EHR meaningful use security risk assessment sample document
Published in: Health & Medicine
Transcript of "EHR meaningful use security risk assessment sample document"

SAMPLE SECURITY RISK ASSESSMENT REPORT
January 29, 2014

This security risk assessment exercise has been performed to support the requirements of the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) and other applicable state data privacy laws and regulations.

Prepared for <Company Name>

Table of Contents
1. Executive Summary
2. Risk Assessment Approach
3. Scoping
4. System Characterization
5. Threat Statement
6. Risk Assessment Results
7. Summary

2, Davis Drive NC 27709 | ehr20.com | info@ehr20.com | 802-448 2255
EXECUTIVE SUMMARY

Under the HIPAA Privacy and Security Rules, business associates are required to perform active risk prevention and safeguarding of patient information that is essential to patient privacy. The HITECH Act allows only the minimum necessary information to be disclosed when handling protected health information (PHI). This security risk assessment exercise has been performed to support the requirements of the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) and other applicable state data privacy laws and regulations. Upon completion of this risk assessment, a detailed risk management plan needs to be developed based on the gaps identified in the risk analysis. The gaps identified and recommendations provided are based on the input provided by the staff, budget, scope and other practical considerations.

RISK ASSESSMENT APPROACH

Our risk assessment approach is expected to identify only reasonably anticipated threats or hazards to the security or integrity of electronic Protected Health Information ("ePHI"). Assessing risks is only a first step: the results of the risk assessment have to be used to develop and implement appropriate policies and procedures. IT, management and support representatives were interviewed in order to complete the risk assessment. Interviews, questionnaires and automated scanning tools were used to gather the information required for this security risk analysis. When mitigating significant risks, not all are equally important; take into account the cost of intervention and the business impact of a loss of confidentiality, integrity or availability of data.

SCOPING

Please refer to the ePHI inventory sheet for the complete list of system hardware, software and other applications that process electronic Protected Health Information (ePHI). The scoping exercise covers the systems, processes and applications in which ePHI data is created, shared, stored or transmitted.

SYSTEM CHARACTERIZATION

Systems are characterized, including hardware (server, router, switch), software (e.g., application, operating system, protocol), system interfaces (e.g., communication links), data, and users, based on ownership of the systems, ePHI processing and location of data.

THREAT STATEMENT

EHR 2.0 has conducted a risk assessment to determine the extent of the potential threat and the risk associated with IT systems owned or operated by Company Name. To determine the likelihood of a future adverse event, threats to ePHI handled by Company Name Inc. are analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT systems. EHR 2.0's assessment framework includes guidance from NIST, US-CERT and other authoritative sources, along with expertise from decades of experience in protecting IT systems and complying with several regulatory requirements, including PCI-DSS, SOX and HIPAA.

RISK ASSESSMENT RESULTS

Number of risk domains by status and rating (45 domains in total):

  Status                 High   Medium   Total
  Addressed                 9        1      10
  Not Addressed             5       10      15
  Partially Addressed      14        6      20
  Grand Total                               45

For a detailed list of observations, please review the risk analysis sheet. The key observations are:

1. Encryption of data at rest
   a. Desktop-based applications which could potentially store PHI data need to have at least an encrypted volume for storage.
2. Business continuity and disaster recovery planning
   a. Need to identify the key systems without which Company Name cannot provide service, and validate the plan by testing the backup.
3. Information access review and auditing
   a. Key system access needs to be reviewed periodically, including AD service accounts, and exception-based monitoring needs to be in place.
4. Network scanning
   a. It is good practice to continuously run basic vulnerability scanning of the network to make sure the network infrastructure is patched, ports are restricted, etc.
5. Administrative controls
   a. Background checks for employees.
   b. IT professionals administering data need to be provided more in-depth security and compliance training.
6. Information security policy
   a. Develop a comprehensive information security policy (master document).
   b. Develop simple, easy-to-use department-wise policies on information access, usage and sharing. This policy document needs to be used for training each department's employees handling ePHI.
7. Insurance
   a. Ensure any potential network breach, virus infection and regulatory fines are covered under your business general liability insurance, or cover them using specialty products such as Cyber Liability insurance.

Detailed line items are available in the risk analysis spreadsheet with specific next steps.

SUMMARY

Since cost, timeliness and ease of use are a few of the many important factors in managing the identified risks, Company Name should attempt to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. In addition, an active security risk management plan needs to be in place to handle evolving security threats.

Disclaimer: EHR 2.0 conducts the assessment and prepares recommendations based on point-in-time interaction with the customer's workforce and analysis of systems and existing processes. EHR 2.0 is not directly liable for any inaccuracies reported due to changes in processes, people and technology.
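Observation 3 asks for periodic review of key system access, including AD service accounts, with exception-based monitoring. The following is an added example of what such an exception report can look like in practice; it is not part of the EHR 2.0 report and not a tool the report recommends. The CSV rows are constructed for this illustration (the column names mirror common AD user attributes, but the accounts, groups and dates are invented), the "svc_" naming convention for service accounts and the "EHR_DBA" group are assumptions, and the 90-day staleness window is a chosen threshold, not one the report specifies.

```python
"""Exception-based access review over an exported account list.

Added example: the CSV rows below are constructed for this illustration, not a
real directory export. Column names mirror common AD user attributes
(sAMAccountName, Enabled, PasswordNeverExpires, LastLogonDate, MemberOf), but
the accounts, groups and dates are invented.
"""
import csv
import io
from datetime import datetime

# Groups whose membership is reviewed every cycle. "EHR_DBA" is a hypothetical
# application role used only in this example.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "EHR_DBA"}
STALE_DAYS = 90              # enabled account with no logon in this window
SERVICE_PREFIX = "svc_"      # naming convention assumed for service accounts

# Constructed export, not real data.
SAMPLE_EXPORT = """\
sAMAccountName,Enabled,PasswordNeverExpires,LastLogonDate,MemberOf,Description
jsmith,True,False,2014-01-20,EHR_Users,Front desk
svc_backup,True,True,2014-01-28,Domain Admins;Backup Operators,Backup service account
svc_labfeed,True,True,2013-06-01,EHR_Users,HL7 lab interface
rjones,True,False,2013-08-15,EHR_Users;EHR_DBA,Former contractor
tadmin,True,True,2014-01-27,Domain Admins,IT administrator
mold,False,False,2012-01-01,Domain Admins,Left company (disabled)
"""


def review_accounts(csv_text, as_of):
    """Return findings as (account, issue, detail) tuples, in export order.

    as_of is an ISO date string (YYYY-MM-DD) marking the review date, so the
    result is reproducible regardless of when the script is run.
    """
    review_date = datetime.strptime(as_of, "%Y-%m-%d")
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Enabled"] != "True":
            continue                                  # disabled: out of scope here
        name = row["sAMAccountName"]
        groups = {g for g in row["MemberOf"].split(";") if g}
        privileged = sorted(groups & PRIVILEGED_GROUPS)
        is_service = name.startswith(SERVICE_PREFIX)
        last_logon = datetime.strptime(row["LastLogonDate"], "%Y-%m-%d")
        idle_days = (review_date - last_logon).days

        # Service accounts in admin groups carry broad standing privilege,
        # usually with a non-expiring password; each needs a documented reason.
        if is_service and privileged:
            findings.append((name, "service-account-privileged", privileged))
        # Enabled but idle: a leaver, a forgotten interface, or an account
        # nobody owns. Worse when it still holds privileged group membership.
        if idle_days > STALE_DAYS:
            issue = "stale-privileged" if privileged else "stale-enabled"
            findings.append((name, issue, idle_days))
        # Interactive (non-service) accounts are expected to rotate passwords.
        if not is_service and row["PasswordNeverExpires"] == "True":
            findings.append((name, "password-never-expires", None))
    return findings


if __name__ == "__main__":
    for account, issue, detail in review_accounts(SAMPLE_EXPORT, "2014-01-29"):
        print(f"{account:<14} {issue:<28} {detail if detail is not None else ''}")
```

Run against the sample export with the report date (2014-01-29), the review flags the backup service account sitting in Domain Admins, the lab interface account that has not logged on in 242 days, the former contractor's account that is both idle and still in an application admin group, and the administrator with a non-expiring password; the front-desk user and the disabled leaver produce no line. The point of fixing as_of is that each review cycle's output can be filed next to the risk analysis sheet and compared with the previous one.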
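Observation 4 recommends continuous basic vulnerability scanning so that the infrastructure stays patched and ports stay restricted. The "ports restricted" half is only meaningful against an expected-exposure baseline, which is what the ePHI inventory sheet should supply. The following is an added example, not part of the EHR 2.0 report and not a tool it names: BASELINE is a hypothetical per-host allowlist of listening TCP ports, and SAMPLE_NMAP_XML is a constructed fragment in the shape of `nmap -oX` output rather than a capture from any real network. The hosts, addresses and services are invented.

```python
"""Baseline check over nmap XML output for the "ports restricted" part of the
network scanning observation.

Added example: BASELINE is a hypothetical expected-exposure list of the kind the
ePHI inventory sheet would feed, and SAMPLE_NMAP_XML is a constructed fragment in
the shape of `nmap -oX` output, not a capture from any real network.
"""
import xml.etree.ElementTree as ET

# Expected listening TCP ports per in-scope host (hypothetical hosts and ports).
BASELINE = {
    "10.10.1.5": {443},    # EHR web front end: HTTPS only
    "10.10.1.6": {1433},   # EHR database: SQL Server from the app tier
    "10.10.1.7": {22},     # backup host: SSH only
}

# Constructed scan output, not a real capture.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" start="1390953600">
  <host><status state="up"/><address addr="10.10.1.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.10.1.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.10.1.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports></host>
  <host><status state="down"/><address addr="10.10.1.8" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="10.10.1.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
    </ports></host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return {ipv4: {open TCP ports}} for every host nmap reported as up."""
    observed = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if (port.get("protocol") == "tcp" and state is not None
                    and state.get("state") == "open"):
                ports.add(int(port.get("portid")))
        observed[addr.get("addr")] = ports
    return observed


def compare_to_baseline(observed, baseline):
    """Findings as (ip, issue, ports), ordered by IP.

    A host absent from the baseline is itself a finding: it is either missing
    from the ePHI inventory or should not be on the segment at all. An expected
    port that is no longer open is reported too, because the scan doubles as a
    check that the inventory still matches reality.
    """
    findings = []
    for ip in sorted(observed):
        ports = observed[ip]
        if ip not in baseline:
            findings.append((ip, "unknown-host", sorted(ports)))
            continue
        unexpected = sorted(ports - baseline[ip])
        missing = sorted(baseline[ip] - ports)
        if unexpected:
            findings.append((ip, "unexpected-open", unexpected))
        if missing:
            findings.append((ip, "expected-missing", missing))
    # Inventory hosts the scan never saw as up: retired, moved, or blocked.
    for ip in sorted(set(baseline) - set(observed)):
        findings.append((ip, "not-seen", sorted(baseline[ip])))
    return findings


if __name__ == "__main__":
    for ip, issue, ports in compare_to_baseline(parse_open_ports(SAMPLE_NMAP_XML), BASELINE):
        print(f"{ip:<12} {issue:<16} {ports}")
```

On the constructed sample the check reports RDP (3389) exposed on the web front end, SMB (445) on the backup host, and an unlisted host answering on FTP; the database host matches its baseline and produces no line. In a real deployment the XML comes from a scheduled `nmap -oX` run and BASELINE from the inventory sheet, and the useful output is the diff between runs rather than the full list, which is the exception-based monitoring the report asks for elsewhere.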
