Upload
educause
View
217
Download
0
Embed Size (px)
Citation preview
8/22/2019 Building a Health Information Infrastructure to Support HIPAA (157522956)
http://slidepdf.com/reader/full/building-a-health-information-infrastructure-to-support-hipaa-157522956 1/20
Contents
Worksheet name What is covered
Contents This sheet.
Overview * The model of a unit of the HCC.
* What are: technical assets, physical sites, and administrative subunits.
* How to identify a HCC unit's physical sites and administrative subunits.
Process * The process of filling out the HIPAA Risk Assessment Inventory.
* The suggested grading scale.
* Desciptive narrative.
* Some criteria for prioritizing risks.
* Delivery instructions.
Instructions * A description of the four sheets which form the actual Risk Assessment Inventory.
* Descriptions of the fields found on each of those four sheets.
* How to score risks on each sheet, which are mitigated by different types of Safeguards.
Worksheet name What is covered
I. HCC Unit Names of the HCC Unit, Physical Site(s) and Admin Subunit(s)
II. Tech Assets Inventory of technical assets, and assessment of risks mitigated by applicable:
Administrative, Physical and Technical Safeguards.
III. Phys Site(s) Inventory of physical sites, and assessment of risks mitigated by applicable:
Physical Safeguards and Technical Safeguards.
IV. Admin Subunit(s) Inventory of administrative subunits, and assessment of risks mitigated by applicable:
Administrative Safeguards
Worksheet name What is covered
HIPAA Security Regs * Administrative, Physical and Technical Safeguards,
with language taken directly from the regulation itself.
* Suggested grading scales for the required Safeguards.
* Summary of the process for addressing the "addressable" safeguards.
Contents of the HIPAA Risk Assessment Inventory Workbook
Explanations
The workbook is divided into three parts:
This workbook contains the HIPAA Risk Assessment Inventory instrument for use by the units of the Health Care Component (HCC) at the
University of Wisconsin - Madison. It was designed by the Risk Assessment Subcommittee of the UW-Madison HIPAA Security Committee.
Before learning about the details of the Risk Assessment Inventory, you may find it helpful to read the summary of language from the HIPAA Security
Regulation, which is included in this workbook as the last sheet named 'HIPAA Security Reg'.
The Risk Assessment Inventory
The HIPAA Regulation, and possible grading scalesC.
B.
This risk assessment inventory is intended to assist the units of the HCC in meeting the risk assessment requirement of the HIPAA security regulation
(45 CFR Part 164.308(a)(1)(ii)(A)), and the risk assessment inventory and migration planning process specified in the UW-Madison policy (#8.4 III(A)(i)).
Completing this risk assessment inventory is not by itself sufficient to meet the requirements of either the regulation or the policy, but is an early step in
an ongoing process leading to compliance.
A.
Printed: 8/1/2013
Security Professionals Workshop -- HIPAA Risk Assessment Inventory
Copyright (c) 2003, 2004 University of Wisconsin Board of RegentsPage 1 of 20
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
8/22/2019 Building a Health Information Infrastructure to Support HIPAA (157522956)
http://slidepdf.com/reader/full/building-a-health-information-infrastructure-to-support-hipaa-157522956 2/20
Overview
UW-Madison HCC
The Unit of the HCC(has a Security Coordinator)
Other Units
of the HCC
Administrative
Subunits
Physical
Sites
Own and Operate Contain
* Technical assets. These include servers, workstations, network devices, peripherals, portables and applications. See the sheet named 'Instructions' for a more
detailed description of each class of technical assets.
Overview of HIPAA Risk Assessment Inventory
Technical Assets
The HIPAA Risk Assessment Inventory includes three elements:
* Administrative Subunits. The unit of the HCC will consist of one or more administrative subunits that own and operate technical assets. A subunit could be a
distinct department, a sizable research group, a separate service organization, etc. Distinct subunits should have a significant degree of operational autonomy.
Subunits that share the same information technology, human resource, and administrative staff might be treated as one, because most of the relevant policies and
procedures are defined and implemented by those staff members.
* Physical Sites. The unit of the HCC will have one or more physical sites at which technical assets are located. Most technical assets are located at one such
physical site, but a few such as network devices and applications may be distributed among multiple sites. A physical site could be a building complex, a building
wing or floor, a number of rooms scattered around a building or complex, or in some cases an isolated room with distinct security requirements. Distinct sites will
typically be physically isolated from each other, and should have differing security issues. For example: scattered rooms in the same building may share many of
the same security issues and might be treated as a single physical site, while a server room in the same building might be treated as separate physical site because of
its unique security requirements.
Printed: 8/1/2013
Security Professionals Workshop -- HIPAA Risk Assessment Inventory
Copyright (c) 2003, 2004 University of Wisconsin Board of RegentsPage 2 of 20
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
8/22/2019 Building a Health Information Infrastructure to Support HIPAA (157522956)
http://slidepdf.com/reader/full/building-a-health-information-infrastructure-to-support-hipaa-157522956 3/20
Process
2
3
4
5
b. Physical Site(s)
Establish a team to Assess risks
When intervening to mitigate significant risks, not all D's and F's are equally important. Take into
account the cost of intervention and the business impact of loss of confidentiality, integrity, or
availability of data. Scores may be grouped whenever that seems appropriate. Add the prioritization to
the descriptive narrative.
Deliver to the Security Coordinator
See sheet 'III. Phys Site(s)'.
Suggestion: have IT, HR, and management representative(s).
Deliver the inventory and descriptive narrative your Security Coordinator by October 1st 2003 (or
other date as directed by the Security Coordinator.)
If you are the Security Coordinator, deliver a migration plan and the accompanying risk assessment
inventory to the Security Officer by October 14th.
Process
Score the risk associated with each applicable safeguard.
Write a descriptive narrative.
Prioritize significant risks (high to low) and add that to the
descriptive narrative.
See sheet 'I. HCC Unit'.
Score risk on a five point scale. For example: a scale of A, B, C, D, & F where A (excellent) is low
risk, and F is high risk, and . Risk associated with all applicable safeguards should be assessed, but
spend the most time and attention on the required safeguards. The 'HIPAA Security Regs' sheet in this
workbook includes a possible grading scale for each required safeguard.
The Risk Assessment Inventory is not by itself a complete risk assessment. A descriptive narrative
should accompany the inventory. The narrative should explain "why". Why were those physical sites
and those administrative subunits were selected. Why were various technical assets grouped together.
Why were particular scores given, especially when the score was a "A", "D" or "F". It is important to
explain cases where there is minimal risk as well as cases where there is significant risk. To shorten
the narrative, comments may be added to the cells of sheets II. through IV. When the inventory is
printed the comments will follow each sheet.
See sheet 'II. Tech Assets'.
Process for HIPAA Risk Assessment Survey
Conduct an inventory of the unit of the HCC
a. Technical Assets
1
c. Administrative Subunit(s) See sheet 'IV. Admin Subunit(s)'.
Printed: 8/1/2013
Security Professionals Workshop -- HIPAA Risk Assessment Inventory
Copyright (c) 2003, 2004 University of Wisconsin Board of RegentsPage 3 of 20
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
8/22/2019 Building a Health Information Infrastructure to Support HIPAA (157522956)
http://slidepdf.com/reader/full/building-a-health-information-infrastructure-to-support-hipaa-157522956 4/20
Instructions
Server A computer running the "server" side of client/server applications or services.
Often managed by an assigned system administrator who routinely gives attention to the system.
Network A computer or non-trivial specialized device forming or managing a network, such as a router, switch, wireless network hub or access point, or network monitor. Often managed
by one or more network administrators and/or technicians as a component of the entire network.
Workstation A single-user or shared computer running the "client" side of client/server applications or services; or
A computer attached to instrumentation for the purpose of data acquistion and control. Managed by a single user, administrator, or technician (i.e. "the owner") or managed en
mass by one or more workstation administrators and/or technicians.
Peripheral A printer, plotter, scanner, or other stand-alone I/O device, whether connected to the network or connected directly to a server, workstation, or portable. Managed by a single user
or administrator (i.e. "the owner") or enmass by the workstation administrators and/or technicians.Portable A laptop, PDA or portable computing device, and similarly portable peripherals. Managed by a single user (i.e. "the owner".) Presents unique security challenges because it can
leave the physically secure environment, or might be connected via a public or wireless network.
Application A software application, other than the operating system or embedded applications. It is not necessary to include in this category any applications that are embedded in a device
such as a peripheral, PDA, network router, etc., because such applications an integral part of the device.
Other Critical or Sensitive
Data?
Y/N: Does the technical asset or physical site either store or process critical or sensitive business data other than PHI?
Score the risk as: A B, C, D, & F, where A (excellent) is low risk and F is high risk. Depending upon Asset Category, n/a may be the appropriate value.
The risk factors correspond to specific provisions of the HIPAA security regulation. See the sheet named 'HIPAA Security Regs' for more detail on each provision.
There is some overlap of risk factors. On the sheet 'II. Tech Assets', each technical asset can be assessed as to the extent it is included in the
policies and procedures of selected Administrative or Physical Safeguards. On the sheet 'III. Phys Site(s)', a few Technical Safeguards are
applicable to technological systems used to enhance the physical security of the site. Of particular note: Physical security of a particular technical
asset is assessed on 'II. Tech Assets', but overall physical security of a physical site is assessed on the 'III. Phys Site(s)'.
Similarly, inclusion of a particular technical asset in the policy or procedure of an Administrative Safeguard is assessed on 'II. Tech Assets',
Asset Category
Use these categories. Within the
same category, it is OK to
group multiple assets together if
they are similar, for example:
all office productivity
workstations.
I/E: Is the technical asset Internal or External to the firewall(s) or the physical security permiter. Treat all portable devices as external
because they may leave the physical perimeter and/or might be connected beyond the firewalls. A firewall itself is external.
Operating system (with major version)Major subsystems that have significant security implications, (e.g. IIS or Apache for a webserver, etc., with major version.)
Make/model for peripherals, PDA's and other devices where the operating system and subsystems are integrated.
IP address (numeric or alphanumeric) or IP address pool, if applicable.
Example: Win2000 Server, IIS, www.dept.wisc.edu
Internal or External
to the Firewall?
Name of the asset, an inventory tag, or a descriptive tag, (e.g. server name, "Router #7", "Jane Doe's laptop", "3rd floor printer", etc.)Asset name should be unique among all assets of the HCC entity.
For technical assets ('II. Tech Assets'): the room and building, also the "site" at which it is located (if there are multiple "sites")
and the "subunits" of the which have personnel using or managing the asset ( if there are multiple "subunits".)
For portable assets, the location of the asset's owner. For applications, the location of the server(s). Otherwise whatever seems reasonable.
For physical sites ('III. Phys Site(s)'): the rooms and buildings or other description of what makes up the site.
For administrative subunits ('IV. Admin Subunit(s)'): the list of sites at which the subunit has personnel or equipment.
Description
Stores or Processes PHI? Y/N: Does the technical asset or physical site either store or process PHI?
An asset or site that does not store and process PHI may still create a threat to other assets which do have PHI.
The sheet named 'I. HCC Unit', is a summary of the physical sites and administrative subunits of the unit of the HCC. Enter the name of the HCC unit, and the names of the administrative subunits and physical sites. These are
carried forward on the other sheets for consistency.
The sheets numbered II., III. and IV. are for scoring the risk associated with each technical asset, physical site and administrative subunit respectively. A descriptive narrative should accompany the scores. To shorten the narrative,
comments can be added to the sheets, and when printed will follow each sheet.
There are four sheets in the template, numbered I. through IV.
Filling out sheets I. through IV.
Instructions for the HIPAA Risk Assessment Inventory
Estimate of Risk
(The Risk Factors)
The Fields (Columns) of Sheets II. through IV.
Asset
Location
Printed: 8/1/2013Security Professionals Workshop -- HIPAA Risk Assessment Inventory
Copyright (c) 2003, 2004 University of Wisconsin Board of RegentsPage 4 of 20
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
8/22/2019 Building a Health Information Infrastructure to Support HIPAA (157522956)
http://slidepdf.com/reader/full/building-a-health-information-infrastructure-to-support-hipaa-157522956 5/20
HCC Unit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
A B C
Updated: 2/9/05
Unit Name
Example Unit Name
Site Name
Example site name 1
Example site name 2
Example site name 3
Add more sites here
Unit Name
Example subunit name 1
Example subunit name 2
Add more subunits here
In determining what administrative subunits exist in the unit of the HCC,
consider the degree of autonomy of the subunit. The distribution of
information technology, human resource, and administrative staff is a
possible guide. Units sharing the same IT, HR, and administrative staff
may not be sufficiently autonomous to be considered separate units for
purposes of HIPAA compliance, because most provisions of the HIPAA
security rule have strong IT, HR, or administrative components.
Enter the name of the unit of the HCC, typically a
division or department name. This name will
appear on each inventory sheet.
Enter the names of each physical site at which the
unit of the HCC has personnel or equipment. These
become line items on the sheet named
'III. Phys Site(s)'.
Enter the names of each administrative subunit
within the unit of the HCC which has significantly
different administrative, personnel or technical
policies or policies and procedures. These become
line items on the sheet named
'IV. Admin Subunit(s)'.
Administrative Units of the HCC Entity
Unit of the HCC
Physical Sites of the Unit of the HCC
I. HIPAA Risk Assessment Inventory, The Unit of the HCCThis is the first of four worksheets, numbered I. through IV.
Fill in names below to populate those sheets.
In determining what physical sites exist in the unit of the HCC, consider
not only the degree of physical separation, but also the extent to which
their security needs differ. Scattered rooms in the same building may
have very similar security needs. Facilities in two or three different
buildings may also have similar needs. On the other hand, a single room
(such as a "server room") could have significantly different security
needs, even when located in the same building with other facilities.
Printed: 8/1/2013
Security Professionals Workshop -- HIPAA Risk Assessment Inventory
Copyright (c) 2003, 2004 University of Wisconsin Board of RegentsPage 5 of 20
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
8/22/2019 Building a Health Information Infrastructure to Support HIPAA (157522956)
http://slidepdf.com/reader/full/building-a-health-information-infrastructure-to-support-hipaa-157522956 6/20
Technical Assets
1
2
3
4
5
6
7
8
9
10
11
12
13
14
1516
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z AA AB AC AD AE AF AG AH AI AJ AK AL A
(6) (8) (b) (c) (b) (c
A u t h
o r i z a t i o n a n d / o r S u p e r v i s i o n ( A )
W o r k f o r c e C l e a r a n c e P r o c e d u r e ( A
)
T e r m
i n a t i o n P r o c e d u r e ( A )
I s o l a
t i n g t h e C l e a r i n g h o u s e F u n c t . ( R )
A c c e
s s A u t h o r i z a t i o n ( A )
A c c e
s s E s t a b l i s h m e n t & M o d . ( A )
M a l i
c i o u s S o f t w a r e ( A )
L o g i n M o n i t o r i n g ( A )
P a s s w o r d M a n a g e m e n t ( A )
I n c i d
e n t R e s p o n s e & R e p o r t i n g ( R )
D a t a
B a c k u p P l a n ( R )
D i s a s t e r R e c o v e r y P l a n ( R )
E m e r g e n c y M o d e O p e r a t i o n P l a n ( R )
T e s t i n g a n d R e v i s i o n P r o c e d u r e ( A )
A p p
a n d D a t a C r i t i c a l l i t y A n a l y s i s ( A )
P e r i o d i c E v a l u a t i o n ( R )
C o n t i n g e n c y O p e r a t i o n s ( A )
I n c l u
s i o n i n S e c u r i t y P l a n ( A )
A c c e
s s s C o n t r o l & V a l i d a t i o n ( A )
M a i n
t e n a n c e R e c o r d s ( A )
W o r k s t a t i o n U s e ( R )
W o r k s t a t i o n S e c u r i t y ( R )
M e d i a D i s p o s a l ( R )
M e d i a R e - u s e ( R )
M e d i a A c c o u n t a b i l i t y ( A )
D a t a
B a c k u p a n d S t o r a g e ( A )
U n i q
u i e U s e r I d e n t i f i e r ( R )
E m e r g e n c y A c c e s s P r o c e d u r e ( R )
A u t o
m a t i c L o g o f f ( A )
E n c y
r p t i o n ( S t o r e d D a t a ) ( A )
A u d i t C o n t r o l s ( R )
I n t e g r i t y ( S t o r e d D a t a ) ( A )
Examples: DeleteDefault Server Server n/a n/a n/a
Default Network Network n/a n/a n/a n/a n/a n/a n/a n/a n/a n
Default WS Workstation n/a
Default Peripheral Peripheral n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a
Default Portable Portable E n/a
Default Application Application n/a
Risk Factor Key
Risk Factor (A) D, F Failure -- High
Risk Factor (R) Excellent -- LoThose marked (R) must be filled out.
Descriptive Information
(a)
Phys 164.310
(a)
I n t e r n a l o r E x t e r n a l t o F i r e w a l l ? ( I
/ E )
(d)
Asset
Category (One of:
Server,
Network,
Workstation,
Peripheral,
Portable,
Application)
Location
(Rm, Bldg, also:
Phys Site
(if multiple), &
Admin Subunit(s)
(if multiple))
(7)
Description
(As Appropriate:
Make/Model,
Operating System,
Major Subsystem(s),
IP number or name)
S t o r
e s o r P r o c e s s e s P H I ? ( Y / N )
O t h e r c r i t i c a l o r s e n s i t i v e d a t a ? ( Y ? N )
A
Tech 164.312
Those marked (A) need to be filled out as time permits.
Intermediate RB, C
n/a Not Applicable
Estimate of Risk:A B, C, D, & F, where A is low risk and F is high Risk
Updated
Color Key Interpretation
Example Unit Name
II. HIPAA Technical Assets Risk Assessment
If desired when adding rows, copy formulas from an existing empy row in order to apply the default values.
Instructions
(3) (4) (5)
Admin 164.308(a)
Expand to multiple sheets as needed. Insert new rows between any two rows above.
Technical Asset
(Name or
other tag)
8/22/2019 Building a Health Information Infrastructure to Support HIPAA (157522956)
http://slidepdf.com/reader/full/building-a-health-information-infrastructure-to-support-hipaa-157522956 7/20
Physical Sites
1
2
3
4
5
6
7
89
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
A B C D E F G H I J K L M N O P Q R
Tech 164.312
(b) (c) (a) (b) (d)
C o n t i n g e n c y O p e r a t i o n s ( A )
F a c i l i t y S e c u r i t y P l a n ( A )
A c c e s s s C o n t r o l & V a l i d a t i o n ( A )
M a i n t e n a n c e R e c o r d s ( A )
W o r k s t a t i o n U s e ( R )
W o r k s t a t i o n S e c u r i t y ( R )
M e d i a D i s p o s a l ( R )
M e d i a R e - u s e ( R )
M e d i a A c c o u n t a b i l i t y ( A )
D a t a B a c k u p a n d S t o r a g e
( A )
E m e r g e n c y A c c e s s P r o c e d
u r e ( R )
A u d i t C o n t r o l s ( R )
P e r s o n o r E n t i t y A u t h e n t i c a t i o n ( R )
Example site name 1
Example site name 2Example site name 3
Add more sites here
Risk Factor Key
Poor or Nothing -- High Risk
n/a Not Applicable
Color Key Interpretation
A
Risk Factor (A)
Risk Factor (R)
Instructions
Excellent -- Low Risk
D, F
O t h e r c r i t i c a l o r s e n s t i v e d a t a ? ( Y ? N )
Physical Site
(Name)
2/9/2005
Estimate of Risk:A B, C, D, & F, where A is low risk and F is high risk.
Location
(Rm(s) / Bldg(s) or
other description)
Good or Moderate
Updated:
Admin Subunits
(Admin Subunits
with Personnel or
Equipment at the
Physical Site)
S t o r e s o r P r o c e s s e s P H I ? ( Y / N )
Physical 164.310
(a)
Those marked (R) must be filled out.
Those marked (A) need to be filled out as time permits.
B, C
III. HIPAA Physical Site Risk Assessment
Example Unit Name
Descriptive Information
(d)
Printed: 8/1/2013
Security Professionals Workshop -- HIPAA Risk Assessment Inventory
Copyright (c) 2003, 2004 University of Wisconsin Board of RegentsPage 7 of 20
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
8/22/2019 Building a Health Information Infrastructure to Support HIPAA (157522956)
http://slidepdf.com/reader/full/building-a-health-information-infrastructure-to-support-hipaa-157522956 8/20
Administrative Subunits
1
2
3
4
5
6
7
8
910
11
12
13
14
15
16
17
18
1920
21
A B C D E F G H I J K L M N O P Q R S T U V W X Y
(2) (6) (8)
R i s k A n a l y s i s ( R )
R i s k M a n a g e m e n t ( R )
S a n c t i o n P o l i c y ( R )
I n f o r m a t i o n S y s t e m A c t i v i t y R e v i e w ( R )
A s s i g n e d S e c u r i t y R e s p o
n s i b i l i t y ( R )
A u t h o r i z a t i o n a n d / o r S u
p e r v i s i o n ( A )
W o r k f o r c e C l e a r a n c e P r
o c e d u r e ( A )
T e r m i n a t i o n P r o c e d u r e ( A )
I s o l a t i n g t h e C l e a r i n g h o u s e F u n c t . ( R )
A c c e s s A u t h o r i z a t i o n ( A )
A c c e s s E s t a b l i s h m e n t &
M o d . ( A )
S e c u r i t y R e m i n d e r s ( A )
M a l i c i o u s S o f t w a r e ( A )
L o g i n M o n i t o r i n g ( A )
P a s s w o r d M a n a g e m e n t ( A )
I n c i d e n t R e s p o n s e & R e p o r t i n g ( R )
D a t a B a c k u p P l a n ( R )
D i s a s t e r R e c o v e r y P l a n ( R )
E m e r g e n c y M o d e O p e r a t i o n P l a n ( R )
T e s t i n g a n d R e v i s i o n P r o c e d u r e ( A )
A p p a n d D a t a C r i t i c a l l i t y A n a l y s i s ( A )
P e r i o d i c E v a l u a t i o n ( R )
B u s i n e s s A s s o c i a t e s ( R )
Example subunit name 1
Example subunit name 2
Add more subunits here
Risk Factor Key
Not Applicable
Instructions
Those marked (R) must be filled out.
Those marked (A) need to be filled out as time permits.
Interpretation
Excellent -- Low Risk
Good or Moderate
Poor or Nothing -- High Risk
IV. HIPAA Administrative Subunit Risk Assessment
Descriptive Information Estimate of Risk:A B, C, D, & F, where A is low risk and F is high risk.
2/9/2005Updated:Example Unit Name
Administrative
Subunit
(Name)
Location(s)
(Phys Site(s) at which
the Admin Subunit
has Personnel or
Equipment)
(4)
Risk Factor (A)
Risk Factor (R)
Color Key
n/a
B, C
D, F
A
(7)
(b)Admin 164.308(a)
(5)(1) (3)
Printed: 8/1/2013
Security Professionals Workshop -- HIPAA Risk Assessment Inventory
Copyright (c) 2003, 2004 University of Wisconsin Board of RegentsPage 8 of 20
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
8/22/2019 Building a Health Information Infrastructure to Support HIPAA (157522956)
http://slidepdf.com/reader/full/building-a-health-information-infrastructure-to-support-hipaa-157522956 9/20
HIPAA Security Regulation, and Some Possible Grading Scales for Risk
Standards Sec. Definition
Risk Analysis (R) Conduct an accurate and thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity, and availability of
electronic PHI held by the covered entity.
Risk Management (R) Implement security measures sufficient to reduce risks and
vulnerabilities to a reasonable and appropriate level to comply with Sec.
164.306(a).
Sanction Policy (R) Apply appropriate sanctions against workforce members who fail to
comply with the security policies and procedures of the covered entity.
Information
System Activity
Review
(R) Implement procedures to regularly review records of information system
activity, such as audit logs, access reports, and security incident tracking
reports.
Assigned Security Responsibility (R) Identify the security official who is responsible for the development and
implementation of the policies and procedures required by this subpart
for the entity.
Authorization
and/or
Supervision
(A) Implement procedures for the authorization and/or supervision of
workforce members who work with electronic protected health
information or in locations where it might be accessed.
Workforce
Clearance
Procedure
(A) Implement procedures to determine that the access of a workforce
member to electronic protected health information is appropriate.
Termination
Procedures
(A) Implement procedures for terminating access to electronic protected
health information when the employment of a workforce member ends
or as required by determinations made as specified in paragraph
(a)(3)(ii)(B) of this section.
Isolating Health
care
ClearinghouseFunction
(R) If a health care clearinghouse is part of a larger organization, the
clearinghouse must implement policies and procedures that protect the
electronic protected health information of the clearinghouse fromunauthorized access by the larger organization.
Access
Authorization
(A) Implement policies and procedures for granting access to electronic
protected health information, for example, through access to a
workstation, transaction, program, process, or other mechanism.
Access
Establishment
and Modification
(A) Implement policies and procedures that, based upon the entity's access
authorization policies, establish, document, review, and modify a user's
right of access to a workstation, transaction, program, or process.
Implementation
164.308
(a)(2)
Security Management Process
Implement policies and procedures to
prevent, detect, contain, and correct
security violations.
164.308
(a)(1)
Workforce Security
Implement policies and procedures to
ensure that all members of its workforce
have appropriate access to electronic PHI,
as provided under paragraph (a)(4) of thissection, and to prevent those workforce
members who do not have access under
paragraph (a)(4) of this section from
obtaining access to electronic PHI.
164.308
(a)(3)
Information Access Management
Implement procedures for terminating
access to electronic PHI when theemployment of a workforce member
ends or as required by determinations
made as specified in paragraph
(a)(3)(ii)(B) of this section.
Administrative Safeguards
164.308
(a)(4)
The administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of securit
of the covered entity's workforce in relation to the protection of that information.
Printed: 8/1/2013Security Professionals Workshop -- HIPAA Risk Assessment Inventory
Copyright (c) 2003, 2004 University of Wisconsin Board of RegentsPage 9 of 20
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
8/22/2019 Building a Health Information Infrastructure to Support HIPAA (157522956)
http://slidepdf.com/reader/full/building-a-health-information-infrastructure-to-support-hipaa-157522956 10/20
HIPAA Security Regulation, and Some Possible Grading Scales for Risk
Standards Sec. Definition
Security (A) Periodic security updates.
Protection from
Malicious
(A) Procedures for guarding against, detecting, and reporting malicious
software.
Log-in
Monitoring
(A) Procedures for monitoring log-in attempts and reporting discrepancies.
Password
Management
(A) Procedures for creating, changing, and safeguarding passwords.
Security Incident Procedures
Implement policies and procedures toaddress security incidents.
164.308
(a)(6)
Response and
Reporting
(R) Identify and respond to suspected or known security incidents; mitigate,
to the extent practicable, harmful effects of security incidents that areknown to the covered entity; and document security incidents and their
outcomes.
Data Backup Plan (R) Establish and implement procedures to create and maintain retrievable
exact copies of electronic protected health information.
Disaster Recovery
Plan
(R) Establish (and implement as needed) procedures to restore any loss of
data.
Emergency Mode
Operation Plan
(R) Establish (and implement as needed) procedures to enable continuation
of critical business processes for protection of the security of electronic
PHI while operating in emergency mode.
Testing and
Revision
(A) Implement procedures for periodic testing and revision of contingency
plans.
Applications and
Data Criticality
(A) Assess the relative criticality of specific applications and data in support
of other contingency plan components.
Evaluation (R) Perform a periodic technical and non-technical evaluation, basedinitially upon the standards implemented under this rule and
subsequently, in response to environmental or operational changes
affecting the security of electronic PHI, that establishes the extent to
which an entity's security policies and procedures meet the requirements
of this subpart.
Business Associate Contracts and
Other Arrangement
164.308
(b)
Written Contract or
Other
Arrangements
(R) A covered entity, in accordance with Sec. 164.306, may permit a
business associate to create, receive, maintain, or transmit electronic
protected health information on the covered entity's behalf only if the
covered entity obtains satisfactory assurances, in accordance with Sec.164.314(a) that the business associate will appropriately safeguard the
information.
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
Security Awareness and Training
Implement a security awareness and
training program for all members of
its workforce (including
management).
164.308
(a)(5)
Administrative Safeguards (continued)
Implementation
Contingency Plan
Establish (and implement as needed)
policies and procedures for
responding to an emergency or other
occurrence (for example, fire,
vandalism, system failure, and natural
disaster) that damages systems that
contain electronic PHI.
164.308
(a)(7)
164.308(a)(8)
Required (R): When a standard includes required implementation specifications, a covered entity must implement the implementation specifications.
Addressable (A): When a standard includes addressable implementation specifications, a covered entity must--
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the like
(ii) As applicable to the entity--
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate--
Printed: 8/1/2013Security Professionals Workshop -- HIPAA Risk Assessment Inventory
Copyright (c) 2003, 2004 University of Wisconsin Board of RegentsPage 10 of 20
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
8/22/2019 Building a Health Information Infrastructure to Support HIPAA (157522956)
http://slidepdf.com/reader/full/building-a-health-information-infrastructure-to-support-hipaa-157522956 11/20
HIPAA Security Regulation, and Some Possible Grading Scales for Risk
(2) Implement an equivalent alternative measure if reasonable and appropriate.
Printed: 8/1/2013Security Professionals Workshop -- HIPAA Risk Assessment Inventory
Copyright (c) 2003, 2004 University of Wisconsin Board of RegentsPage 11 of 20
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
8/22/2019 Building a Health Information Infrastructure to Support HIPAA (157522956)
http://slidepdf.com/reader/full/building-a-health-information-infrastructure-to-support-hipaa-157522956 12/20
HIPAA Security Regulation, and Some Possible Grading Scales for Risk
Standards Sec. Definition
Contingency
Operations
(A) Establish (and implement as needed) procedures that allow facility
access in support of restoration of lost data under the disaster recovery
plan and emergency mode operations plan in the event of an emergency.
Facility Security
Plan
(A) Implement policies and procedures to safeguard the facility and the
equipment therein from unauthorized physical access, tampering, and
theft.
Access Control
and Validation
Procedures
(A) Implement procedures to control and validate a person's access to
facilities based on their role or function, including visitor control, and
control of access to software programs for testing and revision.
Maintenance
Records
(A) Implement policies and procedures to document repairs and
modifications to the physical components of a facility which are related
to security (for example, hardware, walls, doors, and locks).
Workstation Use (R) Implement policies and procedures that specify the proper functions to
be performed, the manner in which those functions are to be performed,
and the physical attributes of the surroundings of a specific workstation
or class of workstation that can access electronic PHI.
Workstation Security (R) Implement physical safeguards for all workstations that access electronic
PHI, to restrict access to authorized users.
Disposal (R) Implement policies and procedures to address the final disposition of
electronic PHI, and/or the hardware or electronic media on which it is
stored.
Media Re-use (R) Implement procedures for removal of electronic PHI from electronic
media before the media are made available for re-use.
Accountability (A) Maintain a record of the movements of hardware and electronic media
and any person responsible therefore.
Data Backup and
Storage
(A) Create a retrievable, exact copy of electronic protected health
information, when needed, before movement of equipment.
The physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equip
Physical Safeguards
Facility Access Controls
Implement policies and procedures to
limit physical access to its electronic
information systems and the facility
or facilities in which they are housed,
while ensuring that properly
authorized access is allowed.
164.310
(a)
164.310
(b)
Implementation
Required (R): When a standard includes required implementation specifications, a covered entity must implement the implementation specifications.
164.310
(c)
Device and Media Controls
Implement physical safeguards for all
workstations that access electronic
PHI, to restrict access to authorized
users.
164.310
(d)
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate--
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.
Addressable (A): When a standard includes addressable implementation specifications, a covered entity must--
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the like
(ii) As applicable to the entity--
Printed: 8/1/2013Security Professionals Workshop -- HIPAA Risk Assessment Inventory
Copyright (c) 2003, 2004 University of Wisconsin Board of RegentsPage 12 of 20
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
8/22/2019 Building a Health Information Infrastructure to Support HIPAA (157522956)
http://slidepdf.com/reader/full/building-a-health-information-infrastructure-to-support-hipaa-157522956 13/20
HIPAA Security Regulation, and Some Possible Grading Scales for Risk
Standards Sec. Definition
Unique User
Identification
(R) Assign a unique name and/or number for identifying and tracking user
identity.
Emergency
Access Procedure
(R) Establish (and implement as needed) procedures for obtaining necessary
electronic protected health information during an emergency.
Automatic Logoff (A) Implement electronic procedures that terminate an electronic session
after a predetermined time of inactivity.
Encryption and
Decryption
(A) Implement a method to encrypt and decrypt electronic protected health
information.
Audit Controls (R) Implement hardware, software, and/or procedural mechanisms that
record and examine activity in information systems that contain or use
electronic protected health information.
Integrity
Implement policies and procedures to
protect electronic protected health
information from improper alteration or
destruction.
164.312
(c)
Mechanism to
Authenticate
Electronic PHI
(A) Implement electronic mechanisms to corroborate that electronic
protected health information has not been altered or destroyed in an
unauthorized manner.
Person or Entity Authentication (R) Implement procedures to verify that a person or entity seeking access to
electronic protected health information is the one claimed.
Integrity Controls (A) Implement security measures to ensure that electronically transmitted
electronic protected health information is not improperly modified
without detection until disposed of.
Encryption (A) Implement a mechanism to encrypt electronic protected health
information whenever deemed appropriate.
Required (R): When a standard includes required implementation specifications, a covered entity must implement the implementation specifications.
164.312
(a)
164.312
(b)
164.312
(d)
Transmission Security
Implement technical security measures to
guard against unauthorized access to
electronic protected health information
that is being transmitted over an electronic
communications network.
(B) If implementing the implementation specification is not reasonable and appropriate--
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(A) Implement the implementation specification if reasonable and appropriate; or
Access Control
Implement technical policies and
procedures for electronic information
systems that maintain electronic
protected health information to allow
access only to those persons or
software programs that have been
granted access rights as specified in
Sec. 164.308(a)(4).
164.312
(e)
(2) Implement an equivalent alternative measure if reasonable and appropriate.
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the like
(ii) As applicable to the entity--
Implementation
The technology and the policy and procedures for its use that protect electronic protected health information (PHI) and control access to it.
Addressable (A): When a standard includes addressable implementation specifications, a covered entity must--
Technical Safe uards
Printed: 8/1/2013Security Professionals Workshop -- HIPAA Risk Assessment Inventory
Copyright (c) 2003, 2004 University of Wisconsin Board of RegentsPage 13 of 20
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
8/22/2019 Building a Health Information Infrastructure to Support HIPAA (157522956)
http://slidepdf.com/reader/full/building-a-health-information-infrastructure-to-support-hipaa-157522956 14/20
HIPAA Security Regulation, and Some Possible Grading Scales for Risk
* These are simply suggestions that might be used as a starting point. Do not rely on these being representative of the regulation or the intent of the regulators
Printed: 8/1/2013Security Professionals Workshop -- HIPAA Risk Assessment Inventory
Copyright (c) 2003, 2004 University of Wisconsin Board of RegentsPage 14 of 20
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
8/22/2019 Building a Health Information Infrastructure to Support HIPAA (157522956)
http://slidepdf.com/reader/full/building-a-health-information-infrastructure-to-support-hipaa-157522956 15/20
HIPAA Security Regulation, and Some Possible Grading Scales for Risk
Possible Grading Scale for Required Safeguards *
A. RA completed. Risks fully prioritized and followup actions scheduled.
B. RA completed. Risks not yet prioritized and followup actions not scheduled.
C. RA started but not completed. Top risk areas identified.
D. RA planned and method being developed
F. RA not started
A. RM action plan developed and fully implemented
B. RM action plan developed and partially implemented
D. RM action plan developed and scheduled but not yet started.
E. RM action plan brief list developed but no implementation to date.
F. No RM action plan.
A. Policy is completed and full implemented. Staff trained to follow policy.
B. Policy is completed and full implemented. Still some gaps in training.
C. Policy is completed. Implementation and training not well developed.
D. Policy may be started but not completed or approved. Minor consequences if a failure.
F. Policy not written and/or implemented. Major consequences if a failure.
Same as Sanction Policy
A. Security Officer assigned and fully engaged.
B. Security Officer assigned and becoming familiar with responsibilities
C. Recruiting Security Officer
D. Trying to agree on requirements of Security Officer
F. No SO on the horizon
Not Applicable
measures to protect electronic protected health information (PHI) and to manage the conduct
Printed: 8/1/2013Security Professionals Workshop -- HIPAA Risk Assessment Inventory
Copyright (c) 2003, 2004 University of Wisconsin Board of RegentsPage 15 of 20
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
8/22/2019 Building a Health Information Infrastructure to Support HIPAA (157522956)
http://slidepdf.com/reader/full/building-a-health-information-infrastructure-to-support-hipaa-157522956 16/20
HIPAA Security Regulation, and Some Possible Grading Scales for Risk
Possible Grading Scale for Required Safeguards *
A. Response team in place and effective. All incidents documented and followed up.
B. Response team in place and effective. Incidents documented and some followed up.C. Response team designated but less effective. Sporadic documentation and followup
D. No response team, documentation or followup – minor consequences of failure
F. No response team, documentation or followup – major consequences of failure
A. Plan is completed and full implemented. Staff well trained to follow plan.
B. Plan is completed and full implemented. Still some gaps in training.
C. Plan is completed. Implementation and training not well developed.
D. Plan may be started but not completed or approved. Minor consequences if a failure.
F. Plan not written and/or implemented. Major consequences if a failure.
Same as Data Backup Plan
Same as Data Backup Plan
A. Technical and non/tech evaluations conducted after all major environmental or operational changes.
B. Technical and non/tech evaluations conducted after some major environmental or operational changes.
C. Evaluations conducted sporadically.
D. Evaluations not conducted. Minor consequences of not conducting.
F. Evaluations not conducted. Major consequences of not conducting.
A. Business associate contracts exist for all entities. BA’s audited periodically.
B. Business associate contracts exist for all entities. BA’ s audited by exception only.
C. Business associate contracts exist for some entities. BA’ s not audited.D. Business associate contracts do not exist. Minor consequences likely.
F. Business associate contracts do not exist. Major consequences likely.
ly contribution to protecting the entity's electronic protected health information; and
Printed: 8/1/2013Security Professionals Workshop -- HIPAA Risk Assessment Inventory
Copyright (c) 2003, 2004 University of Wisconsin Board of RegentsPage 16 of 20
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
8/22/2019 Building a Health Information Infrastructure to Support HIPAA (157522956)
http://slidepdf.com/reader/full/building-a-health-information-infrastructure-to-support-hipaa-157522956 17/20
HIPAA Security Regulation, and Some Possible Grading Scales for Risk
Printed: 8/1/2013Security Professionals Workshop -- HIPAA Risk Assessment Inventory
Copyright (c) 2003, 2004 University of Wisconsin Board of RegentsPage 17 of 20
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
8/22/2019 Building a Health Information Infrastructure to Support HIPAA (157522956)
http://slidepdf.com/reader/full/building-a-health-information-infrastructure-to-support-hipaa-157522956 18/20
HIPAA Security Regulation, and Some Possible Grading Scales for Risk
Possible Grading Scale for Required Safeguards *
A = Policy and procedure in place that address the following for workstations that access electronic PHI:
proper workstation functions, manner in which those functions are to be performed and physical
surroundings of workstation.
B = Draft policy and procedure being revised.
C = Determining proper workstation functions, end-user behavior and physical surroundings for
workstation. Evaluating resources to reach intended outcome.
D = Workgroup charged to develop Workstation Use Policy.
F = No efforts towards Workstation Use Policy.
Similar to Workstation Use
A = Policy and procedure in place to address the final disposition of electronic PHI
and/or the hardware or electronic media on which it is stored.
B = Draft policy and procedure being revised.
C = Determining scope of devices require disposition of PHI electronic data.
Evaluating methods to reach intended outcome.
D = Workgroup charged to develop Device and Media Control Disposal Policy.
F = No efforts towards Device and Media Control Disposal Policy.
Similar to Disposal.
ent, from natural and environmental hazards, and unauthorized intrusion.
ly contribution to protecting the entity's electronic protected health information; and
Printed: 8/1/2013Security Professionals Workshop -- HIPAA Risk Assessment Inventory
Copyright (c) 2003, 2004 University of Wisconsin Board of RegentsPage 18 of 20
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
8/22/2019 Building a Health Information Infrastructure to Support HIPAA (157522956)
http://slidepdf.com/reader/full/building-a-health-information-infrastructure-to-support-hipaa-157522956 19/20
HIPAA Security Regulation, and Some Possible Grading Scales for Risk
Possible Grading Scale for Required Safeguards *
A. All users identified uniquely within organization, ultimately linked to UW ID
B. Few users accessing PHI but all uniquely identified within unit. No linkage to UW ID
C. Many users accessing PHI, all uniquely identified within unit only
D. Several users accessing PHI, identified by group or shared access
F. No unique way of identifying users
A. Well documented step-by-step procedures in place to provide access to PHI in emergency such as loss
of power or environmental controls
B. Some procedures available for accessing PHI in emergency
C. No procedures in place for emergency access but no time-critical PHID. Contain some time-critical PHI with no procedure for emergency access
F. Contain large amounts of time-critical PHI with no procedure for emergency access
A. All PHI contained in database that supports full record-level logging of database access
B. File-level logging of all modifies and writes for any PHI
C. Small number of users or PHI and minimal logging of system activity such as log-ins
D. Large body of users and significant amounts of PHI with no mechanism in place to log account activity
such as log-ins
F. No mechanism in place to log access to any PHI
A. Two-level identification of individuals including some combination of passwords, ID cards, biometrics
and certificatesB. Widespread use of ID cards or specific policy in place to specify password use
C. Policies requiring password use by all staff
D. General use of password authentication of individuals but no policy addressing password use
F. No procedures in place to authenticate individual users
ly contribution to protecting the entity's electronic protected health information; and
Printed: 8/1/2013Security Professionals Workshop -- HIPAA Risk Assessment Inventory
Copyright (c) 2003, 2004 University of Wisconsin Board of RegentsPage 19 of 20
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
8/22/2019 Building a Health Information Infrastructure to Support HIPAA (157522956)
http://slidepdf.com/reader/full/building-a-health-information-infrastructure-to-support-hipaa-157522956 20/20
HIPAA Security Regulation, and Some Possible Grading Scales for Risk
.
Printed: 8/1/2013Security Professionals Workshop -- HIPAA Risk Assessment Inventory
Copyright (c) 2003, 2004 University of Wisconsin Board of RegentsPage 20 of 20
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html