HIPAA – Security Risk Assessment

https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

SRA Tool
Excel Workbook
Version 3.3
See the SRA Tool User Guide available for download on HealthIT.gov for more detailed instructions and FAQs.
Instructions for Use:
This Excel-based version of the SRA Tool contains the same content that can be found in the latest version of the Windows-based SRA Tool (3.3).

The content is broken down into seven sections. Each section is contained in its own sheet of this workbook. Some elements of this workbook contain dropdown validation allowing the user to select a response.

The “Response Indicator” column can be used to check a response for a given question. Responses which indicate risk will automatically be highlighted in yellow. Select one response per question. The check mark can be cleared by using backspace or delete.

The “Likelihood” and “Impact” columns in the Threats and Vulnerabilities section of each sheet can be used to rate likelihood and impact as “Low”, “Medium”, or “High”. Likelihood and impact ratings will automatically combine to form a Risk Score. These can also be cleared using backspace or delete.

NOTE: This workbook contains risk calculation logic (formulas) and conditional formatting that will break if disturbed. Responses where risk is indicated will be highlighted in yellow.

The Security Risk Assessment Tool at HealthIT.gov is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.
NOTE: The NIST and HICP standards provided in this tool are for informational purposes only as they may reflect current best practices in information technology and are not required for compliance with the HIPAA Security Rule’s requirements for risk assessment and risk management. This tool is not intended to serve as legal advice or as recommendations based on a provider or professional’s specific circumstances. We encourage providers, and professionals to seek expert advice when evaluating the use of this tool.
Last Updated: 5/5/2022


Sheet 2: Section 1

Section 1 – SRA Basics
Columns: Question # | Question Text | Response Indicator | Question Responses | Guidance | Risk Indicated | Required? | Reference
(The Response Indicator and Risk Indicated columns are the dropdown/check cells described in the instructions and are blank in this export.)
Section Questions
1. Has your practice completed a security risk assessment (SRA) before?
   Required? Required
   Reference: HIPAA §164.308(a)(1)(ii)(A); NIST CSF ID.RA, ID.AM, ID.BE, PR.DS, PR.IP, RS.MI; HICP TV1, Practice # 7, 10
   - Yes. Guidance: Continuing to complete security risk assessments will help safeguard the confidentiality, integrity, and availability of ePHI. Consider scheduling a vulnerability scan to improve your risk assessment.
   - No. Guidance: Performing a security risk assessment periodically will help safeguard the confidentiality, integrity, and availability of ePHI. Consider scheduling a vulnerability scan to improve your risk assessment.
   - I don’t know. Guidance: Performing a security risk assessment periodically will help safeguard the confidentiality, integrity, and availability of ePHI. Consider scheduling a vulnerability scan to improve your risk assessment.
   - Flag this question for later. Guidance: This question will be marked as an area for review and will be included in the “Flagged Questions” report.
   Notes:
2. Do you review and update your SRA?
   Required? Required
   Reference: HIPAA §164.308(a)(1)(ii)(A); NIST CSF ID.RA, ID.AM, ID.BE, PR.DS, PR.IP, RS.MI; HICP TV1, Practice # 10
   - Yes. Guidance: This is the most effective option to protect the confidentiality, integrity, and availability of ePHI. Document requirements to periodically update your risk assessment. You may also periodically conduct vulnerability scans.
   - No. Guidance: Consider reviewing and updating your security risk assessment periodically. Document requirements to periodically update your risk assessment. You may also periodically conduct vulnerability scans.
   - I don’t know. Guidance: Consider reviewing and updating your security risk assessment periodically. Document requirements to periodically update your risk assessment. You may also periodically conduct vulnerability scans.
   - Flag this question for later. Guidance: This question will be marked as an area for review and will be included in the “Flagged Questions” report.
   Notes:
3. How often do you review and update your SRA?
   Required? Required
   Reference: HIPAA §164.308(a)(1)(ii)(A); NIST CSF ID.RA, ID.AM, ID.BE, PR.DS, PR.IP, RS.MI; HICP N/A
   - Periodically and in response to operational changes and/or security incidents. Guidance: This is the most effective option to protect the confidentiality, integrity, and availability of ePHI.
   - Periodically but not in response to operational changes and/or security incidents. Guidance: An accurate and thorough security risk assessment should be reviewed and updated periodically, or in response to operational changes, or security incidents.
   - Only in response to operational changes and/or security incidents. Guidance: An accurate and thorough security risk assessment should be reviewed and updated periodically, or in response to operational changes, or security incidents.
   - Ad hoc, without regular frequency. Guidance: An accurate and thorough security risk assessment should be reviewed and updated periodically, or in response to operational changes, or security incidents.
   - I don’t know. Guidance: Consider looking into whether your organization reviews and/or updates your SRA periodically, or in response to operational changes, or security incidents.
   - Flag this question for later. Guidance: This question will be marked as an area for review and will be included in the “Flagged Questions” report.
   Notes:
4. Do you include all information systems containing, processing, and/or transmitting ePHI in your SRA?
   Required? N/A
   Reference: HIPAA N/A; NIST CSF ID.RA, PR.DS, ID.AM; HICP TV1, Practice # 5
   - Yes. Guidance: This is the most effective option to protect the confidentiality, integrity, and availability of ePHI. A comprehensive security risk assessment should include all information systems that contain, process, or transmit ePHI. Maintain a complete and accurate inventory of the IT assets in your organization to facilitate the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet.
   - No. Guidance: Include all information systems that contain, process, or transmit ePHI in your security risk assessment. In addition, document your systems in a complete inventory. Maintain a complete and accurate inventory of the IT assets in your organization to facilitate the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet.
   - I don’t know. Guidance: Include all information systems that contain, process, or transmit ePHI in your security risk assessment. In addition, document your systems in a complete inventory. Maintain a complete and accurate inventory of the IT assets in your organization to facilitate the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet.
   - Other. Guidance: Include all information systems that contain, process, or transmit ePHI in your security risk assessment. In addition, document your systems in a complete inventory. Maintain a complete and accurate inventory of the IT assets in your organization to facilitate the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet.
   - Flag this question for later. Guidance: This question will be marked as an area for review and will be included in the “Flagged Questions” report.
   Notes:
5. How do you ensure you are meeting current HIPAA security regulations?
   Required? Required
   Reference: HIPAA §164.308(a)(1)(ii)(B); NIST CSF ID.GV, ID.RM; HICP N/A
   - We review our practice’s Security Policies and Procedures and compare to current regulations. Guidance: An accurate and thorough security risk assessment should be performed, reviewed and updated periodically, or in response to operational changes, security incidents, or the occurrence of a significant event.
   - We review the current regulations and do our best to meet them. Guidance: An accurate and thorough security risk assessment should be performed, reviewed and updated periodically, or in response to operational changes, security incidents, or the occurrence of a significant event.
   - We try to follow the best practices for securing our ePHI but we are not sure we’re meeting all the HIPAA security regulations. Guidance: An accurate and thorough security risk assessment should be performed, reviewed and updated periodically, or in response to operational changes, security incidents, or the occurrence of a significant event.
   - I don’t know. Guidance: An accurate and thorough security risk assessment should be performed, reviewed and updated periodically, or in response to operational changes, security incidents, or the occurrence of a significant event.
   - Other. Guidance: An accurate and thorough security risk assessment should be performed, reviewed and updated periodically, or in response to operational changes, security incidents, or the occurrence of a significant event.
   - Flag this question for later. Guidance: This question will be marked as an area for review and will be included in the “Flagged Questions” report.
   Notes:
6. What do you include in your SRA documentation?
   Required? Required
   Reference: HIPAA §164.308(a)(1)(ii)(A); NIST CSF ID.RA, ID.AM, ID.BE, PR.DS, PR.IP, RS.MI; HICP TV1, Practice # 4, 5, 9
   - Our SRA documentation includes possible threats and vulnerabilities which we assign impact and likelihood ratings to. This allows us to determine severity. We develop corrective action plans as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. Guidance: This is the most effective option to protect the confidentiality, integrity, and availability of ePHI. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data. IT asset management is critical to ensuring that the appropriate cyber hygiene controls are maintained across all assets in your organization, including medical device management.
   - Our SRA documentation includes possible threats and vulnerabilities which we assign impact and likelihood ratings to. This allows us to determine severity. We do not include corrective action plans. Guidance: Corrective action plans should be developed as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data. IT asset management is critical to ensuring that the appropriate cyber hygiene controls are maintained across all assets in your organization, including medical device management.
   - Our SRA documentation includes possible threats and vulnerabilities but does not include impact and likelihood ratings, severity ratings, or corrective action plans. Guidance: Threats and vulnerabilities should be documented and given impact and likelihood ratings. This will help determine severity and is the best way to safeguard and protect ePHI from potential threats and vulnerabilities. Corrective action plans should be developed as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data. IT asset management is critical to ensuring that the appropriate cyber hygiene controls are maintained across all assets in your organization, including medical device management.
   - I don’t know. Guidance: Threats and vulnerabilities should be documented and given impact and likelihood ratings. This will help determine severity and is the best way to safeguard and protect ePHI from potential threats and vulnerabilities. Corrective action plans should be developed as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data. IT asset management is critical to ensuring that the appropriate cyber hygiene controls are maintained across all assets in your organization, including medical device management.
   - Other. Guidance: Threats and vulnerabilities should be documented and given impact and likelihood ratings. This will help determine severity and is the best way to safeguard and protect ePHI from potential threats and vulnerabilities. Corrective action plans should be developed as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data. IT asset management is critical to ensuring that the appropriate cyber hygiene controls are maintained across all assets in your organization, including medical device management.
   - Flag this question for later. Guidance: This question will be marked as an area for review and will be included in the “Flagged Questions” report.
   Notes:
7. Do you respond to the threats and vulnerabilities identified in your SRA?
   Required? Required
   Reference: HIPAA §164.308(a)(1)(ii)(B); NIST CSF ID.RA, ID.RM, RS.MI; HICP TV1, Practice # 7
   - Yes, we respond. We also maintain supporting documentation of our response. Guidance: This is the most effective option. Threats and vulnerabilities should be documented within your SRA and given impact and likelihood ratings to determine severity. Safeguards protecting ePHI from these threats and vulnerabilities should be evaluated for effectiveness. Corrective action plans with plan of action milestones should be developed as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. Risks should be formally deemed “accepted” only when appropriate. Conduct routine patching of security flaws in servers, applications (including web applications), and third-party software. Maintain software at least monthly, implementing patches distributed by the vendor community, if patching is not automatic.
   - Yes, we respond, but we do not maintain documentation of our response. Guidance: Threats and vulnerabilities should be documented within your SRA and given impact and likelihood ratings to determine severity. Safeguards protecting ePHI from these threats and vulnerabilities should be evaluated for effectiveness. Corrective action plans with plan of action milestones should be developed as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. Risks should be formally deemed “accepted” only when appropriate. Conduct routine patching of security flaws in servers, applications (including web applications), and third-party software. Maintain software at least monthly, implementing patches distributed by the vendor community, if patching is not automatic.
   - No, we don’t have a process to respond to identified threats and vulnerabilities. Guidance: Threats and vulnerabilities should be documented within your SRA and given impact and likelihood ratings to determine severity. Safeguards protecting ePHI from these threats and vulnerabilities should be evaluated for effectiveness. Corrective action plans with plan of action milestones should be developed as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. Risks should be formally deemed “accepted” only when appropriate. Conduct routine patching of security flaws in servers, applications (including web applications), and third-party software. Maintain software at least monthly, implementing patches distributed by the vendor community, if patching is not automatic.
   - I don’t know. Guidance: Threats and vulnerabilities should be documented within your SRA and given impact and likelihood ratings to determine severity. Safeguards protecting ePHI from these threats and vulnerabilities should be evaluated for effectiveness. Corrective action plans with plan of action milestones should be developed as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. Risks should be formally deemed “accepted” only when appropriate. Conduct routine patching of security flaws in servers, applications (including web applications), and third-party software. Maintain software at least monthly, implementing patches distributed by the vendor community, if patching is not automatic.
   - Flag this question for later. Guidance: This question will be marked as an area for review and will be included in the “Flagged Questions” report.
   Notes:
8. Do you identify specific personnel to respond to and mitigate the threats and vulnerabilities found in your SRA?
   Required? Required
   Reference: HIPAA §164.308(a)(1)(ii)(B); NIST CSF ID.RA, ID.RM, RS.MI, ID.GV, PR.IP; HICP TV1, Practice # 7
   - Yes. Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Use internal or external experts to deploy security methodology.
   - No. Guidance: Consider identifying specific workforce members to respond to and mitigate all threats and vulnerabilities identified in your SRA. Use internal or external experts to deploy security methodology.
   - I don’t know. Guidance: Consider identifying specific workforce members to respond to and mitigate all threats and vulnerabilities identified in your SRA. Use internal or external experts to deploy security methodology.
   - Flag this question for later. Guidance: This question will be marked as an area for review and will be included in the “Flagged Questions” report.
   Notes:
9. Do you communicate SRA results to personnel involved in responding to threats or vulnerabilities?
   Required? Required
   Reference: HIPAA §164.308(a)(1)(ii)(B); NIST CSF ID.RA, ID.RM, RS.MI, PR.IP; HICP TV1, Practice # 10
   - Yes. Guidance: This is the most effective option. Communicate to workforce members who review and sign off after reading policies over a specified timeframe. The goal is to establish a standard practice for workforce members to review applicable policies and attest to the review, and for the organization to monitor compliance with this standard.
   - No. Guidance: You may not be able to implement effective safeguards to protect ePHI if you do not document and share the results of your SRA with the staff responsible for making risk management decisions, developing risk-related policies, and implementing risk mitigation safeguards for ePHI. Communicate to workforce members who review and sign off after reading policies over a specified timeframe. The goal is to establish a standard practice for workforce members to review applicable policies and attest to the review, and for the organization to monitor compliance with this standard.
   - I don’t know. Guidance: You may not be able to implement effective safeguards to protect ePHI if you do not document and share the results of your SRA with the staff responsible for making risk management decisions, developing risk-related policies, and implementing risk mitigation safeguards for ePHI. Communicate to workforce members who review and sign off after reading policies over a specified timeframe. The goal is to establish a standard practice for workforce members to review applicable policies and attest to the review, and for the organization to monitor compliance with this standard.
   - Flag this question for later. Guidance: This question will be marked as an area for review and will be included in the “Flagged Questions” report.
   Notes:
10. How do you communicate SRA results to personnel involved in responding to identified threats or vulnerabilities?
   Required? Required
   Reference: HIPAA §164.308(a)(1)(ii)(B); NIST CSF ID.RA, ID.RM, RS.MI; HICP N/A
   - Written and verbal communication as well as coordinated corrective action planning. Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Written results of the risk assessment should be communicated to the personnel responsible for responding to identified threats and vulnerabilities. The responsible persons should be involved in the creation of corrective action plans to mitigate threats and vulnerabilities for which they are responsible.
   - Written communication only. Guidance: Written results of your SRA should be communicated to the personnel responsible for responding to identified threats and vulnerabilities, but also consider involving those personnel in the creation of corrective action plans.
   - Verbal communication only. Guidance: Written results of the risk assessment should be communicated to workforce members who will be responsible for responding to identified threats and vulnerabilities after the completion of the risk assessment. The team members responsible for responding to identified threats and vulnerabilities should be involved in the creation of corrective action plans to mitigate threats and vulnerabilities for which they are responsible.
   - We do not communicate risk assessment results to workforce members. Guidance: Written results of the risk assessment should be communicated to workforce members who will be responsible for responding to identified threats and vulnerabilities after the completion of the risk assessment. The team members responsible for responding to identified threats and vulnerabilities should be involved in the creation of corrective action plans to mitigate threats and vulnerabilities for which they are responsible.
   - Flag this question for later. Guidance: This question will be marked as an area for review and will be included in the “Flagged Questions” report.
   Notes:

Threats & Vulnerabilities (columns: Likelihood | Impact | Risk Score; the rating cells are blank in this export and are filled in by the user, with the Risk Score computed by the workbook)
1. Inadequate risk awareness or failure to identify new weaknesses
   - Non-physical threat(s) such as data corruption or information disclosure, interruption of system function and business processes, and/or legislation or security breaches
   - Physical threats such as unauthorized facility access, hardware or equipment malfunction, collisions, trip/fire hazards, and/or hazardous materials (chemicals, magnets, etc.)
   - Natural threat(s) such as damage from dust/particulates, extreme temperatures, severe weather events, and/or destruction from animals/insects
   - Man-made threat(s) such as insider carelessness, theft/vandalism, terrorism/civil unrest, toxic emissions, or hackers/computer criminals
   - Infrastructure threat(s) such as building/road hazards, power/telephone outages, water leakage (pipes, roof, sprinkler activation), unstable building conditions
2. Failure to remediate known risk(s)
   - Information disclosure (ePHI, proprietary, intellectual, or confidential)
   - Penalties from contractual non-compliance with third-party vendors
   - Disruption of business processes, information system function, and/or prolonged adversarial presence within information systems
   - Data deletion or corruption of records
   - Prolonged exposure to hacker, computer criminal, malicious code, or careless insider
   - Corrective enforcement from regulatory agencies (e.g. HHS, OCR, FTC, CMS, State or Local jurisdictions)
   - Hardware/equipment malfunction
3. Failure to meet minimum regulatory requirements and security standards
   - Corrective enforcement from regulatory agencies (e.g. HHS, OCR, FTC, CMS, State or Local jurisdictions)
   - Damage to public reputation due to breach
   - Failure to attain incentives or optimize value-based reimbursement
   - Litigation from breach victims due to lack of reasonable and appropriate safeguards
4. Inadequate Asset Tracking
   - Information disclosure (ePHI, proprietary, intellectual, or confidential)
   - Disruption of business processes, information system function, and/or prolonged adversarial presence within information systems
   - Unauthorized use of assets or changes to data within information systems
   - Unauthorized installation of software or applications
   - Loss, theft, or disruption of assets
   - Improper operation/configuration of assets
5. Unspecified workforce security responsibilities
   - Non-remediated weaknesses
   - Prolonged duration of addressing non-remediated weaknesses
   - Insider carelessness exposing ePHI or causing disruption to information systems and business processes
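The workbook instructions say that Low/Medium/High likelihood and impact ratings "automatically combine to form a Risk Score", and the Section 1 guidance (questions 6 and 7) says corrective action plans should be prioritised by which threats and vulnerabilities are most severe. The following is an added example, not code from the SRA Tool or HealthIT.gov, showing one way to reproduce that logic outside the spreadsheet so a register can be scored and triaged without disturbing the workbook's formulas. The page does not publish the combination table, so RISK_MATRIX is an assumed 3x3 mapping; the RegisterRow type, the function names and the sample ratings are this example's own.

```python
"""Likelihood x Impact risk scoring for an SRA-style threat/vulnerability register.

Added example; not part of the HealthIT.gov SRA Tool. The workbook says only
that Low/Medium/High ratings "automatically combine to form a Risk Score" and
does not publish the table, so RISK_MATRIX is an ASSUMED mapping.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LEVELS = ("Low", "Medium", "High")          # the workbook's dropdown values
RANK = {"Low": 1, "Medium": 2, "High": 3}   # ordering used for prioritisation

# ASSUMED combination matrix: RISK_MATRIX[likelihood][impact] -> Risk Score.
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}


@dataclass
class RegisterRow:
    """One Threats & Vulnerabilities row: the numbered vulnerability, the
    threat listed under it, and the two ratings. None models a cleared cell."""
    vulnerability: str
    threat: str
    likelihood: Optional[str] = None
    impact: Optional[str] = None


def risk_score(likelihood: Optional[str], impact: Optional[str]) -> Optional[str]:
    """Combine the two ratings the way the workbook's Risk Score column does.

    Returns None when either rating is blank (a cleared dropdown) so a
    partially rated row is reported rather than silently scored, and rejects
    values outside the dropdown list instead of guessing.
    """
    if likelihood is None or impact is None:
        return None
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}: {likelihood!r}, {impact!r}")
    return RISK_MATRIX[likelihood][impact]


def score_register(rows: List[RegisterRow]) -> Tuple[List[Tuple[str, RegisterRow]], List[RegisterRow]]:
    """Score every row. Returns (scored, unrated): scored rows ordered highest
    risk first (the sort is stable, so register order is kept within a level),
    and the rows still missing a likelihood or impact rating."""
    scored, unrated = [], []
    for row in rows:
        score = risk_score(row.likelihood, row.impact)
        if score is None:
            unrated.append(row)
        else:
            scored.append((score, row))
    scored.sort(key=lambda item: RANK[item[0]], reverse=True)
    return scored, unrated


def corrective_action_candidates(rows: List[RegisterRow], minimum: str = "Medium") -> List[Tuple[str, RegisterRow]]:
    """Rows scoring at or above `minimum`: the ones the Section 1 guidance
    says should get a corrective action plan first."""
    scored, _ = score_register(rows)
    return [(score, row) for score, row in scored if RANK[score] >= RANK[minimum]]


# Constructed sample register using threat/vulnerability text from Section 1;
# the ratings are made up for this example.
SAMPLE_REGISTER = [
    RegisterRow("Failure to remediate known risk(s)",
                "Information disclosure (ePHI, proprietary, intellectual, or confidential)",
                "Medium", "High"),
    RegisterRow("Inadequate Asset Tracking",
                "Loss, theft, or disruption of assets", "High", "Medium"),
    RegisterRow("Unspecified workforce security responsibilities",
                "Non-remediated weaknesses", "Low", "Medium"),
    RegisterRow("Failure to meet minimum regulatory requirements and security standards",
                "Damage to public reputation due to breach", None, "High"),
]

if __name__ == "__main__":
    scored, unrated = score_register(SAMPLE_REGISTER)
    for score, row in scored:
        print(f"{score:6}  {row.vulnerability} / {row.threat}")
    for row in unrated:
        print(f"UNRATED  {row.vulnerability} / {row.threat}  (fill in Likelihood and Impact)")
```

Keeping unrated rows separate rather than scoring them as "Low" matters in practice: a cleared cell in the workbook means nobody has assessed that threat yet, which is a gap in the assessment, not a low risk. Swap RISK_MATRIX for whatever mapping your organisation's risk management policy actually documents.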


Sheet 3: Section 2

Section 2 – Security Policies
Columns: Question # | Question Text | Response Indicator | Question Responses | Guidance | Risk Indicated | Required? | Reference
(The Response Indicator and Risk Indicated columns are the dropdown/check cells described in the instructions and are blank in this export.)
Section Questions
1. Do you maintain documentation of policies and procedures regarding risk assessment, risk management and information security activities?
   Required? Required
   Reference: HIPAA §164.316(a); NIST CSF ID.GV, ID.RA, PR.IP; HICP TV1, Practice # 10
   - Yes, we have a process by which management develops, implements, reviews, and updates security policies and procedures. Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Establishing and implementing cybersecurity policies, procedures, and processes is one of the most effective means of preventing cyberattacks.
   - Yes, we have some documentation for our information security and risk management activities, but not all of our policies and procedures are documented. Guidance: You should document policies and procedures to ensure you consistently make informed decisions on the effective monitoring, identification, and mitigation of risks to ePHI. Establishing and implementing cybersecurity policies, procedures, and processes is one of the most effective means of preventing cyberattacks.
   - No, we do not maintain documentation on our information security activities or risk management. Guidance: You should document policies and procedures to ensure you consistently make informed decisions on the effective monitoring, identification, and mitigation of risks to ePHI. Establishing and implementing cybersecurity policies, procedures, and processes is one of the most effective means of preventing cyberattacks.
   - Flag this question for later. Guidance: This question will be marked as an area for review and will be included in the “Flagged Questions” report.
   Notes:
2 Do you review and update your security documentation, including policies and procedures?            
      Yes, we review and update our security documentation periodically and as necessary. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Review an appropriate number of policies over a specified timeframe. The goal is to establish a standard practice to review policies and to monitor compliance with this standard.   Required HIPAA: §164.316(b)(2)(iii)
NIST CSF: ID.GV, ID.RA, PR.IP, RS.IM, RC.IM
HICP: TV1, Practice # 10
      Yes, we review and update our documentation periodically or as needed, but not both. You should implement a process to periodically review and update your security policies and procedures. This will help you safeguard your facilities, information systems, and ePHI. Review an appropriate number of policies over a specified timeframe. The goal is to establish a standard practice to review policies and to monitor compliance with this standard.   Required HIPAA: §164.316(b)(2)(iii)
NIST CSF: ID.GV, ID.RA, PR.IP, RS.IM, RC.IM
HICP: TV1, Practice # 10
      Yes, we review our security documentation but we have not updated our documentation. You should implement a process to periodically review and update your security policies and procedures. This will help you safeguard your facilities, information systems, and ePHI. Review an appropriate number of policies over a specified timeframe. The goal is to establish a standard practice to review policies and to monitor compliance with this standard.   Required HIPAA: §164.316(b)(2)(iii)
NIST CSF: ID.GV, ID.RA, PR.IP, RS.IM, RC.IM
HICP: TV1, Practice # 10
      No, we have never updated our documentation. You should implement a process to periodically review and update your security policies and procedures. This will help you safeguard your facilities, information systems, and ePHI. Review an appropriate number of policies over a specified timeframe. The goal is to establish a standard practice to review policies and to monitor compliance with this standard.   Required HIPAA: §164.316(b)(2)(iii)
NIST CSF: ID.GV, ID.RA, PR.IP, RS.IM, RC.IM
HICP: TV1, Practice # 10
      I don’t know. You should implement a process to periodically review and update your security policies and procedures. This will help you safeguard your facilities, information systems, and ePHI. Review an appropriate number of policies over a specified timeframe. The goal is to establish a standard practice to review policies and to monitor compliance with this standard.   Required HIPAA: §164.316(b)(2)(iii)
NIST CSF: ID.GV, ID.RA, PR.IP, RS.IM, RC.IM
HICP: TV1, Practice # 10
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.316(b)(2)(iii)
NIST CSF: ID.GV, ID.RA, PR.IP, RS.IM, RC.IM
HICP: TV1, Practice # 10
  Notes            
3 How do you update your security program documentation, including policies and procedures?            
      We have a periodic review of information security policies that formally evaluates their effectiveness. Policies and procedures are updated as needed. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.   Required HIPAA: §164.316(b)(2)(iii)
NIST CSF: ID.GV, ID.RA, PR.IP, RC.IM, RS.IM
HICP: TV1, Practice # 10
      We update policies and procedures ad hoc, for example when an immediate need prompts the change. You should conduct periodic reviews of information security policies and update them as needed. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.   Required HIPAA: §164.316(b)(2)(iii)
NIST CSF: ID.GV, ID.RA, PR.IP, RC.IM, RS.IM
HICP: TV1, Practice # 10
      We do not have a process for updating our security documentation. You should conduct periodic reviews of information security policies and update them as needed. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.   Required HIPAA: §164.316(b)(2)(iii)
NIST CSF: ID.GV, ID.RA, PR.IP, RC.IM, RS.IM
HICP: TV1, Practice # 10
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.316(b)(2)(iii)
NIST CSF: ID.GV, ID.RA, PR.IP, RC.IM, RS.IM
HICP: TV1, Practice # 10
  Notes            
4 Is the security officer involved in all security policy and procedure updates?            
      Yes. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.   Required HIPAA: §164.316(b)(2)(iii)
NIST CSF: ID.GV, ID.RA, PR.IP, RC.IM, RS.IM
HICP: TV1, Practice # 10
      No. You should have a designated security officer and any/all policy or procedure updates should be reported to the security officer. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.   Required HIPAA: §164.316(b)(2)(iii)
NIST CSF: ID.GV, ID.RA, PR.IP, RC.IM, RS.IM
HICP: TV1, Practice # 10
      I don’t know. You should have a designated security officer and any/all policy or procedure updates should be reported to the security officer. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.   Required HIPAA: §164.316(b)(2)(iii)
NIST CSF: ID.GV, ID.RA, PR.IP, RC.IM, RS.IM
HICP: TV1, Practice # 10
      Other. You should have a designated security officer and any/all policy or procedure updates should be reported to the security officer. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.   Required HIPAA: §164.316(b)(2)(iii)
NIST CSF: ID.GV, ID.RA, PR.IP, RC.IM, RS.IM
HICP: TV1, Practice # 10
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.316(b)(2)(iii)
NIST CSF: ID.GV, ID.RA, PR.IP, RC.IM, RS.IM
HICP: TV1, Practice # 10
  Notes            
5 How does documentation for your risk management and security procedures compare to your actual business practices?            
      Our risk management and security documentation completely and accurately reflects our actual business practices. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.   Required HIPAA: §164.316(b)(1)(i) & (ii)
NIST CSF: ID.BE, ID.RM, PR.IP
HICP: TV1, Practice # 10
      Our risk management and security documentation somewhat accurately reflects our business practices. Risk management and security documentation should accurately reflect business practices. Ensure that your security documentation represents your actual security practices. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.   Required HIPAA: §164.316(b)(1)(i) & (ii)
NIST CSF: ID.BE, ID.RM, PR.IP
HICP: TV1, Practice # 10
      Our risk management and security documentation does not accurately reflect our business practices. Risk management and security documentation should accurately reflect business practices. Ensure that your security documentation represents your actual security practices. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.   Required HIPAA: §164.316(b)(1)(i) & (ii)
NIST CSF: ID.BE, ID.RM, PR.IP
HICP: TV1, Practice # 10
      I don’t know. Consider reviewing how your risk management documentation and security procedures compare to your business practices. Risk management and security documentation should accurately reflect business practices. Ensure that your security documentation represents your actual security practices. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.   Required HIPAA: §164.316(b)(1)(i) & (ii)
NIST CSF: ID.BE, ID.RM, PR.IP
HICP: TV1, Practice # 10
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.316(b)(1)(i) & (ii)
NIST CSF: ID.BE, ID.RM, PR.IP
HICP: TV1, Practice # 10
  Notes            
6 How long are information security management and risk management documents kept?            
      We maintain documents for at least six (6) years from the date of their creation or when they were last in effect, whichever is longer. These documents are maintained and backed up. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. The federal requirement is six (6) years retention of documentation, but your state or jurisdiction may have additional requirements.   Required HIPAA: §164.316(b)(2)(i)
NIST CSF: ID.BE, ID.RM, PR.IP
HICP: N/A
      We maintain documents for at least six (6) years from the date of their creation or when they were last in effect, whichever is longer. These documents are not backed up. The federal requirement is six (6) years retention of documentation, but your state or jurisdiction may have additional requirements. Investigate the requirements for your state. Consider backing up information security and risk management documents.   Required HIPAA: §164.316(b)(2)(i)
NIST CSF: ID.BE, ID.RM, PR.IP
HICP: N/A
      We do not have a set amount of time to keep our documentation. Ensure your policies, procedures, and other security program documentation are retained for at least six (6) years from the date when it was created or last in effect, whichever is longer. Your state or jurisdiction may have additional requirements. Consider backing up these documents.   Required HIPAA: §164.316(b)(2)(i)
NIST CSF: ID.BE, ID.RM, PR.IP
HICP: N/A
      We do not maintain documents regarding security and risk management. Ensure your policies, procedures, and other security program documentation are retained for at least six (6) years from the date when it was created or last in effect, whichever is longer. Your state or jurisdiction may have additional requirements. Consider backing up these documents.   Required HIPAA: §164.316(b)(2)(i)
NIST CSF: ID.BE, ID.RM, PR.IP
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.316(b)(2)(i)
NIST CSF: ID.BE, ID.RM, PR.IP
HICP: N/A
  Notes            
7 Do you make sure that information security and risk management documentation is available to those who need it?            
      Yes. Documentation is made available to appropriate workforce members in physical and/or electronic formats (for example, our practice’s shared drive or intranet). This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.   Required HIPAA: §164.316(b)(2)(ii)
NIST CSF: ID.BE, ID.RM, PR.IP
HICP: TV1, Practice # 10
      Documentation is reviewed with appropriate workforce members upon initial orientation to the practice, but is not reviewed on a periodic basis or available in physical and/or electronic format unless requested. Documentation should be available to workforce members who need it to perform the security responsibilities associated with their role and reviewed on a periodic basis. Consider making the documentation available in writing, on a local shared drive, or other accessible place. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.   Required HIPAA: §164.316(b)(2)(ii)
NIST CSF: ID.BE, ID.RM, PR.IP
HICP: TV1, Practice # 10
      No. We do not have a process to ensure documentation is available to appropriate workforce members who need it. Documentation should be available to workforce members who need it to perform the security responsibilities associated with their role and reviewed on a periodic basis. Consider making the documentation available in writing, on a local shared drive, or other accessible place. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.   Required HIPAA: §164.316(b)(2)(ii)
NIST CSF: ID.BE, ID.RM, PR.IP
HICP: TV1, Practice # 10
      I don’t know. Documentation should be available to workforce members who need it to perform the security responsibilities associated with their role and reviewed on a periodic basis. Consider making the documentation available in writing, on a local shared drive, or other accessible place. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.   Required HIPAA: §164.316(b)(2)(ii)
NIST CSF: ID.BE, ID.RM, PR.IP
HICP: TV1, Practice # 10
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.316(b)(2)(ii)
NIST CSF: ID.BE, ID.RM, PR.IP
HICP: TV1, Practice # 10
  Notes            
8 How do you ensure that security and risk management documentation is available to those who need it?            
      Appropriate workforce members receive instruction on our information security documentation and where to find it as part of their periodic privacy and security training. Documentation is securely made available to workforce members in physical or electronic formats. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Policies are established first and are then supplemented with procedures that enable the policies to be implemented. Policies describe what is expected, and procedures describe how the expectations are met.   Required HIPAA: §164.316(b)(2)(ii)
NIST CSF: ID.BE, ID.RM, PR.IP, ID.RA
HICP: TV1, Practice # 10
      Documentation is reviewed with appropriate workforce members upon initial orientation to the practice. Documentation is securely made available to appropriate workforce members in physical or electronic formats and they are verbally instructed as to where it is. Review your information security documentation with your appropriate workforce members upon hire and on an ongoing, periodic basis. Make sure workforce members know where to find the documentation for ongoing review. Policies are established first and are then supplemented with procedures that enable the policies to be implemented. Policies describe what is expected, and procedures describe how the expectations are met.   Required HIPAA: §164.316(b)(2)(ii)
NIST CSF: ID.BE, ID.RM, PR.IP, ID.RA
HICP: TV1, Practice # 10
      Documentation is securely made available to appropriate workforce members in physical or electronic formats and they are verbally instructed as to where it is. Review your information security documentation with your appropriate workforce members upon hire and on an ongoing, periodic basis. Make sure workforce members know where to find the documentation for ongoing review. Policies are established first and are then supplemented with procedures that enable the policies to be implemented. Policies describe what is expected, and procedures describe how the expectations are met.   Required HIPAA: §164.316(b)(2)(ii)
NIST CSF: ID.BE, ID.RM, PR.IP, ID.RA
HICP: TV1, Practice # 10
      Other. Review your information security documentation with your appropriate workforce members upon hire and on an ongoing, periodic basis. Make sure workforce members know where to find the documentation for ongoing review. Policies are established first and are then supplemented with procedures that enable the policies to be implemented. Policies describe what is expected, and procedures describe how the expectations are met.   Required HIPAA: §164.316(b)(2)(ii)
NIST CSF: ID.BE, ID.RM, PR.IP, ID.RA
HICP: TV1, Practice # 10
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.316(b)(2)(ii)
NIST CSF: ID.BE, ID.RM, PR.IP, ID.RA
HICP: TV1, Practice # 10
  Notes            
               
Threats & Vulnerabilities         Likelihood Impact Risk Score
1 Failure to update Policies & Procedures            
      Fines/penalties from mandated regulatory requirements        
      Unstructured guidance for daily tasks and duties within workforce        
2 Failure to share security procedure information with appropriate parties            
      Unauthorized access to ePHI or sensitive information permitted        
      Disruption of information system function        
      ePHI exfiltrated to unauthorized entities        
      Insider carelessness causing disruption        
      Insider carelessness exposing ePHI        
3 Inconsistent/unclear risk management documentation            
      Unclear security coordination across workforce        
      Unstructured guidance for daily tasks and duties        
4 No risk management documentation (or low retention of documentation)            
      Fines/penalties from regulatory enforcement        
      Inability of workforce to perform proper security & privacy related tasks or access procedural documents        
      Unstructured workforce coordination of risk management procedures        


Sheet 4: Section 3

Section 3 – Security & Workforce
Question # Question Text Response Indicator Question Responses Guidance Risk Indicated Required? Reference
Section Questions              
1 Who within your practice is responsible for developing and implementing information security policies and procedures?            
      The security officer is a member of the workforce identified by name in policy documents. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO, PR.IP, ID.AM
HICP: TV1, Practice # 10
      The role of security officer is described in our policy documentation, but the person who occupies that role is not named. You should have a qualified and capable person appointed to the responsibility of security officer. Having a central point of contact helps ensure that information security practices are coordinated, consistent, and that the organization can be held accountable. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO, PR.IP, ID.AM
HICP: TV1, Practice # 10
      A member of our workforce. You should have a qualified and capable person appointed to the responsibility of security officer. Having a central point of contact helps ensure that information security practices are coordinated, consistent, and that the organization can be held accountable. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO, PR.IP, ID.AM
HICP: TV1, Practice # 10
      The security officer is not formally named or otherwise identified in policy. You should have a qualified and capable person appointed to the responsibility of security officer. Having a central point of contact helps ensure that information security practices are coordinated, consistent, and that the organization can be held accountable. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO, PR.IP, ID.AM
HICP: TV1, Practice # 10
      Other. You should have a qualified and capable person appointed to the responsibility of security officer. Having a central point of contact helps ensure that information security practices are coordinated, consistent, and that the organization can be held accountable. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO, PR.IP, ID.AM
HICP: TV1, Practice # 10
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO, PR.IP, ID.AM
HICP: TV1, Practice # 10
  Notes            
2 Do you identify and document the role and responsibilities of the security officer?            
      Yes. The security officer is identified by role and this is documented in our practice’s information security policies, which describe the role’s responsibilities. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO, PR.IP
HICP: TV1, Practice # 10
      Yes. Our practice has a security officer, but there is no formal documentation of the position or the responsibilities. You should document who is responsible for coordinating information security activities. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO, PR.IP
HICP: TV1, Practice # 10
      No. We have not identified the role of the security officer. You should document who is responsible for coordinating information security activities. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO, PR.IP
HICP: TV1, Practice # 10
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO, PR.IP
HICP: TV1, Practice # 10
  Notes            
3 Is your security officer qualified for the position?            
      Yes. The security officer is an assigned member of the workforce familiar with security and has the ability to design, implement, and enforce security policies and procedures. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO
HICP: N/A
      No. The security officer does not have the ability to design, implement, and enforce security policies and procedures. Assign responsibility of the security officer to a member of the workforce with the ability to ensure security policies are effective and followed consistently.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO
HICP: N/A
      I don’t know. We have not considered what qualifications would be appropriate for the security officer. Assign responsibility of the security officer to a member of the workforce with the ability to ensure security policies are effective and followed consistently.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO
HICP: N/A
  Notes            
4 Do workforce members know who the security officer is?            
      Yes. Workforce members are aware of who our security officer is. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO
HICP: N/A
      No. Not all workforce members know who our security officer is. If your workforce members do not know the name and contact information of the security officer, they may not be able to raise security concerns or execute mitigating actions when there are security problems.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO
HICP: N/A
      I don’t know. If your workforce members do not know the name and contact information of the security officer, they may not be able to raise security concerns or execute mitigating actions when there are security problems.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO
HICP: N/A
  Notes            
5 Do workforce members know how and when to contact the security officer?            
      Workforce members are made aware of the identity of the security officer and reasons for contacting the security officer as part of their orientation to the practice (upon hire) as well as periodic reminders of our internal policies and procedures (e.g. periodic review). This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO
HICP: N/A
      Information about who the security officer is and when they should be contacted is verbally communicated to workforce members, but this is not a formal process. If your workforce members do not know the contact information and availability of the security officer, they may not be able to execute immediate and appropriate mitigating actions when there are security problems.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO
HICP: N/A
      We do not have a process to inform workforce members about the identity of the security officer or when the security officer needs to be contacted. If your workforce members do not know the contact information and availability of the security officer, they may not be able to execute immediate and appropriate mitigating actions when there are security problems.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(2)
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO
HICP: N/A
  Notes            
6 Who do people contact for security considerations if there is NO security officer?            
      The practice manager. In order to meet the standard, you should identify a member of your workforce to serve as the security official, who will be responsible for the development and implementation of security policies and procedures.   N/A HIPAA: N/A
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO
HICP: N/A
      Information Technology (IT) Manager. In order to meet the standard, you should identify a member of your workforce to serve as the security official, who will be responsible for the development and implementation of security policies and procedures. If you do not have a designated security officer, your workforce may not be able to execute immediate and appropriate mitigating actions when there are security problems.   N/A HIPAA: N/A
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO
HICP: N/A
      Lead physician in the practice. In order to meet the standard, you should identify a member of your workforce to serve as the security official, who will be responsible for the development and implementation of security policies and procedures. If you do not have a designated security officer, your workforce may not be able to execute immediate and appropriate mitigating actions when there are security problems.   N/A HIPAA: N/A
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO
HICP: N/A
      Lead nurse in the practice. In order to meet the standard, you should identify a member of your workforce to serve as the security official, who will be responsible for the development and implementation of security policies and procedures. If you do not have a designated security officer, your workforce may not be able to execute immediate and appropriate mitigating actions when there are security problems.   N/A HIPAA: N/A
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO
HICP: N/A
      Lead consultant for the practice. In order to meet the standard, you should identify a member of your workforce to serve as the security official, who will be responsible for the development and implementation of security policies and procedures. If you do not have a designated security officer, your workforce may not be able to execute immediate and appropriate mitigating actions when there are security problems.   N/A HIPAA: N/A
NIST CSF: PR.AT, DE.DP, ID.IGV RS.CO
HICP: N/A
      Administrative support for the practice. In order to meet the standard, you should identify a member of your workforce to serve as the security official and who will be responsible for the development and implementation of security policies and procedures. If you do not have a designated security officer, your workforce may not be able to execute immediate and appropriate mitigating actions when there are security problems.   N/A HIPAA: N/A
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO
HICP: N/A
      Other. In order to meet the standard, you should identify a member of your workforce to serve as the security official and who will be responsible for the development and implementation of security policies and procedures. If you do not have a designated security officer, your workforce may not be able to execute immediate and appropriate mitigating actions when there are security problems.   N/A HIPAA: N/A
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   N/A HIPAA: N/A
NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO
HICP: N/A
  Notes            
7 How are roles and job duties defined as pertained to accessing ePHI?            
      We have written job descriptions, roles, and required qualifications documented for all workforce members with access to ePHI. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Health care organizations of all sizes need to clearly identify all users and maintain audit trails that monitor each user’s access to data, applications, systems, and endpoints.   Required HIPAA: §164.308(a)(3)(ii)(A)
NIST CSF: ID.AM, PR.MA, DE.CM, DE.DP, PR.IP
HICP: TV1, Practice # 3
      We have written job titles, but no written roles or responsibilities for workforce members with access to ePHI. Consider implementing procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed. If such procedures are determined to not be reasonable and appropriate, document the reason why and what is being done to compensate for this lack of procedures. Health care organizations of all sizes need to clearly identify all users and maintain audit trails that monitor each user’s access to data, applications, systems, and endpoints.   Required HIPAA: §164.308(a)(3)(ii)(A)
NIST CSF: ID.AM, PR.MA, DE.CM, DE.DP, PR.IP
HICP: TV1, Practice # 3
      We do not have written job roles or responsibilities for workforce members with access to ePHI. Consider implementing procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed. If such procedures are determined to not be reasonable and appropriate, document the reason why and what is being done to compensate for this lack of procedures. Health care organizations of all sizes need to clearly identify all users and maintain audit trails that monitor each user’s access to data, applications, systems, and endpoints.   Required HIPAA: §164.308(a)(3)(ii)(A)
NIST CSF: ID.AM, PR.MA, DE.CM, DE.DP, PR.IP
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(3)(ii)(A)
NIST CSF: ID.AM, PR.MA, DE.CM, DE.DP, PR.IP
HICP: TV1, Practice # 3
  Notes            
8 Do you screen your workforce members to verify trustworthiness?            
      Yes. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Addressable HIPAA: §164.308(a)(3)(ii)(B)
NIST CSF: DE.DP, PR.AC, PR.IP
HICP: N/A
      No. Unqualified or untrustworthy users could access your ePHI if policies and procedures do not require screening workforce members prior to enabling access to facilities, information systems, and ePHI.   Addressable HIPAA: §164.308(a)(3)(ii)(B)
NIST CSF: DE.DP, PR.AC, PR.IP
HICP: N/A
      I don’t know. Unqualified or untrustworthy users could access your ePHI if policies and procedures do not require screening workforce members prior to enabling access to facilities, information systems, and ePHI.   Addressable HIPAA: §164.308(a)(3)(ii)(B)
NIST CSF: DE.DP, PR.AC, PR.IP
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.308(a)(3)(ii)(B)
NIST CSF: DE.DP, PR.AC, PR.IP
HICP: N/A
  Notes            
9 How are your workforce members screened to verify trustworthiness?            
      Professional references are collected and verified. Criminal background checks are performed in addition to verifying licenses, credentials, and certifications. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Addressable HIPAA: §164.308(a)(3)(ii)(B)
NIST CSF: DE.DP, PR.AC, PR.IP
HICP: N/A
      Professional references are collected and verified along with licenses, credentials, and certifications. We do not perform criminal background checks. Consider which methods of personnel screening are reasonable and appropriate for your organization in order to verify the trustworthiness of workforce members who will access ePHI.   Addressable HIPAA: §164.308(a)(3)(ii)(B)
NIST CSF: DE.DP, PR.AC, PR.IP
HICP: N/A
      We only collect professional references. Consider which methods of personnel screening are reasonable and appropriate for your organization in order to verify the trustworthiness of workforce members who will access ePHI.   Addressable HIPAA: §164.308(a)(3)(ii)(B)
NIST CSF: DE.DP, PR.AC, PR.IP
HICP: N/A
      We hire through external sources (local school externship or temp agency), and assume their vetting process is sufficient. Consider which methods of personnel screening are reasonable and appropriate for your organization in order to verify the trustworthiness of workforce members who will access ePHI.   Addressable HIPAA: §164.308(a)(3)(ii)(B)
NIST CSF: DE.DP, PR.AC, PR.IP
HICP: N/A
      Other. Consider which methods of personnel screening are reasonable and appropriate for your organization in order to verify the trustworthiness of workforce members who will access ePHI.   Addressable HIPAA: §164.308(a)(3)(ii)(B)
NIST CSF: DE.DP, PR.AC, PR.IP
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.308(a)(3)(ii)(B)
NIST CSF: DE.DP, PR.AC, PR.IP
HICP: N/A
  Notes            
10 Do you ensure that all workforce members (including management) are given security training?            
      Yes, we ensure all workforce members complete security training on a periodic basis. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Establish and maintain a training program for your workforce that includes a section on phishing attacks. All users in your organization should be able to recognize phishing techniques. Train your workforce to comply with organizational procedures and ONC guidance when transmitting PHI through e-mail. Train staff never to back up data on uncontrolled storage devices or personal cloud services. Train and regularly remind users that they must never share their passwords.   Required HIPAA: §164.308(a)(5)(i)
NIST CSF: PR.AT, ID.RM, PR.IP
HICP: TV1, Practice # 1, 4
      Yes, we ensure all workforce members complete security training, but this is not done periodically. Provide periodic security trainings to all workforce members. The standard states that periodic security trainings be completed and documented for all workforce members, and the documentation is reviewed by your practice’s security officer. Establish and maintain a training program for your workforce that includes a section on phishing attacks. All users in your organization should be able to recognize phishing techniques. Train your workforce to comply with organizational procedures and ONC guidance when transmitting PHI through e-mail. Train staff never to back up data on uncontrolled storage devices or personal cloud services. Train and regularly remind users that they must never share their passwords.   Required HIPAA: §164.308(a)(5)(i)
NIST CSF: PR.AT, ID.RM, PR.IP
HICP: TV1, Practice # 1, 4
      No, we do not ensure that all workforce members have completed security training or that security training is completed on a periodic basis. Provide periodic security trainings to all workforce members. The standard states that periodic security trainings be completed and documented for all workforce members, and the documentation is reviewed by your practice’s security officer. Establish and maintain a training program for your workforce that includes a section on phishing attacks. All users in your organization should be able to recognize phishing techniques. Train your workforce to comply with organizational procedures and ONC guidance when transmitting PHI through e-mail. Train staff never to back up data on uncontrolled storage devices or personal cloud services. Train and regularly remind users that they must never share their passwords.   Required HIPAA: §164.308(a)(5)(i)
NIST CSF: PR.AT, ID.RM, PR.IP
HICP: TV1, Practice # 1, 4
      I don’t know. Provide periodic security trainings to all workforce members. The standard states that periodic security trainings be completed and documented for all workforce members, and the documentation is reviewed by your practice’s security officer. Establish and maintain a training program for your workforce that includes a section on phishing attacks. All users in your organization should be able to recognize phishing techniques. Train your workforce to comply with organizational procedures and ONC guidance when transmitting PHI through e-mail. Train staff never to back up data on uncontrolled storage devices or personal cloud services. Train and regularly remind users that they must never share their passwords.   Required HIPAA: §164.308(a)(5)(i)
NIST CSF: PR.AT, ID.RM, PR.IP
HICP: TV1, Practice # 1, 4
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(5)(i)
NIST CSF: PR.AT, ID.RM, PR.IP
HICP: TV1, Practice # 1, 4
  Notes            
11 How do you ensure that all workforce members are given security training?            
      We keep a list of workforce members who have completed security training. Trainings are provided upon hire and periodically thereafter. The list is reviewed and verified by the security officer. This is an effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Train personnel to comply with organizational policies. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions. Provide staff with training on and awareness of phishing e-mails. Describe the mechanisms by which the workforce will be trained on cybersecurity practices, threats, and mitigations.   Required HIPAA: §164.308(a)(5)(i)
NIST CSF: PR.AT, PR.IP
HICP: TV1, Practice # 1, 4, 10
      Our security training is provided by a vendor who keeps record of the trainings completed. The records are reviewed and verified by the security officer. This is an effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Train personnel to comply with organizational policies. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions. Provide staff with training on and awareness of phishing e-mails. Describe the mechanisms by which the workforce will be trained on cybersecurity practices, threats, and mitigations.   Required HIPAA: §164.308(a)(5)(i)
NIST CSF: PR.AT, PR.IP
HICP: TV1, Practice # 1, 4, 10
      Documentation of security training is maintained in the workforce members’ personnel file, but a single comprehensive record is not kept. Provide training periodically and maintain a comprehensive record of all personnel who have completed training. Have the security officer review the list. Train personnel to comply with organizational policies. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions. Provide staff with training on and awareness of phishing e-mails. Describe the mechanisms by which the workforce will be trained on cybersecurity practices, threats, and mitigations.   Required HIPAA: §164.308(a)(5)(i)
NIST CSF: PR.AT, PR.IP
HICP: TV1, Practice # 1, 4, 10
      We do not maintain records of privacy and security training for our workforce members. Provide training periodically and maintain a comprehensive record of all personnel who have completed training. Have the security officer review the list. Train personnel to comply with organizational policies. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions. Provide staff with training on and awareness of phishing e-mails. Describe the mechanisms by which the workforce will be trained on cybersecurity practices, threats, and mitigations.   Required HIPAA: §164.308(a)(5)(i)
NIST CSF: PR.AT, PR.IP
HICP: TV1, Practice # 1, 4, 10
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(5)(i)
NIST CSF: PR.AT, PR.IP
HICP: TV1, Practice # 1, 4, 10
  Notes            
12 How long are records of workforce member security training kept?            
      Records documenting the completion of required security trainings are kept for all workforce members (including management) and retained for at least six (6) years after completion of the training. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(a)(5)(i)
NIST CSF: PR.AT, PR.IP
HICP: N/A
      Records documenting the completion of required security trainings are kept for all workforce members. Records are only retained for less than six (6) years. Records documenting the completion of security trainings for all workforce members (including management) should be kept for a minimum of six (6) years. Your state or jurisdiction may have additional requirements beyond six (6) year retention.   Required HIPAA: §164.308(a)(5)(i)
NIST CSF: PR.AT, PR.IP
HICP: N/A
      Records documenting the completion of required security training are kept for all workforce members. Records are only kept for the year in which training was completed. Records documenting the completion of security trainings for all workforce members (including management) should be kept for a minimum of six (6) years. Your state or jurisdiction may have additional requirements beyond six (6) year retention.   Required HIPAA: §164.308(a)(5)(i)
NIST CSF: PR.AT, PR.IP
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(5)(i)
NIST CSF: PR.AT, PR.IP
HICP: N/A
  Notes            
13 Are procedures in place for monitoring log-in attempts and reporting discrepancies?            
      Yes, these procedures include workforce members’ roles and responsibilities, the log-in monitoring procedure, how to identify a log-in discrepancy, and how to respond to an identified discrepancy. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Implement access management procedures to track and monitor user access to computers and programs.   Addressable HIPAA: §164.308(a)(5)(ii)(C)
NIST CSF: DE.AE, DE.CM, RS.CO, PR.AT, PR.PT
HICP: TV1, Practice # 3
      Yes, we have procedures, but these do not include all of the elements listed above. Consider revising your procedures to include roles and responsibilities, how to identify a log-in discrepancy, and how to respond to an identified discrepancy. If doing so is determined to not be reasonable and appropriate, document the reason why and what compensating control takes its place. Implement access management procedures to track and monitor user access to computers and programs.   Addressable HIPAA: §164.308(a)(5)(ii)(C)
NIST CSF: DE.AE, DE.CM, RS.CO, PR.AT, PR.PT
HICP: TV1, Practice # 3
      Log-in monitoring tools are available but we do not actively utilize them. Consider revising your procedures to include roles and responsibilities, how to identify a log-in discrepancy, and how to respond to an identified discrepancy. If doing so is determined to not be reasonable and appropriate, document the reason why and what compensating control takes its place. Implement access management procedures to track and monitor user access to computers and programs.   Addressable HIPAA: §164.308(a)(5)(ii)(C)
NIST CSF: DE.AE, DE.CM, RS.CO, PR.AT, PR.PT
HICP: TV1, Practice # 3
      No, our privacy and security procedures do not include log-in monitoring. Consider revising your procedures to include roles and responsibilities, how to identify a log-in discrepancy, and how to respond to an identified discrepancy. If doing so is determined to not be reasonable and appropriate, document the reason why and what compensating control takes its place. Implement access management procedures to track and monitor user access to computers and programs.   Addressable HIPAA: §164.308(a)(5)(ii)(C)
NIST CSF: DE.AE, DE.CM, RS.CO, PR.AT, PR.PT
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.308(a)(5)(ii)(C)
NIST CSF: DE.AE, DE.CM, RS.CO, PR.AT, PR.PT
HICP: TV1, Practice # 3
  Notes            
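The discrepancies a log-in monitoring procedure should teach staff to recognise (bursts of failed attempts, a success right after such a burst, sign-ins outside normal hours, a sign-in from a source the account has not used before) are easier to discuss with a concrete check in hand. The following is an added example, not part of the SRA Tool: the log format, the thresholds and the business hours are assumptions, and the log lines are constructed.

```python
"""Added example (not part of the SRA Tool): a small log-in monitoring check
that flags the kinds of discrepancies the procedure should define.
Log format, thresholds and business hours are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log, format: "<ISO timestamp> <user> <FAIL|SUCCESS> <source IP>".
SAMPLE_LOG = """\
2024-03-04T08:55:10 jdoe FAIL 10.0.0.12
2024-03-04T08:55:20 jdoe FAIL 10.0.0.12
2024-03-04T08:55:31 jdoe FAIL 10.0.0.12
2024-03-04T08:55:40 jdoe FAIL 10.0.0.12
2024-03-04T08:55:52 jdoe FAIL 10.0.0.12
2024-03-04T08:56:05 jdoe SUCCESS 10.0.0.12
2024-03-04T09:10:00 asmith SUCCESS 10.0.0.40
2024-03-04T23:40:00 asmith SUCCESS 203.0.113.7
2024-03-04T12:00:00 rlee SUCCESS 10.0.0.55
"""

FAIL_THRESHOLD = 5            # failures per user within the window (assumed)
FAIL_WINDOW_SECONDS = 300     # rolling window for counting failures (assumed)
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # this practice's normal hours (assumed)


def parse_log(text):
    """Parse the constructed log format into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, source = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "source": source})
    events.sort(key=lambda e: e["ts"])
    return events


def _within_window(times, now):
    """Keep only failure timestamps that fall inside the rolling window."""
    return [t for t in times if (now - t).total_seconds() <= FAIL_WINDOW_SECONDS]


def find_discrepancies(events):
    """Return (kind, user, timestamp) tuples for the discrepancies the
    procedure should tell staff how to recognise and escalate."""
    findings = []
    recent_fails = defaultdict(list)   # user -> timestamps of recent failures
    known_sources = defaultdict(set)   # user -> source IPs seen so far
    start, end = BUSINESS_HOURS
    for e in events:
        user, now = e["user"], e["ts"]
        if e["result"] == "FAIL":
            window = _within_window(recent_fails[user], now) + [now]
            recent_fails[user] = window
            if len(window) == FAIL_THRESHOLD:     # fire once per burst
                findings.append(("repeated_failures", user, now))
            continue
        # A success shortly after a burst of failures deserves a second look.
        if len(_within_window(recent_fails[user], now)) >= FAIL_THRESHOLD:
            findings.append(("success_after_failures", user, now))
        recent_fails[user] = []
        if not (start <= now.time() <= end):
            findings.append(("outside_business_hours", user, now))
        # The first source seen for a user is the baseline; later new sources are flagged.
        if known_sources[user] and e["source"] not in known_sources[user]:
            findings.append(("new_source", user, now))
        known_sources[user].add(e["source"])
    return findings


def report(findings):
    """Lines the security officer reviews and can record in the Notes column."""
    return [f"{ts.isoformat()} {user}: {kind}" for kind, user, ts in findings]


if __name__ == "__main__":
    for line in report(find_discrepancies(parse_log(SAMPLE_LOG))):
        print(line)
```

Each finding maps to a response step in the procedure: who is told, what is checked with the user, and what is recorded.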
14 Is protection from malicious software (including timely antivirus/security updates and malware protection) covered in your procedures?            
      Yes. Software protection is included in our procedures. This includes a review of our procedures for guarding against malware, the mechanisms in place for protection, and the procedures workforce members follow to detect and report malicious software. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Antivirus (AV) software is readily available at low cost and is effective at protecting endpoints from computer viruses, malware, spam, and ransomware threats. Each endpoint in your organization should be equipped with antivirus software that is configured to update automatically. For medical devices, the medical device manufacturer should directly support AV software, or it should be cleared for operation by the manufacturer. Ensure that a compliant AV technology is enabled. If AV cannot be implemented, compensating controls should enforce an AV scan whenever the device is serviced prior to reconnecting to the device network.   Addressable HIPAA: §164.308(a)(5)(ii)(B)
NIST CSF: PR.AT, PR.IP
HICP: TV1, Practice # 2, 9
      Yes. Our security procedures include a review of our practice’s procedure for guarding against malicious software, but do not cover how workforce members can detect and report malicious software or the protection mechanisms and system capabilities in place for malware protection. Consider including software protection in your procedures, such as: 1. What protection mechanisms and system capabilities are in place for protection against malicious software, 2. Workforce members’ roles and responsibilities in malicious software protection procedures, 3. Steps to protect against and detect malicious software, and 4. Actions on how to respond to malicious software infections. Antivirus (AV) software is readily available at low cost and is effective at protecting endpoints from computer viruses, malware, spam, and ransomware threats. Each endpoint in your organization should be equipped with antivirus software that is configured to update automatically. For medical devices, the medical device manufacturer should directly support AV software, or it should be cleared for operation by the manufacturer. Ensure that a compliant AV technology is enabled. If AV cannot be implemented, compensating controls should enforce an AV scan whenever the device is serviced prior to reconnecting to the device network.   Addressable HIPAA: §164.308(a)(5)(ii)(B)
NIST CSF: PR.AT, PR.IP
HICP: TV1, Practice # 2, 9
      Tools for protection from malicious software are available, but these are not included in our security procedures. Consider including software protection in your procedures, such as: 1. What protection mechanisms and system capabilities are in place for protection against malicious software, 2. Workforce members’ roles and responsibilities in malicious software protection procedures, 3. Steps to protect against and detect malicious software, and 4. Actions on how to respond to malicious software infections. Antivirus (AV) software is readily available at low cost and is effective at protecting endpoints from computer viruses, malware, spam, and ransomware threats. Each endpoint in your organization should be equipped with antivirus software that is configured to update automatically. For medical devices, the medical device manufacturer should directly support AV software, or it should be cleared for operation by the manufacturer. Ensure that a compliant AV technology is enabled. If AV cannot be implemented, compensating controls should enforce an AV scan whenever the device is serviced prior to reconnecting to the device network.   Addressable HIPAA: §164.308(a)(5)(ii)(B)
NIST CSF: PR.AT, PR.IP
HICP: TV1, Practice # 2, 9
      No, protection from malicious software is not included in our security procedures. Consider including software protection in your procedures, such as: 1. What protection mechanisms and system capabilities are in place for protection against malicious software, 2. Workforce members’ roles and responsibilities in malicious software protection procedures, 3. Steps to protect against and detect malicious software, and 4. Actions on how to respond to malicious software infections. Antivirus (AV) software is readily available at low cost and is effective at protecting endpoints from computer viruses, malware, spam, and ransomware threats. Each endpoint in your organization should be equipped with antivirus software that is configured to update automatically. For medical devices, the medical device manufacturer should directly support AV software, or it should be cleared for operation by the manufacturer. Ensure that a compliant AV technology is enabled. If AV cannot be implemented, compensating controls should enforce an AV scan whenever the device is serviced prior to reconnecting to the device network.   Addressable HIPAA: §164.308(a)(5)(ii)(B)
NIST CSF: PR.AT, PR.IP
HICP: TV1, Practice # 2, 9
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.308(a)(5)(ii)(B)
NIST CSF: PR.AT, PR.IP
HICP: TV1, Practice # 2, 9
  Notes            
15 What password security elements are covered in your security training?            
      Our security procedures include what our workforce roles/responsibilities are in password security, how to safeguard passwords, how to respond to a compromised password, and how to properly change a password using various password characteristics (e.g. many characters long, easy to remember, avoiding easy to guess phrases). This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. To stay current with best practices on security procedures, consider enforcing password security measures consistent with guidance in NIST SP 800-63-3. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are accessed off site, leverage technologies that use multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.   Addressable HIPAA: §164.308(a)(5)(ii)(D)
NIST CSF: PR.AT
HICP: TV1, Practice # 2, 3
      Our security procedures include some but not all of the items noted above. Consider enforcing password security measures consistent with guidance in NIST SP 800-63-3 as part of your security training. If this is not determined to be reasonable and appropriate, document the reason why along with your compensating control. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are accessed off site, leverage technologies that use multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.   Addressable HIPAA: §164.308(a)(5)(ii)(D)
NIST CSF: PR.AT
HICP: TV1, Practice # 2, 3
      Password security is not covered in our security procedures. Consider enforcing password security measures consistent with guidance in NIST SP 800-63-3 as part of your security training. If this is not determined to be reasonable and appropriate, document the reason why along with your compensating control. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are accessed off site, leverage technologies that use multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.   Addressable HIPAA: §164.308(a)(5)(ii)(D)
NIST CSF: PR.AT
HICP: TV1, Practice # 2, 3
      Other. Consider enforcing password security measures consistent with guidance in NIST SP 800-63-3 as part of your security training. If this is not determined to be reasonable and appropriate, document the reason why along with your compensating control. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are accessed off site, leverage technologies that use multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.   Addressable HIPAA: §164.308(a)(5)(ii)(D)
NIST CSF: PR.AT
HICP: TV1, Practice # 2, 3
      I don’t know. Consider enforcing password security measures consistent with guidance in NIST SP 800-63-3 as part of your security training. If this is not determined to be reasonable and appropriate, document the reason why along with your compensating control. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are accessed off site, leverage technologies that use multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.   Addressable HIPAA: §164.308(a)(5)(ii)(D)
NIST CSF: PR.AT
HICP: TV1, Practice # 2, 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.308(a)(5)(ii)(D)
NIST CSF: PR.AT
HICP: TV1, Practice # 2, 3
  Notes            
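The password characteristics the guidance above points at (long, memorable, not an easy-to-guess phrase, consistent with NIST SP 800-63-3) translate into a small acceptance check that a practice can put in front of its account systems and show in training. The following is an added example, not part of the SRA Tool or of NIST's own material: the thresholds, the blocklist and the context words are constructed assumptions.

```python
"""Added example (not part of the SRA Tool): a password acceptance check in the
spirit of NIST SP 800-63-3 (the memorized-secret rules of SP 800-63B).
Length limits, blocklist and context words are constructed for illustration."""

MIN_LENGTH = 8      # minimum for user-chosen passwords (800-63B)
MAX_LENGTH = 64     # passwords up to at least 64 characters must be accepted
RUN_LENGTH = 4      # 'aaaa' or 'abcd' style runs of this length are rejected

# Constructed blocklist; in practice use a list of commonly used or breached values.
BLOCKLIST = {"password", "password1", "password123", "letmein", "welcome1", "clinic2024"}
# Context-specific words that should not appear inside a password (assumed for this practice).
CONTEXT_WORDS = {"clinic", "ehr", "practice"}


def _has_run(pw):
    """True if pw contains RUN_LENGTH identical or consecutive characters
    (e.g. 'aaaa', 'abcd', '4321'), checked case-insensitively."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - RUN_LENGTH + 1):
        chunk = codes[i:i + RUN_LENGTH]
        diffs = {b - a for a, b in zip(chunk, chunk[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def evaluate_password(password, username):
    """Return the list of reasons a password is rejected; an empty list means
    it is acceptable. No composition rules (upper/lower/digit/symbol) are
    applied, in line with 800-63B, so long memorable phrases pass."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if len(password) > MAX_LENGTH:
        reasons.append("too_long")
    if lowered in BLOCKLIST:
        reasons.append("blocklisted")
    if username and username.lower() in lowered:
        reasons.append("contains_username")
    if any(word in lowered for word in CONTEXT_WORDS):
        reasons.append("contains_context_word")
    if _has_run(password):
        reasons.append("repetitive_or_sequential")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password123", "jdoe-clinic-2024"):
        print(candidate, "->", evaluate_password(candidate, "jdoe") or "accepted")
```

The rejection reasons double as the training message to the user: say which rule was hit rather than returning a generic error.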
16 Do you ensure workforce members maintain ongoing awareness of security requirements?            
      Yes. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Establish and maintain a training program for your workforce that includes a section on phishing attacks. All users in your organization should be able to recognize phishing techniques. Train your workforce to comply with organizational procedures and ONC guidance when transmitting PHI through e-mail. Train staff never to back up data on uncontrolled storage devices or personal cloud services.   Addressable HIPAA: §164.308(a)(5)(ii)(A)
NIST CSF: PR.AT, ID.RA, ID.BE, ID.GV
HICP: TV1, Practice # 1, 4
      No. Consider securing your workforce with formal, regular trainings as well as periodic reminders. If these steps are not determined to be reasonable and appropriate, document the reason why along with your compensating control. Establish and maintain a training program for your workforce that includes a section on phishing attacks. All users in your organization should be able to recognize phishing techniques. Train your workforce to comply with organizational procedures and ONC guidance when transmitting PHI through e-mail. Train staff never to back up data on uncontrolled storage devices or personal cloud services.   Addressable HIPAA: §164.308(a)(5)(ii)(A)
NIST CSF: PR.AT, ID.RA, ID.BE, ID.GV
HICP: TV1, Practice # 1, 4
      I don’t know. Consider securing your workforce with formal, regular trainings as well as periodic reminders. If these steps are not determined to be reasonable and appropriate, document the reason why along with your compensating control. Establish and maintain a training program for your workforce that includes a section on phishing attacks. All users in your organization should be able to recognize phishing techniques. Train your workforce to comply with organizational procedures and ONC guidance when transmitting PHI through e-mail. Train staff never to back up data on uncontrolled storage devices or personal cloud services.   Addressable HIPAA: §164.308(a)(5)(ii)(A)
NIST CSF: PR.AT, ID.RA, ID.BE, ID.GV
HICP: TV1, Practice # 1, 4
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.308(a)(5)(ii)(A)
NIST CSF: PR.AT, ID.RA, ID.BE, ID.GV
HICP: TV1, Practice # 1, 4
  Notes            
17 How does your practice ensure workforce members maintain ongoing awareness of security requirements?            
      Formal trainings and periodic security reminders. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Provide staff with training on and awareness of phishing e-mails. Train personnel to comply with organizational policies. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions.   Addressable HIPAA: §164.308(a)(5)(ii)(A)
NIST CSF: PR.AT, ID.RA, ID.BE, ID.GV
HICP: TV1, Practice # 1, 4
      Either formal trainings or periodic security reminders, but not both. Consider securing your workforce with formal, regular trainings as well as periodic reminders. If these steps are not determined to be reasonable and appropriate, document the reason why along with your compensating control. Provide staff with training on and awareness of phishing e-mails. Train personnel to comply with organizational policies. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions.   Addressable HIPAA: §164.308(a)(5)(ii)(A)
NIST CSF: PR.AT, ID.RA, ID.BE, ID.GV
HICP: TV1, Practice # 1, 4
      I don’t know. Consider securing your workforce with formal, regular trainings as well as periodic reminders. If these steps are not determined to be reasonable and appropriate, document the reason why along with your compensating control. Provide staff with training on and awareness of phishing e-mails. Train personnel to comply with organizational policies. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions.   Addressable HIPAA: §164.308(a)(5)(ii)(A)
NIST CSF: PR.AT, ID.RA, ID.BE, ID.GV
HICP: TV1, Practice # 1, 4
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.308(a)(5)(ii)(A)
NIST CSF: PR.AT, ID.RA, ID.BE, ID.GV
HICP: TV1, Practice # 1, 4
  Notes            
18 Do you have a sanction policy to enforce security procedures?            
      Yes. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(a)(1)(ii)(C)
NIST CSF:  PR.IP
HICP: N/A
      No. Consider implementing a sanction policy. It is required that your practice be able to apply appropriate sanctions against workforce members who fail to comply with your practice’s security policies and procedures.   Required HIPAA: §164.308(a)(1)(ii)(C)
NIST CSF:  PR.IP
HICP: N/A
      I don’t know. Consider looking into whether your practice has a sanction policy. It is required that your practice be able to apply appropriate sanctions against workforce members who fail to comply with your practice’s security policies and procedures.   Required HIPAA: §164.308(a)(1)(ii)(C)
NIST CSF:  PR.IP
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(1)(ii)(C)
NIST CSF:  PR.IP
HICP: N/A
  Notes            
19 What is included in your sanction policy to hold personnel accountable if they do not follow your security policies and procedures?            
      Formal written documentation of the sanction and the reason for the sanction. Consider which sanction policies and procedures are reasonable and appropriate for your organization in order to hold personnel accountable if they do not follow your security policies and procedures.   Required HIPAA: §164.308(a)(1)(ii)(C)
NIST CSF: PR.AT, RS.CO, PR.IP
HICP: N/A
      A formal corrective action plan. Consider which sanction policies and procedures are reasonable and appropriate for your organization in order to hold personnel accountable if they do not follow your security policies and procedures.   Required HIPAA: §164.308(a)(1)(ii)(C)
NIST CSF: PR.AT, RS.CO, PR.IP
HICP: N/A
      Identification of the sanctions applied to compliance failures. Consider which sanction policies and procedures are reasonable and appropriate for your organization in order to hold personnel accountable if they do not follow your security policies and procedures.   Required HIPAA: §164.308(a)(1)(ii)(C)
NIST CSF: PR.AT, RS.CO, PR.IP
HICP: N/A
      Training to mitigate repeat offenses. Consider which sanction policies and procedures are reasonable and appropriate for your organization in order to hold personnel accountable if they do not follow your security policies and procedures.   Required HIPAA: §164.308(a)(1)(ii)(C)
NIST CSF: PR.AT, RS.CO, PR.IP
HICP: N/A
      Documentation of the sanction outcome. Consider which sanction policies and procedures are reasonable and appropriate for your organization in order to hold personnel accountable if they do not follow your security policies and procedures.   Required HIPAA: §164.308(a)(1)(ii)(C)
NIST CSF: PR.AT, RS.CO, PR.IP
HICP: N/A
      All of the above. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(a)(1)(ii)(C)
NIST CSF: PR.AT, RS.CO, PR.IP
HICP: N/A
      None of the above. Consider which sanction policies and procedures are reasonable and appropriate for your organization in order to hold personnel accountable if they do not follow your security policies and procedures.   Required HIPAA: §164.308(a)(1)(ii)(C)
NIST CSF: PR.AT, RS.CO, PR.IP
HICP: N/A
      Other. Consider which sanction policies and procedures are reasonable and appropriate for your organization in order to hold personnel accountable if they do not follow your security policies and procedures.   Required HIPAA: §164.308(a)(1)(ii)(C)
NIST CSF: PR.AT, RS.CO, PR.IP
HICP: N/A
      I don’t know. Consider which sanction policies and procedures are reasonable and appropriate for your organization in order to hold personnel accountable if they do not follow your security policies and procedures.   Required HIPAA: §164.308(a)(1)(ii)(C)
NIST CSF: PR.AT, RS.CO, PR.IP
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(1)(ii)(C)
NIST CSF: PR.AT, RS.CO, PR.IP
HICP: N/A
  Notes            
               
Threats & Vulnerabilities         Likelihood Impact Risk Score
1 Unqualified, uninformed, or lack of Security Officer            
      Unqualified workforce or untrained personnel on security standards and procedures        
      Security policies not followed when not enforced        
      Misuse of audit tools, information systems, and/or hardware        
      Proliferation of unknown threats        
      Insider carelessness exposing ePHI        
      Unauthorized information disclosure (ePHI, proprietary, intellectual, or confidential)        
      Disruption of business processes, information system function, and/or prolonged adversarial presence within information systems        
2 Untrustworthy employee or business associate            
      Information disclosure (ePHI, proprietary, intellectual, or confidential)        
      Disruption of business processes or information system function        
      Sensitive data exposed or tampered with by insider        
      Misuse of information systems and/or hardware        
      Falsification or destruction of records and/or data corruption        
      Unauthorized access granted to outsiders        
3 Inadequate cyber security & IT training            
      Information disclosure (ePHI, proprietary, intellectual, or confidential)        
      Disruption of business processes or information system function        
      Social engineering attack or email phishing attack        
      Misuse of information systems and/or hardware        
      Information system or facility access granted to unauthorized personnel        
      Installation of unauthorized software or applications        
4 Failure to hold workforce members accountable for undesired actions            
      Insider carelessness causing disruption to computer systems        
      Insider carelessness exposing ePHI to unauthorized persons or entities        
      Lack of interest in protecting sensitive information        
               


Sheet 5: Section 4

Section 4 – Security & Data
Question # Question Text Response Indicator Question Responses Guidance Risk Indicated Required? Reference
Section Questions              
1 Do you manage and control personnel access to ePHI, systems, and facilities?            
      Yes. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. User accounts enable organizations to control and monitor each user’s access to and activities on devices, EHRs, e-mail, and other third-party software systems. It is essential to protect user accounts to mitigate the risk of cyber threats.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.IP, PR.AC, PR.PT
HICP: TV1, Practice # 3
      No. Consider implementing policies and procedures to determine, authorize, and control access of workforce members to ePHI, systems, and facilities as appropriate. User accounts enable organizations to control and monitor each user’s access to and activities on devices, EHRs, e-mail, and other third-party software systems. It is essential to protect user accounts to mitigate the risk of cyber threats.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.IP, PR.AC, PR.PT
HICP: TV1, Practice # 3
      I don’t know. Consider looking into whether you have policies and procedures to determine, authorize, and control access of workforce members to ePHI, systems, and facilities as appropriate. User accounts enable organizations to control and monitor each user’s access to and activities on devices, EHRs, e-mail, and other third-party software systems. It is essential to protect user accounts to mitigate the risk of cyber threats.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.IP, PR.AC, PR.PT
HICP: TV1, Practice # 3
      We manage and control personnel access to some but not all. Consider implementing policies and procedures to determine, authorize, and control access of workforce members to ePHI, systems, and facilities as appropriate. User accounts enable organizations to control and monitor each user’s access to and activities on devices, EHRs, e-mail, and other third-party software systems. It is essential to protect user accounts to mitigate the risk of cyber threats.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.IP, PR.AC, PR.PT
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.IP, PR.AC, PR.PT
HICP: TV1, Practice # 3
  Notes            
2 How do you manage and control personnel access to ePHI, systems, and facilities?            
      Detailed log of personnel and access levels based on role. Updates are reviewed by the security officer. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.IP, PR.AC, PR.PT
HICP: TV1, Practice # 3
      Log of personnel names. You should develop, document, and disseminate to workforce members an access control policy. The access control policy should address purpose, scope, roles, responsibilities, management commitment, the expected coordination among organizational entities, and compliance requirements. You should also maintain a list of workforce members with their corresponding level of access. This list should be reviewed and updated by the security officer. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.IP, PR.AC, PR.PT
HICP: TV1, Practice # 3
      Access is granted by role, but we do not maintain a corresponding list of personnel. Make sure your access control measures are effective and up-to-date. Implement a procedure for updating your log upon changes in the workforce to include access levels based on role within your practice. To meet the standard, any updates based on changes in the workforce should be verified by the security officer. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.IP, PR.AC, PR.PT
HICP: TV1, Practice # 3
      We do not keep a detailed log of workforce members or designate access levels based on role. Make sure your access control measures are effective and up-to-date. Implement a procedure for updating your log upon changes in the workforce to include access levels based on role within your practice. To meet the standard, any updates based on changes in the workforce should be verified by the security officer. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.IP, PR.AC, PR.PT
HICP: TV1, Practice # 3
      Detailed log of personnel and access levels based on role. Make sure your access control measures are effective and up-to-date. Implement a procedure for updating your log upon changes in the workforce to include access levels based on role within your practice. To meet the standard, any updates based on changes in the workforce should be verified by the security officer. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.IP, PR.AC, PR.PT
HICP: TV1, Practice # 3
      Log of personnel names and access levels. Make sure your access control measures are effective and up-to-date. Implement a procedure for updating your log upon changes in the workforce to include access levels based on role within your practice. To meet the standard, any updates based on changes in the workforce should be verified by the security officer. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.IP, PR.AC, PR.PT
HICP: TV1, Practice # 3
      Other. Make sure your access control measures are effective and up-to-date. Implement a procedure for updating your log upon changes in the workforce to include access levels based on role within your practice. To meet the standard, any updates based on changes in the workforce should be verified by the security officer. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.IP, PR.AC, PR.PT
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.IP, PR.AC, PR.PT
HICP: TV1, Practice # 3
  Notes            
3 What is your process for authorizing, establishing, and modifying access to ePHI?            
      Our security procedures designate personnel authorized to grant, review, modify, and terminate access. Access levels are reviewed and modified as needed. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Tailor access for each user based on the user’s specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.   Addressable HIPAA: §164.308(a)(4)(ii)(B) §164.308(a)(4)(ii)(C)
NIST CSF: PR.AC, PR.IP
HICP: TV1, Practice # 3
      Our security procedures designate personnel authorized to grant and terminate access. We do not have a procedure to review and modify access as needed. You should implement formal procedures to review and modify personnel access. Tailor access for each user based on the user’s specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.   Addressable HIPAA: §164.308(a)(4)(ii)(B) §164.308(a)(4)(ii)(C)
NIST CSF: PR.AC, PR.IP
HICP: TV1, Practice # 3
      Access levels are granted, modified, and terminated as needed, but we do not have formal procedures. You should implement a formal security procedure and designate authorized personnel to grant, review, modify, and terminate access. Access levels should be reviewed and modified as needed. Tailor access for each user based on the user’s specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.   Addressable HIPAA: §164.308(a)(4)(ii)(B) §164.308(a)(4)(ii)(C)
NIST CSF: PR.AC, PR.IP
HICP: TV1, Practice # 3
      We do not have a process in place to grant, modify, or terminate access. You should implement formal procedures to grant, modify, review, and terminate personnel access. Access levels should be reviewed and modified as needed. Tailor access for each user based on the user’s specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.   Addressable HIPAA: §164.308(a)(4)(ii)(B) §164.308(a)(4)(ii)(C)
NIST CSF: PR.AC, PR.IP
HICP: TV1, Practice # 3
      I don’t know. You should implement formal procedures to grant, modify, review, and terminate personnel access. Access levels should be reviewed and modified as needed. Tailor access for each user based on the user’s specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.   Addressable HIPAA: §164.308(a)(4)(ii)(B) §164.308(a)(4)(ii)(C)
NIST CSF: PR.AC, PR.IP
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.308(a)(4)(ii)(B) §164.308(a)(4)(ii)(C)
NIST CSF: PR.AC, PR.IP
HICP: TV1, Practice # 3
  Notes            
4 How much access to ePHI is granted to users or other entities?            
      Minimum access necessary based on the user’s formal role. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. As user accounts are established, the accounts must be granted access to the organization’s computers and programs, as appropriate to each user. Consider following the “minimum necessary” principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user’s job or role in the organization. This limits the organization’s exposure to unauthorized access, loss, and theft of data if the user’s identity or access is compromised.   Required HIPAA: §164.502(b)
NIST CSF: PR.AC, PR.IP, ID.RM, PR.DS
HICP: TV1, Practice # 3
      Access is granted based on user duties and activities but not on any formal role or minimum necessary consideration. Policies and procedures outlining how users are granted only the minimum necessary access to ePHI should be documented and implemented based on the user role. Allowing a high degree of access to ePHI may have negative impacts to your practice. Unauthorized or inappropriate access to ePHI can compromise the confidentiality, integrity, and availability of your ePHI. As user accounts are established, the accounts must be granted access to the organization’s computers and programs, as appropriate to each user. Consider following the “minimum necessary” principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user’s job or role in the organization. This limits the organization’s exposure to unauthorized access, loss, and theft of data if the user’s identity or access is compromised.   Required HIPAA: §164.502(b)
NIST CSF: PR.AC, PR.IP, ID.RM, PR.DS
HICP: TV1, Practice # 3
      No limit to access. Policies and procedures outlining how users are granted only the minimum necessary access to ePHI should be documented and implemented based on the user role. Allowing a high degree of access to ePHI may have negative impacts to your practice. Unauthorized or inappropriate access to ePHI can compromise the confidentiality, integrity, and availability of your ePHI. As user accounts are established, the accounts must be granted access to the organization’s computers and programs, as appropriate to each user. Consider following the “minimum necessary” principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user’s job or role in the organization. This limits the organization’s exposure to unauthorized access, loss, and theft of data if the user’s identity or access is compromised.   Required HIPAA: §164.502(b)
NIST CSF: PR.AC, PR.IP, ID.RM, PR.DS
HICP: TV1, Practice # 3
      I don’t know. Policies and procedures outlining how users are granted only the minimum necessary access to ePHI should be documented and implemented based on the user role. Allowing a high degree of access to ePHI may have negative impacts to your practice. Unauthorized or inappropriate access to ePHI can compromise the confidentiality, integrity, and availability of your ePHI. As user accounts are established, the accounts must be granted access to the organization’s computers and programs, as appropriate to each user. Consider following the “minimum necessary” principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user’s job or role in the organization. This limits the organization’s exposure to unauthorized access, loss, and theft of data if the user’s identity or access is compromised.   Required HIPAA: §164.502(b)
NIST CSF: PR.AC, PR.IP, ID.RM, PR.DS
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.502(b)
NIST CSF: PR.AC, PR.IP, ID.RM, PR.DS
HICP: TV1, Practice # 3
  Notes            
5 How are individual users identified when accessing ePHI?            
      Unique IDs and individual passwords are created for authorized workforce members and contractors in order to access ePHI. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook).   Required HIPAA: §164.312(a)(2)(i)
NIST CSF: PR.AC, PR.PT, DE.CM
HICP: TV1, Practice # 3
      Unique IDs are required in order to access ePHI but these are not always used. Generic or shared accounts also exist which have access to ePHI and are not specific to unique users. If you do not have policies requiring use of a unique identifier for all users accessing ePHI, you might not be able to keep track of authorized users and the roles and responsibilities assigned to them. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook).   Required HIPAA: §164.312(a)(2)(i)
NIST CSF: PR.AC, PR.PT, DE.CM
HICP: TV1, Practice # 3
      Generic usernames and/or shared passwords are used in order to access ePHI. If you do not have policies requiring use of a unique identifier for all users accessing ePHI, you might not be able to keep track of authorized users and the roles and responsibilities assigned to them. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook).   Required HIPAA: §164.312(a)(2)(i)
NIST CSF: PR.AC, PR.PT, DE.CM
HICP: TV1, Practice # 3
      We do not have a process to authenticate users with unique IDs. If you do not have policies requiring use of a unique identifier for all users accessing ePHI, you might not be able to keep track of authorized users and the roles and responsibilities assigned to them. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook).   Required HIPAA: §164.312(a)(2)(i)
NIST CSF: PR.AC, PR.PT, DE.CM
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.312(a)(2)(i)
NIST CSF: PR.AC, PR.PT, DE.CM
HICP: TV1, Practice # 3
  Notes            
6 Do you ensure all of your workforce members have appropriate access to ePHI?            
      Yes. We have written procedures to ensure workforce members’ access privileges are minimum necessary (i.e. “need to know”) based on their roles. These access privileges are approved by the security officer. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. As user accounts are established, the accounts must be granted access to the organization’s computers and programs, as appropriate to each user. Consider following the “minimum necessary” principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user’s job or role in the organization. This limits the organization’s exposure to unauthorized access, loss, and theft of data if the user’s identity or access is compromised.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.AC, PR.IP
HICP: TV1, Practice # 3
      Yes. We have written procedures to ensure workforce members’ access privileges are minimum necessary but these are not always based on their roles. You should implement and document procedures to ensure workforce members have access privileges based on their role and no higher than necessary to perform their duties. These procedures and access privileges should be appropriately approved and communicated. As user accounts are established, the accounts must be granted access to the organization’s computers and programs, as appropriate to each user. Consider following the “minimum necessary” principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user’s job or role in the organization. This limits the organization’s exposure to unauthorized access, loss, and theft of data if the user’s identity or access is compromised.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.AC, PR.IP
HICP: TV1, Practice # 3
      Yes. We verbally communicate access privileges to our workforce members but we do not have written procedures. You should implement and document procedures to ensure workforce members have access privileges based on their role and no higher than necessary to perform their duties. These procedures and access privileges should be appropriately approved and communicated. As user accounts are established, the accounts must be granted access to the organization’s computers and programs, as appropriate to each user. Consider following the “minimum necessary” principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user’s job or role in the organization. This limits the organization’s exposure to unauthorized access, loss, and theft of data if the user’s identity or access is compromised.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.AC, PR.IP
HICP: TV1, Practice # 3
      No. We do not have any procedures for ensuring appropriate workforce member access to ePHI. You should implement and document procedures to ensure workforce members have access privileges based on their role and no higher than necessary to perform their duties. These procedures and access privileges should be appropriately approved and communicated. As user accounts are established, the accounts must be granted access to the organization’s computers and programs, as appropriate to each user. Consider following the “minimum necessary” principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user’s job or role in the organization. This limits the organization’s exposure to unauthorized access, loss, and theft of data if the user’s identity or access is compromised.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.AC, PR.IP
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.AC, PR.IP
HICP: TV1, Practice # 3
  Notes            
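The guidance for questions 2, 4, 5 and 6 above comes down to one periodic check: compare the personnel access log against the minimum-necessary baseline for each role, and confirm that every account belongs to one identifiable person and carries the security officer's sign-off. The script below is an added example of that access review, not part of the SRA Tool; the role baselines, the list of generic account names and the sample log entries are all constructed for the demonstration, and the `AccessEntry` record layout is a hypothetical one chosen to hold the fields the guidance mentions.

```python
"""Access review check: role-based, minimum-necessary access to ePHI.

Added example (not part of the SRA Tool). Reads a personnel access log of the
kind the guidance describes (member, role, systems reachable, security officer
review) and reports grants beyond the role's minimum, generic or shared
accounts, roles with no documented baseline, and entries lacking sign-off.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Minimum set of systems each role needs (constructed sample baseline).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "physician": {"ehr", "email", "file_server"},
    "front_desk": {"scheduling", "email"},
    "billing": {"billing", "email"},
    "it_admin": {"ehr", "email", "file_server", "scheduling", "billing", "admin_console"},
}

# Account names that describe a function rather than one person (constructed).
GENERIC_NAMES = {"admin", "nurse", "frontdesk", "shared", "guest", "temp"}


@dataclass
class AccessEntry:
    """One row of the personnel access log (hypothetical record layout)."""
    user_id: str
    role: str
    systems: Set[str]
    reviewed_by_security_officer: bool = False
    shared: bool = False  # credential known to be used by more than one person


@dataclass
class Finding:
    user_id: str
    kind: str    # excess_access | unknown_role | generic_account | shared_account | unreviewed
    detail: str


def review_access(entries: List[AccessEntry],
                  baseline: Dict[str, Set[str]] = ROLE_BASELINE) -> List[Finding]:
    """Compare each log entry against its role baseline and return all findings."""
    findings: List[Finding] = []
    for e in entries:
        if e.role not in baseline:
            findings.append(Finding(e.user_id, "unknown_role",
                                    f"role '{e.role}' has no documented baseline"))
        else:
            # Anything granted beyond the role's minimum is an exception to document or remove.
            excess = e.systems - baseline[e.role]
            if excess:
                findings.append(Finding(e.user_id, "excess_access",
                                        "beyond role minimum: " + ", ".join(sorted(excess))))
        if e.user_id.lower() in GENERIC_NAMES:
            findings.append(Finding(e.user_id, "generic_account",
                                    "account name is not tied to one individual"))
        if e.shared:
            findings.append(Finding(e.user_id, "shared_account",
                                    "credential is used by more than one person"))
        if not e.reviewed_by_security_officer:
            findings.append(Finding(e.user_id, "unreviewed",
                                    "no security officer sign-off on current access"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind for the review report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample log for the demonstration.
SAMPLE_LOG = [
    AccessEntry("jsmith", "physician", {"ehr", "email", "file_server"}, True),
    AccessEntry("mlee", "front_desk", {"scheduling", "email", "ehr"}, True),
    AccessEntry("frontdesk", "front_desk", {"scheduling", "email"}, False, shared=True),
    AccessEntry("tnguyen", "billing", {"billing", "email"}, False),
    AccessEntry("rpatel", "consultant", {"email"}, True),
]

if __name__ == "__main__":
    for f in review_access(SAMPLE_LOG):
        print(f"{f.user_id:<10} {f.kind:<16} {f.detail}")
    print(summarize(review_access(SAMPLE_LOG)))
```

Each finding maps to a response in the questions above: an `excess_access` or `unknown_role` finding means access is not tied to a documented role baseline (questions 4 and 6), `generic_account` and `shared_account` mean individual users cannot be distinguished in audit records (question 5), and `unreviewed` means the log has changed without the security officer verifying it (question 2). Running the review on a schedule, and again whenever the workforce changes, is what turns the written procedure into evidence.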
7 How do you make sure that your workforce’s designated access to ePHI is logical, consistent, and appropriate ?            
      Workforce members are granted access based on the minimum amount necessary for their role. This is consistently applied across the practice and any changes must be formally approved and documented. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Tailor access for each user based on the user€™s specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.PT, PR.IP, DE.CM
HICP: TV1, Practice # 3
      Workforce members have a default level of access for their role, but exceptions are commonly granted. Review role-based access to determine how specific you can designate access for users, based on their roles. Implement and document procedures to ensure minimum necessary access is in place across the board to the extent reasonable and appropriate. If access exceptions are commonly granted, they should be documented and policies should be in place outlining the procedure for access exceptions. Tailor access for each user based on the user’s specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.PT, PR.IP, DE.CM
HICP: TV1, Practice # 3
      Our software vendor designates access to users, e.g. based on their role as indicated in the system. Review role-based access to determine how specific you can designate access for users, based on their roles. Implement and document procedures to ensure minimum necessary access is in place across the board to the extent reasonable and appropriate. If access exceptions are commonly granted, they should be documented and policies should be in place outlining the procedure for access exceptions. Tailor access for each user based on the user’s specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.PT, PR.IP, DE.CM
HICP: TV1, Practice # 3
      We do not have a procedure for ensuring user access is appropriate for their role. Review role-based access to determine how specific you can designate access for users, based on their roles. Implement and document procedures to ensure minimum necessary access is in place across the board to the extent reasonable and appropriate. If access exceptions are commonly granted, they should be documented and policies should be in place outlining the procedure for access exceptions. Tailor access for each user based on the user’s specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.PT, PR.IP, DE.CM
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(3)(i)
NIST CSF: PR.AT, PR.PT, PR.IP, DE.CM
HICP: TV1, Practice # 3
  Notes            
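The guidance for questions 6 and 7 above amounts to a periodic access review: each role has a documented minimum-necessary baseline, and any entitlement beyond it must be covered by a formally approved, unexpired exception. The following is an added example of such a review, not part of the SRA Tool; the role baselines, system names, users and exception records are constructed sample data.

```python
"""Added example (not part of the SRA Tool): a minimum-necessary access review.

Each role maps to the documented set of systems it needs (provisioning).
Every entitlement beyond that baseline must be justified by a formally
approved, unexpired exception; anything else is a finding to remove or to
formally approve. All names and records here are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple

# Constructed role baselines: the minimum-necessary systems for each role.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "front_desk": {"email", "scheduling"},
    "nurse": {"email", "ehr_clinical"},
    "billing": {"email", "ehr_billing"},
    "it_admin": {"email", "file_server", "ehr_admin"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    entitlements: Set[str]          # systems the account can currently reach


@dataclass(frozen=True)
class AccessException:
    user: str
    system: str
    approved_by: str                 # the formal approver required by policy
    expires: date                    # exceptions are time-bound and re-reviewed


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    reason: str                      # "undocumented", "expired" or "unknown_role"


def review_access(users: List[User], exceptions: List[AccessException],
                  today: date) -> List[Finding]:
    """Flag every entitlement not justified by the role baseline or a current exception."""
    approved = {(e.user, e.system): e for e in exceptions}
    findings: List[Finding] = []
    for u in users:
        baseline = ROLE_BASELINE.get(u.role)
        if baseline is None:
            # A role with no documented baseline cannot be reviewed at all.
            findings.extend(Finding(u.name, s, "unknown_role") for s in sorted(u.entitlements))
            continue
        for system in sorted(u.entitlements - baseline):
            exc = approved.get((u.name, system))
            if exc is None:
                findings.append(Finding(u.name, system, "undocumented"))
            elif exc.expires < today:
                findings.append(Finding(u.name, system, "expired"))
    return findings


def exception_rate(users: List[User]) -> float:
    """Share of users (with a known role) holding any access beyond their baseline.

    A high value is the "exceptions are commonly granted" situation in answer 2
    of question 7, which calls for a documented exception procedure.
    """
    known = [u for u in users if u.role in ROLE_BASELINE]
    if not known:
        return 0.0
    beyond = sum(1 for u in known if u.entitlements - ROLE_BASELINE[u.role])
    return beyond / len(known)


# Constructed sample data used by the demonstration below.
TODAY = date(2024, 6, 1)
SAMPLE_USERS = [
    User("alice", "front_desk", {"email", "scheduling"}),
    User("bob", "nurse", {"email", "ehr_clinical", "ehr_billing"}),
    User("carol", "billing", {"email", "ehr_billing", "ehr_admin"}),
    User("dave", "nurse", {"email", "ehr_clinical", "file_server"}),
    User("erin", "intern", {"email"}),
]
SAMPLE_EXCEPTIONS = [
    AccessException("bob", "ehr_billing", "privacy_officer", date(2024, 12, 31)),
    AccessException("dave", "file_server", "it_manager", date(2024, 3, 31)),
]


def sample_findings() -> List[Tuple[str, str, str]]:
    """Run the review on the sample data; returns (user, system, reason) tuples."""
    return [(f.user, f.system, f.reason)
            for f in review_access(SAMPLE_USERS, SAMPLE_EXCEPTIONS, TODAY)]


if __name__ == "__main__":
    for row in sample_findings():
        print(row)
    print("exception rate:", exception_rate(SAMPLE_USERS))
```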
8 Do you use encryption to control access to ePHI?            
      Yes. This is the most effective option. Whenever reasonable and appropriate implement a mechanism to encrypt and decrypt ePHI. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. If supported by the manufacturer, medical devices should have local encryption enabled in case the device is stolen. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.   Addressable HIPAA: §164.312(a)(2)(iv)
NIST CSF: PR.DS, PR.MA, PR.PT
HICP: TV1, Practice # 1, 4
      No. You might not be able to ensure access to ePHI is denied to unauthorized users if you do not use encryption/decryption methods to control access to ePHI and other health information. Whenever reasonable and appropriate implement a mechanism to encrypt and decrypt ePHI. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. If supported by the manufacturer, medical devices should have local encryption enabled in case the device is stolen. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.   Addressable HIPAA: §164.312(a)(2)(iv)
NIST CSF: PR.DS, PR.MA, PR.PT
HICP: TV1, Practice # 1, 4
      We have not comprehensively evaluated whether encryption is reasonable or appropriate to implement on our devices and information systems. You should evaluate whether encryption is reasonable and appropriate to implement. You might not be able to ensure access to ePHI is denied to unauthorized users if you do not use encryption/decryption methods to control access to ePHI and other health information. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. If supported by the manufacturer, medical devices should have local encryption enabled in case the device is stolen. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.   Addressable HIPAA: §164.312(a)(2)(iv)
NIST CSF: PR.DS, PR.MA, PR.PT
HICP: TV1, Practice # 1, 4
      I don’t know. You might not be able to ensure access to ePHI is denied to unauthorized users if you do not use encryption/decryption methods to control access to ePHI and other health information. Whenever reasonable and appropriate implement a mechanism to encrypt and decrypt ePHI. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. If supported by the manufacturer, medical devices should have local encryption enabled in case the device is stolen. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.   Addressable HIPAA: §164.312(a)(2)(iv)
NIST CSF: PR.DS, PR.MA, PR.PT
HICP: TV1, Practice # 1, 4
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.312(a)(2)(iv)
NIST CSF: PR.DS, PR.MA, PR.PT
HICP: TV1, Practice # 1, 4
  Notes            
9 What procedures do you have in place to encrypt ePHI when deemed reasonable and appropriate?            
      Encryption is evaluated as part of our risk management process. We have procedures in place to encrypt data at rest (for example, USB drives or tapes) and in transit (for example, email or cloud EHR) whenever reasonable and appropriate, and find an alternative safeguard when not reasonable and appropriate. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. Provide regular training on encryption.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF: PR.AC, PR.DS, PR.IP
HICP: TV1, Practice # 1, 4
      We have procedures in place to encrypt data in transit (for example, email or cloud EHR) but not at rest (for example, USB drives or tapes) whenever reasonable and appropriate. Consider encrypting ePHI when it is in transmission as well as when at rest as part of your risk management process. If encryption is determined not reasonable and appropriate, document the reason why and implement an equivalent, alternative safeguard. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. Provide regular training on encryption.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF: PR.AC, PR.DS, PR.IP
HICP: TV1, Practice # 1, 4
      We have procedures in place to encrypt data at rest (for example, USB drives or tapes) but not in transit (for example, email or cloud EHR) whenever reasonable and appropriate. Consider encrypting ePHI when it is in transmission as well as when at rest as part of your risk management process. If encryption is determined not reasonable and appropriate, document the reason why and implement an equivalent, alternative safeguard. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. Provide regular training on encryption.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF: PR.AC, PR.DS, PR.IP
HICP: TV1, Practice # 1, 4
      Other. Consider encrypting ePHI when it is in transmission as well as when at rest as part of your risk management process. If encryption is determined not reasonable and appropriate, document the reason why and implement an equivalent, alternative safeguard. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. Provide regular training on encryption.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF: PR.AC, PR.DS, PR.IP
HICP: TV1, Practice # 1, 4
      I don’t know. Consider encrypting ePHI when it is in transmission as well as when at rest as part of your risk management process. If encryption is determined not reasonable and appropriate, document the reason why and implement an equivalent, alternative safeguard. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. Provide regular training on encryption.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF: PR.AC, PR.DS, PR.IP
HICP: TV1, Practice # 1, 4
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF: PR.AC, PR.DS, PR.IP
HICP: TV1, Practice # 1, 4
  Notes            
10 Do you use alternative safeguards in place of encryption?            
      Yes. When encryption is not reasonable or appropriate, we implement an alternative safeguard. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.   Addressable HIPAA:
NIST CSF: ID.GV, PR.DS, PR.IP, ID.RA
HICP: TV1, Practice # 2
      No. We do not always have alternative safeguards when encryption is not reasonable or appropriate. You might not be able to ensure access to ePHI is denied to unauthorized users if you do not use alternative safeguards or methods to control access to ePHI and other health information. Whenever encryption is not reasonable or appropriate, implement an alternative safeguard or mechanism to protect your ePHI. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.   Addressable HIPAA:
NIST CSF: ID.GV, PR.DS, PR.IP, ID.RA
HICP: TV1, Practice # 2
      I don’t know. You might not be able to ensure access to ePHI is denied to unauthorized users if you do not use alternative safeguards or methods to control access to ePHI and other health information. Whenever encryption is not reasonable and appropriate implement an alternative safeguard or mechanism to protect your ePHI. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.   Addressable HIPAA:
NIST CSF: ID.GV, PR.DS, PR.IP, ID.RA
HICP: TV1, Practice # 2
      We have encryption in place for some devices and systems which access ePHI, but have not comprehensively evaluated the reasonableness and appropriateness of doing so for all devices and systems. We do not always have alternative safeguards when encryption is not reasonable and appropriate. You might not be able to ensure access to ePHI is denied to unauthorized users if you do not use alternative safeguards or methods to control access to ePHI and other health information. Whenever encryption is not reasonable and appropriate implement an alternative safeguard or mechanism to protect your ePHI. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.   Addressable HIPAA:
NIST CSF: ID.GV, PR.DS, PR.IP, ID.RA
HICP: TV1, Practice # 2
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA:
NIST CSF: ID.GV, PR.DS, PR.IP, ID.RA
HICP: TV1, Practice # 2
  Notes            
11 When encryption is deemed unreasonable or inappropriate to implement, do you document the use of an alternative safeguard?            
      Yes. We have policies and procedures to identify encryption capabilities of our devices and information systems. When encryption is not reasonable or appropriate, we implement an alternative safeguard and document it. Having policies and procedures to identify the encryption capabilities of your devices and information systems and then documenting when encryption is not reasonable or appropriate, and that you have implemented an alternative safeguard is the best practice. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.   Addressable HIPAA:
NIST CSF: PR.DS
HICP: TV1, Practice # 2
      No. We do not have policies or procedures to document alternative safeguards as a means of controlling access to ePHI on our devices and information systems. Having policies and procedures to identify the encryption capabilities of your devices and information systems and then documenting when encryption is not reasonable or appropriate, and that you have implemented an alternative safeguard is the best practice. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.   Addressable HIPAA:
NIST CSF: PR.DS
HICP: TV1, Practice # 2
      I don’t know. Having policies and procedures to identify the encryption capabilities of your devices and information systems and then documenting when encryption is not reasonable or appropriate, and that you have implemented an alternative safeguard is the best practice. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.   Addressable HIPAA:
NIST CSF: PR.DS
HICP: TV1, Practice # 2
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA:
NIST CSF: PR.DS
HICP: TV1, Practice # 2
  Notes            
12 Have you evaluated implementing any of the following encryption solutions in your local environment? (Full disk encryption, file/folder encryption, encryption of thumb drives or other external media)            
      All of the above. Encryption in these areas is critical to protecting ePHI in your local environment. Encryption applications prevent hackers from accessing sensitive data, usually by requiring a “key” to encrypt and/or decrypt data. Prohibit the use of unencrypted storage, such as thumb drives, mobile phones, or computers. Require encryption of these mobile storage mediums before use.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF: PR.AC, PR.DS, DE.CM, ID.RA, ID.RM
HICP: TV1, Practice # 2
      Some of the above. Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you’re transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. Encryption applications prevent hackers from accessing sensitive data, usually by requiring a “key” to encrypt and/or decrypt data. Prohibit the use of unencrypted storage, such as thumb drives, mobile phones, or computers. Require encryption of these mobile storage mediums before use.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF: PR.AC, PR.DS, DE.CM, ID.RA, ID.RM
HICP: TV1, Practice # 2
      None of the above. Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you’re transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. Encryption applications prevent hackers from accessing sensitive data, usually by requiring a “key” to encrypt and/or decrypt data. Prohibit the use of unencrypted storage, such as thumb drives, mobile phones, or computers. Require encryption of these mobile storage mediums before use.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF: PR.AC, PR.DS, DE.CM, ID.RA, ID.RM
HICP: TV1, Practice # 2
      I don’t know. Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you’re transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. Encryption applications prevent hackers from accessing sensitive data, usually by requiring a “key” to encrypt and/or decrypt data. Prohibit the use of unencrypted storage, such as thumb drives, mobile phones, or computers. Require encryption of these mobile storage mediums before use.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF: PR.AC, PR.DS, DE.CM, ID.RA, ID.RM
HICP: TV1, Practice # 2
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF: PR.AC, PR.DS, DE.CM, ID.RA, ID.RM
HICP: TV1, Practice # 2
  Notes            
13 Have you evaluated implementing encryption solutions for any of the following cloud services? (Email service, file storage, web applications, remote system backups)            
      All of the above. Encryption in these areas is critical to protecting ePHI in your cloud environments. Contracts with EHR vendors should include language that requires medical/PHI data to be encrypted both at rest and during transmission between systems.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF:
HICP: TV1, Practice # 1
      Some of the above. Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you’re transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. Contracts with EHR vendors should include language that requires medical/PHI data to be encrypted both at rest and during transmission between systems.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF:
HICP: TV1, Practice # 1
      None of the above. Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you’re transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. Contracts with EHR vendors should include language that requires medical/PHI data to be encrypted both at rest and during transmission between systems.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF:
HICP: TV1, Practice # 1
      Not applicable. Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you’re transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. Contracts with EHR vendors should include language that requires medical/PHI data to be encrypted both at rest and during transmission between systems.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF:
HICP: TV1, Practice # 1
      I don’t know. Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you’re transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. Contracts with EHR vendors should include language that requires medical/PHI data to be encrypted both at rest and during transmission between systems.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF:
HICP: TV1, Practice # 1
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF:
HICP: TV1, Practice # 1
  Notes            
14 Have you evaluated implementing any of the following encryption solutions for data in transit? (Encryption of internet traffic by means of a VPN, web traffic over HTTPS, encrypted email, or secure file transfer)
      All of the above. Encryption in these areas is critical to protecting ePHI in transit. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF:
HICP: TV1, Practice # 1, 4
      Some of the above. Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you’re transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF:
HICP: TV1, Practice # 1, 4
      None of the above. Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you’re transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF:
HICP: TV1, Practice # 1, 4
      I don’t know. Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you’re transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF:
HICP: TV1, Practice # 1, 4
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.312(e)(2)(ii)
NIST CSF:
HICP: TV1, Practice # 1, 4
  Notes            
15 Do you periodically review your information systems for how security settings can be implemented to safeguard ePHI?            
      Yes. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Patching (i.e., regularly updating) systems removes vulnerabilities that can be exploited by attackers. Each patch modifies a software application, rendering it more difficult for hackers to maintain programs that are aligned with the most current version of that software application. Configure endpoints to patch automatically and ensure that third-party applications (e.g., Adobe Flash) are patched as soon as possible. Schedule and conduct vulnerability scans on servers and systems under your control to proactively identify technology flaws. Remediate flaws based on the severity of the identified vulnerability. This method is considered an “unauthenticated scan.” The scanner has no extra sets of privileges to the server. It queries a server based on ports that are active and present for network connectivity. Each server is queried for vulnerabilities based upon the level of sophistication of the software scanner. Conduct web application scanning of internet-facing web servers, such as web-based patient portals. Specialized vulnerability scanners can interrogate running web applications to identify vulnerabilities in the application design. Conduct routine patching of security flaws in servers, applications (including web applications), and third-party software. Maintain software at least monthly, implementing patches distributed by the vendor community, if patching is not automatic. Robust patch management processes mitigate vulnerabilities associated with obsolete software versions, which are often easier for hackers to exploit.   Required HIPAA: §164.312(a)(1)
NIST CSF: PR.AC, PR.DS, ID.RA, PR.IP, DE.CM
HICP: TV1, Practice # 2, 7
      No. Consider periodically reviewing the security settings on all systems which process, store, or transmit ePHI for how you can implement mechanisms to protect ePHI. Patching (i.e., regularly updating) systems removes vulnerabilities that can be exploited by attackers. Each patch modifies a software application, rendering it more difficult for hackers to maintain programs that are aligned with the most current version of that software application. Configure endpoints to patch automatically and ensure that third-party applications (e.g., Adobe Flash) are patched as soon as possible. Schedule and conduct vulnerability scans on servers and systems under your control to proactively identify technology flaws. Remediate flaws based on the severity of the identified vulnerability. This method is considered an “unauthenticated scan.” The scanner has no extra sets of privileges to the server. It queries a server based on ports that are active and present for network connectivity. Each server is queried for vulnerabilities based upon the level of sophistication of the software scanner. Conduct web application scanning of internet-facing web servers, such as web-based patient portals. Specialized vulnerability scanners can interrogate running web applications to identify vulnerabilities in the application design. Conduct routine patching of security flaws in servers, applications (including web applications), and third-party software. Maintain software at least monthly, implementing patches distributed by the vendor community, if patching is not automatic. Robust patch management processes mitigate vulnerabilities associated with obsolete software versions, which are often easier for hackers to exploit.   Required HIPAA: §164.312(a)(1)
NIST CSF: PR.AC, PR.DS, ID.RA, PR.IP, DE.CM
HICP: TV1, Practice # 2, 7
      I don’t know. Consider looking into whether your practice periodically reviews the security settings on all systems which process, store, or transmit ePHI for how you can implement mechanisms to protect ePHI. Patching (i.e., regularly updating) systems removes vulnerabilities that can be exploited by attackers. Each patch changes the software, so exploit code written against an older version often stops working against the current one, which forces attackers to keep re-developing their tools. Configure endpoints to patch automatically and ensure that third-party applications (e.g., browser plug-ins and document readers; Adobe Flash, once the standard example, is now end-of-life and should be removed rather than patched) are patched as soon as possible. Schedule and conduct vulnerability scans on servers and systems under your control to proactively identify technology flaws, and remediate flaws based on the severity of the identified vulnerability. A scan run without credentials on the target is an “unauthenticated scan”: the scanner has no privileges on the server, probes only the ports and services reachable over the network, and reports findings limited by the sophistication of its own checks. An authenticated (credentialed) scan additionally logs in to the host and can verify installed package versions and local configuration, so it finds missing patches that are not visible from the network. Conduct web application scanning of internet-facing web servers, such as web-based patient portals; specialized vulnerability scanners can interrogate running web applications to identify vulnerabilities in the application design. Conduct routine patching of security flaws in servers, applications (including web applications), and third-party software. Maintain software at least monthly, implementing patches distributed by the vendor community, if patching is not automatic. Robust patch management processes mitigate vulnerabilities associated with obsolete software versions, which are often easier for hackers to exploit.   Required HIPAA: §164.312(a)(1)
NIST CSF: PR.AC, PR.DS, ID.RA, PR.IP, DE.CM
HICP: TV1, Practice # 2, 7
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.312(a)(1)
NIST CSF: PR.AC, PR.DS, ID.RA, PR.IP, DE.CM
HICP: TV1, Practice # 2, 7
  Notes            
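The severity-based remediation the guidance for this question calls for, as an added example that is not part of the SRA Tool or its sources: Python triage of scan findings using the CVSS v3 qualitative ranges, with remediation deadlines that are this example's assumed policy (7/30/90/180 days), run over constructed findings in a generic shape.

```python
"""Triage vulnerability-scan findings by severity and flag overdue remediation.

Added example; not part of the SRA Tool. The findings are constructed sample
data in a generic shape, and the remediation deadlines are an assumed
internal policy rather than anything HIPAA prescribes.
"""
from datetime import date, timedelta


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating (ranges from the CVSS spec)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


# Assumed remediation deadline (days after first detection) per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180, "none": None}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "none": 4}

# Constructed findings, as a parsed scanner export might look.
SAMPLE_FINDINGS = [
    {"host": "ehr-db01", "title": "Outdated database engine", "cvss": 9.8, "first_seen": "2024-03-01"},
    {"host": "portal-web01", "title": "TLS 1.0 enabled", "cvss": 6.5, "first_seen": "2024-03-20"},
    {"host": "portal-web01", "title": "Missing OS security update", "cvss": 7.8, "first_seen": "2024-04-02"},
    {"host": "reception-pc3", "title": "Server banner disclosure", "cvss": 0.0, "first_seen": "2024-04-05"},
]


def triage(findings, today: str):
    """Annotate each finding with severity, due date and an overdue flag, most urgent first."""
    today_d = date.fromisoformat(today)
    rows = []
    for f in findings:
        sev = cvss_severity(f["cvss"])
        sla = SLA_DAYS[sev]
        due = date.fromisoformat(f["first_seen"]) + timedelta(days=sla) if sla is not None else None
        rows.append({**f, "severity": sev,
                     "due": due.isoformat() if due else None,
                     "overdue": due is not None and today_d > due})
    # Overdue items first, then by severity, then oldest first.
    rows.sort(key=lambda r: (not r["overdue"], SEVERITY_ORDER[r["severity"]], r["first_seen"]))
    return rows


def overdue_by_host(findings, today: str):
    """Overdue findings per host: a simple patch-management metric to track month over month."""
    counts = {}
    for r in triage(findings, today):
        if r["overdue"]:
            counts[r["host"]] = counts.get(r["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS, "2024-04-15"):
        flag = "OVERDUE" if r["overdue"] else "ok"
        print(f'{flag:8} {r["severity"]:8} {r["host"]:14} {r["title"]} (due {r["due"]})')
```

A real scanner export (CSV or JSON from whichever product is in use) needs a small parser to produce the same dicts. The point is that every finding gets a due date the moment it is first seen, and that an unauthenticated scan of the same host will under-report missing local patches, so the credentialed results are the ones that should feed this queue.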
16 How are you aware of the security settings for information systems which process, store, or transmit ePHI?            
      All systems which create, receive, maintain, or transmit ePHI (including any firewalls, databases, servers, and networked devices) have been examined to determine how security settings can be implemented to most appropriately protect ePHI. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Vulnerability scans may yield large amounts of data, which organizations urgently need to classify, evaluate, and prioritize to remediate security flaws before an attacker can exploit them.   Required HIPAA: §164.312(a)(1)
NIST CSF: PR.AC, PR.DS, PR.IP, ID.RA, PR.MA, PR.PT, DE.CM
HICP: TV1, Practice # 7
      We are aware that systems have security settings to protect ePHI but have not reviewed all systems comprehensively. Consider reviewing security settings for all systems which process, store, and transmit ePHI. Vulnerability scans may yield large amounts of data, which organizations urgently need to classify, evaluate, and prioritize to remediate security flaws before an attacker can exploit them.   Required HIPAA: §164.312(a)(1)
NIST CSF: PR.AC, PR.DS, PR.IP, ID.RA, PR.MA, PR.PT, DE.CM
HICP: TV1, Practice # 7
      We do not have a process to review security settings for information systems which process, store, or transmit ePHI. If you do not identify the access control security settings necessary for each of your information systems and electronic devices, you are not taking full advantage of the security features available in the hardware and software. Vulnerability scans may yield large amounts of data, which organizations urgently need to classify, evaluate, and prioritize to remediate security flaws before an attacker can exploit them.   Required HIPAA: §164.312(a)(1)
NIST CSF: PR.AC, PR.DS, PR.IP, ID.RA, PR.MA, PR.PT, DE.CM
HICP: TV1, Practice # 7
      I don’t know. If you do not identify the access control security settings necessary for each of your information systems and electronic devices, you are not taking full advantage of the security features available in the hardware and software. Vulnerability scans may yield large amounts of data, which organizations urgently need to classify, evaluate, and prioritize to remediate security flaws before an attacker can exploit them.   Required HIPAA: §164.312(a)(1)
NIST CSF: PR.AC, PR.DS, PR.IP, ID.RA, PR.MA, PR.PT, DE.CM
HICP: TV1, Practice # 7
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.312(a)(1)
NIST CSF: PR.AC, PR.DS, PR.IP, ID.RA, PR.MA, PR.PT, DE.CM
HICP: TV1, Practice # 7
  Notes            
17 Do you use security settings and mechanisms to record and examine system activity?            
      Yes. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. User accounts enable organizations to control and monitor each user’s access to and activities on devices, EHRs, e-mail, and other third-party software systems.   Required HIPAA: §164.312(b)
NIST CSF: PR.DS, PR.PT, DE.CM
HICP: TV1, Practice # 3
      No. Consider implementing hardware, software, and/or procedural mechanisms to monitor system activity. User accounts enable organizations to control and monitor each user’s access to and activities on devices, EHRs, e-mail, and other third-party software systems.   Required HIPAA: §164.312(b)
NIST CSF: PR.DS, PR.PT, DE.CM
HICP: TV1, Practice # 3
      I don’t know. Consider looking into whether your practice has implemented hardware, software, and/or procedural mechanisms to monitor system activity. To meet the requirement, your practice should have system monitoring mechanisms in place where ePHI is accessible. User accounts enable organizations to control and monitor each user’s access to and activities on devices, EHRs, e-mail, and other third-party software systems.   Required HIPAA: §164.312(b)
NIST CSF: PR.DS, PR.PT, DE.CM
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.312(b)
NIST CSF: PR.DS, PR.PT, DE.CM
HICP: TV1, Practice # 3
  Notes            
18 What mechanisms are in place to monitor or log system activity?            
      Monitoring of system users, access attempts, and modifications. This includes a date/time stamp. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Implement access management procedures to track and monitor user access to computers and programs.   Required HIPAA: §164.312(b)
NIST CSF: PR.DS, PR.MA, PR.PT, DE.AE, DE.CM, RS.AN
HICP: TV1, Practice # 3
      Date/time stamp of system access attempts and modifications only. Determine the mechanisms available to log and monitor system activity. Make sure a procedure to monitor system activity logs is implemented and documented. Implement access management procedures to track and monitor user access to computers and programs.   Required HIPAA: §164.312(b)
NIST CSF: PR.DS, PR.MA, PR.PT, DE.AE, DE.CM, RS.AN
HICP: TV1, Practice # 3
      Monitoring of system modifications only. Determine the mechanisms available to log and monitor system activity. Make sure a procedure to monitor system activity logs is implemented and documented. Implement access management procedures to track and monitor user access to computers and programs.   Required HIPAA: §164.312(b)
NIST CSF: PR.DS, PR.MA, PR.PT, DE.AE, DE.CM, RS.AN
HICP: TV1, Practice # 3
      Identity of users accessing and modifying within the system. Determine the mechanisms available to log and monitor system activity. Make sure a procedure to monitor system activity logs is implemented and documented. Implement access management procedures to track and monitor user access to computers and programs.   Required HIPAA: §164.312(b)
NIST CSF: PR.DS, PR.MA, PR.PT, DE.AE, DE.CM, RS.AN
HICP: TV1, Practice # 3
      None of the above. Determine the mechanisms available to log and monitor system activity. Make sure a procedure to monitor system activity logs is implemented and documented. Implement access management procedures to track and monitor user access to computers and programs.   Required HIPAA: §164.312(b)
NIST CSF: PR.DS, PR.MA, PR.PT, DE.AE, DE.CM, RS.AN
HICP: TV1, Practice # 3
      Other. Determine the mechanisms available to log and monitor system activity. Make sure a procedure to monitor system activity logs is implemented and documented. Implement access management procedures to track and monitor user access to computers and programs.   Required HIPAA: §164.312(b)
NIST CSF: PR.DS, PR.MA, PR.PT, DE.AE, DE.CM, RS.AN
HICP: TV1, Practice # 3
      I don’t know. Determine the mechanisms available to log and monitor system activity. Make sure a procedure to monitor system activity logs is implemented and documented. Implement access management procedures to track and monitor user access to computers and programs.   Required HIPAA: §164.312(b)
NIST CSF: PR.DS, PR.MA, PR.PT, DE.AE, DE.CM, RS.AN
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.312(b)
NIST CSF: PR.DS, PR.MA, PR.PT, DE.AE, DE.CM, RS.AN
HICP: TV1, Practice # 3
  Notes            
19 How do you monitor or track ePHI system activity?            
      System activity records are reviewed on a regular basis. The frequency of reviews is documented within our procedures. Results of activity reviews are also maintained, including activities which may prompt further investigation. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Implement access management procedures to track and monitor user access to computers and programs.   Required HIPAA: §164.308(a)(1)(ii)(D)
NIST CSF: ID.RA, PR.DS, PR.MA, PR.PT, DE.AE, DE.CM, RS.AN
HICP: TV1, Practice # 3
      System activity records are reviewed as needed but not on a regular basis. Results of activity reviews are maintained, including activities which may prompt further investigation. Ensure your practice is able to detect and prevent security incidents by regularly reviewing system activity information as part of its ongoing operations and following security incidents. Implement access management procedures to track and monitor user access to computers and programs.   Required HIPAA: §164.308(a)(1)(ii)(D)
NIST CSF: ID.RA, PR.DS, PR.MA, PR.PT, DE.AE, DE.CM, RS.AN
HICP: TV1, Practice # 3
      System activity records are reviewed as needed but not on a regular basis. Documentation of activity reviews are not maintained. Ensure your practice is able to detect and prevent security incidents by regularly reviewing system activity information as part of its ongoing operations and following security incidents. Implement access management procedures to track and monitor user access to computers and programs.   Required HIPAA: §164.308(a)(1)(ii)(D)
NIST CSF: ID.RA, PR.DS, PR.MA, PR.PT, DE.AE, DE.CM, RS.AN
HICP: TV1, Practice # 3
      System activity records are not reviewed as needed or on a regular basis. Ensure your practice is able to detect and prevent security incidents by regularly reviewing system activity information as part of its ongoing operations and following security incidents. Implement access management procedures to track and monitor user access to computers and programs.   Required HIPAA: §164.308(a)(1)(ii)(D)
NIST CSF: ID.RA, PR.DS, PR.MA, PR.PT, DE.AE, DE.CM, RS.AN
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(1)(ii)(D)
NIST CSF: ID.RA, PR.DS, PR.MA, PR.PT, DE.AE, DE.CM, RS.AN
HICP: TV1, Practice # 3
  Notes            
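The routine review of system activity records that question 19 describes, as an added example that is not from the SRA Tool: Python detection logic run over constructed audit records in a generic one-event-per-line format (timestamp, user, action, record id, result). The business-hours window and the two thresholds are assumptions for the example and should be tuned to the practice's actual schedule and normal access volumes.

```python
"""Review EHR audit-log records and flag activity that warrants investigation.

Added example; not part of the SRA Tool. The log format is a constructed,
generic one: timestamp, user, action, patient record id, result. Real EHR
audit exports differ, so adapt parse(). Thresholds are assumed values.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (ISO timestamp | user | action | record | result).
SAMPLE_LOG = """\
2024-04-15T08:05:12 jsmith LOGIN - success
2024-04-15T08:06:40 jsmith VIEW P1001 success
2024-04-15T08:07:01 jsmith VIEW P1002 success
2024-04-15T12:30:55 rlee LOGIN - failure
2024-04-15T12:31:10 rlee LOGIN - failure
2024-04-15T12:31:22 rlee LOGIN - failure
2024-04-15T12:31:40 rlee LOGIN - failure
2024-04-15T12:32:01 rlee LOGIN - failure
2024-04-15T12:32:15 rlee LOGIN - failure
2024-04-15T23:14:03 tnguyen LOGIN - success
2024-04-15T23:15:20 tnguyen VIEW P2001 success
2024-04-15T23:15:33 tnguyen VIEW P2002 success
2024-04-15T23:15:47 tnguyen VIEW P2003 success
2024-04-15T23:16:02 tnguyen VIEW P2004 success
2024-04-15T23:16:19 tnguyen VIEW P2005 success
2024-04-15T23:16:35 tnguyen VIEW P2006 success
2024-04-15T23:16:50 tnguyen MODIFY P2006 success
"""

BUSINESS_HOURS = (7, 19)      # assumed: 07:00 to 19:00 local time
FAILED_LOGIN_THRESHOLD = 5    # assumed: failed logins per user in the reviewed period
BULK_VIEW_THRESHOLD = 5       # assumed: distinct patient records per user per day


def parse(log_text: str):
    """Turn the one-line-per-event text into dicts with a real datetime."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record, result = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "record": record, "result": result})
    return records


def review(records):
    """Return a sorted list of (user, reason) findings for the reviewer to follow up."""
    findings = set()
    failed = defaultdict(int)
    viewed = defaultdict(set)
    for r in records:
        hour = r["ts"].hour
        # Successful activity outside business hours.
        if r["result"] == "success" and not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            findings.add((r["user"], "after-hours access"))
        # Repeated failed logins (password guessing or a locked-out user).
        if r["action"] == "LOGIN" and r["result"] == "failure":
            failed[r["user"]] += 1
        # Distinct records touched per user per day (bulk browsing / snooping).
        if r["action"] in ("VIEW", "MODIFY") and r["result"] == "success":
            viewed[(r["user"], r["ts"].date())].add(r["record"])
    for user, n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.add((user, f"{n} failed logins"))
    for (user, day), recs in viewed.items():
        if len(recs) >= BULK_VIEW_THRESHOLD:
            findings.add((user, f"accessed {len(recs)} distinct records on {day}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in review(parse(SAMPLE_LOG)):
        print(f"{user:10} {reason}")
```

Keep the output of each run with the date reviewed and who reviewed it; that record of the review, including the items escalated for investigation, is what the first answer option asks for.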
20 Do you have automatic logoff enabled on devices and platforms accessing ePHI?            
      Yes, automatic logoff is enabled on all devices and platforms to terminate access to ePHI after a set time of inactivity. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes.   Addressable HIPAA: §164.312(a)(2)(iii)
NIST CSF: PR.AC, PR.DS
HICP: TV1, Practice # 3
      Yes, automatic logoff is enabled but not on all devices and platforms to terminate access to ePHI after a set time of inactivity. Consider implementing automatic logoff on all devices and platforms which access ePHI. If this is not determined to be reasonable and appropriate, document the reason why and what compensating control is in its place. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes.   Addressable HIPAA: §164.312(a)(2)(iii)
NIST CSF: PR.AC, PR.DS
HICP: TV1, Practice # 3
      Automatic time-out is enabled on electronic devices accessing ePHI, but automatic logoff to fully terminate the session is not enabled. Consider implementing automatic logoff on all devices and platforms which access ePHI. If this is not determined to be reasonable and appropriate, document the reason why and what compensating control is in its place. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes.   Addressable HIPAA: §164.312(a)(2)(iii)
NIST CSF: PR.AC, PR.DS
HICP: TV1, Practice # 3
      Automatic logoff is not enabled on devices or platforms accessing ePHI. Consider implementing automatic logoff on all devices and platforms which access ePHI. If this is not determined to be reasonable and appropriate, document the reason why and what compensating control is in its place. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes.   Addressable HIPAA: §164.312(a)(2)(iii)
NIST CSF: PR.AC, PR.DS
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.312(a)(2)(iii)
NIST CSF: PR.AC, PR.DS
HICP: TV1, Practice # 3
  Notes            
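Automatic logoff as a server-side control, as an added example that is not part of the SRA Tool: a Python session store with an idle timeout and an absolute lifetime (both assumed values). The distinction the third answer option draws matters here: a workstation screen lock alone leaves the application session valid, whereas in this store an expired session is deleted when it is next presented and also by a periodic sweep, so the token cannot be reused.

```python
"""Server-side session expiry: an idle timeout that terminates the session.

Added example; not part of the SRA Tool. The 15-minute idle limit and the
8-hour absolute lifetime are assumed policy values. Times are Unix seconds
passed in explicitly so the behaviour can be exercised without waiting.
"""
import secrets

IDLE_TIMEOUT = 15 * 60        # seconds without activity before logoff (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600   # seconds after login before logoff regardless (assumed)


class SessionStore:
    def __init__(self):
        self._sessions = {}   # token -> {"user", "created", "last_seen"}

    def login(self, user: str, now: float) -> str:
        """Issue an unguessable token for an already-authenticated user."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def _expired(self, s: dict, now: float) -> bool:
        return (now - s["last_seen"] > IDLE_TIMEOUT
                or now - s["created"] > ABSOLUTE_TIMEOUT)

    def authenticate(self, token: str, now: float):
        """Return the user for a live session, or None.

        An expired session is deleted here (automatic logoff), not merely
        hidden, so presenting the same token again can never revive it."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._expired(s, now):
            del self._sessions[token]
            return None
        s["last_seen"] = now   # activity resets the idle clock, not the absolute one
        return s["user"]

    def logout(self, token: str) -> None:
        """Explicit user logoff."""
        self._sessions.pop(token, None)

    def purge(self, now: float) -> int:
        """Periodic sweep so idle sessions die even if the token is never presented again."""
        dead = [t for t, s in self._sessions.items() if self._expired(s, now)]
        for t in dead:
            del self._sessions[t]
        return len(dead)

    def active_count(self) -> int:
        return len(self._sessions)
```

The client-side lock (screen saver, portal time-out dialog) is still worth keeping, but it is the server-side deletion that satisfies "terminate access to ePHI": once the entry is gone, a stolen or cached token is just a random string.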
21 Do you ensure users accessing ePHI are who they claim to be?            
      Yes. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. The use of shared or generic accounts should be avoided. If shared accounts are required, train and regularly remind users that they must sign out upon completion of activity or whenever they leave the device, even for a moment. Passwords should be changed after each use. Sharing accounts exposes organizations to greater vulnerabilities. For example, the complexity of updating passwords for multiple users on a shared account may result in a compromised password remaining active and allowing unauthorized access over an extended period of time.   Required HIPAA: §164.312(d)
NIST CSF: PR.AC, PR.DS, PR.MA, DE.CM
HICP: TV1, Practice # 3
      No. Procedures should be in place to verify users accessing ePHI are who they claim to be, such as user authentication. The use of shared or generic accounts should be avoided. If shared accounts are required, train and regularly remind users that they must sign out upon completion of activity or whenever they leave the device, even for a moment. Passwords should be changed after each use. Sharing accounts exposes organizations to greater vulnerabilities. For example, the complexity of updating passwords for multiple users on a shared account may result in a compromised password remaining active and allowing unauthorized access over an extended period of time.   Required HIPAA: §164.312(d)
NIST CSF: PR.AC, PR.DS, PR.MA, DE.CM
HICP: TV1, Practice # 3
      I don’t know. Procedures should be in place to verify users accessing ePHI are who they claim to be, such as user authentication. The use of shared or generic accounts should be avoided. If shared accounts are required, train and regularly remind users that they must sign out upon completion of activity or whenever they leave the device, even for a moment. Passwords should be changed after each use. Sharing accounts exposes organizations to greater vulnerabilities. For example, the complexity of updating passwords for multiple users on a shared account may result in a compromised password remaining active and allowing unauthorized access over an extended period of time.   Required HIPAA: §164.312(d)
NIST CSF: PR.AC, PR.DS, PR.MA, DE.CM
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.312(d)
NIST CSF: PR.AC, PR.DS, PR.MA, DE.CM
HICP: TV1, Practice # 3
  Notes            
22 How do you ensure users accessing ePHI are who they claim to be?            
      Users authenticate themselves to access ePHI using the method authorized by our practice’s policy and procedure (for example, user name and password, physical token, or biometric feature). This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes. Implement multi-factor authentication (MFA) for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.   Required HIPAA: §164.312(d)
NIST CSF: PR.AC, PR.DS, PR.MA, DE.CM
HICP: TV1, Practice # 3
      Users authenticate themselves to access ePHI, but we do not have a policy or procedure prescribing the method. Requiring that users utilize unique usernames and passwords, or other forms of authentication, helps to reduce the risk that unauthorized users can access ePHI and compromise access controls already in place. Ensure this is consistently implemented at your practice by having documented procedures to verify that a person or entity seeking access to ePHI is the one claimed. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes. Implement multi-factor authentication (MFA) for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.   Required HIPAA: §164.312(d)
NIST CSF: PR.AC, PR.DS, PR.MA, DE.CM
HICP: TV1, Practice # 3
      Users do not always have unique authentication to access ePHI (for example, inadvisable practices such as sharing user names and passwords between multiple members of the workforce may occur). Requiring that users utilize unique usernames and passwords, or other forms of authentication, helps to reduce the risk that unauthorized users can access ePHI and compromise access controls already in place. Ensure this is consistently implemented at your practice by having documented procedures to verify that a person or entity seeking access to ePHI is the one claimed. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes. Implement multi-factor authentication (MFA) for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.   Required HIPAA: §164.312(d)
NIST CSF: PR.AC, PR.DS, PR.MA, DE.CM
HICP: TV1, Practice # 3
      We do not have a procedure for authenticating users. Requiring that users utilize unique usernames and passwords, or other forms of authentication, helps to reduce the risk that unauthorized users can access ePHI and compromise access controls already in place. Ensure this is consistently implemented at your practice by having documented procedures to verify that a person or entity seeking access to ePHI is the one claimed. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes. Implement multi-factor authentication (MFA) for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.   Required HIPAA: §164.312(d)
NIST CSF: PR.AC, PR.DS, PR.MA, DE.CM
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.312(d)
NIST CSF: PR.AC, PR.DS, PR.MA, DE.CM
HICP: TV1, Practice # 3
  Notes            
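The authentication that questions 21 and 22 describe (a unique account per user, a password, and a second factor), as an added example that is not from the SRA Tool: a standard-library-only Python verifier combining PBKDF2 password hashing with an RFC 6238 time-based one-time code. The user record is constructed; the TOTP key is the RFC 4226/6238 test-vector secret so the codes can be checked against the published vectors. The PBKDF2 iteration count and the one-step clock-drift window are assumed values.

```python
"""Verify a user by password plus a time-based one-time code (TOTP, RFC 6238).

Added example; not part of the SRA Tool. The user store is constructed sample
data. The TOTP secret is the RFC 4226/6238 test-vector key "12345678901234567890"
so the codes match the published vectors (e.g. 287082 at Unix time 59).
"""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 200_000   # assumed; raise as hardware allows


def hash_password(password: str, salt: bytes = None) -> tuple:
    """PBKDF2-HMAC-SHA256 with a per-user random salt. Returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current 30-second step plus `window` steps either side for clock drift."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, timestamp + k * 30), code):
            return True
    return False


# Constructed user store: one account per person, never shared.
_SALT, _DIGEST = hash_password("correct horse battery staple")
USERS = {
    "jsmith": {"salt": _SALT, "digest": _DIGEST,
               "totp_secret": b"12345678901234567890"},   # RFC test-vector key
}


def authenticate(username: str, password: str, code: str, timestamp: int = None) -> bool:
    """Both factors must pass; the caller cannot tell which one failed."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    user = USERS.get(username)
    if user is None:
        # Hash anyway so an unknown username takes as long as a known one.
        hash_password(password, b"\x00" * 16)
        return False
    _, digest = hash_password(password, user["salt"])
    password_ok = hmac.compare_digest(digest, user["digest"])
    code_ok = verify_totp(user["totp_secret"], code, timestamp)
    return password_ok and code_ok
```

The TOTP secret must be stored with the same care as a password hash (it is a shared secret, not a hash), and the comparison uses hmac.compare_digest so the check does not leak where the mismatch occurred. A shared account would defeat the whole design: the log would record only the account name, and a single compromised code or password would cover every person using it.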
23 How do you determine the means by which ePHI is accessed?            
      All systems, devices, and applications which access ePHI are identified, evaluated, approved, and inventoried. Users can only access ePHI through these approved systems, devices, and applications. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are accessed off site, leverage technologies that use multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.   Required HIPAA: §164.312(d)
NIST CSF: PR.AC, PR.DS, PR.MA, DE.CM, PR.IP
HICP: TV1, Practice # 3
      Applications which access ePHI are identified, evaluated, approved, and inventoried, but we do not manage which devices can access these applications (e.g. workforce members’ personal devices accessing a cloud-based EHR without first identifying and approving the device). An unmanaged device could compromise data accessed through an otherwise secure application. Consider implementing a device management process to ensure security standards are in place for all endpoints accessing ePHI. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are accessed off site, leverage technologies that use multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.   Required HIPAA: §164.312(d)
NIST CSF: PR.AC, PR.DS, PR.MA, DE.CM, PR.IP
HICP: TV1, Practice # 3
      Devices and systems which access ePHI are identified, evaluated, approved, and inventoried, but we do not manage which applications on those devices can access ePHI (e.g. ePHI is maintained in formats which can be opened by many applications). A secure device can still expose data when the data itself is handled by potentially insecure applications. Consider implementing a process to manage which applications access ePHI and how they will securely be enabled to do so. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are accessed off site, leverage technologies that use multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.   Required HIPAA: §164.312(d)
NIST CSF: PR.AC, PR.DS, PR.MA, DE.CM, PR.IP
HICP: TV1, Practice # 3
      We do not have a procedure for determining the means by which ePHI can be accessed appropriately. Failing to manage which devices and applications can access ePHI enables widespread access that may not be secure, increasing the chance for the confidentiality, integrity, and availability of ePHI to be compromised. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are accessed off site, leverage technologies that use multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.   Required HIPAA: §164.312(d)
NIST CSF: PR.AC, PR.DS, PR.MA, DE.CM, PR.IP
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.312(d)
NIST CSF: PR.AC, PR.DS, PR.MA, DE.CM, PR.IP
HICP: TV1, Practice # 3
  Notes            
24 Do you protect ePHI from unauthorized modification or destruction?            
      Yes. We have developed and implemented policies and procedures to protect ePHI from improper alteration or destruction. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data.   Required HIPAA: §164.312(c)(1)
NIST CSF: PR.DS
HICP: TV1, Practice # 4
      Yes. We have some procedures to protect the integrity of our ePHI but these may not be totally comprehensive. Implement policies and procedures to protect ePHI from unauthorized modification or destruction, such as user activity monitoring or data validation tools. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data.   Required HIPAA: §164.312(c)(1)
NIST CSF: PR.DS
HICP: TV1, Practice # 4
      No. We do not have policies or procedures to ensure the protection of ePHI. Implement policies and procedures to protect ePHI from unauthorized modification or destruction, such as user activity monitoring or data validation tools. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data.   Required HIPAA: §164.312(c)(1)
NIST CSF: PR.DS
HICP: TV1, Practice # 4
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.312(c)(1)
NIST CSF: PR.DS
HICP: TV1, Practice # 4
  Notes            
25 How do you confirm that ePHI has not been modified or destroyed without authorization?            
      We have mechanisms (e.g. integrity verification tools) to corroborate that ePHI has not been altered or destroyed in an unauthorized manner or detect if such alteration occurs. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Implement data loss prevention technologies to mitigate the risk of unauthorized access to PHI.   Addressable HIPAA: §164.312(c)(2)
NIST CSF: PR.DS, DE.CM, DE.AE
HICP: TV1, Practice # 4
      We manually monitor changes made to ePHI in systems with audit log functionality, but do not have automated systems. Manual review of audit logs gives some assurance, but it does not scale and can miss alterations made between reviews. You may want to consider implementing automated electronic mechanisms and/or integrity verification tools. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Implement data loss prevention technologies to mitigate the risk of unauthorized access to PHI.   Addressable HIPAA: §164.312(c)(2)
NIST CSF: PR.DS, DE.CM, DE.AE
HICP: TV1, Practice # 4
      We do not have resources or procedures in place to verify the integrity of ePHI. Your practice may not be able to safeguard its ePHI if it does not have authentication mechanisms and tools, such as log monitoring or data encryption validation, that can authenticate ePHI. Consider implementing a procedure to validate the integrity of your ePHI. If this is determined to not be reasonable and appropriate, document the reason why and what compensating control is in its place. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Implement data loss prevention technologies to mitigate the risk of unauthorized access to PHI.   Addressable HIPAA: §164.312(c)(2)
NIST CSF: PR.DS, DE.CM, DE.AE
HICP: TV1, Practice # 4
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.312(c)(2)
NIST CSF: PR.DS, DE.CM, DE.AE
HICP: TV1, Practice # 4
  Notes            
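One mechanism that serves both question 18 (record who did what to which record, with a date/time stamp) and question 25 (an integrity verification tool that detects unauthorized alteration or deletion): an added Python example, not from the SRA Tool, of a hash-chained audit log with a verify step. Each entry's SHA-256 covers its own fields and the previous entry's hash, so editing, deleting or reordering any stored entry breaks the chain at a detectable point. The sample entries are constructed.

```python
"""Append-only, hash-chained audit log with integrity verification.

Added example; not part of the SRA Tool. Entries are kept in memory here;
in practice they would be written to append-only storage and the latest hash
copied somewhere application users cannot write. Sample entries are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64   # previous-hash value for the very first entry


def entry_hash(prev_hash: str, entry: dict) -> str:
    """SHA-256 over the previous hash plus a canonical JSON encoding of the entry's fields."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []   # list of dicts, each carrying its own "hash"

    def append(self, ts: str, user: str, action: str, record: str, detail: str = "") -> str:
        """Record who (user) did what (action) to which record and when (ts); returns the new chain head."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"ts": ts, "user": user, "action": action,
                 "record": record, "detail": detail}
        entry["hash"] = entry_hash(prev, entry)
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        """Latest hash; this is the value to anchor externally."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self):
        """Recompute every hash from genesis. Returns (True, None) or (False, index_of_first_bad_entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            fields = {k: v for k, v in e.items() if k != "hash"}
            if entry_hash(prev, fields) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def build_sample() -> AuditLog:
    """Constructed sample activity."""
    log = AuditLog()
    log.append("2024-04-15T08:06:40", "jsmith", "VIEW", "P1001")
    log.append("2024-04-15T08:09:12", "jsmith", "MODIFY", "P1001", "allergy list updated")
    log.append("2024-04-15T09:41:03", "rlee", "VIEW", "P1002")
    return log


if __name__ == "__main__":
    log = build_sample()
    print("intact:", log.verify())
    log.entries[1]["user"] = "rlee"   # simulate someone editing the stored log
    print("after tampering:", log.verify())
```

A chain proves that the stored log matches what was appended, in order; it does not stop someone who controls the storage from rewriting the whole chain from genesis. Copy the head hash periodically to a location the application's users cannot write (or sign it) and compare it during the routine review; a rewrite then has to break that anchor as well.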
26 Do you protect against unauthorized access to or modification of ePHI when it is being transmitted electronically?            
      Yes. We have implemented technical security measures and procedures to prevent unauthorized access to and detect modification of transmitted ePHI. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. When e-mailing PHI, use a secure messaging application such as Direct Secure Messaging (DSM), which is a nationally adopted secure e-mail protocol and network for transmitting PHI. DSM can be obtained from EHR vendors and other health information exchange systems. It was developed and adopted through the Meaningful Use program, and many medical organizations nationwide now use DSM networks. When texting PHI, use a secure texting system.   Required HIPAA: §164.312(e)(1)
NIST CSF: PR.AC, PR.DS
HICP: TV1, Practice # 1, 4
      We have developed policies and procedures to guide workforce members on the secure transmission of ePHI, but no resources are in place (e.g. encrypted email). Implement technical security measures to guard against unauthorized access to ePHI that is transmitted over an electronic communication network in addition to developing protocols and procedures. Consider implementing measures to detect modification of transmitted ePHI; if this is determined to not be reasonable and appropriate, document the reason why along with the compensating control in place. When e-mailing PHI, use a secure messaging application such as Direct Secure Messaging (DSM), which is a nationally adopted secure e-mail protocol and network for transmitting PHI. DSM can be obtained from EHR vendors and other health information exchange systems. It was developed and adopted through the Meaningful Use program, and many medical organizations nationwide now use DSM networks. When texting PHI, use a secure texting system.   Required HIPAA: §164.312(e)(1)
NIST CSF: PR.AC, PR.DS
HICP: TV1, Practice # 1, 4
      Workforce members are verbally instructed to use secure modes of ePHI transmission. Implement technical security measures to guard against unauthorized access to ePHI that is transmitted over an electronic communication network, in addition to developing protocols and procedures. Consider implementing measures to detect modification of transmitted ePHI; if this is determined to not be reasonable and appropriate, document the reason why along with the compensating control in place. When e-mailing PHI, use a secure messaging application such as Direct Secure Messaging (DSM), which is a nationally adopted secure e-mail protocol and network for transmitting PHI. DSM can be obtained from EHR vendors and other health information exchange systems. It was developed and adopted through the Meaningful Use program, and many medical organizations nationwide now use DSM networks. When texting PHI, use a secure texting system.   Required HIPAA: §164.312(e)(1)
NIST CSF: PR.AC, PR.DS
HICP: TV1, Practice # 1, 4
      No. We have not considered how to securely transmit ePHI. Implement technical security measures to guard against unauthorized access to ePHI that is transmitted over an electronic communication network, in addition to developing protocols and procedures. Consider implementing measures to detect modification of transmitted ePHI; if this is determined to not be reasonable and appropriate, document the reason why along with the compensating control in place. When e-mailing PHI, use a secure messaging application such as Direct Secure Messaging (DSM), which is a nationally adopted secure e-mail protocol and network for transmitting PHI. DSM can be obtained from EHR vendors and other health information exchange systems. It was developed and adopted through the Meaningful Use program, and many medical organizations nationwide now use DSM networks. When texting PHI, use a secure texting system.   Required HIPAA: §164.312(e)(1)
NIST CSF: PR.AC, PR.DS
HICP: TV1, Practice # 1, 4
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.312(e)(1)
NIST CSF: PR.AC, PR.DS
HICP: TV1, Practice # 1, 4
  Notes            
27 Have you implemented mechanisms to record activity on information systems which create or use ePHI?
      Yes. Activity on systems which create or use ePHI is recorded and examined. This is documented in our procedures, including a complete inventory of systems that record activity and how it is examined. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.   Required HIPAA: §164.312(b)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.AE, DE.CM, RS.AN, PR.MA
HICP: TV1, Practice # 3
      Yes. Activity on systems which create or use ePHI is recorded and examined through hardware, software, or procedural mechanisms. However, this process is not formally documented in our procedures. Mechanisms in place to record and examine activity on information systems which contain or use ePHI should be documented in your security documentation. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.   Required HIPAA: §164.312(b)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.AE, DE.CM, RS.AN, PR.MA
HICP: TV1, Practice # 3
      Yes. Activity on systems which create or use ePHI should be recorded and examined per our procedures, but we do not have actual hardware, software, or procedural mechanisms in place. Mechanisms should be in place to record and examine activity on information systems which contain or use ePHI. These mechanisms should be documented in your security documentation. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.   Required HIPAA: §164.312(b)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.AE, DE.CM, RS.AN, PR.MA
HICP: TV1, Practice # 3
      No. We do not have procedures or mechanisms to record and examine activity on information systems which create or use ePHI. Mechanisms should be in place to record and examine activity on information systems which contain or use ePHI. These mechanisms should be documented in your security documentation. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.   Required HIPAA: §164.312(b)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.AE, DE.CM, RS.AN, PR.MA
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.312(b)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.AE, DE.CM, RS.AN, PR.MA
HICP: TV1, Practice # 3
  Notes            
               
Threats & Vulnerabilities         Likelihood Impact Risk Score
1 Inadequate access controls            
      Information disclosure, loss, or theft (ePHI, proprietary, intellectual, or confidential)        
      Disruption of information system function or adversarial access to unauthorized network segments        
      Malware installation on information systems or devices        
      Unauthorized modification of sensitive information        
      Information system access granted to unauthorized persons or entities        
2 Lack of documentation for controlling user access            
      Illegitimate assignment of permissions for users        
      Unguided procedures when determining levels of user access        
3 Inadequate procedures for evaluating user activity logs            
      Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)        
      Unknown source of a security/privacy related incident        
      Information system access granted to unauthorized personnel        
      Unauthorized access to or modification of ePHI/sensitive information        
4 Users have more access rights than needed to complete daily tasks            
      Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)        
      Unauthorized access to ePHI/sensitive information        
      Unauthorized modification of critical network systems and data        
5 Non-unique login credentials for workforce members            
      Users violate security rules on information systems        
      Unknown or unidentified security incidents or breaches occur        
      Unauthorized user impersonating an authorized user        
6 Inadequate use of encryption for ePHI            
      Disclosure of passwords or login information        
      Information disclosure, loss, or theft (ePHI, proprietary, intellectual, or confidential)        
      Fines from regulatory enforcement (due to lack of encryption safe harbor)        
      Information system access granted to unauthorized personnel        
      Unauthorized access to or modification of ePHI/sensitive information        
7 Inadequate review of computer systems to ensure maximum security            
      Accidental modification to ePHI/sensitive information        
      Denial of service (DoS) to critical systems        
      Disclosure of passwords and/or login information        
      Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)        
      Exploitation of unpatched systems & software        
      Unauthorized access to or modification of ePHI/sensitive information        
8 Lack of automatic logoff/screen lock of computer systems            
      Unauthorized access to information systems or devices        
      Malware installation on information systems or devices        
      Disclosure of passwords and/or login information        
      Denial of service (DoS) to critical systems        
      Accidental modification to ePHI        
      Adversary access to unauthorized network segments        
      Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)        
      Exploitation of unpatched systems & software        
      Unauthorized access to or modification of ePHI/sensitive information        
9 Inadequate integrity verification of ePHI            
      Accidental modification to ePHI        
      Damage to public reputation via misuse of patient chart data        
      Inaccurate information given to patients or providers        
      Unauthorized modification to ePHI        
10 ePHI in transit lacking encryption            
      Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)        
      Unauthorized access to or modification of ePHI/sensitive information        
      Fines from regulatory enforcement (due to lack of encryption safe harbor)        
               


Sheet 6: Section 5

Section 5 – Security and the Practice
Question # Question Text Response Indicator Question Responses Guidance Risk Indicated Required? Reference
Section Questions              
1 Do you manage access to and use of your facility or facilities [i.e. that house information systems and ePHI]?            
      Yes. We have written procedures in place restricting access to and use of our facilities. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure physical rooms and wireless networks to allow internet access only.   Required HIPAA: §164.310(a)(1)
NIST CSF: ID.RA, PR.AC, DE.CM, PR.IP
HICP: TV1, Practice # 6
      Yes. Authorization of access to and use of our facilities is verbally communicated, but we do not have written procedures. Consider implementing documented procedures to govern access to facilities. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure physical rooms and wireless networks to allow internet access only.   Required HIPAA: §164.310(a)(1)
NIST CSF: ID.RA, PR.AC, DE.CM, PR.IP
HICP: TV1, Practice # 6
      No. We do not have a process to restrict access to our facilities. Consider implementing documented procedures to govern access to facilities. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure physical rooms and wireless networks to allow internet access only.   Required HIPAA: §164.310(a)(1)
NIST CSF: ID.RA, PR.AC, DE.CM, PR.IP
HICP: TV1, Practice # 6
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.310(a)(1)
NIST CSF: ID.RA, PR.AC, DE.CM, PR.IP
HICP: TV1, Practice # 6
  Notes            
2 What physical protections do you have in place to manage facility security risks?            
      We have methods for controlling and managing physical access to our facility such as keypads, locks, security cameras, etc. We also have an inventory of our practice’s facilities that house equipment that creates, maintains, receives, and transmits ePHI. Our policies and procedures outline management’s involvement in facility access control and how authorization credentials for facility access are issued and removed for our workforce members and/or visitors. Workforce members’ roles and responsibilities in facility access control procedures are documented and communicated. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user “plugging in” to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.   Addressable HIPAA: §164.310(a)(2)(ii)
NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM
HICP: TV1, Practice # 6
      We have written procedures documenting our management’s involvement in facility access control procedures. Ensure only authorized access to ePHI and facilities is allowed by implementing policies and procedures to limit physical access to systems and facilities housing ePHI. Consider implementing policies and procedures to safeguard the facility and equipment from unauthorized tampering, theft, or physical access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user “plugging in” to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.   Addressable HIPAA: §164.310(a)(2)(ii)
NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM
HICP: TV1, Practice # 6
      We have written procedures documenting how authorization credentials for facility access are issued and removed for our workforce members and/or visitors. Ensure only authorized access to ePHI and facilities is allowed by implementing policies and procedures to limit physical access to systems and facilities housing ePHI. Consider implementing policies and procedures to safeguard the facility and equipment from unauthorized tampering, theft, or physical access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user “plugging in” to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.   Addressable HIPAA: §164.310(a)(2)(ii)
NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM
HICP: TV1, Practice # 6
      We have methods for controlling and managing physical access to our facility such as keypads, locks, security cameras, etc. Ensure only authorized access to ePHI and facilities is allowed by implementing policies and procedures to limit physical access to systems and facilities housing ePHI. Consider implementing policies and procedures to safeguard the facility and equipment from unauthorized tampering, theft, or physical access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user “plugging in” to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.   Addressable HIPAA: §164.310(a)(2)(ii)
NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM
HICP: TV1, Practice # 6
      We have an inventory of our practice’s facilities that house equipment that creates, maintains, receives, and transmits ePHI. Ensure only authorized access to ePHI and facilities is allowed by implementing policies and procedures to limit physical access to systems and facilities housing ePHI. Consider implementing policies and procedures to safeguard the facility and equipment from unauthorized tampering, theft, or physical access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user “plugging in” to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.   Addressable HIPAA: §164.310(a)(2)(ii)
NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM
HICP: TV1, Practice # 6
      We do not have physical protections in place to manage facility security risks. Ensure only authorized access to ePHI and facilities is allowed by implementing policies and procedures to limit physical access to systems and facilities housing ePHI. Consider implementing policies and procedures to safeguard the facility and equipment from unauthorized tampering, theft, or physical access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user “plugging in” to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.   Addressable HIPAA: §164.310(a)(2)(ii)
NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM
HICP: TV1, Practice # 6
      I don’t know. Ensure only authorized access to ePHI and facilities is allowed by implementing policies and procedures to limit physical access to systems and facilities housing ePHI. Consider implementing policies and procedures to safeguard the facility and equipment from unauthorized tampering, theft, or physical access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user “plugging in” to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.   Addressable HIPAA: §164.310(a)(2)(ii)
NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM
HICP: TV1, Practice # 6
      Other. Ensure only authorized access to ePHI and facilities is allowed by implementing policies and procedures to limit physical access to systems and facilities housing ePHI. Consider implementing policies and procedures to safeguard the facility and equipment from unauthorized tampering, theft, or physical access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user “plugging in” to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.   Addressable HIPAA: §164.310(a)(2)(ii)
NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM
HICP: TV1, Practice # 6
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.310(a)(2)(ii)
NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM
HICP: TV1, Practice # 6
  Notes            
3 Do you restrict physical access to and use of your equipment [i.e. equipment that houses ePHI]?
      Yes. We have written policies and implemented procedures restricting access to equipment that houses ePHI to authorized users only. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Restrict access to assets with potentially high impact in the event of compromise. This includes medical devices and internet of things (IoT) items (e.g., security cameras, badge readers, temperature sensors, building management systems).   Required HIPAA: §164.310(a)(1)
NIST CSF: ID.RA, PR.AC, DE.CM, PR.IP
HICP: TV1, Practice # 6
      Yes. We verbally authorize individuals to access equipment that houses ePHI, but have no written policies or procedures. Ensure only authorized access to ePHI is allowed by implementing and documenting procedures to govern access to equipment that houses ePHI. Restrict access to assets with potentially high impact in the event of compromise. This includes medical devices and internet of things (IoT) items (e.g., security cameras, badge readers, temperature sensors, building management systems).   Required HIPAA: §164.310(a)(1)
NIST CSF: ID.RA, PR.AC, DE.CM, PR.IP
HICP: TV1, Practice # 6
      No. We do not have a process to restrict access to equipment that houses ePHI to authorized users. Ensure only authorized access to ePHI is allowed by implementing and documenting procedures to govern access to equipment that houses ePHI. Restrict access to assets with potentially high impact in the event of compromise. This includes medical devices and internet of things (IoT) items (e.g., security cameras, badge readers, temperature sensors, building management systems).   Required HIPAA: §164.310(a)(1)
NIST CSF: ID.RA, PR.AC, DE.CM, PR.IP
HICP: TV1, Practice # 6
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.310(a)(1)
NIST CSF: ID.RA, PR.AC, DE.CM, PR.IP
HICP: TV1, Practice # 6
  Notes            
4 Do you manage workforce member, visitor, and third party access to electronic devices?            
      Yes. We have written procedures for classifying electronic devices, based on their capabilities, connection, and allowable activities; access to electronic devices by workforce members, visitors, and/or third parties is determined based on their classification. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.   Required HIPAA: §164.310(b)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM, PR.IP
HICP: TV1, Practice # 6
      Yes. We have written procedures for access to electronic devices, but they do not detail all of the variables listed above. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific electronic device or class of electronic device that can access ePHI. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.   Required HIPAA: §164.310(b)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM, PR.IP
HICP: TV1, Practice # 6
      Yes. We verbally instruct users on access to electronic devices, but do not have written procedures. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific electronic device or class of electronic device that can access ePHI. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.   Required HIPAA: §164.310(b)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM, PR.IP
HICP: TV1, Practice # 6
      No. We do not have a process for managing workforce member, visitor, or third party access to electronic devices. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific electronic device or class of electronic device that can access ePHI. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.   Required HIPAA: §164.310(b)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM, PR.IP
HICP: TV1, Practice # 6
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.310(b)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM, PR.IP
HICP: TV1, Practice # 6
  Notes            
5 Do you have physical protections in place, such as cable locks for portable laptops or screen filters for screens visible in high-traffic areas, to manage electronic device security risks?
      Yes. We have physical protections in place for all electronic devices and this is documented in policy and procedure. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.   Required HIPAA: §164.310(c)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM
HICP: TV1, Practice # 6
      Yes. We have physical protections in place for some, but not all, electronic devices. Implement physical safeguards for all electronic devices that access electronic protected health information, to restrict access to authorized users. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.   Required HIPAA: §164.310(c)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM
HICP: TV1, Practice # 6
      No. We do not have physical protections in place for our electronic devices. Implement physical safeguards for all electronic devices that access electronic protected health information, to restrict access to authorized users. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.   Required HIPAA: §164.310(c)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM
HICP: TV1, Practice # 6
      I don’t know. Implement physical safeguards for all electronic devices that access electronic protected health information, to restrict access to authorized users. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.   Required HIPAA: §164.310(c)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM
HICP: TV1, Practice # 6
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.310(c)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM
HICP: TV1, Practice # 6
  Notes            
6 What physical protections do you have in place for electronic devices with access to ePHI?            
      We have robust procedures for electronic device access control, such as authorization for issuing new electronic device access and removing electronic device access. We also use screen filters, docking stations with locks, and/or cable locks for portable devices, privacy screens [walls or partitions], and/or secured proximity for servers and network equipment. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user “plugging in” to an empty port to access your network.   Required HIPAA: §164.310(c)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM
HICP: TV1, Practice # 2, 6
      We have limited procedures for electronic device access control, including some but not all of those listed above. Consider which physical safeguards to protect access to ePHI can be reasonably and appropriately implemented in your practice. Consider an authorization process for issuing new electronic device access and removing electronic device access, and the use of screen filters, docking stations with locks, and/or cable locks for portable devices, privacy screens [walls or partitions], and/or secured proximity for servers and network equipment. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user “plugging in” to an empty port to access your network.   Required HIPAA: §164.310(c)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM
HICP: TV1, Practice # 2, 6
      We do not have any physical protections in place for electronic device access to ePHI. Consider which physical safeguards to protect access to ePHI can be reasonably and appropriately implemented in your practice. Consider an authorization process for issuing new electronic device access and removing electronic device access, and the use of screen filters, docking stations with locks, and/or cable locks for portable devices, privacy screens [walls or partitions], and/or secured proximity for servers and network equipment. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user “plugging in” to an empty port to access your network.   Required HIPAA: §164.310(c)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM
HICP: TV1, Practice # 2, 6
      I don’t know. Consider which physical safeguards to protect access to ePHI can be reasonably and appropriately implemented in your practice, such as an authorization process for issuing and removing electronic device access; screen filters, docking stations with locks, and/or cable locks for portable devices; privacy screens (walls or partitions); and/or secured placement of servers and network equipment. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located. Disable network ports that are not in use and keep them inactive until an activation request is authorized. This minimizes the risk of an unauthorized user “plugging in” to an empty port to gain access to your network.   Required HIPAA: §164.310(c)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM
HICP: TV1, Practice # 2, 6
      Other. Consider which physical safeguards to protect access to ePHI can be reasonably and appropriately implemented in your practice, such as an authorization process for issuing and removing electronic device access; screen filters, docking stations with locks, and/or cable locks for portable devices; privacy screens (walls or partitions); and/or secured placement of servers and network equipment. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located. Disable network ports that are not in use and keep them inactive until an activation request is authorized. This minimizes the risk of an unauthorized user “plugging in” to an empty port to gain access to your network.   Required HIPAA: §164.310(c)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM
HICP: TV1, Practice # 2, 6
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.310(c)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM
HICP: TV1, Practice # 2, 6
  Notes            
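The "disable unused network ports" guidance above is easiest to act on if you can list, from the switch itself, which ports are administratively up but have nothing plugged in. The following is an added example and is not part of the SRA Tool: it parses a Cisco IOS style "show interfaces status" table (the sample output below is constructed for this example) and produces the configuration lines that would park those ports. The parking VLAN number 999 is an assumption; substitute an unused VLAN that exists on your switch.

```python
"""Find switch ports that are administratively up but have nothing attached.

Added example (not part of the SRA Tool). Parses Cisco IOS style
"show interfaces status" output; another vendor's table needs its own parser.
"""
import re

# Constructed sample output: the column layout follows Cisco IOS, the values
# are made up for this example.
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   EHR-SERVER         connected    10         a-full  a-1000 10/100/1000BaseTX
Gi1/0/2   FRONT-DESK-PC      connected    20         a-full  a-1000 10/100/1000BaseTX
Gi1/0/3                      notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/4   EXAM-ROOM-2        notconnect   20           auto   auto 10/100/1000BaseTX
Gi1/0/5                      disabled     999          auto   auto 10/100/1000BaseTX
Gi1/0/6   LOBBY-WALLJACK     connected    1          a-full  a-100  10/100/1000BaseTX
"""

PARKING_VLAN = 999  # assumption: an unused "black hole" VLAN exists on the switch

# Port, optional description, one of the known status words, then the VLAN column.
LINE_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s+"
    r"(?P<status>connected|notconnect|disabled|err-disabled)\s+(?P<vlan>\S+)\s+"
)


def parse_status(text):
    """Return one dict per interface line; header and unparseable lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ports.append({"port": m["port"], "name": m["name"].strip(),
                      "status": m["status"], "vlan": m["vlan"]})
    return ports


def find_open_unused_ports(ports):
    """Ports that are up (not 'disabled') but have no link: candidates to shut down."""
    return [p for p in ports if p["status"] == "notconnect"]


def find_default_vlan_ports(ports):
    """Live ports still in VLAN 1, where an attacker plugging in lands by default."""
    return [p for p in ports if p["vlan"] == "1" and p["status"] != "disabled"]


def remediation_config(ports, parking_vlan=PARKING_VLAN):
    """IOS configuration lines that park every open, unused port."""
    lines = []
    for p in find_open_unused_ports(ports):
        lines += [f"interface {p['port']}",
                  " description PARKED - enable only via approved request",
                  f" switchport access vlan {parking_vlan}",
                  " shutdown"]
    return lines


if __name__ == "__main__":
    found = parse_status(SAMPLE_STATUS)
    for p in find_open_unused_ports(found):
        print(f"open but unused: {p['port']} ({p['name'] or 'no description'})")
    for p in find_default_vlan_ports(found):
        print(f"still in VLAN 1: {p['port']}")
    print("\n".join(remediation_config(found)))
```

Review the "notconnect" list against your device inventory before applying the configuration: a port such as EXAM-ROOM-2 above may belong to a workstation that is simply powered off, and the activation-request process in the guidance is what distinguishes that case from a genuinely unused jack. Ports that show as connected in VLAN 1 (the lobby wall jack here) deserve the same review.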
7 Do you keep an inventory and a location record of all of your electronic devices?            
      Yes. Our inventory list of all electronic devices and their functions is currently documented and updated on a periodic basis. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. A complete and accurate inventory of the IT assets in your organization facilitates the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet.   Required HIPAA: §164.310(b)
NIST CSF: PR.AC, PR.DS, PR.PT, ID.AM
HICP: TV1, Practice # 5
      Yes. We have a list of electronic devices and their functions but it has not been updated to reflect inventory changes. Asset (electronic devices) inventory lists should be kept up-to-date to meet compliance and best practice standards. A complete and accurate inventory of the IT assets in your organization facilitates the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet.   Required HIPAA: §164.310(b)
NIST CSF: PR.AC, PR.DS, PR.PT, ID.AM
HICP: TV1, Practice # 5
      No. We currently do not document and keep an active list of electronic devices and their functions. Your practice cannot assess threats to devices it does not know about; without a location record for all of its laptops, printers, copiers, tablets, smartphones, monitors, and other electronic devices, ePHI can be exposed in a surrounding or environment that is not suitable for handling or accessing that information. A complete and accurate inventory of the IT assets in your organization facilitates the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet.   Required HIPAA: §164.310(b)
NIST CSF: PR.AC, PR.DS, PR.PT, ID.AM
HICP: TV1, Practice # 5
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.310(b)
NIST CSF: PR.AC, PR.DS, PR.PT, ID.AM
HICP: TV1, Practice # 5
  Notes            
8 Do you have an authorized user who approves access levels within information systems and locations that use ePHI?            
      Yes. We have written procedures outlining who has the authorization to approve access to information systems, location, and ePHI; how access requests are submitted; and how access is granted. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.   Addressable HIPAA: §164.308(a)(3)(ii)(A)
NIST CSF: ID.AM, PR.MA, PR.PT, PR.IP
HICP: TV1, Practice # 10
      Yes. We have written procedures in place describing determination of user access levels to information systems, locations, and ePHI, but not detailing all of the variables described above. Consider assigning an authorized user to approve access levels with information systems and locations that contain and use ePHI. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.   Addressable HIPAA: §164.308(a)(3)(ii)(A)
NIST CSF: ID.AM, PR.MA, PR.PT, PR.IP
HICP: TV1, Practice # 10
      Yes. We have a verbally communicated process for determining access to information systems, locations, and ePHI. Consider assigning an authorized user to approve access levels with information systems and locations that contain and use ePHI. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.   Addressable HIPAA: §164.308(a)(3)(ii)(A)
NIST CSF: ID.AM, PR.MA, PR.PT, PR.IP
HICP: TV1, Practice # 10
      No. We do not have procedures to determine user access levels to information systems, locations, and ePHI. Consider assigning an authorized user to approve access levels with information systems and locations that contain and use ePHI. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.   Addressable HIPAA: §164.308(a)(3)(ii)(A)
NIST CSF: ID.AM, PR.MA, PR.PT, PR.IP
HICP: TV1, Practice # 10
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.308(a)(3)(ii)(A)
NIST CSF: ID.AM, PR.MA, PR.PT, PR.IP
HICP: TV1, Practice # 10
  Notes            
9 Do you validate a person’s access to facilities (including workforce members and visitors) based on their role or function?            
      Yes. We have procedures for validating access to our facility. Access levels are based on role or function. We also have strict requirements for validating workforce members or visitors who seek access to our critical systems and software programs. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure rooms and wireless networks used by visitors to allow internet access only.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP, PR.IP
HICP: TV1, Practice # 6
      Yes. We have procedures for validating a person’s access to our facility. Access levels are not based on role or function. Access to facilities, especially areas which house ePHI, should be limited to the minimum amount necessary for workforce members or visitors to complete their legitimate functions. Consider implementing procedures to validate a person’s access to facilities based on their role. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure rooms and wireless networks used by visitors to allow internet access only.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP, PR.IP
HICP: TV1, Practice # 6
      Yes. We have procedures for validating a person’s access to the facility based on their role or function, but do not have additional validation requirements for access to our critical systems. Access to facilities, especially areas which house ePHI, should be limited to the minimum amount necessary for workforce members or visitors to complete their legitimate functions. Consider implementing procedures to validate a person’s access to facilities based on their role. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure rooms and wireless networks used by visitors to allow internet access only.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP, PR.IP
HICP: TV1, Practice # 6
      Yes. We have an informal process for validating a person’s access to facilities, with no written procedures in place. Access to facilities, especially areas which house ePHI, should be limited to the minimum amount necessary for workforce members or visitors to complete their legitimate functions. Consider implementing procedures to validate a person’s access to facilities based on their role. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure rooms and wireless networks used by visitors to allow internet access only.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP, PR.IP
HICP: TV1, Practice # 6
      No. We do not have a process for validating a person’s access to facilities. Access to facilities, especially areas which house ePHI, should be limited to the minimum amount necessary for workforce members or visitors to complete their legitimate functions. Consider implementing procedures to validate a person’s access to facilities based on their role. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure rooms and wireless networks used by visitors to allow internet access only.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP, PR.IP
HICP: TV1, Practice # 6
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP, PR.IP
HICP: TV1, Practice # 6
  Notes            
10 How do you validate a person’s access to your facility?            
      We maintain lists of authorized persons and have controls in place to identify persons attempting to access the practice, grant access to authorized persons, and prevent access by unauthorized persons. These are effective means of validating facility access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP
HICP: TV1, Practice # 6
      We have controls in place to identify persons attempting to access the practice, grant access to authorized persons, and prevent access by unauthorized persons but do not maintain documentation of who is authorized. Consider appropriate methods of validating access to your facility. Implement and document safeguards determined to be reasonable and appropriate. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP
HICP: TV1, Practice # 6
      We maintain lists of authorized persons but do not have controls in place to identify persons attempting to access the practice, grant access to authorized persons, or prevent access by unauthorized persons. Consider appropriate methods of validating access to your facility. Implement and document safeguards determined to be reasonable and appropriate. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP
HICP: TV1, Practice # 6
      We maintain lists of authorized persons and have controls in place to identify persons attempting to access the practice, but not to grant access to authorized persons or prevent access by unauthorized persons. Consider appropriate methods of validating access to your facility. Implement and document safeguards determined to be reasonable and appropriate. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP
HICP: TV1, Practice # 6
      We maintain lists of authorized persons and have controls in place to grant access to authorized persons or prevent access by unauthorized persons, but not to identify persons attempting to access the practice. Consider appropriate methods of validating access to your facility. Implement and document safeguards determined to be reasonable and appropriate. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP
HICP: TV1, Practice # 6
      We do not have lists of authorized persons or controls in place to identify persons attempting to access the practice, grant access to authorized persons, or prevent access by unauthorized persons. Consider appropriate methods of validating access to your facility. Implement and document safeguards determined to be reasonable and appropriate. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP
HICP: TV1, Practice # 6
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP
HICP: TV1, Practice # 6
  Notes            
11 Do you have access validation requirements for personnel and visitors seeking access to your critical systems (such as IT, software developers, or network admins)?            
      Yes. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Just as you might restrict physical access to different parts of your medical office, it’s important to restrict the access of third-party entities, including vendors, to separate networks. Allow them to connect only through tightly controlled interfaces. This limits the exposure to and impact of cyberattacks on both your organization and on the third-party entity.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP, PR.IP
HICP: TV1, Practice # 6
      No. Consider implementing procedures to validate a person’s access to critical systems based on their role or function. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as you might restrict physical access to different parts of your medical office, it’s important to restrict the access of third-party entities, including vendors, to separate networks. Allow them to connect only through tightly controlled interfaces. This limits the exposure to and impact of cyberattacks on both your organization and on the third-party entity.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP, PR.IP
HICP: TV1, Practice # 6
      I don’t know. Consider implementing procedures to validate a person’s access to critical systems based on their role or function. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as you might restrict physical access to different parts of your medical office, it’s important to restrict the access of third-party entities, including vendors, to separate networks. Allow them to connect only through tightly controlled interfaces. This limits the exposure to and impact of cyberattacks on both your organization and on the third-party entity.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP, PR.IP
HICP: TV1, Practice # 6
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP, PR.IP
HICP: TV1, Practice # 6
  Notes            
12 Does this include controlling access to your software programs for testing and revisions?            
      Yes. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP
HICP: N/A
      No. Consider implementing procedures to validate a person’s access to software programs based on their role or function. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP
HICP: N/A
      I don’t know. Consider implementing procedures to validate a person’s access to software programs based on their role or function. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP
HICP: N/A
  Notes            
13 Do you have procedures for validating a third party person’s access to the facility based on their role or function?            
      Yes. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Just as you might restrict physical access to different parts of your medical office, it’s important to restrict the access of third-party entities, including vendors, to separate networks. Allow them to connect only through tightly controlled interfaces. This limits the exposure to and impact of cyberattacks on both your organization and on the third-party entity.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP, PR.IP
HICP: TV1, Practice # 6
      No. Consider implementing procedures to validate a third party person’s access to facilities based on their role or function. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as you might restrict physical access to different parts of your medical office, it’s important to restrict the access of third-party entities, including vendors, to separate networks. Allow them to connect only through tightly controlled interfaces. This limits the exposure to and impact of cyberattacks on both your organization and on the third-party entity.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP, PR.IP
HICP: TV1, Practice # 6
      I don’t know. Consider implementing procedures to validate a third party person’s access to facilities based on their role or function. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as you might restrict physical access to different parts of your medical office, it’s important to restrict the access of third-party entities, including vendors, to separate networks. Allow them to connect only through tightly controlled interfaces. This limits the exposure to and impact of cyberattacks on both your organization and on the third-party entity.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP, PR.IP
HICP: TV1, Practice # 6
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.310(a)(2)(iii)
NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP, PR.IP
HICP: TV1, Practice # 6
  Notes            
14 Do you have hardware, software, or other mechanisms that record and examine activity on information systems with access to ePHI?            
      Yes. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.   Required HIPAA: §164.312(b)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.AE, DE.CM
HICP: TV1, Practice # 3
      No. Implement and document mechanisms to record and examine system activity to ensure your practice is securing systems that contain or use ePHI. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.   Required HIPAA: §164.312(b)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.AE, DE.CM
HICP: TV1, Practice # 3
      I don’t know. Implement and document mechanisms to record and examine system activity to ensure your practice is securing systems that contain or use ePHI. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.   Required HIPAA: §164.312(b)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.AE, DE.CM
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.312(b)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.AE, DE.CM
HICP: TV1, Practice # 3
  Notes            
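Recording activity is only half of §164.312(b); the other half is examining it. The following is an added example, not part of the SRA Tool, of the kind of review that turns raw EHR access logs into findings a practice can act on. The log line format (timestamp plus key=value fields), the list of active accounts, the business hours and the "rapid lookup" threshold are all assumptions for illustration; map them to what your EHR or SIEM actually emits.

```python
"""Examine EHR access-log lines for activity that warrants review.

Added example (not part of the SRA Tool). Three checks are implemented:
access outside business hours, access by an account that is no longer on the
authorized-user list, and one user opening many distinct patient records in a
short window (a common sign of record snooping).
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log lines; the key=value format is an assumption.
SAMPLE_LOG = """\
2024-03-04T09:12:00 user=nurse1 action=VIEW patient=MRN10001 src=10.0.5.21
2024-03-04T09:13:00 user=nurse1 action=VIEW patient=MRN10002 src=10.0.5.21
2024-03-04T02:15:00 user=frontdesk action=VIEW patient=MRN10023 src=10.0.5.12
2024-03-04T10:00:00 user=drsmith action=VIEW patient=MRN10001 src=10.0.5.30
2024-03-04T10:00:30 user=drsmith action=VIEW patient=MRN10007 src=10.0.5.30
2024-03-04T10:01:00 user=drsmith action=VIEW patient=MRN10008 src=10.0.5.30
2024-03-04T10:01:30 user=drsmith action=VIEW patient=MRN10009 src=10.0.5.30
2024-03-04T10:02:00 user=drsmith action=VIEW patient=MRN10010 src=10.0.5.30
2024-03-04T10:02:30 user=drsmith action=VIEW patient=MRN10011 src=10.0.5.30
2024-03-04T11:40:00 user=exstaff action=EXPORT patient=MRN10002 src=203.0.113.9
"""

ACTIVE_USERS = {"nurse1", "frontdesk", "drsmith"}  # assumption: the current authorized-user list
BUSINESS_HOURS = (time(7, 0), time(19, 0))         # assumption
RAPID_VIEW_LIMIT = 5          # distinct patients ...
RAPID_VIEW_WINDOW_SEC = 300   # ... within this many seconds (assumption)


def parse_log(text):
    """Turn each line into a dict with a parsed 'time' plus the key=value fields."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["time"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def find_after_hours(events, hours=BUSINESS_HOURS):
    start, end = hours
    return [e for e in events if not (start <= e["time"].time() < end)]


def find_inactive_users(events, active=ACTIVE_USERS):
    """Any activity by an account that should have been removed."""
    return [e for e in events if e["user"] not in active]


def find_rapid_lookups(events, limit=RAPID_VIEW_LIMIT, window=RAPID_VIEW_WINDOW_SEC):
    """Users who opened at least `limit` distinct patient records within `window` seconds."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            seen = set()
            for e in evs[i:]:
                if (e["time"] - first["time"]).total_seconds() > window:
                    break
                seen.add(e["patient"])
            if len(seen) >= limit:
                flagged.append((user, len(seen)))
                break  # one finding per user is enough for the review queue
    return flagged


def review(text):
    """Run all checks and return (rule, user, detail) tuples for the audit report."""
    events = parse_log(text)
    findings = [("after_hours", e["user"], e["patient"]) for e in find_after_hours(events)]
    findings += [("inactive_account", e["user"], e["patient"]) for e in find_inactive_users(events)]
    findings += [("rapid_lookup", user, str(n)) for user, n in find_rapid_lookups(events)]
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(SAMPLE_LOG):
        print(f"{rule:17} user={user:10} {detail}")
```

Each run produces a dated list of findings and who reviewed them; that record is the "audit report review" the next question asks you to retain, so write it somewhere it will survive the six-year retention period rather than leaving it on the reviewer's workstation.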
15 What requirements are in place for retention of audit reports?            
      Our practice retains records of audit report review for a minimum of six (6) years, consistent with retention requirements for all information security documentation. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Your state or jurisdiction may have additional requirements beyond the six (6) year retention requirement.   Required HIPAA: §164.312(b)
NIST CSF: PR.DS, PR.PT, DE.AE, DE.CM, PR.IP
HICP: N/A
      Requirements are in place to retain records of audit report review, but not for a minimum of six (6) years. Records of audit report review should be retained for a minimum of six (6) years. Your state or jurisdiction may have additional requirements beyond the six (6) year retention requirement.   Required HIPAA: §164.312(b)
NIST CSF: PR.DS, PR.PT, DE.AE, DE.CM, PR.IP
HICP: N/A
      Requirements are not in place to retain records of audit report review. Records of audit report review should be retained for a minimum of six (6) years. Your state or jurisdiction may have additional requirements beyond the six (6) year retention requirement.   Required HIPAA: §164.312(b)
NIST CSF: PR.DS, PR.PT, DE.AE, DE.CM, PR.IP
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.312(b)
NIST CSF: PR.DS, PR.PT, DE.AE, DE.CM, PR.IP
HICP: N/A
  Notes            
16 Do you maintain records of physical changes, upgrades, and modifications to your facility?            
      Yes. We have written procedures to document modifications to our facility. This includes documenting when physical security component repairs, modifications, or updates are needed and our workforce members’ roles and responsibilities in that process. Any changes to our facility’s security components go through an authorization process. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Addressable HIPAA: §164.310(a)(2)(iv)
NIST CSF: PR.DS, PR.MA
HICP: N/A
      Yes. We have written procedures to document modifications to our facility. This includes documenting when physical security component repairs, modifications, or updates are needed. Any changes to our facility’s security components go through an authorization process. Consider including in your procedural documentation what your workforce members’ roles and responsibilities are in the repair and modification of physical security components within your facility. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control.   Addressable HIPAA: §164.310(a)(2)(iv)
NIST CSF: PR.DS, PR.MA
HICP: N/A
      Yes. We have written procedures to document modifications to our facility. This includes documenting when physical security component repairs, modifications, or updates are needed. Consider including in your procedural documentation workforce members’ roles and responsibilities as well as the authorization process for making repairs, modifications, and updates to your facility’s physical security components. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control.   Addressable HIPAA: §164.310(a)(2)(iv)
NIST CSF: PR.DS, PR.MA
HICP: N/A
      No. We communicate and verbally authorize when repairs, modifications, or upgrades to the facility’s physical security components are needed, but we do not have written procedures for this process. Consider including in your procedural documentation workforce members’ roles and responsibilities as well as the authorization process for making repairs, modifications, and updates to your facility’s physical security components. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control.   Addressable HIPAA: §164.310(a)(2)(iv)
NIST CSF: PR.DS, PR.MA
HICP: N/A
      No. We do not maintain a log of changes, upgrades, or modifications to our facility. Consider including in your procedural documentation workforce members’ roles and responsibilities as well as the authorization process for making repairs, modifications, and updates to your facility’s physical security components. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control.   Addressable HIPAA: §164.310(a)(2)(iv)
NIST CSF: PR.DS, PR.MA
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.310(a)(2)(iv)
NIST CSF: PR.DS, PR.MA
HICP: N/A
  Notes            
17 How do you maintain awareness of the movement of electronic devices and media?            
      We maintain a detailed inventory of all electronic devices and media which contain ePHI, including where they are located, which workforce members are authorized to access or possess the devices, and to where they are moved. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.   Addressable HIPAA: §164.310(d)(2)(iii)
NIST CSF: PR.MA, PR.PT, DE.AE, DE.CM, PR.DS
HICP: TV1, Practice # 5, 10
      We keep a basic list of devices but do not formally track their movement. Devices should be tracked according to which workforce members have access to or possession of them, where they are located, and where they are moved. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.   Addressable HIPAA: §164.310(d)(2)(iii)
NIST CSF: PR.MA, PR.PT, DE.AE, DE.CM, PR.DS
HICP: TV1, Practice # 5, 10
      We rely on personal memory to maintain awareness of device location, movement, and access authorization. Devices should be tracked according to which workforce members have access to or possession of them, where they are located, and where they are moved. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.   Addressable HIPAA: §164.310(d)(2)(iii)
NIST CSF: PR.MA, PR.PT, DE.AE, DE.CM, PR.DS
HICP: TV1, Practice # 5, 10
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.310(d)(2)(iii)
NIST CSF: PR.MA, PR.PT, DE.AE, DE.CM, PR.DS
HICP: TV1, Practice # 5, 10
  Notes            
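Questions 7 and 17 both come down to one record: what devices you own, where each one is, who holds it, and when it moved. The spreadsheet the guidance recommends becomes far more useful once it is periodically reconciled against what is actually seen on the network, which is what the following added example does; it is not part of the SRA Tool. The inventory CSV and the discovery list (imagined as an export from an endpoint-management or MDM console reporting serial number and site) are constructed for this example, and the column names are assumptions.

```python
"""Reconcile a device inventory against devices observed on the network, and
record device movements with an approval trail.

Added example (not part of the SRA Tool). All data below is constructed.
"""
import csv
import io
from datetime import date

# Constructed inventory in the shape of a spreadsheet export (column names assumed).
INVENTORY_CSV = """\
asset_id,type,serial,location,custodian,holds_ephi
A-001,laptop,SN-LT-1001,Clinic A - Exam 1,nurse1,Y
A-002,desktop,SN-DT-2002,Clinic A - Front desk,frontdesk,Y
A-003,tablet,SN-TB-3003,Clinic A - Exam 2,drsmith,Y
A-004,printer,SN-PR-4004,Clinic A - Records room,it,N
A-005,laptop,SN-LT-1005,Clinic B - Office,drsmith,Y
"""

# Constructed export from an endpoint agent: serial plus the site it reported from.
DISCOVERED = [
    {"serial": "SN-LT-1001", "site": "Clinic A"},
    {"serial": "SN-DT-2002", "site": "Clinic A"},
    {"serial": "SN-LT-1005", "site": "Clinic A"},    # inventory says Clinic B
    {"serial": "SN-UNKNOWN-9", "site": "Clinic A"},  # never inventoried
]


def load_inventory(text):
    """asset_id -> row dict."""
    return {row["asset_id"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(inventory, discovered):
    """Three lists worth acting on: devices you did not know about, ePHI devices
    nobody has seen, and devices reporting from somewhere other than their record."""
    by_serial = {row["serial"]: row for row in inventory.values()}
    seen = {d["serial"]: d for d in discovered}
    unknown = sorted(s for s in seen if s not in by_serial)
    missing_ephi = sorted(a for a, row in inventory.items()
                          if row["holds_ephi"] == "Y" and row["serial"] not in seen)
    # Location strings are assumed to start with the site name the agent reports.
    location_mismatch = sorted(
        row["asset_id"] for row in inventory.values()
        if row["serial"] in seen
        and not row["location"].startswith(seen[row["serial"]]["site"]))
    return {"unknown": unknown, "missing_ephi": missing_ephi,
            "location_mismatch": location_mismatch}


def record_move(inventory, movement_log, asset_id, new_location, new_custodian,
                approved_by, when=None):
    """Update the inventory row and append a movement entry (the §164.310(d)(2)(iii) record)."""
    row = inventory[asset_id]
    entry = {"date": when or date.today().isoformat(), "asset_id": asset_id,
             "from": row["location"], "to": new_location,
             "custodian": new_custodian, "approved_by": approved_by}
    movement_log.append(entry)
    row["location"] = new_location
    row["custodian"] = new_custodian
    return entry


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    for category, items in reconcile(inv, DISCOVERED).items():
        print(f"{category}: {items}")
    log = []
    record_move(inv, log, "A-005", "Clinic A - Office", "drsmith", "itmanager", "2024-03-04")
    print("after recording the move:", reconcile(inv, DISCOVERED)["location_mismatch"])
```

A printer marked as not holding ePHI does not appear in the "missing" list even though it was not seen; that is deliberate, but many printers and copiers cache scanned documents, so set holds_ephi honestly rather than by device type. The unknown serial is the finding to chase first: a device on the network that no one inventoried is exactly what the guidance about unused ports and facility access is meant to prevent.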
18 Are electronic devices secured?            
      Yes. We have procedures for safeguarding all electronic devices (such as screen guards, cable locks, locking storage rooms, cameras, and other physical features). This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. A small organization’s endpoints must be protected. Endpoints include desktops, laptops, mobile devices, and other connected hardware devices (e.g., printers, medical equipment).   Required HIPAA: §164.310(c)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM
HICP: TV1, Practice # 2
      We secure electronic devices, but do not have documented procedures for these safeguards. Secure electronic devices with appropriate safeguards, such as screen guards, cable locks, locking storage rooms, cameras, and other physical features. Document these safeguards in your policies and procedures. A small organization’s endpoints must be protected. Endpoints include desktops, laptops, mobile devices, and other connected hardware devices (e.g., printers, medical equipment).   Required HIPAA: §164.310(c)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM
HICP: TV1, Practice # 2
      We do not have any procedures to secure electronic devices in our facility. Secure electronic devices with appropriate safeguards, such as screen guards, cable locks, locking storage rooms, cameras, and other physical features. Document these safeguards in your policies and procedures. A small organization’s endpoints must be protected. Endpoints include desktops, laptops, mobile devices, and other connected hardware devices (e.g., printers, medical equipment).   Required HIPAA: §164.310(c)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM
HICP: TV1, Practice # 2
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.310(c)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM
HICP: TV1, Practice # 2
  Notes            
19 Do you back up ePHI to ensure availability when devices are moved?             
      Yes. Our critical data and ePHI are stored centrally (such as on a cloud service or Active Directory server) where they can be accessed from any authorized device. This is an effective option to protect the confidentiality, integrity, and availability of ePHI. Make sure backups will be available and functional when needed through periodic testing. Train staff never to back up data on uncontrolled storage devices or personal cloud services. Leveraging the cloud for backup purposes is acceptable if you have established an agreement with the cloud vendor and verified the security of the vendor’s systems.   Addressable HIPAA: §164.310(d)(2)(iv)
NIST CSF: PR.DS, PR.IP
HICP: TV1, Practice # 4
      Yes. We manage our own backups of all critical ePHI (using portable storage devices), which enable continued access during device movement. This is an effective option to protect the confidentiality, integrity, and availability of ePHI. Make sure backups will be available and functional when needed through periodic testing. Train staff never to back up data on uncontrolled storage devices or personal cloud services. Leveraging the cloud for backup purposes is acceptable if you have established an agreement with the cloud vendor and verified the security of the vendor’s systems.   Addressable HIPAA: §164.310(d)(2)(iv)
NIST CSF: PR.DS, PR.IP
HICP: TV1, Practice # 4
      No. We do not ensure that data will be available when stored on a removed device. ePHI can be lost, corrupted, or made inaccessible in the future if your practice does not create backup files that are retrievable and exact copies. Make sure backups will be available and functional when needed through periodic testing. Train staff never to back up data on uncontrolled storage devices or personal cloud services. Leveraging the cloud for backup purposes is acceptable if you have established an agreement with the cloud vendor and verified the security of the vendor’s systems.   Addressable HIPAA: §164.310(d)(2)(iv)
NIST CSF: PR.DS, PR.IP
HICP: TV1, Practice # 4
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.310(d)(2)(iv)
NIST CSF: PR.DS, PR.IP
HICP: TV1, Practice # 4
  Notes            
20 Do you ensure devices which created, maintained, received, or transmitted ePHI are effectively sanitized when they are disposed of?            
      Yes. We remove any data storage or memory component from the device and then store it in a secure location. Data is wiped from the device prior to disposing of the device using a method that conforms to guidelines in
NIST SP 800-88 and OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.
This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.   Required HIPAA: §164.310(d)(1)
NIST CSF: PR.AC, PR.DS, PR.PT, PR.IP
HICP: TV1, Practice # 5
      Yes. Devices are given to a third-party, which wipes the data and disposes of the devices appropriately using a method that conforms to guidelines in
NIST SP 800-88 and OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. We are provided a certificate of destruction outlining the specific devices that were disposed of whenever this is performed.
This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.   Required HIPAA: §164.310(d)(1)
NIST CSF: PR.AC, PR.DS, PR.PT, PR.IP
HICP: TV1, Practice # 5
      Devices are given to a third-party, which wipes the data and disposes of the devices appropriately. We are not provided a certificate of destruction to confirm appropriate disposal. Third parties should provide documentation certifying that equipment has been properly disposed of. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.   Required HIPAA: §164.310(d)(1)
NIST CSF: PR.AC, PR.DS, PR.PT, PR.IP
HICP: TV1, Practice # 5
      We maintain a secure area where items are stored prior to disposal, and this is documented in our asset inventory listing. ePHI on these devices should be purged using a method that conforms to guidelines in
NIST SP 800-88 and OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.
  Required HIPAA: §164.310(d)(1)
NIST CSF: PR.AC, PR.DS, PR.PT, PR.IP
HICP: TV1, Practice # 5
      No. We place unused devices out of normal work areas but these are not secured. Unused and old equipment should be stored in a secure area if it contains/contained ePHI. ePHI on these devices should be purged using a method that conforms to guidelines in
NIST SP 800-88 and OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.
  Required HIPAA: §164.310(d)(1)
NIST CSF: PR.AC, PR.DS, PR.PT, PR.IP
HICP: TV1, Practice # 5
      No. We do not have procedures for the disposal of devices and media. ePHI can be removed from your facilities without being observed and/or monitored if your practice does not have security policies and procedures to physically protect and securely store electronic devices and media. ePHI on these devices should be purged using a method that conforms to guidelines in
NIST SP 800-88 and OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.
  Required HIPAA: §164.310(d)(1)
NIST CSF: PR.AC, PR.DS, PR.PT, PR.IP
HICP: TV1, Practice # 5
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.310(d)(1)
NIST CSF: PR.AC, PR.DS, PR.PT, PR.IP
HICP: TV1, Practice # 5
  Notes            
21 How do you determine what is considered appropriate use of electronic devices and connected network devices?            
      We have documented policies and procedures in place outlining proper functions to be performed on electronic devices and connected network devices (e.g., whether or not they should access ePHI), how those functions will be performed, who is authorized to use the devices, and the physical surroundings of the devices. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. As user accounts are established, the accounts must be granted access to the organization’s computers and programs, as appropriate to each user. Consider following the “minimum necessary” principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user’s job or role in the organization. This limits the organization’s exposure to unauthorized access, loss, and theft of data if the user’s identity or access is compromised.   Required HIPAA: §164.310(b)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM, ID.RA
HICP: TV1, Practice # 4, 5
      We verbally communicate appropriate use of equipment but do not have requirements outlined in writing. Develop policies and procedures to enforce access control policies that define the appropriate use and surroundings of information systems, electronic devices, and other electronic devices that contain ePHI (such as laptops, printers, copiers, tablets, smart phones, monitors, and other devices). As user accounts are established, the accounts must be granted access to the organization’s computers and programs, as appropriate to each user. Consider following the “minimum necessary” principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user’s job or role in the organization. This limits the organization’s exposure to unauthorized access, loss, and theft of data if the user’s identity or access is compromised.   Required HIPAA: §164.310(b)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM, ID.RA
HICP: TV1, Practice # 4, 5
      We do not have any policies or procedures outlining appropriate use of electronic devices and connected devices. Workforce members, business associates, services providers, and the general public may not be aware of how to use devices appropriately, or how to secure those devices physically, if your practice does not implement policies and procedures that define expectations for proper use. As user accounts are established, the accounts must be granted access to the organization’s computers and programs, as appropriate to each user. Consider following the “minimum necessary” principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user’s job or role in the organization. This limits the organization’s exposure to unauthorized access, loss, and theft of data if the user’s identity or access is compromised.   Required HIPAA: §164.310(b)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM, ID.RA
HICP: TV1, Practice # 4, 5
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.310(b)
NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM, ID.RA
HICP: TV1, Practice # 4, 5
  Notes            
22 Do you ensure access to ePHI is terminated when employment or other arrangements with the workforce member ends?            
      Yes. We have written procedures documenting termination or change of access to ePHI upon termination or change of employment, including recovery of access control devices (including organization-owned devices, media, and equipment), deactivation of information system access, appropriate changes in access levels and/or privileges pursuant to job description changes that necessitate more or less access to ePHI, time frames to terminate access to ePHI, and exit interviews that include a discussion of privacy and security topics regarding ePHI. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. When an employee leaves your organization, ensure that procedures are executed to terminate the employee’s access immediately. Prompt user termination prevents former employees from accessing patient data and other sensitive information after they have left the organization. This is very important for organizations that use cloud-based systems where access is based on credentials, rather than physical presence at a particular computer. Similarly, if an employee changes jobs within the organization, it is important to terminate access related to the employee’s former position before granting access based on the requirements for the new position.   Addressable HIPAA: §164.308(a)(3)(ii)(C)
NIST CSF: PR.AC, PR.IP
HICP: TV1, Practice # 3
      Yes. We have written procedures documenting termination or change of access to ePHI upon termination or change of employment, but not detailing all of the variables listed above. Changes to access to ePHI should be documented in the event of device recovery, deactivation of user access, and changes in access levels or privileges. Policy documentation should include details on how the process is completed. When an employee leaves your organization, ensure that procedures are executed to terminate the employee’s access immediately. Prompt user termination prevents former employees from accessing patient data and other sensitive information after they have left the organization. This is very important for organizations that use cloud-based systems where access is based on credentials, rather than physical presence at a particular computer. Similarly, if an employee changes jobs within the organization, it is important to terminate access related to the employee’s former position before granting access based on the requirements for the new position.   Addressable HIPAA: §164.308(a)(3)(ii)(C)
NIST CSF: PR.AC, PR.IP
HICP: TV1, Practice # 3
      Yes. We have a verbal process to ensure access to ePHI is changed or terminated as needed, but no written procedures. Changes to access to ePHI should be documented in the event of device recovery, deactivation of user access, and changes in access levels or privileges. Policy documentation should include details on how the process is completed. When an employee leaves your organization, ensure that procedures are executed to terminate the employee’s access immediately. Prompt user termination prevents former employees from accessing patient data and other sensitive information after they have left the organization. This is very important for organizations that use cloud-based systems where access is based on credentials, rather than physical presence at a particular computer. Similarly, if an employee changes jobs within the organization, it is important to terminate access related to the employee’s former position before granting access based on the requirements for the new position.   Addressable HIPAA: §164.308(a)(3)(ii)(C)
NIST CSF: PR.AC, PR.IP
HICP: TV1, Practice # 3
      No. We do not have a process to ensure access to ePHI is changed or terminated as needed. Individuals without a need to know can access your practice’s ePHI if it does not have documented policies and procedures for terminating authorized access to its facilities, information systems, and ePHI once the need for access no longer exists. When an employee leaves your organization, ensure that procedures are executed to terminate the employee’s access immediately. Prompt user termination prevents former employees from accessing patient data and other sensitive information after they have left the organization. This is very important for organizations that use cloud-based systems where access is based on credentials, rather than physical presence at a particular computer. Similarly, if an employee changes jobs within the organization, it is important to terminate access related to the employee’s former position before granting access based on the requirements for the new position.   Addressable HIPAA: §164.308(a)(3)(ii)(C)
NIST CSF: PR.AC, PR.IP
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.308(a)(3)(ii)(C)
NIST CSF: PR.AC, PR.IP
HICP: TV1, Practice # 3
  Notes            
23 Do you have procedures for terminating or changing third-party access when the contract, business associate agreement, or other arrangement with the third party ends or is changed?            
      Yes. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. When an employee leaves your organization, ensure that procedures are executed to terminate the employee’s access immediately. Prompt user termination prevents former employees from accessing patient data and other sensitive information after they have left the organization. This is very important for organizations that use cloud-based systems where access is based on credentials, rather than physical presence at a particular computer. Similarly, if an employee changes jobs within the organization, it is important to terminate access related to the employee’s former position before granting access based on the requirements for the new position.   Addressable HIPAA: §164.308(a)(3)(ii)(C)
NIST CSF: PR.AC, PR.IP
HICP: TV1, Practice # 3
      No. Ensure that access to ePHI by third parties is terminated or changed appropriately when your contractual relationship with them ends or changes, respectively. When an employee leaves your organization, ensure that procedures are executed to terminate the employee’s access immediately. Prompt user termination prevents former employees from accessing patient data and other sensitive information after they have left the organization. This is very important for organizations that use cloud-based systems where access is based on credentials, rather than physical presence at a particular computer. Similarly, if an employee changes jobs within the organization, it is important to terminate access related to the employee’s former position before granting access based on the requirements for the new position.   Addressable HIPAA: §164.308(a)(3)(ii)(C)
NIST CSF: PR.AC, PR.IP
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.308(a)(3)(ii)(C)
NIST CSF: PR.AC, PR.IP
HICP: TV1, Practice # 3
  Notes            
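Questions 21 through 23 all come down to one check: does every enabled account still belong to someone with a current need, and only the access their current role requires? The script below is an added example (not part of the SRA Tool) that cross-checks a constructed workforce and vendor roster against constructed account data; the roles, systems, names and dates are all made up for illustration.

```python
"""Access reconciliation for offboarding and role changes (added example, not part of the SRA Tool).

Cross-checks a constructed workforce/third-party roster against constructed
account data and reports access that the guidance above says should have been
terminated (ended employment or contract) or reduced (former-role entitlements
kept after a job change, or more than the role needs).
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Assumed minimum-necessary baseline for this example: systems each role may use.
ROLE_BASELINE = {
    "front_desk": {"scheduling", "email"},
    "billing": {"billing", "email"},
    "clinician": {"ehr", "email"},
    "vendor_it": {"remote_support"},
}


@dataclass
class Person:
    user: str
    role: str
    status: str                      # "active" or "ended"
    end_date: Optional[date] = None  # employment or contract end date
    third_party: bool = False


@dataclass
class Account:
    user: str
    enabled: bool
    entitlements: Set[str] = field(default_factory=set)


def reconcile(roster: List[Person], accounts: List[Account],
              as_of: date) -> List[Tuple[str, str, str]]:
    """Return (user, finding, detail) tuples for access that violates the guidance."""
    by_user = {p.user: p for p in roster}
    findings = []
    for acct in accounts:
        person = by_user.get(acct.user)
        if person is None:
            # Nobody on the roster owns this account: it cannot be tied to a need.
            if acct.enabled:
                findings.append((acct.user, "orphan_account", "no roster entry"))
            continue
        ended = (person.status == "ended" and person.end_date is not None
                 and person.end_date <= as_of)
        if ended:
            # Termination must be immediate, so any still-enabled account is a finding.
            if acct.enabled:
                who = "third party" if person.third_party else "workforce member"
                findings.append((acct.user, "access_not_terminated",
                                 f"{who} ended {person.end_date.isoformat()}"))
            continue
        # Active person: entitlements beyond the current role (e.g. kept from a
        # former position) break the minimum-necessary principle.
        extra = acct.entitlements - ROLE_BASELINE.get(person.role, set())
        if acct.enabled and extra:
            findings.append((acct.user, "entitlement_beyond_role",
                             f"{person.role} still has {sorted(extra)}"))
    return sorted(findings)


# Constructed sample data. Bob moved from front_desk to billing; Carol left;
# Dave's vendor contract ended; Erin has an account but is on no roster.
ROSTER = [
    Person("alice", "clinician", "active"),
    Person("bob", "billing", "active"),
    Person("carol", "front_desk", "ended", date(2024, 3, 1)),
    Person("dave", "vendor_it", "ended", date(2024, 2, 15), third_party=True),
]
ACCOUNTS = [
    Account("alice", True, {"ehr", "email"}),
    Account("bob", True, {"billing", "email", "scheduling"}),
    Account("carol", True, {"scheduling", "email"}),
    Account("dave", True, {"remote_support"}),
    Account("erin", True, {"ehr"}),
]


def run_report(as_of: date = date(2024, 3, 15)) -> List[Tuple[str, str, str]]:
    return reconcile(ROSTER, ACCOUNTS, as_of)


if __name__ == "__main__":
    for user, finding, detail in run_report():
        print(f"{user:8} {finding:24} {detail}")
```

Run on the sample data it reports Bob's leftover front-desk entitlement, Carol's and Dave's still-enabled accounts, and Erin's orphan account; an export from your HR system and directory in the same shape can replace the constructed lists.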
24 How do you ensure media is sanitized prior to re-use?            
      We have a process to completely purge data from all devices prior to re-use through device reimaging, degaussing, or other industry standard method; our method conforms to guidelines in
NIST SP 800-88 and OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.
This is an effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Ensure that obsolete data are removed or destroyed properly so they cannot be accessed by cyber-thieves. Just as paper medical and financial records must be fully destroyed by shredding or burning, digital data must be properly disposed of to ensure that they cannot be inappropriately recovered. Discuss options for properly disposing of outdated or unneeded data with your IT support. Do not assume that deleting or erasing files means that the data are destroyed.   Required HIPAA: §164.310(d)(2)(ii)
NIST CSF: PR.IP, PR.MA
HICP: TV1, Practice # 4
      We sometimes remove ePHI from devices using a method that conforms to guidelines in
NIST SP 800-88 and OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, but not always, prior to re-use.
Implement procedures for removal of ePHI from electronic media before the media are made available for re-use. Ensure that obsolete data are removed or destroyed properly so they cannot be accessed by cyber-thieves. Just as paper medical and financial records must be fully destroyed by shredding or burning, digital data must be properly disposed of to ensure that they cannot be inappropriately recovered. Discuss options for properly disposing of outdated or unneeded data with your IT support. Do not assume that deleting or erasing files means that the data are destroyed.   Required HIPAA: §164.310(d)(2)(ii)
NIST CSF: PR.IP, PR.MA
HICP: TV1, Practice # 4
      We delete files with ePHI from devices but do not do anything else to purge data prior to re-use. Deleting files does not fully purge data from the device. Implement procedures for removal of ePHI from electronic media before the media are made available for re-use. Ensure that obsolete data are removed or destroyed properly so they cannot be accessed by cyber-thieves. Just as paper medical and financial records must be fully destroyed by shredding or burning, digital data must be properly disposed of to ensure that they cannot be inappropriately recovered. Discuss options for properly disposing of outdated or unneeded data with your IT support. Do not assume that deleting or erasing files means that the data are destroyed.   Required HIPAA: §164.310(d)(2)(ii)
NIST CSF: PR.IP, PR.MA
HICP: TV1, Practice # 4
      We do not have a process to remove ePHI from devices prior to re-use. Implement procedures for removal of ePHI from electronic media before the media are made available for re-use. Ensure that obsolete data are removed or destroyed properly so they cannot be accessed by cyber-thieves. Just as paper medical and financial records must be fully destroyed by shredding or burning, digital data must be properly disposed of to ensure that they cannot be inappropriately recovered. Discuss options for properly disposing of outdated or unneeded data with your IT support. Do not assume that deleting or erasing files means that the data are destroyed.   Required HIPAA: §164.310(d)(2)(ii)
NIST CSF: PR.IP, PR.MA
HICP: TV1, Practice # 4
      We have a third party business associate sanitize devices for the practice prior to their re-use. The business associate does not provide a certificate of proper disposal identifying the sanitized devices individually (e.g. with serial numbers). Document procedures for removal of ePHI from electronic media before the media are made available for re-use. Make sure your practice maintains detailed records of the sanitization performed and have a BAA in place with the business associate. Ensure that obsolete data are removed or destroyed properly so they cannot be accessed by cyber-thieves. Just as paper medical and financial records must be fully destroyed by shredding or burning, digital data must be properly disposed of to ensure that they cannot be inappropriately recovered. Discuss options for properly disposing of outdated or unneeded data with your IT support. Do not assume that deleting or erasing files means that the data are destroyed.   Required HIPAA: §164.310(d)(2)(ii)
NIST CSF: PR.IP, PR.MA
HICP: TV1, Practice # 4
      We have a third party business associate sanitize devices for the practice prior to their re-use. The business associate always provides a certificate of proper disposal identifying the sanitized devices individually (e.g. with serial numbers). This is an effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Ensure that obsolete data are removed or destroyed properly so they cannot be accessed by cyber-thieves. Just as paper medical and financial records must be fully destroyed by shredding or burning, digital data must be properly disposed of to ensure that they cannot be inappropriately recovered. Discuss options for properly disposing of outdated or unneeded data with your IT support. Do not assume that deleting or erasing files means that the data are destroyed.   Required HIPAA: §164.310(d)(2)(ii)
NIST CSF: PR.IP, PR.MA
HICP: TV1, Practice # 4
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.310(d)(2)(ii)
NIST CSF: PR.IP, PR.MA
HICP: TV1, Practice # 4
  Notes            
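Questions 20 and 24 both rest on the point that deleting a file does not purge its data, and that a purge should be verified and recorded. The following added example (not part of the SRA Tool or of NIST SP 800-88) builds a constructed toy disk image with a made-up directory-table format, shows that "deleted" ePHI is still carvable from the raw bytes, then overwrites the image, verifies every block, and produces a record of the kind a disposal register or certificate of destruction would hold; the serial number and the MRN/SSN-looking markers are placeholders.

```python
"""Media sanitization check (added example, not part of the SRA Tool).

Toy on-disk format, assumed for this example: block 0 is a directory table of
"name:start:length;" entries, file contents follow in whole blocks.
"""
import re
from datetime import date

BLOCK = 64          # toy block size in bytes
TABLE_BLOCKS = 1    # first block holds the directory table


def make_image(files, total_blocks=16):
    """Lay the files out back to back after the table and write the table."""
    img = bytearray(BLOCK * total_blocks)
    table = []
    cursor = BLOCK * TABLE_BLOCKS
    for name, data in files.items():
        img[cursor:cursor + len(data)] = data
        table.append(f"{name}:{cursor}:{len(data)}")
        cursor += -(-len(data) // BLOCK) * BLOCK      # round up to whole blocks
    img[0:BLOCK] = (";".join(table) + ";").encode().ljust(BLOCK, b"\0")
    return img


def delete_file(img, name):
    """'Delete' the way a filesystem does: drop the table entry, leave the data blocks alone."""
    entries = [e for e in img[0:BLOCK].rstrip(b"\0").decode().split(";") if e]
    kept = [e for e in entries if not e.startswith(name + ":")]
    img[0:BLOCK] = (";".join(kept) + ";").encode().ljust(BLOCK, b"\0")


def overwrite_data(img, fill=b"\0"):
    """Single-pass overwrite of the whole image, table included."""
    img[:] = fill * len(img)


# Constructed ePHI markers used only for this demonstration.
PHI_MARKERS = re.compile(rb"MRN:\d+|\d{3}-\d{2}-\d{4}")


def residual_phi(img):
    """Carve the raw bytes for ePHI-looking content regardless of the directory table."""
    return [m.group().decode() for m in PHI_MARKERS.finditer(bytes(img))]


def verify_sanitized(img, fill=b"\0"):
    """Verification step: every block must match the fill pattern."""
    bad = [i for i in range(0, len(img), BLOCK)
           if bytes(img[i:i + BLOCK]) != fill * BLOCK]
    return {"clean": not bad, "dirty_blocks": bad}


def sanitization_record(serial, method, img, when):
    """One disposal-register entry: what was wiped, how, when, and whether it verified."""
    check = verify_sanitized(img)
    return {"device_serial": serial, "method": method, "date": when.isoformat(),
            "verified": check["clean"], "residual_phi": residual_phi(img)}


def demo():
    """Delete two files, show their ePHI is still carvable, then overwrite and verify."""
    img = make_image({"visit.txt": b"Patient 1, MRN:4471 visit notes",
                      "ins.txt": b"Member SSN 123-45-6789 plan X"})
    delete_file(img, "visit.txt")
    delete_file(img, "ins.txt")
    after_delete = residual_phi(img)     # deletion alone leaves both values on disk
    overwrite_data(img)
    record = sanitization_record("SERIAL-PLACEHOLDER", "single-pass overwrite",
                                 img, date(2024, 1, 1))
    return after_delete, record


if __name__ == "__main__":
    leftover, rec = demo()
    print("carvable after delete:", leftover)
    print("record after overwrite:", rec)
```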
               
Threats & Vulnerabilities         Likelihood Impact Risk Score
1 Inadequate facility access management procedures where information systems reside            
      Unauthorized access to facility occurs undetected        
      Workforce and visitors access critical or sensitive business areas without authorization        
      Increased response time to respond to facility security incidents        
      Inconsistency in granting access to facilities        
2 Inadequate physical protection for information systems            
      Access allowed by unauthorized personnel        
      Adversary access to unauthorized network segments (via wireless penetration or USB/removable media)        
      Insider tampering of sensitive network equipment        
      Disruption of business processes, information system function, and/or prolonged adversarial presence within information systems        
      Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)        
      Exploitation of unpatched systems & software        
      Unauthorized access to or modification of ePHI/sensitive information        
      Adversarial sniffing/wiretapping/eavesdropping on network traffic        
3 Undocumented location of equipment or assets            
      Unconfirmed identity of connected physical devices/equipment        
      Unauthorized devices gaining access to the network        
      Unconfirmed identity of connected devices/equipment        
      Exploitation of unsecured computer systems        
4 Inadequate access controls for business associate and vendor access            
      Adversary leverages third party access to gain access to facility and devices        
      Adversary leverages third party access to exfiltrate data or assets        
      Uncontrolled access used to disrupt or steal equipment or data        
      Damage to public reputation due to breach        
      ePHI accessed by unauthorized entities        
      Inability to confirm identity of visitor throughout the facility        
      Inability to monitor physical location of business associates and vendors within the facility        
      Tampering of sensitive network equipment        
5 Inadequate sanitation of media            
      Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)        
      Disclosure of passwords and/or login information        
      Unauthorized access to ePHI/sensitive information        
      Unknown disposition of unused devices and data        
      Unauthorized modification of user accounts and/or permissions        
6 Inadequate procedures for proper workstation and connected network device security            
      Appropriate security settings may not be applied to all devices/equipment        
      Unauthorized connected devices/equipment on the network        
      Unauthorized access to or modification of ePHI/sensitive information        
      Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)        
      Workstations or devices tampered with, lost, or destroyed        
7 Failure to ensure user accounts are configured with appropriate permissions            
      Access granted to and maintained by unauthorized persons        
      Adversary gaining access to unauthorized areas of the facility        
      Adversary retains presence within or access to information systems        
      Damage to public reputation due to breach        
      Disclosure of passwords and/or login information        
      ePHI exfiltrated to unauthorized entities        
      Exploiting unpatched systems & software        
      Tampering of sensitive network equipment        
      Unauthorized access to ePHI        
      Unauthorized access to sensitive information        
      Unauthorized modification to ePHI        
               


Sheet 7: Section 6

Section 6 – Security and Business Associates
Question # Question Text Response Indicator Question Responses Guidance Risk Indicated Required? Reference
Section Questions              
1 Do you contract with business associates or other third-party vendors?            
      Yes. Make sure all business associates and third-party vendors have been evaluated to determine whether or not they require a Business Associate Agreement.   Required HIPAA: N/A
NIST CSF: ID.GV
HICP: N/A
      No. If you don’t have expertise to perform operational, security, or other tasks, contracting with third-party vendors and business associates can augment your practice’s capabilities.   Required HIPAA: N/A
NIST CSF: ID.GV
HICP: N/A
      I don’t know. If you don’t have expertise to perform operational, security, or other tasks, contracting with third-party vendors and business associates can augment your practice’s capabilities.   Required HIPAA: N/A
NIST CSF: ID.GV
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: N/A
NIST CSF: ID.GV
HICP: N/A
  Notes            
2 Do you allow third-party vendors to access your information systems and/or ePHI?            
      Yes. Make sure all business associates and third-party vendors have been evaluated to determine whether or not they require a Business Associate Agreement. User accounts enable organizations to control and monitor each user’s access to and activities on devices, EHRs, e-mail, and other third-party software systems. It is essential to protect user accounts to mitigate the risk of cyber threats.   Required HIPAA: N/A
NIST CSF: ID.GV
HICP: TV1, Practice # 3
      No. Working with business associates and third-party vendors can be beneficial to your practice, as long as reasonable and appropriate security precautions are taken for business associates accessing ePHI. User accounts enable organizations to control and monitor each user’s access to and activities on devices, EHRs, e-mail, and other third-party software systems. It is essential to protect user accounts to mitigate the risk of cyber threats.   Required HIPAA: N/A
NIST CSF: ID.GV
HICP: TV1, Practice # 3
      I don’t know. Consider looking into whether your practice allows business associates or third-party vendors to access your information systems. Your practice may be at risk and unable to safeguard your ePHI if unauthorized third parties have access to your information systems. User accounts enable organizations to control and monitor each user’s access to and activities on devices, EHRs, e-mail, and other third-party software systems. It is essential to protect user accounts to mitigate the risk of cyber threats.   Required HIPAA: N/A
NIST CSF: ID.GV
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: N/A
NIST CSF: ID.GV
HICP: TV1, Practice # 3
  Notes            
3 How do you identify which business associates need access to create, receive, maintain, or transmit ePHI?            
      We review business associate contracts to determine which vendors or contractors require access to ePHI and we include a Business Associate Agreement (BAA) in our contract with them. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. As user accounts are established, the accounts must be granted access to the organization’s computers and programs, as appropriate to each user. Consider following the “minimum necessary” principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user’s job or role in the organization. This limits the organization’s exposure to unauthorized access, loss, and theft of data if the user’s identity or access is compromised.   Required HIPAA: §164.308(b)(1)
NIST CSF: ID.AM, PR.AC, PR.DS
HICP: TV1, Practice # 3
      We assume that business associates who need access to our ePHI will indicate that and include a BAA with their contract with us. Take an active role in protecting your ePHI. Review your business associate contracts to determine which business associates require a BAA and ensure fully executed BAAs are in place with all required business associates. As user accounts are established, the accounts must be granted access to the organization’s computers and programs, as appropriate to each user. Consider following the “minimum necessary” principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user’s job or role in the organization. This limits the organization’s exposure to unauthorized access, loss, and theft of data if the user’s identity or access is compromised.   Required HIPAA: §164.308(b)(1)
NIST CSF: ID.AM, PR.AC, PR.DS
HICP: TV1, Practice # 3
      I don’t know. We have not formally considered which of our business associates require access to ePHI. Take an active role in protecting your ePHI. Review your business associate contracts to determine which business associates require a BAA and ensure fully executed BAAs are in place with all required business associates. As user accounts are established, the accounts must be granted access to the organization’s computers and programs, as appropriate to each user. Consider following the “minimum necessary” principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user’s job or role in the organization. This limits the organization’s exposure to unauthorized access, loss, and theft of data if the user’s identity or access is compromised.   Required HIPAA: §164.308(b)(1)
NIST CSF: ID.AM, PR.AC, PR.DS
HICP: TV1, Practice # 3
      We have informal discussions to evaluate whether access to our ePHI is required. Take an active role in protecting your ePHI. Review your business associate contracts to determine which business associates require a BAA and ensure fully executed BAAs are in place with all required business associates. As user accounts are established, the accounts must be granted access to the organization’s computers and programs, as appropriate to each user. Consider following the “minimum necessary” principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user’s job or role in the organization. This limits the organization’s exposure to unauthorized access, loss, and theft of data if the user’s identity or access is compromised.   Required HIPAA: §164.308(b)(1)
NIST CSF: ID.AM, PR.AC, PR.DS
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(b)(1)
NIST CSF: ID.AM, PR.AC, PR.DS
HICP: TV1, Practice # 3
  Notes            
4 How does your practice enforce or monitor access for each of these business associates?            
      We determine degree of access based on the amount of ePHI accessed, the types of devices or mechanisms used for access, and our ability to control and monitor third-party access. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Implement access management procedures to track and monitor user access to computers and programs.   Required HIPAA: §164.308(b)(1)
NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM
HICP: TV1, Practice # 3
      We assume that all business associate access is equal with regard to determining risk. Take an active role in protecting your ePHI. Determine the degree of access a business associate has by reviewing the amount of ePHI accessed, the types of devices and mechanisms used for access, and your ability to control and monitor their access. Document your procedures in your security policies. Implement access management procedures to track and monitor user access to computers and programs.   Required HIPAA: §164.308(b)(1)
NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM
HICP: TV1, Practice # 3
      We do not consider degree of access as it pertains to business associates. Take an active role in protecting your ePHI. Determine the degree of access a business associate has by reviewing the amount of ePHI accessed, the types of devices and mechanisms used for access, and your ability to control and monitor their access. Document your procedures in your security policies. Implement access management procedures to track and monitor user access to computers and programs.   Required HIPAA: §164.308(b)(1)
NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM
HICP: TV1, Practice # 3
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(b)(1)
NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM
HICP: TV1, Practice # 3
  Notes            
5 How do business associates communicate important changes in security practices, personnel, etc. to you?            
      Our BAAs include language describing how security-relevant changes should be communicated to our organization. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: N/A
NIST CSF: ID.GV
HICP: N/A
      We rely on our business associates to communicate with us in a manner they deem effective. Consider including language in Business Associate Agreements describing their communication of relevant security changes to your practice.   Required HIPAA: N/A
NIST CSF: ID.GV
HICP: N/A
      We are not sure how our business associates manage security or communicate changes to our practice. Consider including language in Business Associate Agreements describing their communication of relevant security changes to your practice.   Required HIPAA: N/A
NIST CSF: ID.GV
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: N/A
NIST CSF: ID.GV
HICP: N/A
  Notes            
6 Have you executed business associate agreements with all business associates who create, receive, maintain, or transmit ePHI on your behalf?            
      Yes. We ensure all business associates have a fully executed BAA with us before creating, receiving, maintaining, or transmitting ePHI on our behalf. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(b)(3)
NIST CSF: PR.AC
HICP: N/A
      Yes. We assume business associates with whom we require a BAA will prompt us to put one in place. Make sure all business associates who access ePHI have a fully executed BAA with your practice before being granted access. Include this requirement in your security policies and procedures.   Required HIPAA: §164.308(b)(3)
NIST CSF: PR.AC
HICP: N/A
      No. We do not execute BAAs when we have business associates accessing ePHI. Make sure all business associates who access ePHI have a fully executed BAA with your practice before being granted access. Include this requirement in your security policies and procedures.   Required HIPAA: §164.308(b)(3)
NIST CSF: PR.AC
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(b)(3)
NIST CSF: PR.AC
HICP: N/A
  Notes            
7 How do you maintain awareness of business associate security practices? (e.g. in addition to Business Associate Agreements)            
      Our practice performs extra due diligence in the form of monitoring third-party connections to our information systems or other forms of access, in addition to including language for security compliance in our Business Associate Agreements (BAAs). This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: N/A
NIST CSF: PR.AT, RS.CO, DE.CM
HICP: N/A
      We rely on the language of our BAAs to ensure that business associates are securing ePHI. Consider monitoring, auditing, or obtaining information from business associates to ensure the security of ePHI and include language about this in Business Associate Agreements.   Required HIPAA: N/A
NIST CSF: PR.AT, RS.CO, DE.CM
HICP: N/A
      We are not sure how to maintain awareness of our business associates’ security practices. Consider monitoring, auditing, or obtaining information from business associates to ensure the security of ePHI and include language about this in Business Associate Agreements.   Required HIPAA: N/A
NIST CSF: PR.AT, RS.CO, DE.CM
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: N/A
NIST CSF: PR.AT, RS.CO, DE.CM
HICP: N/A
  Notes            
8 Do you include satisfactory assurances within your Business Associate Agreements pertaining to how your business associates safeguard ePHI?            
      Yes. Our Business Associate Agreements include specifications on authorized use and disclosure of ePHI as well as other requirements as required by the Omnibus Rule updates to HIPAA. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.314(a)(1)(i)
NIST CSF: ID.GV
HICP: N/A
      Yes. BAAs include specifications on authorized use and disclosure of ePHI. Ensure all BAAs have been updated to meet the requirements of the HIPAA Security Rule and Omnibus Rule updates to HIPAA.   Required HIPAA: §164.314(a)(1)(i)
NIST CSF: ID.GV
HICP: N/A
      No. We are not sure about what satisfactory assurances are included in our BAAs. Ensure all BAAs have been updated to meet the requirements of the HIPAA Security Rule and Omnibus Rule updates to HIPAA.   Required HIPAA: §164.314(a)(1)(i)
NIST CSF: ID.GV
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.314(a)(1)(i)
NIST CSF: ID.GV
HICP: N/A
  Notes            
9 What terms are in your BAAs to outline how your business associates ensure subcontractors access ePHI securely?            
      In addition to language in our BAAs, our Business Associates provide specific assurances to us, including how they ensure subcontractors secure ePHI. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.314(a)(2)(iii)
NIST CSF: DE.AE, DE.DP, RS.CO
HICP: N/A
      Our BAAs include language requiring the business associate to obtain satisfactory assurances from subcontractors as to how they protect ePHI. Consider reviewing with your business associates how they manage security expectations for their subcontractors.   Required HIPAA: §164.314(a)(2)(iii)
NIST CSF: DE.AE, DE.DP, RS.CO
HICP: N/A
      We are not sure how to obtain satisfactory assurances from subcontractors. Ensure your practice can safeguard ePHI by ensuring the terms and conditions of your practice’s BAAs outline appropriate requirements for your BAAs with subcontractors.   Required HIPAA: §164.314(a)(2)(iii)
NIST CSF: DE.AE, DE.DP, RS.CO
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.314(a)(2)(iii)
NIST CSF: DE.AE, DE.DP, RS.CO
HICP: N/A
  Notes            
10 Do your BAAs require your third-party vendors to report security incidents to your practice in a timely manner?            
      Yes. Our BAAs describe requirements to provide satisfactory assurances for the protection of ePHI, obtain the same assurances from its subcontractors, and report security incidents (experienced by the Business Associate or its subcontractors) to our practice in a timely manner. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Make sure your point of contact with your business associate knows whom to contact at your organization to provide information about security incidents.   Required HIPAA: §164.314(a)(2)(i)(C)
NIST CSF: ID.RA, DE.AE, DE.DP, RS.CO
HICP: TV1, Practice # 8
      No. We are not sure how this requirement is described within our BAAs. Your practice may not be able to safeguard its information systems and ePHI if your practice’s Business Associates are not required to provide satisfactory assurances for the protection of ePHI, obtain the same assurances from its subcontractors, and report security incidents (experienced by the Business Associate or its subcontractors) to you in a timely manner. Make sure your point of contact with your business associate knows whom to contact at your organization to provide information about security incidents.   Required HIPAA: §164.314(a)(2)(i)(C)
NIST CSF: ID.RA, DE.AE, DE.DP, RS.CO
HICP: TV1, Practice # 8
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.314(a)(2)(i)(C)
NIST CSF: ID.RA, DE.AE, DE.DP, RS.CO
HICP: TV1, Practice # 8
  Notes            
11 Have you updated all your BAAs to reflect the requirements in the 2013 Omnibus Rule updates to HIPAA?            
      We have reviewed all BAAs and have confirmed their compliance with the Omnibus Rule updates to HIPAA. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.314(a)(1)
NIST CSF: ID.AM, ID.BE, PR.AT, ID.GV
HICP: N/A
      We have reviewed all BAAs and are in the process of updating formerly out-of-date BAAs. Update BAAs to reflect the Omnibus Rule updates to HIPAA and to maintain HIPAA compliance.   Required HIPAA: §164.314(a)(1)
NIST CSF: ID.AM, ID.BE, PR.AT, ID.GV
HICP: N/A
      We assume all BAAs are up to date with the Omnibus Rule updates to HIPAA but have not reviewed the agreements to make sure. All BAAs should be reviewed to ensure compliance with HIPAA and the Omnibus Rule updates to HIPAA.   Required HIPAA: §164.314(a)(1)
NIST CSF: ID.AM, ID.BE, PR.AT, ID.GV
HICP: N/A
      We are not sure if our BAAs are up to date with Omnibus Rule requirements. All BAAs should be reviewed to ensure compliance with HIPAA and the Omnibus Rule updates to HIPAA.   Required HIPAA: §164.314(a)(1)
NIST CSF: ID.AM, ID.BE, PR.AT, ID.GV
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.314(a)(1)
NIST CSF: ID.AM, ID.BE, PR.AT, ID.GV
HICP: N/A
  Notes            
12 How does your practice document all of its business associates requiring access to ePHI?            
      We maintain a current listing of all business associates with access to ePHI in addition to having Business Associate Agreements (BAAs) on file with any business associates with access to ePHI. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(b)(1)
NIST CSF: ID.AM, PR.AC, PR.DS
HICP: N/A
      We maintain copies of fully executed BAAs on file for any business associates with access to ePHI. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Note that the Office for Civil Rights may request an inventory listing of your Business Associates in the event of an audit or investigation.   Required HIPAA: §164.308(b)(1)
NIST CSF: ID.AM, PR.AC, PR.DS
HICP: N/A
      We are not sure how these business associate relationships are documented. Knowing who provides services to your practice and the nature of the services is an important component of your security plan. Note that the Office for Civil Rights may request an inventory listing of your Business Associates in the event of an audit or investigation.   Required HIPAA: §164.308(b)(1)
NIST CSF: ID.AM, PR.AC, PR.DS
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(b)(1)
NIST CSF: ID.AM, PR.AC, PR.DS
HICP: N/A
  Notes            
13 Do you obtain Business Associate Agreements (BAAs) from business associates who access another covered entity’s ePHI on your behalf?            
      Yes. We make sure to have BAAs in place with covered entities for which we are Business Associates as well as subcontractors to those covered entities who contract with us. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(b)(2)
NIST CSF: N/A
HICP: N/A
      Yes. We make sure to have BAAs in place with covered entities for which we are Business Associates. Make sure your practice has BAAs in place with covered entities for which your practice is a Business Associate as well as subcontractors to those covered entities who contract with your practice.   Required HIPAA: §164.308(b)(2)
NIST CSF: N/A
HICP: N/A
      No. We do not obtain assurances from business associates who access another covered entity’s ePHI on our behalf. Make sure your practice has BAAs in place with covered entities for which your practice is a Business Associate as well as subcontractors to those covered entities who contract with your practice.   Required HIPAA: §164.308(b)(2)
NIST CSF: N/A
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(b)(2)
NIST CSF: N/A
HICP: N/A
  Notes            
               
Threats & Vulnerabilities         Likelihood Impact Risk Score
1 Uncontrolled access to ePHI to business associates/vendors            
      Access to unauthorized segments of the network        
      Carelessness causing disruption to computer systems        
      Carelessness exposing ePHI        
      Damage to public reputation due to breach        
      Disclosure of passwords and or login information        
      ePHI exfiltrated to unauthorized entities        
      Exploiting unpatched systems & software        
      Unauthorized access to ePHI        
      Unauthorized modification to ePHI        
2 Inadequate business associate/vendor agreements            
      Inability to hold third parties accountable to securing your ePHI        
      Breach goes unreported due to lack of established communication requirements with third parties        
      Provide sensitive information and ePHI without authorization        
      Loss of support services or contracts        
      Damage to public reputation or litigation        
3 No security or privacy assurances obtained from business associates/vendors            
      Information system or facility access granted to unauthorized personnel        
      Adversarial access to unauthorized network segments        
      Corrective enforcement outcomes from regulatory agencies        
      Disclosure of passwords and or login information        
      Social engineering or hacking attack affecting third-party impacts your practice’s data        
      Disruption of access to data due to inadequate contractor security controls        
      Unauthorized access to or modification of ePHI/sensitive information        
      Exploitation of unsecured third-party systems & software        
      Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)        
4 Failure to update or review business associate contracts            
      Contract termination due to expiration        
      Provide sensitive information and ePHI without authorization        
      Disruption of access to data due to contract dispute or lapse        
      Inability to determine the criticality of access granted to third parties        
      Fines, litigation, and financial penalties from non-compliance        


Sheet 8: Section 7

Section 7 – Contingency Planning
Question # Question Text Response Indicator Question Responses Guidance Risk Indicated Required? Reference
Section Questions              
1 Does your practice have a contingency plan in the event of an emergency?            
      Yes. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP
HICP: TV1, Practice # 8
      No. Ensure your practice can operate effectively and efficiently in an emergency by having a contingency plan. This should be included in your documented policies and procedures. The contingency plan should be reviewed, tested, and updated periodically. As part of this you should determine what critical services and ePHI must be available during an emergency. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP
HICP: TV1, Practice # 8
      I don’t know. Ensure your practice can operate effectively and efficiently in an emergency by having a contingency plan. This should be included in your documented policies and procedures. The contingency plan should be reviewed, tested, and updated periodically. As part of this you should determine what critical services and ePHI must be available during an emergency. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP
HICP: TV1, Practice # 8
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP
HICP: TV1, Practice # 8
  Notes            
2 Is your contingency plan documented?            
      Yes. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP
HICP: N/A
      No. Your contingency plan should be documented in your policies and procedures.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP
HICP: N/A
      I don’t know. Your contingency plan should be documented in your policies and procedures.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP
HICP: N/A
  Notes            
3 Do you periodically update your contingency plan?            
      Yes. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, RS.IM, RC.IM
HICP: N/A
      Yes, but only if there are changes in our practice. Consider reviewing and updating your contingency plan on a periodic basis.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, RS.IM, RC.IM
HICP: N/A
      No. Consider reviewing and updating your contingency plan on a periodic basis.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, RS.IM, RC.IM
HICP: N/A
      I don’t know. Consider reviewing and updating your contingency plan on a periodic basis.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, RS.IM, RC.IM
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, RS.IM, RC.IM
HICP: N/A
  Notes            
4 How do you ensure that your contingency plan is effective and updated appropriately?            
      We periodically review the plan’s contents, perform tests of the plan, and record the results. We revise the plan as needed and document this in policy. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(a)(7)(ii)(D)
NIST CSF: RS.IM, ID.RA, PR.IP, RC.IM, ID.BE
HICP: N/A
      We periodically review the plan’s contents but do not perform any tests or exercises of the plan’s effectiveness. Consider periodically testing the contingency plan for effectiveness. Maintain documentation of contingency plan testing and revisions in your policies and procedures.   Required HIPAA: §164.308(a)(7)(ii)(D)
NIST CSF: RS.IM, ID.RA, PR.IP, RC.IM, ID.BE
HICP: N/A
      We periodically run tests or exercises of the plan’s effectiveness, but we do not document these tests. We have not made updates to our contingency plan yet. Consider maintaining documentation of contingency plan testing and revisions in your policies and procedures.   Required HIPAA: §164.308(a)(7)(ii)(D)
NIST CSF: RS.IM, ID.RA, PR.IP, RC.IM, ID.BE
HICP: N/A
      We do not review or test our contingency plan. Consider periodically reviewing and testing the contingency plan for effectiveness. Maintain documentation of contingency plan testing and revisions in your policies and procedures.   Required HIPAA: §164.308(a)(7)(ii)(D)
NIST CSF: RS.IM, ID.RA, PR.IP, RC.IM, ID.BE
HICP: N/A
      I don’t know. Consider periodically reviewing and testing the contingency plan for effectiveness. Maintain documentation of contingency plan testing and revisions in your policies and procedures.   Required HIPAA: §164.308(a)(7)(ii)(D)
NIST CSF: RS.IM, ID.RA, PR.IP, RC.IM, ID.BE
HICP: N/A
      Other. Depending on what other actions your practice does to ensure your contingency plan is updated appropriately, you may want to consider periodically reviewing and testing the contingency plan for effectiveness. Maintain documentation of contingency plan testing and revisions in your policies and procedures.   Required HIPAA: §164.308(a)(7)(ii)(D)
NIST CSF: RS.IM, ID.RA, PR.IP, RC.IM, ID.BE
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(7)(ii)(D)
NIST CSF: RS.IM, ID.RA, PR.IP, RC.IM, ID.BE
HICP: N/A
  Notes            
5 Have you considered what kind of emergencies could damage critical information systems or prevent access to ePHI within your practice?            
      Yes. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, ID.RA
HICP: N/A
      No. You should consider all natural and man-made disasters that could affect the confidentiality, integrity, and availability of ePHI. You should also document how you would respond in these situations to maintain security of ePHI in your policies and procedures.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, ID.RA
HICP: N/A
      I don’t know. You should consider all natural and man-made disasters that could affect the confidentiality, integrity, and availability of ePHI. You should also document how you would respond in these situations to maintain security of ePHI in your policies and procedures.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, ID.RA
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, ID.RA
HICP: N/A
  Notes            
6 What types of emergencies have you considered?            
      We have considered natural disasters, such as wildfire, damaging winds, floods, hurricanes, tornadoes, or earthquakes. You should consider infrastructure and man-made disasters that could affect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, ID.RA
HICP: N/A
      We have considered man-made disasters, such as vandalism, biochemical warfare, toxic emissions, or civil unrest/terrorism. You should consider all infrastructure and natural disasters that could affect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, ID.RA
HICP: N/A
      We have considered infrastructure issues, such as blackouts, road blocks, building hazards, network or data center outages. You should consider all natural and man-made disasters that could affect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, ID.RA
HICP: N/A
      All of the above. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, ID.RA
HICP: N/A
      Other. You should consider infrastructure, natural, and man-made disasters that could affect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, ID.RA
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, ID.RA
HICP: N/A
  Notes            
7 Have you documented in your policies and procedures various emergency types and how you would respond to them?            
      Yes. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP
HICP: N/A
      No. Consider all natural and man-made disasters that could affect the confidentiality, integrity, and availability of ePHI. Document how you would respond in these situations to maintain the security of ePHI in your policies and procedures.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP
HICP: N/A
      I don’t know. Consider all natural and man-made disasters that could affect the confidentiality, integrity, and availability of ePHI. Document how you would respond in these situations to maintain the security of ePHI in your policies and procedures.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP
HICP: N/A
  Notes            
8 Does your practice have policies and procedures in place to prevent, detect, and respond to security incidents?            
      Yes. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(a)(6)(i)
NIST CSF: DE.AE, RS.CO, RC.CO, PR.IP
HICP: N/A
      No. Your practice may not be able to safeguard its information systems, applications, and ePHI if it does not have policies and procedures designed to help prevent, detect and respond to security incidents.   Required HIPAA: §164.308(a)(6)(i)
NIST CSF: DE.AE, RS.CO, RC.CO, PR.IP
HICP: N/A
      I don’t know. Your practice may not be able to safeguard its information systems, applications, and ePHI if it does not have policies and procedures designed to help prevent, detect and respond to security incidents.   Required HIPAA: §164.308(a)(6)(i)
NIST CSF: DE.AE, RS.CO, RC.CO, PR.IP
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(6)(i)
NIST CSF: DE.AE, RS.CO, RC.CO, PR.IP
HICP: N/A
  Notes            
9 How does your practice prevent, detect, and respond to security incidents?            
      We have a security incident response plan documented in our policies and procedures. Consider testing the security incident response plan periodically using a documented process. The incident plan should cover broad categories of incidents to prepare for. Testing the incident plan is an effective means of preparation and training. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.   Required HIPAA: §164.308(a)(6)(i)
NIST CSF: DE.AE, RS.CO, RC.CO, PR.IP, RS.IP
HICP: TV1, Practice # 8
      As part of training exercises we periodically test our security incident response plan. Testing your incident response plan is an effective means of preparation and training. The incident plan should cover a range of categories to prepare for and should be documented in your policies and procedures. Also consider tracking security incident responses and outcomes and communicating them to the appropriate workforce members for security incident awareness and mitigation. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.   Required HIPAA: §164.308(a)(6)(i)
NIST CSF: DE.AE, RS.CO, RC.CO, PR.IP, RS.IP
HICP: TV1, Practice # 8
      We track all security incident responses and outcomes and report them to our security officer. We then ensure proper mitigation procedures are followed in a timely manner. Consider documenting your incident response plan in your policies and procedures and testing the plan periodically using a documented process. The incident plan should cover broad categories of incidents to prepare for. Testing the incident plan is an effective means of preparation and training. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.   Required HIPAA: §164.308(a)(6)(i)
NIST CSF: DE.AE, RS.CO, RC.CO, PR.IP, RS.IP
HICP: TV1, Practice # 8
      We communicate recent security incident responses and outcomes to our workforce for additional security awareness and prevention. Consider documenting your incident response plan in your policies and procedures and testing the plan periodically using a documented process. The incident plan should cover broad categories of incidents to prepare for. Testing the incident plan is an effective means of preparation and training. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.   Required HIPAA: §164.308(a)(6)(i)
NIST CSF: DE.AE, RS.CO, RC.CO, PR.IP, RS.IP
HICP: TV1, Practice # 8
      All of the above. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.   Required HIPAA: §164.308(a)(6)(i)
NIST CSF: DE.AE, RS.CO, RC.CO, PR.IP, RS.IP
HICP: TV1, Practice # 8
      Our security incident response plan is tested as needed (for example, when activated in real-world situations) but not on a periodic basis. Consider documenting your incident response plan in your policies and procedures and testing the plan periodically using a documented process. The incident plan should cover broad categories of incidents to prepare for. Testing the incident plan is an effective means of preparation and training. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.   Required HIPAA: §164.308(a)(6)(i)
NIST CSF: DE.AE, RS.CO, RC.CO, PR.IP, RS.IP
HICP: TV1, Practice # 8
      We do not have a process for managing security incidents or an incident response testing plan. Develop an incident response plan that covers broad categories of incidents to prepare for. Ensure that security incident response, reporting, and mitigation procedures are followed by workforce members, are conducted in a timely manner, and their outcomes are properly documented and communicated to the appropriate workforce members. Also consider testing the plan to ensure its effectiveness. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.   Required HIPAA: §164.308(a)(6)(i)
NIST CSF: DE.AE, RS.CO, RC.CO, PR.IP, RS.IP
HICP: TV1, Practice # 8
      I don’t know. Develop an incident response plan that covers broad categories of incidents to prepare for. Ensure that security incident response, reporting, and mitigation procedures are followed by workforce members, are conducted in a timely manner, and their outcomes are properly documented and communicated to the appropriate workforce members. Also consider testing the plan to ensure its effectiveness. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.   Required HIPAA: §164.308(a)(6)(i)
NIST CSF: DE.AE, RS.CO, RC.CO, PR.IP, RS.IP
HICP: TV1, Practice # 8
      Other. Consider developing an incident response plan that covers broad categories of incidents to prepare for. Ensure that security incident response, reporting, and mitigation procedures are followed by workforce members, are conducted in a timely manner, and their outcomes are properly documented and communicated to the appropriate workforce members. Also consider testing the plan to ensure its effectiveness. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.   Required HIPAA: §164.308(a)(6)(i)
NIST CSF: DE.AE, RS.CO, RC.CO, PR.IP, RS.IP
HICP: TV1, Practice # 8
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(6)(i)
NIST CSF: DE.AE, RS.CO, RC.CO, PR.IP, RS.IP
HICP: TV1, Practice # 8
  Notes            
10 Has your practice identified specific personnel as your incident response team?            
      Yes. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Before an incident occurs, make sure you understand who will lead your incident investigation. Additionally, make sure you understand which personnel will support the leader during each phase of the investigation. At minimum, you should identify the top security expert who will provide direction to the supporting personnel.   Required HIPAA: §164.308(a)(6)(ii)
NIST CSF: RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.GV
HICP: TV1, Practice # 8
      No. Identify the workforce members who make up your incident response team, define their roles and responsibilities, and create a backup plan for accessing facilities and critical data during an incident. Before an incident occurs, make sure you understand who will lead your incident investigation. Additionally, make sure you understand which personnel will support the leader during each phase of the investigation. At minimum, you should identify the top security expert who will provide direction to the supporting personnel.   Required HIPAA: §164.308(a)(6)(ii)
NIST CSF: RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.GV
HICP: TV1, Practice # 8
      I don’t know. Identify the workforce members who make up your incident response team, define their roles and responsibilities, and create a backup plan for accessing facilities and critical data during an incident. Before an incident occurs, make sure you understand who will lead your incident investigation. Additionally, make sure you understand which personnel will support the leader during each phase of the investigation. At minimum, you should identify the top security expert who will provide direction to the supporting personnel.   Required HIPAA: §164.308(a)(6)(ii)
NIST CSF: RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.GV
HICP: TV1, Practice # 8
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(6)(ii)
NIST CSF: RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.GV
HICP: TV1, Practice # 8
  Notes            
11 How are members of your incident response team identified and trained?            
      Workforce members are trained on their role and responsibilities as part of the incident response team (upon hire) as well as periodic reminders of our internal policies and procedures and testing exercises. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. At minimum, you should identify the top security expert who will provide direction to the supporting personnel. Ensure that the leader is fully authorized to execute all tasks required to complete the investigation.   Required HIPAA: §164.308(a)(6)(ii)
NIST CSF: PR.AT, RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.RA
HICP: TV1, Practice # 8
      Workforce members are trained on their role and responsibilities as part of the incident response team (upon hire). Train members of your incident response team both upon hire and during periodic review. Testing your incident response plan can be an effective training method. At minimum, you should identify the top security expert who will provide direction to the supporting personnel. Ensure that the leader is fully authorized to execute all tasks required to complete the investigation.   Required HIPAA: §164.308(a)(6)(ii)
NIST CSF: PR.AT, RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.RA
HICP: TV1, Practice # 8
      Workforce members are told verbally what their role and responsibilities on the incident response team are, but this is not a formal process. Consider formally documenting and training workforce members on their role and responsibilities on the incident response team. Testing your incident response plan can be an effective training method. At minimum, you should identify the top security expert who will provide direction to the supporting personnel. Ensure that the leader is fully authorized to execute all tasks required to complete the investigation.   Required HIPAA: §164.308(a)(6)(ii)
NIST CSF: PR.AT, RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.RA
HICP: TV1, Practice # 8
      We do not have a process to inform workforce members about their role and responsibility on the incident response team. Your practice may not be able to safeguard its information systems, applications, and ePHI if it does not identify members of its incident response team, ensure workforce members are trained, and test its incident response plans. At minimum, you should identify the top security expert who will provide direction to the supporting personnel. Ensure that the leader is fully authorized to execute all tasks required to complete the investigation.   Required HIPAA: §164.308(a)(6)(ii)
NIST CSF: PR.AT, RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.RA
HICP: TV1, Practice # 8
      I don’t know. Your practice may not be able to safeguard its information systems, applications, and ePHI if it does not identify members of its incident response team, ensure workforce members are trained, and test its incident response plans. At minimum, you should identify the top security expert who will provide direction to the supporting personnel. Ensure that the leader is fully authorized to execute all tasks required to complete the investigation.   Required HIPAA: §164.308(a)(6)(ii)
NIST CSF: PR.AT, RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.RA
HICP: TV1, Practice # 8
      Other. Your practice may not be able to safeguard its information systems, applications, and ePHI if it does not identify members of its incident response team, ensure workforce members are trained, and test its incident response plans. At minimum, you should identify the top security expert who will provide direction to the supporting personnel. Ensure that the leader is fully authorized to execute all tasks required to complete the investigation.   Required HIPAA: §164.308(a)(6)(ii)
NIST CSF: PR.AT, RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.RA
HICP: TV1, Practice # 8
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(6)(ii)
NIST CSF: PR.AT, RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.RA
HICP: TV1, Practice # 8
  Notes            
12 Has your practice evaluated and determined which systems and ePHI are necessary for maintaining business-as-usual in the event of an emergency?            
      Yes, we have a process of evaluating all hardware and software systems, including those of business associates, to determine criticality of the systems and ePHI that would be accessed by executing our contingency plan. This is documented along with our asset inventory. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP
HICP: TV1, Practice # 10
      Yes, we have identified which information systems are more critical than others, including those of business associates, but have not formally documented this in our contingency plan. Consider documenting this process and include all mission-critical systems in your contingency plan. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP
HICP: TV1, Practice # 10
      No, we have not implemented a process for identifying and assessing criticality of information systems. Consider evaluating all hardware and software systems, including those of business associates, to determine criticality of the systems and ePHI that would be accessed. Document this process and include all mission-critical systems in your contingency plan. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP
HICP: TV1, Practice # 10
      I don’t know. Consider evaluating all hardware and software systems, including those of business associates, to determine criticality of the systems and ePHI that would be accessed. Document this process and include all mission-critical systems in your contingency plan. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP
HICP: TV1, Practice # 10
      Other. Consider evaluating all hardware and software systems, including those of business associates, to determine criticality of the systems and ePHI that would be accessed. Document this process and include all mission-critical systems in your contingency plan. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP
HICP: TV1, Practice # 10
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(7)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP
HICP: TV1, Practice # 10
  Notes            
13 How would your practice maintain access to ePHI in the event of an emergency, system failure, or physical disaster?            
      We have established procedures and mechanisms for obtaining necessary electronic protected health information during an emergency. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.312(a)(2)(ii)
NIST CSF: PR.AC, ID.BE, PR.DS, PR.IP, PR.MA, PR.PT, RS.RP, RS.CO
HICP: N/A
      We have mechanisms in place to obtain access to ePHI during an emergency but do not have procedures documenting how these mechanisms are to be used. Document procedures describing how your practice will maintain access to ePHI in the event of an emergency, system failure, or physical disaster. Your practice might not be able to recover ePHI and other health information during an emergency or when systems become unavailable if it does not back up ePHI by saving an exact copy to magnetic disk/tape or to virtual storage (e.g., a cloud environment).   Required HIPAA: §164.312(a)(2)(ii)
NIST CSF: PR.AC, ID.BE, PR.DS, PR.IP, PR.MA, PR.PT, RS.RP, RS.CO
HICP: N/A
      We do not have procedures or mechanisms to maintain access to ePHI in the event of an emergency. Document procedures describing how your practice will maintain access to ePHI in the event of an emergency, system failure, or physical disaster. Your practice might not be able to recover ePHI and other health information during an emergency or when systems become unavailable if it does not back up ePHI by saving an exact copy to magnetic disk/tape or to virtual storage (e.g., a cloud environment).   Required HIPAA: §164.312(a)(2)(ii)
NIST CSF: PR.AC, ID.BE, PR.DS, PR.IP, PR.MA, PR.PT, RS.RP, RS.CO
HICP: N/A
      I don’t know. Document procedures describing how your practice will maintain access to ePHI in the event of an emergency, system failure, or physical disaster. Your practice might not be able to recover ePHI and other health information during an emergency or when systems become unavailable if it does not back up ePHI by saving an exact copy to magnetic disk/tape or to virtual storage (e.g., a cloud environment).   Required HIPAA: §164.312(a)(2)(ii)
NIST CSF: PR.AC, ID.BE, PR.DS, PR.IP, PR.MA, PR.PT, RS.RP, RS.CO
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.312(a)(2)(ii)
NIST CSF: PR.AC, ID.BE, PR.DS, PR.IP, PR.MA, PR.PT, RS.RP, RS.CO
HICP: N/A
  Notes            
14 How would your practice maintain security of ePHI and crucial business processes before, during, and after an emergency?            
      We have robust contingency plans which provide for alternate site or other means for continued access to ePHI. We test them periodically to ensure continuity of security processes in an emergency setting. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(a)(7)(ii)(C)
NIST CSF: ID.BE, ID.RM, PR.IP, RS.RP, RS.CO, RS.AN, RC.CO, RC.RP
HICP: N/A
      We have contingency plans which will be used to maintain continuity of security processes during an emergency setting. Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.   Required HIPAA: §164.308(a)(7)(ii)(C)
NIST CSF: ID.BE, ID.RM, PR.IP, RS.RP, RS.CO, RS.AN, RC.CO, RC.RP
HICP: N/A
      We have not implemented a means of ensuring continuity of security processes in an emergency setting. Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.   Required HIPAA: §164.308(a)(7)(ii)(C)
NIST CSF: ID.BE, ID.RM, PR.IP, RS.RP, RS.CO, RS.AN, RC.CO, RC.RP
HICP: N/A
      I don’t know. Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.   Required HIPAA: §164.308(a)(7)(ii)(C)
NIST CSF: ID.BE, ID.RM, PR.IP, RS.RP, RS.CO, RS.AN, RC.CO, RC.RP
HICP: N/A
      Other. Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.   Required HIPAA: §164.308(a)(7)(ii)(C)
NIST CSF: ID.BE, ID.RM, PR.IP, RS.RP, RS.CO, RS.AN, RC.CO, RC.RP
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(7)(ii)(C)
NIST CSF: ID.BE, ID.RM, PR.IP, RS.RP, RS.CO, RS.AN, RC.CO, RC.RP
HICP: N/A
  Notes            
15 Do you have a plan for backing up and restoring critical data?            
      Yes, we have a plan for determining which data is critically needed, creating retrievable, exact copies of critical data and how to restore that data, including from alternate locations. We also test and revise the plan, as needed. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.   Required & Addressable HIPAA: §164.308(a)(7)(ii)(A), §164.308(a)(7)(ii)(B), and §164.308(a)(7)(ii)(E)
NIST CSF: ID.BE, ID.RA, ID.RM, RS.AN, PR.IP, RS.RP, RS.CO, RC.CO, RC.RP, PR.DS
HICP: TV1, Practice # 10
      Yes, we have a plan for creating retrievable, exact copies of critical data and how to restore that data. We do not have a process for testing and revising this plan. Consider conducting periodic tests of backup recovery procedures. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.   Required & Addressable HIPAA: §164.308(a)(7)(ii)(A), §164.308(a)(7)(ii)(B), and §164.308(a)(7)(ii)(E)
NIST CSF: ID.BE, ID.RA, ID.RM, RS.AN, PR.IP, RS.RP, RS.CO, RC.CO, RC.RP, PR.DS
HICP: TV1, Practice # 10
      We do not have a data backup and restoration plan. You should establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. Consider implementing, documenting, and testing a data backup and restoration plan. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.   Required & Addressable HIPAA: §164.308(a)(7)(ii)(A), §164.308(a)(7)(ii)(B), and §164.308(a)(7)(ii)(E)
NIST CSF: ID.BE, ID.RA, ID.RM, RS.AN, PR.IP, RS.RP, RS.CO, RC.CO, RC.RP, PR.DS
HICP: TV1, Practice # 10
      I don’t know. You should establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. Consider looking into whether your practice is implementing, documenting, and testing a data backup and restoration plan. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.   Required & Addressable HIPAA: §164.308(a)(7)(ii)(A), §164.308(a)(7)(ii)(B), and §164.308(a)(7)(ii)(E)
NIST CSF: ID.BE, ID.RA, ID.RM, RS.AN, PR.IP, RS.RP, RS.CO, RC.CO, RC.RP, PR.DS
HICP: TV1, Practice # 10
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required & Addressable HIPAA: §164.308(a)(7)(ii)(A), §164.308(a)(7)(ii)(B), and §164.308(a)(7)(ii)(E)
NIST CSF: ID.BE, ID.RA, ID.RM, RS.AN, PR.IP, RS.RP, RS.CO, RC.CO, RC.RP, PR.DS
HICP: TV1, Practice # 10
  Notes            
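Question 15 asks for "retrievable, exact copies" of critical data and for the backup plan to be tested. The script below is an added example, not part of the SRA Tool or its guidance; it shows one way a small practice could make "exact copy" checkable and turn a restore test into a repeatable, documented procedure. It writes a SHA-256 manifest at backup time, restores into a fresh directory, and re-hashes every file so that missing, altered, or extra files are reported. The sample files, directory names, and the simulated corruption are constructed for illustration only and contain no real PHI.

```python
"""
Added example (not from the SRA Tool): backup with a hash manifest,
restore into a clean directory, and verify the restore is an exact copy.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large EHR exports do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(source: Path, dest: Path) -> Path:
    """Copy the source tree to dest/data and write manifest.json beside it."""
    shutil.copytree(source, dest / "data")
    manifest_path = dest / "manifest.json"
    manifest_path.write_text(json.dumps(build_manifest(source), indent=2))
    return manifest_path


def restore(backup_dir: Path, target: Path) -> None:
    """Restore the stored copy into a directory that does not yet exist."""
    shutil.copytree(backup_dir / "data", target)


def verify(restored: Path, manifest_path: Path) -> list:
    """Return a list of problems; an empty list means the restore is exact."""
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(restored)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected file: {rel}")
    return problems


def run_restore_test(corrupt: bool = False) -> list:
    """End-to-end restore test on constructed sample data (not real PHI)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "ehr"
        (src / "patients").mkdir(parents=True)
        # Constructed sample records; hypothetical file names.
        (src / "patients" / "p001.json").write_text('{"id": "p001", "note": "sample"}')
        (src / "audit.log").write_text("2024-01-01T00:00:00Z login user=jdoe\n")

        backup_dir = tmp / "backup"
        manifest_path = backup(src, backup_dir)

        if corrupt:
            # Simulate media corruption or tampering of the stored copy.
            (backup_dir / "data" / "audit.log").write_text(
                "2024-01-01T00:00:00Z login user=mallory\n"
            )

        restored = tmp / "restored"
        restore(backup_dir, restored)
        return verify(restored, manifest_path)


if __name__ == "__main__":
    print("clean restore problems:", run_restore_test())
    print("corrupted restore problems:", run_restore_test(corrupt=True))
```

Running the script with the clean path reports no problems; the corrupted path reports a hash mismatch on `audit.log`. Keeping the manifest alongside the backup (and a second copy elsewhere) gives the periodic restore test required by the plan a concrete pass/fail result that can be recorded in the policies and procedures.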
16 How is your practice’s emergency procedure activated?            
      Upon identification or initiation of an emergency situation, emergency procedures are activated according to documented procedure, such as by formal communication from the security officer or other designated personnel. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.312(a)(2)(ii)
NIST CSF: ID.BE, PR.IP, PR.PT, DE.DP, RS.RP, RS.CO
HICP: N/A
      We do not have a procedure to ensure that the emergency procedure is activated consistently when emergency events are identified. Details about how and when to activate should be documented in the emergency procedure.   Required HIPAA: §164.312(a)(2)(ii)
NIST CSF: ID.BE, PR.IP, PR.PT, DE.DP, RS.RP, RS.CO
HICP: N/A
      I don’t know. Details about how and when to activate should be documented in the emergency procedure.   Required HIPAA: §164.312(a)(2)(ii)
NIST CSF: ID.BE, PR.IP, PR.PT, DE.DP, RS.RP, RS.CO
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.312(a)(2)(ii)
NIST CSF: ID.BE, PR.IP, PR.PT, DE.DP, RS.RP, RS.CO
HICP: N/A
  Notes            
17 How is access to your facility coordinated in the event of disasters or emergency situations?            
      We have written policies and procedures outlining facility access for the restoration of lost data under the Disaster Recovery Plan and Emergency Mode Operations Plan in the event of an emergency. Members of the workforce who need access to the facility in an emergency have been identified. Roles and responsibilities have been defined. A backup plan for accessing the facility and critical data is in place. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Addressable HIPAA: §164.310(a)(2)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, PR.DS, RS.CO, RC.RP
HICP: N/A
      We have written policies and procedures outlining facility access for the restoration of lost data under the Disaster Recovery Plan and Emergency Mode Operations Plan in the event of an emergency, but it does not include all of the variables described above. Implement written policies and procedures outlining facility access for the restoration of lost data under the Disaster Recovery Plan and Emergency Mode Operations Plan in the event of an emergency. Ensure members of the workforce who need access to the facility in an emergency have been identified. Define workforce member roles and responsibilities. Ensure that a backup plan for accessing the facility and critical data is in place.   Addressable HIPAA: §164.310(a)(2)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, PR.DS, RS.CO, RC.RP
HICP: N/A
      We do not have a written plan for accessing the facility in the event of disasters or emergency situations. Implement written policies and procedures outlining facility access for the restoration of lost data under the Disaster Recovery Plan and Emergency Mode Operations Plan in the event of an emergency. Ensure members of the workforce who need access to the facility in an emergency have been identified. Define workforce member roles and responsibilities. Ensure that a backup plan for accessing the facility and critical data is in place.   Addressable HIPAA: §164.310(a)(2)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, PR.DS, RS.CO, RC.RP
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Addressable HIPAA: §164.310(a)(2)(i)
NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, PR.DS, RS.CO, RC.RP
HICP: N/A
  Notes            
18 How is your emergency procedure terminated after the emergency circumstance is over?            
      Upon the conclusion of the emergency situation, normal operations are resumed according to documented procedure, such as by formal communication from the security officer or other designated personnel. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.312(a)(2)(ii)
NIST CSF: N/A
HICP: N/A
      We do not have a procedure to ensure that normal operations are resumed after the conclusion of an emergency. Details about how and when to terminate should be documented in the emergency procedure.   Required HIPAA: §164.312(a)(2)(ii)
NIST CSF: N/A
HICP: N/A
      I don’t know. Details about how and when to terminate should be documented in the emergency procedure.   Required HIPAA: §164.312(a)(2)(ii)
NIST CSF: N/A
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.312(a)(2)(ii)
NIST CSF: N/A
HICP: N/A
  Notes            
19 Do you formally evaluate the effectiveness of your security safeguards, including physical safeguards?            
      Yes. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(a)(8)
NIST CSF: ID.AM, ID.BE, ID.RA, PR.IP, DE.AE, DE.CM, DE.DP, RS.MI, RS.IM, RC.MI
HICP: N/A
      No. Consider conducting technical and non-technical evaluations of security policies and procedures. This should be done periodically and in response to changes in the security environment.   Required HIPAA: §164.308(a)(8)
NIST CSF: ID.AM, ID.BE, ID.RA, PR.IP, DE.AE, DE.CM, DE.DP, RS.MI, RS.IM, RC.MI
HICP: N/A
      I don’t know. Consider conducting technical and non-technical evaluations of security policies and procedures. This should be done periodically and in response to changes in the security environment.   Required HIPAA: §164.308(a)(8)
NIST CSF: ID.AM, ID.BE, ID.RA, PR.IP, DE.AE, DE.CM, DE.DP, RS.MI, RS.IM, RC.MI
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(8)
NIST CSF: ID.AM, ID.BE, ID.RA, PR.IP, DE.AE, DE.CM, DE.DP, RS.MI, RS.IM, RC.MI
HICP: N/A
  Notes            
20 How do you evaluate the effectiveness of your security safeguards, including physical safeguards?            
      We have procedures in place to evaluate the effectiveness of our security policies and procedures, physical safeguards, and technical safeguards. Our evaluation is conducted periodically and in response to changes in the security environment. This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.   Required HIPAA: §164.308(a)(8)
NIST CSF: ID.AM, ID.BE, ID.RA, PR.IP, DE.AE, DE.CM, DE.DP, RS.MI, RS.IM, RC.MI
HICP: N/A
      We have procedures in place to evaluate the effectiveness of our security policies and procedures, physical safeguards, and technical safeguards but we do not update them with any set frequency. Consider conducting technical and non-technical evaluations of security policies and procedures periodically and in response to changes in the security environment.   Required HIPAA: §164.308(a)(8)
NIST CSF: ID.AM, ID.BE, ID.RA, PR.IP, DE.AE, DE.CM, DE.DP, RS.MI, RS.IM, RC.MI
HICP: N/A
      We do not have a formal process to evaluate the effectiveness of our security safeguards. Consider conducting technical and non-technical evaluations of security policies and procedures. This should be done periodically and in response to changes in the security environment.   Required HIPAA: §164.308(a)(8)
NIST CSF: ID.AM, ID.BE, ID.RA, PR.IP, DE.AE, DE.CM, DE.DP, RS.MI, RS.IM, RC.MI
HICP: N/A
      Flag this question for later. This question will be marked as an area for review and will be included in the “Flagged Questions” report.   Required HIPAA: §164.308(a)(8)
NIST CSF: ID.AM, ID.BE, ID.RA, PR.IP, DE.AE, DE.CM, DE.DP, RS.MI, RS.IM, RC.MI
HICP: N/A
  Notes            
               
Threats & Vulnerabilities         Likelihood Impact Risk Score
1 Failure to adopt a documented business contingency plan            
      Corrective enforcement outcomes from regulatory agencies        
      Failure to define purpose, scope, roles/responsibilities, and/or management commitment        
      Inability to demonstrate recovery objectives and restoration priorities        
      Litigation due to not meeting minimum security requirements        
      Unguided procedures during downtime or unexpected event        
2 Failure to update or review contingency plan procedures            
      Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)        
      Unauthorized access to or modification of ePHI/sensitive information        
      Out-of-date documentation not reflecting the most recent expected procedures        
      Inconsistent or inadequate contingency response due to uncertainty        
      Unguided procedures during downtime or unexpected event        
3 Lack of consideration to reasonably anticipated environmental threats            
      Damage to public reputation due to information breach/loss        
      Physical damage to facility        
      Financial loss from increased downtime of information systems        
      Inability to recover from system failure        
      Increased recovery time during unexpected downtime of information systems        
      Injury or death of personnel (employee, patient, guest)        
      Loss of productivity        
      Overheating of network devices due to increased ambient temperature        
      Physical access granted to unauthorized persons or entities        
      Power outage affecting the availability of critical security and information systems        
4 Infrequent training provided to staff and personnel regarding business contingency procedures            
      Damage to public reputation due to information breach/loss        
      Financial loss from increased downtime of information systems        
      Inability to recover from system failure        
      Increased recovery time during unexpected downtime of information systems        
      Loss of productivity        
5 Inadequate written procedures for security incident tracking and monitoring            
      Adversaries maintain exploitation capability due to security incidents being undetected or undocumented        
      Failure to adopt remediation plan based on identified security incidents        
      Failure to define purpose, scope, roles, responsibilities, and/or management commitment pertaining to the tracking of security incidents        
6 Lack of access to ePHI during emergency events            
      Damage to public reputation        
      Lost revenue from canceled appointments        
               


Sheet 9: Risk_Logic

Lookup table that combines the Likelihood and Impact ratings into a Risk Score. Columns: Likelihood, Impact, lookup key (Likelihood and Impact concatenated), Risk Score.
Low Low LowLow Low
Low Medium LowMedium Medium
Low High LowHigh High
Medium Low MediumLow Low
Medium Medium MediumMedium Medium
Medium High MediumHigh Critical
High Low HighLow Medium
High Medium HighMedium High
High High HighHigh Critical
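Added example, not part of the SRA Tool workbook: a Python reproduction of the Risk_Logic lookup above, applied to constructed sample ratings for a few of the threats listed in this section's Threats & Vulnerabilities table and sorted highest risk first. The `ThreatRating` class, `prioritize` and `summarize` functions, and the sample ratings are assumptions made for illustration; only the lookup table itself comes from the sheet.

```python
"""Risk scoring as laid out in the SRA Tool's Risk_Logic sheet.

The workbook combines a Likelihood rating and an Impact rating into a
Risk Score through a lookup keyed on the concatenated pair (e.g. "LowHigh").
This module reproduces that lookup and applies it to constructed sample
ratings. The sample ratings below are invented for illustration.
"""
from dataclasses import dataclass

RATINGS = ("Low", "Medium", "High")

# Lookup table copied from Sheet 9 (Risk_Logic): key is Likelihood + Impact.
RISK_LOGIC = {
    "LowLow": "Low",
    "LowMedium": "Medium",
    "LowHigh": "High",
    "MediumLow": "Low",
    "MediumMedium": "Medium",
    "MediumHigh": "Critical",
    "HighLow": "Medium",
    "HighMedium": "High",
    "HighHigh": "Critical",
}

# Ordering used to prioritize findings once scored.
SEVERITY_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


def risk_score(likelihood: str, impact: str) -> str:
    """Return the Risk Score for a Likelihood/Impact pair.

    Mirrors the workbook: a cleared (empty) rating yields no score ("").
    Anything outside Low/Medium/High is rejected rather than silently scored.
    """
    if not likelihood or not impact:
        return ""
    if likelihood not in RATINGS or impact not in RATINGS:
        raise ValueError(f"ratings must be one of {RATINGS}: {likelihood!r}, {impact!r}")
    return RISK_LOGIC[likelihood + impact]


@dataclass
class ThreatRating:
    """One row of the Threats & Vulnerabilities table (hypothetical helper)."""
    vulnerability: str
    threat: str
    likelihood: str = ""
    impact: str = ""

    @property
    def score(self) -> str:
        return risk_score(self.likelihood, self.impact)


def prioritize(ratings):
    """Sort scored entries highest risk first; unrated entries are listed last."""
    scored = [r for r in ratings if r.score]
    unscored = [r for r in ratings if not r.score]
    scored.sort(key=lambda r: SEVERITY_ORDER[r.score], reverse=True)
    return scored + unscored


def summarize(ratings):
    """Return (threat, score) pairs in priority order; unrated rows show "(unrated)"."""
    return [(r.threat, r.score or "(unrated)") for r in prioritize(ratings)]


# Constructed sample ratings (not from the workbook) for threats named in
# this section's Threats & Vulnerabilities table.
SAMPLE = [
    ThreatRating("Lack of consideration to reasonably anticipated environmental threats",
                 "Power outage affecting the availability of critical security and information systems",
                 "Medium", "High"),
    ThreatRating("Failure to adopt a documented business contingency plan",
                 "Unguided procedures during downtime or unexpected event",
                 "High", "Medium"),
    ThreatRating("Inadequate written procedures for security incident tracking and monitoring",
                 "Adversaries maintain exploitation capability due to security incidents being undetected or undocumented",
                 "High", "Low"),
    ThreatRating("Lack of access to ePHI during emergency events",
                 "Lost revenue from canceled appointments"),  # not yet rated
]


if __name__ == "__main__":
    for threat, score in summarize(SAMPLE):
        print(f"{score:>10}  {threat}")
```

One property of the sheet that the example makes visible: the matrix is not symmetric. Impact outweighs likelihood, so a Low likelihood with High impact scores High while a High likelihood with Low impact scores only Medium, and the prioritized list reflects that ordering.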
