EXHIBIT A. - HIPAA Security Assessment Template -

Similar documents
Policy and Procedure: SDM Guidance for HIPAA Business Associates

Meaningful Use & Security Protecting Electronic Health Information in Accordance with the HIPAA Security Rule

HIPAA Security Checklist

HIPAA Security Checklist

These rules are subject to change periodically, so it s good to check back once in a while to make sure you re still compliant.

HIPAA Security and Privacy Policies & Procedures

HIPAA Security Rule Policy Map

HIPAA Compliance Checklist

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

HIPAA Federal Security Rule H I P A A

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

HIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

A Security Risk Analysis is More Than Meaningful Use

SECURITY & PRIVACY DOCUMENTATION

University of Pittsburgh Security Assessment Questionnaire (v1.7)

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

Information Security Policy

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Checklist: Credit Union Information Security and Privacy Policies

U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)

HIPAA FINAL SECURITY RULE 2004 WIGGIN AND DANA LLP

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

The Common Controls Framework BY ADOBE

Healthcare Privacy and Security:

Summary Analysis: The Final HIPAA Security Rule

The simplified guide to. HIPAA compliance

Support for the HIPAA Security Rule

HIPAA Security Manual

Integrating HIPAA into Your Managed Care Compliance Program

NMHC HIPAA Security Training Version

Trust Services Principles and Criteria

Putting It All Together:

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

Lakeshore Technical College Official Policy

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Information Technology Update

Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15

HIPAA Enforcement Training for State Attorneys General

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Recommendations for Implementing an Information Security Framework for Life Science Organizations

Employee Security Awareness Training Program

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Regulation P & GLBA Training

Security and Privacy Breach Notification

Implementing an Audit Program for HIPAA Compliance

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Security Standards for Electric Market Participants

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

HIPAA Privacy, Security and Breach Notification 2018

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Vendor Security Questionnaire

Information Security Management

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

Louisiana State University System

Annex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

Virginia Commonwealth University School of Medicine Information Security Standard

SECURITY PLAN DRAFT For Major Applications and General Support Systems

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

Meeting the Meaningful Use Security and Privacy Measure

HIPAA & Privacy Compliance Update

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

HIPAA Privacy, Security and Breach Notification 2017

HIPAA COMPLIANCE FOR VOYANCE

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

2015 HFMA What Healthcare Can Learn from the Banking Industry

HIPAA Compliance and OBS Online Backup

Annex 1 to NIST Special Publication Recommended Security Controls for Federal Information Systems

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

HIPAA RISK ADVISOR SAMPLE REPORT

Physical and Environmental Security Standards

HIPAA For Assisted Living WALA iii

Cyber Security Policy. September12, 2009

HIPAA Technical Safeguards and (a)(7)(ii) Administrative Safeguards

Department of Public Health O F S A N F R A N C I S C O

7.16 INFORMATION TECHNOLOGY SECURITY

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Data Privacy Breach Policy and Procedure

NW NATURAL CYBER SECURITY 2016.JUNE.16

HIPAA Compliance Assessment Module

Start the Security Walkthrough

Identity Theft Prevention Policy

Information Security Data Classification Procedure

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents

Table of Contents. PCI Information Security Policy

01.0 Policy Responsibilities and Oversight

Projectplace: A Secure Project Collaboration Solution

Department of Public Health O F S A N F R A N C I S C O

Transcription:

Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity s workforce in relation to the protection of that information. The purpose of this section is to determine whether the unit/department has established administrative functions required in HIPAA security rules with the corresponding implementation specifications to meet the security standards. Below are criteria to validate the reviewing department suggested by CMS and NIST publication 800-66: ADMINISTRATIVE SAFEGUARDS Security Management Process IMPLEMENTATION SPECIFICATION Risk Analysis (Required) The department is required to conduct accurate and thorough assessment of potential risks to ephi, considering all the relevant losses caused by unauthorized use and disclosure of ephi if the security measure is absent. SAMPLE QUESTIONS TO ASK OBSERVATIONS RECOMMENDATIONS Are there any prior risk assessments, audit comments, security requirements, and/or security test results? What are the current and planned controls? Is the facility located in a region prone to any natural disasters, such as earthquakes, floods, or fires? Has responsibility been assigned to check all hardware and software, including hardware and software used July 2014 1

Risk Management (Required) The department is required to detect and respond to security incidents, and implement sufficient security measures to reduce risks. for remote access, to determine whether selected security settings are enabled? Is there an analysis of current safeguards and their effectiveness relative to the identified risks? Have all processes involving ephi been considered, including creating, receiving, maintaining, and transmitting it? Do current safeguards ensure the confidentiality, integrity, and availability of all ephi? Do current safeguards protect against reasonably anticipated uses or disclosures of ephi that are not permitted by the Privacy Rule? Has the covered entity protected against all reasonably anticipated threats or hazards to the security and integrity of ephi? Has the covered entity assured compliance with all policies and procedures by its workforce? July 2014 2

Assigned Security Responsibility Sanction Policy (Required) Appropriate sanctions must be in place so that the department staff members understand the consequences of failing to comply with security policies and procedures. Information System Activity Review (Required) Audit logs and/or access reports process must be enforced to determine if any ephi is used or disclosed inappropriate manner. assign security responsibilities to one official. The responsibilities include management and supervision of use EXHIBIT A Is there a formal process in place to address system misuse, abuse, and fraudulent activity? Have employees been made aware of policies concerning sanctions for inappropriate access, use, and disclosure of ephi? How will managers and employees be notified regarding suspect activity? Who is responsible for the overall process and results? How often will reviews take place? How often will review results be analyzed? What is the organization s sanction policy for employee violations? Where will audit information reside (e.g., separate server)? Who in the organization o Oversees the development and communication of security policies and procedures? o Is responsible for July 2014 3

Workforce Security of security measures associated with this standard. Authorization and/or Supervision Staff members should be supervised or have clearance when working in locations where ephi is located. Workforce Clearance Procedure EXHIBIT A conducting the risk assessment? o Handles the results of periodic security evaluations and continuous monitoring? o Directs IT security purchasing and investment? o Ensures that security concerns have been addressed in system implementation? Who in the organization is authorized to accept risk from information systems on behalf of the organization? Are there written job descriptions that are correlated with appropriate levels of access? Have staff members been provided copies of their job descriptions, informed of the access granted to them, as well as the conditions by which this access can be used? Is there an implementation strategy that supports the July 2014 4

An established background check or screening process to verify that workforce members get appropriate access to ephi. Termination Procedures Termination procedures to remove access privileges when an employee, contractor, or other individual previously entitled to access information no longer has these privileges. designated access authorities? Are applicants employment and educational references checked, if reasonable and appropriate? Have background checks been completed, if reasonable and appropriate? Do procedures exist for obtaining appropriate sign-offs to grant or terminate access to ephi? Are there separate procedures for voluntary termination (retirement, promotion, transfer, change of employment) vs. involuntary termination (termination for cause, reduction in force, involuntary transfer, and criminal or disciplinary actions), if reasonable and appropriate? Is there a standard checklist for all action items that should be completed when an employee leaves (return of all access devices, deactivation of logon accounts [including remote access], and delivery of July 2014 5

Information Access Management Security Awareness and Training Access Authorization Policies or procedures should be in place for access authorization to system with ephi. Access Establishment and Modification Policies or procedures should be in place for accounts establishment and modification for access to systems with ephi. Security Reminders EXHIBIT A any needed data solely under the employee s control)? Do the organization s IT systems have the capacity to set access controls? Are there documented job descriptions that accurately reflect assigned duties and responsibilities and enforce segregation of duties? Does the organization grant remote access to ephi? What method(s) of access control is (are) used (e.g., identity-based, role-based, location-based, or a combination)? Are duties separated such that only the minimum necessary ephi is made available to each staff member based on their job requirements? Have employees received a copy of, and do they have ready access to, the organization s security July 2014 6

implement documented reminders such as security notices in printed or electronic form, agenda items and specific discussion topics at monthly meetings, focused reminders posted in affected areas, or formal retraining on security policies and procedures. procedures and policies? Do employees know whom to contact and how to handle a security incident? Do employees understand the consequences of noncompliance with the stated security policies? Do employees who travel know how to handle physical laptop security issues and information security issues? Has the covered entity researched available training resources? Is dedicated training staff available for delivery of security training? If not, who will deliver the training? Protection from Malicious Software The department staff members should be trained regarding their role in protecting against malicious software. Do employees know the importance of timely application of system patches to protect against malicious software and exploitation of vulnerabilities? July 2014 7

Security Incident Procedures Log-in Monitoring The department staff members should be informed on how users log onto systems and how they are supposed to manage their passwords. Password Management The department staff members should be trained on how to safeguard the information by establishing guidelines for creating passwords and changing them periodically. Response and Reporting (Required) implement a procedure to describe how staff members are to respond to an incident, EXHIBIT A Are employees aware that log-in attempts may be monitored? Do employees that monitor log-in attempts know to whom to report discrepancies? Do employees understand their roles and responsibilities in selecting a password of appropriate strength, changing the password periodically (if required), and safeguarding their password? Has the organization determined that maintaining a staffed security incident hotline would be reasonable and appropriate? Has the organization determined reasonable and appropriate mitigation options July 2014 8

Contingency Plan such as preserving evidence, documenting the incident and the outcome, and evaluating and reporting the incidents as an ongoing risk management. Data Backup Plan (Required) establish and implement procedures EXHIBIT A for security incidents? Has the organization determined that standard incident report templates to ensure that all necessary information related to the incident is documented and investigated are reasonable and appropriate? Has the organization determined under what conditions information related to a security breach will be disclosed to the media? Have appropriate (internal and external) persons who should be informed of a security breach been identified and a contact information list prepared? Has a written incident response plan been developed and provided to the incident response team? Is there a formal, written contingency plan? Does it address disaster recovery and data backup? Do data backup procedures exist? Are responsibilities assigned to conduct backup activities? July 2014 9

for data backup. Are data backup procedures documented and available to other staff? Disaster Recovery Plan (Required) establish and implement procedures for disaster recovery. Have procedures related to recovery from emergency or disastrous events been documented? Has a coordinator who manages, maintains, and updates the plan been designated? Has an emergency call list been distributed to all employees? Have recovery procedures been documented? Has a determination been made regarding when the plan needs to be activated (anticipated duration of outage, tolerances for outage or loss of capability, impact on service delivery, etc.)? Emergency Mode Operation Plan (Required) establish and implement procedures for emergency mode operation. Have procedures been developed to continue the critical functions identified in Key Activity? If so, have those critical functions that also involve the use of ephi been identified? Would different staff, facilities, or systems be needed to perform those functions? Has the security of that ephi in that alternative mode of operation been assured? July 2014 10

Testing and Revision Procedures implement procedures for periodic testing, documenting, and revision of contingency plans. How is the plan to be tested? Does testing lend itself to a phased approach? Is it feasible to actually take down functions/services for the purposes of testing? Can testing be done during normal business hours or must it take place during off hours? If full testing is infeasible, has a tabletop scenario (e.g., a classroom-like exercise) been considered? How frequently is the plan to be tested (e.g., annually)? When should the plan be revised? Application and Data Criticality Analysis identify their applications that store, maintain, or transmit ephi to determine how important each is to patient care and business needs. What critical services must be provided within specified timeframes? o Patient treatment, for example, may need to be performed without disruption. o By contrast, claims processing may be delayed during an emergency with no long-term damage to the organization. Have cross-functional dependencies been identified July 2014 11

Evaluation Business Associate Contracts and Other Arrangements periodically evaluate technical and nontechnical security measures in response to changing environment, technology or operations. Written Contract or Other Arrangement (Required) obtain a written contract regarding satisfactory assurances of business associates that create, receive, maintain, or transmit ephi. EXHIBIT A so as to determine how the failure in one system may negatively impact another one? How much training will staff need on security-related technical and nontechnical issues? Have management, operational, and technical issues been considered? Do the elements of each evaluation procedure (questions, statements, or other components) address individual, measurable security safeguards for ephi? Do security policies specify that evaluations will be repeated when environmental and operational changes are made that affect the security of ephi? Do the business associate agreements written and executed contain sufficient language to ensure that required information types will be protected? Are there any new organizations or vendors that now provide a service or function on behalf of the organization? Such services may include the July 2014 12

following: o Claims processing or billing o Data analysis o Utilization review o Quality assurance o Benefit management o Practice management o Re-pricing o Hardware maintenance o All other HIPAAregulated functions Have outsourced functions involving the use of ephi been considered, such as the following: o Actuarial services o Data aggregation o Administrative services o Accreditation o Financial services? * Be sure to ask for documentations for the above administrative safeguards July 2014 13

2. Physical Safeguards: The HIPAA Security Rule defines physical safeguards as, physical measures, policies, and procedures to protect a covered entity s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion. The purpose of this section is to determine if the department/unit has mechanisms to protect electronic systems, equipment, and data from threats, environmental hazards, and unauthorized intrusion, including restricting access to ephi and retaining offsite data backups. PHYSICAL SAFEGUARDS Facility Access Controls IMPLEMENTATION SPECIFICATION Contingency Operations establish procedures regarding contingency operations during an emergency. Facility Security Plan SAMPLE QUESTIONS TO ASK Who needs access to ephi in the event of a disaster? What is the backup plan for access to the facility and/or ephi? Who is responsible for the contingency plan for access to ephi? Who is responsible for implementing the contingency plan for access to ephi in each department, unit, etc.? Will the contingency plan be appropriate in the event of all types of potential disasters (fire, flood, earthquake, etc.)? If reasonable and appropriate, do nonpublic areas have locks and cameras? Are workstations protected OBSERVATIONS RECOMMENDATIONS July 2014 14

implement controls to ensure only authorized individuals have access to facilities and equipment that contain ephi. Access Control and Validation Procedures implement procedures to control and validate individuals access to facilities. from public access or viewing? Are entrances and exits that lead to locations with ephi secured? Do policies and procedures already exist regarding access to and use of facilities and equipment? Are there possible natural or man-made disasters that could happen in our environment? Do normal physical protections exist (locks on doors, windows, etc., and other means of preventing unauthorized access)? What are the policies and procedures in place for controlling access by staff, contractors, visitors, and probationary employees? How many access points exist in each facility? Is there an inventory? Is monitoring equipment necessary? Maintenance Records document repairs and Are records of repairs to hardware, walls, doors, and locks maintained? Has responsibility for maintaining these records been assigned? July 2014 15

Workstation Use Workstation Security modifications to the physical security components of the facilities. specify the proper functions to be performed by electronic computing devices by implement policies and procedures. protect electronic computing devices from unauthorized users. EXHIBIT A What tasks are commonly performed on a given workstation or type of workstation? Are all types of computing devices used as workstations identified along with the use of these workstations? How are workstations used in day-to-day operations? What are key operational risks that could result in a breach of security? Is there an inventory of all current workstation locations? Are any workstations located in public areas? Are laptops used as workstations? What safeguards are in place, i.e., locked doors, screen barriers, cameras, guards? Do any workstations need to be relocated to enhance physical security? July 2014 16

Device and Media Controls Disposal (Required) Procedures must be inplace to remove any ephi from computing devices before their disposal. Media Re-Use (Required) Procedures must be inplace to remove any ephi from computing devices before their reuse. Accountability maintain an inventory and record of the EXHIBIT A Have employees been trained on security? What data is maintained by the organization, and where? Is data on removable, reusable media such as tapes and CDs? Is there a process for destroying data on hard drives and file servers? What are the options for disposing of data on hardware? What are the costs? Do policies and procedures already exist regarding reuse of electronic media (hardware and software)? Is one individual and/or department responsible for coordinating the disposal of data and the reuse of the hardware and software? Are employees appropriately trained on security and risks to ephi when reusing software and hardware? Where is data stored (what type of media)? What procedures already exist regarding tracking of hardware and software within the company? If workforce members are July 2014 17

movements of hardware and electronic media and any person responsible therefore. Data Backup and Storage create an exact copy of ephi before movement of computing equipment to prevent the loss of data. allowed to remove electronic media that contain or may be used to access ephi, do procedures exist to track the media externally? Who is responsible for maintaining records of hardware and software? Are backup files maintained offsite to assure data availability in the event data is lost while transporting or moving electronic media containing ephi? If data were to be unavailable while media are transported or moved for a period of time, what would the business impact be? July 2014 18

3. Technical Safeguards: The HIPAA Security Rule defines technical safeguards as, the technology and the policy and procedures for its use that protect electronic protected health information and control access to it. The purpose of this section is to determine if the reviewing department/unit has the processes to protect data and control access to data, which may include using authentication controls to verify that the person signing onto a computer is authorized to access ephi, and encrypting data at rest and in transmission. TECHNICAL SAFEGUARDS Access Control IMPLEMENTATION SPECIFICATION Unique User Identification (Required) Each staff members is required to have unique username for identifying and tracking identity. Emergency Access Procedure (Required) establish procedures for obtaining necessary ephi during an SAMPLE QUESTIONS TO ASK How should the identifier be established (length and content)? Should the identifier be selfselected or randomly generated? What are the procedures for new employee/user access to data and systems? Are there procedures for reviewing and, if appropriate, modifying access authorizations for existing users? When should the emergency access procedure be activated? Who is authorized to make the decision? Who has assigned roles in the process? Will systems automatically OBSERVATIONS RECOMMENDATIONS July 2014 19

emergency. Automatic Logoff All systems that access ephi should implement logoff feature to prevent unauthorized users from accessing ephi when it is left unattended for a period of time. Encryption and Decryption employ encryption on ephi if feasible to protect the data from being accessed and viewed by unauthorized users. default to settings and functionalities that will enable the emergency access procedure or will the mode be activated by the system administrator or other authorized individual? Are automatic logoff features available for any of the covered entity s operating systems or other major applications? If applications have been created or developed in-house, is it reasonable and appropriate to modify them to feature automatic logoff capability? What period of inactivity prior to automatic logoff is reasonable and appropriate for the covered entity? What encryption systems are available for the covered entity s ephi? Is encryption appropriate for storing and maintaining ephi ( at rest ), as well as while it is transmitted? July 2014 20

Audit Controls Integrity implement mechanisms to record and examine activities in information systems that contain ephi. Mechanism to Authenticate electronic protected health information implement mechanisms to ensure and confirm that ephi on systems (data at rest) has not been altered or EXHIBIT A What activities will be monitored (e.g., creation, reading, updating, and/or deleting of files or records containing ephi)? What should the audit record include (e.g., user ID, event type/date/time)? Who is responsible for the overall audit process and results? How often will audits take place? How often will audit results be analyzed? What is the organization s sanction policy for employee violations? Where will audit information reside (i.e., separate server)? How are users authorized to access the information? Is there a sound basis established as to why they need the access? Have they been trained on how to use the information? Is there an audit trail established for all accesses to the information? What are likely sources that could jeopardize information integrity? July 2014 21

Person or Entity Authentication Transmission Security destroyed in unauthorized manner. implement access authentication mechanism to verify a user authority, such as using password or PIN. Integrity Control implement mechanisms to ensure that ephi on transmission has not been modified improperly, such as hash function. Encryption apply appropriate encryption security measures for ephi during transmission. EXHIBIT A What can be done to protect the integrity of the information when it is residing in a system (at rest)? What authentication methods are available? Have formal authentication policy and procedures been established and communicated? Has necessary testing been completed to ensure that the authentication system is working as prescribed? What measures exist to protect ephi in transmission? What measures are planned to protect ephi in transmission? Is there assurance that information is not altered during transmission? Is encryption reasonable and appropriate for ephi in transmission? Is encryption needed to effectively protect the information? Is encryption feasible and costeffective in this environment? What encryption algorithms July 2014 22

EXHIBIT A and mechanisms are available? Does the covered entity have the appropriate staff to maintain a process for encrypting ephi during transmission? July 2014 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback