IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

IT Risk Analysis_CHCACT

NAME:
DATE:

Summary of Standards and Implementation Specifications
(R) = Required, (A) = Addressable. Each implementation specification is marked Met or Not Met.

Standard: Security Management Process, 164.308(a)(1)
  Checklist section: Information Security Program
  Implementation specifications: Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)

Standard: Assigned Security Responsibility, 164.308(a)(2)
  Checklist section: Information Security Program
  Implementation specifications: (R)

Standard: Workforce Security, 164.308(a)(3)
  Checklist section: Personnel Security
  Implementation specifications: Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A)

Standard: Information Access Management, 164.308(a)(4)
  Checklist section: Data Security
  Implementation specifications: Isolating Health Care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A)

Standard: Security Awareness and Training, 164.308(a)(5)
  Checklist section: Personnel Security
  Implementation specifications: Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)

Standard: Security Incident Procedures, 164.308(a)(6)
  Checklist section: Information Security Program
  Implementation specifications: Response and Reporting (R)

Standard: Contingency Plan, 164.308(a)(7)
  Checklist section: Business Continuity
  Implementation specifications: Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A)

Standard: Evaluation, 164.308(a)(8)
  Checklist section: Information Security Program
  Implementation specifications: (R)

Standard: Business Associate Contracts and Other Arrangements, 164.308(b)(1)
  Checklist section: Business Associate Oversight
  Implementation specifications: Written Contract or Other Arrangement (R)
Information Security Program

Risk Analysis, 164.308(a)(1)
- Have quantitative, semi-quantitative, and qualitative risk analyses been completed?
- Has a NIST SP 800-30 risk assessment been completed?
- Does your Risk Analysis report contain the following sections: Introduction, IT System Characterization, Risk/Threat/Vulnerability Identification, Control Analysis, Risk Likelihood Determination, Risk Impact Analysis, Overall Risk Determination, Control Recommendations, and Results Documentation?
- Has the Risk Assessment Matrix been created and kept up to date?
- Has your IT System Boundary Diagram been created and kept up to date?
- Has your IT Department information flow diagram been created and kept up to date?

Risk Management, 164.308(a)(1)
- Does your risk management plan address processes, risk categories, reporting roles, responsibilities, tools, budget, deliverables, and meeting procedures?
- Does your plan include risk identification, risk analysis, response planning, and risk control?
- Does your plan follow the NIST SP 800 series guidelines?

Sanction Policy, 164.308(a)(1)
- Do you apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures?
- Do you have corrective action policies that define levels of breach, disciplinary sanctions, the disciplinary process, and the appeal process?

Information System Activity Review, 164.308(a)(1)
- Does your IT Department regularly review records of activity on the information systems that contain EPHI?
- Do you have appropriate hardware, software, and/or procedural auditing mechanisms for systems that contain or use EPHI?
- Do the level and type of your auditing mechanisms align with your risk analysis process?
- Do you have formal, documented processes that record significant activities and identify the appropriate reviewer?
Assigned Security Responsibility, 164.308(a)(2)
- Has a Security Official (SO) been identified who is responsible for the development, implementation, and enforcement of the policies and procedures defined in the HIPAA General Security Standards, Administrative Safeguards, and Physical Safeguards, as those terms are used in the federal regulations at 45 CFR 164.306 through 164.310 (inclusive of revisions or additions to these sections that occur from time to time)?
- Does the SO approve and manage all security policies and procedures that detail and document the actual mechanisms and controls?

Response and Reporting, 164.308(a)(6)
- Have you defined appropriate reporting mechanisms to identify, document, and communicate suspected security incidents, so that there is accountability in validating incident identification, response, and reporting?

Evaluation, 164.308(a)(8)
- Have you established a plan to evaluate the infrastructure, operations, and all policies and procedures related to the IT Department?
- Have you established a schedule for evaluating the efficacy of each security policy and procedure, publishing a monthly report that includes all findings and corrective action plans as appropriate, and is that report stored in the Configuration Management Database (CMDB)?

Personnel Security

Authorization and/or Supervision, 164.308(a)(3)
- Have you designated who is responsible for employee job descriptions, background (security) checks, and drug-testing procedures?
- Have you implemented procedures for the authorization and/or supervision of employees who work with EPHI or in locations where it might be accessed?

Workforce Clearance Procedure, 164.308(a)(3)
- Have you documented investigation types, validated position sensitivity, duties management, requirements, schedule, and security briefings?
- Have you implemented procedures to determine that an employee's access to EPHI is appropriate?
Termination Procedures, 164.308(a)(3)
- Have you implemented policies and procedures for modifying or terminating access to EPHI when an employee is hired, transferred, and/or terminated?
- Is there a process for requesting, establishing, issuing, and closing user accounts?
- Is there a process to update asset records when an employee has been terminated?

Security Reminders, 164.308(a)(5)
- Are you providing mandatory annual security training and awareness to the department?
- Are methods such as posters and booklets used to keep employees aware of security?

Protection from Malicious Software, 164.308(a)(5)
- Are you meeting technology protection standards, including anti-virus protection and patching?
- Is malware detection and removal software installed and active on all appropriate devices, including servers, workstations, and portable devices?
- Are malware signature files routinely updated?
- Are malware scans automatic?
- Are malware reports consistently reviewed and acted on in a timely manner?

Log-in Monitoring, 164.308(a)(5)
- Do the logical access controls restrict users to authorized transactions and functions?
- Can the security controls detect unauthorized access attempts?
- Is access monitored to identify apparent security violations, and are such events investigated and documented?
- Are you monitoring hardware, software, and internal and external logs?

Password Management, 164.308(a)(5)
- Are you meeting password requirements in accordance with your HIPAA policy?
- Have you created and kept up to date your password management procedures?
- Have you provided a local administrator password management service to standardize, control, and report on changes to administrator rights?
- Are passwords transmitted and stored using secure protocols and algorithms?
Data Security

Isolating Health Care Clearinghouse Function, 164.308(a)(4)
- Has your health care clearinghouse implemented policies and procedures that protect the clearinghouse's electronic protected health information from unauthorized access by any larger organization?
- Does each health care clearinghouse in your infrastructure use the standards specified for electronic health care transactions?
- Have you instituted security controls (e.g., firewalls, intrusion detection systems, host-based access controls) to isolate clearinghouse functions from the larger organization?

Access Authorization, 164.308(a)(4)
- Have the policies and procedures for granting access to electronic protected health information (EPHI) been implemented, documented, and kept up to date?
- Has your IT director assigned each employee to the appropriate group(s) for access control purposes, and/or assigned specific user-based access settings on the master access list?
- Have you created policies and procedures for modifying rights of access?

Access Establishment and Modification, 164.308(a)(4)
- Have you implemented the access authorization policies to establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process?
- Have you included a regular review process for access control lists?

Business Continuity

Data Backup Plan, 164.308(a)(7)
- Does the Backup and Recovery Plan for your HIPAA infrastructure include all servers, application software, user files, and datasets?
- Can you provide a plan for server data storage backup that is consistent with federal NIST guidelines and requirements?
- Is your backup data validated and tested annually?
- Can you demonstrate on a periodic basis that all backup and recovery systems are fully functional by performing a recovery from a backup on each of the implemented storage media types?
Disaster Recovery Plan, 164.308(a)(7)
- Does your Disaster Recovery Plan contain the information, resources, systems, vendor support, regulations, procedures, and return-to-service plans needed to protect your infrastructure either on-site or off-site?
- Does your Security Officer annually review and test the IT infrastructure against multiple disaster scenarios?
- Does your plan adequately cover general network considerations, the LAN, the WAN, and network infrastructure applications?

Emergency Mode Operation Plan, 164.308(a)(7)
- Does your IT Department have a formal, documented emergency mode operations plan for protecting its information systems containing EPHI during and immediately after a crisis?
- Do your IT workforce members receive regular training and awareness on the emergency mode operations plan?
- Does your plan identify a team to determine the extent of an emergency, invoke the plan, inform customers and business associates, and restore business operations at a backup site?

Testing and Revision Procedure, 164.308(a)(7)
- Does your IT Department use a version-controlled Configuration Management Database (CMDB) that records updates and maintenance for the IT infrastructure and includes the documents from testing through revision procedures?
- Does your IT Department use an Enterprise Testing Center to measure the performance of network and system components against industry standards?
- Do you have policies and procedures for the Enterprise Testing Team?
- Does your Enterprise Testing Team periodically prepare and document system testing (including regression testing) to mitigate the risk of outages due to system changes and to assure that system enhancements work before they are deployed?
- Has a change control review board been established to ensure authorization, planning, scheduling, communication, and execution of changes?
- Has the IT Department developed a contingency plan for each change, including backup and recovery as necessary, and tested that plan, including all dependencies?
- Have Emergency, Normal, and Standard change categories been established and recorded?
Applications and Data Criticality Analysis, 164.308(a)(7)
- Have you assessed the relative criticality of specific applications, databases, hardware, and network information in support of the Disaster Recovery or Emergency Mode plan components?
- Have you created a prioritized list of programs and information to be recovered or restored in the event of a system failure?
- Have you documented the availability of scheduling information and electronic medical records as your highest priority if a facility is damaged?
- Have you taken data aging into consideration when prioritizing recovery and restoration efforts?
- Is the assessment of data and application criticality conducted periodically, and at least annually, to ensure that appropriate procedures are in place for data and applications at each level of risk?

Business Associate Oversight

Business Associate Contracts and Other Arrangements, 164.308(b)(1)
- Have you established written contracts or other arrangements with your trading partners that document the required satisfactory assurances?
- Do the contracts effectively manage Business Associate (BA) security risk, and do the BAs understand their compliance requirements and liability under HIPAA and HITECH regarding the protection of protected health information (PHI)?
- Has each Business Associate created a systematic, well-documented process for evaluating and prioritizing the risk of a BA PHI data breach or HIPAA Security Rule compliance violation, by determining that the BAs have the necessary technical, physical, and administrative safeguards in place to protect shared PHI?
- Do you have a process that systematically reduces risk in a rapid and cost-effective manner, with a repeatable process that ensures accountability and documents the organization's dedication to a robust information security program?