Copyright (c) 2003, University of Wisconsin Board of Regents

HIPAA Risk Assessment Inventory

July 26th, 2003

Risk Assessment Subcommittee

of the HIPAA Security Committee

of the UW-Madison HIPAA Task Force

Why are We Doing This?

• The HIPAA security regulation requires risk assessment.

• UW-Madison policy, developed by the HIPAA Task Force, requires that each unit of the HCC do a risk assessment inventory as part of the process of submitting a migration plan to the HIPAA Security Officer by October 14th, 2003.

Who Developed It?

• The UW-Madison HIPAA Task Force has a Security Committee.

• The Security Committee appointed a risk assessment subcommittee to develop guidance for the units of the HCC.

• DoIT provided staff resources to assist that subcommittee in building the spreadsheet and related documents, such as this presentation.

Contents of the Packet

• The Presentation

• The Risk Assessment Inventory workbook

• FAQ for the RA Inventory

• List of HCC Unit Security Coordinators

Contents of the RA Inventory Workbook (Workbook handout, page 1: ‘Contents’ sheet)

Workbook Contents

• Section A. Explanations (four sheets, pages 1-4)

• Section B. The inventory itself that you need to fill out (four sheets, pages 5-8)

• Section C. The HIPAA Security Regulation, and suggested scales for grading required safeguards (one sheet, pages 9-12)

Overview (Workbook handout, page 2: ‘Overview’ sheet)

The Model

In the model we’ve created for the HIPAA Risk Assessment Inventory, a unit of the HCC has:

• Technical Assets,
• Physical Sites, and
• Administrative Subunits.

• The HIPAA security regulation is divided into:
– Administrative Safeguards,
– Physical Safeguards, and
– Technical Safeguards.

• It is tempting to view these distinct groups of safeguards as things dealt with by:
– a dept. administrator (runs an Admin Subunit).
– a site manager (runs a Physical Site).
– a system administrator (runs a Technical Asset).

• It almost works...

The way the regulation is written:

• there are quite a number of Administrative and Physical Safeguards that apply to individual technical assets.

• there are a few Technical Safeguards that apply to physical sites.

Diagram of the Model

The Unit of the HCC

Examples:

• Medical School

• School of Nursing

• Hygiene Lab

Technical Assets

• A computer system
• A network device
• A workstation
• A peripheral
• A portable device (any type)
• An application

Safeguards that Apply to Individual Technical Assets

• All Technical Safeguards, in most cases.
• All Physical Safeguards, in many cases.
• Most Administrative Safeguards, except those under:
– Security Management Process, and
– Assigned Security Responsibility.

These represent broad administrative or human resource activities, which are not specific to an individual technical asset.

A Technical Asset is

• Owned and operated by one or more Administrative Subunits
– Some assets are shared by multiple subunits, so there may be overlap of sysadmins and users.

• Located at one or more Physical Sites
– Some assets, such as networks and applications, are distributed among multiple physical sites.

Administrative Subunits

• Separate Administrative Staff,
• Separate Human Resources Staff,
• Separate Information Technology Staff,
• Any combination of the above, or
• None of the above!

Key thought: Has a significant degree of operational autonomy.

Safeguards that Apply to Each Administrative Subunit

• No Technical Safeguards,
• No Physical Safeguards,
• All Administrative Safeguards
(as one might expect.)

Physical Sites

• A building complex,
• A single building,
• A wing or a floor,
• Rooms scattered about a building or complex, or
• An isolated room with unique security needs.

Key thoughts: sites are typically isolated from each other, and have differing security issues.

Safeguards that Apply to Physical Sites

• A few Technical Safeguards, related to:
– Emergency Access (can we get in?),
– Auditing (who has been there?), and
– Authentication (are they who we think they are?)

• All Physical Safeguards (as one might expect)

• No Administrative Safeguards (but please don’t forget physical access and security when writing the administrative policies and procedures!)

Process (Workbook handout, page 3: ‘Process’ sheet)

Step 1: Inventory

Make lists (don’t assess risks yet!)

This is where you start to fill in the four sheets of the Risk Assessment Inventory, numbered I. through IV.

Details of those four sheets are covered later in the presentation.

Step 2: Establish a Team

Suggestion: Have IT, HR, and Management representatives.

Step 3: Score Risks

Suggestion:

Use a scale of A, B, C, D, & F where A (excellent) is low risk and F is high risk.

Where to concentrate

• Risk associated with all applicable safeguards should be assessed, but spend the most time and attention on the required safeguards.

• The 'HIPAA Security Regs' sheet in this workbook includes a possible grading scale for each required safeguard.

Descriptive Narrative

The narrative should explain “why”.

• Why those physical sites and those administrative subunits were selected.
• Why various technical assets were grouped together.
• Why particular scores were given for key assets, especially when the score was an “A”, “D” or “F”.

Comments in Cells

• To shorten the narrative, comments may be added to the cells of sheets II. through IV.

• When the inventory is printed, the comments will follow each sheet.

Step 4: Prioritize Risks

• Not all D's and F's are equally important.

• Take into account the cost of intervention and the business impact of loss of confidentiality, integrity, or availability of data.

• Add the results from the prioritization to the descriptive narrative.

Step 5: Deliver

• If you’re doing the risk assessment inventory for a subunit, deliver it to your Security Coordinator by October 1st.

• Security Coordinators should deliver the unit’s migration plan (and the accompanying risk assessment inventory) to the Security Officer by October 14th.

• These dates are subject to change. Take them seriously (we need to do this!), but stay tuned.

Instructions (Workbook handout, page 4: ‘Instructions’ sheet)

Organization of the Template

There are four sheets in the template:

I. HCC Unit

II. Tech Assets

III. Phys Site(s)

IV. Admin Subunit(s)

Fields on the Template Sheets

• The instructions primarily describe the fields for the sheet ‘II. Tech Assets’.

• The other sheets are simpler, and are covered as additional notes in the description of each field.

I. HCC Unit (Workbook handout, page 5: ‘I. HCC Unit’ sheet)

The ‘I. HCC Unit’ sheet is simply a place to enter:
• the name of the Unit of the HCC,
• the name of each physical site,
• the name of each administrative subunit.

The names are carried forward onto sheets II. through IV.

If you discover that you have more sites and subunits than is provided for, please contact me and I will produce an expanded version for you.

I. HCC Unit

II. Tech Assets (Workbook handout, page 6: ‘II. Tech Assets’ sheet)

Technical Assets: Risk Scores Within (HIPAA provisions across, technical assets down).

It is OK to group technical assets together, for example: all office productivity workstations, all network switches, etc.

Refer back to the ‘Instructions’ sheet, where the fields are described in some detail.

Refer forward to the ‘HIPAA Security Reg’ sheet, where the regulation and some grading scales are summarized.

II. Tech Assets

II. Tech Assets: Descriptive Information

• Technical Asset: name or other tag (whatever makes sense.)

• Asset Category: one of six values

• Location: room, building, also:
– physical site (if multiple exist.)
– administrative subunit (if multiple exist.)

• Description: make/model, Operating System, Major Subsystem(s), IP number... (whatever makes sense.)

II. Tech Assets: Descriptive Information (cont.)

• Stores or processes PHI? (Y/N)

• Other critical or sensitive data? (Y/N)

What about technical assets that have neither? They can still pose a risk to assets that do have PHI and other critical or sensitive data.

• Internal or external to firewall? (I/E) By default, a portable device is considered external to the firewall.

Required and Addressable Safeguards

• These are indicated with an (R) or (A).

• The required safeguards are ‘greyed out’ so they are easily visible on the sheet.

• While you need to score all safeguards, the ones to do first and to spend the most time on are the required safeguards.

Required Safeguards (R)

• These must be implemented (unless not applicable to the technical asset).

• The degree of implementation and the particular method of implementation are, for the most part, not specified in the regulation.

• That was deliberate, because circumstances vary and technology changes.

Addressable Safeguards (A)

Consider the extent to which the implementation specification applies.

• If it is not applicable, give it an ‘n/a’.

• If you are already doing what is “reasonable and appropriate” give it an ‘A’.

• Otherwise grade it according to the degree to which improvement is needed to meet the standard of “reasonable and appropriate”.

• Note that “reasonable and appropriate” implicitly includes all the elements of risk: threats, vulnerabilities and value.

What is Risk?

• We are scoring risk, not just the degree of compliance -- an important distinction.

• Risk = Threats * Vulnerabilities * Value

• If we are all exposed to roughly the same threats, and if all PHI has roughly the same value, then vulnerabilities is the most variable factor, and non-compliance with the regulation (i.e. best practices) is an excellent measure of vulnerability.

• However, threats and value do vary, so it is important to consider them when assessing risk.

Default Values

– Nearly all are ‘n/a’.

– They are based on Asset Category.

– The formula is present in each cell; simply overwrite it with the actual data.

– A default value is only provided where that value is appropriate most of the time.

– Feel free to override the default.

– You can change default values at the bottom of the sheet (not visible on the printed copy).

Color Coding

The color coding is for convenience only:
– ‘A’ is Green
– ‘B’ and ‘C’ are Yellow
– ‘D’ and ‘F’ are Red
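The scoring model of Step 3, Step 4 and the ‘What is Risk?’ slide, worked through in code as an added example (it is not part of the UW-Madison workbook). The six Asset Category values, the portable-device firewall default, the ‘n/a’ default and the color coding follow the slides; the numbers attached to the A-F grades, the PHI/sensitive value weights and the impact-over-cost prioritization formula are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
# Deck scale: A (excellent) is low risk, F is high risk. The numbers attached
# to the grades, and all weights below, are assumptions for this example only.
VULN = {"A": 1, "B": 2, "C": 3, "D": 4, "F": 5}
COLOR = {"A": "Green", "B": "Yellow", "C": "Yellow", "D": "Red", "F": "Red"}
CATEGORIES = {"computer system", "network device", "workstation",
              "peripheral", "portable device", "application"}  # the six values

@dataclass
class TechAsset:
    """One row of sheet 'II. Tech Assets', with the fields the deck describes."""
    name: str
    category: str
    phi: bool                        # Stores or processes PHI? (Y/N)
    sensitive: bool                  # Other critical or sensitive data? (Y/N)
    firewall: Optional[str] = None   # Internal or external to firewall? (I/E)
    grades: Dict[str, str] = field(default_factory=dict)  # safeguard -> grade
    def __post_init__(self) -> None:
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown Asset Category: {self.category!r}")
        if self.firewall is None:    # deck: portables are external by default
            self.firewall = "E" if self.category == "portable device" else "I"

    def value(self) -> int:
        # PHI 3, other sensitive data 2, neither 1: never 0, because the deck
        # notes such assets can still endanger the assets that hold PHI.
        return 3 if self.phi else 2 if self.sensitive else 1

def risk(asset: TechAsset, safeguard: str, threat: int = 1) -> int:
    """Risk = Threats * Vulnerabilities * Value; 'n/a' (workbook default) is 0."""
    grade = asset.grades.get(safeguard, "n/a")
    return 0 if grade == "n/a" else threat * VULN[grade] * asset.value()

def findings(assets: List[TechAsset], threat: int = 1) -> List[Tuple]:
    """Every 'Red' cell (a D or an F): the rows the narrative must explain."""
    return [(a.name, sg, g, COLOR[g], risk(a, sg, threat))
            for a in assets for sg, g in a.grades.items() if g in ("D", "F")]

def prioritize(found: List[Tuple], impact: Dict[str, int],
               cost: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """Step 4: not all D's and F's are equal. Rank by risk times business
    impact of loss, divided by cost of intervention (assumed combination)."""
    order = sorted(found, key=lambda f: f[4] * impact[f[0]] / cost[f[0]],
                   reverse=True)
    return [(f[0], f[1], f[2]) for f in order]

# Constructed sample inventory (not real UW-Madison data); the safeguard
# names are ones the deck itself mentions. Impact and cost use an assumed 1-5.
SAMPLE = [
    TechAsset("lab laptop", "portable device", phi=True, sensitive=False,
              grades={"Workstation Security": "F", "Access Authorization": "D"}),
    TechAsset("file server", "computer system", phi=True, sensitive=True,
              grades={"Emergency Access": "D", "Periodic Evaluation": "B"}),
    TechAsset("lobby kiosk", "workstation", phi=False, sensitive=False,
              grades={"Workstation Security": "D"}),
]
IMPACT = {"lab laptop": 5, "file server": 5, "lobby kiosk": 2}
COST = {"lab laptop": 1, "file server": 3, "lobby kiosk": 1}
```

Calling `prioritize(findings(SAMPLE), IMPACT, COST)` puts the laptop's two Red cells first: same risk grade as the server's, but cheaper to fix and holding PHI outside the firewall.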

II. Tech Assets: What is being scored?

• For Administrative and Physical Safeguards, the risk is related to the degree to which the individual technical asset is included or accounted for in the policies and procedures of each Administrative or Physical Safeguard. Think: ‘inclusion in policies and procedures’.

• For Technical Safeguards, the risk is related to the degree to which each Technical Safeguard is directly implemented on each individual technical asset.

III. Phys Site(s) (Workbook handout, page 7: ‘III. Phys Site(s)’ sheet)

III. Phys Site(s)

• Physical Sites contain Technical Assets
– The Physical Site is a container (walls, doors, cabinets, lockdowns, etc.)
– Physical security is about access to the container (keys, codes, PINs, tokens, etc.)

• Descriptive Information: Simple.

III. Phys Site(s): What is being scored?

– For the Physical Safeguards, risk is mitigated primarily by the physical security of the site, and not the security of individual technical assets.

– For the Technical Safeguards, risk is mitigated by the policies and procedures related to the access, auditing, and authentication of persons who are physically entering or within the site.

– Workstation Use and Workstation Security are exceptions...

III. Phys Site(s): Workstation Use and Security

• Workstation Use includes a strong component of appropriate use of the workstation, as well as physical security.

• Workstation Security includes any physical measures to restrict access to authorized users. The need for such measures will vary with the degree of physical exposure of the workstation at the site. (For example: a workstation in a public area vs. one in a locked office.)

Some Administrative Safeguards Related to Physical Sites

Please include the physical security of your sites when you write policies and procedures under these five Administrative Safeguards:

– Access Authorization (who is allowed access).

– Access Establishment & Modification (implementing those authorizations, e.g. issuing and recovering keys, etc.)

– Incident Response & Reporting (of physical breaches).

– Testing and Revision Procedure (testing the physical security measures).

– Periodic Evaluation (keeping it up-to-date).

IV. Admin Subunit(s) (Handout, page 8: ‘IV. Admin Subunit(s)’ sheet)

IV. Admin Subunit(s): Descriptive Information

• An Administrative Subunit owns and operates Technical Assets.

• Descriptive Information: – Simple.

IV. Admin Subunit(s): What is being scored?

Administrative Safeguards are about:
• Various types of assessment and evaluation.
• Policies and procedures:
– Writing them,
– Implementing them,
– Testing and revising them.

• Contracting for services.

IV. Admin Subunit(s): What is being scored? (cont.)

• There is risk associated with not doing assessment and evaluation, and not having policies and procedures that are adequate, implemented, and up-to-date.

• Score the extent to which risk has been mitigated by the required safeguards, or the reasonable and appropriate level of activity within each addressable safeguard.

HIPAA Security Regulation (Handout, pages 9-12: ‘HIPAA Security Reg’ sheet)

• This is a summary of the regulation, with language taken for the most part directly from the regulation.

• The definitions from the regulation of required and addressable safeguards are included at the bottom of each section.

• A possible grading scale for each required safeguard is included in the rightmost column. That grading scale is NOT part of the regulation! It is just a suggestion, to give folks a starting point.

HIPAA Security Regulation...

• For addressable safeguards, the reasonable and appropriate tests apply. This makes it very difficult to suggest a consistent grading scale for such safeguards.

• To complete the risk assessment, you will need to understand the security regulation at least to the extent presented in this section of the template. It is as abbreviated as practical.

• You also need to review the UW-Madison policy relevant to the various Safeguards. See: http://www.wisc.edu/hipaa/privacymanual/

What does the regulation mean?

• A PDF and text copy of the final Security Regulation from the Federal Register can be found at: http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html

• There are 49 PDF pages in the files. These correspond to “pages” in the Federal Register.

• The regulation text itself begins on “page” 8373.

• “Comments” on the proposed regulation and “responses” from the regulators start on page 8335.

• The “responses” answer many questions, but you do need to dig a little to find the relevant comments. Try searching for keywords.

Files

• The files are located at:
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html

• Files are:
– The Excel workbook containing the template for the HIPAA Risk Assessment Inventory.
– This presentation.
– The FAQ for the Risk Assessment Inventory.
– The 5/30/2003 list of Unit Security Coordinators

• There are also links and contacts on that page.

Questions?

• For questions about the interpretation of the security regulation or UW-Madison policy, please contact your Security Coordinator.

• Security Coordinators should contact the Security Officer.

For questions about the template or other files (not the interpretation of the regulation please!), contact me at: [email protected] or 265-6587.

Thanks!