Health IT Security Risk Assessment Tool

This document provides instructions for completing a security risk assessment tool to help medical practices comply with HIPAA and Meaningful Use requirements. It describes a 4-step process: 1) Preparing an inventory of assets, 2) Completing screening questions, 3) Assessing people/processes risks and 4) Assessing technology risks. The tool is based on NIST risk assessment guidance and is designed to identify risks and suggest remediations to reduce risks to an acceptable level.

This document was obtained from the Internet by AuditNet® using advanced search

techniques. The document is from a site which has not identified restrictions on
permitted use, and we are sharing this information for the benefit of the audit community.
However, while we have attempted to provide accurate information no
representation is made or warranty given as to the completeness or accuracy of the
document. In particular, you should be aware that the document may be incomplete,
may contain errors, or may have become out of date. While every reasonable
precaution has been taken in the preparation of this document, neither the author
nor AuditNet® assumes responsibility for errors or omissions, or for damages
resulting from the use of the information contained herein. The information contained
in this document is believed to be accurate. However, no guarantee is provided. Use
this information at your own risk.
Audit Program Licensing Terms
1. You accept that this product is intended for your use, and you will not duplicate in any form or manner, electronic or otherwise, copies of this product nor distribute this product to anyone else.
2. You recognize that the product and its content are the sole property of AuditNet® (the Publisher), and that we have copyrighted the product.
3. You agree that the Publisher is not responsible for any interruption of service or malfunction that is a consequence of the Internet, a service provider, personal computer, browser or other software or hardware components. You accept that there is no guarantee that this product is totally error free. You further understand and accept that the Publisher intends to provide reliable information but does not guarantee the accuracy or completeness of any information, and is not responsible for any results obtained from the use of such information.
4. This license is effective until terminated, when the license or subscription period ends without renewal, or when you destroy this product and any related documentation. The Publisher may terminate your license without notice if you fail to comply with the conditions set forth in this agreement, and may pursue any other legal recourse.
HIT Security Risk Assessment Tool
Presented By: The National Learning Consortium (NLC)
Developed By: Health Information Technology Research Center (HITRC) Privacy and Security Community of Practice (Toolkit Workgroup)
Version: 1.0
Date: October 21, 2011
Description: The purpose of a risk assessment is to identify conditions where Electronic Protected Health Information (EPHI) could be disclosed without proper authorization, improperly modified, or made unavailable when needed. This information is then used to make risk management decisions on what reasonable and appropriate safeguards are needed to reduce risk to an acceptable level. This Risk Assessment Tool is intended to be a starting point for identifying cybersecurity risks to your organization. Please note that this tool is best printed using landscape orientation and on legal sized paper.
Table of Contents:
How to Complete the Forms
800-66 Risk Guidance
Practice Summary
Inventory (Preparation)
Screening Questions (Step 1)
People and Processes (Step 2a)
Technology (Step 2b)
Findings-Remediation (Step 3)

The National Learning Consortium (NLC) is a virtual and evolving body of knowledge and tools designed to support healthcare providers
and health IT professionals working towards the implementation, adoption and meaningful use of certified EHR systems.

The NLC represents the collective EHR implementation experiences and knowledge gained directly from the field of ONC’s outreach
programs (REC, Beacon, State HIE) and through the Health Information Technology Research Center (HITRC) Communities of Practice
(CoPs).

The following resource is a tool used in the field today and recommended by “boots-on-the-ground” professionals for use by others who
have made the commitment to implement or upgrade to certified EHR systems.

Introduction Page 3 October 21, 2011


HOW TO COMPLETE THE FORMS
Introduction
Completion of this tool will assist a practice in complying with Meaningful Use and the HIPAA Security Rule, but it is not a guarantee of compliance with either. Practices are still
obligated to comply with the specific requirements of each rule. Use of this tool will provide an overall view of the state of security and provide suggestions for remediation of
deficiencies. A complete risk assessment must address each asset type separately, which this tool does not do.

This Risk Assessment Tool contains a four-step process designed to enable respondents to identify their level of risk against pre-identified threats and vulnerabilities. The tool is designed for ease of use: cells populated on one tab are automatically populated on subsequent tabs to ensure accuracy and simplicity. The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) references components of the National Institute of Standards and Technology (NIST) Special Publications (SP) 800-66 and 800-30 as guidance for a security risk assessment. NIST SP 800-66 is an introductory resource guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and NIST SP 800-30 is a risk management guide for information technology systems.

Background information on the nine primary steps of the risk assessment methodology outlined in NIST SP 800-66 and NIST SP 800-30 is available on the next tab, labeled 800-66 Risk Guidance. These steps offer helpful background on the assessment steps, how they interact with one another, and basic descriptions of risk and the components of risk, such as threats and vulnerabilities. Internet links to NIST SP 800-66 and SP 800-30 are also provided for those seeking additional information.

The Risk Assessment Tool Four-Step Process


The following four-step process is provided for using the Risk Assessment Tool:

Preparation is the Inventory of Assets tab. It is optional for the respondent but highly recommended. In this step, the respondent should list ALL devices that are touched by EPHI, for example desktop PCs, fax machines, or specialized medical devices with computerized hard drives that record patient data and test results. Any software application that comes into contact with EPHI, whether for recording patient information, billing information or any other purpose, should also be listed here. The next column asks whether the device processes, stores or transmits EPHI. If the device does not process EPHI, there is no need to proceed further with it. If the device DOES process EPHI, the respondent then selects in the next column whether the asset should be categorized as a People and Process asset or as a Technology asset.

Step 1 is the Screening Questions. This tab is offered as a means of determining the degree to which threats and associated vulnerabilities apply to the organization's assets. While this tab is an optional feature of the risk analysis, it is strongly recommended that respondents use it, as these questions will assist with the responses in Steps 2a and 2b. Users should examine each question and determine the degree to which their current operations address the matching Threat-Vulnerability Statement. The choices in the drop-down menu are Addressed, Partially Addressed or Not Addressed. Two columns are provided at the far right of the table for respondents to give expanded responses to the question in the row: responses entered in the People/Processes column are automatically transferred to the Existing Control column of the People and Processes (Step 2a) tab, and responses entered in the Technology column are automatically transferred to the Existing Control column of the Technology (Step 2b) tab. If no action is taken, please indicate 'No Action Taken' in the appropriate column(s). There is no correct or incorrect response; this is merely a sampling of what practitioners are doing to mitigate threats or minimize vulnerabilities.

Steps 2a (People and Processes) and 2b (Technology) utilize the same questions, criteria and risk calculations. It is necessary to separate the two categories of assets for
analysis purposes.
The People and Processes and Technology tabs will list assets typically found within a medical practice which are applicable to the Threat-Vulnerability Statement appearing in the
next column.

The Recommended Control Measures, which is associated with the Threat-Vulnerability, is pre-populated and is provided for respondents to consider in developing their information
security posture.

The Existing Control is what the practitioner is doing, if any corrective actions are being taken, to mitigate and reduce the threat or vulnerability. These cells will be pre-populated
with data from the People/Processes and/or Technology columns of the Screening Questions (Step 1) tab.

The Existing Control Effectiveness is a Drop-Down list in which the respondent will select the best answer to describe the degree to which their counter-measures address the
Threat-Vulnerability statement earlier in the row. When making a selection, respondents should also consider how effective their counter-measures are in relation to the
Recommended Control Activity which is suggested in the previous cell. The available response choices are Effective, Partially Effective or Not Effective.

The Exposure Potential is a pre-populated cell derived from the response on the Step 1 tab and represents the risk exposure to the practice for this Threat-Vulnerability statement. The risk exposure is rated on a scale of High, Medium or Low. Its purpose is to offer additional guidance and support the respondent in the following selections of Impact and Likelihood of Occurrence, or simply 'Likelihood'. As with the Impact rating, Likelihood is a judgment by the respondent as to how likely an 'Undesirable Event', such as a power outage or fire, is to occur to the medical practice. Please select the appropriate corresponding choice:
VERY LIKELY is defined as having a probable chance of occurrence.
LIKELY is defined as having a significant chance of occurrence.
NOT LIKELY is defined as having a modest or insignificant chance of occurrence.

Impact is the consequences of a security event to the medical practice. Please select from the appropriate corresponding choice of High, Medium or Low for each Business Asset.
HIGH is defined as having a catastrophic impact on the medical practice; the medical practice is incapable of offering medical treatments or services and a significant number of
medical records have been lost or compromised.
MEDIUM is defined as having a significant impact; the medical practice may offer a reduced array of treatment services to patients. A moderate number of medical records within the
practice have been lost or compromised.
LOW is defined as a modest or insignificant impact; the medical practice can continue to offer treatment to patients and some medical records may be lost or compromised.

NOTE: Any loss or compromise of 500 medical records or more requires that the practice notify the US Department of Health and Human Services (HHS), Office for Civil
Rights (OCR) immediately.

The Risk Rating requires no action by the respondent. The column automatically calculates the risk rating to the medical practice based upon the inputs to the 'Impact' and
'Likelihood' columns.

Step 3, Findings-Remediation, is the final tab requiring completion and is almost entirely auto-populated with data from previous tabs. The Risks Found column is populated with the rows from the People and Processes or Technology asset tabs that were determined in Steps 2a or 2b to have a Risk Rating of either Medium or High. The Existing Control Measures Applied are the measures, if any, currently being undertaken to address the threat, as indicated in Steps 2a or 2b. Recommended Control Measures are the corresponding recommended corrective measures that were automatically populated in the tabs of Steps 2a and 2b and appear again here. The final cell, Additional Steps, offers the respondent an opportunity to consider and state any additional measures they would like to implement.
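As an added example (not part of the NLC tool or its spreadsheet), the following Python models the data flow described in Steps 1 to 3: a Step 1 screening response sets the Exposure Potential, the respondent's Impact and Likelihood produce a Risk Rating, and only Medium or High rows reach Findings-Remediation. The spreadsheet's own lookup formulas are not reproduced on this page, so the response-to-exposure mapping, the 3x3 risk matrix and the sample recommended control text are assumptions.

```python
"""Model of the tool's Step 1 -> Step 2 -> Step 3 data flow.

Added example, not the NLC spreadsheet's own logic. The sheet's lookup
formulas are not on the page, so the two tables below are assumptions
chosen to match the text: a screening response of Addressed / Partially
Addressed / Not Addressed maps to an Exposure Potential of Low / Medium /
High, and the Risk Rating is read from an Impact x Likelihood matrix in
the usual NIST SP 800-30 qualitative style.
"""
from dataclasses import dataclass

RESPONSES = ("Addressed", "Partially Addressed", "Not Addressed")
IMPACTS = ("High", "Medium", "Low")
LIKELIHOODS = ("Very Likely", "Likely", "Not Likely")

# Step 1 response -> Exposure Potential (assumed mapping)
EXPOSURE_FROM_RESPONSE = dict(zip(RESPONSES, ("Low", "Medium", "High")))

# (Impact, Likelihood) -> Risk Rating (assumed 3x3 matrix)
RISK_MATRIX = {
    ("High", "Very Likely"): "High",   ("High", "Likely"): "High",
    ("High", "Not Likely"): "Medium",
    ("Medium", "Very Likely"): "High", ("Medium", "Likely"): "Medium",
    ("Medium", "Not Likely"): "Low",
    ("Low", "Very Likely"): "Medium",  ("Low", "Likely"): "Low",
    ("Low", "Not Likely"): "Low",
}


@dataclass
class ScreeningAnswer:
    """One row of the Step 1 (Screening Questions) tab."""
    tvs_id: str
    statement: str
    response: str
    people_processes: str = "No Action Taken"
    technology: str = "No Action Taken"

    def __post_init__(self):
        if self.response not in RESPONSES:
            raise ValueError(f"{self.tvs_id}: bad response {self.response!r}")


@dataclass
class AssessmentRow:
    """One row of the Step 2a or 2b tab. Exposure Potential and Existing
    Control are carried over from Step 1; the respondent supplies Impact,
    Likelihood and Existing Control Effectiveness."""
    tab: str                      # "People and Processes" or "Technology"
    asset: str
    tvs_id: str
    statement: str
    recommended_control: str
    existing_control: str
    exposure_potential: str
    effectiveness: str = "Not Effective"
    impact: str = "Low"
    likelihood: str = "Not Likely"

    @property
    def risk_rating(self) -> str:
        """The auto-calculated column: derived only from Impact and Likelihood."""
        if self.impact not in IMPACTS or self.likelihood not in LIKELIHOODS:
            raise ValueError(f"{self.tvs_id}: bad impact/likelihood")
        return RISK_MATRIX[(self.impact, self.likelihood)]


def carry_forward(answer: ScreeningAnswer, tab: str, asset: str,
                  recommended_control: str) -> AssessmentRow:
    """Pre-populate a Step 2 row from a Step 1 answer, as the tabs do."""
    existing = (answer.people_processes if tab == "People and Processes"
                else answer.technology)
    return AssessmentRow(tab, asset, answer.tvs_id, answer.statement,
                         recommended_control, existing,
                         EXPOSURE_FROM_RESPONSE[answer.response])


def findings(rows):
    """Step 3: only rows rated Medium or High reach Findings-Remediation,
    highest risk first."""
    order = {"High": 0, "Medium": 1}
    kept = [r for r in rows if r.risk_rating in order]
    return sorted(kept, key=lambda r: order[r.risk_rating])


# Constructed sample input mirroring the page's TVS001 screening row.
SAMPLE = ScreeningAnswer(
    "TVS001",
    "Management has not defined responsibilities for the information "
    "security program.",
    "Not Addressed",
)


def demo():
    # Recommended control text below is constructed for the example.
    row = carry_forward(SAMPLE, "People and Processes", "Security program",
                        "Appoint a security official and document roles.")
    row.impact, row.likelihood = "High", "Likely"   # respondent's judgment
    return row, findings([row])


if __name__ == "__main__":
    row, found = demo()
    print(row.exposure_potential, row.risk_rating, len(found))
```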

NEXT STEP: Please proceed to the 800-66 Risk Guidance tab which provides guidance on conducting a risk assessment.

NIST SP 800-66 RISK GUIDANCE
How to Conduct the Risk Assessment:
Risk assessments can be conducted using many different methodologies. There is no single methodology that will work for all organizations and all situations. The following steps
represent key elements in a comprehensive risk assessment program, and provide an example of the risk assessment. It is expected that these steps will be customized to most
effectively identify risk for an organization based on its own uniqueness. Even though these items are listed as steps, they are not prescriptive in the order that they should be
conducted. Some steps can be conducted simultaneously rather than sequentially.

1. Scope the Assessment.


The first step in assessing risk is to define the scope of the effort. To do this, it is necessary to identify where EPHI is created, received, maintained, processed, or transmitted.
Ensure that the risk assessment scope takes into consideration the remote work force and telecommuters, and removable media and portable computing devices (e.g., laptops,
removable media, and backup media).

2. Gather Information.
During this step, the covered entity should identify the conditions under which EPHI is created, received, maintained, processed, or transmitted by the covered entity. It should also identify the security controls currently being used to protect the EPHI.

3. Identify Realistic Threats.


Often performed simultaneously with Step 4, Identify Potential Vulnerabilities, the goal of this step is to identify the potential threat sources and compile a threat statement listing potential threat sources that are applicable to the covered entity and its operating environment. The listing of threat sources should include realistic and probable human and natural incidents that can have a negative impact on an organization's ability to protect EPHI.

4. Identify Potential Vulnerabilities.


Often performed simultaneously with Step 3, Identify Realistic Threats, the goal of this step is to develop a list of vulnerabilities (flaws or weaknesses) that could be exploited by
potential threat sources. This list should focus on realistic technical and nontechnical areas where EPHI can be disclosed without proper authorization, improperly modified, or made
unavailable when needed.

5. Assess Current Security Controls.


Often performed simultaneously with Step 2, Gather Information, the purpose of this step is to determine if the implemented or planned security controls will minimize or eliminate
risks to EPHI. A thorough understanding of the actual security controls in place for a covered entity will reduce the list of vulnerabilities, as well as the realistic probability, of a threat
attacking (intentionally or unintentionally) EPHI.

6. Determine the Likelihood and the Impact of a Threat Exercising a Vulnerability.


The next major step in measuring the level of risk is to determine the likelihood and the adverse impact resulting from a threat successfully exploiting a vulnerability. A business
impact assessment prioritizes the impact levels associated with the compromise of an organization’s information assets based on a qualitative or quantitative assessment of the
sensitivity and criticality of those assets. An asset criticality assessment identifies and prioritizes the sensitive and critical organization information assets (e.g., hardware, software,
systems, services, and related technology assets) that support the organization’s critical missions.

7. Determine the Level of Risk.


The purpose of this step is to assess the level of risk to the IT system. The determination of risk takes into account the information gathered and determinations made during the
previous steps. The level of risk is determined by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence.
8. Recommend Security Controls.


During this step, security controls that could mitigate the identified risks, as appropriate to the organization’s operations, are recommended. The goal of the recommended controls is
to reduce the level of risk to the IT system and its data to an acceptable level. Security control recommendations provide input to the risk mitigation process, during which the
recommended security controls are evaluated, prioritized, and implemented.

9. Document the Risk Assessment Results.


Once the risk assessment has been completed (threat sources and vulnerabilities identified, risks assessed, and security controls recommended), the results of each step in the risk
assessment should be documented. NIST SP 800-30 provides a sample risk assessment report.

Key Terms Defined


When talking about risk, it is important that terminology be defined and clearly understood. This section defines important terms associated with risk assessment and management.
• Risk is the potential impact that a threat can have on the confidentiality, integrity, and availability of EPHI by exploiting a vulnerability.
• Threats are anything that can have a negative impact on EPHI.
Threats are:
o Intentional (e.g., malicious intent); or
o Unintentional (e.g., misconfigured server, data entry error).

• Threat sources are:


o Natural (e.g., floods, earthquakes, storms, tornados);
o Human (e.g., intentional such as identity thieves, hackers, spyware authors; unintentional such as data entry error, accidental deletions); or
o Environmental (e.g., power surges and spikes, hazmat contamination, environmental pollution).

• Vulnerabilities are a flaw or weakness in a system security procedure, design, implementation, or control that could be intentionally or unintentionally exercised by a threat.
• Impact is a negative quantitative and/or qualitative assessment of a vulnerability being exercised on the confidentiality, integrity, and availability of EPHI.

For further information, please refer to NIST SP 800-66 and NIST SP 800-30. A link to the NIST Special Publications 800 Series is provided below:
http://csrc.nist.gov/publications/PubsSPs.html

NEXT STEP : Please proceed to the Step 1 tab and complete the appropriate sections which follow. Background information and guidance is offered at the top of each tab.

Practice Summary
Last Revision Date
Contributors
(persons involved with the assessment)

Practice Information
Practice Name
Contact Information Name:
(Practice Point of Contact) Email:
Phone:
Office Locations

EHR Information
EHR Model
(Hosted or Client/Server)
EHR System
Certified Version?

Vendors/Third Parties
IT Vendor
EHR Vendor Company
REC
Other

Infrastructure
EHR Server Information
Fax Server Information
Network Firewall
Wireless Devices
Workstations

Laptops
Scanners
Fax Machines
Copiers
Tablets
iPads
Medical Devices
(Devices that may contain and/or transmit data)
Other

Media Used
Smartphones
USB Thumb Drives
USB Hard Drives
CDs
Backup Tapes
Other

PHI Location
Where is PHI Stored?

Inventory Assets (Preparation)
Purpose: This tab may be helpful to respondents in determining what to consider in the population of assets in Steps 2a and 2b. The tab provides a space to
list all potential assets and whether they process EPHI. If the asset processes EPHI, then decide if the asset is best suited as a People and Process asset or a
Technology asset.

The following template is consistent with Step 1 of NIST Special Publications 800-66 and 800-30.

Using the Inventory Assets Tab:


The respondent should take a moment to carefully consider and reflect upon their complete asset inventory, then list the assets in the initial column. The
respondent can then utilize the next column to consider whether or not the asset processes EPHI. If the asset does not process EPHI, then the asset does not
need to be listed or considered for this analysis any further. If, however, the asset DOES process EPHI, then indicate the best category for the asset in the last
column.

Respondents should distinguish assets in the following way:

People and Processes: Any asset(s) which processes, transmits or stores Electronic Protected Health Information (EPHI). The assets may be used in an operational or administrative capacity, for business purposes or for sustainment of operations. As long as the asset's usage impacts EPHI, it should be listed in the tool.

Examples could include devices such as Desktop PCs, Fax Machines, Photo Copiers, Scanners, Mobile Computing Devices, Cell Phones/Smart Phones,
Storage Servers, Monitors, Phones, Pagers, Network Connections, Internet Routers, Printer(s), Teleconferencing Equipment, Dictaphones, Software, Medical
Equipment, Specialized Medical Devices (such as X-Ray, EKG, or EEG) or Portable Storage devices such as Thumb Drives.

NOTE: policies, procedures, organizational standards and guidance should all be considered and included in the Business Asset section.

Technology: This would be a list that exclusively contains the software package(s) which process EPHI. This may be any computer program from specialized
medical software to the Microsoft Office suite of products such as Excel, Word or Access. Any software or computer program which processes, transmits or
stores EPHI would be categorized in this section.

NOTE: If an asset does not process, store, or transmit EPHI, then it is NOT necessary to consider or include that asset on this list. The only consideration is
whether or not EPHI is a factor in the usage of the asset.

NEXT STEP: Please take the opportunity to review all your selections and inputs, in order to ensure accuracy in the responses given.

Columns: Asset Type | Does this asset process, store or transmit EPHI? | People/Process or Technology Asset?


Screening Questions (Step 1)


Purpose: The following tab is offered as a means of determining the degree to which threats and associated vulnerabilities apply to the organization's assets. While this tab is an optional feature of the risk analysis, it is strongly recommended that respondents use this workspace, as these questions will assist with the responses in Steps 2a and 2b.

Steps for Using the Screening Questions Tab (Step 1):

When examining each of the individual questions below, consider the question and your organization's current posture. Select from the drop-down list whether your organization Addresses, Partially Addresses or Does Not Address the security issue in question. There is no correct or incorrect response. The purpose of the risk analysis effort is to gauge the information security practices within medical facilities and to determine where best to direct resources to remediate the areas of greatest concern. When a selection is made, the corresponding 'Exposure Potential' column in Steps 2a or 2b will automatically populate with 'High', 'Medium' or 'Low' to assist the respondent in calculating their risk.

A pre-selected Threat-Vulnerability Statement corresponds to each question; no action is required for this cell. The statement is offered for the respondent to consider when deciding what, if any, response to give in the last two cells, People/Processes and Technology. All responses in the last two columns pre-populate the Existing Control column on the People and Processes (Step 2a) or Technology (Step 2b) tab respectively. The respondent should populate these cells with what the practitioner is doing, if any corrective actions are being taken, to mitigate and reduce the threat or vulnerability. If no action is taken, please indicate 'No Action Taken' in the appropriate column(s). There is no correct or incorrect response; this is merely a sampling of what practitioners are doing to mitigate threats or minimize vulnerabilities. The pre-populated Threat-Vulnerability Statement will appear again in Steps 2a and 2b.

NEXT STEP: After completing the questions on this tab, please proceed to the tab labeled People and Processes (Step 2a).

Columns: Topic | Question | Response | Threat-Vulnerability Statement | People/Processes | Technology

1. Security Program

1.1 Roles & Responsibilities
Question: [1.1] Has your organization formally appointed a central point of contact for security coordination?
a) If so, whom, and what is their position within the organization?
b) Responsibilities clearly documented? i.e. job descriptions, information security policy
Threat-Vulnerability Statement: Management has not defined responsibilities for the information security program. [TVS001]
Technology: N/A

1.2 External Parties
Question: [1.2] Do you work with third parties, such as IT service providers, that have access to your patient's information?
a) Does your organization have Business Associate agreements in place with these third parties? i.e. REC, IT Vendor, EHR Vendor, etc.
b) If not, what controls does your organization have in place to monitor and assess third parties? i.e. Logging of VPN connections, EHR logs, etc.
Threat-Vulnerability Statement: Security breaches occur when dealing with third parties due to a lack of security considerations in the related third party agreement. [TVS002]
2. Security Policy

2.1 Information Security Policy & Procedures
Question: [2.1] Do you have documented information security policies and procedures?
a) Do you have a formal information classification procedure? Please describe it. In particular, how would patient data be categorized? For example, critical, essential, and normal.
b) Have formal acceptable use rules been established for assets? Example assets include data assets, computer equipment, communications equipment, etc.
Do you have formal processes in place for security policy maintenance and deviation?
Threat-Vulnerability Statement: Management does not set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security. [TVS003]
Technology: N/A

3. Risk Management & Compliance

3.1 Risk Assessment
Question: [3.1] Do you have a process that addresses: the identification and measurement of potential risks, mitigating controls (measures taken to reduce risk), and the acceptance or transfer (Insurance policies, warranties for example) of the remaining (residual) risk after mitigation steps have been applied?
Threat-Vulnerability Statement: Information around risks and related control options are not presented to management before management decisions are made. [TVS004]
People/Processes:
- REC helping to start the risk assessment process by using this spreadsheet as a foundation for the risk assessment as well as risk management plan.
- No prior risk assessments conducted
Technology:
- No regular assessments of technology are performed, including vulnerability testing, patch management, or other review of systems to help determine risks associated with them so appropriate action(s) can be taken.

3.2 Legal Requirements - Identification of applicable legislation
Question: [3.2] Does a process exist to identify new laws and regulations with IT security implications? (e.g., new state breach notification requirements)? i.e. Newsletters, Webinars, etc.
Threat-Vulnerability Statement: Compliance with Legislative, statutory, regulatory or contractual obligations related to security are violated due to lack of controls. [TVS005]
People/Processes:
- Working with the REC helps to identify new laws and regulations due to the training and guidance with the REC team
- State breach guidance also available through the REC within the privacy and security toolkit
Technology: N/A

4. Training & Awareness

4.1 During Employment – Training, Education & Awareness
Question: [4.1] Have your employees been provided formal information security training? Have policies been communicated to your employees? Are periodic security reminders provided? i.e. New employee orientation, yearly training, posters in public areas, email reminders, etc.
Threat-Vulnerability Statement: Applications and technology solutions are not correctly and securely used since a training curriculum for employees has not been established or regularly updated. [TVS006]
People/Processes:
- No formal information security training but periodic HIPAA training (random).
- No one dedicated to the role of training.
- No IT orientation
Technology:
- The use of technology regarding a training curriculum is not currently being utilized.

5. Personnel Security

5.1 Background Checks
Question: [5.1] Does your organization perform background checks to examine and assess an employee’s or contractor’s work and criminal history? i.e. Credential verification, criminal history, references
Threat-Vulnerability Statement: Background verification checks are not carried out and management is not aware of academic, professional, credit or criminal backgrounds of employees. [TVS007]
People/Processes:
- References are verified
- Credential verification is also performed
- No criminal background checks are performed at this time
Technology: N/A

5.2 Prior to Employment - Terms and Conditions of Employment
Question: [5.2] Are your employees required to sign a non-disclosure agreement? If so, are employees required to sign the non-disclosure agreement annually? Non-disclosure and/or confidentiality form at initial employment
Threat-Vulnerability Statement: Employees or contractors do not agree or sign terms or conditions of employment. [TVS008]
People/Processes:
- Non disclosure Agreements required prior to employment
Technology:
- Accounts are not created within the EHR until appropriate Agreements are signed



5.3 Termination or Change in Employment
Question: [5.3] Do you have a formal process to manage the termination and or transfer of employees? i.e. All equipment is returned, user ID's disabled in EHR and Windows, badges and/or keys returned.
Threat-Vulnerability Statement: Employee, contractor or third party user terminations or change of responsibilities could result in a security breach due to lack of a defined management process for terminations or changes in responsibilities. [TVS009]
People/Processes:
- No known procedures in place for terminations or changes of responsibilities.
- Disabling of access within the EHR as well as retrieval of keys and equipment is performed.
Technology:
- User accounts are disabled within the EHR

6. Physical Security

6.1 Secure Areas
Question: [6.1] Do you have effective physical access controls (e.g., door locks) in place that prevent unauthorized access to facilities and a facility security plan?
a) Are there plans in place to handle/manage contingent events or circumstances (e.g. what if the person with the key to the server room is sick)?
b) Is there a facility security plan?
c) How are physical access controls authorized (who is responsible for ensuring that only appropriate persons have keys or codes to the facility and to locations within the facility with ePHI)?
d) Are there policies and procedures to document repairs and modifications to physical components of the facility that are related to security?
- [See Facility Walkthrough Checklist for additional information]
Threat-Vulnerability Statement: Unauthorized parties gain physical access to facilities due to insufficient physical entry/exit controls. [TVS010]
People/Processes:
- No facility security plan is currently in place at the practice
- Fire escape plans are posted throughout the building
- Alarm system is currently in place and monitored 24/7
- Front Desk: Waiting room securely separated? All patients must sign in? All visitors must sign in? All visitors & patients escorted? Sign-in sheet secured and maintained?
Technology:
- Workstations/Laptops/Tablets: Positioning? Privacy screens used? Cable locks used?
- Server Room: Server room location? Locked at all times? Proper cooling? Battery backup? Fire suppression?
- Network Closet: Locked at all times? Proper cooling? Battery backup?
- Building: Emergency lighting? Fire detection? Fire suppression? Back door remains locked? Other doors remain locked? Water shut-off valves? Emergency power shut-off? Building alarm system?

7. Network Security



7.1 Application and Information Access Control - Sensitive System Isolation
Question: [7.1] Describe your network configuration. Has your IT vendor provided information regarding how your Electronic Health Record (EHR) system is protected?
a) Are systems and networks that host, process and or transfer sensitive information ‘protected’ (isolated or separated) from other systems and or networks?
b) Are internal and external networks separated by firewalls with access policies and rules?
c) Is there a standard approach for protecting network devices to prevent unauthorized access/network related attacks and data-theft?
i.e. Firewall between public and private networks, internal VLAN, firewall separation, separate WLAN network, and/or secure patient portal.
Threat-Vulnerability Statement: Sensitive systems co-located with less sensitive systems are accessed by unauthorized parties. [TVS011]
People/Processes:
- No network diagram or details regarding the configurations being used are currently available.
Technology:
- Network Configuration: Firewall in place? Wireless encryption? Remote access type? Remote access encryption?

7.2 Encryption
Question: [7.2] Is sensitive information transferred to external recipients? If so, are controls in place to protect sensitive information when transferred (e.g. with encryption)? i.e. Secure VPN connection with EHR and/or IT vendors or email encryption (certificate server, ZixMail).
a) Is sensitive information being sent via text, either by email (i.e. phonenumber@messaging.att.com) or by texting on the phones themselves?
Threat-Vulnerability Statement: Information involved in electronic messaging is compromised. [TVS012]
People/Processes:
- No policies or procedures around the protection of electronic messaging.
- No PHI is electronically sent via email or other electronic means except through fax.

7.3 Vulnerability Assessment
Question: [7.3] How often do you perform periodic vulnerability scans on your information technology systems, networks and supporting security systems? i.e. Internal assessments, third party assessments, automated?
Threat-Vulnerability Statement: Technical vulnerabilities are exploited to gain inappropriate or unauthorized access to information systems due to lack of controls for those vulnerabilities. [TVS013]
People/Processes:
- No vulnerability testing has been completed.
Technology:
- No vulnerability testing currently being performed internally or from a third party

7.4 Monitoring
Question: [7.4] Are third party connections to your network monitored and reviewed to confirm authorized access and appropriate usage? i.e. VPN logs, server Event Logs, EHR logging, automated alerts, regular review of logs or reports.
Threat-Vulnerability Statement: Unauthorized access is given to information over third party connections. [TVS014]
8. Logical Access



8.1 Identity & Access Management
Question: [8.1] Do you have a formal access authorization process based on 'least privilege' (employees are granted the least amount of access possible in order to perform their assigned duties) and need to know (access permissions are granted based upon the legitimate business need of the user to access the information)? i.e. Role-based permissions, limited access based on specific responsibilities, network access request form?
a) How are systems and applications configured to restrict access only to authorized individuals? i.e. Use of unique ID's and passwords.
1) Minimum password length? Complexity? History? Lockout? Password change?
b) Is there a list maintained of authorized users with access (administrative access) to operating systems? i.e. Active Directory user lists, within EHR application, Excel spreadsheet of users, HR file?
c) Does a list of 'accepted mobile devices' (e.g., smart phones, cell phones) exist based on testing? Are accepted mobile devices tested prior to production use?
d) Is sensitive information (e.g., social security numbers) removed from, or encrypted within, documents and or websites before it is distributed? i.e. Use of Patient Portal for distribution, de-identifying of sensitive information prior to being distributed.
e) Is software installation restricted for desktops, laptops and servers? i.e. Restricted User access to workstations, Group Policy enforcement, AD privileges on servers
1) automatic logoff of workstations? EHR system?
f) Is access to source application code restricted? If so, how? Is a list of authorized users maintained?
Threat-Vulnerability Statement: Unauthorized access is gained to information systems. [TVS015]
People/Processes:
- Access rights to the EHR are allocated based on the employee's role within the facility but no procedures are in place.
Technology:
- EHR Password Security: Password Change? Minimum Length? Complexity? Password History? Lockout?
- Windows Password Security: Password Change? Minimum Length? Complexity? Password History? Lockout?
- Auto Logoff: EHR? Windows?
- Servers/Network Devices: Default Admin passwords have been changed?

8.2 Identity Management
Question: [8.2] Are user IDs for your system uniquely identifiable?
a) Any shared accounts at all? i.e. hard coded into applications, someone is sick or unavailable, emergency access to sensitive information?
Threat-Vulnerability Statement: Unauthorized users are able to gain access to operating systems by claiming to be an authorized user. [TVS016]
People/Processes:
- No policy or procedure around the use of unique user ID's
Technology:
- Unique user ID's are utilized within the EHR.
- However, user ID's are NOT unique for workstation access



8.3 Entitlement Reviews
Question: [8.3] Do you have a process to review user accounts and related access? i.e. manual process of reviewing HR records to user accounts in AD and EHR
Threat-Vulnerability Statement: Users that no longer have a business need for information systems access still have access to the information. [TVS017]
People/Processes:
- User accounts are not currently reviewed on a regular basis
Technology:
- No regular review of accounts currently being performed within the EHR, servers, and other systems.
9. Operations Management

9.1 Antivirus
Question: [9.1] Has antivirus software been deployed and installed on your computers and supporting systems (e.g., desktops, servers and gateways)?
1) Product installed? Centrally managed? Updated daily?
Threat-Vulnerability Statement: Systems and data are exposed to malicious software and/or unauthorized use. [TVS018]
People/Processes:
- No current policies and procedures surrounding the use and updating of antivirus software

9.2 Security Monitoring
Question: [9.2] Are systems and networks monitored for security events? If so, please describe this monitoring. i.e. server and networking equipment logs monitored regularly. Servers, routers, switches, wireless AP's.
Threat-Vulnerability Statement: Unauthorized information processing activities occur undetected due to lack of consistent logging and monitoring activities. [TVS019]

9.3 Media Handling
Question: [9.3] Do procedures exist to protect documents, computer media (e.g., tapes, disks, CD-ROMs, etc.), from unauthorized disclosure, modification, removal, and destruction? Is sensitive data encrypted when stored on laptop, desktop and server hard drives, flash drives, backup tapes, etc.? i.e. Data at Rest - Is data encrypted on the EHR server? Backups? Mobile devices? SD Cards?
Threat-Vulnerability Statement: Media (e.g., documents, computer media (e.g. tapes, disks), input/output data, system documentation) is compromised by unauthorized parties due to ineffective handling procedures. [TVS020]
People/Processes:
- No procedures in place surrounding the handling of media.
Technology:
- Backups: Are backups encrypted?

9.4 Secure Disposal
Question: [9.4] Are there security procedures for the decommissioning (replacement) of IT equipment and IT storage devices which contain or process sensitive information? i.e. use of Shred-IT, Retire-IT, wiping, NIST 800-88
Threat-Vulnerability Statement: Unauthorized parties access data from discarded media. [TVS021]
Technology: N/A

9.5 Segregation of Computing Environment
Question: [9.5] Are development, test and production environments separated from operational IT environments to protect production (actively used) applications from inadvertent changes or disruption?
Threat-Vulnerability Statement: The production environment is impacted due to the lack of separation of development and production environments. [TVS022]
People/Processes:
- Testing that relates to the EHR occurs through the EHR vendor and is not performed internally.
Technology:
- No test systems
- EHR vendor tests their updates and then notifies the Practice for installation into production



9.6 Segregation of Duties
Question: [9.6] Are duties separated, where appropriate, to reduce the opportunity for unauthorized modification, unintentional modification or misuse of the organization's IT assets? i.e. front desk duties separated from accounting. Nurse duties separated from Doctor's?
Threat-Vulnerability Statement: The integrity of a business process is compromised due to the lack of segregation of duties (e.g., maker & checker). [TVS023]
People/Processes:
- Job duties are separated within the EHR based on their job roles but not formally outlined within any policy or procedure.
Technology: N/A

9.7 Change Management
Question: [9.7] Do formal change management procedures exist for networks, systems, desktops, software releases, deployments, and software vulnerability (e.g., Virus or Spyware) patching activities? i.e. Changes to the EHR? Changes to the workstations and servers? Appropriate testing, notification, and approval?
Threat-Vulnerability Statement: The change management process in place does not adequately protect the environment from disruptive changes in production. [TVS024]
People/Processes:
- No formal change management procedures currently in place.
- The existing process for EHR updating involves being contacted by the vendor and then scheduling a time for installation.
Technology:
- No internal tracking or reporting of changes to the systems
- EHR vendor does keep records of any changes performed through the use of their ticketing system
- Windows Updates: Workstations update automatically? Servers are updated regularly?

10. Incident Management

10.1 Process & Procedures
Question: [10.1] How do you identify, respond to and mitigate suspected or known security incidents? i.e. Incident Form filled out as a response to an incident
a) During the investigation of a security incident, is evidence properly collected and maintained? i.e. Chain of custody and other computer forensic methodologies followed by internal and/or external parties?
b) Are incidents identified, investigated, and reported according to applicable legal requirements?
c) How are incidents escalated and communicated? i.e. documented process for escalation to management and even outside authorities.
Threat-Vulnerability Statement: Security incidents are not managed with a consistent and effective approach. [TVS025]
People/Processes:
- Incidents are reported but not consistent in the approach and no formalized incident response plan is currently in place.
Technology:
- No incident management tracking / reporting software is being utilized

11. Business Continuity Management



11.1 Disaster Recovery Plan & Backups
Question: [11.1] Do you have a mechanism to back up critical IT systems and sensitive data? i.e. nightly, weekly, quarterly backups? Taken offsite?
a) Have you had to restore files after a systems outage? Does a Disaster Recovery plan exist for the organization and does it consider interruption to, or failure of, critical IT systems?
a) Are disaster recovery plans updated at least annually?
b) If not, has the backup and restoration process been tested?
Threat-Vulnerability Statement: Information systems cannot be recovered due to a lack of written disaster recovery plans. [TVS026]
People/Processes:
- No Disaster Recovery Plan or Emergency Operations Plan currently in place at the facility
Technology:
- EHR backup services are utilized for secure offsite backups of the database.
- Test restore of backups are periodically completed especially as needed but not consistently tested on a regular basis
- No alternate facility available to recover from a disaster



People and Processes (Step 2a)
Purpose: This tab is designed to determine a risk rating for an organization's (people and process) assets, which store, transmit, or process EPHI. The Threats and Vulnerabilities offered are a
sample of possibilities which may be expanded upon. These assets help to identify the scope of what needs to be assessed. This tab addresses the Risk Assessment Steps 1 through 8 of NIST
Special Publications 800-66 and 800-30.

Steps for Using the People and Processes Tab (Step 2a):

NOTE: All Columns must be filled in completely.

1. Asset Management Category - This list has already been pre-populated to assist the respondent and requires no action. This cell contains the typical asset or business process which
corresponds with the Threat-Vulnerability Statement in the next cell.

2. Threat-Vulnerability Statement - The Threat-Vulnerability Statement is also pre-populated and requires no action on the part of the respondent.

3. Recommended Control Measures - This column requires no action by the respondent. This is a recommended action which is provided for respondents to consider in developing their information
security posture.

4. Existing Control - This column is pre-populated from the response in the People/Processes column of the Screening Questions (Step 1) tab and requires no action by the respondent.

5. Existing Control Effectiveness - This is a Drop-Down list in which the respondent will select the best answer to describe the degree to which their counter-measures address the Threat-
Vulnerability statement earlier in the row. When making a selection, respondents should also consider how effective their counter-measures are in relation to the Recommended Control Measures
which is suggested in the previous cell. The available choices are Effective, Partially Effective or Not Effective.

For example, the Threat-Vulnerability statement that “Facilities are protected by appropriate entry controls” would be evaluated as to how effectively the workspaces where EPHI can be accessed are
protected. Additionally, the respondent would also want to consider how effectively the medical facility itself is secured and protected. These are some of the factors which must be considered in
offering a response.

6. Exposure Potential - This cell is pre-populated from the response on the Screening Questions (Step 1) tab and requires no action. This cell represents the response of ‘Addressed, Partially-
Addressed or Not-Addressed’ relative to the Threat-Vulnerability statement. The purpose is to offer additional guidance and empower the respondent in their selections on the following choices of
Impact and Likelihood.

7. Likelihood - As with the Impact Rating, this is a judgment by the respondent as to how likely an 'Undesirable Event', such as a power outage or fire, is to occur at the medical practice. Please
select the appropriate corresponding choice of Low, Medium or High for each asset.
Very Likely would be defined as having a probable chance of occurrence.
Likely would be defined as having a significant chance of occurrence.
Not Likely would be defined as modest or insignificant chance of occurrence.

8. Impact - In the event that an 'Undesirable Event' such as a power outage or a fire occurs, what is the level of impact to the practice? The response is a completely subjective judgment by the
practitioner as to what the impact of an occurrence of the threat would have upon the medical practice. Please select from the appropriate corresponding choice of High, Medium, or Low for each
asset.
High would be defined as having a catastrophic impact on the medical practice; the medical practice is incapable of offering medical treatments or services and a significant number of medical records
have been lost or compromised.
Medium would be defined as having a significant impact on the medical practice; the medical practice may offer a reduced array of treatment services to patients. A moderate number of medical
records within the practice have been lost or compromised.
Low would be defined as having a modest or insignificant impact on the medical practice; the medical practice can continue to offer treatment to patients and some medical records may be lost or
compromised.

NOTE: A loss or compromise of 500 medical records or more may qualify as a breach that requires the practice to notify the US Department of Health and Human Services Office for
Civil Rights within a defined time frame.

9. Risk Rating - This column requires no action by the respondent. The column automatically calculates the risk rating to the medical practice based upon the inputs from the 'Impact Rating' and
'Likelihood of Occurrence' columns.

NEXT STEP: After completing the questions on this tab, please proceed to the tab labeled Technology (Step 2b).
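Steps 7 through 9 above describe how the Risk Rating column is derived from Likelihood and Impact, and step 4 of the Risk Management row notes that Medium and High items flow to the Findings-Remediation tab. The helper below is an added example, not the spreadsheet's own formula: the scoring matrix is an assumption chosen to reproduce the three rated rows visible on this tab (Likely/High gives Medium, Not Likely/High gives Low, Very Likely/High gives High), and the sample rows are constructed from those entries.

```python
"""Risk-rating helper modelled on the People and Processes (Step 2a) tab.

Added example, not the spreadsheet's own formula. The Likelihood x Impact
scoring is an assumption: the tab only shows three rated rows
(Likely/High -> Medium, Not Likely/High -> Low, Very Likely/High -> High),
and the matrix below is chosen so that it reproduces exactly those.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordinal scores for the drop-down values used on the tab (assumed weights).
LIKELIHOOD_SCORE = {"Not Likely": 1, "Likely": 2, "Very Likely": 3}
IMPACT_SCORE = {"Low": 1, "Medium": 2, "High": 3}


def risk_rating(likelihood: Optional[str], impact: Optional[str]) -> Optional[str]:
    """Return "High", "Medium" or "Low", or None while either input is blank.

    The product of the two scores ranges 1..9; the thresholds are assumed but
    satisfy the three ratings visible on the tab (3 -> Low, 6 -> Medium,
    9 -> High). Unknown drop-down text is an error rather than a silent Low.
    """
    if likelihood is None or impact is None:
        return None
    try:
        score = LIKELIHOOD_SCORE[likelihood] * IMPACT_SCORE[impact]
    except KeyError as exc:
        raise ValueError(f"unknown rating value: {exc.args[0]!r}") from None
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


@dataclass
class AssessmentRow:
    """One row of the tab: asset category, TVS id, and the two judgments."""
    category: str
    tvs_id: str
    likelihood: Optional[str]
    impact: Optional[str]

    @property
    def rating(self) -> Optional[str]:
        return risk_rating(self.likelihood, self.impact)


def findings_remediation(rows: List[AssessmentRow]) -> Tuple[List[AssessmentRow], List[str]]:
    """Split rows into those the tab routes to Findings-Remediation (Medium
    and High, High first) and the ids of rows still missing a judgment, so an
    unrated row is surfaced instead of silently dropped from the findings."""
    rated = [r for r in rows if r.rating in ("High", "Medium")]
    rated.sort(key=lambda r: 0 if r.rating == "High" else 1)  # stable sort
    incomplete = [r.tvs_id for r in rows if r.rating is None]
    return rated, incomplete


# Constructed sample rows reflecting the ratings shown on this tab; TVS001
# has an Impact but no Likelihood selected yet, as on the tab.
SAMPLE_ROWS = [
    AssessmentRow("Security Program", "TVS001", None, "High"),
    AssessmentRow("Risk Management & Compliance", "TVS004", "Likely", "High"),
    AssessmentRow("Risk Management & Compliance", "TVS005", "Not Likely", "High"),
    AssessmentRow("Network Security", "TVS013", "Very Likely", "High"),
]

if __name__ == "__main__":
    rated, incomplete = findings_remediation(SAMPLE_ROWS)
    for r in rated:
        print(f"{r.tvs_id}: {r.likelihood}/{r.impact} -> {r.rating}")
    print("rows still needing a Likelihood or Impact:", incomplete)
```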

References:
HIPAA Security Rule
OCR Security Rule Guidance: http://www.hhs.gov/ocr/privacy
COBIT Framework for IT Governance and Control, version 4.1
NIST Special Publication 800-66
ISO/IEC 17799 (2005) Part 1
Payment Card Industry, Data Security Standards PCI DSS v1.1

Table columns: Asset Management Category | Threat-Vulnerability Statement | Perform Control Analysis: Recommended Control Measures | Perform Control Analysis: Existing Control | Perform Control Analysis: Existing Control Effectiveness | Exposure Potential | Assess Risk: Likelihood | Assess Risk: Impact | Assess Risk: Risk Rating

People and Processes (Step 2a) 23 October 21, 2011


Security Program
Threat-Vulnerability Statement: Management has not defined responsibilities for the information security program. [TVS001]
Recommended Control Measures: All information security responsibilities are clearly documented. This is to ensure timely, safe and effective handling of all situations, administration user accounts- including additions, deletions, and modifications. [RCM001]
- Ensure responsibilities are formalized within the employee(s) job descriptions as well as within relevant IS policies.
- The Information Security Policy Template provided by the REC could help formalize this role.
Existing Control: 0
Impact: High

Security Program
Threat-Vulnerability Statement: Security breaches occur when dealing with third parties due to a lack of security considerations in the related third party agreement. [TVS002]
Recommended Control Measures: Agreements with third parties, such as IT vendors, which involve accessing, processing, communicating with or managing the organization's information or information processing facilities, or adding products or services to information processing facilities cover all relevant security requirements. Contracts between business associates and covered entities address administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of information. [RCM002]
- Verify and ensure Business Associate agreements are in place with all third parties that use or disclose PHI. This includes those that even have access to PHI like IT service providers and EHR vendors.
Existing Control: 0
Impact: High



Security Policy
Threat-Vulnerability Statement: Management does not set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security. [TVS003]
Recommended Control Measures: An information security policy is approved by management in accordance with business requirements and all relevant laws and regulations. [RCM003]
- An Information Security Policy template has been provided by the REC and can be used if desired. If used, it should be reviewed, filled out appropriately, and formally adopted within the facility. Refer to section IS-1.1.
Existing Control: 0
Impact: High

Risk Management & Compliance
Threat-Vulnerability Statement: Information around risks and related control options are not presented to management before management decisions are made. [TVS004]
Recommended Control Measures: Risk assessments are conducted to identify, quantify, prioritize and manage risks. The prioritization is accomplished by creating and using criteria for risk acceptance and objectives which are important to the organization. [RCM004]
- Ensure this risk assessment is accurate with all information that has been filled out as well as the risk ratings (likelihood and impact) that have also been completed based on the information provided.
- After verifying the accuracy of information, the Medium and High risk items from the Findings-Remediation tab should be addressed by making the necessary business decisions on whether to mitigate, transfer, or accept the risks. It is recommended to mitigate risks that are easy to address.
- It is important to continue the risk assessment process by assessing additional risks to your facility, systems, and all other assets to ensure a thorough and up-to-date risk assessment is conducted.
Existing Control:
- REC helping to start the risk assessment process by using this spreadsheet as a foundation for the risk assessment as well as risk management plan.
- No prior risk assessments conducted
Likelihood: Likely
Impact: High
Risk Rating: Medium



Risk Management & Compliance
Threat-Vulnerability Statement: Legislative, statutory, regulatory or contractual obligations related to security are violated due to lack of controls. [TVS005]
Recommended Control Measures: Controls, which are applicable to each situation, have been applied to avoid violations of any legal obligations (e.g. statutory, regulatory, or contractual), and of any security requirements. Access controls could be door locks or computer passwords, while other controls could be firewalls and anti-virus software. [RCM005]
- It is recommended to continue to follow any legal obligations by signing up for regular email newsletters, i.e. Healthcare IT, HIPAA Weekly Advisory, HIMSS, etc.
- Various Webinars and conferences are also great resources.
Existing Control:
- Working with the REC helps to identify new laws and regulations due to the training and guidance with the REC team
- State breach guidance also available through the REC within the privacy and security toolkit
Likelihood: Not Likely
Impact: High
Risk Rating: Low

Training & Awareness
Threat-Vulnerability Statement: Applications and technology solutions are not correctly and securely used since a training curriculum for employees has not been established or regularly updated. [TVS006]
Recommended Control Measures: A training curriculum for employees has been established to educate and train users for correct and secure use of applications and technology solutions. [RCM006]
- The REC has provided a privacy and security toolkit which includes PowerPoint training that could be utilized for regular training.
- Training could include new employee orientation for all new personnel and contractors as well as weekly or monthly email security reminders.
- Security reminders could also be posted in public areas (kitchen, hallways, etc.) to help train employees.
Existing Control:
- No formal information security training but periodic HIPAA training (random).
- No one dedicated to the role of training.
- No IT orientation
Impact: High



Personnel Security
Threat-Vulnerability Statement: Background verification checks are not carried out and management is not aware of academic, professional, credit or criminal backgrounds of employees. [TVS007]
Recommended Control Measures: Background verification checks on all candidates for employment, contractors and third party computer system users are carried out in accordance with relevant laws, regulations and ethics, and relevant to the business requirements, the classification of the information to be accessed, and the perceived risks. [RCM007]
- Verifying credentials and even background verification checks may be beneficial to your facility.
- In addition to any verification checks performed for potential employees, it is also important to ensure that some, or all, of these checks are performed for contractors and third parties.
- The Information Security Policy template provided by the REC can also help in this area with the Background Check Authorization in Appendix F.
Existing Control:
- References are verified
- Credential verification is also performed
- No criminal background checks are performed at this time
Likelihood: Not Likely
Impact: High
Risk Rating: Low

Personnel Security
Threat-Vulnerability Statement: Employees or contractors do not agree or sign terms or conditions of employment. [TVS008]
Recommended Control Measures: As part of their terms of employment or contractual agreements, employees, contractors and third party users agree and sign the terms and conditions of their employment contract, which should state their responsibilities and the organization's responsibilities for information security. [RCM008]
Existing Control:
- Non disclosure Agreements required prior to employment
Impact: High



Personnel Security
Threat-Vulnerability Statement: Employee, contractor or third party user terminations or change of responsibilities could result in a security breach due to lack of a defined management process for terminations or changes in responsibilities. [TVS009]
Recommended Control Measures: Procedures are in place to ensure the properly managed exit from the organization of employees, contractors or third parties and that all equipment is returned and the removal of all access rights is completed. [RCM009]
- The Information Security Policy template provided by the REC can be a starting point for creating termination procedures. The policy does include a section about terminations, and procedures can be created based on the policy, if adopted within your facility.
- The template also includes a hiring and termination checklist (Appendix H).
Existing Control:
- No known procedures in place for terminations or changes of responsibilities.
- Disabling of access within the EHR as well as retrieval of keys and equipment is performed.
Impact: High



Physical Security
Threat-Vulnerability Statement: Unauthorized parties gain physical access to facilities due to insufficient physical entry/exit controls. [TVS010]
Recommended Control Measures: A facility security plan is implemented, which protects the facility with appropriate entry/exit controls to ensure that only authorized personnel are allowed access, removal of equipment from the facility is restricted to authorized individuals, and repair/modification of physical components of the facility are documented and monitored. Workstations are protected from removal by unauthorized individuals. A contingency plan is implemented for permitting and enabling physical access to alternate authorized individuals (e.g. in the event primary authorized individuals are sick or not available). [RCM010]
- A facility security plan should be implemented which outlines how personnel and patients are authorized access to all or parts of the facility.
- The control of physical components (equipment) should also be part of a facility security plan.
- The Information Security Policy template provided by the REC contains a section on Building Security which can be a good starting point for formalizing a policy / facility plan. Refer to section IS-1.6.
- It's a good practice to ensure that all visitors are escorted at all times.
Existing Control:
- No facility security plan is currently in place at the practice
- Fire escape plans are posted throughout the building
- Alarm system is currently in place and monitored 24/7
- Front Desk: Waiting room securely separated? All patients must sign in? All visitors must sign in? All visitors & patients escorted? Sign-in sheet secured and maintained?
Impact: High

Network Security
Threat-Vulnerability Statement: Sensitive systems co-located with less sensitive systems are accessed by unauthorized parties. [TVS011]
Recommended Control Measures: If possible sensitive systems have a dedicated, and isolated, computing environment. [RCM011]
- A complete network diagram that outlines the boundaries of the network is recommended to help gain an overview of the computing environment(s) being protected.
Existing Control:
- No network diagram or details regarding the configurations being used are currently available.
Impact: High



Network Security
Threat-Vulnerability Statement: Information involved in electronic messaging is compromised. [TVS012]
Recommended Control Measures: Information involved in electronic messaging is appropriately protected. [RCM012]
- The protection of electronic messaging should be outlined within the Information Security Policy
- The Information Security Policy template provided by the REC could help outline the protection of electronic messaging as it relates to the facility; even if the policy prohibits the use of electronic messaging of sensitive information. Refer to section IS-1.14.
- Any texting of PHI should include a policy and procedures surrounding this process and the safeguards being utilized.
Existing Control:
- No policies or procedures around the protection of electronic messaging.
- No PHI is electronically sent via email or other electronic means except through fax.
Impact: High

Network Security
Threat-Vulnerability Statement: Technical vulnerabilities are exploited to gain inappropriate or unauthorized access to information systems due to lack of controls for those vulnerabilities. [TVS013]
Recommended Control Measures: Timely information about technical vulnerabilities of information systems being used is obtained, the organization's exposure to the vulnerabilities is evaluated and appropriate measures are taken to address the associated risk. [RCM013]
- Vulnerability testing should be performed regularly to obtain information about technical vulnerabilities to the systems.
- A policy and procedure surrounding this process should be in place and should include the steps taken, where necessary, once vulnerabilities are found.
Existing Control:
- No vulnerability testing has been completed.
Likelihood: Very Likely
Impact: High
Risk Rating: High

Category: Network Security
Threat-Vulnerability Statement: Unauthorized access is given to information over third party connections. [TVS014]
Recommended Control Measures: A formal process is in place to control all external third party network connections. [RCM014]
- A process should be put in place to govern how all external third party connections are made, including those of the EHR vendor.
- The process could include the automated or manual review (at regular intervals) of VPN logs, EHR logs, server logs, etc.
Existing Control: 0
Risk Rating: High



Category: Logical Access
Threat-Vulnerability Statement: Unauthorized access is gained to information systems. [TVS015]
Recommended Control Measures: Formal procedures should be in place to control the allocation of access rights to information systems and services. [RCM015]
- The Information Security Policy template provided by the REC contains a network access request form that could be adopted by the facility as a formal process for controlling the allocation of access rights to the systems. Refer to section IS-1.2.
- The policy also outlines the formalized password policy required for unique user ID's.
Existing Control:
- Access rights to the EHR are allocated based on the employee's role within the facility, but no procedures are in place.
Risk Rating: High

Category: Logical Access
Threat-Vulnerability Statement: Unauthorized users are able to gain access to operating systems by claiming to be an authorized user. [TVS016]
Recommended Control Measures: All users are assigned a unique identifier (user ID) for their business use. This unique ID shall be used exclusively on computing systems within the medical practice which process EPHI, and a suitable authentication technique is chosen to validate the identity of a user. [RCM016]
- The Information Security Policy template provided by the REC contains a section on the use of unique user ID's, if adopted. Refer to section IS-1.2.
- Unique user ID's should extend beyond the EHR and include other systems, i.e. workstations and servers.
Existing Control:
- No policy or procedure around the use of unique user ID's.
Risk Rating: High



Category: Logical Access
Threat-Vulnerability Statement: Users that no longer have a business need for information systems access still have access to the information. [TVS017]
Recommended Control Measures: Management reviews and makes the appropriate corrections to the access right(s) of individual users at regular intervals using a formal process¹. [RCM017]
- User accounts should be regularly reviewed to ensure that terminated employees or contractors that no longer work on the systems do not have access.
- A process should be in place that outlines the regular review of user accounts within all systems, how often, and what actions to perform if discrepancies are found.
- The information security policy template provided by the REC helps to formalize this area, if adopted. Audit controls are outlined in section IS-1.13 of the policy template.
Existing Control:
- User accounts are not currently reviewed on a regular basis.
Risk Rating: High

Category: Operations Management
Threat-Vulnerability Statement: Systems and data are exposed to malicious software and/or unauthorized use. [TVS018]
Recommended Control Measures: Policies and procedures are implemented that address the prevention, detection and removal of malicious code in the computer operating environment. This would cover all computers or devices, such as printers and thumb drives, which connect to computers. [RCM018]
- The Information Security Policy template provided by the REC can help with the policy needed regarding antivirus protection. This is outlined in section IS-1.4 of the policy.
- Procedures regarding the administration, whether centrally or locally managed, should also be in place and include what actions to take whenever any detections occur.
Existing Control:
- No current policies and procedures surrounding the use and updating of antivirus software.
Risk Rating: High



Category: Operations Management
Threat-Vulnerability Statement: Unauthorized information processing activities occur undetected due to lack of consistent logging and monitoring activities. [TVS019]
Recommended Control Measures: Policies and procedures for information system monitoring have been established and implemented. This is done to institute consistency and standards in computer activity logging, computer activity monitoring and reporting of any system events. [RCM019]
- A process should be put in place to ensure that all systems are actively monitored. The systems include the EHR, servers, networking devices (firewall, switches, and routers), etc.
- The process could include the automated or manual review (at regular intervals) of VPN logs, EHR logs, server logs, etc.
- The information security policy template provided by the REC helps to formalize this area, if adopted. Audit controls are outlined in sections IS-1.12 and IS-1.13 of the policy template.
Existing Control: 0
Risk Rating: High

Category: Operations Management
Threat-Vulnerability Statement: Media (e.g., documents, computer media (e.g. tapes, disks), input/output data, system documentation) is compromised by unauthorized parties due to ineffective handling procedures. [TVS020]
Recommended Control Measures: Operating procedures are established to protect documents, computer media (e.g., tapes, disks), input/output data and system documentation. This is done to protect sensitive information from unauthorized disclosure, modification, removal, and destruction. [RCM020]
- The Information Security Policy template provided by the REC can be a good starting point for how media is handled within the facility. Refer to sections IS-1.9 and IS-1.10 of the Information Security Policy template.
- Handling of media should include expectations of employees, use of encryption, wiping and destruction, storage, etc.
Existing Control:
- No procedures in place surrounding the handling of media.
Risk Rating: High



Category: Operations Management
Threat-Vulnerability Statement: Unauthorized parties access data from discarded media. [TVS021]
Recommended Control Measures: Equipment containing storage media (e.g. fixed hard disks, CD-ROMs, thumb drives) is checked to ensure that any sensitive data and licensed software has been removed or overwritten prior to disposal. [RCM021]
- A destruction policy should be in place surrounding the disposal and reuse methods accepted within the facility for all equipment containing storage media.
- The Information Security Policy template can be a good starting point to help create a destruction policy and work towards procedures. Refer to sections IS-1.9 and IS-1.10 of the Information Security Policy template.
Existing Control: 0
Risk Rating: High

Category: Operations Management
Threat-Vulnerability Statement: The production environment is impacted due to the lack of separation of development and production environments. [TVS022]
Recommended Control Measures: Development, test, and operational facilities are separated from one another. This is done to reduce the risks of unauthorized access or unauthorized changes to the computer operational system or to any software applications running upon the operating system. [RCM022]
Existing Control:
- Testing that relates to the EHR occurs through the EHR vendor and is not performed internally.
Risk Rating: High

Category: Operations Management
Threat-Vulnerability Statement: The integrity of a business process is compromised due to lack of segregation of duties (e.g., maker & checker). [TVS023]
Recommended Control Measures: Employee duties and employees' 'areas of responsibility' are separated; this is to reduce the potential opportunities for unauthorized or unintentional modification or misuse of the organization's computing systems or assets. [RCM023]
- The Information Security Policy template can be a good start to help address the segregation of duties within the facility, but should be updated as needed as well as adopted as a formal policy. Refer to section IS-1.2 of the information security policy template.
- Appropriate and detailed job descriptions can also help outline the areas of responsibility between employees.
Existing Control:
- Job duties are separated within the EHR based on job roles but not formally outlined within any policy or procedure.
Risk Rating: High



Category: Operations Management
Threat-Vulnerability Statement: The change management process in place does not adequately protect the environment from disruptive changes in production. [TVS024]
Recommended Control Measures: Formal 'change policies and procedures' have been established to manage the implementation of changes to assure the adherence to standards and security practices. [RCM024]
- Change management policies and procedures should be in place to help address the changes that occur to any system, including the EHR, server, workstations, routers, switches, etc. Section IS-1.11 of the information security policy template provided by the REC can be a great starting point for formalizing change management.
- Change management procedures could include how changes are known, reviewed, tested, approved, and verified.
Existing Control:
- No formal change management procedures currently in place.
- The existing process for EHR updating involves being contacted by the vendor and then scheduling a time for installation.
Risk Rating: High

Category: Incident Management
Threat-Vulnerability Statement: Security incidents are not managed with a consistent and effective approach. [TVS025]
Recommended Control Measures: A consistent approach to managing information security incidents, consistent with applicable law, is in place to handle information security events and weaknesses once they are reported. Activities such as incident reporting, organizational response, relocation of operations, evidence collection and system recovery are all components of incident response. [RCM025]
- An incident response plan should also be in place to address how incidents are to be responded to and to outline the necessary escalation steps.
- The Information Security Policy template provided by the REC can be a good starting point for addressing a breach; it contains a breach assessment tool that could be part of an incident response plan. Appendix E of the template contains the following items:
  Security Incident Report
  Security Incident Investigation form
  Security Incident Log
  Security Breach Assessment Tool
Existing Control:
- Incidents are reported but the approach is not consistent, and no formalized incident response plan is currently in place.
Risk Rating: High



Category: Business Continuity Management
Threat-Vulnerability Statement: Information systems cannot be recovered due to a lack of written disaster recovery plans. [TVS026]
Recommended Control Measures: Backup and Recovery plans are documented, distributed through the organization and easily obtained by office personnel in the event that an event occurs. The DR Plan must identify the required actions to undertake following interruption to, or failure of, critical IT systems. [RCM026]
- A complete disaster recovery plan and/or documented emergency operations plan should be in place in the event that there's an interruption or failure of critical IT systems. The plan should also include the specific actions employee roles/jobs are to take in the event of a disaster.
- The information security policy provided by the REC has a great starting point in this area, if adopted, as outlined in section IS-1.15 (Contingency Plan).
- The use of backups, rotation type, encryption, and offsite storage should all be documented appropriately.
Existing Control:
- No Disaster Recovery Plan or Emergency Operations Plan currently in place at the facility.
Risk Rating: High

Category New Threat 1 (TVS027) Recommended Control Measures

Category New Threat 2 (TVS028) Recommended Control Measures

Category New Threat 3 (TVS029) Recommended Control Measures

Category New Threat 4 (TVS030) Recommended Control Measures

Category New Threat 5 (TVS031) Recommended Control Measures



Technology (Step 2b)
Purpose: This tab is designed to develop a list of Assets that store, transmit, or process EPHI. The Threats and Vulnerabilities offered are a sample of possibilities which may be expanded upon.
These Business Assets help to identify the scope of what needs to be assessed. This tab addresses the Risk Assessment Steps 1 through 8 of NIST Special Publications 800-66 and 800-30.

Steps for Using the Technology Tab (Step 2b):

NOTE: All Columns must be filled in completely.

1. Asset Management Category - This list has already been pre-populated to assist the respondent and requires no action. This cell contains the typical technology process which corresponds with
the Threat-Vulnerability Statement in the next cell.

2. Threat-Vulnerability Statement - The Threat-Vulnerability Statement is also pre-populated and requires no action on the part of the respondent.

3. Recommended Control Measures - This column requires no action by the respondent. This is a recommended action which is provided for respondents to consider in developing their
Information Security posture.

4. Existing Control - This column is pre-populated from the response in the Technology column of the Screening Questions (Step 1) tab and requires no action by the respondent.

5. Existing Control Effectiveness - This is a Drop-Down list in which the respondent will select the best answer to describe the degree to which their counter-measures address the Threat-
Vulnerability statement earlier in the row. When making a selection, respondents should also consider how effective their counter-measures are in relation to the Recommended Control Measures
which is suggested in the previous cell. The available choices are Effective, Partially Effective or Not Effective.

For example, the Threat-Vulnerability statement that “Facilities are protected by appropriate entry controls” would be evaluated as to how effectively the workspaces where EPHI can be accessed are
protected. Additionally, the respondent would also want to consider how effectively the medical facility itself is secured and protected. These are some of the factors which must be considered in
offering a response.

6. Exposure Potential - This cell is pre-populated from the response on the Screening Questions (Step 1) tab and requires no action. This cell represents the response of ‘Addressed, Partially-
Addressed or Not-Addressed’ relative to the Threat-Vulnerability statement. The purpose is to offer additional guidance and empower the respondent in their selections on the following choices of
Impact and Likelihood.

7. Likelihood - As with the Impact Rating, this is a subjective judgment by the respondent as to how likely an 'Undesirable Event', such as a power outage or fire, is to occur to the medical practice.
Please select from the appropriate corresponding choice of Low, Medium or High for each Business Asset.
Very Likely would be defined as having a probable chance of occurrence.
Likely would be defined as having a significant chance of occurrence.
Not Likely would be defined as modest or insignificant chance of occurrence.

8. Impact - In the event that an 'Undesirable Event' such as a power outage or a fire occurs, what is the level of impact to the practice? The response is a completely subjective judgment by the
practitioner as to what the impact of an occurrence of the threat would have upon the medical practice. Please select from the appropriate corresponding choice of High, Medium or Low for each
Business Asset.
High would be defined as having a catastrophic impact on the medical practice; the medical practice is incapable of offering medical treatments or services and a significant number of medical
records have been lost or compromised.
Medium would be defined as having a significant impact; the medical practice may offer a reduced array of treatment services to patients. A moderate number of medical records within the practice
have been lost or compromised.
Low would be defined as a modest or insignificant impact; the medical practice can continue to offer treatment to patients and some medical records may be lost or compromised.

NOTE: A loss or compromise of 500 medical records or more may qualify as a breach that requires the practice to notify the US Department of Health and Human Services Office for
Civil Rights within a defined time frame.

9. Risk Rating - This column requires no action by the respondent. The column automatically calculates the risk rating to the medical practice based upon the inputs from the 'Impact Rating' and
'Likelihood of Occurrence' columns.
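The Risk Rating calculation of step 9, together with the "all columns must be filled in" rule, as an added Python example that is not part of the tool itself. The four matrix cells that reproduce Likelihood/Impact/Rating combinations visible on the worksheet are marked; the remaining cells, and the blank Likelihood for TVS006, are assumptions made for this example.

```python
"""Risk-rating helper for the Technology (Step 2b) worksheet (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LIKELIHOODS = ("Very Likely", "Likely", "Not Likely")
IMPACTS = ("High", "Medium", "Low")
EFFECTIVENESS = ("Effective", "Partially Effective", "Not Effective")
RATING_ORDER = {"High": 0, "Medium": 1, "Low": 2}

# Likelihood x Impact -> Risk Rating. Cells marked "worksheet" reproduce
# combinations filled in on the tool's rows; the others are assumed here.
RISK_MATRIX: Dict[Tuple[str, str], str] = {
    ("Very Likely", "High"): "High",       # worksheet (e.g. TVS013)
    ("Likely", "High"): "Medium",          # worksheet (e.g. TVS002)
    ("Not Likely", "High"): "Low",         # worksheet (e.g. TVS008)
    ("Likely", "Medium"): "Medium",        # worksheet (TVS024)
    ("Very Likely", "Medium"): "Medium",   # assumed for this example
    ("Not Likely", "Medium"): "Low",       # assumed for this example
    ("Very Likely", "Low"): "Low",         # assumed for this example
    ("Likely", "Low"): "Low",              # assumed for this example
    ("Not Likely", "Low"): "Low",          # assumed for this example
}


@dataclass
class AssessmentRow:
    """One row of the worksheet; None marks a respondent column left blank."""
    tvs_id: str
    category: str
    effectiveness: Optional[str]
    likelihood: Optional[str]
    impact: Optional[str]


def risk_rating(likelihood: str, impact: str) -> str:
    """Return the Risk Rating for a Likelihood/Impact pair; reject unknown values."""
    if likelihood not in LIKELIHOODS:
        raise ValueError(f"unknown likelihood: {likelihood!r}")
    if impact not in IMPACTS:
        raise ValueError(f"unknown impact: {impact!r}")
    return RISK_MATRIX[(likelihood, impact)]


def assess(rows: List[AssessmentRow]) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Rate every complete row and list the incomplete ones.

    Returns (findings, incomplete): findings is a list of
    (tvs_id, effectiveness, risk_rating) sorted High first, then by TVS id,
    ready for the Findings-Remediation step; incomplete lists the TVS ids
    whose respondent columns are blank or hold values outside the drop-downs.
    """
    findings: List[Tuple[str, str, str]] = []
    incomplete: List[str] = []
    for row in rows:
        complete = (row.effectiveness in EFFECTIVENESS
                    and row.likelihood in LIKELIHOODS
                    and row.impact in IMPACTS)
        if not complete:
            incomplete.append(row.tvs_id)
            continue
        findings.append((row.tvs_id, row.effectiveness,
                         risk_rating(row.likelihood, row.impact)))
    findings.sort(key=lambda f: (RATING_ORDER[f[2]], f[0]))
    return findings, incomplete


# Sample rows using the values filled in on the worksheet. TVS006 shows only
# "Not Effective" and "High" on the sheet; Impact=High and a blank Likelihood
# are assumed here to illustrate the incomplete-row check.
SAMPLE_ROWS = [
    AssessmentRow("TVS002", "Security Program", "Not Effective", "Likely", "High"),
    AssessmentRow("TVS006", "Training & Awareness", "Not Effective", None, "High"),
    AssessmentRow("TVS008", "Personnel Security", "Effective", "Not Likely", "High"),
    AssessmentRow("TVS013", "Network Security", "Not Effective", "Very Likely", "High"),
    AssessmentRow("TVS024", "Operations Management", "Partially Effective", "Likely", "Medium"),
]

if __name__ == "__main__":
    rated, missing = assess(SAMPLE_ROWS)
    for tvs_id, effectiveness, rating in rated:
        print(f"{tvs_id}: {rating} risk (existing control {effectiveness})")
    print("rows still to be completed:", missing)
```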

NEXT STEP: After completing the questions on this tab, please proceed to the tab marked Findings-Remediation (Step 3).

References:
HIPAA Security Rule
OCR Security Rule Guidance: http://www.hhs.gov/ocr/privacy
COBIT Framework for IT Governance and Control, version 4.1
NIST Special Publication 800-66
ISO/IEC 17799 (2005) Part 1
Payment Card Industry, Data Security Standards PCI DSS v1.1

Column headings for the Technology (Step 2b) worksheet (the sheet groups the control columns under "Perform Control Analysis" and the rating columns under "Assess Risk"):
Asset Management Category | Threat-Vulnerability Statement | Recommended Control Measures | Existing Control | Existing Control Effectiveness | Exposure Potential | Likelihood | Impact | Risk Rating

Technology (Step 2b) 38 October 21, 2011


Category: Security Program
Threat-Vulnerability Statement: Security breaches occur when dealing with third parties due to a lack of security considerations in the related third party agreement. [TVS002]
Recommended Control Measures: Agreements with third parties, such as IT vendors, which involve accessing, processing, communicating with or managing the organization's information or information processing facilities, or adding products or services to information processing facilities cover all relevant security requirements. Contracts between business associates and covered entities address administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of information. [RCM002]
- Controls should be in place to help monitor any access by third parties. This can include the regular review of VPN logs, EHR logs, server logs, etc.
- Automated alerts when certain criteria are met within a system can greatly help monitor third party connections to internal systems.
Existing Control: 0
Existing Control Effectiveness: Not Effective
Likelihood: Likely
Impact: High
Risk Rating: Medium

Category: Risk Management & Compliance
Threat-Vulnerability Statement: Information around risks and related control options is not presented to management before management decisions are made. [TVS004]
Recommended Control Measures: Risk assessments are conducted to identify, quantify, prioritize and manage risks. The prioritization is accomplished by creating and using criteria for risk acceptance and objectives which are important to the organization. [RCM004]
- It is important to expand upon this risk assessment by assessing the risk of each asset itself.
Existing Control:
- No regular assessments of technology are performed, including vulnerability testing, patch management, or other review of systems to help determine risks associated with them so appropriate action(s) can be taken.
Existing Control Effectiveness: Not Effective
Likelihood: Likely
Impact: High
Risk Rating: Medium

Category: Training & Awareness
Threat-Vulnerability Statement: Applications and technology solutions are not correctly and securely used since a training curriculum for employees has not been established or regularly updated. [TVS006]
Recommended Control Measures: A training curriculum for employees has been established to educate and train users for correct and secure use of applications and technology solutions. [RCM006]
- Technology use for a training curriculum could include the use of regular email newsletters that include security reminders, an Intranet site, or a training service provided over the Internet.
Existing Control:
- The use of technology regarding a training curriculum is not currently being utilized.
Existing Control Effectiveness: Not Effective
Risk Rating: High



Category: Personnel Security
Threat-Vulnerability Statement: Employees or contractors do not agree or sign terms or conditions of employment. [TVS008]
Recommended Control Measures: As part of their terms of employment or contractual agreements, employees, contractors and third party users agree and sign the terms and conditions of their employment contract, which should state their responsibilities and the organization's responsibilities for information security. [RCM008]
- Technology in this area is used to prohibit employee or contractor access to systems until such Agreements are signed. For example, no Active Directory accounts, VPN access, or application access is created/activated prior to the Agreement of terms.
Existing Control:
- Accounts are not created within the EHR until appropriate Agreements are signed.
Existing Control Effectiveness: Effective
Likelihood: Not Likely
Impact: High
Risk Rating: Low

Category: Personnel Security
Threat-Vulnerability Statement: Employee, contractor or third party user terminations or change of responsibilities could result in a security breach due to lack of a defined management process for terminations or changes in responsibilities. [TVS009]
Recommended Control Measures: Procedures are in place to ensure the properly managed exit from the organization of employees, contractors or third parties, and that all equipment is returned and the removal of all access rights is completed. [RCM009]
- Accounts/access to all systems should be properly managed for employees and contractors. This includes local workstation access, server access, etc. in addition to the user accounts within the EHR.
Existing Control:
- User accounts are disabled within the EHR.
Existing Control Effectiveness: Partially Effective
Likelihood: Not Likely
Impact: High
Risk Rating: Low



Category: Physical Security
Threat-Vulnerability Statement: Unauthorized parties gain physical access to facilities due to insufficient physical entry/exit controls. [TVS010]
Recommended Control Measures: A facility security plan is implemented, which protects the facility with appropriate entry/exit controls to ensure that only authorized personnel are allowed access, removal of equipment from the facility is restricted to authorized individuals, and repair/modification of physical components of the facility are documented and monitored. Workstations are protected from removal by unauthorized individuals. A contingency plan is implemented for permitting and enabling physical access to alternate authorized individuals (e.g. in the event primary authorized individuals are sick or not available). [RCM010]
- The server room should be secured to ensure physical access is available for only authorized individuals. This can include keeping all doors to the servers locked at all times and any windows secured/monitored.
- It is best practice to ensure proper temperature and humidity for both server and wiring rooms.
- Wiring closets that contain switches, routers, and other networking equipment should also remain locked and accessible by only authorized individuals.
- The use of cable locks can help prevent theft of mobile devices (laptops), and privacy screens can help prevent unauthorized viewing of computer screens/monitors.
Existing Control:
- Workstations/Laptops/Tablets: Positioning? Privacy screens used? Cable locks used?
- Server Room: Server room location? Locked at all times? Proper cooling? Battery backup? Fire suppression?
- Network Closet: Locked at all times? Proper cooling? Battery backup?
- Building: Emergency lighting? Fire detection? Fire suppression? Back door remains locked? Other doors remain locked? Water shut-off valves? Emergency power shut-off? Building alarm system?
Existing Control Effectiveness: Partially Effective
Likelihood: Very Likely
Impact: High
Risk Rating: High

Category: Network Security
Threat-Vulnerability Statement: Sensitive systems co-located with less sensitive systems are accessed by unauthorized parties. [TVS011]
Recommended Control Measures: If possible sensitive systems have a dedicated, and isolated, computing environment. [RCM011]
- Verify and ensure firewall capabilities exist between the public Internet and internal network beyond the basic port blocking and NATing functions of the Cisco router.
Existing Control:
- Network Configuration: Firewall in place? Wireless encryption? Remote access type? Remote access encryption?
Existing Control Effectiveness: Partially Effective
Likelihood: Likely
Impact: High
Risk Rating: Medium



Category: Network Security
Threat-Vulnerability Statement: Information involved in electronic messaging is compromised. [TVS012]
Recommended Control Measures: Information involved in electronic messaging is appropriately protected. [RCM012]
- The use of email encryption (via certificate authority or encryption software) can help protect information involved in electronic messaging.
- For any texting, or email-to-texting, of PHI, the use of encryption is important as well as:
  - Including only the minimum necessary information
  - Phones lock after inactivity
  - Phone (smartphone) encryption
  - Central management of the phones
  - Regular removal (retention) of all previous texts
  - Also, working with the phone company to determine their methods of retention of any texts being sent, or whether the phone company is just a conduit that does not capture the plaintext messages being sent/received.
Existing Control: 0
Existing Control Effectiveness: Effective
Likelihood: Not Likely
Impact: High
Risk Rating: Low

Category: Network Security
Threat-Vulnerability Statement: Technical vulnerabilities are exploited to gain inappropriate or unauthorized access to information systems due to lack of controls for those vulnerabilities. [TVS013]
Recommended Control Measures: Timely information about technical vulnerabilities of information systems being used is obtained, the organization's exposure to the vulnerabilities is evaluated and appropriate measures are taken to address the associated risk. [RCM013]
- Regular vulnerability testing can be performed using free or commercial scanning tools. The results provide information about technical vulnerabilities that may need to be addressed within the systems. Example tools include: Microsoft Baseline Security Analyzer, Nessus, and nmap.
- Vulnerability assessments should include servers, workstations, switches, firewalls, routers, etc. to ensure all entry points within the systems are assessed for vulnerabilities.
Existing Control:
- No vulnerability testing currently being performed internally or from a third party.
Existing Control Effectiveness: Not Effective
Likelihood: Very Likely
Impact: High
Risk Rating: High



Category: Network Security
Threat-Vulnerability Statement: Unauthorized access is given to information over third party connections. [TVS014]
Recommended Control Measures: A formal process is in place to control all external third party network connections. [RCM014]
- Logs from the EHR, servers, networking systems, etc. should be reviewed on a regular basis, whether automatically or manually.
- Network connections from third parties could also be restricted to business hours or activated upon request to help control the connections.
Existing Control: 0
Existing Control Effectiveness: Not Effective
Likelihood: Very Likely
Impact: High
Risk Rating: High



Category: Logical Access
Threat-Vulnerability Statement: Unauthorized access is gained to information systems. [TVS015]
Recommended Control Measures: Formal procedures should be in place to control the allocation of access rights to information systems and services. [RCM015]
- It's good practice to limit access rights to local workstations by using Restricted User access rights for each authorized user to help control the installation of software as well as to help minimize the impact of malware.
- Passwords should be changed regularly, i.e. every 30, 60, or 90 days.
- Minimum password length should be enforced, i.e. 8 characters long.
- Password complexity and history of previously used passwords should also be enforced, i.e. passwords to contain uppercase and lowercase letters and numbers, as well as not being able to reuse the last x passwords.
- Auto logoff should be enforced within the EHR to help prevent unauthorized access if the user walks away from the system, i.e. after 15 minutes of inactivity.
- Auto screenlock should also be enforced on the workstations and servers to help prevent unauthorized access if the user walks away from the system, i.e. after 15 minutes of inactivity.
- Remote connectivity should be accomplished through secure connections including SSL/TLS, IPSec VPN tunnels, or other secure methods. The use of Remote Desktop from outside the network through port forwarding can introduce various vulnerabilities.
Existing Control:
- EHR Password Security: Password Change? Minimum Length? Complexity? Password History? Lockout?
- Windows Password Security: Password Change? Minimum Length? Complexity? Password History? Lockout?
- Auto Logoff: EHR? Windows?
- Servers/Network Devices: Default Admin passwords have been changed?
Existing Control Effectiveness: Partially Effective
Likelihood: Very Likely
Impact: High
Risk Rating: High



Category: Logical Access
Threat-Vulnerability Statement: Unauthorized users are able to gain access to operating systems by claiming to be an authorized user. [TVS016]
Recommended Control Measures: All users are assigned a unique identifier (user ID) for their business use. This unique ID shall be used exclusively on computing systems within the medical practice which process EPHI, and a suitable authentication technique is chosen to validate the identity of a user. [RCM016]
- Access to local workstations and other systems should also have unique user ID's and passwords in addition to the EHR itself.
Existing Control:
- Unique user ID's are utilized within the EHR.
- However, user ID's are NOT unique for workstation access.
Existing Control Effectiveness: Partially Effective
Likelihood: Very Likely
Impact: High
Risk Rating: High

Category: Logical Access
Threat-Vulnerability Statement: Users that no longer have a business need for information systems access still have access to the information. [TVS017]
Recommended Control Measures: Management reviews and makes the appropriate corrections to the access right(s) of individual users at regular intervals using a formal process¹. [RCM017]
- Reviewing of user accounts could be accomplished on a regular basis by comparing HR active employee lists to the lists within the EHR and other systems.
Existing Control:
- No regular review of accounts currently being performed within the EHR, servers, and other systems.
Existing Control Effectiveness: Not Effective
Likelihood: Likely
Impact: High
Risk Rating: Medium
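The account review suggested above (comparing the HR active employee list with the account lists of the EHR and other systems), as an added Python example that is not part of the tool. The CSV exports, their column names and the account data are constructed for the example; real HR and system exports will differ.

```python
"""Periodic user-account review: HR active list vs. system account exports (added example)."""
import csv
import io
from typing import Dict, List, Set, Tuple

# Constructed sample exports (not from the page). In practice these would be
# the HR system's active-employee report and each system's account export.
HR_EXPORT = """employee_id,name,status
1001,Alice Example,Active
1002,Bob Example,Active
1003,Carol Example,Terminated
"""

SYSTEM_EXPORTS = {
    "EHR": """user_id,employee_id,enabled
alice,1001,true
bob,1002,true
carol,1003,true
drsmith,,true
""",
    "Windows": """user_id,employee_id,enabled
alice,1001,true
carol,1003,false
frontdesk,,true
""",
}


def active_employee_ids(hr_csv: str) -> Set[str]:
    """Employee ids whose HR status is Active."""
    reader = csv.DictReader(io.StringIO(hr_csv))
    return {row["employee_id"].strip() for row in reader
            if row["status"].strip().lower() == "active"}


def enabled_accounts(export_csv: str) -> List[Dict[str, str]]:
    """Enabled accounts from a system export; disabled accounts need no action."""
    reader = csv.DictReader(io.StringIO(export_csv))
    return [row for row in reader if row["enabled"].strip().lower() == "true"]


def reconcile(hr_csv: str, exports: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Flag enabled accounts that are not tied to an active employee.

    Returns {system: [(user_id, reason), ...]} where reason is
    'no-active-employee' (the mapped employee is no longer active in HR) or
    'no-owner' (no employee id at all: a shared, generic or vendor account,
    which also conflicts with the unique-user-ID control, TVS016).
    """
    active = active_employee_ids(hr_csv)
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for system, export in exports.items():
        for account in enabled_accounts(export):
            employee = account["employee_id"].strip()
            if not employee:
                findings.setdefault(system, []).append((account["user_id"], "no-owner"))
            elif employee not in active:
                findings.setdefault(system, []).append(
                    (account["user_id"], "no-active-employee"))
    return findings


if __name__ == "__main__":
    for system, items in reconcile(HR_EXPORT, SYSTEM_EXPORTS).items():
        for user_id, reason in items:
            print(f"{system}: review account {user_id!r} ({reason})")
```

Each flagged account is a discrepancy for the review process to act on (disable, re-assign an owner, or document an approved exception).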

Category: Operations Management
Threat-Vulnerability Statement: Systems and data are exposed to malicious software and/or unauthorized use. [TVS018]
Recommended Control Measures: Policies and procedures are implemented that address the prevention, detection and removal of malicious code in the computer operating environment. This would cover all computers or devices, such as printers and thumb drives, which connect to computers. [RCM018]
- All workstations and servers should have protection from malicious software. This should include at least antivirus protection but could also include full security suites or Endpoint Security packages.
- Antivirus software should be updated at least daily and full scans run on a regular basis.
Existing Control: 0
Existing Control Effectiveness: Not Effective
Likelihood: Not Likely
Impact: High
Risk Rating: Low



Category: Operations Management
Threat-Vulnerability Statement: Unauthorized information processing activities occur undetected due to lack of consistent logging and monitoring activities. [TVS019]
Recommended Control Measures: Policies and procedures for information system monitoring have been established and implemented. This is done to institute consistency and standards in computer activity logging, computer activity monitoring and reporting of any system events. [RCM019]
- Logs from the EHR, servers, networking systems, etc. should be reviewed on a regular basis, whether automatically or manually.
- Network connections from third parties could also be restricted to business hours or activated upon request to help control the connections.
Existing Control: 0
Existing Control Effectiveness: Not Effective
Likelihood: Very Likely
Impact: High
Risk Rating: High

Category: Operations Management
Threat-Vulnerability Statement: Media (e.g., documents, computer media (e.g. tapes, disks), input/output data, system documentation) is compromised by unauthorized parties due to ineffective handling procedures. [TVS020]
Recommended Control Measures: Operating procedures are established to protect documents, computer media (e.g., tapes, disks), input/output data and system documentation. This is done to protect sensitive information from unauthorized disclosure, modification, removal, and destruction. [RCM020]
- The use of encryption that follows NIST 800-11 is recommended.
- Encryption of the EHR database should be considered, as well as any file servers that contain ePHI.
- Utilizing full disk encryption on all desktops, laptops, USB drives, backup tapes, and/or other mobile devices can also help prevent unauthorized access to data if lost or stolen.
- The use of encryption can help give "safe harbor" from breach notification if the encrypted media becomes lost or stolen.
Existing Control:
- Backups: Are backups encrypted?
Existing Control Effectiveness: Partially Effective
Likelihood: Very Likely
Impact: High
Risk Rating: High



Category: Operations Management
Threat/Vulnerability: The production environment is impacted due to the lack of separation of development and production environments. [TVS022]
Recommended Control Measures: Development, test, and operational facilities are separated from one another. This is done to reduce the risks of unauthorized access or unauthorized changes to the computer operational system or to any software applications running upon the operating system. [RCM022]
Existing Control Measures Applied:
- No test systems
- EHR vendor tests their updates and then notifies the Practice for installation into production
Effectiveness: Partially Effective | Likelihood: Not Likely | Impact: High | Risk Rating: Low

Category: Operations Management
Threat/Vulnerability: The change management process in place does not adequately protect the environment from disruptive changes in production. [TVS024]
Recommended Control Measures: Formal change policies and procedures have been established to manage the implementation of changes to assure adherence to standards and security practices. [RCM024]
- It is recommended to have all changes recorded and tracked. This is usually accomplished through a helpdesk ticket system, or in some cases through a database or Excel spreadsheet. Appendix G of the information security policy template provided by the REC contains a Change Management Tracking Log that can help in this area.
Existing Control Measures Applied:
- No internal tracking or reporting of changes to the systems
- EHR vendor does keep records of any changes performed through the use of their ticketing system
- Windows Updates: Workstations update automatically? Servers are updated regularly?
Effectiveness: Partially Effective | Likelihood: Likely | Impact: Medium | Risk Rating: Medium

Category: Incident Management
Threat/Vulnerability: Security incidents are not managed with a consistent and effective approach. [TVS025]
Recommended Control Measures: A consistent approach to managing information security incidents, consistent with applicable law, is in place to handle information security events and weaknesses once they are reported. Activities such as incident reporting, organizational response, relocation of operations, evidence collection and system recovery are all components of incident response. [RCM025]
- An incident response plan should include how evidence is collected, whether performed internally or by a third party.
- The ability to track and report on incidents is recommended.
- Incident response plans should be tested regularly (e.g. annually).
- The Information Security Policy template provided by the REC contains a Security Incident Log in Appendix E that can help in this area.
Existing Control Measures Applied:
- No incident management tracking / reporting software is being utilized
Effectiveness: Not Effective | Likelihood: Very Likely | Impact: Medium | Risk Rating: Medium



Category: Business Continuity Management
Threat/Vulnerability: Information systems cannot be recovered due to a lack of written disaster recovery plans. [TVS026]
Recommended Control Measures: Backup and Recovery plans are documented, distributed through the organization and easily obtained by office personnel when a disruptive event occurs. The DR Plan must identify the required actions to undertake following interruption to, or failure of, critical IT systems. [RCM026]
- Backups should be tested regularly, and it is good practice to document each test.
- A Disaster Recovery Plan (DRP) should also be tested regularly (e.g. annually).
- It is recommended that all backups be encrypted, utilizing NIST SP 800-111 for guidance.
- Full backups should be taken offsite at least once a week and stored at a secure location.
Existing Control Measures Applied:
- EHR backup services are utilized for secure offsite backups of the database.
- Test restores of backups are completed periodically, especially as needed, but are not consistently tested on a regular basis.
- No alternate facility available to recover from a disaster.
Effectiveness: Partially Effective | Likelihood: Likely | Impact: High | Risk Rating: Medium

Blank rows for practice-specific threats (Category | Threat | Recommended Control Measures):
- New Threat 1 (TVS027)
- New Threat 2 (TVS028)
- New Threat 3 (TVS029)
- New Threat 4 (TVS030)
- New Threat 5 (TVS031)



Findings-Remediation (Step 3)
Purpose: This tab is the final stage of the data collection process. It is designed to highlight the HIGH and MEDIUM risk ratings that were determined in Steps 2a and 2b, and to provide recommendations for safeguards. The information generated in this tab can be used to obtain further guidance from your Regional Extension Center (REC).

Steps for Using the Findings-Remediation Tab (Step 3):

NOTE: All columns, with the exception of the 'Owner', 'Remediation Steps' and 'Target Date' columns that the respondent completes, are automatically populated from the input provided in the preceding tabs (Steps 1, 2a and 2b). Please allow a few moments for this tab to populate with the data from the previous tabs.

Risk Found - This column requires no action by the respondent and self-populates with the risks rated MEDIUM or HIGH in the Risk Rating column of the Step 2a and 2b tabs. A risk rated LOW is considered insignificant and is not carried forward into the overall Risk Matrix.

Risk Rating - This column requires no action by the respondent and self-populates with the rating that accompanies each asset or application rated MEDIUM or HIGH in the Step 2a and 2b tabs. Only assets or applications rated Medium or High in Steps 2a and 2b are displayed and rated on this chart.

Existing Control Measures Applied - This column requires no action by the respondent and self-populates from the Existing Control Measures listed in Step 2 (both Step 2a and 2b). These are the corrective actions the practitioner is already taking, if any, to mitigate and reduce the threat or vulnerability. Control measures can be an alarm system, a sprinkler system or computer access restrictions, and they are listed again in this space.

Recommended Control Measures - This column contains the Recommended Control Measures that were populated in Steps 2a and 2b. It requires no action by the respondent.

Owner: The person assigned responsibility for determining how to address the risk.

Remediation Steps: The response is a judgment by the practitioner as to what supplemental measures may be taken, within the current availability of resources, to achieve a sound state of security and to ensure the continuation of operations. There is no right or wrong answer. This is an opportunity for the respondent to consider and document any additional measures they wish to take to address and reduce the risk.

Target Date: The date by which remediation of the risk should be complete.

NEXT STEP (OPTIONAL): The final step in this risk assessment process is to talk to your REC for clarification and additional information.

Number of High Risks: 8


Number of Medium Risks: 8
Total Number of High and Medium Risks: 16

High and Medium Risks Findings and Remediation
Columns: Risks Found (High and Medium Only) | Risk Rating | Existing Control Measures Applied | Recommended Control Measures | Owner | Remediation Steps | Target Date
People and Processes
Risk Found: Information around risks and related control options are not presented to management before management decisions are made. [TVS004]
Risk Rating: Medium
Existing Control Measures Applied:
- REC helping to start the risk assessment process by using this spreadsheet as a foundation for the risk assessment as well as the risk management plan.
- No prior risk assessments conducted.
Recommended Control Measures: Risk assessments are conducted to identify, quantify, prioritize and manage risks. The prioritization is accomplished by creating and using criteria for risk acceptance and objectives which are important to the organization. [RCM004]
- Ensure this risk assessment is accurate, both the information that has been filled in and the risk ratings (likelihood and impact) that were completed based on that information.
- After verifying the accuracy of the information, the Medium and High risk items from the Findings-Remediation tab should be addressed by making the necessary business decisions on whether to mitigate, transfer, or accept each risk. It is recommended to mitigate risks that are easy to address.
- It is important to continue the risk assessment process by assessing additional risks to your facility, systems, and all other assets to ensure a thorough and up-to-date risk assessment is conducted.
Owner / Remediation Steps / Target Date: (blank)



Risk Found: Technical vulnerabilities are exploited to gain inappropriate or unauthorized access to information systems due to lack of controls for those vulnerabilities. [TVS013]
Risk Rating: High
Existing Control Measures Applied:
- No vulnerability testing has been completed.
Recommended Control Measures: Timely information about technical vulnerabilities of information systems being used is obtained, the organization's exposure to the vulnerabilities is evaluated and appropriate measures are taken to address the associated risk. [RCM013]
- Vulnerability testing should be performed regularly to obtain information about technical vulnerabilities in the systems.
- A policy and procedure surrounding this process should be in place and should include the steps to be taken, where necessary, once vulnerabilities are found.
Owner / Remediation Steps / Target Date: (blank)

Technology

Risk Found: Security breaches occur when dealing with third parties due to a lack of security considerations in the related third party agreement. [TVS002]
Risk Rating: Medium
Existing Control Measures Applied: 0
Recommended Control Measures: Agreements with third parties, such as IT vendors, which involve accessing, processing, communicating with or managing the organization's information or information processing facilities, or adding products or services to information processing facilities, cover all relevant security requirements. Contracts between business associates and covered entities address administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of information. [RCM002]
- Controls should be in place to help monitor any access by third parties. This can include the regular review of VPN logs, EHR logs, server logs, etc.
- Automated alerts when certain criteria are met within a system can greatly help monitor third party connections to internal systems.
Owner / Remediation Steps / Target Date: (blank)

Risk Found: Information around risks and related control options are not presented to management before management decisions are made. [TVS004]
Risk Rating: Medium
Existing Control Measures Applied:
- No regular assessment of technology is performed, including vulnerability testing, patch management, or other review of systems to help determine the risks associated with them so appropriate action(s) can be taken.
Recommended Control Measures: Risk assessments are conducted to identify, quantify, prioritize and manage risks. The prioritization is accomplished by creating and using criteria for risk acceptance and objectives which are important to the organization. [RCM004]
- It is important to expand upon this risk assessment by assessing the risk of each asset itself.
Owner / Remediation Steps / Target Date: (blank)



Risk Found: Unauthorized parties gain physical access to facilities due to insufficient physical entry/exit controls. [TVS010]
Risk Rating: High
Existing Control Measures Applied (checklist):
- Workstations/Laptops/Tablets: Positioning? Privacy screens used? Cable locks used?
- Server Room: Server room location? Locked at all times? Proper cooling? Battery backup? Fire suppression?
- Network Closet: Locked at all times? Proper cooling? Battery backup?
- Building: Emergency lighting? Fire detection? Fire suppression? Back door remains locked? Other doors remain locked? Water shut-off valves? Emergency power shut-off? Building alarm system?
Recommended Control Measures: A facility security plan is implemented, which protects the facility with appropriate entry/exit controls to ensure that only authorized personnel are allowed access, removal of equipment from the facility is restricted to authorized individuals, and repair/modification of physical components of the facility are documented and monitored. Workstations are protected from removal by unauthorized individuals. A contingency plan is implemented for permitting and enabling physical access to alternate authorized individuals (e.g. in the event primary authorized individuals are sick or not available). [RCM010]
- The server room should be secured to ensure physical access is available only to authorized individuals. This can include keeping all doors to the servers locked at all times and any windows secured/monitored.
- Best practice is to ensure proper temperature and humidity for both server and wiring rooms.
- Wiring closets that contain switches, routers, and other networking equipment should also remain locked and accessible only by authorized individuals.
- The use of cable locks can help prevent theft of mobile devices (laptops), and privacy screens can help prevent unauthorized viewing of computer screens/monitors.
Owner / Remediation Steps / Target Date: (blank)

Risk Found: Sensitive systems co-located with less sensitive systems are accessed by unauthorized parties. [TVS011]
Risk Rating: Medium
Existing Control Measures Applied (checklist):
- Network Configuration: Firewall in place? Wireless encryption? Remote access type? Remote access encryption?
Recommended Control Measures: If possible, sensitive systems have a dedicated and isolated computing environment. [RCM011]
- Verify and ensure that firewall capabilities exist between the public Internet and the internal network beyond the basic port blocking and NAT functions of the Cisco router.
Owner / Remediation Steps / Target Date: (blank)



Risk Found: Technical vulnerabilities are exploited to gain inappropriate or unauthorized access to information systems due to lack of controls for those vulnerabilities. [TVS013]
Risk Rating: High
Existing Control Measures Applied:
- No vulnerability testing currently being performed internally or by a third party.
Recommended Control Measures: Timely information about technical vulnerabilities of information systems being used is obtained, the organization's exposure to the vulnerabilities is evaluated and appropriate measures are taken to address the associated risk. [RCM013]
- Regular vulnerability testing can be performed using free or commercial scanning tools. The results provide information about technical vulnerabilities that may need to be addressed within the systems. Example tools include Microsoft Baseline Security Analyzer, Nessus, and nmap.
- Vulnerability assessments should include servers, workstations, switches, firewalls, routers, etc. to ensure all entry points into the systems are assessed for vulnerabilities.
Owner / Remediation Steps / Target Date: (blank)
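Running nmap is the easy half of this control; the finding only becomes actionable when someone turns the scan output into a list of services that should not be reachable. The script below is an added example written for this page (it is not part of the tool or of nmap). It reads a report in nmap's XML output format (the -oX option) and flags open services that a small practice should not leave exposed. The report is a constructed sample, the addresses and host names are invented, and the RISKY_SERVICES table is an assumption to be tuned to the practice's own inventory.

```python
import xml.etree.ElementTree as ET

# Review baseline (assumption): nmap service names that call for action when
# found open on a practice network. Tune to the practice's own inventory.
RISKY_SERVICES = {
    "telnet": "cleartext remote login; replace with SSH or disable",
    "ftp": "cleartext file transfer; replace with SFTP/FTPS or disable",
    "microsoft-ds": "SMB reachable; restrict to trusted hosts, never to the Internet",
    "netbios-ssn": "NetBIOS session service; restrict or disable",
    "ms-wbt-server": "RDP reachable; put behind a VPN, never port-forward it",
    "vnc": "VNC reachable; tunnel over VPN or disable",
    "http": "unencrypted web service; confirm no ePHI, prefer HTTPS",
}

# Constructed sample in nmap -oX layout (no real scan data).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.0/24" version="7.94">
  <host><status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="ehr-srv" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <hostnames><hostname name="frontdesk-pc" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return (addr, hostname, port, protocol, service) for every open port on
    every host that nmap reported as up. Filtered/closed ports are skipped."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            service = svc.get("name") if svc is not None else "unknown"
            findings.append((addr, hostname, int(port.get("portid")),
                             port.get("protocol"), service))
    return findings


def flag_risky(findings):
    """Keep only the open services in the baseline, with the advice attached."""
    return [(addr, host, port, proto, svc, RISKY_SERVICES[svc])
            for addr, host, port, proto, svc in findings if svc in RISKY_SERVICES]


def summarize(xml_text):
    """Counts a reviewer can paste into the Existing Control Measures column."""
    findings = parse_nmap_xml(xml_text)
    risky = flag_risky(findings)
    return {"open_ports": len(findings), "risky": len(risky),
            "hosts": sorted({f[0] for f in risky})}


if __name__ == "__main__":
    for addr, host, port, proto, svc, advice in flag_risky(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print(f"{addr} ({host}) {port}/{proto} {svc}: {advice}")
    print(summarize(SAMPLE_NMAP_XML))
```

On the sample, the HTTPS service passes and the filtered SSH port is ignored, while telnet, SMB on two hosts, NetBIOS and RDP are listed with the action to take. Rerunning the same parse after each remediation gives the "steps taken once vulnerabilities are found" record the policy bullet asks for.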

Risk Found: Unauthorized access is given to information over third party connections. [TVS014]
Risk Rating: High
Existing Control Measures Applied: 0
Recommended Control Measures: A formal process is in place to control all external third party network connections. [RCM014]
- Logs from the EHR, servers, networking systems, etc. should be reviewed on a regular basis, whether automated or reviewed manually.
- Network connections from third parties could also be restricted to business hours or activated upon request to help control the connections.
Owner / Remediation Steps / Target Date: (blank)



Risk Found: Unauthorized access is gained to information systems. [TVS015]
Risk Rating: High
Existing Control Measures Applied (checklist):
- EHR Password Security: Password change? Minimum length? Complexity? Password history? Lockout?
- Windows Password Security: Password change? Minimum length? Complexity? Password history? Lockout?
- Auto Logoff: EHR? Windows?
- Servers/Network Devices: Default admin passwords have been changed?
Recommended Control Measures: Formal procedures should be in place to control the allocation of access rights to information systems and services. [RCM015]
- It is good practice to limit access rights to local workstations by giving each authorized user a Restricted (standard) User account, which helps control the installation of software and minimizes the impact of malware.
- Passwords should be changed regularly, e.g. every 30, 60, or 90 days.
- A minimum password length should be enforced, e.g. 8 characters.
- Password complexity and a history of previously used passwords should also be enforced, e.g. passwords must contain uppercase and lowercase letters and numbers, and the last x passwords cannot be reused.
- Auto logoff should be enforced within the EHR to help prevent unauthorized access if the user walks away from the system, e.g. after 15 minutes of inactivity.
- Auto screen lock should also be enforced on workstations and servers for the same reason, e.g. after 15 minutes of inactivity.
- Remote connectivity should be accomplished through secure connections, including SSL/TLS, IPsec VPN tunnels, or other secure methods. Exposing Remote Desktop to the Internet through port forwarding can introduce various vulnerabilities.
Owner / Remediation Steps / Target Date: (blank)
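The checklist above asks "Minimum length? Complexity? Password history? Lockout?" for each system. The following is an added example for this page, not part of the tool, showing how to answer those questions for a Windows workstation from the text that the built-in `net accounts` command prints, and how the same rules look when applied to a proposed password. Both `net accounts` transcripts are constructed samples (a never-configured policy and the same machine after hardening); the 90-day, 8-character figures come from the recommendations, while a history depth of 6 and a lockout after 5 failures are assumptions a practice would set for itself.

```python
import hashlib
import re

# Constructed sample resembling `net accounts` output on a Windows workstation.
# The values are invented: this is what a never-configured local policy looks like.
WEAK_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
"""

# The same machine after the policy has been tightened (also constructed).
HARDENED_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          90
Minimum password length:                              8
Length of password history maintained:                6
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
"""

# Baseline: 90 days and 8 characters come from the recommendations above; the
# history depth and lockout threshold are assumptions for this example.
BASELINE = {"max_age_days": 90, "min_length": 8, "history": 6, "lockout_threshold": 5}


def parse_net_accounts(text):
    """Map each `net accounts` line to an int, or None for Never/None/Unlimited."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        settings[key.strip()] = int(value) if value.isdigit() else None
    return settings


def evaluate_policy(settings, baseline=BASELINE):
    """Return (setting, observed, required) for every setting weaker than the
    baseline. None (Never/Unlimited/None) means 'not enforced', always a gap."""
    checks = [
        ("Maximum password age (days)", baseline["max_age_days"],
         lambda v: v is not None and v <= baseline["max_age_days"]),
        ("Minimum password length", baseline["min_length"],
         lambda v: v is not None and v >= baseline["min_length"]),
        ("Length of password history maintained", baseline["history"],
         lambda v: v is not None and v >= baseline["history"]),
        ("Lockout threshold", baseline["lockout_threshold"],
         lambda v: v is not None and v <= baseline["lockout_threshold"]),
    ]
    return [(name, settings.get(name), required)
            for name, required, ok in checks if not ok(settings.get(name))]


COMPLEXITY_RULES = (("uppercase", re.compile(r"[A-Z]")),
                    ("lowercase", re.compile(r"[a-z]")),
                    ("digit", re.compile(r"[0-9]")))


def password_digest(candidate):
    """History is kept as digests so old passwords are never stored in the clear.
    A real system compares against its own salted hashes; SHA-256 is only for
    the illustration here."""
    return hashlib.sha256(candidate.encode()).hexdigest()


def check_password(candidate, history_hashes=(), min_length=BASELINE["min_length"]):
    """Apply the length, complexity and reuse rules to a proposed password and
    return the list of failed rules (an empty list means acceptable)."""
    failed = []
    if len(candidate) < min_length:
        failed.append(f"shorter than {min_length} characters")
    for name, pattern in COMPLEXITY_RULES:
        if not pattern.search(candidate):
            failed.append(f"no {name} character")
    if password_digest(candidate) in history_hashes:
        failed.append("reused from password history")
    return failed


if __name__ == "__main__":
    for label, text in (("weak", WEAK_NET_ACCOUNTS), ("hardened", HARDENED_NET_ACCOUNTS)):
        print(label, evaluate_policy(parse_net_accounts(text)))
    print(check_password("winter2011"))
```

The weak transcript produces four gaps (age, length, history, lockout) and the hardened one none; the same four lines are the ones to check in the EHR's own administration screen, which `net accounts` does not cover.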

Risk Found: Unauthorized users are able to gain access to operating systems by claiming to be an authorized user. [TVS016]
Risk Rating: High
Existing Control Measures Applied:
- Unique user IDs are utilized within the EHR.
- However, user IDs are NOT unique for workstation access.
Recommended Control Measures: All users are assigned a unique identifier (user ID) for their business use. This unique ID shall be used exclusively on computing systems within the medical practice which process ePHI, and a suitable authentication technique is chosen to validate the identity of a user. [RCM016]
- Access to local workstations and other systems should also use unique user IDs and passwords, in addition to the EHR itself.
Owner / Remediation Steps / Target Date: (blank)



Risk Found: Users that no longer have a business need for information systems access still have access to the information. [TVS017]
Risk Rating: Medium
Existing Control Measures Applied:
- No regular review of accounts is currently being performed within the EHR, servers, and other systems.
Recommended Control Measures: Management reviews and makes the appropriate corrections to the access right(s) of individual users at regular intervals using a formal process. [RCM017]
- Review of user accounts could be accomplished on a regular basis by comparing HR active employee lists to the account lists within the EHR and other systems.
Owner / Remediation Steps / Target Date: (blank)
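The comparison recommended above is mechanical once both lists are exported, and it catches more than terminated staff: it also surfaces accounts with no owner (the shared IDs that TVS016 warns about) and accounts nobody has used in months. The script below is an added example for this page, not part of the tool. The two CSV exports are constructed samples with invented people, the column names are assumptions about what an HR system and the EHR would export, and the review date, 90-day inactivity window and list of approved service accounts are values the practice would set.

```python
import csv
import io
from datetime import date

# Constructed sample exports (no real people). Column names are assumptions.
HR_ACTIVE_CSV = """\
employee_id,name,status
E001,Jane Smith,active
E002,Robert Jones,active
E003,Maria Lopez,terminated
E004,Wei Chen,active
"""

EHR_USERS_CSV = """\
user_id,employee_id,role,last_login,enabled
jsmith,E001,clinician,2011-10-20,yes
rjones,E002,front_desk,2011-10-19,yes
mlopez,E003,clinician,2011-09-02,yes
wchen,E004,billing,2011-04-11,yes
ehrvendor-svc,,vendor,2011-10-18,yes
frontdesk2,,front_desk,2011-10-19,yes
olduser,E009,clinician,2010-12-01,no
"""

REVIEW_DATE = date(2011, 10, 21)               # date the review is run (assumption)
STALE_DAYS = 90                                # inactivity that warrants a look (assumption)
APPROVED_SERVICE_ACCOUNTS = {"ehrvendor-svc"}  # documented non-person accounts (assumption)


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def review_accounts(hr_csv, ehr_csv, today=REVIEW_DATE):
    """Return (user_id, finding, detail) for every enabled account that should
    not exist in its current state: owned by someone HR no longer lists as
    active, mapped to nobody at all, or unused for longer than STALE_DAYS."""
    hr = {row["employee_id"]: row for row in load_rows(hr_csv)}
    findings = []
    for acct in load_rows(ehr_csv):
        if acct["enabled"] != "yes":
            continue                            # already disabled: nothing to do
        uid, emp = acct["user_id"], acct["employee_id"]
        if not emp:
            if uid not in APPROVED_SERVICE_ACCOUNTS:
                findings.append((uid, "unowned_account",
                                 "no employee mapped and not an approved service account; "
                                 "a shared or orphaned ID defeats accountability"))
        elif emp not in hr or hr[emp]["status"] != "active":
            findings.append((uid, "terminated_user_still_enabled",
                             f"employee {emp} is not active in HR"))
        days_idle = (today - date.fromisoformat(acct["last_login"])).days
        if days_idle > STALE_DAYS:
            findings.append((uid, "stale_account", f"no login for {days_idle} days"))
    return findings


if __name__ == "__main__":
    for uid, finding, detail in review_accounts(HR_ACTIVE_CSV, EHR_USERS_CSV):
        print(f"{uid}: {finding} ({detail})")
```

On the sample, the terminated clinician's account, the unused billing account and the unowned second front-desk login are reported; the vendor account is passed because it is on the approved list, which is itself something the review should re-confirm each time.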

Risk Found: Unauthorized information processing activities occur undetected due to lack of consistent logging and monitoring activities. [TVS019]
Risk Rating: High
Existing Control Measures Applied: 0
Recommended Control Measures: Policies and procedures for information system monitoring have been established and implemented. This is done to institute consistency and standards in computer activity logging, computer activity monitoring and reporting of any system events. [RCM019]
- Logs from the EHR, servers, networking systems, etc. should be reviewed on a regular basis, whether automated or reviewed manually.
- Network connections from third parties could also be restricted to business hours or activated upon request to help control the connections.
Owner / Remediation Steps / Target Date: (blank)
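The log-review bullet appears under TVS002, TVS014 and TVS019, and the "business hours" idea for third-party connections is the simplest automated check to start with. The script below is an added example for this page, not part of the tool or of any vendor's product: it reads connection and login records, flags successful third-party connections outside business hours, and flags accounts with repeated failed logins. The log lines are a constructed sample in an assumed key=value layout (real VPN and EHR logs differ and need their own parser), and the vendor account names, business-hours window and failure threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines; the key=value layout is an assumption, not any
# vendor's real format. Account names and addresses are invented.
SAMPLE_LOG = """\
2011-10-17 09:12:03 vpn user=ehrvendor-svc src=203.0.113.5 action=connect result=success
2011-10-17 09:40:11 vpn user=ehrvendor-svc src=203.0.113.5 action=disconnect result=success
2011-10-18 02:14:55 vpn user=ehrvendor-svc src=198.51.100.77 action=connect result=success
2011-10-18 08:31:02 ehr user=jsmith src=10.0.0.15 action=login result=failure
2011-10-18 08:31:20 ehr user=jsmith src=10.0.0.15 action=login result=failure
2011-10-18 08:31:41 ehr user=jsmith src=10.0.0.15 action=login result=failure
2011-10-18 08:32:05 ehr user=jsmith src=10.0.0.15 action=login result=failure
2011-10-18 08:32:30 ehr user=jsmith src=10.0.0.15 action=login result=failure
2011-10-18 08:33:00 ehr user=jsmith src=10.0.0.15 action=login result=success
2011-10-19 10:05:44 vpn user=itmsp-support src=192.0.2.40 action=connect result=success
2011-10-20 14:22:10 ehr user=rjones src=10.0.0.21 action=login result=failure
2011-10-20 14:22:31 ehr user=rjones src=10.0.0.21 action=login result=success
2011-10-22 11:03:20 vpn user=itmsp-support src=192.0.2.40 action=connect result=success
this line is not a log record and is skipped
"""

# Accounts belonging to outside parties (EHR vendor, IT provider) and the hours
# in which their connections are expected. All three values are assumptions.
THIRD_PARTY_USERS = {"ehrvendor-svc", "itmsp-support"}
BUSINESS_HOURS = (8, 18)      # 08:00 up to (not including) 18:00, Monday to Friday
FAILURE_THRESHOLD = 5         # failed logins per (system, user) that trigger review

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<system>\w+) (?P<kv>.*)$")


def parse_line(line):
    """Return a dict of fields for one record, or None if the line is not a record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(item.split("=", 1) for item in m.group("kv").split() if "=" in item)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    fields["system"] = m.group("system")
    return fields


def outside_business_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def review(log_text):
    """Apply both checks and return the alerts in the order they should be read:
    after-hours third-party connections as they occur, then failure bursts."""
    alerts = []
    failures = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if (e.get("user") in THIRD_PARTY_USERS and e.get("action") == "connect"
                and e.get("result") == "success" and outside_business_hours(e["ts"])):
            alerts.append(("third_party_after_hours", e["ts"].isoformat(),
                           e["user"], e.get("src")))
        if e.get("result") == "failure":
            failures[(e["system"], e.get("user"))] += 1
    for (system, user), n in sorted(failures.items()):
        if n >= FAILURE_THRESHOLD:
            alerts.append(("repeated_failures", system, user, n))
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(*alert)
```

On the sample the 02:14 vendor connection on a Tuesday and the Saturday connection by the IT provider are raised, as is the run of five failed EHR logins; the single failed login is ignored. Each alert is something to write into the incident log or to explain with a change ticket, which is the "reporting of any system events" the control text calls for.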

Risk Found: Media (e.g. documents, computer media such as tapes and disks, input/output data, system documentation) is compromised by unauthorized parties due to ineffective handling procedures. [TVS020]
Risk Rating: High
Existing Control Measures Applied:
- Backups: Are backups encrypted?
Recommended Control Measures: Operating procedures are established to protect documents, computer media (e.g. tapes, disks), input/output data and system documentation. This is done to protect sensitive information from unauthorized disclosure, modification, removal, and destruction. [RCM020]
- The use of encryption that follows NIST SP 800-111 is recommended.
- Encryption of the EHR database should be considered, as well as any file servers that contain ePHI.
- Utilizing full disk encryption on all desktops, laptops, USB drives, backup tapes, and/or other mobile devices can also help prevent unauthorized access to data if a device is lost or stolen.
- Encryption can also give "safe harbor" from breach notification if the encrypted media is lost or stolen.
Owner / Remediation Steps / Target Date: (blank)



Risk Found: The change management process in place does not adequately protect the environment from disruptive changes in production. [TVS024]
Risk Rating: Medium
Existing Control Measures Applied:
- No internal tracking or reporting of changes to the systems
- EHR vendor does keep records of any changes performed through the use of their ticketing system
- Windows Updates: Workstations update automatically? Servers are updated regularly?
Recommended Control Measures: Formal change policies and procedures have been established to manage the implementation of changes to assure adherence to standards and security practices. [RCM024]
- It is recommended to have all changes recorded and tracked. This is usually accomplished through a helpdesk ticket system, or in some cases through a database or Excel spreadsheet. Appendix G of the information security policy template provided by the REC contains a Change Management Tracking Log that can help in this area.
Owner / Remediation Steps / Target Date: (blank)

Risk Found: Security incidents are not managed with a consistent and effective approach. [TVS025]
Risk Rating: Medium
Existing Control Measures Applied:
- No incident management tracking / reporting software is being utilized
Recommended Control Measures: A consistent approach to managing information security incidents, consistent with applicable law, is in place to handle information security events and weaknesses once they are reported. Activities such as incident reporting, organizational response, relocation of operations, evidence collection and system recovery are all components of incident response. [RCM025]
- An incident response plan should include how evidence is collected, whether performed internally or by a third party.
- The ability to track and report on incidents is recommended.
- Incident response plans should be tested regularly (e.g. annually).
- The Information Security Policy template provided by the REC contains a Security Incident Log in Appendix E that can help in this area.
Owner / Remediation Steps / Target Date: (blank)



Risk Found: Information systems cannot be recovered due to a lack of written disaster recovery plans. [TVS026]
Risk Rating: Medium
Existing Control Measures Applied:
- EHR backup services are utilized for secure offsite backups of the database.
- Test restores of backups are completed periodically, especially as needed, but are not consistently tested on a regular basis.
- No alternate facility available to recover from a disaster.
Recommended Control Measures: Backup and Recovery plans are documented, distributed through the organization and easily obtained by office personnel when a disruptive event occurs. The DR Plan must identify the required actions to undertake following interruption to, or failure of, critical IT systems. [RCM026]
- Backups should be tested regularly, and it is good practice to document each test.
- A Disaster Recovery Plan (DRP) should also be tested regularly (e.g. annually).
- It is recommended that all backups be encrypted, utilizing NIST SP 800-111 for guidance.
- Full backups should be taken offsite at least once a week and stored at a secure location.
Owner / Remediation Steps / Target Date: (blank)
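Two of the open questions in this table, "Are backups encrypted?" under TVS020 and the inconsistently tested restores under TVS026, can both be answered with a small amount of automation. The script below is an added example for this page, not part of the tool or of any backup product. It applies a byte-entropy check and a search for obvious ePHI field names to a backup file (a cleartext database dump fails both; a properly encrypted copy should pass), and it verifies a test restore against the SHA-256 manifest recorded when the backup was made, producing the dated record the "document each test" bullet asks for. The SQL dump and the high-entropy blob standing in for ciphertext are constructed samples; the marker list and the 7.5 bits-per-byte threshold are assumptions, and a pass on the entropy check is a prompt to confirm the backup tool's own encryption setting, not proof of it.

```python
import hashlib
import math
from collections import Counter
from datetime import date

REVIEW_DATE = date(2011, 10, 21)   # date of the test restore (assumption)


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data, threshold=7.5):
    """Ciphertext (and compressed data) sits close to 8 bits/byte; a database
    dump or document is far lower. Threshold is an assumption for this example."""
    return shannon_entropy(data) >= threshold


# Field names that should never be readable on backup media (assumption).
EPHI_MARKERS = (b"insert into", b"patient", b"ssn", b"dob")


def plaintext_ephi_markers(data):
    """Return the markers found in cleartext, in EPHI_MARKERS order."""
    low = data.lower()
    return [m.decode() for m in EPHI_MARKERS if m in low]


def review_media(name, data):
    """One finding per backup file: (name, status, entropy)."""
    status = "encrypted" if looks_encrypted(data) and not plaintext_ephi_markers(data) else "NOT encrypted"
    return (name, status, round(shannon_entropy(data), 2))


def build_manifest(files):
    """files: {name: bytes} as written at backup time -> {name: sha256 hex}."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_restore(manifest, restored):
    """Compare a test restore ({name: bytes}) against the manifest taken when
    the backup was made; anything missing or altered fails the test."""
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(n for n in manifest if n in restored
                       and hashlib.sha256(restored[n]).hexdigest() != manifest[n])
    return {"ok": not missing and not corrupted, "missing": missing, "corrupted": corrupted}


def restore_test_record(result, tester, when):
    """The entry to file for each restore test, as the recommendation asks."""
    return {"date": when.isoformat(), "tester": tester,
            "result": "PASS" if result["ok"] else "FAIL",
            "missing": result["missing"], "corrupted": result["corrupted"]}


# Constructed samples: a cleartext SQL dump with obvious ePHI fields, and a
# deterministic high-entropy blob standing in for a properly encrypted copy.
PLAINTEXT_DUMP = (b"INSERT INTO patient (mrn, name, date_of_birth, ssn) "
                  b"VALUES (1001, 'Sample Name', '1970-01-01', '000-00-0000');\n") * 40
ENCRYPTED_BLOB = b"".join(hashlib.sha256(b"ciphertext-stand-in-%d" % i).digest()
                          for i in range(128))


if __name__ == "__main__":
    print(review_media("ehr.sql", PLAINTEXT_DUMP))
    print(review_media("ehr.sql.enc", ENCRYPTED_BLOB))
    backup = {"ehr.db": ENCRYPTED_BLOB, "config.xml": b"<cfg/>"}
    manifest = build_manifest(backup)
    print(restore_test_record(verify_restore(manifest, backup), "office manager", REVIEW_DATE))
    partial = {"ehr.db": ENCRYPTED_BLOB[:-1]}       # truncated file, config missing
    print(restore_test_record(verify_restore(manifest, partial), "office manager", REVIEW_DATE))
```

The manifest must be stored separately from the backup media (with the DR plan, for instance), or a lost tape takes its own integrity record with it. The same record, filed weekly with the offsite rotation, is the evidence that the "tested regularly" bullet is actually being met.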
