APPLICATIONS AND DATA CRITICALITY
ANALYSIS
POLICY # 26
ADMINISTRATIVE MANUAL
APPROVED BY:
ADOPTED:
SUPERCEDES POLICY:
REVISED:
REVIEWED:
DATE:
REVIEW:
PAGE:
HIPAA Security
Rule Language:
“Assess the relative criticality of specific applications and data in
support of other contingency plan components.”
Policy Summary:
Sindecuse Health Center (SHC) must have a formal process for defining
and identifying the criticality of its information systems and the data
contained within them. The prioritization of SHC information systems
must be based on an analysis of the impact to SHC services, processes,
and business objectives if disasters or emergencies cause specific
information systems to be unavailable for particular periods of time. The
criticality analysis must be conducted with significant involvement from
the administrators, users and owners of SHC information systems and
business processes. The criticality analysis must be conducted at least
annually.
Purpose:
This policy reflects SHC’s commitment to conduct a regular analysis of
the criticality of its information systems.
Policy:
1. SHC must have a formal, documented process for defining and
identifying the criticality of its information systems and the data
contained within them. At a minimum, the process must include:





An inventory of all SHC information systems.
Identification of dependencies between SHC information
systems.
A defined methodology for determining and documenting the
criticality of SHC’s information systems (e.g. impact on patient
care).
Identification and likelihood of risks that threaten SHC
information systems and data.
Identification and documentation of the impact to these risks
Page 1 of 3
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
APPLICATIONS AND DATA CRITICALITY ANALYSIS


have to SHC services, processes and business objectives if
specific SHC information systems are unavailable for different
periods of time (e.g. 1 hour, 1 day).
Identification and definition of maximum time periods that SHC
information systems can be unavailable.
Prioritization of SHC information systems according to their
criticality to SHC’s ability to function at normal levels.
2. The prioritization of SHC information systems must be based on an
analysis of the impact to SHC services, processes and business objectives
if disasters or emergencies cause specific information systems to be
unavailable for particular periods of time.
3. The criticality analysis must be conducted with significant
involvement from the administrators, users and owners of SHC
information systems and processes.
4. The criticality analysis can be conducted by either SHC employee(s)
or by a qualified third-party firm. Those conducting the analysis should
understand the interdependencies among SHC’s information systems and
processes.
5. The criticality analysis must be conducted at least annually. Results
from the analysis must be documented and presented to appropriate SHC
management. The criticality analysis report must be securely maintained.
Any change in status of information systems and/or the data contained
within them must be reflected in SHC’s disaster recovery plan.
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory
Category:
Administrative Safeguards
Regulatory Type:
ADDRESSABLE Implementation Specification for Contingency Plan
Standard
Regulatory
Reference:
45 CFR 164.308(a)(7)(ii)(E)
Definitions:
Electronic protected health information means individually identifiable
health information that is:
Page 2 of 3
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
APPLICATIONS AND DATA CRITICALITY ANALYSIS


Transmitted by electronic media
Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Responsible
Department:
Information Systems
Policy Authority/
Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure # (TBD).
Related Policies:
Data Backup Plan
Disaster Recovery Plan
Emergency Mode Operation Plan
Testing and Revision Procedure
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD
Page 3 of 3
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.