HIPAA Privacy and Security Risk Assessment and Action Planning




Practice Name:
Participants:
Date:
MU Stage:
EHR Vendor:

Access Control

Unique ID and PW for Users (TVS016)
  Each user is assigned a unique name and/or number and password in order to access the EHR?

Role Based Access (TVS023)
  Access to the EHR is configured based on the user's role within the Practice, and privileges are restricted to those roles?

Account Lockout
  Applications accessing PHI are set to lock out the user after multiple failed login attempts?
  Now set to ____ times / N/A          Should be set to ____ times

Password History
  The EHR restricts reuse of previously used passwords; how often can a password be reused?
  Now set to ____ times / N/A          Should be set to ____ times

Password Change
  The EHR password is set to expire on a regular basis, e.g. after 90 days?
  Now set to ____ months / N/A         Should be set to ____ months

Password Length and Complexity
  Do applications accessing e-PHI require a long, complex password, e.g. more than 8 characters and drawn from at least 3 of the 4 character classes (upper case, lower case, numbers, special characters)?
  Now set to ____ / N/A                Should be set to ____

Emergency Access (TVS015, TVS026)
  Are procedures in place for obtaining e-PHI remotely or in an emergency through a secure link?

Audit Logs (TVS014, TVS017, TVS019)
  Audit logs are maintained for e-PHI programs and they are reviewed regularly.
  Sys/Net Logs Audit: ____             Application Logs Audit: ____

HIPAA Privacy and Security Assessment v.pp.jun-26-2014 Page 1
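The Account Lockout, Password Length and Complexity, Password History, Password Change and Audit Logs items above can be spot-checked rather than answered from memory. The following is an added example written for this page; it is not part of the assessment form and not any EHR vendor's tooling. It assumes the form's password rule (more than 8 characters, at least 3 of the 4 character classes, no reuse, expiry after 90 days), an assumed history depth of 5 and lockout threshold of 5, and a constructed audit-log line format (timestamp, user, event, source address); a real EHR's log format, field names and event names will differ.

```python
"""Spot checks for the Access Control items on the assessment form.

Added example: not part of the form and not any EHR product's code.
Password rule taken from the form; history depth, lockout threshold and
the audit-log line format are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

MIN_LENGTH = 9          # the form's "more than 8 characters"
MIN_CLASSES = 3         # at least 3 of: upper, lower, digit, special
HISTORY_DEPTH = 5       # assumed: the last 5 passwords may not be reused
MAX_AGE_DAYS = 90       # the form's "expire after 90 days"
LOCKOUT_THRESHOLD = 5   # assumed: lock the account after 5 consecutive failures


def check_new_password(candidate, previous):
    """Return the policy violations for a proposed password ([] means compliant)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    present = sum(1 for pattern in classes if re.search(pattern, candidate))
    if present < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if candidate in previous[-HISTORY_DEPTH:]:
        problems.append(f"reused within last {HISTORY_DEPTH} passwords")
    return problems


def password_expired(set_on, now):
    """True when a password set on `set_on` (ISO date) is older than 90 days at `now`."""
    age = datetime.fromisoformat(now) - datetime.fromisoformat(set_on)
    return age > timedelta(days=MAX_AGE_DAYS)


# Constructed log line format (an assumption): ISO timestamp, user, event, source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>LOGIN_OK|LOGIN_FAIL|LOCKOUT) src=(?P<src>\S+)$"
)


def review_auth_log(lines, threshold=LOCKOUT_THRESHOLD):
    """Find accounts that reached `threshold` consecutive failed logins and were
    then allowed in without an intervening LOCKOUT event, i.e. the lockout
    setting recorded on the form is not actually being enforced.

    Returns (findings, unparsed): findings are (user, timestamp, failures);
    unparsed counts lines the parser could not read, so a reviewer sees them
    instead of silently skipping them.
    """
    streak = defaultdict(int)
    findings = []
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        user, event, ts = m["user"], m["event"], m["ts"]
        if event == "LOGIN_FAIL":
            streak[user] += 1
        elif event == "LOCKOUT":
            streak[user] = 0          # lockout fired as configured; start over
        else:                         # LOGIN_OK
            if streak[user] >= threshold:
                findings.append((user, ts, streak[user]))
            streak[user] = 0
    return findings, unparsed


# Constructed sample log: jsmith fails 5 times and is still let in (a finding);
# mlee fails 5 times, is locked out, and logs in an hour later (no finding).
SAMPLE_LOG = """\
2014-06-20T08:01:12 user=jsmith event=LOGIN_FAIL src=10.0.5.21
2014-06-20T08:01:40 user=jsmith event=LOGIN_FAIL src=10.0.5.21
2014-06-20T08:02:02 user=jsmith event=LOGIN_FAIL src=10.0.5.21
2014-06-20T08:02:31 user=jsmith event=LOGIN_FAIL src=10.0.5.21
2014-06-20T08:02:58 user=jsmith event=LOGIN_FAIL src=10.0.5.21
2014-06-20T08:03:05 user=jsmith event=LOGIN_OK src=10.0.5.21
2014-06-20T08:10:00 user=mlee event=LOGIN_FAIL src=10.0.5.30
2014-06-20T08:10:10 user=mlee event=LOGIN_FAIL src=10.0.5.30
2014-06-20T08:10:20 user=mlee event=LOGIN_FAIL src=10.0.5.30
2014-06-20T08:10:30 user=mlee event=LOGIN_FAIL src=10.0.5.30
2014-06-20T08:10:40 user=mlee event=LOGIN_FAIL src=10.0.5.30
2014-06-20T08:10:41 user=mlee event=LOCKOUT src=10.0.5.30
2014-06-20T09:00:00 user=mlee event=LOGIN_OK src=10.0.5.30
garbage line that should be counted as unparsed
""".splitlines()

if __name__ == "__main__":
    findings, unparsed = review_auth_log(SAMPLE_LOG)
    for user, ts, failures in findings:
        print(f"{user}: {failures} failures then successful login at {ts} (no lockout)")
    print(f"{unparsed} unparsed line(s)")
    print(check_new_password("Ab1!", []), password_expired("2014-03-01", "2014-06-26"))
```

The review function only treats a successful login after a full streak of failures as a finding; an account that is still mid-streak at the end of the log is not reported, since the lockout may simply not have been tested yet. Run the same review over a real export to fill in the "Now set to" column from evidence rather than from the vendor's documentation.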

e-PHI Hosting Infrastructure

Cloud, Hosted Server, or Locally Hosted
  Responsibility for the technical aspects of practice operations is outsourced to vendors deemed knowledgeable and reliable in providing technology services.
  e-PHI is hosted by Cloud / ISP.   ISP / Cloud Name: ____   Tech Support Provided By: ____
  e-PHI is hosted locally.          Tech Support Provided By: ____

Firewall Review (TVS0019)
  The firewall has appropriate configuration and security: access control lists, VPNs, certificates, up-to-date maintenance, encrypted admin access, etc.
  Maintained by Professional ISP / Host Vendor: ____
  Maintained by Local Professional: ____

Wireless Security
  Wireless has been configured and tested for appropriate security using WEP / WPA encryption and other protections. (WEP is cryptographically broken and should not be counted as protection; WPA2 or WPA3 should be in use.)

Antivirus Protections (TVS018)
  Systems containing e-PHI have antivirus software that is updated daily?
  Server Anti-Virus: ____   Client Anti-Virus: ____
  Yes, hosting protection supplied by ISP/ASP.   ISP/ASP Name: ____

OS Updates, Servers and Clients (TVS024)
  All workstations and servers are regularly updated with the latest security patches, hotfixes and service packs, i.e. updated every 30 days or when updates are released?

e-PHI Hosting Infrastructure (continued)

Encryption of Host Systems
  Server e-PHI is fully encrypted?  Y / N
  Practice relies on hosting vendor to fully protect e-PHI according to federal regulations.  Y / N

Encryption of Client Computers
  Is there PHI on portable computers?  Y / N
  Are host credentials saved on them?  Y / N
  Is full-disk encryption in place?  Y / N
  Is encryption used with all permitted portable data storage?  Y / N

Encryption of Data Transmission
  e-PHI is transmitted encrypted?  Y / N
  Email with e-PHI is encrypted?  Y / N
  e-PHI data transfers are encrypted?  Y / N
  Other ways that e-PHI is communicated over non-secure transmission paths: ____

Backups (TVS026)
  Backups of e-PHI data files are performed nightly and taken offsite each week?
  e-PHI backups are fully encrypted?  Y / N
  Practice relies on hosting vendor to fully protect e-PHI according to federal regulations.  Y / N
  Local Backup Frequency: ____   Offsite Frequency: ____   Offsite Storage Location: ____

Environmental & Disaster Plan

Emergency power
  Offices have access to short-term emergency power to facilitate an orderly shutdown of systems and operations.
  Practice relies on professional hosting vendor.   Local office power backup in place: ____ mins.

EHR technology is secured by anti-theft mechanisms
  Computers with access to the EHR are protected from access or theft by physical location or anti-theft controls such as locked doors, cable locks, or other devices.
  See Facility Walkthrough Summary.

EHR host is in an environmentally secure location
  The EHR system is positioned to minimize potential damage from environmental hazards such as flooding, fire, tornadoes, earthquake, etc.

EHR protected by fire detection and suppression
  The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

Disaster Recovery Plan (TVS026)
  A Disaster Recovery Plan to rapidly restore normal operations in the event of a catastrophic interruption has been devised and documented, and personnel are trained to carry out the plan.

Disaster Recovery Testing (TVS026)
  The Practice's Disaster Recovery plan has been tested to assure successful restoration and integrity of data and proper practice operations, and is tested on a quarterly basis?

Administrative

Security Officer
  The key role of Security Officer is assigned, properly prepared, and their role is clearly communicated to the rest of the Practice.

Privacy and Security
  The Practice has documented its Privacy and Security policies and procedures, including the items addressed in this checklist.
  Privacy and Security Policy in place:  Y / N

Data Breach
  Documentation of policies and procedures to report and follow up on any suspected or confirmed data security breach.

User Training
  The Practice requires employees to learn the Practice's Privacy and Security policies and the procedures to follow in the event of a suspected data breach.

Delivery and Removal of PHI Records
  The Practice authorizes, monitors, and logs requests for and delivery of PHI entering and exiting the Practice.

Practice executes BAAs
  The Practice executes an appropriate Business Associate Agreement with each party that has access to its e-PHI.

Public and Patient Areas Protected Appropriately
  Access to public and patient areas of the office is controlled in accordance with identified risk (receptionist monitors waiting room, patients are escorted to exam rooms, use of after-hours locks or alarms, etc.).

Visitors are authorized, recorded and escorted
  Physical access to non-patient areas is limited to authorized visitors who are verified with respect to identity and authorization.  Y / N
  Visitors are recorded, including name, company, signature, times of entry and departure, and purpose of visit.  Y / N

Administrative (continued)

Access Security - Keys etc.
  Keys, access fobs, entry combinations, and all other passwords are assigned and/or physically secured, and changes are logged.
  Password/Key/Fob assignments tracked:  Y / N
  Key change on employee termination:  Y / As Needed / N

Inventory of Assets
  The Practice maintains an inventory of physical and license assets, and their disposition is tracked in case of emergency.

Access to systems with e-PHI is restricted and monitored
  Physical access to systems (e.g. servers) containing PHI is restricted and monitored.

Communication infrastructure is protected
  Physical access to critical infrastructure is restricted and monitored (e.g. the wiring cabinet is locked, cables are protected by conduit, and there is no access to cables, routers, or switches in publicly accessible areas).

Monitor and printer outputs are not visible
  Computer monitors and printers are protected from visibility by unauthorized individuals (e.g. by situating them so that they are not visible, or by using privacy filters on screens).

Digital output devices are protected
  Access to devices such as digital printers and fax machines is restricted and monitored. Devices are powered off (or memory is cleared by some other means) when not in use.