Inventory Assets (Preparation)

Columns: Asset Type | Does this asset process, store or transmit EPHI? | People/Process or Technology Asset?
(The inventory is blank in the template; one row is completed per asset.)

Screening Questions (Step 1)

Columns: Topic | Question | Response | Threat Vulnerability Statement | Notes/Comments
(Response and Notes/Comments are left blank in the template and are filled in during the assessment.)

1. Security Program

1.1 Roles & Responsibilities
Question: [1.1] Has your organization formally appointed a central point of contact for security coordination?
  a) If so, who is it, and what is their position within the organization?
Threat Vulnerability Statement: Management has not defined responsibilities for the information security program. [TVS001]

1.2 External Parties
Question: [1.2] Do you work with third parties, such as IT service providers, that have access to your patients' information?
  a) Does your organization have Business Associate agreements in place with these third parties?
  b) If not, what controls does your organization have in place to monitor and assess third parties?
Threat Vulnerability Statement: Security breaches occur when dealing with third parties due to a lack of security considerations in the related third party agreement. [TVS002]

2. Security Policy

2.1 Information Security Policy & Procedures
Question: [2.1] Do you have documented information security policies and procedures?
  a) Do you have a formal information classification procedure? Please describe it. In particular, how would patient data be categorized (for example, critical, essential, or normal)?
  b) Have formal acceptable use rules been established for assets (for example, data assets, computer equipment, and communications equipment)?
  c) Do you have formal processes in place for security policy maintenance and deviation?
Threat Vulnerability Statement: Management does not set a clear policy direction in line with business objectives or demonstrate support for, and commitment to, information security. [TVS003]

3. Risk Management & Compliance

3.1 Risk Assessment
Question: [3.1] Do you have a process that addresses the identification and measurement of potential risks, mitigating controls (measures taken to reduce risk), and the acceptance or transfer (for example, through insurance policies or warranties) of the remaining (residual) risk after mitigation steps have been applied?
Threat Vulnerability Statement: Information about risks and related control options is not presented to management before management decisions are made. [TVS004]

3.2 Compliance with Legal Requirements - Identification of Applicable Legislation
Question: [3.2] Does a process exist to identify new laws and regulations with IT security implications (e.g., new state breach notification requirements)?
Threat Vulnerability Statement: Legislative, statutory, regulatory or contractual obligations related to security are violated due to a lack of controls. [TVS005]

4. Training & Awareness

4.1 During Employment - Training, Education & Awareness
Question: [4.1] Have your employees been provided formal information security training? Have policies been communicated to your employees? Are periodic security reminders provided?
Threat Vulnerability Statement: Applications and technology solutions are not correctly and securely used because a training curriculum for employees has not been established or regularly updated. [TVS006]

5. Personnel Security

5.1 Background Checks
Question: [5.1] Does your organization perform background checks to examine and assess an employee's or contractor's work and criminal history?
Threat Vulnerability Statement: Background verification checks are not carried out, and management is not aware of the academic, professional, credit or criminal backgrounds of employees. [TVS007]

5.2 Prior to Employment - Terms and Conditions of Employment
Question: [5.2] Are your employees required to sign a non-disclosure agreement? If so, are employees required to sign the non-disclosure agreement annually?
Threat Vulnerability Statement: Employees or contractors do not agree to or sign the terms and conditions of employment. [TVS008]

5.3 Termination or Change in Employment
Question: [5.3] Do you have a formal process to manage the termination and/or transfer of employees?
Threat Vulnerability Statement: Employee, contractor or third party user terminations or changes of responsibilities could result in a security breach due to the lack of a defined management process for terminations or changes in responsibilities. [TVS009]

6. Physical Security

6.1 Secure Areas
Question: [6.1] Do you have effective physical access controls (e.g., door locks) in place that prevent unauthorized access to facilities, and a facility security plan?
  a) Are there plans in place to handle/manage contingent events or circumstances (e.g., what if the person with the key to the server room is sick)?
  b) Is there a facility security plan?
  c) How are physical access controls authorized (who is responsible for ensuring that only appropriate persons have keys or codes to the facility and to locations within the facility with ePHI)?
  d) Are there policies and procedures to document repairs and modifications to physical components of the facility that are related to security?
Threat Vulnerability Statement: Unauthorized parties gain physical access to facilities due to insufficient physical entry/exit controls. [TVS010]

7. Network Security

7.1 Application and Information Access Control - Sensitive System Isolation
Question: [7.1] Describe your network configuration. Has your IT vendor provided information regarding how your Electronic Health Record (EHR) system is protected?
  a) Are systems and networks that host, process and/or transfer sensitive information protected (isolated or separated) from other systems and/or networks?
  b) Are internal and external networks separated by firewalls with access policies and rules?
  c) Is there a standard approach for protecting network devices to prevent unauthorized access, network-related attacks and data theft?
Threat Vulnerability Statement: Sensitive systems co-located with less sensitive systems are accessed by unauthorized parties. [TVS011]

7.2 Encryption
Question: [7.2] Is sensitive information transferred to external recipients? If so, are controls in place to protect sensitive information when it is transferred (e.g., with encryption)?
Threat Vulnerability Statement: Information involved in electronic messaging is compromised. [TVS012]

7.3 Vulnerability Assessment
Question: [7.3] How often do you perform periodic vulnerability scans on your information technology systems, networks and supporting security systems?
Threat Vulnerability Statement: Technical vulnerabilities are exploited to gain inappropriate or unauthorized access to information systems due to the lack of controls for those vulnerabilities. [TVS013]

7.4 Monitoring
Question: [7.4] Are third party connections to your network monitored and reviewed to confirm authorized access and appropriate usage?
Threat Vulnerability Statement: Unauthorized access is given to information over third party connections. [TVS014]

8. Logical Access

8.1 Identity & Access Management
Question: [8.1] Do you have a formal access authorization process based on 'least privilege' (employees are granted the least amount of access possible in order to perform their assigned duties) and 'need to know' (access permissions are granted based upon the legitimate business need of the user to access the information)?
  a) How are systems and applications configured to restrict access only to authorized individuals?
  b) Is there a list maintained of authorized users with access (administrative access) to operating systems?
  c) Does a list of 'accepted mobile devices' (e.g., smart phones, cell phones) exist based on testing?
  d) Is sensitive information (e.g., social security numbers) removed from, or encrypted within, documents and/or websites before it is distributed?
  e) Is software installation restricted for desktops, laptops and servers?
  f) Is access to application source code restricted? If so, how? Is a list of authorized users maintained?
Threat Vulnerability Statement: Unauthorized access is gained to information systems. [TVS015]

8.2 Identity Management
Question: [8.2] Are user IDs for your system uniquely identifiable?
Threat Vulnerability Statement: Unauthorized users are able to gain access to operating systems by claiming to be an authorized user. [TVS016]

8.3 Entitlement Reviews
Question: [8.3] Do you have a process to review user accounts and related access?
Threat Vulnerability Statement: Users that no longer have a business need for information systems access still have access to the information. [TVS017]

9. Operations Management

9.1 Antivirus
Question: [9.1] Has antivirus software been deployed and installed on your computers and supporting systems (e.g., desktops, servers and gateways)?
Threat Vulnerability Statement: Systems and data are exposed to malicious software and/or unauthorized use. [TVS018]

9.2 Security Monitoring
Question: [9.2] Are systems and networks monitored for security events? If so, please describe this monitoring.
Threat Vulnerability Statement: Unauthorized information processing activities occur undetected due to the lack of consistent logging and monitoring activities. [TVS019]

9.3 Media Handling
Question: [9.3] Do procedures exist to protect documents and computer media (e.g., tapes, disks, CD-ROMs) from unauthorized disclosure, modification, removal, and destruction? Is sensitive data encrypted when stored on laptop, desktop and server hard drives, flash drives, backup tapes, etc.?
Threat Vulnerability Statement: Media (e.g., documents, computer media such as tapes and disks, input/output data, system documentation) are compromised by unauthorized parties due to ineffective handling procedures. [TVS020]

9.4 Secure Disposal
Question: [9.4] Are there security procedures for the decommissioning (replacement) of IT equipment and IT storage devices which contain or process sensitive information?
Threat Vulnerability Statement: Unauthorized parties access data from discarded media. [TVS021]

9.5 Segregation of Computing Environment
Question: [9.5] Are development and test environments separated from the production (operational, actively used) IT environment to protect production applications from inadvertent changes or disruption?
Threat Vulnerability Statement: The production environment is impacted due to the lack of separation between development and production environments. [TVS022]

9.6 Segregation of Duties
Question: [9.6] Are duties separated, where appropriate, to reduce the opportunity for unauthorized modification, unintentional modification or misuse of the organization's IT assets?
Threat Vulnerability Statement: The integrity of a business process is compromised due to the lack of segregation of duties (e.g., maker and checker). [TVS023]

9.7 Change Management
Question: [9.7] Do formal change management procedures exist for networks, systems, desktops, software releases, deployments, and software vulnerability (e.g., virus or spyware) patching activities?
Threat Vulnerability Statement: The change management process in place does not adequately protect the environment from disruptive changes in production. [TVS024]

10. Incident Management

10.1 Process & Procedures
Question: [10.1] How do you identify, respond to and mitigate suspected or known security incidents?
  a) During the investigation of a security incident, is evidence properly collected and maintained?
  b) Are incidents identified, investigated, and reported according to applicable legal requirements?
  c) How are incidents escalated and communicated?
Threat Vulnerability Statement: Security incidents are not managed with a consistent and effective approach. [TVS025]

11. Business Continuity Management

11.1 Disaster Recovery Plan & Backups
Question: [11.1] Do you have a mechanism to back up critical IT systems and sensitive data? Does a Disaster Recovery plan exist for the organization, and does it consider interruption to, or failure of, critical IT systems?
  a) Have you had to restore files after a systems outage?
  b) If not, has the backup and restoration process been tested?
  c) Are disaster recovery plans updated at least annually?
Threat Vulnerability Statement: Information systems cannot be recovered due to a lack of written disaster recovery plans. [TVS026]

People and Processes (Step 2a)

Columns (Perform Control Analysis): Asset Management Category | Threat-Vulnerability Statement | Recommended Control Measures | Existing Control | Existing Control Effectiveness
Columns (Exposure): Exposure Potential
Columns (Assess Risk): Likelihood | Impact | Risk Rating
(The Existing Control, Existing Control Effectiveness, Exposure Potential, Likelihood, Impact and Risk Rating columns are left blank in the template and are filled in during the assessment.)

Security Program
  Threat-Vulnerability Statement: Management has not defined responsibilities for the information security program. [TVS001]
  Recommended Control Measures: All information security responsibilities are clearly documented. This is to ensure timely, safe and effective handling of all situations, including the administration of user accounts (additions, deletions, and modifications). [RCM001]

Security Program
  Threat-Vulnerability Statement: Security breaches occur when dealing with third parties due to a lack of security considerations in the related third party agreement. [TVS002]
  Recommended Control Measures: Agreements with third parties, such as IT vendors, which involve accessing, processing, communicating with or managing the organization's information or information processing facilities, or adding products or services to information processing facilities, cover all relevant security requirements. Contracts between business associates and covered entities address administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of information. [RCM002]

Security Policy
  Threat-Vulnerability Statement: Management does not set a clear policy direction in line with business objectives or demonstrate support for, and commitment to, information security. [TVS003]
  Recommended Control Measures: An information security policy is approved by management in accordance with business requirements and all relevant laws and regulations. [RCM003]

Risk Management & Compliance
  Threat-Vulnerability Statement: Information about risks and related control options is not presented to management before management decisions are made. [TVS004]
  Recommended Control Measures: Risk assessments are conducted to identify, quantify, prioritize and manage risks. Prioritization is accomplished by creating and using criteria for risk acceptance and objectives that are important to the organization. [RCM004]

Risk Management & Compliance
  Threat-Vulnerability Statement: Legislative, statutory, regulatory or contractual obligations related to security are violated due to a lack of controls. [TVS005]
  Recommended Control Measures: Controls applicable to each situation have been applied to avoid violations of any legal obligations (e.g., statutory, regulatory, or contractual) and of any security requirements. Access controls could be door locks or computer passwords, while other controls could be firewalls and anti-virus software. [RCM005]

Training & Awareness
  Threat-Vulnerability Statement: Applications and technology solutions are not correctly and securely used because a training curriculum for employees has not been established or regularly updated. [TVS006]
  Recommended Control Measures: A training curriculum for employees has been established to educate and train users in the correct and secure use of applications and technology solutions. [RCM006]

Personnel Security
  Threat-Vulnerability Statement: Background verification checks are not carried out, and management is not aware of the academic, professional, credit or criminal backgrounds of employees. [TVS007]
  Recommended Control Measures: Background verification checks on all candidates for employment, contractors and third party computer system users are carried out in accordance with relevant laws, regulations and ethics, and in proportion to the business requirements, the classification of the information to be accessed, and the perceived risks. [RCM007]

Personnel Security
  Threat-Vulnerability Statement: Employees or contractors do not agree to or sign the terms and conditions of employment. [TVS008]
  Recommended Control Measures: As part of their terms of employment or contractual agreements, employees, contractors and third party users agree to and sign the terms and conditions of their employment contract, which should state their responsibilities and the organization's responsibilities for information security. [RCM008]

Personnel Security
  Threat-Vulnerability Statement: Employee, contractor or third party user terminations or changes of responsibilities could result in a security breach due to the lack of a defined management process for terminations or changes in responsibilities. [TVS009]
  Recommended Control Measures: Procedures are in place to ensure a properly managed exit from the organization for employees, contractors or third parties, so that all equipment is returned and the removal of all access rights is completed. [RCM009]

Physical Security
  Threat-Vulnerability Statement: Unauthorized parties gain physical access to facilities due to insufficient physical entry/exit controls. [TVS010]
  Recommended Control Measures: A facility security plan is implemented that protects the facility with appropriate entry/exit controls to ensure that only authorized personnel are allowed access, that removal of equipment from the facility is restricted to authorized individuals, and that repairs/modifications of physical components of the facility are documented and monitored. Workstations are protected from removal by unauthorized individuals. A contingency plan is implemented for permitting and enabling physical access to alternate authorized individuals (e.g., in the event that the primary authorized individuals are sick or not available). [RCM010]

Network Security
  Threat-Vulnerability Statement: Sensitive systems co-located with less sensitive systems are accessed by unauthorized parties. [TVS011]
  Recommended Control Measures: If possible, sensitive systems have a dedicated and isolated computing environment. [RCM011]

Network Security
  Threat-Vulnerability Statement: Information involved in electronic messaging is compromised. [TVS012]
  Recommended Control Measures: Information involved in electronic messaging is appropriately protected. [RCM012]

Network Security
  Threat-Vulnerability Statement: Technical vulnerabilities are exploited to gain inappropriate or unauthorized access to information systems due to the lack of controls for those vulnerabilities. [TVS013]
  Recommended Control Measures: Timely information about technical vulnerabilities of the information systems in use is obtained, the organization's exposure to the vulnerabilities is evaluated, and appropriate measures are taken to address the associated risk. [RCM013]

Network Security
  Threat-Vulnerability Statement: Unauthorized access is given to information over third party connections. [TVS014]
  Recommended Control Measures: A formal process is in place to control all external third party network connections. [RCM014]

Logical Access
  Threat-Vulnerability Statement: Unauthorized access is gained to information systems. [TVS015]
  Recommended Control Measures: Formal procedures are in place to control the allocation of access rights to information systems and services. [RCM015]

Logical Access
  Threat-Vulnerability Statement: Unauthorized users are able to gain access to operating systems by claiming to be an authorized user. [TVS016]
  Recommended Control Measures: All users are assigned a unique identifier (user ID) for their business use. This unique ID is used exclusively on computing systems within the medical practice that process EPHI, and a suitable authentication technique is chosen to validate the identity of a user. [RCM016]

Logical Access
  Threat-Vulnerability Statement: Users that no longer have a business need for information systems access still have access to the information. [TVS017]
  Recommended Control Measures: Management reviews and makes the appropriate corrections to the access rights of individual users at regular intervals using a formal process. [RCM017]

Operations Management
  Threat-Vulnerability Statement: Systems and data are exposed to malicious software and/or unauthorized use. [TVS018]
  Recommended Control Measures: Policies and procedures are implemented that address the prevention, detection and removal of malicious code in the computer operating environment. This covers all computers and any devices, such as printers and thumb drives, that connect to computers. [RCM018]

Operations Management
  Threat-Vulnerability Statement: Unauthorized information processing activities occur undetected due to the lack of consistent logging and monitoring activities. [TVS019]
  Recommended Control Measures: Policies and procedures for information system monitoring have been established and implemented. This is done to institute consistency and standards in computer activity logging, computer activity monitoring and the reporting of system events. [RCM019]

Operations Management
  Threat-Vulnerability Statement: Media (e.g., documents, computer media such as tapes and disks, input/output data, system documentation) are compromised by unauthorized parties due to ineffective handling procedures. [TVS020]
  Recommended Control Measures: Operating procedures are established to protect documents, computer media (e.g., tapes, disks), input/output data and system documentation. This is done to protect sensitive information from unauthorized disclosure, modification, removal, and destruction. [RCM020]

Operations Management
  Threat-Vulnerability Statement: Unauthorized parties access data from discarded media. [TVS021]
  Recommended Control Measures: Equipment containing storage media (e.g., fixed hard disks, CD-ROMs, thumb drives) is checked to ensure that any sensitive data and licensed software has been removed or overwritten prior to disposal. [RCM021]

Operations Management
  Threat-Vulnerability Statement: The production environment is impacted due to the lack of separation between development and production environments. [TVS022]
  Recommended Control Measures: Development, test, and operational facilities are separated from one another. This is done to reduce the risks of unauthorized access or unauthorized changes to the operational computer system or to any software applications running on it. [RCM022]

Operations Management
  Threat-Vulnerability Statement: The integrity of a business process is compromised due to the lack of segregation of duties (e.g., maker and checker). [TVS023]
  Recommended Control Measures: Employees' duties and areas of responsibility are separated; this reduces potential opportunities for unauthorized or unintentional modification or misuse of the organization's computing systems or assets. [RCM023]

Operations Management
  Threat-Vulnerability Statement: The change management process in place does not adequately protect the environment from disruptive changes in production. [TVS024]
  Recommended Control Measures: Formal change policies and procedures have been established to manage the implementation of changes and to ensure adherence to standards and security practices. [RCM024]

Incident Management
  Threat-Vulnerability Statement: Security incidents are not managed with a consistent and effective approach. [TVS025]
  Recommended Control Measures: A consistent approach to managing information security incidents, in line with applicable law, is in place to handle information security events and weaknesses once they are reported. Activities such as incident reporting, organizational response, relocation of operations, evidence collection and system recovery are all components of incident response. [RCM025]

Business Continuity Management
  Threat-Vulnerability Statement: Information systems cannot be recovered due to a lack of written disaster recovery plans. [TVS026]
  Recommended Control Measures: Backup and Recovery plans are documented, distributed throughout the organization and easily obtained by office personnel when a disruption occurs. The DR Plan must identify the actions required following interruption to, or failure of, critical IT systems. [RCM026]

Technology (Step 2b)

Columns (Perform Control Analysis): Asset Management Category | Threat-Vulnerability Statement | Recommended Control Measures | Existing Control | Existing Control Effectiveness
Columns (Exposure): Exposure Potential
Columns (Assess Risk): Likelihood | Impact | Risk Rating
(The Existing Control, Existing Control Effectiveness, Exposure Potential, Likelihood, Impact and Risk Rating columns are left blank in the template and are filled in during the assessment.)

Security Program
  Threat-Vulnerability Statement: Security breaches occur when dealing with third parties due to a lack of security considerations in the related third party agreement. [TVS002]
  Recommended Control Measures: Agreements with third parties, such as IT vendors, which involve accessing, processing, communicating with or managing the organization's information or information processing facilities, or adding products or services to information processing facilities, cover all relevant security requirements. Contracts between business associates and covered entities address administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of information. [RCM002]

Risk Management & Compliance
  Threat-Vulnerability Statement: Information about risks and related control options is not presented to management before management decisions are made. [TVS004]
  Recommended Control Measures: Risk assessments are conducted to identify, quantify, prioritize and manage risks. Prioritization is accomplished by creating and using criteria for risk acceptance and objectives that are important to the organization. [RCM004]

Training & Awareness
  Threat-Vulnerability Statement: Applications and technology solutions are not correctly and securely used because a training curriculum for employees has not been established or regularly updated. [TVS006]
  Recommended Control Measures: A training curriculum for employees has been established to educate and train users in the correct and secure use of applications and technology solutions. [RCM006]

Personnel Security
  Threat-Vulnerability Statement: Employees or contractors do not agree to or sign the terms and conditions of employment. [TVS008]
  Recommended Control Measures: As part of their terms of employment or contractual agreements, employees, contractors and third party users agree to and sign the terms and conditions of their employment contract, which should state their responsibilities and the organization's responsibilities for information security. [RCM008]

Personnel Security
  Threat-Vulnerability Statement: Employee, contractor or third party user terminations or changes of responsibilities could result in a security breach due to the lack of a defined management process for terminations or changes in responsibilities. [TVS009]
  Recommended Control Measures: Procedures are in place to ensure a properly managed exit from the organization for employees, contractors or third parties, so that all equipment is returned and the removal of all access rights is completed. [RCM009]

Physical Security
  Threat-Vulnerability Statement: Unauthorized parties gain physical access to facilities due to insufficient physical entry/exit controls. [TVS010]
  Recommended Control Measures: A facility security plan is implemented that protects the facility with appropriate entry/exit controls to ensure that only authorized personnel are allowed access, that removal of equipment from the facility is restricted to authorized individuals, and that repairs/modifications of physical components of the facility are documented and monitored. Workstations are protected from removal by unauthorized individuals. A contingency plan is implemented for permitting and enabling physical access to alternate authorized individuals (e.g., in the event that the primary authorized individuals are sick or not available). [RCM010]

Network Security
  Threat-Vulnerability Statement: Sensitive systems co-located with less sensitive systems are accessed by unauthorized parties. [TVS011]
  Recommended Control Measures: If possible, sensitive systems have a dedicated and isolated computing environment. [RCM011]

Network Security
  Threat-Vulnerability Statement: Information involved in electronic messaging is compromised. [TVS012]
  Recommended Control Measures: Information involved in electronic messaging is appropriately protected. [RCM012]

Network Security
  Threat-Vulnerability Statement: Technical vulnerabilities are exploited to gain inappropriate or unauthorized access to information systems due to the lack of controls for those vulnerabilities. [TVS013]
  Recommended Control Measures: Timely information about technical vulnerabilities of the information systems in use is obtained, the organization's exposure to the vulnerabilities is evaluated, and appropriate measures are taken to address the associated risk. [RCM013]

Network Security
  Threat-Vulnerability Statement: Unauthorized access is given to information over third party connections. [TVS014]
  Recommended Control Measures: A formal process is in place to control all external third party network connections. [RCM014]

Logical Access
  Threat-Vulnerability Statement: Unauthorized access is gained to information systems. [TVS015]
  Recommended Control Measures: Formal procedures are in place to control the allocation of access rights to information systems and services. [RCM015]

Logical Access
  Threat-Vulnerability Statement: Unauthorized users are able to gain access to operating systems by claiming to be an authorized user. [TVS016]
  Recommended Control Measures: All users are assigned a unique identifier (user ID) for their business use. This unique ID is used exclusively on computing systems within the medical practice that process EPHI, and a suitable authentication technique is chosen to validate the identity of a user. [RCM016]

Logical Access
  Threat-Vulnerability Statement: Users that no longer have a business need for information systems access still have access to the information. [TVS017]
  Recommended Control Measures: Management reviews and makes the appropriate corrections to the access rights of individual users at regular intervals using a formal process. [RCM017]

Operations Management
  Threat-Vulnerability Statement: Systems and data are exposed to malicious software and/or unauthorized use. [TVS018]
  Recommended Control Measures: Policies and procedures are implemented that address the prevention, detection and removal of malicious code in the computer operating environment. This covers all computers and any devices, such as printers and thumb drives, that connect to computers. [RCM018]

Operations Management
  Threat-Vulnerability Statement: Unauthorized information processing activities occur undetected due to the lack of consistent logging and monitoring activities. [TVS019]
  Recommended Control Measures: Policies and procedures for information system monitoring have been established and implemented. This is done to institute consistency and standards in computer activity logging, computer activity monitoring and the reporting of system events. [RCM019]

Operations Management
  Threat-Vulnerability Statement: Media (e.g., documents, computer media such as tapes and disks, input/output data, system documentation) are compromised by unauthorized parties due to ineffective handling procedures. [TVS020]
  Recommended Control Measures: Operating procedures are established to protect documents, computer media (e.g., tapes, disks), input/output data and system documentation. This is done to protect sensitive information from unauthorized disclosure, modification, removal, and destruction. [RCM020]

Operations Management
  Threat-Vulnerability Statement: The production environment is impacted due to the lack of separation between development and production environments. [TVS022]
  Recommended Control Measures: Development, test, and operational facilities are separated from one another. This is done to reduce the risks of unauthorized access or unauthorized changes to the operational computer system or to any software applications running on it. [RCM022]

Operations Management
  Threat-Vulnerability Statement: The change management process in place does not adequately protect the environment from disruptive changes in production. [TVS024]
  Recommended Control Measures: Formal change policies and procedures have been established to manage the implementation of changes and to ensure adherence to standards and security practices. [RCM024]

Incident Management
  Threat-Vulnerability Statement: Security incidents are not managed with a consistent and effective approach. [TVS025]
  Recommended Control Measures: A consistent approach to managing information security incidents, in line with applicable law, is in place to handle information security events and weaknesses once they are reported. Activities such as incident reporting, organizational response, relocation of operations, evidence collection and system recovery are all components of incident response. [RCM025]

Business Continuity Management
  Threat-Vulnerability Statement: Information systems cannot be recovered due to a lack of written disaster recovery plans. [TVS026]
  Recommended Control Measures: Backup and Recovery plans are documented, distributed throughout the organization and easily obtained by office personnel when a disruption occurs. The DR Plan must identify the actions required following interruption to, or failure of, critical IT systems. [RCM026]

Findings-Remediation (Step 3)

Number of High Risks: 0
Number of Medium Risks: 0
Total Number of High and Medium Risks: 0

High and Medium Risks Findings and Remediation

Columns: Risks Found (High and Medium Only) | Risk Rating | Existing Control Measures Applied | Recommended Control Measures | Additional Steps
(Findings are recorded in two groups, both blank in the template.)

People and Processes

Technology