Version 3/FINAL: 9/13/13
Based on Final HIPAA Security Rule & HITECH Interim Rules (8/24/09)

HIPAA COW RISK ANALYSIS & RISK MANAGEMENT TOOLKIT NETWORKING GROUP

GUIDE FOR THE HIPAA COW RISK ANALYSIS & RISK MANAGEMENT TOOLKIT

Disclaimers:

This Guide and the HIPAA COW Risk Analysis & Risk Management Toolkit (Toolkit) documents are Copyright by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). They may be freely redistributed in their entirety provided that this copyright notice is not removed. When information from this document is used, HIPAA COW shall be referenced as a resource. They may not be sold for profit or used in commercial documents without the written permission of the copyright holder.

This Guide and the Toolkit documents are provided “as is” without any express or implied warranty.

This Guide and the Toolkit documents are for educational purposes only and do not constitute legal advice. If you require legal advice, you should consult with an attorney.

Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues related to this Guide and the Toolkit documents. Therefore, these documents may need to be modified in order to comply with Wisconsin/State law.

Introduction:

The Toolkit provides an example HIPAA Security Risk Assessment and documents to support completing a Risk Analysis and Risk Mitigation Implementation Plan. While it covers a broad spectrum of the requirements under the HIPAA Security Rule and HITECH, it may not cover all measures needed to secure your patients’ electronic protected health information (ePHI). It is not meant to be construed as a one-size-fits-all Toolkit. The HIPAA Security Rule requires that this be completed on an ongoing basis, but does not prescribe how to accomplish this. The authors of these documents carefully considered and included the information believed to be of most importance, based on legal requirements, known HIPAA Security incident history, and personal experience.
With that said, it may include items not required by your organization, exclude items that are required, and/or include items that you need to tailor to your organization’s needs.

Table of Contents

I. Background ... 2
II. Risk Analysis and Risk Management Approach/Strategy ... 3
III. NIST Risk Assessment Steps. Word document. ... 3
IV. HIPAA COW Risk Assessment Template. ... 3
IV. Example Security P&P List. Excel document. Tab 2 ... 3
V. Security Questions. Excel document. Tab 3. Important Note: when printing this, it is formatted to print on legal size paper. ... 3
   A) NIST Threat Overview ... 4
   B) This worksheet includes an example list of questions and a way for your organization to document how you are meeting (in compliance with) the HIPAA Security Rule and HITECH security requirements. ... 4
   C) Inventory Asset List. Excel Document. ... 4
   D) Network Diagram Example ... 5
   E) NIST Risk Definitions & Calculations. Word document. ... 5
VI. Risk Mitigation Implementation Plan ... 5
   A) NIST Risk Mitigation Activities. Word document. ... 5
   B) Office Use Only. Excel Document. It is the seventh worksheet on the HIPAA COW Risk Assessment Template spreadsheet. ... 6
VII. Risk Analysis Report Template. Word Document. ... 6
VIII. Risk Management Policy ... 7
IX. HIPAA COW OCR Audit Protocol ... 7
X. Toolkit References ... 7
XI. Other Available Risk Resources ... 7

Background

This Toolkit is based on many of the methodologies described in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems (NIST SP 800-30) (2002)[1] and NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. These were used as a guide for building this Toolkit because NIST documents are referenced and used by the U.S. Department of Health and Human Services. While the government does not require that NIST be used, the Office for Civil Rights Guidance on Risk Analysis Requirements under the HIPAA Security Rule document states about NIST documents that “non-federal organizations may find their content valuable when developing and performing compliance activities”.

It is important to note that there are a myriad of other ways to complete a HIPAA Security Risk Assessment, many of which may provide you with a more thorough and accurate summary of threats and vulnerabilities to your patients’ ePHI. It may be beneficial for your organization to review the Toolkit References listed at the end of this Guide to gain a better understanding of how to conduct a Risk Analysis and implement a successful Risk Management program in your organization.

[1] NIST has since released a revision to NIST SP 800-30.
The original NIST SP 800-30 from 2002 was used in the development of this Toolkit and its supporting documents. NIST SP 800-30 (2002) is available on the HIPAA COW website under the Risk Toolkit tab.

It is also important to note that some of the Toolkit documents include references to products. These references are provided as examples only. They are not required to be used and are not necessarily the best products available. They were merely products known at the time that organizations could potentially consider. Organizations considering new products should research and evaluate all available and applicable products at that time.

Risk Analysis and Risk Management Approach/Strategy

The first goal of completing a Risk Analysis is to identify threats and vulnerabilities in your organization that have the potential of negatively impacting the confidentiality, integrity, and availability of ePHI. After ranking threats and vulnerabilities, the next step is to mitigate the risks. This is accomplished by taking reasonable and appropriate security measures to protect ePHI from these threats and vulnerabilities. Mitigation efforts may be technical and nontechnical in nature and will vary between organizations. This Risk Management process and the measures taken are often documented in a Risk Mitigation Implementation Plan.

This Toolkit is a work in progress. More documents will be added to further assist organizations in their efforts to complete a Risk Analysis, Risk Assessment, and their Risk Management strategy. This Toolkit is not considered to be all inclusive. There are other aspects to completing risk assessments/analyses that this Toolkit does not cover (e.g. vulnerability assessments, penetration testing, etc.).
Following is a brief summary of the documents in the Toolkit and how to use them. A recommended approach is to use them in the order listed.

1) NIST Risk Assessment Steps. Word document.
   A) This document provides a high level summary of the nine risk assessment steps recommended in the NIST SP 800-30 (2002). These are the steps to take to identify and rank risks, develop controls, and document results of the risk assessment.
   B) A copy of the NIST SP 800-30 (2002) flowchart is also included, which provides a graphical display of these steps.

HIPAA COW Risk Assessment Template. Excel document.
Depending on how this spreadsheet opens, you may need to click on the small left or right arrow keys located at the bottom of the spreadsheet to get to the worksheets described below that are in this document.

2) Example Security P&P List. Excel document. Tab 2
   A) Included is a list of policies and procedures (P&Ps) your organization may write to cover the requirements of the HIPAA Security Rule.
   B) It is an example list only. Your organization is not required to name your P&Ps this way.
   C) The policies are listed in order of potential “importance”, or criticality to the confidentiality, integrity, and availability of ePHI. It is recommended that your organization take some time to determine if this order is consistent with your mission, vision, and/or organizational culture.
   D) This same list is included in the same order in the Security Questions worksheet as a cross-reference.

3) Security Questions. Excel document. Tab 3. Important Note: when printing this, it is formatted to print on legal size paper.
   A) This worksheet includes an example list of questions and a way for your organization to document how you are meeting (in compliance with) the HIPAA Security Rule and HITECH security requirements.
      Recommended Actions were updated in 2013 to include questions from the OCR Audit Protocol.
   B) This worksheet is currently sorted by the example HIPAA Security P&P List. It is not sorted by the order in which it appears in the HIPAA Security Rule. It is important to note that several sections of the HIPAA Security Rule are often pulled together as they are interrelated.
      i) To better understand what this means relative to the HIPAA Security Rule:
         (1) For efficient and effective implementation of the HIPAA Security Rule, HIPAA COW took an approach to logically group similar topics in the HIPAA Security Rule. Standards and Implementation Specifications are grouped in this worksheet by the example Security P&P name and also sorted by the order in which the P&P name appears on the Example Security P&P List. Therefore, you will find that not all Implementation Specifications are grouped under the Standard in which they are listed in the HIPAA Security Rule.
   C) Each row includes information about the HIPAA Security Rule or HITECH, a vulnerability/threat pair, an assessment question, recommended controls, etc.
      i) Refer to Appendix A, which provides a summary of what the different text colors in the rows mean, definitions of the Current Status column, a key that describes what is included in and how to use each column, and other recommendations for documenting your current status.
   D) NIST Threat Overview. Word Document.
      i) Use this document while completing the Risk Management questions on the Security Questions worksheet.
      ii) This document is a Threat Identification Overview provided in NIST SP 800-30. It includes definitions of a threat, threat source, threat action, and vulnerability.
   E) Threat Source List. Excel Document. Tab 4
      i) Use this document while completing the Risk Management questions on the Security Questions worksheet.
      ii) This is an example list of potential threat sources to the confidentiality, integrity, and availability of your organization’s ePHI.
      iii) Use the document to identify and create your own list of threat sources to your organization’s ePHI.
      iv) The bolded items on this list are those that are believed to be the most common threat sources to occur in Wisconsin, as determined by the HIPAA COW Risk Management Networking Group at the time this was developed.
      v) Review this list carefully and modify it to include threat sources that may impact the confidentiality, integrity, and/or availability of your patients’ ePHI. When identifying vulnerability/threat pairs, consider previous security incident reports, system and facility break-in attempts, unplanned outages, and possible natural or man-made disasters your facility may be susceptible to.
   F) Inventory Asset List. Excel Document. Tab 5
      i) Use this document while completing the Risk Management and Contingency Plan questions on the Security Questions worksheet.
      ii) This is an example list of assets your organization may have.
      iii) Update this list to include the communication, hardware, and software that your organization uses. Document for each: a brief description, its function, how it is used, its criticality level, quantity, etc.
      iv) Important Notes:
         (1) This spreadsheet is formatted to print columns A through G. Columns H through AA are additional items that are often important to document and maintain for systems.
         (2) The different colors in the header row are used only as a means to color code the different types/groups of information.
         (3) This spreadsheet is intended to document a small organization’s hardware and software. Larger organizations would use a configuration management or other asset tracking database.
   G) Network Diagram Example. PDF document.
      i) Use this document while completing the Contingency Plan questions on the Security Questions worksheet.
      ii) This includes an example of a very simple, small practice network diagram. Other examples are available on the Internet (search for “network diagram”).
      iii) Network diagrams display how an organization’s systems and network are set up, show interdependencies, identify critical interdependencies, etc. They are useful to have during emergencies so that IT staff can easily identify how to get the systems back up and running.
   H) NIST Risk Definitions & Calculations. Word document.
      i) This document is extracted directly from NIST SP 800-30 (2002). It includes definitions of likelihood, impact, and risk levels. Use the Likelihood & Impact definitions to select the correct likelihood level and magnitude of impact on the Risk Mitigation Implementation Plan.
      ii) Use this document to help you complete the Likelihood and Impact for those assessment questions that you identified as “Not Complete” and “In Progress” on the Security Questions worksheet.
      iii) After entering the Likelihood level and magnitude of Impact levels, the spreadsheet will automatically calculate the Risk Level.
      iv) It is common for organizations to first review and mitigate the High & Moderate Risk levels identified.

4) Risk Mitigation Implementation Plan. Excel Document. Tab 6
   A) This Risk Mitigation Implementation Plan follows the steps presented in the NIST Risk Mitigation Activities document (described below). It includes the seven steps recommended by NIST to reduce threats and vulnerabilities to a reasonable and appropriate level.
   B) Once you have completed scoring the questions on the Security tab, press the Complete Form button. For those questions where the risk score is greater than 50, this will transfer the following columns to the Risk Mitigation Implementation Plan (Tab 6):
      i) Risk/Vulnerability Threat Pair (H)
      ii) Risk Level (N)
      iii) Recommended Actions and Controls (O)
      (Note: macros must be enabled for the button to work.) This will save you considerable time copying and pasting!
      iv) NIST Risk Mitigation Activities. Word document.
         (1) This document is extracted directly from NIST SP 800-30 (2002). It provides a methodology and summary of actions to take to mitigate identified risks.
         (2) Use this document while working through each of the risk mitigation steps. Document the details of these risk mitigation implementation plan steps as you complete them in this worksheet.
            (a) Document all decisions made and the rationale for the decisions on this worksheet.
            (b) When determining what to include in the Evaluate Control Options, Conduct Cost Benefit Analysis, and Select Controls columns, consider the following:
               (i) Sensitivity of the data and the system
               (ii) Amount of PHI
               (iii) Mobility of the system using the data (can it be used remotely from any location and, if yes, is it secure when accessed, such as through an encrypted connection)
               (iv) Frequency of use
               (v) Number of users
               (vi) Consideration of previous security incidents
               (vii) Effectiveness of recommended controls (e.g., system compatibility)
               (viii) Legislation and regulations
               (ix) Organizational policy
               (x) Operational impact
               (xi) Safety and reliability
               (xii) Cost to implement recommended controls
   C) Documentation from your Risk Mitigation Implementation Plan may be requested if you are audited by the Office for Civil Rights.
   D) After mitigating these risks, follow the above steps for the low risk levels identified on the Security Questions worksheet.
   E) Office Use Only. Excel Document. It is the seventh worksheet on the HIPAA COW Risk Assessment Template spreadsheet.
      i) Information from this worksheet provides a key that “feeds” into the Security Questions worksheet. More specifically, it provides the only selections that can be made for the Current Status, Likelihood, and Impact columns.
      ii) Do not delete or change information on this worksheet or you risk disabling the functionality of the document.

5) Risk Analysis Report Template. Word Document.
   A) After creating your Risk Mitigation Implementation Plan, use this template to create a Risk Analysis Report. This Report will outline the methodology and steps taken to complete the Risk Analysis for your organization, identify safeguarding measures currently in place, describe and rank risks to the confidentiality, integrity and/or availability of your organization’s ePHI, and provide recommended controls to address these risks.
   B) Provide this report to your executive leadership team, Board of Directors, etc. Request their approval and support to put in place the recommended controls.
   C) Then begin putting the selected controls in place and document all steps/actions taken on the Risk Mitigation Implementation Plan.

6) Risk Management Policy. Word Document (1/2013)
   A) This is a policy template for your organization to use to document your risk management process. It follows the same seven steps outlined in our other documentation.

7) HIPAA COW OCR Audit Protocol. Excel Spreadsheet
   A) The HIPAA COW Risk Management group reviewed the OCR audit protocol and added a column identifying which Risk Toolkit security questions map to the audit questions. The last column includes the question numbers that are currently believed to cover some or all of the audit protocol requirements for each specific item.

8) Toolkit References
   A) Office for Civil Rights Guidance on Risk Analysis Requirements under the HIPAA Security Rule, July 14, 2010.
      http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalintro.html
   B) Office for Civil Rights HIPAA Privacy and Security Regulations:
      http://www.hhs.gov/ocr/privacy/hipaa/administrative/index.html
   C) Office for Civil Rights HIPAA Security Series:
      http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
   D) Office for Civil Rights HIPAA Case Examples and Resolution Agreements:
      http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html
   E) Office for Civil Rights HIPAA Enforcement Highlights:
      http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html
   F) NIST Special Publications: http://csrc.nist.gov/publications/PubsSPs.html
      i) NIST SP 800-30: Risk Management Guide for Information Technology Systems, July 2002
      ii) NIST SP 800-34: Contingency Planning Guide for Federal Information Systems (Errata Page - Nov. 11, 2010)
      iii) NIST SP 800-53 Rev 3: Recommended Security Controls for Federal Information Systems and Organizations (August 2009)
      iv) NIST SP 800-53 A: Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans (June 2010)
      v) NIST SP 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, October 2008
   G) HIPAA/HITECH Privacy & Security Checklist. WVMI & Quality Insights, Regional Extension Center, Privacy & Security Community of Practice, January 7, 2011.
   H) Risk Analysis Report Template. Quality Insights of Delaware, Regional Extension Center, Privacy & Security Community of Practice, January 7, 2011 v.1.
   I) HIPAA Risk Assessment, Risk Analysis Report, Network Diagram and Other Tools. MetaStar/WHITEC, 2011.

9) Other Available Risk Resources
   A) ISO 27000 Series.
      http://www.27000.org/

Version History:

Current Version: 9/13/13
Prepared by:
   Mary Koehler, ProHealth Care
   Bethany Seeboth, Froedtert Health
Reviewed by:
   Sue Alwin-Popp, Edgerton Hospital & Health Services
   Maggie Fuchs, Monroe Clinic
   Colleen Galetka, Rusk County Memorial Hospital
   Lois Kallunki, WISHIN
   Wayne Pierce, Aspirus, Inc.
   Holly Schlenvogt, HRT Consulting, LLC
   Jeff Thompson, WI Department of Health Services
   Amy Wolfgram, GHC of Eau Claire
Content Changed: General updates to match supporting documents that have been updated. **You may request a copy of all the changes made in this current version by contacting administration at admin2@hipaacow.org.

Previous Version: 7/2/12
Prepared by:
   Holly Schlenvogt, MSH, CPM, MetaStar/WHITEC
Reviewed by:
   Kathy Argall, Co-Founder and CEO, InfoSec Compliance Advisors
   Cathy Boerner, JD, CHC, President, Boerner Consulting, LLC
   Ginny Gerlach, Information Security Officer, Ascension Health
   Lee Kadel, MMOT, EMBA, GHSC, GSEC, Information Security Analyst – Specialist, Wheaton Franciscan Healthcare
   Jim Sehloff, MS, MT(ASCP), Information Security Analyst, CareTech Solutions
   Kirsten Wild, RN, BSN, MBA, CHC, Wild Consulting, Inc.

Appendix A: HIPAA COW Risk Assessment Spreadsheet Key

1) Text colors
   A) Rows in which the text is black are questions based directly on regulation language.
   B) Rows below these in which the text is green include items that support the intent of the requirements (of the question in black above them). These include additional questions to help identify how you are meeting legal requirements and/or industry best practices.

2) Assessment questions that state: “No questions asked…informational only”. These include language that is in the Security Rule but does not require that security measures be taken.
3) Current Status column:
   A) Select the applicable Current Status from the drop down for each of the questions. Only identify a question as “Complete” if all required measures are in place and it is consistently followed. If you have a written policy, for example, but it is not consistently followed, indicate it is “In Progress”.
      i) Complete: the item has been written, implemented, and is consistently followed
      ii) In Progress: the item has been identified, is currently being addressed, or is written (or partially written), but not fully implemented and/or consistently followed
      iii) On Hold: the item is not currently complete, and is not currently being addressed for reasons such as awaiting approvals, budgeting, resource allocation, etc.
      iv) Not Complete: the item has not been addressed
      v) Unknown: it is not certain if this item has been completed or is in progress
      vi) N/A: this item is not required to be completed or is not applicable to this organization’s security compliance requirements
   B) Document details of the current status in the Current State/Status column. Include items such as policy and procedure names in place, technology used, and other safeguarding mechanisms/procedures in place.

The below key describes what is included in each column on the “Security Questions” worksheet in the HIPAA COW Risk Assessment Template spreadsheet.

Policy #: A numbering system HIPAA created for these questions.

Reg #: This is the regulation number listed in the Security Rule or HITECH.

Reg Standard: When listed, this is the “header” name of the regulation. For the Security Rule, listed in parenthesis is the main section it is under in the Security Rule (i.e. General requirement rules, Administrative, Physical, or Technical Safeguards, Organizational or P&Ps & documentation requirements).

(Column header not recoverable from the source): When listed, this is the regulation in which this is located (HIPAA Security & HITECH).

Risk Vulnerability/Threat Pair: Identifies the vulnerability(s) (flaw or weakness) associated with your organization’s environment should a threat source exploit it. Threat sources listed are those most commonly known to happen in Wisconsin. There are likely more that need to be considered.

Assessment Question: This assessment question is used to determine if your organization has P&Ps or other measures in place to prevent the vulnerability/threat pair from happening, as required or recommended by the particular law, or that meets known best practices.

A/R: This column is for the Security Rule only; A=Addressable, R=Required (refer to the definitions of addressable and required to determine how to meet these requirements).

Implementation Specification: When listed, this is the “header” name for the Implementation Specification, which is always under a Standard.

Legal Requirements: This is the actual regulation text; when the law is lengthy, key points of the requirements are summarized.

Current Status: This is used to document whether your organization has measures in place to meet compliance with the applicable regulation or best practices. Select from the drop down box: Complete; In Progress; Not Complete; Unknown; or Not Applicable.

Current State/Comments: Use this column to document a summary of the P&Ps, technology, and other measures your organization has in place, or is about to implement, to prevent the vulnerability/threat pair from happening.

Likelihood (.1, .5, or 1): Likelihood that a threat will attempt to exercise a vulnerability given existing or planned security controls (NIST SP 800-30): .1=Low; .5=Medium; 1=High

Impact (10, 50, or 100): Impact level (magnitude) if a threat actually exercised a vulnerability (NIST SP 800-30): 10=Low; 50=Medium; 100=High

Risk Level: By multiplying the likelihood by the impact level, this calculation represents the degree or level to which ePHI may be exposed or compromised if a given vulnerability were exercised. There is a formula built into this worksheet that automatically calculates this for you (NIST SP 800-30): 1-10=Low; >10-50=Moderate; >50-100=High

Recommended Actions/Controls: Red text = from CAPs with OCR. Recommendations included here are intended to help your organization take measures necessary to prevent or minimize the risk that the vulnerability/threat pair will happen. The controls listed are not considered all-inclusive or one-size-fits-all. Your practice should tailor the controls as appropriate for your organization.

Policy/Procedure: This includes a generic policy or procedure name. The reason for this is to help organize the Privacy, Security, & HITECH regulations into topics. These may be similar to policy names your organization has in place. The spreadsheet is currently sorted by this column to keep the policy topics together.

HIPAA COW Reference Document: This is a Resource list. The HIPAA COW documents listed include information that may help your organization meet the Recommended Actions/Controls and ultimately the HIPAA Security Rule & HITECH requirements. Many of the documents are P&Ps you may use as a template to write your organization’s P&Ps.
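The risk scoring described in the Likelihood, Impact and Risk Level entries of the key above, together with the Complete Form transfer rule from section 4) B), worked through in code. This is an example added to this Guide; it is not part of the HIPAA COW Toolkit spreadsheet, its built-in formula or its macro. The level values, the Low/Moderate/High bands, the statuses that get scored and the greater-than-50 transfer threshold are the ones the Guide states; the row layout, the function names and the five sample questions are this example's own assumptions.

```python
"""NIST SP 800-30 (2002) risk scoring as applied by the HIPAA COW Security
Questions worksheet: risk = likelihood x impact, banded Low/Moderate/High,
with rows scoring above 50 transferred to the Risk Mitigation Implementation
Plan. Example code added to this Guide, not the Toolkit's own spreadsheet
formula or macro; the row layout and sample rows below are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Only the values the Office Use Only worksheet feeds into the drop-downs are accepted.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}  # NIST SP 800-30 likelihood levels
IMPACT = {"Low": 10, "Medium": 50, "High": 100}        # NIST SP 800-30 impact magnitudes
STATUSES = {"Complete", "In Progress", "On Hold", "Not Complete", "Unknown", "N/A"}
SCORED_STATUSES = {"Not Complete", "In Progress"}      # rows the Guide says to score
TRANSFER_THRESHOLD = 50                                 # Complete Form moves rows scoring > 50


def risk_score(likelihood: str, impact: str) -> float:
    """Risk score = likelihood level x impact magnitude (1 to 100)."""
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"likelihood must be one of {sorted(LIKELIHOOD)}, got {likelihood!r}")
    if impact not in IMPACT:
        raise ValueError(f"impact must be one of {sorted(IMPACT)}, got {impact!r}")
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Band a score the way the worksheet formula does:
    1-10 = Low, >10-50 = Moderate, >50-100 = High."""
    if not 1 <= score <= 100:
        raise ValueError(f"score out of range 1..100: {score}")
    if score <= 10:
        return "Low"
    if score <= 50:
        return "Moderate"
    return "High"


@dataclass
class Question:
    """One row of the Security Questions worksheet (layout assumed for this example)."""
    policy_no: str
    threat_pair: str            # column H: Risk/Vulnerability Threat Pair
    status: str                 # Current Status drop-down value
    likelihood: Optional[str] = None
    impact: Optional[str] = None
    controls: str = ""          # column O: Recommended Actions and Controls


def score_question(q: Question) -> Optional[Dict[str, object]]:
    """Return score and level for a row that needs scoring, or None for rows
    whose status the Guide does not ask you to score (Complete, On Hold, ...)."""
    if q.status not in STATUSES:
        raise ValueError(f"{q.policy_no}: status {q.status!r} is not a drop-down value")
    if q.status not in SCORED_STATUSES:
        return None
    if q.likelihood is None or q.impact is None:
        raise ValueError(f"{q.policy_no}: {q.status} rows need both Likelihood and Impact")
    score = risk_score(q.likelihood, q.impact)
    return {"score": score, "level": risk_level(score)}


def complete_form(rows: List[Question]) -> List[Dict[str, object]]:
    """Mimic the Complete Form button: copy columns H, N and O of every row
    scoring above TRANSFER_THRESHOLD to the Implementation Plan, highest first."""
    plan = []
    for q in rows:
        result = score_question(q)
        if result is None or result["score"] <= TRANSFER_THRESHOLD:
            continue
        plan.append({
            "policy_no": q.policy_no,
            "threat_pair": q.threat_pair,     # H
            "risk_level": result["level"],    # N
            "controls": q.controls,           # O
            "score": result["score"],
        })
    plan.sort(key=lambda r: r["score"], reverse=True)
    return plan


# Constructed sample rows (not from the Toolkit); the pairs are illustrative only.
SAMPLE_ROWS = [
    Question("1.1", "Unencrypted laptop / theft or loss", "Not Complete",
             "High", "High", "Full-disk encryption on all portable devices"),
    Question("1.2", "Audit logs not reviewed / unauthorized access goes undetected",
             "In Progress", "Medium", "High", "Schedule and document periodic log review"),
    Question("1.3", "No workforce training / phishing success", "Complete"),
    Question("1.4", "Generator not tested / extended power outage", "Not Complete",
             "Low", "High", "Add generator test to maintenance schedule"),
    Question("1.5", "Shared workstation logins / actions not attributable",
             "In Progress", "Medium", "Medium", "Issue unique user IDs"),
]

if __name__ == "__main__":
    for q in SAMPLE_ROWS:
        print(q.policy_no, score_question(q))
    for row in complete_form(SAMPLE_ROWS):
        print("Transfer to Implementation Plan:", row)
```

Row 1.2 is the edge case worth noticing: Medium likelihood times High impact scores exactly 50, which the key bands as Moderate and which the Complete Form rule (greater than 50) does not transfer, so it stays on the Security Questions tab to be worked after the High items, as section 3) H) iv) recommends.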