Security Assessment Template

Transcription

1 Security Assessment Template Step 1: Define the organization s current state Step 2: Assess the degree to which the organization s systems currently comply compare standards to current systems/practices and define gaps Step 3: Determine intersections and impacts on current strategic plans what is currently planned and how will that change in order to meet compliance standards? Step 4: Prioritize gaps between current and future systems from most critical to least critical Step 5: Determine alternatives and solutions to close the gap Step 6: Select the best solution (which may be to do nothing) Step 7: Remediate/Implement/Acquire systems as needed Areas of Organization Requiring Assessment Computers hardware and location Application programs system-wide and departmental Interfaces Communications infrastructure Telephones Fax machines Connections and networks Internet access Physical security around computers and networks Administrative safeguards including Policies and procedures Information Management Systems department Departments Security Awareness training Contractual relationships and contracts Back-ups and disaster recovery Personnel Security Officer and Security Staff Employee skill levels and workloads Granting access to systems, password assignment Authentication Termination procedures 2003 Lisa L. Dahm. All rights reserved.

2 Security Assessment Template Department Name Section I: Department Profile 1. How many employees are in your department? Full-time employees Part-time employees Full-time equivalents ne 2. Does your department contract with third parties for any data processing? (e.g., billing, data entry, transcription) If yes, please list the names of the third parties/vendors, and briefly describe their responsibilities. 3. Are any of the individuals who work in your department not within the employ of the organization? 4. Does your department use or access electronic protected health information? (specify) If, using which technology(ies)? (Check all that apply.) Main computer system Departmental computer system Workstation or PC Internet Internal Communication Network or Intranet 5. Does your department send or communicate electronic protected health information to anyone within the organization? (specify) If, using which technology(ies)? (Check all that apply.) Main computer system Departmental computer system Workstation or PC Internet Internal Communication Network or Intranet 1

3 Department Name 6. Are there formal policies and procedures that describe how electronic protected health information is to be sent or communicated within the organization? (specify) Please list the policies and procedures and/or obtain copies of them. 7. Does your department send or communicate electronic protected health information to anyone outside the organization? (specify) 8. Is the protected health information is communicated outside of the organization via the Internet or any other open networks? (specify) 9. Are there any computers or computer systems within your department? If, using which technology(ies)? (Check all that apply.) Main computer system Departmental computer system Workstation or PC Internet Please check the open networks your department uses: Internet Other: Other: Other: Other: If yes, please provide the names of the systems your department uses: Main computer system. Departmental computer system or systems. Workstation or PC. Internet Other: 2

4 Department Name 10. Please provide a brief description of the primary functions of your department. 11. Please provide a brief summary of your job responsibilities. 3

5 Department Name Section II. Information Technology Usage 12. Does an inventory of the organization s hardware and software exist? 13. How many of the staff in the department have access to the main computer system? ne Less than 5 5 to to 20 More than 21 List the part(s) of the main computer system that each individual can use (by job title): Are functions within the main computer system restricted in any way (such that not everyone in the department can perform the same tasks or functions)? 14. How many of the staff in the department have access to a departmental system? ne Less than 5 5 to to 20 More than 21 List the part(s) of the departmental system(s) that each individual can use (by job title): Are functions within the departmental system(s) restricted in any way (such that not everyone in the department can perform the same tasks or functions)? 4

6 Department Name 15. How many of the staff in the department have access to a personal computer? ne Less than 5 5 to to 20 More than 21 If any of the personal computers are stand-alone computers, what software is run on them? Are any of the personal computers stand-alone? (t connected to the network) 16. Does each user in your department have his/her own individual user id and password? 17. Does each user in your department have more than one user id? (To access more than one system) 18. Does each user in your department have more than one password? (To access different parts of a system or different systems) 19. Do users receive training on how to report discrepancies? 5

7 Department Name 20. Can users within your department access information or perform functions that are not related to their normal job functions? 21. Can a user within your department be logged on to two or more different computers at the same time? 22. Does the organization perform security testing including: Hands-on functional testing? Penetration testing? Verification testing? 6

8 Section III. Administrative Safeguards Each covered entity must develop, formally document, implement, and maintain Administrative Safeguards administrative actions and policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the organization s workforce as regards protection of that information. 23. Does your organization have a Security Management Process? Has your organization implemented formal policies and procedures to prevent, detect, contain, and correct security violations? If, does the Security Management Process include each of the following components? (Check which components are included.) Risk Analysis (To conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.) Risk Management (Security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.) Sanction Policy Information System Activity Review (To regularly review records of information system activity such as audit logs, access reports, and security incident tracking reports.) 24. Has your organization identified an individual who is responsible for the development and implementation of security policies and procedures? Who is your Security Officer? Is this individual also serving as the Privacy Officer for your organization? Who is your Privacy Officer? 7

9 25. Has your organization implemented Workforce Security measures? Are there formal policies and procedures to ensure all workforce members have appropriate access to electronic protected health information? Do the following procedures exist? (Check all that exist.) Authorization and/or Supervision Workforce Clearance Termination Procedures Are there formal policies and procedures to prevent those workforce members who do not have access to electronic protected health information from obtaining access to it? 26. Does your organization have an Information Access Management process? Are there formal policies and procedures describing how access to electronic protected health information is authorized? 27. Has your organization implemented a Security Awareness and Training program for all workforce members? If, is the policy and procedure for granting access separate from the policy and procedure describing how a user s right to access is reviewed and/or modified? Access Authorization separate policy and procedure Access Establishment and Modification separate policy and procedure Single policy and procedure addressing both If, does the program include or address: (Check all that apply.) Security Reminders (periodic updates) Protection from Malicious Software (procedures for guarding against, detecting, and reporting malicious software) Log-in Monitoring (to monitor attempts and report discrepancies) Password Management (creating, changing, and safeguarding passwords) 8

10 28. Has your organization implemented Security Incident Procedures? 29. Is there a written Contingency Plan that defines how your organization will respond to system emergencies? If, do the policies and procedures address each of the following required components? (Check all that apply.) Documenting security incidents and their outcomes Identifying and responding to suspected or known security incidents Mitigating, to the extent practicable, harmful effects of security incidents that are known to the organization Does the Contingency Plan include a data back-up plan? Does the Contingency Plan include a disaster recovery plan? Does the Contingency Plan include an emergency mode operation plan? 30. Does the Contingency Plan include procedures for periodic testing and revision of the Contingency Plan? 31. Does the Contingency Plan allow the organization to assess the relative criticality of specific applications and data in support of other Contingency Plan components? 9

11 32. Does your organization perform periodic technical and non-technical Evaluations to determine the extent to which its security policies and procedures meet the requirements of the Security Standards? 33. Does your organization have in place a Business Associate Contract with each of its business associates who create, receive, maintain, or transmit electronic protected health information on your organization s behalf? Does each Business Associate Contract require the business associate to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information the business associate creates, receives, maintains, or transmits on your organization s behalf? Does each Business Associate Contract require the business associate to ensure that any agent or subcontractor agrees to implement reasonable and appropriate safeguards to protect electronic protected health information? Does each Business Associate Contract require the business associate to report to your organization any security incident of which it becomes aware? Does each Business Associate Contract authorize termination of the contract by your organization if the business associate violates a material term? 10

12 Section IV. Physical Safeguards Each covered entity must develop, formally document, implement, and maintain Physical Safeguards physical measures, policies, and procedures that protect the organization s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. 34. Has your organization implemented policies and procedures to limit physical access to electronic information systems? 35. Has your organization implemented policies and procedures to limit physical access to the facility or facilities in which electronic information systems are housed? 36. Does your Disaster Recovery Plan include a Contingency Operations Plan that describes how access to your facility will be granted in order to restore lost data in the event of an emergency? 37. Has your organization developed a Facility Security Plan that describes how the facility and the equipment will be protected from unauthorized physical access, tampering, and theft? 38. Do procedures exist to control and validate a person s access to your facilities based on the individual s role or function? 11

13 39. Do procedures exist to control and validate a visitor s access to your facilities? 40. Do procedures exist to control and validate access to your organization s software programs for testing and revision? 41. Does your organization maintain detailed Maintenance Records related to the security of the physical components of your facility such as hardware, walls, doors, and locks? 42. Does your organization have formal policies and procedures governing Workstation Use? Do the policies and procedures identify the functions that are/will be performed at the workstation? Doe the policies and procedures describe the manner in which the functions that are performed at the workstation are to be performed? Do the policies and procedures describe the required physical attributes of the immediate areas surrounding the workstation or class of workstations? 12

14 43. Are Workstations Secure? Are physical safeguards implemented for those workstations that access electronic protected health information to restrict access to authorized users only? 44. Has the organization implemented Device and Media Controls policies and procedures to govern the receipt and removal of hardware and electronic media containing electronic protected health information? Do the Controls address receipt of hardware and electronic media by the organization? Do the Controls address removal of hardware and electronic media from the organization? Do the Controls address movement of hardware and electronic media within the organization? 45. Do the Device and Media Controls require maintenance of a written record of the movements of hardware and electronic media and any person responsible for such movements? Has your organization implemented policies and procedures to describe how electronic protected health information will be disposed of? Has your organization implemented policies and procedures to describe how hardware and/or electronic media containing electronic protected health information will be disposed of? Has your organization implemented a procedure requiring removal of electronic protected health information from media that is/will be re-used? 13

15 46. Do the Device and Media Controls require the creation of a retrievable, exact copy of electronic protected health information before any electronic equipment containing such information is moved? 14

16 Section V. Technical Safeguards Computer/Application Program Each covered entity must develop, formally document, implement, and maintain Technical Safeguards the technology and the policies and procedures that protect electronic protected health information and control access to it. This section should be completed for each computer and/or software program (including the communication network) that transmits and/or maintains electronic protected health information implemented at the organization. 47. Has the organization adopted and implemented Access Control policies and procedures for each computer and/or application program? Does each user have his/her own unique user name and/or number so that his/her access to electronic protected health information can be identified and tracked? Do formal procedures exist that define how access to electronic protected health information will be obtained during an emergency? 48. Do the Access Control policies and procedures require automatic termination of an electronic session after a predetermined period of inactivity? 49. Do the Access Control policies and procedures address and/or require encryption and decryption of electronic protected health information? 15

17 Computer/Application Program 50. Are Audit Controls in place to record and examine system activity of systems that contain or use electronic protected health information? (Applies to hardware, software, and/or procedural mechanisms.) 51. Has the organization adopted and implemented Integrity policies and procedures to protect electronic protected health information from improper alteration or destruction? 52. Do the Integrity policies and procedures define electronic means to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner? 53. Does the organization have Authentication mechanisms in place to corroborate that the person seeking access electronic protected health information is the person he/she claims to be? 54. Does the organization have Entity Authentication mechanisms in place to corroborate that the entity seeking access electronic protected health information is the entity it claims to be? 16

18 Computer/Application Program 55. Does the organization have Transmission Security measures in place to guard against unauthorized access to electronic protected health information being transmitted over electronic communications network? 56. Do the Transmission Security measures include Integrity Controls to ensure that electronically transmitted protected health information is not improperly modified without detection until it is disposed of? 57. Do the Transmission Security measures require encryption of electronically transmitted protected health information whenever such encryption is deemed appropriate? 17

19 Section VI. Business Relationships, Policies and Procedures, Documentation The remaining standards included in the final HIPAA Security Standards (1) define requirements associated with business associates or other arrangements; (2) require written (or electronically stored) policies and procedures; and (3) define documentation requirements. 58. Does the organization have business associates who create, receive, maintain, or transmit electronic protected health information on behalf of the organization? Is there a Business Associate Contract between the organization and each of its business associates? Does the Business Associate Contract contain all the required provisions? (See Question #30 above.) 59. Does the organization have reasonable and appropriate policies and procedures that comply with the standards, implementation specification, or other requirements of the HIPAA Security Standards? Do these policies and procedures include provisions describing how and when they may be changed by the organization? Do these policies and procedures define how changes to policies and procedures will be documented and implemented? 60. Are policies and procedures maintained and accessible electronically? 18

20 61. Will all documentation, including policies and procedures, be maintained for a minimum of six (6) years from the date of its creation or the date it was last in effect, whichever is later? 62. Will all documentation, including policies and procedures, be available to those person responsible for implementing the procedures to which the documentation pertains? 63. Does the organization have procedures in place to periodically review and update documentation in response to environmental or operational changes affecting the security of electronic protected health information? 19

21 Contact Information Lisa L. Dahm DDF & Associates Houston, Texas (713)