3. HIPAA Remediation Project
NOTICE
This is a scholarly paper that is published to further the art of compliance with the
HIPAA Security Rule. It is a sample project charter, which is a high level document
designed to articulate the components of a project.
There is no warranty (implied or expressed) provided with this information. Readers
may use this information at their own risk. This document should not be construed as
legal advice.
Non-legal advice 11/7/14 Page 3
Security Management Governance
Security Management Process § 164.308(a)(1)
Implement policies and procedures to prevent, detect, contain and correct security violations.
The Institution XYZ HIPAA Remediation Project identified the need to strengthen
Information Technology (I.T.) Governance.
I.T. Security Governance addresses the effective application and regulation of I.T.
systems through the implementation of best practices to mitigate security and privacy
risks.
The International Standards Organization (ISO) 27001 and 27002 models provide an
adequate framework to implement an I.T. Security Governance model at XYZ.
ISO 27001/2 is a leading industry best practices approach to information security,
compliance management and risk management.
ISO 27001/2 provides a framework of principles to use when evaluating, directing and
monitoring the security and privacy protection of I.T. resources at XYZ.
Objectives
The primary objective of the XYZ I.T. Security Governance framework is to promote the
effective, efficient, and the acceptable use of I.T. resources to promote security and
privacy protection. Additionally it shall:
• Provide assurance to stakeholders that, if the governance framework
is followed, they can have increased confidence in the ability of XYZ to
adequately protect data entrusted to the company.
• Provide the basis for objective evaluation of the corporate information
security protection program.
• Establish clearly understood responsibilities for stakeholders touched
by the security governance framework.
• Help ensure that I.T. practices conform to regulatory requirements
for information security and privacy protection.
• Govern the use of regulatory-protected data throughout the
organization.
Implementation of the Security Governance framework
The ISO 27001/2 framework shall be simultaneously implemented during the
remediation of findings and gaps as part of the HIPAA Remediation Project. In this
context, the implementation of ISO 27001/2 is a major sub-project of the Remediation
Project.
Deployment of ISO 27001/2 will help facilitate the structuring of security-centric policies
and procedures that will be created to remediate risks to information security.
The roll-out of ISO 27001/2 is synchronized with the remediation of audit findings and
gaps (HIPAA Remediation Project) as the implementation of this security governance
framework is a major remediation activity to address findings/gaps related to security
management at XYZ.
It is understood at the onset that there are various levels of maturity and process
improvement at the organization.
There may be bottom-up policy development activities that incorporate current
procedures and guidelines already in use within the organization.
End-state of the Security Governance framework
The goal of the ISO 27001/2 implementation is to develop various policies, processes,
and control structures to safely access, modify, move and store sensitive information.
At the end of the implementation cycle, there shall be adequate evidence to
demonstrate to third party auditors that:
• Sensitive information is protected from unauthorized access.
• Development of relevant risk management plans and processes has
taken place.
• Relevant risks to security management have been addressed and/or
mitigated (remediation, or in the alternative Corrective Action Plans are
in place to address the risk).
• Relevant high-level policies that help create a control environment and
provide guidance for stakeholders are in-place.
• Guidance directs stakeholders how to implement appropriate I.T.
controls.
Roles and Responsibilities
The Corporate Privacy and Security Officer (PSO) shall implement the I.T. Security
Governance framework by acting as a conduit between senior management and I.T.
engineering workforce members. This is a coordination position that requires an overall
view of all P&S activities in-place or planned for the enterprise.
The Chief Information Security Officer (CISO) shall participate in policy reviews and
compliance audits to assist the PSO in preparing packages to demonstrate compliance
with relevant I.T. Privacy and Security Rules. Additionally, the CISO will promulgate
relevant policies and procedures to the workforce in his/her department for
implementation and solicit cooperation with compliance audits.
The General Counsel shall provide over-arching consultation and advice with regards
to programmatic impacts on the organization and the current requirements for legal,
governance and oversight requirements. The General Counsel may become intimately
involved in some policy implementation, such as: Data Breach Notification, Incident
Response Policy, etc.
The Director of Human Resources shall provide a method of publishing and
promulgating those workforce security policies that apply to the general I.T. user
community. This includes issues related to security awareness training, HIPAA
awareness training, Acceptable User Policies, Sanction Policies, etc.
Management’s Intent
Senior management is committed to the effective implementation of a standards-based
I.T. Security Governance framework. The program described within this document is
aligned with business strategy and objectives as the company is a Business Associate
and as such must demonstrate compliance to the HIPAA Privacy & Security Rules.
Senior management understands that the organization needs a control environment for
identifying, assessing and controlling risks facing the organization.
Risk Management Framework
Risk Analysis § 164.308(a)(1)(ii)(A)
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the
confidentiality, integrity, and availability of electronic protected health information held by the
covered entity. REQUIRED
Risk Management § 164.308(a)(1)(ii)(B)
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and
appropriate level to comply with §164.306(a). REQUIRED
The risk management processes and policies should align with the present (and
dynamic) objectives and processes of XYZ. The goal is to integrate the risk
management activities within the Security Management Framework. Risk management
planning should incorporate existing policies and procedures – where appropriate – and
relevant policies and procedures should be modified to align with the risk management
framework. Where possible, senior management of XYZ should monitor and approve
risk management activities.
Risk management is linked to business process, as it is the goal of risk management to
protect information assets developed by those processes.
Objectives
It is necessary to ascertain the XYZ appetite for risk to effectively fashion a risk
management program. Acceptable risk levels need to be defined to understand the risk
culture (how much risk will be tolerated to accomplish business objectives). External
and internal impacts to risk should be evaluated; for instance:
External risk environment:
• Regulatory requirements (HIPAA); and,
• Risk of litigation (duty of care); and,
• Data breach consequences (reputational damage)
Internal risk environment:
• Security of infrastructure and assets; and,
• Culture of compliance and controls (ISO 27001/2)
Risk management is the authorizing of the effective design and implementation of
controls to monitor and assess risk.
Risk assessment is the process of prioritizing risks based upon impact to the organization.
Risk analysis is the process of coalescing vulnerabilities, threats, probability and impact.
Incident Response and Management
The Institution XYZ HIPAA risk assessment identified the need to strengthen the
governance of incident response and management and to improve operational capabilities.
This type of capability is addressed in the HIPAA Security Rule; quoting in relevant part:
“42 C.F.R. § 164.308(a)(6)(i) Administrative safeguards – Standard: Security incident
procedures
(a) A covered entity must, in accordance with § 164.306:
(6)(i) Standard: Security incident procedures. Implement policies and procedures to
address security incidents.
(ii) Implementation specification: Response and Reporting (Required).
Identify and respond to suspected or known security incidents; mitigate, to the extent
practicable, harmful effects of security incidents that are known to the covered entity;
and document security incidents and their outcomes.”
In general terms, incident management addresses the managerial, technical and
administrative responses to a cyber incident, which can include:
• Stolen or lost laptops, tablets (e.g. Nexus 7) or iPhones/Androids
• Injection of a malware or virus infection in the enterprise
• Security/data breaches, cyber abuses, etc.
• Hacking attacks, such as Denial of Service (DoS) attacks
Incident management is a multi-disciplinary approach to cyber incidents, as incidents
may involve legal issues, technical issues, customer service issues, reputational issues,
etc.
Incident management and response capabilities include:
• Procedures to follow when an incident is detected
• Phased approach: planning, detecting, handling, recording &
evaluating
• Escalation procedures (legal, human resources, owners, etc.)
• Evidence collection, storage and archival
• Policies and procedures to guide personnel when security
has been penetrated
The development of an incident response/management (IR/M) policy and capability is
needed to accomplish the following:
• Secure systems after the incident
• Secure evidence that can be used to prosecute bad “actors”
• Take measures to prevent a re-occurrence of the incident
• Provide appropriate training across cooperating departments
Developing IR/M capabilities
IR/M capabilities can be broken down into four main categories:
• Planning and preparation (developing system resiliency)
• Detection and analysis (communicate with relevant stakeholders)
• Containment, eradication, and recovery (removing threats)
• Post-incident activity (analysis, improvement plan)
Planning and Preparation
The development of defined procedures for effectively dealing with and prioritizing
incidents is needed. Defining actions to be taken, and assigning roles to appropriate
parties, will discourage panic-driven and ad hoc “helter-skelter” responses during an
actual incident. Well-documented procedures should be readily available to team
members in the event a team lead is unavailable to function as part of the IR/M team.
Detection and Analysis
Ascertaining the extent of damage will need to be accomplished in a confidential
manner. Policies need to establish a level of confidentiality as to operations.
Embarrassing information can be discovered during IR/M and may need to be kept
confidential; e.g. avoiding “tipping off” an individual under investigation. Additionally, the
possibility of law enforcement involvement exists and could expand the incident. Again,
this speaks to the need of confidentiality of operations.
Containment, eradication, and recovery
Returning the compromised system back to a secure state is an objective that should be
balanced with the need to collect evidence and ascertain damages. The extent of loss
or damage that has occurred should be quantified and documented. Possible damage
that could still occur should be noted. Options should be investigated, such as:
investigation of causes and specifics; containment by allowing the incident to proceed while
documenting evidence; use of hot-swap systems to restore full functionality of a system;
prevention of further problems with the immediate deployment of countermeasures (which
will most likely destroy evidence); etc.
After Action Report (Documentation)
Policies should dictate the creation of reports that describe what actions were taken
during the incident. Actions should be discussed as to appropriateness and their
success in mitigating the incident. Improvement Plans (IP) can suggest corrective
actions to avoid a repeat of these circumstances.
Enterprise Vulnerability Assessments
The Institution XYZ HIPAA risk assessment identified the need to strengthen the
governance and justification of infrastructure vulnerability scanning.
System vulnerabilities can be exploited by compromising security controls to gain
unauthorized or inappropriate access to system resources, breaching electronic
protected health information (e/PHI).
The downstream consequences of a system exploit (penetration) and an e/PHI data
breach can cause reputational damage, business loss, loss of revenues and invite
lawsuits.
It is worth noting that individuals with extraordinary computing skills are actively seeking
out e/PHI in a malicious and destructive manner. In this sense, XYZ is defending itself
against organized crime gang activity and cyber terrorists (see cyber ransom activities).
External threats have industrialized the exploitation of system vulnerabilities with the use of
network scanning tools, port mappers and vulnerability scanners to collect information as
to vulnerabilities in XYZ systems, which is then extracted for use in the design of an
attack or exploit.
The end goal of the attacker is to gain access into the computing environment, whether via
the operating system, the application layer or the network.
At the time of this writing application-layer vulnerability scanning has taken place on two
web applications for a yearly subscription cost of $10,000/application ($20,000 in sum).
However, no scanning or pen-testing is undertaken for internal systems (“behind” the
firewall), which may be the most vulnerable components that could cause the most
damage to the organization (in the case of a virus outbreak that destroys e/PHI).
System vulnerability assessments and penetration testing
Vulnerability assessments focus on the discovery of the vulnerabilities in a particular
stand-alone information system.
Penetration testing is an approach that uses a vulnerability assessment to attempt a
successful exploit of the vulnerability against the system, acting as a mock attacker.
Vulnerability scanning and penetration testing (pen-testing) are industry best practices
that document vulnerabilities (that could be exploited) within network infrastructure,
servers, host platforms, web sites, application code, etc. Although it is considered an
industry best practice, the HIPAA Security Rule does not specifically call out vulnerability
scanning, per se.
The Office of Civil Rights (OCR) has provided supplemental guidance on this issue in
the form of a memo, entitled HIPAA Security Standards: Guidance on Risk Analysis
(dated May 7, 2010); citing in relevant part:
“...Organizations must identify and document reasonably anticipated threats to e-PHI.
(See 45 C.F.R. 164.306(a)(2) and 164.316(b)(1)(ii).) Organizations may identify different
threats that are unique to the circumstances of their environment. Organizations must
also identify and document vulnerabilities which, if triggered or exploited by a threat,
would create a risk of inappropriate access to or disclosure of e-PHI. (See 45 C.F.R.
164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)” [emphasis added]
Additionally, 45 C.F.R. § 164.308(a)(8) requires a technical evaluation of risks; quoting
in relevant part:
“...Perform a periodic technical and nontechnical evaluation, based initially upon the
standards implemented under this rule and subsequently, in response to environmental
or operations changes affecting the security of electronic protected health information,
that establishes the extent to which an entity’s security policies and procedures meet
the requirements of this subpart [the Security Rule].”
Objectives of a testing program
The primary objectives of an XYZ I.T. vulnerability assessment/penetration testing program
should be to:
• Identify vulnerabilities that would allow individuals to gain unauthorized
access to systems
• Test organizational security configuration settings and parameters.
• Demonstrate to external parties that vulnerabilities are identified, the
impact of a threat to exploit the vulnerability has been measured and
suitable countermeasures have been considered to mitigate the risk of
exploit.
• Assist in making the organization more proactive in preventing possible
security incidents.
The development of a vulnerability scanning and penetration testing program should be
a long-term goal for XYZ. Such testing assesses the security model of the organization
as a whole. It reveals the real consequences of an attacker “breaking into” the network.
Business justifications for such a capability include:
• Reduces XYZ’s expenditure on I.T. security-related investments by
directing security remediation only where it is needed most.
• Supports compliance with the HIPAA Security Rule.
• Helps in the evaluation of network security devices, such as firewalls,
routers and web servers.
• External pen-testing will help protect public-facing web sites and
internal pen-testing will help close system vulnerabilities (internal pen-testing
provides an analysis of threats and risks that lie within the
organization).
Types of testing tools and capabilities
• There are various open source (free) testing applications and
software that can be utilized to conduct such testing, covering for example:
network mapping, Operating System (O/S) fingerprinting, spoofing
attempts, network sniffing, Trojan attacks, password cracking, etc.
• Proper planning, test design, scheduling and documentation are
required to adequately conduct such tests.
Business Impact Assessments
The Institution XYZ HIPAA Remediation Project identified the need to strengthen and
develop business continuity planning (BCP). Contingency planning is a requirement of
the HIPAA Security Rule and requires five sub-plans:
• Data backup plan
• Disaster recovery plan
• Emergency mode operation plan
• Testing and revision procedures
• Application and data criticality analysis (Business Impact Analysis
(BIA)).
Business continuity is the overarching planning activity that addresses downtime of
corporate operations and proposes corrective measures. Downtime costs refer to the
costs incurred as a result of the impact or disruptions (hours, days, weeks).
Corrective action costs include those costs associated with continuity planning and
activation of the plan.
Objectives
Define and refine cross-departmental and inter-disciplinary interactions that support
recovery operations during a business outage or during disaster recovery. Plans should
develop – through progressive elaboration – specifics to address downtime and
recovery operations designed to reduce costs. Tangible goals of this project phase
include:
• Complete a BIA to annualize loss expectancy of critical, vital, sensitive
and non-sensitive business systems and processes.
o Critical systems cannot be replaced with manual alternative
o Vital processes can be carried out manually for a short period
o Sensitive functions can be carried out manually for an extended
period of time
o Non-sensitive functions can be down without significant impact
• Define all pertinent stakeholders and team members who will
participate in recovery operations.
• Define circumstances under which disasters may be declared.
• Define mobilization and evacuation procedures.
• Define testing procedures to test plans.
• Define resources required for recovery operations.
• Develop an Incident Management/Response Plan.
Roles and responsibilities will be developed to outline stakeholder expectations and
duties during disaster recovery operations. This is an organizational-wide effort to
facilitate and coordinate the inter-play between relevant departments and organizations.
Composition of Business Continuity Plan
The BCP shall address the following key areas:
• Goals of each phase of the recovery process.
• Available resources, to include employees responsible for performing
the required tasks.
• Outline of alternate facilities required to perform certain operations.
• Identify critical information resources required to continue operations.
• Contact diagram, or phone tree, that provides stakeholder contact info.
• Key business associate contacts (such as utilities, Internet providers,
software vendors, recovery facilities, insurance contacts, etc.).
• Address insurance coverage (business interruption).
• Storage and recovery of important documents and records.
End-state of the BCP process
At the end of the implementation project cycle, there shall be adequate evidence to
demonstrate to third party auditors that:
• Contingency Planning Policies are in development and maturing.
• Business Impact Analysis is near completion or completed.
• Preliminary preventive measures have been identified.
• Recovery Strategy is under development or completed.
• Data Backup Plan and Disaster Recovery Plan are completed and
tested.
• Emergency Mode Operations plan is under development or completed.
• Testing and revision procedures are in place to provide governance
over the BCP process and sub-plans.
Human Resources
The Institution XYZ HIPAA Remediation Project identified the need to strengthen the
interaction and involvement of the Human Resources (HR) department with I.T. Security
Governance.
Objectives
Effective HR management impacts and influences the functions of Information
Technology (I.T.) operations both directly and indirectly. HR functions that can be embedded
within the I.T. Security Governance framework include:
• Selection and on-boarding processes support workforce clearance with
background and reference checks, which becomes a clearance
process to verify responsible access to electronic Protected Health
Information (ePHI).
• Training activities and coordination can support the need for initial
workforce ePHI privacy and security protection awareness and on-going
training requirements.
• Establishing key business guidelines, acceptable behavior policies and
other such standards that support proper workforce usage of ePHI.
• Provisioning of facility access control cards with appropriate data of the
employee.
• Code of Conduct policies and standards delivered to employees that
describe sanction policies and emergency procedures.
• Providing an impartial forum to assess potential employee non-compliance
with standards and guidelines designed to protect PHI.
In sum, HR has the ability to support and reinforce the I.T. Security Governance
framework. Effective and strong HR performance in their duties and responsibilities
helps ensure that the information security and governance posture at XYZ will be just as
robust.
HR Support to the I.T. Security Governance framework
Sanction Policy. HR should serve as the lead department to successfully implement
the Sanction Policy, or Workforce Security Policy. Such a policy will address
consequences for the inappropriate access to, modification of, deletion of, or theft of
e/PHI.
Security Awareness and Training. HR shall coordinate the development of materials
and training schedules with the objective to increase understanding and awareness of
the importance of information security. Such training should make the workforce aware of
new trends in threats to the e/PHI entrusted to the organization.
Use of Subcontractors. HR should ensure that contingency staff augmentation
workforce members comply with the standards created for the entire workforce (e.g.
ePHI security and privacy standards). Additionally, HR should review business
associate agreements for language regarding information technology awareness
training requirements.
Termination Procedures. HR needs to be aware of the technical processes required
to perform routine and emergency termination of a workforce member. User accounts,
access cards, configurations in I.T. servers, etc. should all be appropriately terminated
and documented. This will require coordination with the I.T. staff.
Assigned Security Responsibility. HR shall record and store memorandums and
documents that describe the duties and responsibilities of the designated Privacy and
Security Officer (PSO).
Workforce Clearance. HR shall review staff member backgrounds and credentials as part of
the normal hiring process. This includes criminal background and reference checks.
Proper Workstation Use. HR shall promulgate policies and guidelines related to
appropriate use of workstations, desktops, laptops, etc. This includes reminders that
workforce members with access to e/PHI should limit exposure of the workstation to
others or the public. This also includes using screen lockers when leaving the
workstation unattended and physical security of the workstation.
End-state of HR to the Support Security Governance framework
At the end of the implementation project cycle, there shall be adequate evidence to
demonstrate to third party auditors that:
• HR has implemented workforce clearance procedures to verify
individual backgrounds and need for e/PHI access.
• HR has designed and/or initiated a quarterly information security
awareness training session to keep the workforce informed of
technology threats and trends.
• HR has implemented and/or planned to implement comprehensive
termination procedures that coordinate the termination of all
appropriate user access accounts with I.T. services, as verified by
operational evidence in employee records.
• HR has ensured that subcontractor personnel have received
information security awareness training and understand the need to
protect e/PHI, as documented by operational evidence in a personnel
file.
• HR has implemented a Sanction Policy or Workforce Security Policy to educate the
workforce concerning the consequences of misusing e/PHI.