Uploaded by xexevil289

HIPAA-Risk-Assessment-Template-BP

advertisement
HIPAA Risk
Assessment
Template
Introduction
Risk analysis is the most acute HIPAA compliance problem that the Department of Health and Human Services
(HHS) for Office of Civil Rights (OCR) investigates. An inaccurate or incomplete analysis can lead to serious
security breaches and steep monetary penalties.
But risk analysis can be difficult to implement, especially if your IT department doesn’t have the people or time
to spare. The risk assessment template provided here can help you perform a complete and accurate audit of
your ePHI security risks so you can put the appropriate mitigation measures in place.
What is a HIPAA risk assessment?
A HIPAA risk assessment helps organizations determine and evaluate threats to the security of electronic
protected health information (ePHI), including the potential for unauthorized disclosure as required by the
Privacy Rule.
If your organization creates, receives, maintains or transmits ePHI, even using a certified electronic health
record (EHR) system, you must assess your security risks to ensure that you have taken the best steps possible
to protect your ePHI. Once you identify those risks, you must implement administrative, physical and technical
safeguards to maintain compliance with the HIPAA Security Rule.
As health care entities work to achieve compliance with HIPAA, risk analysis and risk management tools can
be invaluable; they often enable you to protect the confidentiality, integrity and availability of your ePHI more
effectively and efficiently than you could with manual processes.
2
Tailoring a risk assessment to your organization
HIPAA risk assessment requirements allow you to tailor the assessment to your organization’s environment
and circumstances, including:
ƒ
ƒ
ƒ
ƒ
Your organization’s size, complexity and capabilities
Your organization’s technical infrastructure, hardware and security capabilities
The probability and criticality of the potential risks to ePHI
The cost of the security measures
Implementation specifications: required versus addressable
A HIPAA risk assessment will contain many implementation specifications, which are detailed instructions to
satisfy a certain standard. Some are required, while others are addressable:
ƒ Required specifications document policies or procedures that each covered entity and its business
associates must put in place. One example is risk analysis.
ƒ Addressable specifications are not optional, but organizations have the flexibility to choose appropriate
processes or controls to meet them. For example, password management is addressable, since there are
multiple ways to ensure that only trusted people can access your systems. One way is to use multifactor
authentication.
You cannot refuse to adopt an implementation specification based solely on cost.
3
Key terminology
Here are definitions for terms common to HIPAA, adapted from NIST 800-30:
ƒ ePHI (electronic protected health information) — Data about a patient’s health, treatment or billing that
could identify that patient. ePHI is PHI held in electronic form; it has the same confidentiality requirements
as all PHI, but the ease of copying and transmitting ePHI requires special safeguards to prevent breaches.
ƒ Vulnerability — A flaw or weakness in a security system’s procedures, design, implementation or internal
controls that could be accidentally triggered or intentionally exploited, resulting in a security breach or
violation of the security policy.
ƒ Threat — The potential for a threat source to accidentally trigger or intentionally exploit a specific vulnerability.
ƒ Risk — Refers to IT-related risk. Risk describes the net business impact based on the probability of a specific
threat triggering a particular vulnerability. It includes factors like legal liability and mission loss.
ƒ Risk analysis (or risk assessment) — The process of identifying all risks to security of the system, the
likelihood they will lead to damage, and safeguards that can mitigate that damage. It is a part of risk management.
ƒ Risk management — The process of implementing security measures and practices to adequately reduce
risks and vulnerabilities to a reasonable degree for compliance.
Steps in Risk Analysis
NIST 800-30 details the following steps for a HIPAA-compliant risk assessment:
Step 1. Determine the scope of the analysis.
A risk analysis considers all ePHI, regardless of the electronic medium used to create, receive, maintain or
transmit the data, or the location of the data. It covers all reasonable risks and vulnerabilities to the confidentiality,
integrity and availability of your ePHI.
4
Step 2. Gather complete and accurate information about ePHI use and disclosure.
This process includes:
ƒ
ƒ
ƒ
ƒ
ƒ
Reviewing past and existing projects
Performing interviews
Reviewing documentation
Using other data gathering techniques as needed
Documenting all gathered data
You may have already completed this step to comply with the HIPAA Privacy Rule, even though it was not
directly required.
Step 3. Identify potential threats and vulnerabilities.
Look at the gathered data and consider what types of threats and vulnerabilities exist for each piece of information.
Step 4. Assess your current security measures.
Document the measures you have already implemented to mitigate risks to your ePHI. These measures can be
technical or non-technical:
ƒ Technical measures include information system hardware and software, such as access control,
authentication, encryption, automatic log-off and audit controls.
ƒ Non-technical measures include operational and management controls like policies, procedures, and
physical or environmental security measures.
Then analyze whether the configuration and use of those security measures are appropriate.
5
Step 5. Determine the likelihood of threat occurrence.
Assess the probability that a threat will trigger or exploit a specific vulnerability. Consider each potential
threat and vulnerability combination, and rate them according to the likelihood of an incident. Common rating
methods include labeling each risk as High, Medium and Low, or providing a numeric weight expressing the
likelihood of occurrence.
Step 6. Determine the potential impact of threat occurrence.
Consider the possible outcomes of each data threat, such as:
ƒ
ƒ
ƒ
ƒ
ƒ
Unauthorized access or disclosure
Permanent loss or corruption
Temporary loss or unavailability
Loss of financial cash flow
Loss of physical assets
Estimate the impact of each outcome. Measures can be qualitative or quantitative. Document all reasonable
impacts and the ratings associated with each outcome.
Step 7. Determine the level of risk.
Analyze the values assigned to the probability of each threat occurrence and the impact. Assign the risk level
based on the average of the assigned probabilities and impact levels.
Step 8. Identify appropriate security measures and finalize the documentation.
Identify the possible security measures you could use to reduce each risk to a reasonable level. For each measure, consider:
ƒ The effectiveness of the measure
ƒ Legislative or regulatory requirements for implementation
ƒ Organizational policy and procedure requirements
Document all findings to complete your risk assessment.
6
HIPAA Risk Assessment Template
Below is a HIPAA risk assessment template with a description and an example for each section. This is a general
template that you will need to adapt for your organization’s specific needs. All company and personal names
used in this template are fictional and are used solely as examples.
1. Introduction
Explain the reason for the document.
This document outlines the scope and approach of the risk assessment for Allied Health 4 U, Inc. (hereafter referred
to as Allied Health 4 U). It includes the organization’s data inventory, threat and vulnerability determination, security
measures, and risk assessment results.
1.1 Purpose
State why you need a risk assessment.
The purpose of the risk assessment is to identify areas of potential risk, assign responsibilities, characterize the risk
mitigation activities and systems, and guide corrective action procedures to comply with the HIPAA Security Standard.
1.2 Scope
Document the flow of patient data within your organization. Describe all system components, elements, field
site locations, users (including use of a remote workforce) and any additional details about the EHR system.
Document and define your IT systems, components and information, including removable media and portable
computing devices.
7
The scope of this document includes the technical, physical and administrative processes governing all ePHI
received, created, maintained or transmitted by Allied Health 4 U.
The goal is to assess and analyze the use of resources and controls, both planned and implemented, to
eliminate, mitigate or manage the exploitation of vulnerabilities by internal and external threats to the
electronic health records (EHR) system.
Allied Health 4 U serves the needs of patients and practitioners at Medical City in Regency Park, IL. The
related medical center provides the primary internet firewall and basic physical security for the facility. The
organization provides all other technology and security needs for Allied Health 4 U, Inc.
Allied Health 4 U uses laptops, tablets and desktop PCs to access patient ePHI. Remote access from
outside Allied Health 4 U is strictly prohibited. Three servers are located in a locked server room with video
surveillance enabled.
2. Risk Assessment Approach
Define the methods you use to perform the risk assessment.
Allied Health 4 U performs the risk assessment by inventorying all physical devices and electronic data created,
received, maintained or transmitted by the organization; interviewing users and administrators of the EHR
system; and analyzing system data to determine potential vulnerabilities and threats to the system.
2.1 Participants
Identify the participants, such as all IT staff and management, responsible for or interacting with the EHR.
Include a list of participants’ names and roles, such as Chief Information Officer or Asset Owner.
The ePHI security officer and the Risk Management Team are responsible for maintaining and executing the ePHI
security risk analysis and risk management process for Allied Health 4 U.
8
Chief Information Officer: Bradley Gray, MD
Compliance Officer: Jean Parker, MD
Risk Assessment Team: William Brown, Takisha Lutrelle, and Lili Obrador
2.2 Techniques Used to Gather Information
List the methods used to identify and inventory ePHI data, physical devices, processes and procedures.
The following techniques are used to gather information for the risk assessment:
ƒ Interviews with Chief Information Officer, Risk Management Team, users
ƒ Documentation Review — IT policies and processes, threat and vulnerability reports, incident reports,
information classification documents.
ƒ Site Visits — Regency Park location, any future locations
2.3 Development and Description of the Risk Scale
Describe when risk assessments are performed, the risk-level matrix in use, how risks are determined, and a
risk classification with at least three levels.
Allied Health 4 U conducts risk assessments at the following times:
ƒ After software updates to the EHR
ƒ After the implementation of new hardware, software, or firmware
ƒ After a report of a data breach
Use the following risk matrix to determine the scale of the risk:
Risk scale:
HIGH: >25 to 50
MEDIUM: >5 to 25
LOW: >0.5 to 5
9
Threat Probability
Impact
Low (0.1)
Medium (0.5)
High (1.0)
Low (5)
5 X 0.1 = 0.5
5 X 0.5 = 2.5
5 X 1.0 = 1
Medium (25)
25 X 0.1 = 2.5
25 X 0.5 = 12.5
25 X 1.0 = 25
High (50)
50 X 0.1 = 5
50 X 0.5 = 25
50 X 1.0 = 50
3. System Characterization
Identify the boundaries of the IT system under consideration and the resources and information making up
the system. Characterization establishes risk assessment scope effort, shows the authorization or accreditation
pathway, and provides information on connectivity, responsibility and support.
The Allied Health 4 U EHR system is comprised of all laptops, desktops, tablets, servers and ePHI contained therein.
3.1 System-Related Information
Provide related information and a brief description of the processing environment.
System name
Allied Health 4 U EHR
System owner
Allied Health 4 U, Inc.
10
Physical location
123 Main Street, Dept D, Regency Park, IL
Major business function
Healthcare information storage
Description and components
EHR system, server, desktops, laptops, tablets,
servers, software
Interfaces and boundaries
User interface at each device, internal connection
via WiFi, external connection via cable
Data sensitivity
High
Overall IT sensitivity rating and classification
High, Critical
3.2 System Users
Describe who uses the system, including details on user location and level of access.
System name
Allied Health 4 U EHR
User category
Sysadmin
Access level
4
Number of users
2
System owner
Allied Health 4 U, Inc.
Physical location
123 Main Street, Dept D, Regency Park, IL
11
3.3 Data Inventory
Document all ePHI and where it is stored, received, maintained, or transmitted.
Type of Data
Description
Level of Sensitivity
ePHI
Electronic protected health information
High
Medical procedures
Copies of procedures performed on patient
Low
Test results
Lab, Radiology
High
PPE inventory
Personal protective equipment inventory
Low
Billing data
Insurance and billing information
High
4. Threats and Vulnerabilities
List all credible threats and vulnerabilities to the system being assessed. Often, you can provide a brief
description here and provide the detailed results in an appendix or a separate spreadsheet.
4.1 Threat Identification
Develop a catalog of reasonably anticipated threats. Your most significant concern is human threats from exemployees, criminals, vendors, patients or anyone else with motivation, access and knowledge of the system.
Threat Source
Threat Action
Disgruntled employee
Unauthorized modification of billing data
Hacker
Threatened disclosure of ePHI for ransom
Earthquake
Damage or loss of power to EHR components
12
4.2 Vulnerability Identification
List all technical and non-technical system vulnerabilities that potential threats could trigger or exploit. Include
incomplete or conflicting policies and procedures, insufficient safeguards (both physical and electronic), and
other flaws or weaknesses in any part of the system.
Allied Health 4 U identifies the following vulnerabilities:
Vulnerability
Description
Water-based fire suppressant system
in the office and IT center
Activated water sprinklers could create electrical
shorts in EHR system components
EHR firewall allows inbound access
A user could access EHR from outside the
premises of Allied Health 4 U and Medical City
4.3 Security Measures
Document and assess the effectiveness of all technical and non-technical controls that are currently or will be
implemented to mitigate risk.
Safeguard
Control
Technical safeguard: Secure passwords
Control access to EHR system.
Administrative safeguard: Sanctions
Define and enforce appropriate sanctions, so
employees understand the consequences of noncompliance with security policies and procedures.
Physical safeguard: Locked offices
Keep facility locked during non-business hours
to prevent unauthorized entry for access or
destruction of components or records.
13
5. Risk Assessment Results
Describe the observations (the vulnerabilities and the threats that can trigger them), measure each risk, and
offer recommendations for control implementation or corrective action. The detailed results are often better
presented in an appendix or a separate spreadsheet.
Observation number
100011
Risk (vulnerability/threat pair)
Terminated employee access not revoked
Current control measures
Send notification to IT on date of separation
Probability with existing controls
High
Impact with existing controls
High
Initial risk level
High
Recommended action or control measure
Technical safeguard: Automate revocation of system
access upon employee termination
Residual risk level
Low
Implementation method
Sysadmin configures automated access revocation
tied to employee termination in the HR system
Supervisor
Jane Smith
Start date
January 15, 2021
Target end date
February 15, 2021
Date controls implemented
February 10, 2021
14
6. Revision History
Track all changes to your HIPAA risk assessment.
Version
Description
Author
Description
1.0
01/01/2020
Jane Smith
Original
1.1
06/01/2020
Bill Jones
Modification
15
Ensure the Privacy and Security
of ePHI with HIPAA Compliance
Software from Netwrix
Identify, prioritize and mitigate your data and
infrastructure security risks.
Discover all HIPAA-regulated data, on prem and in
the cloud, and reduce its exposure.
Protect sensitive data by rigorously enforcing the
least-privilege principle.
Detect unauthorized activity around your sensitive
data.
Comply with breach notification requirements with
efficient incident investigation.
Prove the effectiveness of your data security policy
to compliance auditors.
Download Free 20-Day Trial
About Netwrix
Netwrix is a software company that enables information security and governance professionals to reclaim
control over sensitive, regulated and business-critical data, regardless of where it resides. Over 10,000
organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of
enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT
teams and knowledge workers.
For more information, visit www.netwrix.com.
Next Steps
Free trial — Set up Netwrix software in your own test environment: netwrix.com/freetrial
In-Browser Demo — Take an interactive product demo in your browser: netwrix.com/browser_demo
Live Demo — Take a product tour with a Netwrix expert: netwrix.com/livedemo
Request Quote — RReceive pricing information: netwrix.com/buy
CORPORATE HEADQUARTER:
PHONES:
OTHER LOCATIONS:
300 Spectrum Center Drive
Suite 200 Irvine, CA 92618
1-949-407-5125
Toll-free (USA): 888-638-9749
Spain:
+34 911 982608
Netherlands:
+31 858 887 804
Sweden:
+46 8 525 03487
Switzerland:
+41 43 508 3472
France:
+33 9 75 18 11 19
Germany:
+49 711 899 89 187
Hong Kong:
+852 5808 1306
Italy:
+39 02 947 53539
565 Metro Place S, Suite 400
Dublin, OH 43017
5 New Street Square
London EC4A 3TW
1-201-490-8840
+44 (0) 203 588 3023
SOCIAL:
netwrix.com/social
17
Download