Copyright (c) 2003, University of Wisconsin Board of Regents
HIPAA Risk Assessment Inventory
July 26th, 2003
Risk Assessment Subcommittee
of the HIPAA Security Committee
of the UW-Madison HIPAA Task Force
Why are We Doing This?
• The HIPAA security regulation requires risk assessment.
• UW-Madison policy, developed by the HIPAA Task Force, requires that each unit of the HCC do a risk assessment inventory as part of the process of submitting a migration plan to the HIPAA Security Officer by October 14th, 2003.
Who Developed It?
• The UW-Madison HIPAA Task Force has a Security Committee.
• The Security Committee appointed a risk assessment subcommittee to develop guidance for the units of the HCC.
• DoIT provided staff resources to assist that subcommittee in building the spreadsheet and related documents, such as this presentation.
Contents of the Packet
• The Presentation
• The Risk Assessment Inventory workbook
• FAQ for the RA Inventory
• List of HCC Unit Security Coordinators
Contents of the RA Inventory Workbook (Workbook handout, page 1: ‘Contents’ sheet)
Workbook Contents
• Section A. Explanations, (four sheets, pages 1-4)
• Section B. The inventory itself that you need to fill out, (four sheets, pages 5-8)
• Section C. The HIPAA Security Regulation, and suggested scales for grading required safeguards, (one sheet, pages 9-12)
Overview (Workbook handout, page 2: ‘Overview’ sheet)
The Model
In the model we’ve created for the HIPAA Risk Assessment Inventory, a unit of the HCC has:
• Technical Assets,
• Physical Sites, and
• Administrative Subunits.
• The HIPAA security regulation is divided into:
– Administrative Safeguards,
– Physical Safeguards, and
– Technical Safeguards.
• It is tempting to view these distinct groups of safeguards as things dealt with by:
– a dept. administrator (runs an Admin Subunit).
– a site manager (runs a Physical Site).
– a system administrator (runs a Technical Asset).
• It almost works...
The way the regulation is written:
• there are quite a number of Administrative and Physical Safeguards that apply to individual technical assets.
• there are a few Technical Safeguards that apply to physical sites.
The Unit of the HCC
Examples:
• Medical School
• School of Nursing
• Hygiene Lab
Technical Assets
• A computer system
• A network device
• A workstation
• A peripheral
• A portable device (any type)
• An application
Safeguards that Apply to Individual Technical Assets
• All Technical Safeguards, in most cases.
• All Physical Safeguards, in many cases.
• Most Administrative Safeguards, except those under:
– Security Management Process, and
– Assigned Security Responsibility.
These represent broad administrative or human resource activities, which are not specific to an individual technical asset.
A Technical Asset is
• Owned and operated by one or more Administrative Subunits
– Some assets are shared by multiple subunits, so there may be overlap of sysadmins and users.
• Located at one or more Physical Sites
– Some assets, such as networks and applications, are distributed among multiple physical sites.
Administrative Subunits
• Separate Administrative Staff,
• Separate Human Resources Staff,
• Separate Information Technology Staff,
• Any combination of the above, or
• None of the above!
Key thought: Has a significant degree of operational autonomy.
Safeguards that Apply to Each Administrative Subunit
• No Technical Safeguards,
• No Physical Safeguards,
• All Administrative Safeguards (as one might expect.)
Physical Sites
• A building complex,
• A single building,
• A wing or a floor,
• Rooms scattered about a building or complex, or
• An isolated room with unique security needs.
Key thoughts: Physical sites are typically isolated from each other, and have differing security issues.
Safeguards that Apply to Physical Sites
• A few Technical Safeguards, related to:
– Emergency Access (can we get in?)
– Auditing (who has been there?)
– Authentication (are they who we think they are?)
• All Physical Safeguards (as one might expect)
• No Administrative Safeguards (but please don’t forget physical access and security when writing the administrative policies and procedures!)
Process (Workbook handout, page 3: ‘Process’ sheet)
Step 1: Inventory
Make lists (don’t assess risks yet!)
This is where you start to fill in the four sheets of the Risk Assessment Inventory, numbered I. through IV.
Details of those four sheets are covered later in the presentation.
Step 2: Establish a Team
Suggestion: Have IT, HR, and Management representatives.
Step 3: Score Risks
Suggestion: Use a scale of A, B, C, D, & F where A (excellent) is low risk and F is high risk.
Where to concentrate
• Risk associated with all applicable safeguards should be assessed, but spend the most time and attention on the required safeguards.
• The 'HIPAA Security Regs' sheet in this workbook includes a possible grading scale for each required safeguard.
Descriptive Narrative
The narrative should explain “why”.
• Why those physical sites and those administrative subunits were selected.
• Why various technical assets were grouped together.
• Why particular scores were given for key assets, especially when the score was an “A”, “D” or “F”.
Comments in Cells
• To shorten the narrative, comments may be added to the cells of sheets II. through IV.
• When the inventory is printed, the comments will follow each sheet.
Step 4: Prioritize Risks
• Not all D's and F's are equally important.
• Take into account the cost of intervention and the business impact of loss of confidentiality, integrity, or availability of data.
• Add the results from the prioritization to the descriptive narrative.
Step 5: Deliver
• If you’re doing the risk assessment inventory for a subunit, deliver it to your Security Coordinator by October 1st.
• Security Coordinators should deliver the unit’s migration plan (and the accompanying risk assessment inventory) to the Security Officer by October 14th.
• These dates are subject to change. Take them seriously (we need to do this!), but stay tuned.
Instructions (Workbook handout, page 4: ‘Instructions’ sheet)
Organization of the Template
There are four sheets in the template:
I. HCC Unit
II. Tech Assets
III. Phys Site(s)
IV. Admin Subunit(s)
Fields on the Template Sheets
• The instructions primarily describe the fields for the sheet ‘II. Tech Assets’.
• The other sheets are simpler, and are covered as additional notes in the description of each field.
I. HCC Unit (Workbook handout, page 5: ‘I. HCC Unit’ sheet)
I. HCC Unit
The ‘I. HCC Unit’ sheet is simply a place to enter:
• the name of the Unit of the HCC,
• the name of each physical site,
• the name of each administrative subunit.
The names are carried forward onto sheets II. through IV.
If you discover that you have more sites and subunits than is provided for, please contact me and I will produce an expanded version for you.
II. Tech Assets (Workbook handout, page 6: ‘II. Tech Assets’ sheet)
II. Tech Assets
Layout of the sheet: Technical Assets run down the rows, HIPAA provisions run across the columns, and the Risk Scores go in the cells within.
It is OK to group technical assets together, for example: all office productivity workstations, all network switches, etc.
Refer back to the ‘Instructions’ sheet, where the fields are described in some detail.
Refer forward to the ‘HIPAA Security Reg’ sheet, where the regulation and some grading scales are summarized.
II. Tech Assets: Descriptive Information
• Technical Asset: name or other tag (whatever makes sense.)
• Asset Category: one of six values
• Location: room, building, also:
– physical site (if multiple exist.)
– administrative subunit (if multiple exist.)
• Description: make/model, Operating System, Major Subsystem(s), IP number... (whatever makes sense.)
II. Tech Assets: Descriptive Information (cont.)
• Stores or processes PHI? (Y/N)
• Other critical or sensitive data? (Y/N)
What about technical assets that have neither? They can still pose a risk to assets that do have PHI and other critical or sensitive data.
• Internal or external to firewall? (I/E) By default, a portable device is considered external to the firewall.
Required and Addressable Safeguards
• These are indicated with an (R) or (A).
• The required safeguards are ‘greyed out’ so they are easily visible on the sheet.
• While you need to score all safeguards, the ones to do first and to spend the most time on are the required safeguards.
Required Safeguards (R)
• These must be implemented (unless not applicable to the technical asset).
• The degree of implementation and the particular method of implementation are, for the most part, not specified in the regulation.
• That was deliberate, because circumstances vary and technology changes.
Addressable Safeguards (A)
Consider the extent to which the implementation specification applies.
• If it is not applicable, give it an ‘n/a’.
• If you are already doing what is “reasonable and appropriate” give it an ‘A’.
• Otherwise grade it according to the degree to which improvement is needed to meet the standard of “reasonable and appropriate”.
• Note that “reasonable and appropriate” implicitly includes all the elements of risk: threats, vulnerabilities and value.
What is Risk?
• We are scoring risk, not just the degree of compliance -- an important distinction.
• Risk = Threats * Vulnerabilities * Value
• If we are all exposed to roughly the same threats, and if all PHI has roughly the same value, then vulnerabilities is the most variable factor, and non-compliance with the regulation (i.e. best practices) is an excellent measure of vulnerability.
• However, threats and value do vary, so it is important to consider them when assessing risk.
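The scoring model above, and the Step 4 prioritization, worked through in code. This is an added example and is not part of the UW-Madison workbook or this presentation: it treats the A-F grades as a vulnerability factor, weights required (R) safeguards double, multiplies by threat and value factors, and then ranks assets by risk per unit of intervention cost. The grade weights, the double weighting, the threat/value/cost scales, the inventory and the sample grades are all constructed assumptions; only the safeguard names and their R/A flags come from the HIPAA Security Rule.

```python
"""Risk = Threats * Vulnerabilities * Value applied to an inventory of technical
assets graded A-F per safeguard.  Added example, not from the UW-Madison workbook;
weights, scales and inventory data are assumptions made for illustration."""
from dataclasses import dataclass, field

# Deck's letter grades: A (excellent) is low risk, F is high risk.
# The numeric weight per grade is an assumption, not part of the workbook.
GRADE_WEIGHT = {"A": 1.0, "B": 2.0, "C": 3.0, "D": 4.0, "F": 5.0}
# Deck's suggested colour coding: A green, B/C yellow, D/F red.
GRADE_COLOR = {"A": "green", "B": "yellow", "C": "yellow", "D": "red", "F": "red"}


@dataclass(frozen=True)
class Safeguard:
    name: str
    required: bool  # True for (R) required, False for (A) addressable


@dataclass
class Asset:
    name: str
    category: str                   # e.g. "server", "portable", "workstation"
    stores_phi: bool
    grades: dict = field(default_factory=dict)  # safeguard name -> "A".."F" or "n/a"
    threat: float = 1.0             # relative threat exposure (assumed scale, 1.0 = baseline)
    value: float = 1.0              # relative value of the data held (assumed scale)
    intervention_cost: float = 1.0  # relative cost of fixing the red findings (assumed)


def default_exposure(asset):
    """Internal/External to firewall; the deck's default is that portables are external."""
    return "E" if asset.category == "portable" else "I"


def vulnerability(asset, safeguards):
    """Vulnerability factor on the 1..5 grade scale: weighted mean grade over the
    safeguards actually scored ('n/a' is skipped).  Required safeguards count
    twice, reflecting the deck's advice to concentrate on them (weighting assumed)."""
    total = weight_sum = 0.0
    for sg in safeguards:
        grade = asset.grades.get(sg.name, "n/a")
        if grade == "n/a":
            continue
        w = 2.0 if sg.required else 1.0
        total += w * GRADE_WEIGHT[grade]
        weight_sum += w
    return total / weight_sum if weight_sum else 0.0


def risk_score(asset, safeguards):
    """Risk = Threats * Vulnerabilities * Value."""
    return asset.threat * vulnerability(asset, safeguards) * asset.value


def red_findings(asset):
    """Safeguards graded D or F on this asset (the deck's red cells)."""
    return sorted(n for n, g in asset.grades.items() if GRADE_COLOR.get(g) == "red")


def prioritize(assets, safeguards):
    """Step 4: rank assets by risk per unit of intervention cost, highest first.
    Not all D's and F's are equal: a cheap fix on a high-risk asset sorts to the top."""
    rows = []
    for a in assets:
        risk = risk_score(a, safeguards)
        rows.append({"asset": a.name, "exposure": default_exposure(a),
                     "risk": round(risk, 2),
                     "priority": round(risk / a.intervention_cost, 2),
                     "red": red_findings(a)})
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


def sample_inventory():
    """Constructed inventory for illustration (not real UW-Madison data).
    Safeguard names and R/A flags follow the HIPAA Security Rule."""
    safeguards = [Safeguard("Unique User Identification", required=True),
                  Safeguard("Audit Controls", required=True),
                  Safeguard("Workstation Security", required=True),
                  Safeguard("Automatic Logoff", required=False),
                  Safeguard("Encryption and Decryption", required=False)]
    assets = [
        Asset("EHR database server", "server", stores_phi=True,
              grades={"Unique User Identification": "B", "Audit Controls": "D",
                      "Automatic Logoff": "A"},
              threat=1.5, value=3.0, intervention_cost=2.0),
        Asset("Clinic laptop", "portable", stores_phi=True,
              grades={"Unique User Identification": "C", "Workstation Security": "D",
                      "Automatic Logoff": "D", "Encryption and Decryption": "F"},
              threat=2.0, value=2.0, intervention_cost=1.0),
        Asset("Front desk workstation", "workstation", stores_phi=False,
              grades={"Unique User Identification": "A", "Workstation Security": "C",
                      "Automatic Logoff": "B"},
              threat=1.0, value=1.0, intervention_cost=0.5),
    ]
    return safeguards, assets


if __name__ == "__main__":
    sgs, inv = sample_inventory()
    for row in prioritize(inv, sgs):
        print(f"{row['priority']:>6}  {row['asset']:<24} {row['exposure']}  "
              f"risk={row['risk']}  red={row['red']}")
```

Run as a script to print the ranked table. With the constructed data the laptop sorts ahead of the database server even though the server holds the more valuable data: the laptop is graded F on encryption and D on two more safeguards, its assumed threat exposure is higher (portable, outside the firewall), and its fix is cheaper. That is the distinction the slide draws between scoring compliance and scoring risk.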
Default Values
– Nearly all are ‘n/a’.
– They are based on Asset Category.
– The formula is present in each cell; simply overwrite it with the actual data.
– A default value is only provided where that value is appropriate most of the time.
– Feel free to over-ride the default.
– You can change default values at the bottom of the sheet (not visible on the printed copy).
Color Coding
The color coding is for convenience only:
– ‘A’ is Green
– ‘B’ and ‘C’ are Yellow
– ‘D’ and ‘F’ are Red
II. Tech Assets: What is being scored?
• For Administrative and Physical Safeguards, the risk is related to the degree to which the individual technical asset is included or accounted for in the policies and procedures of each Administrative or Physical Safeguard. Think: ‘inclusion in policies and procedures’.
• For Technical Safeguards, the risk is related to the degree to which each Technical Safeguard is directly implemented on each individual technical asset.
III. Phys Site(s) (Workbook handout, page 7: ‘III. Phys Site(s)’ sheet)
III. Phys Site(s)
• Physical Sites contain Technical Assets
– The Physical Site is a container: (walls, doors, cabinets, lockdowns, etc.)
– Physical security is about access to the container: (keys, codes, PINs, tokens, etc.)
• Descriptive Information:
– Simple.
III. Phys Site(s): What is being scored?
– For the Physical Safeguards, risk is mitigated primarily by the physical security of the site, and not the security of individual technical assets.
– For the Technical Safeguards, risk is mitigated by the policies and procedures related to the access, auditing, and authentication of persons who are physically entering or within the site.
– Workstation Use and Workstation Security are exceptions...
III. Phys Site(s): Workstation Use and Security
• Workstation Use includes a strong component of appropriate use of the workstation, as well as physical security.
• Workstation Security includes any physical measures to restrict access to authorized users. The need for such measures will vary with the degree of physical exposure of the workstation at the site. (For example: a workstation in a public area vs. one in a locked office.)
Some Administrative Safeguards Related to Physical Sites
Please include the physical security of your sites when you write policies and procedures under these five Administrative Safeguards:
– Access Authorization (who is allowed access).
– Access Establishment & Modification (implementing those authorizations, e.g. issuing and recovering keys, etc.)
– Incident Response & Reporting (of physical breaches).
– Testing and Revision Procedure (testing the physical security measures).
– Periodic Evaluation (keeping it up-to-date).
IV. Admin Subunit(s) (Handout, page 8: ‘IV. Admin Subunit(s)’ sheet)
IV. Admin Subunit(s): Descriptive Information
• An Administrative Subunit owns and operates Technical Assets.
• Descriptive Information: – Simple.
IV. Admin Subunit(s)What is being scored?
Administrative Safeguards are about:
• Various types of assessment and evaluation.
• Policies and procedures:
– Writing them,
– Implementing them,
– Testing and revising them.
• Contracting for services.
IV. Admin Subunit(s): What is being scored? (cont.)
• There is risk associated with not doing assessment and evaluation, and not having policies and procedures that are adequate, implemented, and up-to-date.
• Score the extent to which risk has been mitigated by the required safeguards, or the reasonable and appropriate level of activity within each addressable safeguard.
HIPAA Security Regulation (Handout, pages 9-12: ‘HIPAA Security Reg’ sheet)
• This is a summary of the regulation, with language taken for the most part directly from the regulation.
• The definitions from the regulation of required and addressable safeguards are included at the bottom of each section.
• A possible grading scale for each required safeguard is included in the rightmost column. That grading scale is NOT part of the regulation! It is just a suggestion, to give folks a starting point.
HIPAA Security Regulation (cont.)
• For addressable safeguards, the reasonable and appropriate tests apply. This makes it very difficult to suggest a consistent grading scale for such safeguards.
• To complete the risk assessment, you will need to understand the security regulation at least to the extent presented in this section of the template. It is as abbreviated as practical.
• You also need to review the UW-Madison policy relevant to the various Safeguards. See: http://www.wisc.edu/hipaa/privacymanual/
What does the regulation mean?
• A PDF and text copy of the final Security Regulation from the Federal Register can be found at: http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
• There are 49 PDF pages in the files. These correspond to “pages” in the Federal Register.
• The regulation text itself begins on “page” 8373.
• “Comments” on the proposed regulation and “responses” from the regulators start on page 8335.
• The “responses” answer many questions, but you do need to dig a little to find the relevant comments. Try searching for keywords.
Files
• The files are located at: http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
• Files are:
– The Excel workbook containing the template for the HIPAA Risk Assessment Inventory.
– This presentation.
– The FAQ for the Risk Assessment Inventory.
– The 5/30/2003 list of Unit Security Coordinators.
• There are also links and contacts on that page.
Questions?
• For questions about the interpretation of the security regulation or UW-Madison policy, please contact your Security Coordinator.
• Security Coordinators should contact the Security Officer.
For questions about the template or other files (not the interpretation of the regulation, please!), contact me at: [email protected] or 265-6587.