HIPAA Risk Assessment Inventory Presentation version

HIPAA
Risk Assessment Inventory
July 26th, 2003
Risk Assessment Subcommittee
of the HIPAA Security Committee
of the UW-Madison HIPAA Task Force
Copyright (c) 2003, University of Wisconsin Board of Regents
Why are We Doing This?
• The HIPAA security regulation requires risk
assessment.
• UW-Madison policy, developed by the HIPAA
Task Force, requires that each unit of the HCC do
a risk assessment inventory as part of the process
of submitting a migration plan to the HIPAA
Security Officer by October 14th, 2003.
Who Developed It?
• The UW-Madison HIPAA Task Force has a
Security Committee.
• The Security Committee appointed a risk
assessment subcommittee to develop guidance for
the units of the HCC.
• DoIT provided staff resources to assist that
subcommittee in building the spreadsheet and
related documents, such as this presentation.
Contents of the Packet
• The Presentation
• The Risk Assessment Inventory workbook
• FAQ for the RA Inventory
• List of HCC Unit Security Coordinators
Contents of the RA Inventory Workbook
(Workbook handout, page 1: ‘Contents’ sheet)
Workbook Contents
• Section A. Explanations
(four sheets, pages 1-4)
• Section B. The inventory itself that you
need to fill out (four sheets, pages 5-8)
• Section C. The HIPAA Security Regulation,
and suggested scales for grading required
safeguards (one sheet, pages 9-12)
Overview
(Workbook handout, page 2: ‘Overview’ sheet)
The Model
In the model we’ve created for the
HIPAA Risk Assessment Inventory,
a unit of the HCC has:
• Technical Assets,
• Physical Sites, and
• Administrative Subunits.
• The HIPAA security regulation is divided into:
– Administrative Safeguards,
– Physical Safeguards, and
– Technical Safeguards.
• It is tempting to view these distinct groups of
safeguards as things dealt with by:
– a dept. administrator (runs an Admin Subunit).
– a site manager (runs a Physical Site).
– a system administrator (runs a Technical Asset).
• It almost works...
The way the regulation is written:
• there are quite a number of Administrative and
Physical Safeguards that apply to individual
technical assets.
• there are a few Technical Safeguards that apply to
physical sites.
Diagram of the Model
The Unit of the HCC
Examples:
• Medical School
• School of Nursing
• Hygiene Lab
Technical Assets
• A computer system
• A network device
• A workstation
• A peripheral
• A portable device (any type)
• An application
Safeguards that Apply to
Individual Technical Assets
• All Technical Safeguards, in most cases.
• All Physical Safeguards, in many cases.
• Most Administrative Safeguards,
except those under:
– Security Management Process, and
– Assigned Security Responsibility.
These represent broad administrative or human
resource activities, which are not specific to
an individual technical asset.
A Technical Asset is
• Owned and operated by one or more
Administrative Subunits
– Some assets are shared by multiple subunits, so
there may be overlap of sysadmins and users.
• Located at one or more
Physical Sites
– Some assets, such as networks and applications,
are distributed among multiple physical sites.
Administrative Subunits
• Separate Administrative Staff,
• Separate Human Resources Staff,
• Separate Information Technology Staff,
• Any combination of the above, or
• None of the above!
Key thought:
Has a significant degree of operational
autonomy.
Safeguards that Apply to Each
Administrative Subunit
• No Technical Safeguards,
• No Physical Safeguards,
• All Administrative Safeguards,
(as one might expect.)
Physical Sites
• A building complex,
• A single building,
• A wing or a floor
• Rooms scattered about a
building or complex, or
• An isolated room with
unique security needs.
Key thoughts:
Physical sites are typically isolated from each other, and
have differing security issues.
Safeguards that Apply to Physical
Sites
• A few Technical Safeguards, related to:
– Emergency Access (can we get in?),
– Auditing (who has been there?)
– Authentication (are they who we think they are?)
• All Physical Safeguards
(as one might expect)
• No Administrative Safeguards
(but please don’t forget physical access and security when
writing the administrative policies and procedures!)
Process
(Workbook handout, page 3: ‘Process’ sheet)
Step 1: Inventory
Make lists (don’t assess risks yet!)
This is where you start to fill in the four sheets
of the Risk Assessment Inventory,
numbered I. through IV.
Details of those four sheets are covered later in
the presentation.
Step 2: Establish a Team
Suggestion:
Have IT, HR, and Management representatives.
Step 3: Score Risks
Suggestion:
Use a scale of A, B, C, D, & F where
A (excellent) is low risk and
F is high risk.
Where to concentrate
• Risk associated with all applicable safeguards
should be assessed, but spend the most time and
attention on the required safeguards.
• The ‘HIPAA Security Reg’ sheet in this workbook
includes a possible grading scale for each required
safeguard.
Descriptive Narrative
The narrative should explain “why”.
• Why those physical sites and those
administrative subunits were selected.
• Why various technical assets were grouped
together.
• Why particular scores were given for key assets,
especially when the score was an “A”, “D” or “F”.
Comments in Cells
• To shorten the narrative, comments may be added
to the cells of sheets II. through IV.
• When the inventory is printed, the comments will
follow each sheet.
Step 4: Prioritize Risks
• Not all D's and F's are equally important.
• Take into account the cost of intervention and the
business impact of loss of confidentiality, integrity,
or availability of data.
• Add the results from the prioritization to the
descriptive narrative.
Step 5: Deliver
• If you’re doing the risk assessment inventory for a
subunit, deliver it to your Security Coordinator by
October 1st.
• Security Coordinators should deliver the unit’s
migration plan (and the accompanying risk
assessment inventory) to the Security Officer
by October 14th.
• These dates are subject to change. Take them
seriously (we need to do this!), but stay tuned.
Instructions
(Workbook handout, page 4: ‘Instructions’ sheet)
Organization of the Template
There are four sheets in the template:
I. HCC Unit
II. Tech Assets
III. Phys Site(s)
IV. Admin Subunit(s)
Fields on the Template Sheets
• The instructions primarily describe the fields for
the sheet ‘II. Tech Assets’.
• The other sheets are simpler, and are covered as
additional notes in the description of each field.
I. HCC Unit
(Workbook handout, page 5: ‘I. HCC Unit’ sheet)
I. HCC Unit
The ‘I. HCC Unit’ sheet is simply a place to enter:
• the name of the Unit of the HCC,
• the name of each physical site,
• the name of each administrative subunit.
The names are carried forward
onto sheets II. through IV.
If you discover that you have more sites and subunits than is
provided for, please contact me and I will produce an
expanded version for you.
II. Tech Assets
(Workbook handout, page 6: ‘II. Tech Assets’ sheet)
II. Tech Assets
Sheet layout: HIPAA provisions across, Technical Assets down, Risk Scores within.
It is OK to group technical assets together, for example: all office
productivity workstations, all network switches, etc.
Refer back to the ‘Instructions’ sheet, where the fields are described
in some detail.
Refer forward to the ‘HIPAA Security Reg’ sheet, where the
regulation and some grading scales are summarized.
II. Tech Assets
Descriptive Information
• Technical Asset: name or other tag
(whatever makes sense.)
• Asset Category: one of six values
• Location: room, building, also:
– physical site (if multiple exist.)
– administrative subunit (if multiple exist.)
• Description: make/model, Operating System,
Major Subsystem(s), IP number...
(whatever makes sense.)
II. Tech Assets
Descriptive Information (cont.)
• Stores or processes PHI? (Y/N)
• Other critical or sensitive data? (Y/N)
What about technical assets that have neither?
They can still pose a risk to assets that do have PHI and
other critical or sensitive data.
• Internal or external to firewall? (I/E)
By default, a portable device is considered
external to the firewall.
Required and Addressable
Safeguards
• These are indicated with an (R) or (A).
• The required safeguards are ‘greyed out’ so they are
easily visible on the sheet.
• While you need to score all safeguards, the ones to
do first and to spend the most time on are the
required safeguards.
Required Safeguards (R)
• These must be implemented (unless not
applicable to the technical asset).
• The degree of implementation and the particular
method of implementation are, for the most part,
not specified in the regulation.
• That was deliberate, because circumstances vary
and technology changes.
Addressable Safeguards (A)
Consider the extent to which the
implementation specification applies.
• If it is not applicable, give it an ‘n/a’.
• If you are already doing what is “reasonable and
appropriate” give it an ‘A’.
• Otherwise grade it according to the degree to which
improvement is needed to meet the standard of “reasonable
and appropriate”.
• Note that “reasonable and appropriate” implicitly includes
all the elements of risk: threats, vulnerabilities and value.
What is Risk?
• We are scoring risk, not just the degree of
compliance -- an important distinction.
• Risk = Threats * Vulnerabilities * Value
• If we are all exposed to roughly the same threats,
and if all PHI has roughly the same value, then
vulnerabilities are the most variable factor, and
noncompliance with the regulation (i.e. best practices)
is an excellent measure of vulnerability.
• However, threats and value do vary, so it is
important to consider them when assessing risk.
Default Values
– Nearly all are ‘n/a’.
– They are based on Asset Category.
– The formula is present in each cell, simply overwrite it
with the actual data.
– A default value is only provided where the value is
appropriate most of the time.
– Feel free to override the default.
– You can change default values at the bottom of the
sheet (not visible on the printed copy).
Color Coding
The color coding is for convenience only:
– ‘A’ is Green
– ‘B’ and ‘C’ are Yellow
– ‘D’ and ‘F’ are Red
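The following is an added example, not code from the UW-Madison workbook or this presentation. It puts the scoring rules from the ‘What is Risk?’, ‘Addressable Safeguards (A)’, ‘Color Coding’ and ‘Step 4: Prioritize Risks’ slides into one small model so a team can see how the pieces fit before filling in sheet II. The 1-5 scale for each risk factor, the cut points that map the product onto A through F, the 1-4 ‘improvement needed’ scale, the ordering rule in prioritize(), and the sample inventory rows are all constructed assumptions; the workbook itself does not prescribe them.

```python
"""Scoring model for the HIPAA Risk Assessment Inventory slides.

Added example, not code from the UW-Madison workbook or this presentation.
Constructed assumptions: the 1-5 scale for each risk factor, the cut points
that map the product onto A-F, the 1-4 'improvement needed' scale, the
ordering rule in prioritize(), and the sample inventory rows.
"""
from dataclasses import dataclass

# 'Step 3: Score Risks': A (excellent) is low risk, F is high risk.
GRADES = ("A", "B", "C", "D", "F")

# 'Color Coding' slide: A green, B and C yellow, D and F red; n/a uncoloured.
COLOR = {"A": "green", "B": "yellow", "C": "yellow", "D": "red", "F": "red"}


def risk_grade(threat: int, vulnerability: int, value: int) -> str:
    """Risk = Threats * Vulnerabilities * Value, mapped onto A (low) .. F (high).

    Each factor uses a constructed 1-5 scale, so the product runs 1..125.
    The cut points are an assumption for this example, not workbook values.
    """
    for factor in (threat, vulnerability, value):
        if not 1 <= factor <= 5:
            raise ValueError("each risk factor must be in 1..5")
    risk = threat * vulnerability * value
    if risk <= 8:
        return "A"
    if risk <= 27:
        return "B"
    if risk <= 48:
        return "C"
    if risk <= 80:
        return "D"
    return "F"


def addressable_grade(applicable: bool, reasonable_and_appropriate: bool,
                      improvement_needed: int = 0) -> str:
    """Rule from the 'Addressable Safeguards (A)' slide.

    Not applicable -> 'n/a'; already reasonable and appropriate -> 'A';
    otherwise graded by how much improvement is needed. The 1-4 scale
    (1 = minor gap .. 4 = nothing in place) is a constructed assumption.
    """
    if not applicable:
        return "n/a"
    if reasonable_and_appropriate:
        return "A"
    if not 1 <= improvement_needed <= 4:
        raise ValueError("improvement_needed must be 1..4 when a gap exists")
    return GRADES[improvement_needed]  # 1 -> B, 2 -> C, 3 -> D, 4 -> F


def color_of(grade: str) -> str:
    """Cell colour for a grade; 'n/a' and unknown grades stay uncoloured."""
    return COLOR.get(grade, "none")


@dataclass(frozen=True)
class Finding:
    """One scored cell of the 'II. Tech Assets' sheet plus the Step 4 inputs."""
    asset: str
    safeguard: str
    required: bool          # (R) or (A) on the sheet
    grade: str
    business_impact: int    # constructed 1-5: impact of losing C/I/A of the data
    intervention_cost: int  # constructed 1-5: 1 cheap fix .. 5 expensive fix


def prioritize(findings):
    """Step 4: not all D's and F's are equally important.

    Keeps only D and F cells and orders them: required safeguards first,
    then higher business impact, then the worse grade, then the cheaper
    intervention. This ordering rule is our reading of the slide text.
    """
    flagged = [f for f in findings if f.grade in ("D", "F")]
    return sorted(flagged, key=lambda f: (not f.required,
                                          -f.business_impact,
                                          -GRADES.index(f.grade),
                                          f.intervention_cost))


# Constructed sample rows: asset names are invented; safeguard names are
# Security Rule standards/specifications used only as labels.
SAMPLE_FINDINGS = [
    Finding("EHR-DB-01", "Audit Controls", True,
            risk_grade(threat=4, vulnerability=4, value=5), 5, 3),
    Finding("EHR-DB-01", "Encryption and Decryption", False,
            addressable_grade(True, False, improvement_needed=3), 5, 4),
    Finding("FrontDesk-WS", "Workstation Security", True,
            risk_grade(3, 4, 3), 3, 1),
    Finding("Print-Server", "Encryption and Decryption", False,
            addressable_grade(applicable=False, reasonable_and_appropriate=False), 1, 1),
    Finding("Laptop-Pool", "Device and Media Controls", True,
            risk_grade(5, 5, 4), 4, 2),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.asset:14} {f.safeguard:28} {f.grade:4} {color_of(f.grade)}")
    print("Step 4 priority order:")
    for rank, f in enumerate(prioritize(SAMPLE_FINDINGS), 1):
        print(f"  {rank}. {f.asset} / {f.safeguard} ({f.grade})")
```

Run it as a script to see the five sample cells with their colours, followed by the Step 4 list: the required Audit Controls gap on the high-impact database ranks above the laptop pool's F, and the addressable encryption gap comes last, which is the point of the slide that a D on a required safeguard protecting valuable PHI can matter more than an F elsewhere.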
II. Tech Assets:
What is being scored?
• For Administrative and Physical Safeguards, the risk
is related to the degree to which the individual
technical asset is included or accounted for in the
policies and procedures of each Administrative or
Physical Safeguard. Think: ‘inclusion in policies and
procedures’.
• For Technical Safeguards, the risk is related to the
degree to which each Technical Safeguard is directly
implemented on each individual technical asset.
III. Phys Site(s)
(Workbook handout, page 7: ‘III. Phys Site(s)’ sheet)
III. Phys Site(s)
• Physical Sites contain Technical Assets
– The Physical Site is a container (walls, doors,
cabinets, lockdowns, etc.).
– Physical security is about access to the
container (keys, codes, PINs, tokens, etc.).
• Descriptive Information:
– Simple.
III. Phys Site(s):
What is being scored?
– For the Physical Safeguards, risk is mitigated
primarily by the physical security of the site, and
not the security of individual technical assets.
– For the Technical Safeguards, risk is mitigated by
the policies and procedures related to the access,
auditing, and authentication of persons who are
physically entering or within the site.
– Workstation Use and Workstation Security are
exceptions...
III. Phys Site(s)
Workstation Use and Security
• Workstation Use includes a strong component of
appropriate use of the workstation, as well as
physical security.
• Workstation Security includes any physical
measures to restrict access to authorized users. The
need for such measures will vary with the degree of
physical exposure of the workstation at the site. (For
example: a workstation in a public area vs. one in a
locked office.)
Some Administrative Safeguards
Related to Physical Sites
Please include the physical security of your sites
when you write policies and procedures under
these five Administrative Safeguards:
– Access Authorization (who is allowed access).
– Access Establishment & Modification (implementing those authorizations,
e.g. issuing and recovering keys, etc.)
– Incident Response & Reporting (of physical breaches).
– Testing and Revision Procedure (testing the physical security measures).
– Periodic Evaluation (keeping it up-to-date).
IV. Admin Subunit(s)
(Handout, page 8: ‘IV. Admin Subunit(s)’ sheet)
IV. Admin Subunit(s)
Descriptive Information
• An Administrative Subunit owns and
operates Technical Assets.
• Descriptive Information:
– Simple.
IV. Admin Subunit(s)
What is being scored?
Administrative Safeguards are about:
• Various types of assessment and evaluation.
• Policies and procedures:
– Writing them,
– Implementing them,
– Testing and revising them.
• Contracting for services.
IV. Admin Subunit(s):
What is being scored?
• There is risk associated with not doing assessment
and evaluation, and not having policies and
procedures that are adequate, implemented, and
up-to-date.
• Score the extent to which risk has been mitigated
by the required safeguards, or the reasonable and
appropriate level of activity within each
addressable safeguard.
HIPAA Security Regulation
(Handout, pages 9-12: ‘HIPAA Security Reg’ sheet)
• This is a summary of the regulation, with language
taken for the most part directly from the regulation.
• The definitions from the regulation of required and
addressable safeguards are included at the bottom of
each section.
• A possible grading scale for each required safeguard
is included in the rightmost column. That grading
scale is NOT part of the regulation! It is just a
suggestion, to give folks a starting point.
HIPAA Security Regulation...
• For addressable safeguards, the reasonable and
appropriate tests apply. This makes it very difficult
to suggest a consistent grading scale for such
safeguards.
• To complete the risk assessment, you will need to
understand the security regulation at least to the
extent presented in this section of the template. It
is as abbreviated as practical.
• You also need to review the UW-Madison policy
relevant to the various Safeguards. See:
http://www.wisc.edu/hipaa/privacymanual/
What does the regulation mean?
• A PDF and text copy of the final Security Regulation
from the Federal Register can be found at:
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
• There are 49 PDF pages in the files. These
correspond to “pages” in the Federal Register.
• The regulation text itself begins on “page” 8373.
• “Comments” on the proposed regulation and
“responses” from the regulators start on page 8335.
• The “responses” answer many questions, but you do
need to dig a little to find the relevant comments. Try
searching for keywords.
Files
• The files are located at:
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
• Files are:
– The Excel workbook containing the template for the
HIPAA Risk Assessment Inventory.
– This presentation.
– The FAQ for the Risk Assessment Inventory.
– The 5/30/2003 list of Unit Security Coordinators
• There are also links and contacts on that page.
Questions?
• For questions about the interpretation of the
security regulation or UW-Madison policy,
please contact your Security Coordinator.
• Security Coordinators should contact the
Security Officer.
For questions about the template or other files,
(not the interpretation of the regulation please!),
contact me at: [email protected] or 265-6587.
Thanks!