing Control column of the People and Processes (Step 2a) tab and responses entered in the Technology column will be automatically transferred to the Existing Control column of the Technology (Step 2b) tab. If no action is taken, please indicate 'No Action Taken' in the appropriate column(s). There is no correct or incorrect response, this is merely a sampling of what practitioners are doing to mitigate threats or minimize vulnerabilities.

Steps 2a (People and Processes) and 2b (Technology) utilize the same questions, criteria and risk calculations. It is necessary to separate the two categories of assets for analysis purposes. The People and Processes and Technology tabs will list assets typically found within a medical practice which are applicable to the Threat-Vulnerability Statement appearing in the next column.

The Recommended Control Measures, which is associated with the Threat-Vulnerability, is pre-populated and is provided for respondents to consider in developing their information security posture.

The Existing Control is what the practitioner is doing, if any corrective actions are being taken, to mitigate and reduce the threat or vulnerability. These cells will be pre-populated with data from the People/Processes and/or Technology columns of the Screening Questions (Step 1) tab.

The Existing Control Effectiveness is a Drop-Down list in which the respondent will select the best answer to describe the degree to which their counter-measures address the Threat-Vulnerability statement earlier in the row. When making a selection, respondents should also consider how effective their counter-measures are in relation to the Recommended Control Activity which is suggested in the previous cell. The available response choices are Effective, Partially Effective or Not Effective.

The Exposure Potential is a pre-populated cell from the response in the previous Step 1 tab and represents the risk exposure to the practice for this Threat-Vulnerability statement. The risk exposure is rated on a scale of High, Medium or Low. The purpose is to offer additional guidance and empower the respondent in their selections on the following choices of Impact and the Likelihood of Occurrence, or simply ‘Likelihood’. As with the Impact Rating, this is a judgment by the respondent as to how likely an 'Undesirable Event', such as power outage or fire, are to occur to the medical practice. Please select from the appropriate corresponding choice of: VERY LIKELY is defined as having a probable chance of occurrence.LIKELY is defined as having a significant chance of occurrence .NOT LIKELY is defined as a modest or insignificant chance of occurrence .

Impact is the consequences of a security event to the medical practice. Please select from the appropriate corresponding choice of High, Medium or Low for each Business Asset. HIGH is defined as having a catastrophic impact on the medical practice; the medical practice is incapable of offering medical treatments or services and a significant number of medical records have been lost or compromised. MEDIUM is defined as having a significant impact; the medical practice may offer a reduced array of treatment services to patients. A moderate number of medical records within the practice have been lost or compromised. LOW is defined as a modest or insignificant impact; the medical practice can continue to offer treatment to patients and some medical records may be lost or compromised. NOTE: Any loss or compromise of 500 medical records or more requires that the practice notify the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) immediately. The Risk Rating requires no action by the respondent. The column automatically calculates the risk rating to the medical practice based upon the inputs to the 'Impact' and 'Likelihood' columns.

Step 3, Findings-Remediation, is the final tab requiring completion and is almost entirely auto-populated with data from previous tabs. The Risks Found column is populated with the data from the People and Process or Technology asset tabs ,which in Steps 2a or 2b was determined to have a Risk Rating of either Medium or High. The Existing Control Measures Applied are the measures, if any, currently being undertaken to address the threat as was indicated in Steps 2a or 2b. Recommended Control Measures are the corresponding recommended corrective measures which were automatically populated in the tabs of Steps 2a and 2b and appear again in this space. The final cell, Additional Steps, offers the respondent an opportunity to consider and state any additional measures they would like to implement.

NEXT STEP: Please proceed to the 800-66 Risk Guidance tab which provides guidance on conducting a risk assessment.

NIST SP 800-66 Guidance

4 of 59

NIST SP 800-66 RISK GUIDANCEHow to Conduct the Risk Assessment: Risk assessments can be conducted using many different methodologies. There is no single methodology that will work for all organizations and all situations. The following steps represent key elements in a comprehensive risk assessment program, and provide an example of the risk assessment. It is expected that these steps will be customized to most effectively identify risk for an organization based on its own uniqueness. Even though these items are listed as steps, they are not prescriptive in the order that they should be conducted. Some steps can be conducted simultaneously rather than sequentially.

1. Scope the Assessment. The first step in assessing risk is to define the scope of the effort. To do this, it is necessary to identify where EPHI is created, received, maintained, processed, or transmitted. Ensure that the risk assessment scope takes into consideration the remote work force and telecommuters, and removable media and portable computing devices (e.g., laptops, removable media, and backup media).

2. Gather Information. During this step, the covered entity should identify: The conditions under which EPHI is created, received, maintained, processed, or transmitted by the covered entity. It should also identify the security controls currently being used to protect the EPHI.

3. Identify Realistic Threats. Often performed simultaneously with Step 4, Identify Potential Vulnerabilities, the goal of this step is to identify the potential threat sources and compile a threat statement listing potential threat-sources that are applicable to the covered entity and its operating environment. The listing of threat sources should include realistic and probable human and natural incidents that can have a negative impact on an organizations ability to protect EPHI.

4. Identify Potential Vulnerabilities. Often performed simultaneously with Step 3, Identify Realistic Threats, the goal of this step is to develop a list of vulnerabilities (flaws or weaknesses) that could be exploited by potential threat sources. This list should focus on realistic technical and nontechnical areas where EPHI can be disclosed without proper authorization, improperly modified, or made unavailable when needed.

5. Assess Current Security Controls. Often performed simultaneously with Step 2, Gather Information, the purpose of this step is to determine if the implemented or planned security controls will minimize or eliminate risks to EPHI. A thorough understanding of the actual security controls in place for a covered entity will reduce the list of vulnerabilities, as well as the realistic probability, of a threat attacking (intentionally or unintentionally) EPHI. 6. Determine the Likelihood and the Impact of a Threat Exercising a Vulnerability. The next major step in measuring the level of risk is to determine the likelihood and the adverse impact resulting from a threat successfully exploiting a vulnerability. A business impact assessment prioritizes the impact levels associated with the compromise of an organization’s information assets based on a qualitative or quantitative assessment of the sensitivity and criticality of those assets. An asset criticality assessment identifies and prioritizes the sensitive and critical organization information assets (e.g., hardware, software, systems, services, and related technology assets) that support the organization’s critical missions.

7. Determine the Level of Risk. The purpose of this step is to assess the level of risk to the IT system. The determination of risk takes into account the information gathered and determinations made during the previous steps. The level of risk is determined by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence.

8. Recommend Security Controls. During this step, security controls that could mitigate the identified risks, as appropriate to the organization’s operations, are recommended. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level. Security control recommendations provide input to the risk mitigation process, during which the recommended security controls are evaluated, prioritized, and implemented.

9. Document the Risk Assessment Results. Once the risk assessment has been completed (threat sources and vulnerabilities identified, risks assessed, and security controls recommended), the results of each step in the risk assessment should be documented. NIST SP 800-30 provides a sample risk assessment report. Key Terms Defined When talking about risk, it is important that terminology be defined and clearly understood. This section defines important terms associated with risk assessment and management. • Risk is the potential impact that a threat can have on the confidentiality, integrity, and availability on EPHI by exploiting a vulnerability. • Threats are anything that can have a negative impact on EPHI. Threats are: o Intentional (e.g., malicious intent); or o Unintentional (e.g., misconfigured server, data entry error).

• Threat sources are: o Natural (e.g., floods, earthquakes, storms, tornados); o Human (e.g., intentional such as identity thieves, hackers, spyware authors; unintentional such as data entry error, accidental deletions); or o Environmental (e.g., power surges and spikes, hazmat contamination, environmental pollution).

• Vulnerabilities are a flaw or weakness in a system security procedure, design, implementation, or control that could be intentionally or unintentionally exercised by a threat. • Impact is a negative quantitative and/or qualitative assessment of a vulnerability being exercised on the confidentiality, integrity, and availability of EPHI.

For further information, please refer to NIST SP 800-66 and NIST SP 800-30. A link to the NIST Special Publications 800 Series is provided below:http://csrc.nist.gov/publications/PubsSPs.html

NEXT STEP : Please proceed to the Step 1 tab and complete the appropriate sections which follow. Background information and guidance is offered at the top of each tab.


5 of 59















6 of 59














Practice Summary

Last Revision Date

Practice InformationPractice Name

Office Locations

EHR Information

EHR SystemCertified Version?

Vendors/Third PartiesIT VendorEHR Vendor CompanyRECOther

InfrastructureEHR Server InformationFax Server InformationNetwork FirewallWireless DevicesWorkstationsLaptopsScannersFax MachinesCopiersTabletsiPad's

Other

Media UsedSmartphonesUSB Thumb Drives

Contributors(persons involved with the assessment)

Contact Information(Practice Point of Contact)

Name:Email:Phone:

EHR Model(Hosted or Client/Server)

Medical Devices(Devices that may contain and/or transmit data)

A16

ngibson: Understanding what vendors and third parties are used by the Practice can help determine what Business Associate Agreements may need to be in place as well as what security monitoring may be needed and/or other security controls.

A22

ngibson: Any information about the Infrastructure. The more information the better. This could include the make and model, type of device, or even just how many of that device.

A37

ngibson: Any information about the media being utilized The more information the better. This could include the make and model, type of device, or even just how many of that device or media.

USB Hard DrivesCD'sBackup TapesOther

PHI LocationWhere is PHI Stored?

A45

ngibson: Understanding where Protected Health Information (PHI) is stored is very important. This can help determine where to focus a large part of the privacy and security efforts and what security controls may be needed.

9 of 59

Inventory Assets (Preparation)Purpose: This tab may be helpful to respondents in determining what to consider in the population of assets in Steps 2a and 2b. The tab provides a space to list all potential assets and whether they process EPHI. If the asset processes EPHI, then decide if the asset is best suited as a People and Process asset or a Technology asset.

The following template, consistent with Step 1 of NIST Special Publications 800-66 and 800-30. Using the Inventory Assets Tab:The respondent should take a moment to carefully consider and reflect upon their complete asset inventory, then list the assets in the initial column. The respondent can then utilize the next column to consider whether or not the asset processes EPHI. If the asset does not process EPHI, then the asset does not need to be listed or considered for this analysis any further. If, however, the asset DOES process EPHI, then indicate the best category for the asset in the last column.

Respondents should distinguish assets in the following way:

People and Processes: Any asset(s) which processes, transmits or stores Electronic Personal Health Information (EPHI). The assets may be used in an operational or administrative capacity, for business purposes or for sustainment of operations. As long as the asset usage impacts EPHI usage, then it should be listed in the tool.

Examples could include devices such as Desktop PCs, Fax Machines, Photo Copiers, Scanners, Mobile Computing Devices, Cell Phones/Smart Phones, Storage Servers, Monitors, Phones, Pagers, Network Connections, Internet Routers, Printer(s), Teleconferencing Equipment, Dictaphones, Software, Medical Equipment, Specialized Medical Devices (such as X-Ray, EKG, or EEG) or Portable Storage devices such as Thumb Drives.

NOTE: policies, procedures, organizational standards and guidance should all be considered and included in the Business Asset section.

Technology: This would be a list that exclusively contains the software package(s) which process EPHI. This may be any computer program from specialized medical software to the Microsoft Office suite of products such as Excel, Word or Access. Any software or computer program which processes, transmits or stores EPHI would be categorized in this section.

NOTE: If an asset does not process, store, or transmit EPHI, then it is NOT necessary to consider or include that asset on this list. The only consideration is whether or not EPHI is a factor in the usage of the asset.

NEXT STEP: Please take the opportunity to review all your selections and inputs, in order to ensure accuracy in the responses given.

10 of 59

Asset Type People/Process or Technology Asset?Does this asset process, store or transmit EPHI?

11 of 59

Asset Type People/Process or Technology Asset?Does this asset process, store or transmit EPHI?

12 of 59

Screening Questions (Step 1)

Topic Question Response Threat Vulnerability Statement People/Processes Technology

1. Security Program

1.1 Roles & Responsibilities N/A

1.2 External Parties

[1.1] Has your organization formally appointed a central point of contact for security coordination?a) If so, whom, and what is their position within the organization?b) Responsibilities clearly documented? i.e. job descriptions, information security policy

Management has not defined responsibilities for the information security program. [TVS001]

[1.2] Do you work with third parties, such as IT service providers, that have access to your patient's information? a) Does your organization have Business Associate agreements in place with these third parties? i.e. REC, IT Vendor, EHR Vendor, etc.b) If not, what controls does your organization have in place to monitor and assess third parties? i.e. Logging of VPN connections, EHR logs, etc.

Security breaches occur when dealing with third parties due to a lack of security considerations in the related third party agreement. [TVS002]

Purpose: The following tab is offered as a means for determining the degree to which threats and associated vulnerabilities apply to their organization’s assets. While this tab is an optional feature in the risk analysis, it is strongly recommended that the respondents utilize this workspace as these questions will assist in additional responses on Steps 2a and 2b.

Steps for Using the Screening Questions Tab (Step 1):

When examining each of the individual questions below, consider the question and your organizations current posture. Please select from the drop-down list as to whether your organization Addresses, Partially-Addresses or Does Not Address the security issue in question. There is no correct or incorrect response. The purpose of the risk analysis effort is to gauge the information security practices within medical facilities and where to best direct resources to remediate the areas of greatest concern. When the selection is made, the corresponding ‘Exposure Potential’ column in Steps 2a or 2b will automatically populate with the words, ‘High', 'Medium' or ‘Low’ as a means of assisting the respondent in calculating their risk.

There will be a pre-selected Threat-Vulnerability Statement which will correspond to the question; no action is required for this cell. The respondent is offered this statement in consideration of what, if any, response they would like to offer in the last two cells- People/Processes and Technology. All responses in the last two columns will pre-populate information in the Existing Control column on the People and Processes (Step 2a) or Technology (Step 2b) tab respectively. The respondent should populate this cell with what the practitioner is doing, if any corrective actions are being taken, to mitigate and reduce the threat or vulnerability. If no action is taken, please indicate 'No Action Taken' in the appropriate column(s). There is no correct or incorrect response, this is merely a sampling of what practitioners are doing to mitigate threats or minimize vulnerabilities. The pre-populated Threat-Vulnerability Statement will appear again in Steps 2a and 2b.

NEXT STEP: After completing the questions on this tab, please proceed to the tab labeled People and Processes (Step 2a).

13 of 59


2. Security Policy

2.1 N/A

3. Risk Management & Compliance

3.1 Risk Assessment

3.2 N/A

4. Training & Awareness

4.1

5. Personnel Security

5.1 Background Checks N/A

Information Security Policy & Procedures

[2.1] Do you have documented information security policies and procedures?a) Do you have a formal information classification procedure? Please describe it. In particular, how would patient data be categorized? For example, critical, essential, and normal.b) Have formal acceptable use rules been established for assets? Example assets include data assets, computer equipment, communications equipment, etc.Do you have formal processes in place for security policy maintenance and deviation?

Management does not set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security. [TVS003]

[3.1] Do you have a process that addresses: the identification and measurement of potential risks, mitigating controls (measures taken to reduce risk), and the acceptance or transfer (Insurance policies, warranties for example) of the remaining (residual) risk after mitigation steps have been applied?

Information around risks and related control options are not presented to management before management decisions are made. [TVS004]

- REC helping to start the risk assessment process by using this spreadsheet as a foundation for the risk assessment as well as risk management plan. - No prior risk assessments conducted

- No regular assessments of technology is performed; including vulnerability testing, patch management, or other review of systems to help determine risks associated with them so appropriate action(s) can be taken.

Compliance with Legal Requirements - Identification of applicable legislation

[3.2] Does a process exist to identify new laws and regulations with IT security implications? (e.g., new state breach notification requirements)? i.e. Newsletters, Webinars, etc.

Legislative, statutory, regulatory or contractual obligations related to security are violated due to lack of controls. [TVS005]

- Working with the REC helps to identify new laws and regulations due to the training and guidance with the REC team - State breach guidance also available through the REC within the privacy and security toolkit

During Employment – Training, Education & Awareness

[4.1] Have your employees been provided formal information security training? Have policies been communicated to your employees? Are periodic security reminders provided? i.e. New employee orientation, yearly training, posters in public areas, email reminders, etc.

Applications and technology solutions are not correctly and securely used since a training curriculum for employees has not been established or regularly updated. [TVS006]

- No formal information security training but periodic HIPAA training (random). - No one dedicated to the role of training. - No IT orientation

- The use of technology regarding a training curriculum is not currently being utilized.

[5.1] Does your organization perform background checks to examine and assess an employee’s or contractor’s work and criminal history? i.e. Credential verification, criminal history, references

Background verification checks are not carried out and management is not aware of academic, professional, credit or criminal backgrounds of employees. [TVS007]

- References are verified - Credential verification is also performed - No criminal background checks are performed at this time

14 of 59


5.2

5.3

6. Physical Security

6.1 Secure Areas

7. Network Security

Prior to Employment - Terms and Conditions of Employment

[5.2] Are your employees required to sign a non-disclosure agreement? If so, are employees required to sign the non-disclosure agreement annually? Non-disclosure and/or confidentiality form at initial employment

Employees or contractors do not agree or sign terms or conditions of employment. [TVS008]

- Non disclosure Agreements required prior to employment

- Accounts are not created within the EHR until appropriate Agreements are signed

Termination or Change in Employment

[5.3] Do you have a formal process to manage the termination and or transfer of employees? i.e. All equipment is returned, user ID's disabled in EHR and Windows, badges and/or keys returned.

Employee, contractor or third party user terminations or change of responsibilities could result in a security breach due to lack of a defined management process for terminations or changes in responsibilities. [TVS009]

- No known procedures in place for terminations or changes of responsibilities. - Disabling of access within the EHR as well as retrieval of keys and equipment is performed.

- User accounts are disabled within the EHR

[6.1] Do you have effective physical access controls (e.g., door locks) in place that prevent unauthorized access to facilities and a facility security plan? a) Are there plans in place to handle/manage contingent events or circumstances (e.g. what if the person with the key to the server room is sick)? b) Is there a facility security plan? c) How are physical access controls authorized (who is responsible for ensuring that only appropriate persons have keys or codes to the facility and to locations within the facility with ePHI)? d) Are there policies and procedures to document repairs and modifications to physical components of the facility that are related to security? - [See Facility Walkthrough Checklist for additional information]

Unauthorized parties gain physical access to facilities due to insufficient physical entry/exit controls. [TVS010]

- No facility security plan is currently in place at the practice - Fire escape plans are posted throughout the building - Alarm system is currently in place and monitored 24/7

- Front DeskWaiting room securely separated?All patients must sign in?All visitors must sign in?All visitors & patients escorted?Sign-in sheet secured and maintained?

- Workstations/Laptops/TabletsPositioning?Privacy screens used?Cable locks used?

- Server RoomServer room location?Locked at all times?Proper cooling?Battery backup?Fire suppression?

- Network ClosetLocked at all times?Proper cooling?Battery backup?

- BuildingEmergency lighting?Fire detection?Fire suppression?Back door remains locked?Other doors remain locked? Water shut-off valves?Emergency power shut-off?Building alarm system?

15 of 59


7.1

7.2 Encryption

7.3 Vulnerability Assessment

7.4 Monitoring

8. Logical Access

Application and Information Access Control - Sensitive System Isolation

[7.1] Describe your network configuration. Has your IT vendor provided information regarding how your Electronic Health Record (EHR) system is protected?a) Are systems and networks that host, process and or transfer sensitive information ‘protected’ (isolated or separated) from other systems and or networks? b) Are internal and external networks separated by firewalls with access policies and rules?c) Is there a standard approach for protecting network devices to prevent unauthorized access/ network related attacks and data-theft? i.e. Firewall between public and private networks, internal VLAN, firewall separation, separate WLAN network, and/or secure patient portal.

Sensitive systems co-located with less sensitive systems are accessed by unauthorized parties. [TVS011]

- No network diagram or details regarding the configurations being used are currently available.

- Network ConfigurationFirewall in place?Wireless encryption?Remote access type?Remote access encryption?

[7.2] Is sensitive information transferred to external recipients? If so, are controls in place to protect sensitive information when transferred (e.g. with encryption)? i.e. Secure VPN connection with EHR and/or IT vendors or email encryption (certificate server, ZixMail).a) Is sensitive information being sent via text, either by email (i.e. [email protected]) or by texting on the phones themselves?

Information involved in electronic messaging is compromised. [TVS012]

- No policies or procedures around the protection of electronic messaging. - No PHI is electronically sent via email or other electronic means except through fax.

[7.3] How often do you perform periodic vulnerability scans on your information technology systems, networks and supporting security systems? i.e. Internal assessments, third party assessments, automated?

Technical vulnerabilities are exploited to gain inappropriate or unauthorized access to information systems due to lack of controls for those vulnerabilities. [TVS013]

- No vulnerability testing has been completed.

- No vulnerability testing currently being performed internally or from a third party

[7.4] Are third party connections to your network monitored and reviewed to confirm authorized access and appropriate usage? i.e. VPN logs, server Event Logs, EHR logging, automated alerts, regular review of logs or reports.

Unauthorized access is given to information over third party connections. [TVS014]

16 of 59


8.1

8.2 Identity Management

8.3 Entitlement Reviews

9. Operations Management

Identity & Access Management

[8.1] Do you have a formal access authorization process based on 'least privilege' (employees are granted the least amount of access possible in order to perform their assigned duties) and need to know (access permissions are granted based upon the legitimate business need of the user to access the information) ? i.e. Role-based permissions, limited access based on specific responsibilities, network access request form?a) How are systems and applications configured to restrict access only to authorized individuals? i.e. Use of unique ID's and passwords. 1) Minimum password length? Complexity? History? Lockout? Password change?b) Is there a list maintained of authorized users with access (administrative access) to operating systems? i.e. Active Directory user lists, within EHR application, Excel spreadsheet of users, HR file?c) Does a list of 'accepted mobile devices' (e.g., smart phones, cell phones) exist based on testing? Are accepted mobile devices tested prior to production use?d) Is sensitive information (e.g., social security numbers) removed from, or encrypted within, documents and or websites before it is distributed? i.e. Use of Patient Portal for distribution, de-identifying of sensitive information prior to being distributed.e) Is software installation restricted for desktops, laptops and servers?i.e. Restricted User access to workstations, Group Policy enforcement, AD privileges on servers 1) automatic logoff of workstations? EHR system?f) Is access to source application code restricted? If so, how? Is a list of authorized users maintained?

Unauthorized access is gained to information systems. [TVS015]

- Access rights to the EHR are allocated based on the employees role within the facility but no procedures are in place.

- EHR Password SecurityPassword Change?Minimum Length?Complexity?Password History?Lockout?

- Windows Password SecurityPassword Change?Minimum Length?Complexity?Password History?Lockout?

- Auto LogoffEHR?Windows?

- Servers/Network DevicesDefault Admin passwords have been changed?

[8.2] Are user IDs for your system uniquely identifiable? a) Any shared accounts at all? i.e. hard coded into applications, someone is sick or unavailable, emergency access to sensitive information?

Unauthorized users are able to gain access to operating systems by claiming to be an authorized user. [TVS016]

- No policy or procedure around the use of unique user ID's

- Unique user ID's are utilized within the EHR. - However, user ID's are NOT unique for workstation access

[8.3] Do you have a process to review user accounts and related access? i.e. manual process of reviewing HR records to user accounts in AD and EHR

Users that no longer have a business need for information systems access still have access to the information. [TVS017]

- User accounts are not currently reviewed on a regular basis

- No regular review of accounts currently being performed within the EHR, servers, and other systems.

17 of 59


9.1 Antivirus

9.2 Security Monitoring

9.3 Media Handling

9.4 Secure Disposal N/A

9.5

9.6 Segregation of Duties N/A

9.7 Change Management

10. Incident Management

[9.1] Has antivirus software been deployed and installed on your computers and supporting systems (e.g., desktops, servers and gateways)? 1) Product installed? Centrally managed? Updated daily?

Systems and data are exposed to malicious software and/or unauthorized use. [TVS018]

- No current policies and procedures surrounding the use and updating of antivirus software

[9.2] Are systems and networks monitored for security events? If so, please describe this monitoring. i.e. server and networking equipment logs monitored regularly. Servers, routers, switches, wireless AP's.

Unauthorized information processing activities occur undetected due to lack of consistent logging and monitoring activities. [TVS019]

[9.3] Do procedures exist to protect documents, computer media (e.g., tapes, disks, CD-ROMs, etc.), from unauthorized disclosure, modification, removal, and destruction? Is sensitive data encrypted when stored on laptop, desktop and server hard drives, flash drives, backup tapes, etc.? i.e. Data at Rest - Is data encrypted on the EHR server? Backups? Mobile devices? SD Cards?

Media (e.g., documents, computer media (e.g. tapes, disks), input/output data, system documentation) is compromised by unauthorized parties due to ineffective handling procedures. [TVS020]

- No procedures in place surrounding the handling of media.

- BackupsAre backups encrypted?

[9.4] Are there security procedures for the decommissioning (replacement) of IT equipment and IT storage devices which contain or process sensitive information? i.e. use of Shred-IT, Retire-IT, wiping, NIST 800-88

Unauthorized parties access data from discarded media. [TVS021]

Segregation of Computing Environment

[9.5] Are development, test and production environments separated from operational IT environments to protect production (actively used) applications from inadvertent changes or disruption?

The production environment is impacted due to the lack of separation of development and production environments. [TVS022]

- Testing that relates to the EHR occurs though the EHR vendor and not performed internally.

- No test systems - EHR vendor tests their updates and then notifies the Practice for installation into production

[9.6] Are duties separated, where appropriate, to reduce the opportunity for unauthorized modification, unintentional modification or misuse of the organization's IT assets? i.e. front desk duties separated from accounting. Nurse duties separated from Doctor's?

The integrity of a business process is compromised due to the lack of segregation of duties (e.g., maker & checker). [TVS023]

- Job duties are separated within the EHR based on their job roles but not formally outlined within any policy or procedure.

[9.7] Do formal change management procedures exist for networks, systems, desktops, software releases, deployments, and software vulnerability (e.g., Virus or Spyware) patching activities? i.e. Changes to the EHR? Changes to the workstations and servers? Appropriate testing, notification, and approval?

The change management process in place does not adequately protect the environment from disruptive changes in production. [TVS024]

- No formal change management procedures currently in place. - The existing process for EHR updating involves being contacted by the vendor and then scheduling a time for installation.

- No internal tracking or reporting of changes to the systems - EHR vendor does keep records of any changes performed through the use of their ticketing system

- Windows UpdatesWorkstations update automatically?

18 of 59


10.1 Process & Procedures

11. Business Continuity Management

11.1

[10.1] How do you identify, respond to and mitigate suspected or known security incidents?i.e. Incident Form filled out as a response to an incidenta) During the investigation of a security incident, is evidence properly collected and maintained?i.e. Chain of custody and other computer forensic methodologies followed by internal and/or external parties?b) Are incidents identified, investigated, and reported according to applicable legal requirements?c) How are incidents escalated and communicated? i.e. documented process for escalation to management and even outside authorities.

Security incidents are not managed with a consistent and effective approach. [TVS025]

- Incidents are reported but not consistent in the approach and no formalized incident response plan is currently in place.

- No incident management tracking / reporting software is being utilized

Disaster Recovery Plan & Backups

[11.1] Do you have a mechanism to back up critical IT systems and sensitive data? i.e. nightly, weekly, quarterly backups? Taken offsite?a) Have you had to restore files after a systems outage? Does a Disaster Recovery plan exist for the organization and does it consider interruption to, or failure of, critical IT systems?a) Are disaster recovery plans updated at least annually?b) If not, has the backup and restoration process been tested?

Information systems cannot be recovered due to a lack of written disaster recovery plans. [TVS026]

- No Disaster Recovery Plan or Emergency Operations Plan currently in place at the facility

- EHR is web based and all backups and restores are performed by the EHR vendor.

19 of 59

People and Processes (Step 2a) Purpose: This tab is designed to determine a risk rating for an organization's (people and process) assets, which store, transmit, or process EPHI. The Threats and Vulnerabilities offered is a sample of possibilities which may be expanded upon. These assets help to identify the scope of what needs to be assessed. This tab addresses the Risk Assessment Steps 1 through 8 of NIST Special Publications 800-66 and 800-30. Steps for Using the People and Processes Tab (Step 2a): NOTE: All Columns must be filled in completely.

1. Asset Management Category - This list has already been pre-populated to assist the respondent and requires no action. This cell contains the typical asset or business process which corresponds with the Threat-Vulnerability Statement in the next cell.

2. Threat-Vulnerability Statement - The Threat-Vulnerability Statement is also pre-populated and requires no action on the part of the respondent.

3. Recommended Control Measures - This column requires no action by the respondent. This is a recommended action which is provided for respondents to consider in developing their information security posture.

4. Existing Control - This column is pre-populated from the response in the People/Processes column of the Screening Questions (Step 1) tab and requires no action by the respondent.

5. Existing Control Effectiveness - This is a Drop-Down list in which the respondent will select the best answer to describe the degree to which their counter-measures address the Threat-Vulnerability statement earlier in the row. When making a selection, respondents should also consider how effective their counter-measures are in relation to the Recommended Control Measures which is suggested in the previous cell. The available choices are Effective, Partially Effective or Not Effective.

For example, the Threat-Vulnerability statement that “Facilities are protected by appropriate entry controls” would be evaluated as to how effectively the workspaces where EPHI can be accessed are protected. Additionally, the respondent would also want to consider how effectively the medical facility itself is secured and protected. These are some of the factors which must be considered in offering a response.

6. Exposure Potential - This cell is pre-populated from the response on the Screening Questions (Step 1) tab and requires no action. This cell represents the response of ‘Addressed, Partially-Addressed or Not-Addressed’ relative to the Threat-Vulnerability statement. The purpose is to offer additional guidance and empower the respondent in their selections on the following choices of Impact and Likelihood.

7. Likelihood - As with the Impact Rating, this is a judgment by the respondent as to how likely an 'Undesirable Event', such as power outage or fire, are to occur to the medical practice. Please select from the appropriate corresponding choice of Low, Medium or High for each asset. Very Likely would be defined as having a probable chance of occurrence. Likely would be defined as having a significant chance of occurrence. Not Likely would be defined as modest or insignificant chance of occurrence. 8. Impact - In the event that an 'Undesirable Event' such as a power outage or a fire occurs, what is the level of impact to the practice? The response is a completely subjective judgment by the practitioner as to what the impact of an occurrence of the threat would have upon the medical practice. Please select from the appropriate corresponding choice of High, Medium, or Low for each asset. High would be defined as having a catastrophic impact on the medical practice; the medical practice is incapable of offering medical treatments or services and a significant number of medical records have been lost or compromised. Medium would be defined as having a significant impact on the medical practice; the medical practice may offer a reduced array of treatment services to patients. A moderate number of medical records within the practice have been lost or compromised. Low would be defined as having a modest or insignificant impact on the medical practice; the medical practice can continue to offer treatment to patients and some medical records may be lost or compromised.

NOTE: A loss or compromise of 500 medical records or more may qualify as a breach that requires the practice to notify the US Department of Health and Human Services Office for Civil Rights within a defined time frame.

9. Risk Rating - This column requires no action by the respondent. The column automatically calculates the risk rating to the medical practice based upon the inputs from the 'Impact Rating' and 'Likelihood of Occurrence' columns. NEXT STEP: After completing the questions on this tab, please proceed to the tab labeled Technology (Step 2b).

References: HIPAA Security RuleOCR Security Rule Guidance: http://www.hhs.gov/ocr/privacyCOBIT Framework for IT Governance and Control, version 4.1 NIST Special Publication 800-66ISO/IEC 17799 (2005) Part 1 Payment Card Industry, Data Security Standards PCI DSS v1.1

20 of 59

Partially Effective

Purpose: This tab is designed to determine a risk rating for an organization's (people and process) assets, which store, transmit, or process EPHI. The Threats and Vulnerabilities offered is a sample of possibilities which may be expanded upon. These assets help to identify the scope of what needs to be assessed. This tab addresses the Risk Assessment Steps 1 through 8 of NIST Special Publications 800-66 and 800-30. Steps for Using the People and Processes Tab (Step 2a): NOTE: All Columns must be filled in completely.

1. Asset Management Category - This list has already been pre-populated to assist the respondent and requires no action. This cell contains the typical asset or business process which corresponds with the Threat-Vulnerability Statement in the next cell.


3. Recommended Control Measures - This column requires no action by the respondent. This is a recommended action which is provided for respondents to consider in developing their information security posture.

4. Existing Control - This column is pre-populated from the response in the People/Processes column of the Screening Questions (Step 1) tab and requires no action by the respondent.




7. Likelihood - As with the Impact Rating, this is a judgment by the respondent as to how likely an 'Undesirable Event', such as power outage or fire, are to occur to the medical practice. Please select from the appropriate corresponding choice of Low, Medium or High for each asset. Very Likely would be defined as having a probable chance of occurrence. Likely would be defined as having a significant chance of occurrence. Not Likely would be defined as modest or insignificant chance of occurrence. 8. Impact - In the event that an 'Undesirable Event' such as a power outage or a fire occurs, what is the level of impact to the practice? The response is a completely subjective judgment by the practitioner as to what the impact of an occurrence of the threat would have upon the medical practice. Please select from the appropriate corresponding choice of High, Medium, or Low for each asset. High would be defined as having a catastrophic impact on the medical practice; the medical practice is incapable of offering medical treatments or services and a significant number of medical records have been lost or compromised. Medium would be defined as having a significant impact on the medical practice; the medical practice may offer a reduced array of treatment services to patients. A moderate number of medical records within the practice have been lost or compromised. Low would be defined as having a modest or insignificant impact on the medical practice; the medical practice can continue to offer treatment to patients and some medical records may be lost or compromised.

NOTE: A loss or compromise of 500 medical records or more may qualify as a breach that requires the practice to notify the US Department of Health and Human Services Office for Civil Rights within a defined time frame.

9. Risk Rating - This column requires no action by the respondent. The column automatically calculates the risk rating to the medical practice based upon the inputs from the 'Impact Rating' and 'Likelihood of Occurrence' columns. NEXT STEP: After completing the questions on this tab, please proceed to the tab labeled Technology (Step 2b).


21 of 59

Perform Control Analysis Exposure Assess Risk

Recommended Control Measures Existing Control Likelihood Impact

Security Program 0

Likely High Medium

Asset Management Category

Threat-Vulnerability Statement

Existing Control

EffectivenessExposure Potential

Risk Rating


All information security responsibilities are clearly documented . This is to ensure timely, safe and effective handling of all situations, administration user accounts- including additions, deletions, and modifications. [RCM001] - Ensure responsibilities are formalized within the employee(s) job descriptions as well as within relevant IS policies.

Partially Effective

22 of 59


Recommended Control Measures Existing Control Likelihood ImpactAsset Management Category


Existing Control


Risk Rating

Security Program 0

Effective Not Likely High Low


Agreements with third parties, such as IT vendors, which involve accessing, processing, communicating with or managing the organization's information or information processing facilities, or adding products or services to information processing facilities cover all relevant security requirements.Contracts between business associates and covered entities address administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of information. [RCM002] - Verify and ensure Business Associate agreements are in place with all third parties that use or disclose PHI. This includes those that even have access to PHI like IT service providers and EHR vendors.

23 of 59




Existing Control


Risk Rating

Security Policy 0

Likely High Medium


An information security policy is approved by management in accordance with business requirements and all relevant laws and regulations. [RCM003]

Partially Effective

24 of 59




Existing Control


Risk Rating

Likely High Medium

Risk Management & Compliance


Risk assessments are conducted to identify, quantify, prioritize and manage risks. The prioritization is accomplished by creating and using criteria for risk acceptance and objectives which are important to the organization. [RCM004] - Ensure this risk assessment is accurate with all information that has been filled out as well as the risk ratings (likelihood and impact) that have also been completed based on the information provided. - After verifying the accuracy of information, the Medium and High risk items from the Findings-Remediation tab should be addressed by making the necessary business decisions on whether to mitigate, transfer, or accept the risks. It is recommended to mitigate risks that are easy to address. - It is important to continue the risk assessment process by assessing additional risks to your facility, systems, and all other assets to ensure a thorough and up-to-date risk assessment is conducted.


Partially Effective

25 of 59




Existing Control


Risk Rating



Legislative, statutory, regulatory or contractual obligations related to security are violated due to lack of controls. [TVS005]

Controls, which are applicable to each situation, have been applied to avoid violations of any legal obligations (e.g. statutory, regulatory, or contractual), and of any security requirements. Access controls could be door locks or computer passwords, while other controls could be firewalls and anti-virus software. [RCM005] - It is recommended to continue follow any legal obligations by signing up with regular email newsletters, i.e. Healthcare IT, HIPAA Weekly Advisory, HIMSS, etc. - Various Webinars and conferences are also great resources.

- Working with the REC helps to identify new laws and regulations due to the training and guidance with the REC team - State breach guidance also available through the REC within the privacy and security toolkit

26 of 59




Existing Control


Risk Rating

Training & Awareness

High


A training curriculum for employees has been established to educate and train users for correct and secure use of applications and technology solutions. [RCM006] - Training could include new employee orientation for all new personnel and contractors as well as weekly or monthly email security reminders. - Security reminders could also be posted in public areas (kitchen, hallways, etc.) to help train employees.

- No formal information security training but periodic HIPAA training (random). - No one dedicated to the role of training. - No IT orientation

27 of 59




Existing Control


Risk Rating

Personnel Security


Personnel Security

High

Background verification checks are not carried out and management is not aware of academic, professional, credit or criminal backgrounds of employees. [TVS007]

Background verification checks on all candidates for employment, contractors and third party computer system users are carried out in accordance with relevant laws, regulations and ethics, and relevant to the business requirements, the classification of the information to be accessed, and the perceived risks. [RCM007] - Verifying credentials and even background verification checks may be beneficial to your facility. - In addition to any verification checks performed for potential employees, it is also important to ensure that some, or all, of these checks are performed for contractors and third parties.

- References are verified - Credential verification is also performed - No criminal background checks are performed at this time


As part of their terms of employment or contractual agreements, employees, contractors and third party users agree and sign the terms and conditions of their employment contract, which should state their responsibilities and the organizations responsibilities for information security. [RCM008]

- Non disclosure Agreements required prior to employment

28 of 59




Existing Control


Risk Rating

Personnel Security

High


Procedures are in place to ensure the properly managed exit from the organization of employees, contractors or third parties and that all equipment is returned and the removal of all access rights are completed. [RCM009]

- No known procedures in place for terminations or changes of responsibilities. - Disabling of access within the EHR as well as retrieval of keys and equipment is performed.

29 of 59




Existing Control


Risk Rating

Physical Security

High


A facility security plan is implemented, which protects the facility with appropriate entry/exit controls to ensure that only authorized personnel are allowed access, removal of equipment from the facility is restricted to authorized individuals, and repair/modification of physical components of the facility are documented and monitored. Workstations are protected from removal by unauthorized individuals. A contingency plan is implemented for permitting and enabling physical access to alternate authorized individuals (e.g. in the event primary authorized individuals are sick or not available). [RCM010] - A facility security plan should be implemented which outline how personnel and patients are authorized access to all or parts of the facility. - The control of physical components (equipment) should also be part of a facility security plan. - It's a good practice to ensure that all visitors are escorted at all times.

- No facility security plan is currently in place at the practice - Fire escape plans are posted throughout the building - Alarm system is currently in place and monitored 24/7

- Front DeskWaiting room securely separated?All patients must sign in?All visitors must sign in?All visitors & patients escorted?Sign-in sheet secured and maintained?

30 of 59




Existing Control


Risk Rating

Network Security

High

Network Security

High


If possible sensitive systems have a dedicated, and isolated, computing environment. [RCM011] - A complete network diagram that outlines the boundaries of the network is recommended to help gain an overview of the computing environment(s) being protected.

- No network diagram or details regarding the configurations being used are currently available.


Information involved in electronic messaging is appropriately protected. [RCM012] - The protection of electronic messaging should be outlines within the Information Security Policy - The Information Security Policy template provided by the REC could help outline the protection of electronic messaging as it relates to the facility; even if the policy prohibits the use of electronic messaging of sensitive information. Refer to section IS-1.14. - Any texting of PHI should include a policy and procedures surrounding this process and the safeguards being utilized.

- No policies or procedures around the protection of electronic messaging. - No PHI is electronically sent via email or other electronic means except through fax.

31 of 59




Existing Control


Risk Rating

Network Security

Not Effective Very LIkely High High

Network Security 0

High


Timely information about technical vulnerabilities of information systems being used is obtained, the organization's exposure to the vulnerabilities is evaluated and appropriate measures are taken to address the associated risk. [RCM013] - Vulnerability testing should be performed regularly to obtain information bout technical vulnerabilities to the systems. - A policy and procedure surrounding this process should be in place and should include the steps taken, where necessary, once vulnerabilities are found.



A formal process is in place to control all external third party network connections. [RCM014] - A process should be put in place to ensure all external third party connections are made, including those of the EHR vendor. - The process could include the automated or manual review (regular intervals) of VPN logs, EHR logs, server logs, etc.

32 of 59




Existing Control


Risk Rating

Logical Access

High

Logical Access

High


Formal procedures should be in place to control the allocation of access rights to information systems and services. [RCM015] - Your policy shloud also outline the formalized password policy required for unique user ID's.

- Access rights to the EHR are allocated based on the employees role within the facility but no procedures are in place.


All users are assigned a unique identifier (user ID) for their business use. This unique ID shall be used exclusively on computing systems within the medical practice which process EPHI, and a suitable authentication technique is chosen to validate the identity of a user. [RCM016] - Unique user ID's should extend beyond the EHR and include other systems, i.e. workstations and servers.

- No policy or procedure around the use of unique user ID's

33 of 59




Existing Control


Risk Rating

Logical Access

High


Management reviews and makes the appropriate corrections to the access right(s) of individual users at regular intervals using a formal process¹. [RCM017] - User accounts should be regularly reviewed to ensure that terminated employees or contractors that no longer work on the systems do not have access. - A process should be in place that outlines the regular review of user accounts within all systems, how often, and what actions to perform if discrepancies are found.

- User accounts are not currently reviewed on a regular basis

34 of 59




Existing Control


Risk Rating

Operations Management

High


Policies and procedures are implemented that address the prevention, detection and removal of malicious code in the computer operating environment. This would cover all computers or devices, such as printers and thumb drives, which connect to computers. [RCM018] - Procedures regarding the administration, whether centrally or locally managed, should also be in place and include what actions to take whenever any detections occur

- No current policies and procedures surrounding the use and updating of antivirus software

35 of 59




Existing Control


Risk Rating

Operations Management 0

High


Policies and procedures for information system monitoring have been established and implemented. This is done to institute consistency and standards in computer activity logging, computer activity monitoring and reporting of any system events. [RCM019] - A process should be put in place to ensure that all systems are actively monitored. The systems include the EHR, servers, networking devices (firewall, switches, and routers), etc.. - The process could include the automated or manual review (regular intervals) of VPN logs, EHR logs, server logs, etc.

36 of 59




Existing Control


Risk Rating


High

Operations Management 0

High


Operating procedures are established to protect documents, computer media (e.g., tapes, disks), input/output data and system documentation. This is done to protect sensitive information from unauthorized disclosure, modification, removal, and destruction. [RCM020] - Handling of media should include expectations of employees, use of encryption, wiping and destruction, storage, etc.

- No procedures in place surrounding the handling of media.

Unauthorized parties access data from discarded media. [TVS021]

Equipment containing storage media (e.g. fixed hard disks, CD-ROMs, thumb drives) is checked to ensure that any sensitive data and licensed software has been removed or overwritten prior to disposal. [RCM021] - Destruction policy should be in place surrounding the disposal and reuse methods accepted within the facility for all equipment containing storage media.

37 of 59




Existing Control


Risk Rating


High


High


Development, test, and operational facilities are separated from one another. This is done to reduce the risks of unauthorized access or unauthorized changes to the computer operational system or to any software applications running upon the operating system. [RCM022]

- Testing that relates to the EHR occurs though the EHR vendor and not performed internally.

The integrity of a business process is compromised due to the lack of segregation of duties (e.g., maker & checker). [TVS023]

Employee duties and employees 'areas of responsibility' are separated; this is to reduce potential opportunities for unauthorized or unintentional modification or misuse of the organization's computing systems or assets. [RCM023] - Appropriate and detailed job descriptions can also help outline the areas of responsibility between employees.

- Job duties are separated within the EHR based on their job roles but not formally outlined within any policy or procedure.

38 of 59




Existing Control


Risk Rating


High


Formal 'change policies and procedures' have been established to manage the implementation of changes to assure the adherence to standards and security practices. [RCM024] - Change management policies and procedures should be in place to help address the changes that occur to any system, including the EHR, server, workstations, routers, switches, etc. - Change management procedures could include how changes are known, reviewed, tested, approved, and verified.

- No formal change management procedures currently in place. - The existing process for EHR updating involves being contacted by the vendor and then scheduling a time for installation.

39 of 59




Existing Control


Risk Rating

Incident Management

High


A consistent approach to managing information security incidents, consistent with applicable law, is in place to handle information security events and weaknesses once they are reported. Activities such as incident reporting, organizational response, relocation of operations, evidence collection and system recovery are all components of incident response. [RCM025] - An incident response plan should also be in place to address how incidents are to be responded to and outlines the escalation steps necessary.- Your policy should contain the following items: Security Incident Report Security Incident Investigation form Security Incident Log Security Breach Assessment Tool

- Incidents are reported but not consistent in the approach and no formalized incident response plan is currently in place.

40 of 59




Existing Control


Risk Rating

High

Category New Threat 1 (TVS027) Recommended Control Measures Category New Threat 2 (TVS028) Recommended Control Measures Category New Threat 3 (TVS029) Recommended Control Measures Category New Threat 4 (TVS030) Recommended Control Measures Category New Threat 5 (TVS031) Recommended Control Measures

Business Continuity Management


Backup and Recovery plans are documented, distributed through the organization and easily obtained by office personnel in the event that an event occurs. The DR Plan must identify the required actions to undertake following interruption to, or failure of, critical IT systems. [RCM026] - A complete disaster recovery plan and/or documented emergency operations plan should be in place in the event that there's an interruption or failure of critical IT systems. The plan should also include the specific actions employee roles/jobs are to take in the event of a disaster. - The use of backups, rotation type, encryption, and offsite storage should all be documented appropriately.

- No Disaster Recovery Plan or Emergency Operations Plan currently in place at the facility

41 of 59

Technology (Step 2b) Purpose: This tab is designed to develop a list of Assets that store, transmit, or process EPHI. The Threats and Vulnerabilities offered is a sample of possibilities which may be expanded upon. These Business Assets help to identify the scope of what needs to be assessed. This tab addresses the Risk Assessment Steps 1 through 8 of NIST special Publications 800-66 and 800-30. Steps for Using the Technology Tab (Step 2b): NOTE: All Columns must be filled in completely.

1. Asset Management Category - This list has already been pre-populated to assist the respondent and requires no action. This cell contains the typical technology process which corresponds with the Threat-Vulnerability Statement in the next cell.


3. Recommended Control Measures - This column requires no action by the respondent. This is a recommended action which is provided for respondents to consider in developing their Information Security posture.

4. Existing Control - This column is pre-populated from the response in the Technology column of the Screening Questions (Step 1) tab and requires no action by the respondent.




7. Likelihood - As with the Impact Rating, this a subjective judgment by the respondent as to how likely an 'Undesirable Event', such as power outage or fire, are to occur to the medical practice. Please select from the appropriate corresponding choice of Low, Medium or High for each Business Asset. Very Likely would be defined as having a probable chance of occurrence. Likely would be defined as having a significant chance of occurrence. Not Likely would be defined as modest or insignificant chance of occurrence.

8. Impact - In the event that an 'Undesirable Event ' such as a power outage or a fire occurs, what is the level of impact to the practice? The response is a completely subjective judgment by the practitioner as to what the impact of an occurrence of the threat would have upon the medical practice. Please select from the appropriate corresponding choice of High, Medium or Low for each Business Asset. High would be defined as having a catastrophic impact on the medical practice; the medical practice is incapable of offering medical treatments or services and a significant number of medical records have been lost or compromised. Medium would be defined as having a significant impact; the medical practice may offer a reduced array of treatment services to patients. A moderate number of medical records within the practice have been lost or compromised. Low would be defined as a modest or insignificant impact; the medical practice can continue to offer treatment to patients and some medical records may be lost or compromised. NOTE: A loss or compromise of 500 medical records or more may qualify as a breach that requires the practice to notify the US Department of Health and Human Services Office for Civil Rights within a defined time frame.

9. Risk Rating - This column requires no action by the respondent. The column is automatically calculates the risk rating to the medical practice based upon the inputs from the 'Impact Rating' and 'Likelihood of Occurrence' columns. NEXT STEP: After completing the questions on this tab, please proceed to the tab marked Findings-Remediation (Step 3).


42 of 59

Purpose: This tab is designed to develop a list of Assets that store, transmit, or process EPHI. The Threats and Vulnerabilities offered is a sample of possibilities which may be expanded upon. These Business Assets help to identify the scope of what needs to be assessed. This tab addresses the Risk Assessment Steps 1 through 8 of NIST special Publications 800-66 and 800-30. Steps for Using the Technology Tab (Step 2b): NOTE: All Columns must be filled in completely.












43 of 59


Recommended Control Measures Existing Control Likelihood Impact

Security Program 0


Likely High Medium


Asset Management

CategoryThreat-Vulnerability

StatementExisting Control


Risk Rating


Agreements with third parties, such as IT vendors, which involve accessing, processing, communicating with or managing the organization's information or information processing facilities, or adding products or services to information processing facilities cover all relevant security requirements.Contracts between business associates and covered entities address administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of information. [RCM002] - Controls should be in place to help monitor any access by third parties. This can include the regular review of VPN logs, EHR logs, server logs, etc. - Automated alerts when certain criteria is met within a system can greatly help monitor third party connections to internal systems.



Risk assessments are conducted to identify, quantify, prioritize and manage risks. The prioritization is accomplished by creating and using criteria for risk acceptance and objectives which are important to the organization. [RCM004] - It is important to expand upon this risk assessment by assessing the risk of each asset itself.


Partially Effective

Training & Awareness


A training curriculum for employees has been established to educate and train users for correct and secure use of applications and technology solutions. [RCM006] - Technology use for a training curriculum could include the use of regular email newsletters that include security reminders, an Intranet site, or a training service provided over the Internet.

- The use of technology regarding a training curriculum is not currently being utilized.













44 of 59


Recommended Control Measures Existing Control Likelihood ImpactAsset

Management Category


Existing Control


Risk Rating













Personnel Security


Personnel Security



As part of their terms of employment or contractual agreements, employees, contractors and third party users agree and sign the terms and conditions of their employment contract, which should state their responsibilities and the organizations responsibilities for information security. [RCM008] - Technology in this area is to prohibit employee or contractor access to systems until such Agreements are signed. For example, no Active Directory accounts, VPN access, or application access is created/activated prior to the Agreement of terms.

- Accounts are not created within the EHR until appropriate Agreements are signed


Procedures are in place to ensure the properly managed exit from the organization of employees, contractors or third parties and that all equipment is returned and the removal of all access rights are completed. [RCM009] - Accounts/access to all systems should be properly managed for employees and contractors. This includes local workstation access, server access, etc. in addition to the user accounts within the EHR.

- User accounts are disabled within the EHR

45 of 59



Management Category


Existing Control


Risk Rating













Physical Security


Network Security

Likely High Medium


A facility security plan is implemented, which protects the facility with appropriate entry/exit controls to ensure that only authorized personnel are allowed access, removal of equipment from the facility is restricted to authorized individuals, and repair/modification of physical components of the facility are documented and monitored. Workstations are protected from removal by unauthorized individuals. A contingency plan is implemented for permitting and enabling physical access to alternate authorized individuals (e.g. in the event primary authorized individuals are sick or not available). [RCM010] - The server room should be secured to ensure physical access is available for only authorized individuals. This can include all doors to the servers to be locked at all time and any windows secured/monitored. - Best practice to ensure proper temperature and humidity for both server and wiring rooms. - Wiring closets that contain switches, routers, and other networking equipment should also remain locked and accessible by only authorized individuals. - The use of cable locks can help prevent theft of mobile devices (laptops) and privacy screens can help prevent unauthorized viewing of computer screens/monitors






If possible sensitive systems have a dedicated, and isolated, computing environment. [RCM011] - Verify and ensure firewall capabilities exist between the public Internet and internal network beyond the basic port blocking and NATing functions of the Cisco router.


Partially Effective

46 of 59



Management Category


Existing Control


Risk Rating













Network Security 0


Network Security



Information involved in electronic messaging is appropriately protected. [RCM012] - The use of email encryption (via certificate authority or encryption software) can help protect information involved in electronic messaging - For any texting, or email-to-texting, of PHI, the use of encryption is important as well as: - Including only the minimum necessary information - Phones lock after inactivity - Phones (smartphone) encryption - Central management of the phones - Regular removing (retention) of all previous texts - Also, working with the phone company to determine their methods of retention of any texts being sent or is the phone company just a conduit without any capturing of plaintext messages being sent/received.


Timely information about technical vulnerabilities of information systems being used is obtained, the organization's exposure to the vulnerabilities is evaluated and appropriate measures are taken to address the associated risk. [RCM013] - Regular vulnerability testing can be performed using free or commercial scanning tools. The results provide information about technical vulnerabilities that may need to be addressed within the systems.Example tools include: Microsoft Baseline Security Analyzer, Nessus, and nmap. - Vulnerability assessments should include servers, workstations, switches, firewalls, routers, etc. to ensure all entry points within the systems are assessed for vulnerabilities.


47 of 59



Management Category


Existing Control


Risk Rating













Network Security 0


Logical Access



A formal process is in place to control all external third party network connections. [RCM014] - Reviewing of logs from the EHR, servers, networking systems, etc. should be reviewed on a regular basis whether automated or reviewed manually. - Network connections from third party could also be restricted to business hours or activated upon request to help control the connections.


Formal procedures should be in place to control the allocation of access rights to information systems and services. [RCM015] - It's good practice to limit access rights to local workstations by using Restricted User access rights for each authorized user to help control the installation of software as well as to help minimize the impact of malware - Passwords should be changed regularly, i.e. 30, 60, or 90 days - Minimum password length should be enforced, i.e. 8 characters long - Password complexity and history of previously used passwords should also be enforced, i.e. passwords to contain uppercase and lowercase letters and numbers as well as not being able to reuse the last x amount of passwords - Auto logoff should be enforced within the EHR to help prevent unauthorized access if the user walks away from the system, i.e. 15 minutes of inactivity - Auto screenlock should also be enforced on the workstations and servers to help prevent unauthorized access if the user walks away from the system, i.e. 15 minutes of inactivity - Remote connectivity should be accomplished through secure connections including, SSL/TLS, IPSec VPN tunnels, or other secure methods. The use of Remote Desktop external from the network through port forwarding can introduce various vulnerabilities.





48 of 59



Management Category


Existing Control


Risk Rating













Logical Access


Logical Access

Likely High Medium

0



All users are assigned a unique identifier (user ID) for their business use. This unique ID shall be used exclusively on computing systems within the medical practice which process EPHI, and a suitable authentication technique is chosen to validate the identity of a user. [RCM016] - Access to local workstations and other systems should also have unique user ID's and passwords in addition to the EHR itself



Management reviews and makes the appropriate corrections to the access right(s) of individual users at regular intervals using a formal process¹. [RCM017] - Reviewing of user accounts could be accomplished on a regular basis by comparing HR active employee lists to the lists within the EHR and other systems.


Partially Effective



Policies and procedures are implemented that address the prevention, detection and removal of malicious code in the computer operating environment. This would cover all computers or devices, such as printers and thumb drives, which connect to computers. [RCM018] - All workstations and servers should have protection from malicious software. This should include at least antivirus protection but could also include full security suites or Endpoint Security packages - Antivirus software should be updated at least daily and full scans ran on a regular basis

49 of 59



Management Category


Existing Control


Risk Rating













0





Policies and procedures for information system monitoring have been established and implemented. This is done to institute consistency and standards in computer activity logging, computer activity monitoring and reporting of any system events. [RCM019] - Reviewing of logs from the EHR, servers, networking systems, etc. should be reviewed on a regular basis whether automated or reviewed manually. - Network connections from third party could also be restricted to business hours or activated upon request to help control the connections.



Operating procedures are established to protect documents, computer media (e.g., tapes, disks), input/output data and system documentation. This is done to protect sensitive information from unauthorized disclosure, modification, removal, and destruction. [RCM020] - The use of encryption that follows NIST 800-11 is recommended - Encryption of the EHR database should be considered as well as any file servers that contain ePHI - Utilizing full disk encryption on all desktops, laptops, USB drives, backup tapes, and/or other mobile devices can also help prevent unauthorized access to data if lost or stolen. - The use of encryption can help give "safe harbor" from breach notification the encrypted media becomes lost or stolen


50 of 59



Management Category


Existing Control


Risk Rating














Likely Medium Medium



Development, test, and operational facilities are separated from one another. This is done to reduce the risks of unauthorized access or unauthorized changes to the computer operational system or to any software applications running upon the operating system. [RCM022]

- No test systems - EHR vendor tests their updates and then notifies the Practice for installation into production



Formal 'change policies and procedures' have been established to manage the implementation of changes to assure the adherence to standards and security practices. [RCM024] - It is recommended to have all changes recorded and tracked. This is usually accomplished through a helpdesk ticket system or even through the use of a database or Excel spreadsheet in some cases. Appendix G of the information security policy template provided by the REC contains a Change Management Tracking Log that can help in this area.



Partially Effective

51 of 59



Management Category


Existing Control


Risk Rating













Likely Medium Medium

Likely High Medium

Category New Threat 1 (TVS027) Recommended Control Measures

Incident Management


A consistent approach to managing information security incidents, consistent with applicable law, is in place to handle information security events and weaknesses once they are reported. Activities such as incident reporting, organizational response, relocation of operations, evidence collection and system recovery are all components of incident response. [RCM025] - An incident response plan should include how evidence is collected, whether performed internally or from a third party. - The ability to track and report on incidents is recommended - Incident response plans should be tested regularly (i.e. annually). - The Information Security Policy template provided by the REC contains a Security Incident Log in Appendix E that can help in this area.


Partially Effective

Business Continuity Management


Backup and Recovery plans are documented, distributed through the organization and easily obtained by office personnel in the event that an event occurs. The DR Plan must identify the required actions to undertake following interruption to, or failure of, critical IT systems. [RCM026] - Backups should be tested regularly and is a good practice to document each test - A Disaster Recovery Plan (DRP) should also be tested regularly (i.e. annually). - It is recommended that all backups be encrypted utilizing NIST 800-111 for guidance - Full backups should be taken offsite at least once a week and stored at a secure location


Partially Effective

52 of 59



Management Category


Existing Control


Risk Rating













Category New Threat 2 (TVS028) Recommended Control Measures Category New Threat 3 (TVS029) Recommended Control Measures Category New Threat 4 (TVS030) Recommended Control Measures Category New Threat 5 (TVS031) Recommended Control Measures

53 of 59

Findings-Remediation (Step 3)

Number of High Risks 9

Number of Medium Risks 9

18

High and Medium Risks Findings and Remediation

Risk Rating Recommended Control Measures Owner Remediation Steps Target Date

People and Processes

Total Number of High and Medium Risks

Risks Found (High and Medium Only)

Existing Control Measures Applied

Purpose: This tab is the final stage of the data collection process. It is designed to highlight the HIGH and MEDIUM risk ratings that were determined in Steps 2a and 2b., and to provide recommendations for safeguards. The information generated in this tab can be used to obtain further guidance from your Regional Extension Center (REC).

Steps for Using the Findings-Remediation Tab (Step 3): NOTE: All columns with the exception of the 'Additional Steps' column, are automatically populated based upon user input proivided in the preceding tabs (Steps 1, 2a and 2b). Please allow a few moments for this tab to populate with the data from the previous tabs.

Risk Found - This column requires no action by the respondent and will self-populate from risks identified as being either MEDIUM or HIGH in the Risk Rating column from the previous Steps 2a and 2b tabs. If the risk is deemed LOW, then this is insignificant need not be considered further in the overall Risk Matrix.

Risk Rating - This column requires no action by the respondent and will self-populate from risks identified as being either MEDIUM or HIGH in the Risk Rating column from the previous Steps 2a and 2b tabs. Risk Rating would be the rating the accompanying the Asset or Application. Only the Asset or Application in Steps 2a and 2b tabs as Medium or High are to be displayed and rated on this chart.

Existing Control Measures Applied - This column requires no action by the respondent and will self-populate from the Existing Control Measures are listed in the previous Step 2 (both Step 2a and 2b from the previous tabs). This is what corrective actions practitioner is taking, if any corrective actions are taken, to mitigate and reduce the threat or vulnerability. Control Measures can be an Alarm System, Sprinkler System or Computer Access restrictions and will be listed again in this space.

Recommended Control Measures - This column contains the Recommended Control Measures which self-populated in Steps 2a and 2b on the previous tabs. This column requires no action by the respondent and will self-populate.

Owner: The person that is assigned responsibility for determining how to address the risk.

Remediation Steps: The response is a judgment by the practitioner as to what supplemental measures may be taken, within the current availability of resources, to achieve a sound state of security and to ensure the continuation of operations. There is no right or wrong answer. This is an opportunity for the respondent to consider and document any additional measures they wish to take to address and reduce the risk.

Target Date: The date by which mediation of the risk should be complete.

NEXT STEP (OPTIONAL): The final step in this risk assessment process is to talk to your REC for clarification and additional information.

54 of 59

Risk Rating Recommended Control Measures Owner Remediation Steps Target DateRisks Found (High and Medium Only)


Medium

0

Medium

0

Medium

High

Technology


All information security responsibilities are clearly documented . This is to ensure timely, safe and effective handling of all situations, administration user accounts- including additions, deletions, and modifications. [RCM001] - Ensure responsibilities are formalized within the employee(s) job descriptions as well as within relevant IS policies.


An information security policy is approved by management in accordance with business requirements and all relevant laws and regulations. [RCM003]



Risk assessments are conducted to identify, quantify, prioritize and manage risks. The prioritization is accomplished by creating and using criteria for risk acceptance and objectives which are important to the organization. [RCM004] - Ensure this risk assessment is accurate with all information that has been filled out as well as the risk ratings (likelihood and impact) that have also been completed based on the information provided. - After verifying the accuracy of information, the Medium and High risk items from the Findings-Remediation tab should be addressed by making the necessary business decisions on whether to mitigate, transfer, or accept the risks. It is recommended to mitigate risks that are easy to address. - It is important to continue the risk assessment process by assessing additional risks to your facility, systems, and all other assets to ensure a thorough and up-to-date risk assessment is conducted.



Timely information about technical vulnerabilities of information systems being used is obtained, the organization's exposure to the vulnerabilities is evaluated and appropriate measures are taken to address the associated risk. [RCM013] - Vulnerability testing should be performed regularly to obtain information bout technical vulnerabilities to the systems. - A policy and procedure surrounding this process should be in place and should include the steps taken, where necessary, once vulnerabilities are found.

55 of 59



High

0

Medium


Agreements with third parties, such as IT vendors, which involve accessing, processing, communicating with or managing the organization's information or information processing facilities, or adding products or services to information processing facilities cover all relevant security requirements.Contracts between business associates and covered entities address administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of information. [RCM002] - Controls should be in place to help monitor any access by third parties. This can include the regular review of VPN logs, EHR logs, server logs, etc. - Automated alerts when certain criteria is met within a system can greatly help monitor third party connections to internal systems.



Risk assessments are conducted to identify, quantify, prioritize and manage risks. The prioritization is accomplished by creating and using criteria for risk acceptance and objectives which are important to the organization. [RCM004] - It is important to expand upon this risk assessment by assessing the risk of each asset itself.

56 of 59



High

Medium






A facility security plan is implemented, which protects the facility with appropriate entry/exit controls to ensure that only authorized personnel are allowed access, removal of equipment from the facility is restricted to authorized individuals, and repair/modification of physical components of the facility are documented and monitored. Workstations are protected from removal by unauthorized individuals. A contingency plan is implemented for permitting and enabling physical access to alternate authorized individuals (e.g. in the event primary authorized individuals are sick or not available). [RCM010] - The server room should be secured to ensure physical access is available for only authorized individuals. This can include all doors to the servers to be locked at all time and any windows secured/monitored. - Best practice to ensure proper temperature and humidity for both server and wiring rooms. - Wiring closets that contain switches, routers, and other networking equipment should also remain locked and accessible by only authorized individuals. - The use of cable locks can help prevent theft of mobile devices (laptops) and privacy screens can help prevent unauthorized viewing of computer screens/monitors



If possible sensitive systems have a dedicated, and isolated, computing environment. [RCM011] - Verify and ensure firewall capabilities exist between the public Internet and internal network beyond the basic port blocking and NATing functions of the Cisco router.

57 of 59



High

High

0

High



Timely information about technical vulnerabilities of information systems being used is obtained, the organization's exposure to the vulnerabilities is evaluated and appropriate measures are taken to address the associated risk. [RCM013] - Regular vulnerability testing can be performed using free or commercial scanning tools. The results provide information about technical vulnerabilities that may need to be addressed within the systems.Example tools include: Microsoft Baseline Security Analyzer, Nessus, and nmap. - Vulnerability assessments should include servers, workstations, switches, firewalls, routers, etc. to ensure all entry points within the systems are assessed for vulnerabilities.


A formal process is in place to control all external third party network connections. [RCM014] - Reviewing of logs from the EHR, servers, networking systems, etc. should be reviewed on a regular basis whether automated or reviewed manually. - Network connections from third party could also be restricted to business hours or activated upon request to help control the connections.






Formal procedures should be in place to control the allocation of access rights to information systems and services. [RCM015] - It's good practice to limit access rights to local workstations by using Restricted User access rights for each authorized user to help control the installation of software as well as to help minimize the impact of malware - Passwords should be changed regularly, i.e. 30, 60, or 90 days - Minimum password length should be enforced, i.e. 8 characters long - Password complexity and history of previously used passwords should also be enforced, i.e. passwords to contain uppercase and lowercase letters and numbers as well as not being able to reuse the last x amount of passwords - Auto logoff should be enforced within the EHR to help prevent unauthorized access if the user walks away from the system, i.e. 15 minutes of inactivity - Auto screenlock should also be enforced on the workstations and servers to help prevent unauthorized access if the user walks away from the system, i.e. 15 minutes of inactivity - Remote connectivity should be accomplished through secure connections including, SSL/TLS, IPSec VPN tunnels, or other secure methods. The use of Remote Desktop external from the network through port forwarding can introduce various vulnerabilities.

58 of 59



High

Medium

High

0

High



All users are assigned a unique identifier (user ID) for their business use. This unique ID shall be used exclusively on computing systems within the medical practice which process EPHI, and a suitable authentication technique is chosen to validate the identity of a user. [RCM016] - Access to local workstations and other systems should also have unique user ID's and passwords in addition to the EHR itself



Management reviews and makes the appropriate corrections to the access right(s) of individual users at regular intervals using a formal process¹. [RCM017] - Reviewing of user accounts could be accomplished on a regular basis by comparing HR active employee lists to the lists within the EHR and other systems.


Policies and procedures for information system monitoring have been established and implemented. This is done to institute consistency and standards in computer activity logging, computer activity monitoring and reporting of any system events. [RCM019] - Reviewing of logs from the EHR, servers, networking systems, etc. should be reviewed on a regular basis whether automated or reviewed manually. - Network connections from third party could also be restricted to business hours or activated upon request to help control the connections.



Operating procedures are established to protect documents, computer media (e.g., tapes, disks), input/output data and system documentation. This is done to protect sensitive information from unauthorized disclosure, modification, removal, and destruction. [RCM020] - The use of encryption that follows NIST 800-11 is recommended - Encryption of the EHR database should be considered as well as any file servers that contain ePHI - Utilizing full disk encryption on all desktops, laptops, USB drives, backup tapes, and/or other mobile devices can also help prevent unauthorized access to data if lost or stolen. - The use of encryption can help give "safe harbor" from breach notification the encrypted media becomes lost or stolen

59 of 59



Medium

Medium

Medium




Formal 'change policies and procedures' have been established to manage the implementation of changes to assure the adherence to standards and security practices. [RCM024] - It is recommended to have all changes recorded and tracked. This is usually accomplished through a helpdesk ticket system or even through the use of a database or Excel spreadsheet in some cases. Appendix G of the information security policy template provided by the REC contains a Change Management Tracking Log that can help in this area.



A consistent approach to managing information security incidents, consistent with applicable law, is in place to handle information security events and weaknesses once they are reported. Activities such as incident reporting, organizational response, relocation of operations, evidence collection and system recovery are all components of incident response. [RCM025] - An incident response plan should include how evidence is collected, whether performed internally or from a third party. - The ability to track and report on incidents is recommended - Incident response plans should be tested regularly (i.e. annually). - The Information Security Policy template provided by the REC contains a Security Incident Log in Appendix E that can help in this area.



Backup and Recovery plans are documented, distributed through the organization and easily obtained by office personnel in the event that an event occurs. The DR Plan must identify the required actions to undertake following interruption to, or failure of, critical IT systems. [RCM026] - Backups should be tested regularly and is a good practice to document each test - A Disaster Recovery Plan (DRP) should also be tested regularly (i.e. annually). - It is recommended that all backups be encrypted utilizing NIST 800-111 for guidance - Full backups should be taken offsite at least once a week and stored at a secure location

security risk asssessment questionnaire - home | … - … · xls file · web view ·...

Documents