Transcript

Columbia University Medical Center
Information Security Risk Questionnaire and Documentation (Limited Access)
Version 1.1, Mar 1, 2005

All CUMC Electronic Protected Health Information (EPHI) asset owners and systems must follow CUMC EPHI security policies. Protected Health Information (PHI) is defined as health or medical information identifiably linked to a specific individual, including identity information (demographic and financial data) and medical condition and treatment information (clinical data). Electronic Protected Health Information is defined as PHI stored on or transmitted via our computers and networks, including CDs, PDAs, tapes, and clinical equipment.

An EPHI asset is a collection, application, or database of EPHI that is used for specific purposes in care delivery, or for research or education. The owner of an asset is the principal who has required, and likely funded, the asset to exist for care, research or education purposes, and who is responsible for the overall use of the information. Custodians of an asset are responsible for the day-to-day operations and maintenance of the hardware and software used for the asset. Institutional applications may have ownership determined by a committee of institutional stakeholders; all other assets usually have individual owners. An Information Technology person or a system administrator cannot usually be the owner of an EPHI asset.

To demonstrate compliance with the policies (specifically for EPHI assets, as required by the HIPAA regulations), the owners must complete a security risk analysis for their asset. This document represents the documentation for Tier B assets as defined in the Information Security Management Process (# EPHI1) policy. Specifically, Tier B assets are defined as an information system or data collection (database, files, etc.) with:

1. 20 users or less; and
2. 10 devices with EPHI or less (servers and workstations that store EPHI data, including medical devices, but not workstations used only to access EPHI using an application).

There are 11 questions in total, and sample answers to the questionnaire are available at the end of the document. For any additional information, please contact security@cumc.columbia.edu, or the Information Security Officer.

Confidential and Privileged Page 1 of 26
ASSET INFORMATION

Provide information about the Asset.

Asset Name:
Asset Description:
Owner Name:
Owner Title and Dept:
Owner Phone:
Owner Email:
Custodian Name(s):
Custodian Title and Dept:
Custodian Phone(s):
Custodian Email(s):
Date of submission:
IRB Institution(s), if research:
Active IRB Number(s), if research:
QN 1. AUTHENTICATION

Sign-on with a UserID and secret password is required for all services and data access methods associated with the EPHI. Provide a list of users and custodians who can access this asset (add lines as necessary). All custodians, including system administrators, should be listed; they may be aggregated under a group name without a UserID. A common generic UserID to access clinical data is strongly discouraged and is usually not permitted. Specifically, for fewer than 20 users, defining accounts for individual users is not considered an onerous or hard task. It is recommended that the asset software is configured to turn off or severely restrict the use of common generic UserIDs. If, however, such a generic UserID is used, appropriate justification must be provided in the response below.

Response:

User ID | User Name | Title/Dept
QN 2. AUTHORIZATION

A written access authorization grid or rule is required that specifies which user has/had what kind of access to the EPHI, and why. Provide this information below (add lines as necessary). A system administrator (custodian) who manages the computer should also be listed.

Response:

User ID | Asset function (Read/Update/All/Administer/etc.) | Role/Reason | Status (Active/Term) | Start date | End Date
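A small consistency check over the QN 1 user list and the QN 2 authorization grid, added here as an example (it is not part of the questionnaire). It applies the Tier B limit of 20 users from the introduction, requires a justification for any generic UserID, and cross-references the two tables; the sample rows are transcribed from the Case 2 sample answer later in this document, and the dataclass and function names are this example's own.

```python
"""Consistency checks for QN 1 (Authentication) and QN 2 (Authorization)
responses.  Added example, not part of the CUMC questionnaire itself."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TIER_B_MAX_USERS = 20          # Tier B: "20 users or less" (introduction)
CUSTODIAN_GROUPS = {"CUBHIS"}  # custodian groups may be listed without a UserID


@dataclass
class AuthUser:                # one row of the QN 1 user list
    userid: str
    name: str
    title: str
    generic: bool = False      # True when the UserID is shared by several people
    justification: str = ""    # required by QN 1 whenever generic is True


@dataclass
class AuthzEntry:              # one row of the QN 2 access grid
    userid: str
    function: str              # Read / Update / All / Admin / Manage computer ...
    role: str
    status: str                # "Active" or "Term"
    start: Optional[str]
    end: Optional[str] = None


def check_questionnaire(users: List[AuthUser],
                        grid: List[AuthzEntry]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means consistent."""
    findings = []
    ids = {u.userid.upper() for u in users}

    if len(users) > TIER_B_MAX_USERS:
        findings.append(("error", f"{len(users)} users listed; Tier B allows "
                                  f"at most {TIER_B_MAX_USERS}"))
    for u in users:
        if u.generic and not u.justification.strip():
            findings.append(("error", f"generic UserID {u.userid} has no justification"))

    grid_ids = set()
    for e in grid:
        uid = e.userid.upper()
        grid_ids.add(uid)
        if uid not in ids and uid not in CUSTODIAN_GROUPS:
            findings.append(("error", f"authorization entry {e.userid} has no "
                                      f"matching account in QN 1"))
        if e.status == "Term" and not e.end:
            findings.append(("error", f"{e.userid} is terminated but has no End Date"))
        elif e.status == "Active" and e.end:
            findings.append(("warning", f"{e.userid} is Active but has an End Date ({e.end})"))
        elif e.status not in ("Active", "Term"):
            findings.append(("error", f"{e.userid}: unknown status {e.status!r}"))

    for uid in sorted(ids - grid_ids):   # accounts that exist but were never authorized
        findings.append(("error", f"account {uid} in QN 1 has no authorization entry"))
    return findings


# Rows transcribed from the Case 2 sample answer in this document.
CASE2_USERS = [
    AuthUser("JOEBROWN", "Joseph Brown", "Asst Prof, Cardiology, Medicine"),
    AuthUser("MATHSMART", "Matthew Smart", "Assoc Res Scientist, Biostatistics"),
    AuthUser("PUTTGTHER", "Putnam T Gather", "Coordinator, Medicine, Service Corporation"),
    AuthUser("JRPROGRAM", "Junior Programmer", "Programmer, Medicine"),
    AuthUser("JOHNSMITH", "John Smith", "System Admin, Medicine"),
    AuthUser("OLDSMITH", "Olden Smith", "System Admin, Medicine"),
    AuthUser("DAVINCM", "Monalisa Davinci", "Temp Programmer, Medicine"),
]
CASE2_GRID = [
    AuthzEntry("JOEBROWN", "All", "Principal Investigator", "Active", "3/7/04"),
    AuthzEntry("MATHSMART", "Read", "Statistician", "Active", "3/7/04"),
    AuthzEntry("PUTTGTHR", "Update", "Coordinator", "Active", "1/1/05"),
    AuthzEntry("JRPROGRAM", "Admin", "Programmer", "Active", "4/10/04"),
    AuthzEntry("JOHNSMITH", "Manage computer", "Local System Administrator", "Active", "3/7/04"),
    AuthzEntry("OLDSMITH", "Used to manage computer", "Local System Administrator",
               "Term", "3/7/04", "12/31/04"),
    AuthzEntry("DAVINCM", "Update", "Programmer", "Term", "5/10/03", "4/15/04"),
]


def case2_findings() -> List[Tuple[str, str]]:
    """The Case 2 sample spells one UserID PUTTGTHER in QN 1 and PUTTGTHR in QN 2."""
    return check_questionnaire(CASE2_USERS, CASE2_GRID)


if __name__ == "__main__":
    for severity, message in case2_findings():
        print(f"{severity}: {message}")
```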
QN 3. AUDIT LOGS

Audit logs of an asset show who accessed what EPHI of which patient and when. Audit logs are highly desirable when investigating security incidents, to punish the violators and to protect the innocent. They also help in understanding how and when the asset is accessed. Investigate with the custodians what kinds of audit logs are possible and available at the system, database, and/or application level for the asset, and have them enabled to the maximum possible extent. Describe below what level of audit logs is maintained for the asset.

Response:
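A worked example of the application-level log QN 3 asks for, added here and not part of the questionnaire: each record carries the fields the Case 2 sample answer rates "Excellent" (userid, date-time, client IP address, patient MRN, type of data and kind of access), and the two query functions answer the incident question "who accessed this patient's record, and when". The line format, IP addresses and MRN values are constructed for illustration.

```python
"""Application-level EPHI audit log: who accessed what EPHI of which patient
and when.  Added example, not the document's own code; the tab-separated
layout, IP addresses and MRNs are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"
NUM_FIELDS = 7


@dataclass(frozen=True)
class AuditRecord:
    ts: datetime          # date-time of the event
    userid: str           # who
    client_ip: str        # from where
    event: str            # "signon" or "access"
    mrn: str = ""         # which patient (empty for sign-on events)
    data_type: str = ""   # demographics, orders, EKG, Lab, Discharge Summary, ...
    access: str = ""      # read, add, update, print, ...

    def to_line(self) -> str:
        # Tab-separated: field values never contain tabs, so parsing is unambiguous.
        return "\t".join((self.ts.strftime(TS_FORMAT), self.userid, self.client_ip,
                          self.event, self.mrn, self.data_type, self.access))


def parse_line(line: str) -> AuditRecord:
    """Parse one log line; reject anything that is not exactly seven fields."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != NUM_FIELDS:
        raise ValueError(f"malformed audit line: {line!r}")
    ts, userid, client_ip, event, mrn, data_type, access = parts
    if event not in ("signon", "access"):
        raise ValueError(f"unknown event type {event!r}")
    return AuditRecord(datetime.strptime(ts, TS_FORMAT), userid, client_ip,
                       event, mrn, data_type, access)


def accesses_to_patient(lines, mrn, start, end):
    """Incident question: who touched patient `mrn` between `start` and `end`?
    Returns {userid: [(ts, data_type, access, client_ip), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec.event == "access" and rec.mrn == mrn and start <= rec.ts <= end:
            hits[rec.userid].append((rec.ts, rec.data_type, rec.access, rec.client_ip))
    return dict(hits)


def signons_without_access(lines):
    """Users who signed on but accessed no record.  A sign-on-only log (the
    'Weak, but better' examples) cannot make this distinction; this one can."""
    signed_on, accessed = set(), set()
    for line in lines:
        rec = parse_line(line)
        (signed_on if rec.event == "signon" else accessed).add(rec.userid)
    return signed_on - accessed


# Constructed sample log: user ids from the Case 2 sample, IPs and MRNs made up.
SAMPLE_LOG = [r.to_line() for r in (
    AuditRecord(datetime(2005, 3, 22, 9, 1, 10), "JOEBROWN", "10.0.0.11", "signon"),
    AuditRecord(datetime(2005, 3, 22, 9, 2, 30), "JOEBROWN", "10.0.0.11", "access",
                "MRN-TEST-0001", "EKG", "read"),
    AuditRecord(datetime(2005, 3, 22, 9, 5, 0), "MATHSMART", "10.0.0.12", "signon"),
    AuditRecord(datetime(2005, 3, 22, 9, 6, 15), "MATHSMART", "10.0.0.12", "access",
                "MRN-TEST-0001", "demographics", "read"),
    AuditRecord(datetime(2005, 3, 22, 11, 20, 0), "JRPROGRAM", "10.0.0.13", "signon"),
    AuditRecord(datetime(2005, 3, 23, 8, 0, 0), "JOEBROWN", "10.0.0.11", "access",
                "MRN-TEST-0002", "Lab", "update"),
)]


def users_for_sample_patient():
    """Accesses to the constructed MRN-TEST-0001 record on 22 Mar 2005, per user."""
    hits = accesses_to_patient(SAMPLE_LOG, "MRN-TEST-0001",
                               datetime(2005, 3, 22), datetime(2005, 3, 22, 23, 59, 59))
    return {uid: len(events) for uid, events in hits.items()}


if __name__ == "__main__":
    print("accessed MRN-TEST-0001 on 2005-03-22:", users_for_sample_patient())
    print("signed on, no record access:", signons_without_access(SAMPLE_LOG))
```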
QN 4. DEVICE EXPOSURE

Information assets include the collection of EPHI data as well as the devices that are used to store the data. Identify below the number of hardware devices used to store or to access EPHI. The total number of devices that contain PHI should be less than 10 to qualify for filling in this questionnaire.

Response:

Servers that contain EPHI (within Institution):
Workstations that contain EPHI (within Institution):
Servers that contain EPHI (outside Institution):
Workstations that contain EPHI (outside Institution):
Biomedical devices that contain EPHI:
Total devices that contain EPHI:
All workstations, PDAs, etc. that access EPHI:
Total devices that store or access EPHI:
QN 5. PROTECTION AGAINST MALICIOUS SOFTWARE

All devices that store or access EPHI must have basic security protections. Currently, anti-virus software and anti-spyware software are required. These protect against malicious software stealing or damaging data, hijacking and improper use of the devices, stealing passwords, etc. Additional protections are desirable – for example, all devices within the institution are protected by a firewall from attacks and threats from the Internet. Some devices, such as biomedical devices and servers in central data centers, are additionally protected using building or data center firewalls. Computers running Windows XP (SP2), Macintosh OS X, Linux and variations of Unix must have local (or personal) host-based firewalls turned on. This security protection permits only controlled and pre-defined access to the systems and data on the computers. Other desirable protections include periodic ‘password strength check’ testing as well as ‘host integrity check’ software that proactively protects the servers, workstations and access devices. Finally, all software on the devices, specifically the operating system, databases, web and other servers, must be frequently monitored for security vulnerabilities as announced by the software vendors, and security patches and updates to anti-virus and anti-spyware software must be applied as and when they are made available by the vendors. Indicate below the protections that are in place currently, and the person who is responsible for monitoring them.

Response:

Protection Type | R: Required / D: Desirable | How implemented? (such as: name of software or vendors, versions, reports or logs, etc.) | Userid/Name of the responsible person/group
Anti-virus, regular updates | R | |
Anti-spyware, regular updates | R | |
Vulnerability checks | R | |
Patching of security updates for the OS, database, etc. | R | |
Special network firewalls | D | |
Local/personal firewalls | R | |
Other checks | D | |
QN 6. ENCRYPTION AND INTEGRITY

EPHI carried or transmitted outside of the institutional network requires special consideration for encryption and information integrity. Specifically, if EPHI is accessed over the Internet or wireless networks, both of which are inherently at higher risk than the institutional network, then such transmission should be encrypted and should occur over reliable network protocols (such as TCP). Alternatively, if EPHI is stored on mobile devices such as laptops and Personal Digital Assistant devices, the mobile device must implement user sign-on with strong passwords and/or encryption of data to reduce the risk of exposure due to device theft or accidents. It is highly desirable to implement both security protection mechanisms. On many operating systems (Windows XP, Mac OS X), one can encrypt the data stored on the system by encrypting the folders; such encryption of EPHI at rest is highly recommended. Explain in detail how the EPHI transmission and storage are encrypted, and identify the person who implemented the solutions.

Response:

Security Protection | Describe mechanism | Userid/Name of the responsible person/group
Encryption on EPHI transmission over the Internet | |
Encryption of EPHI storage in laptop/EPHI | |
Sign on to access laptop/EPHI | |
QN 7. PHYSICAL SECURITY

All devices that contain EPHI must be physically secured. EPHI, however, is additionally stored on passive storage media (floppy disks, CD-ROMs, USB storage devices, tapes). Regular backups are recommended to protect against loss of data; the backup tapes contain clinical data and must be maintained securely. Similarly, data may be exchanged or backed up using floppy disks, CD-ROMs, USB storage devices, and other storage media. An important protection is to monitor where such media are kept and how they are handled, and also to take steps to remove and destroy all clinical data once the purpose of that data is completed. Sometimes it may be appropriate to physically destroy the media. Describe below the physical security environment of the asset and the associated media.

Response:

Security consideration | Describe management | Userid/Name of the responsible person/group
Physical access to devices containing EPHI (door locks, computer locks, card access, etc.) | |
Environmental management of the location where these devices are placed (Humidity, Temperature, Dust, etc.) | |
Types of passive media used for backup (tapes, disks), and its physical protection | |
Types of passive media (CDs, DVDs, USB devices, Zip disks, etc.) used for information exchange, and their physical protection (locked cabinets, destruction, etc.) | |
Disposal of devices and media when they are no longer required | |
QN 8. CONTINGENCY

If the EPHI asset is used to deliver or influence the delivery of ongoing patient care, one must carefully consider the availability of such an asset. Specifically, such assets must guard against ‘system down’ situations by considering information backup, physical device backup, formal methods to retrieve backups and make the asset available to users, and prior determination of the procedures that users should follow when the asset is unavailable in the short term as well as the long term. These considerations of the availability of the asset are placed in the Contingency Plan for the asset. Explain the Contingency Plan below.

Response:

Contingency plan considerations | Describe process in place, if applicable | Userid/Name of the responsible person/group
Is the asset used for ongoing patient care? | |
If yes above, describe backup methods in place to address short-term unavailability | |
If yes above, describe end-user processes to address short-term unavailability of the asset | |
If yes above, describe disaster recovery methods in place to address long-term unavailability | |
If yes above, describe end-user processes to address long-term unavailability of the asset | |
QN 9. EPHI EXCHANGE AND BUSINESS ASSOCIATE AGREEMENT

If EPHI is sent to or received from other assets (using methods like ftp, copy, tape or CD transfers, etc.), it is necessary to ensure that there is a legal basis that the information will be protected. If the transfer is to an entity that is not covered under the HIPAA regulations, a legal contract with specific language (called a Business Associate agreement) is required. This agreement is also required for vendors who access our systems for maintenance purposes and who may thus be able to access EPHI. If the transfer is over public networks, appropriate encryption solutions are required. You should include all transfers that are electronic, even if they are not real-time transfers, such as data copied onto tapes or CDs. Provide information about the partners that receive or send EPHI below.

Response:

Description of transfer | Recv From (F) / Send To (T) / Access (A) | Partner asset name/description | Owner name and contact info | HIPAA covered? (Yes/No) | EPHI moves/transfers over Internet? (Yes/No) If yes, is the transfer encrypted? (Yes/No/Not Appl) | BA Agreement (Yes/No/Not Appl)
QN 10. TRAINING

All EPHI users should be trained in their user responsibility towards EPHI security. The relevant information security policies are in the areas of password management, sign-on and sign-off, workstation use and security, and security incident reporting procedures. Various training materials are available. The owners of EPHI assets should use the asset questionnaires as the basis of the responsibilities associated with management of an asset, and should understand the Information Security policies and procedures.

Response:

Are there regular review and reinforcement of individual and team responsibilities towards EPHI privacy and security by the owner? (Yes/No) |

QN 11. SECURITY INCIDENT REPORTING

Significant security issues should be investigated and reported to the appropriate authorities as described in the Security Incident Reporting policy. Such issues include malicious infections with Trojans and keyloggers, unauthorized access, and accidental or malicious exposure or destruction of EPHI, etc. The IRB may be informed if it is IRB-approved research. Identify the person who will document and report a Security Incident as required in the Security Incident Reporting Policy.

Response:

Identify the person responsible for Security Incident Reporting |
Questionnaire Samples

Case 1. A set of EPHI files stored on a local PC used for clinical operations.

ASSET INFORMATION

Asset Name: Quality report for State Registry
Asset Description: Cardiac Cath data
Owner Name: Qadir Smith
Owner Title and Dept: Manager, Finance recovery
Owner Phone: 212-305-9989
Owner Email: qas2@columbia.edu
Custodian Name(s):
Custodian Title and Dept:
Custodian Phone(s):
Custodian Email(s):
Date of submission: 4/15/2005
IRB Institution(s), if research:
Active IRB Number(s), if research:

AUTHENTICATION

User ID | User Name | Title/Dept
Qas2 | Qadir Smith | Manager, Finance recovery
Bal99 | Barry A London | QA, Finance Recovery
Md2 | Monalisa Davinci | Temp Programmer, Finance recovery

AUTHORIZATION

User ID | Asset function (Read/Update/All/Admin/etc.) | Role/Reason | Status (Active/Term) | Start date | End Date
Qas2 | All | Manager | Active | 5/10/03 |
Bal99 | Update | Quality Analyst | Active | 5/10/03 |
CUBHIS Desktop computers group | Manage | Manage computer | Active | - | -
Md2 | Update | Programmer | Term | 5/10/03 | 4/15/04

AUDIT LOGS

See examples in the next case.

DEVICE EXPOSURE

Servers that contain EPHI (within Institution): 0
Workstations that contain EPHI (within Institution): 3
Servers that contain EPHI (outside Institution): 0
Workstations that contain EPHI (outside Institution): 0
Biomedical devices that contain EPHI: 0
Total devices that contain EPHI: 3
All workstations, PDAs, etc. that access but do not store EPHI: 0
Total devices that store or access EPHI: 3

PROTECTION AGAINST MALICIOUS SOFTWARE

Protection Type | R: Required / D: Desirable | How implemented? | Userid/Name of the responsible person/group
Anti-virus, regular updates | R | Symantec Anti-virus 9.0 | CUBHIS
Anti-spyware, regular updates | R | Microsoft Giant (to be implemented) | CUBHIS
Vulnerability checks | R | Workstations configured securely by CUBHIS | CUBHIS
Patching of security updates for the OS, database, etc. | R | Updates through Microsoft SUS | CUBHIS
Special network firewalls | D | Internet Firewall | CUBHIS
Local/personal firewalls | R | Use of XP SP2 local firewall | CUBHIS
Other checks | D | None |

ENCRYPTION AND INTEGRITY

Security Protection | Describe mechanism | Userid/Name of the responsible person/group
Encryption on EPHI transmission over the Internet | WinZIP with AES encryption, VPN connectivity | WinZIP by qas2, VPN by IS Core Resources
Encryption of EPHI storage in laptop/EPHI | None |
Sign on to access laptop/EPHI | None |

PHYSICAL SECURITY

Security consideration | Describe management | Userid/Name of the responsible person/group
Physical access to devices containing EPHI (door locks, computer locks, card access, etc.) | Workstations are in a restricted area. | Qas2
Environmental management of the location where these devices are placed (Humidity, Temperature, Dust, etc.) | Usual office environment | Qas2
Types of passive media used for backup (tapes, disks), and its physical protection | CDs as backup | Bal99
Types of passive media (CDs, DVDs, USB devices, Zip disks, etc.) used for information exchange, and their physical protection (locked cabinets, destruction, etc.) | None |
Disposal of devices and media when they are no longer required | Workstation disposal | CUBHIS

CONTINGENCY

Contingency plan considerations | Describe process in place, if applicable | Userid/Name of the responsible person/group
Is the asset used for ongoing patient care? | No |
If yes above, describe backup methods in place to address short-term unavailability | Not Applicable |
If yes above, describe end-user processes to address short-term unavailability of the asset | Not Applicable |
If yes above, describe disaster recovery methods in place to address long-term unavailability | Not Applicable |
If yes above, describe end-user processes to address long-term unavailability of the asset | Not Applicable |

EPHI EXCHANGE AND BUSINESS ASSOCIATE AGREEMENT

Description of transfer | Recv From (F) / Send To (T) / Access (A) | Partner asset name/description | Owner name and contact info | HIPAA covered? (Yes/No) | EPHI moves/transfers over Internet? (Yes/No) If yes, is the transfer encrypted? (Yes/No/Not Appl) | BA Agreement (Yes/No/Not Appl)
Report of all cardiac cath adverse results | T | NY State Error registry | GG Lowery, Albany, gglowery@erreg.ny.us | No, but govt. | Yes, Yes (Winzip password) | NA (govt.)

TRAINING

Are there regular review and reinforcement of individual and team responsibilities towards EPHI privacy and security by the owner? (Yes/No) | Yes, reviewed during weekly meeting.

SECURITY INCIDENT REPORTING

Identify the person responsible for Security Incident Reporting | Qas2
Case 2. An EPHI database stored on a local server used for research.

ASSET INFORMATION

Asset Name: Cardiology Research Name
Asset Description: Database of Electrocardiogram reports and tracings
Owner Name: Joseph Brown
Owner Title and Dept: Asst Prof, Cardiology, Medicine
Owner Phone: 212-305-9998
Owner Email: Jb23@columbia.edu
Custodian Name(s): John Smith
Custodian Title and Dept: System Admin, Medicine
Custodian Phone(s): 212-342-9989
Custodian Email(s): johnsmith@medicine.columbia.edu
Date of submission: 3/22/2005
IRB Institution(s), if research: Columbia University
Active IRB Number(s), if research: IG98945

AUTHENTICATION

User ID | User Name | Title/Dept
JOEBROWN | Joseph Brown | Asst Prof, Cardiology, Medicine
MATHSMART | Matthew Smart | Assoc Res Scientist, Biostatistics
PUTTGTHER | Putnam T Gather | Coordinator, Medicine, Service Corporation
JRPROGRAM | Junior Programmer | Programmer, Medicine
JOHNSMITH | John Smith | System Admin, Medicine
OLDSMITH | Olden Smith | System Admin, Medicine
DAVINCM | Monalisa Davinci | Temp Programmer, Medicine

AUTHORIZATION

User ID | Asset function (Read/Update/All/Admin/etc.) | Role/Reason | Status (Active/Term) | Start date | End Date
JOEBROWN | All | Principal Investigator | Active | 3/7/04 |
MATHSMART | Read | Statistician | Active | 3/7/04 |
PUTTGTHR | Update | Coordinator | Active | 1/1/05 |
JRPROGRAM | Admin | Programmer | Active | 4/10/04 |
JOHNSMITH | Manage computer | Local System Administrator | Active | 3/7/04 |
OLDSMITH | Used to manage computer | Local System Administrator | Term | 3/7/04 | 12/31/04
DAVINCM | Update | Programmer | Term | 5/10/03 | 4/15/04

AUDIT LOGS

Example 1 (Weak): There are no audit logs with the files. The files are exchanged between the users using floppies and CDs. All users understand that there are no audit logs, and therefore it is assumed that all users have seen all data in the asset.

Example 2 (Weak, but better): There are only server sign-on logs (userid and date-time) available, which are kept for 60 days. The users understand that if they sign on to the server, it is assumed that they have seen all data in the asset.

Example 3 (Weak, but better): The web-based application has a sign-on log (userid, date-time, browser IP address, URL). The logs are rotated every week, and kept for the past 8 weeks. The users understand that if they sign on to the web application, it is assumed that they have seen all data in the asset.

Example 4 (Good): There are 2 kinds of logs: (1) a sign-on log to the server (userid and date-time), and (2) an access log to specific files in the asset by an individual who has signed on (userid, date-time, filename). The logs are kept for the past 30 days on the system.

Example 5 (Very Good): An application log exists that logs user sign-on as well as the patient records that were accessed by the user. The log includes userid, date-time, sign-on, MRN of a patient, and the date-time when that patient record was accessed. The logs are kept locally for the last 3 months, but are also sent daily to the central audit log storage facility for long-term storage and correlation with other access.

Example 6 (Excellent): An application log exists that logs user sign-on (userid, date-time, client IP address) as well as details of each access by the user (date-time of access, MRN of a patient, type of data that was accessed (demographics, orders, EKG, Lab, Discharge Summary, etc.) and kind of access (read, add, update, print, etc.)). The logs are kept locally for the last 7 days, but are also sent daily to the central audit log storage facility for long-term storage and correlation with other access.

DEVICE EXPOSURE

Servers that contain EPHI (within Institution): 1
Workstations that contain EPHI (within Institution): 3
Servers that contain EPHI (outside Institution): 1
Workstations that contain EPHI (outside Institution): 0
Biomedical devices that contain EPHI: 0
Total devices that contain EPHI: 5
All workstations, PDAs, etc. that access but do not store EPHI: 3
Total devices that store or access EPHI: 8

PROTECTION AGAINST MALICIOUS SOFTWARE

Protection Type | R: Required / D: Desirable | How implemented? | Userid/Name of the responsible person/group
Anti-virus, regular updates | R | Symantec Anti-virus 9.0 | CUBHIS
Anti-spyware, regular updates | R | CA PestPatrol | CUBHIS
Vulnerability checks | R | Workstations configured securely by CUBHIS | CUBHIS
Patching of security updates for the OS, database, etc. | R | Planned updates | CUBHIS
Special network firewalls | D | Internet Firewall | Core Resources
Local/personal firewalls | R | Use of Linux and XP SP2 local firewall | JOHNSMITH
Other checks | D | Tripwire for host integrity check | CUBHIS

ENCRYPTION AND INTEGRITY

Security Protection | Describe mechanism | Userid/Name of the responsible person/group
Encryption on EPHI transmission over the Internet | Ssh access, SSL-based Web server | JOHNSMITH
Encryption of EPHI storage in laptop/EPHI | Encrypting File System on Windows XP | JOHNSMITH
Sign on to access laptop/EPHI | Windows XP Signon, Palm and Blackberry Signon | JOHNSMITH

PHYSICAL SECURITY

Security consideration | Describe management | Userid/Name of the responsible person/group
Physical access to devices containing EPHI (door locks, computer locks, card access, etc.) | Servers are in a physically restricted area in the data center; access permitted to authorized personnel | CUBHIS
Environmental management of the location where these devices are placed (Humidity, Temperature, Dust, etc.) | These are controlled in the Data Center | CUBHIS
Types of passive media used for backup (tapes, disks), and its physical protection | These are controlled in the Data Center | CUBHIS
Types of passive media (CDs, DVDs, USB devices, Zip disks, etc.) used for information exchange, and their physical protection (locked cabinets, destruction, etc.) | CDs can be created to copy research data. CDs are managed by the research members. PDAs have sign-on protection, and have been registered with the Physical Security department | JOHNSMITH, Researchers
Disposal of devices and media when they are no longer required | Tapes are broken before disposal. | CUBHIS, JOHNSMITH

CONTINGENCY

Contingency plan considerations | Describe process in place, if applicable | Userid/Name of the responsible person/group
Is the asset used for ongoing patient care? | No |
If yes above, describe backup methods in place to address short-term unavailability | Not Applicable |
If yes above, describe end-user processes to address short-term unavailability of the asset | Not Applicable |
If yes above, describe disaster recovery methods in place to address long-term unavailability | Not Applicable |
If yes above, describe end-user processes to address long-term unavailability of the asset | Not Applicable |

EPHI EXCHANGE AND BUSINESS ASSOCIATE AGREEMENT

Description of transfer | Recv From (F) / Send To (T) / Access (A) | Partner asset name/description | Owner name and contact info | HIPAA covered? (Yes/No) | EPHI moves/transfers over Internet? (Yes/No) If yes, is the transfer encrypted? (Yes/No/Not Appl) | BA Agreement (Yes/No/Not Appl)
ADT Info | F | Eagle System, via EGate. | AM Brown, Finance, 212-305-9999 | Yes | No | NA
EKG Reports | F | GE Muse System, via EGate. | AM Jones, Medicine, 212-305-9999 | Yes | No | NA
EKG Reports and Traces | F | Other system at a satellite care facility | AM Rivera, Director, Satellite Facility, 212-305-9999 | Yes | Yes, Yes (SSL) | No (Research agreement, both are HIPAA covered)

TRAINING

Are there regular review and reinforcement of individual and team responsibilities towards EPHI privacy and security by the owner? (Yes/No) | Yes, discussed weekly by JOEBROWN

SECURITY INCIDENT REPORTING

Identify the person responsible for Security Incident Reporting | JOHNSMITH, JOEBROWN
Case 3. An MRI system

ASSET INFORMATION

Asset Name: Power MRI Imaging system
Asset Description: MRI machine with 3T Magnet and Spectra software
Owner Name: BM Jordan, Maura Jones
Owner Title and Dept: VP, Operations; Director, MRI Services
Owner Phone: 212-305-4433, 212-305-9989
Owner Email: bmj2@columbia.edu, mj204@columbia.edu
Custodian Name(s): PM Rich
Custodian Title and Dept: MRI Vendor
Custodian Phone(s): 212-222-7767
Custodian Email(s): rich@mrivendor.com
Date of submission: 4/1/2005
IRB Institution(s), if research:
Active IRB Number(s), if research:

AUTHENTICATION

User ID | User Name | Title/Dept
POWER | All users | This is a generic userid. The system is physically protected in a restricted area accessible to authorized users. The userid has a strong password, which is changed every 3 months or when a tech who knew the password leaves the institution, and is known only to the 12 users. Additionally, the system is protected by special network and host-level firewalls to protect against remote access. The vendor does not support individual userid accounts.

AUTHORIZATION

User ID | Asset function (Read/Update/All/Admin/etc.) | Role/Reason | Status (Active/Term) | Start date | End Date
POWER | All | Full access account | Active | 5/10/03 |

AUDIT LOGS

See Case 2.

DEVICE EXPOSURE

Servers that contain EPHI (within Institution): 2
Workstations that contain EPHI (within Institution): 3
Servers that contain EPHI (outside Institution): 0
Workstations that contain EPHI (outside Institution): 0
Biomedical devices that contain EPHI: 3
Total devices that contain EPHI: 8
All workstations, PDAs, etc. that access but do not store EPHI: 0
Total devices that store or access EPHI: 8

PROTECTION AGAINST MALICIOUS SOFTWARE

Protection Type | R: Required / D: Desirable | How implemented? | Userid/Name of the responsible person/group
Anti-virus, regular updates | R | None on devices and workstations – vendor non-support; Symantec AV on servers | CUBHIS
Anti-spyware, regular updates | R | None on devices and workstations – vendor non-support | -
Vulnerability checks | R | Devices scanned for vulnerability at install time | CUBHIS
Patching of security updates for the OS, database, etc. | R | Manual updates | Vendor
Special network firewalls | D | Internet Firewall, Medical device firewall at Allen | Core Resources
Local/personal firewalls | R | None on devices and workstations – vendor non-support | -
Other checks | D | None | -

ENCRYPTION AND INTEGRITY

Security Protection | Describe mechanism | Userid/Name of the responsible person/group
Encryption on EPHI transmission over the Internet | Site-to-Site VPN for system maintenance | CUBHIS, Vendor
Encryption of EPHI storage in laptop/EPHI | None |
Sign on to access laptop/EPHI | None |

PHYSICAL SECURITY

Security consideration | Describe management | Userid/Name of the responsible person/group
Physical access to devices containing EPHI (door locks, computer locks, card access, etc.) | Devices, workstations and servers are all together in a physically restricted area; access permitted only to operators and other authorized personnel | Maura Jones, Manager, MRI system
Environmental management of the location where these devices are placed (Humidity, Temperature, Dust, etc.) | These are controlled as medical device environmental issues | Maura Jones, Manager, MRI system
Types of passive media used for backup (tapes, disks), and its physical protection | Tapes are stored in the same room | Maura Jones, Manager, MRI system
Types of passive media (CDs, DVDs, USB devices, Zip disks, etc.) used for information exchange, and their physical protection (locked cabinets, destruction, etc.) | CDs can be created to copy images. CDs are carried away by the researchers. | Researchers
Disposal of devices and media when they are no longer required | Tapes are broken before disposal. Servers and workstations are on lease from the vendor. With assistance from the vendor, the disks are erased before disposal | Maura Jones, Manager, MRI system

CONTINGENCY

Contingency plan considerations | Describe process in place, if applicable | Userid/Name of the responsible person/group
Is the asset used for ongoing patient care? | Yes | Maura Jones
If yes above, describe backup methods in place to address short-term unavailability | The data in the system are copied to a separate PACS system | PACS group, Maura Jones
If yes above, describe end-user processes to address short-term unavailability of the asset | Patients are scheduled to other MRI machines | Maura Jones, Radiology operations group
If yes above, describe disaster recovery methods in place to address long-term unavailability | None |
If yes above, describe end-user processes to address long-term unavailability of the asset | Patients are scheduled to other MRI machines | Maura Jones, Radiology operations group

EPHI EXCHANGE AND BUSINESS ASSOCIATE AGREEMENT

Description of transfer | Recv From (F) / Send To (T) / Access (A) | Partner asset name/description | Owner name and contact info | HIPAA covered? (Yes/No) | EPHI moves/transfers over Internet? (Yes/No) If yes, is the transfer encrypted? (Yes/No/Not Appl) | BA Agreement (Yes/No/Not Appl)
Images | T | PACS system | PM Brown, Radiology, 212-305-9999 | Yes | No | NA
All data | A | MRI Vendor | PM Rich, Bo MRI Vendor, 212-222-7767 | | Yes, Yes | Yes

TRAINING

Are there regular review and reinforcement of individual and team responsibilities towards EPHI privacy and security by the owner? (Yes/No) | Yes, discussed monthly by Maura Jones

SECURITY INCIDENT REPORTING

Identify the person responsible for Security Incident Reporting | Maura Jones