
HIPAA Security Risk Assessment Guidelines v1.0 April 28, 200

Page 1

Information Security Risk Assessment Guidelines


Introduction and Overview
Information security risk assessment is an on-going process of discovering, correcting and preventing security problems. The risk assessment is an integral part of a risk management process designed to provide appropriate levels of security for information systems. Information security risk assessments are part of sound security practices and are required by the Commonwealth Enterprise Information Security Policy. Risk assessments and related documentation are also an integral part of compliance with HIPAA security standards (see below). The risk assessment will help each agency determine the acceptable level of risk and the resulting security requirements for each system. The agency must then devise, implement and monitor a set of security measures to address the level of identified risk. For a new system the risk assessment is typically conducted at the beginning of the System Development Life Cycle (SDLC). For an existing system, risk assessments may be conducted on a regular basis throughout the SDLC and/or on an ad-hoc basis in response to specific events such as when major modifications are made to the system's environment or in response to a security incident or audit. This risk assessment methodology is based on the CMS Information Security RA Methodology, developed by the federal Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS), which is available at www.cms.hhs.gov/it/security/docs/RA_meth.pdf. It is presented in three phases:

- System Documentation Phase
- Risk Determination Phase
- Safeguard Determination Phase


The risk assessment report:

- Summarizes the system architecture and components, and its overall level of security;
- Includes a list of threats and vulnerabilities, the system's current security controls, and its risk levels;
- Recommends safeguards, and describes the expected level of risk that would remain if these safeguards were put in place;
- Shows where an organization needs to concentrate its remedial work;
- Can be used as input to the agency's business continuity plan;
- Presents these findings to management.

Note on HIPAA Security


Commonwealth agencies defined as Covered Entities (CE's), and those who are Business Associates of CE's, must comply with the HIPAA security rule, 45 CFR parts 160, 162 and 164. The HIPAA security framework calls for due diligence based on good business practices, for systems handling electronic protected health information (EPHI). Creating an Information Risk Assessment Report satisfies the Rule's requirements to analyze risks, formulate appropriate safeguards, and document the risk management decision-making process (45 CFR part 164.308(a)(1)(ii)(A)(B)), and informs the agency's actions in complying with other parts of the rule.


Team Members
A sample representative risk assessment team may include the functions listed below. Each team member may perform more than one function. HIPAA-affected agencies should secure the involvement of their HIPAA security officer. Some functions overlap where team members review each other's work. See Appendix C for more detail on these roles.

- Risk assessment manager
- System or network administrator
- Technical reviewer
- System business owner
- System technical owner
- Executive sponsor
- Information security officer

The Risk Assessment Report


A Risk Assessment (RA) Report applies to a selected information system. An information system is a group of computing and network components that share a business function, under common ownership and management. The Report will include:

- A documented system inventory, listing all system components and establishing the system boundary for the purposes of the Report;
- Documentation of the system's policies and procedures, and details of its operation;
- List of threat / vulnerability pairs, with severity of impact and likelihood of occurrence;
- List of safeguards for controlling these threats and vulnerabilities;
- List of recommended changes, with approximate levels of effort for each;
- For each recommended change, the resulting reduction in risk;
- The level of residual risk that would remain after the recommended changes are implemented.

The Report will reflect the security policies and objectives of the agency's information technology management. It will be presented in a face-to-face meeting with the system business and technical owners, the risk assessment manager, and other project team members. A Risk Assessment Report is not intended to create or include the following; however, it should be used as input for:

- A system security plan, new security architecture, audit report, or system accreditation;
- System security policies, or assignment of staff responsibility for system security;
- Detailed dataflows;
- Exact dollar cost estimates or justifications;
- Assignment or acceptance of legal responsibility for the security of the system;
- In-depth analysis or resolution of specific security incidents or violations;
- Contract review.

Appendix D provides a template for the documentation of the Risk Assessment report.


Tasks
This chart shows the sequence of high-level tasks. The complete list of tasks and durations will be created, estimated and scheduled by the team.

[Task chart: Gantt bars for Mar 2003 not reproduced; the task sequence it shows is listed below.]

Risk Assessment Project
1 System Documentation Phase
  1.0 Set boundary for selected system
  1.1 Record system identification information
  1.2 Document system purpose and description
  1.3 Document the system security level
2 System Risk Determination Phase
  2.1 Identify threats and vulnerabilities
  2.2 Describe risks
  2.3 Identify existing controls
  2.4 Determine likelihood of occurrence
  2.5 Determine severity of impact
  2.6 Determine risk levels
3 Safeguard Determination Phase
  3.1 Recommend controls and safeguards
  3.2 Determine residual likelihood of occurrence
  3.3 Determine residual severity of impact
  3.4 Determine residual risk level
Report presentation, archiving and sign-off

System Documentation Phase


- Document system identification;
- Document system purpose and description;
- Document the system security level.

The team must make a decision about where to draw the boundaries of the system to be assessed.

Risk Determination Phase


- Identify threats;
- Identify vulnerabilities;
- Describe risks;
- Identify existing controls;
- Determine likelihood of occurrence;
- Determine severity of impact;
- Determine risk level.

The team must decide whether to include only controls that are currently implemented, or to include controls that are budgeted and scheduled for implementation.

Safeguard Determination Phase


- Recommend controls and safeguards;
- Determine residual (remaining) likelihood of occurrence if controls and safeguards are implemented;
- Determine residual severity of impact if candidate controls and safeguards are implemented;
- Determine residual risk levels.

Risk Assessment Process


1.0 System Documentation Phase

The System Documentation Phase provides a description of the system and the data it handles, as computing assets used to fulfill the organization's business mission. This phase establishes a framework for subsequent risk assessment phases. The system owner provides the system identification, including the system description, business function and assets. For new systems, these are defined when the system is first conceived and developed during the SDLC's design and implementation phases (see Appendix B).

Phase 1:
  Set the boundaries for the set of components that constitute the information system. An information system is a group of computing and supporting components that share a business function, under common ownership and management.
Key Team Member(s):
  System administrator, Technical reviewer, System technical owner
Output:
  High-level documentation and network diagram showing the system and adjacent systems, with a line showing the cut-off for the scope of this risk assessment.

1.1 System Identification


List the system name, other related information, and the responsible organization. See the System Identification table in Appendix D.

Task 1.1:
  Complete and verify system identification and responsible contacts.
Key Team Member(s):
  System administrator, Technical reviewer, System technical owner, Risk assessment manager
Output:
  Complete 1-1 System Identification table in Appendix D.

1.2 System Purpose and Description


To identify the assets covered by the RA, provide a brief description of the function and purpose of the system and the organizational business processes it supports, including functions and processing of data.

Technical Description and Environmental Factors

- General description of function and purpose of the system
- General functional requirements
- Business processes supported
- Applications supported, services running
- General information flow
- Network diagram with system boundaries
- Description of physical components
- Physical component asset and tag numbers
- Physical location, environmental controls in place
- Environmental factors that give rise to security concerns
- Technical and business users, list of system user accounts
- System ownership: shared or dedicated

System Connections and Information Sharing

- Connected components
- LAN and WAN connections and topology, firewall configurations
- Software dependencies
- Interfaces

Task 1.2:
  Document the system's business function, components, environment, connections.
Key Team Member(s):
  System administrator, Technical reviewer, System technical owner, System business owner, Information security officer
Output:
  Complete 1-2 System Purpose and Description table in Appendix D.


1.3 System Security Level

Describe and document the information handled by the system, and identify the overall system security level. The classification levels and the categories assigned to different types of information should correspond to the agency's information classification designations. Information security levels and designations should be part of the agency's information security policy. Appendix A, Information Security Levels, provides examples of security levels and how they can be assigned to different categories of information. For this step, the team will document the sensitivity of the information handled by the system, then classify the resulting level of security requirements for the system itself. This element includes a general description of the information, the information's sensitivity, and system criticality. It includes requirements for confidentiality, integrity, availability, auditability and accountability as dictated by the agency's information security policy.

Task 1.3:
  Document the criticality and sensitivity of the information the system handles, with brief references to the agency's information security policy, and the overall system security requirements.
Key Team Member(s):
  Technical reviewer, System business owner, System technical owner
Output:
  Complete 1-3 Information Security Levels and Overall System Security Level table in Appendix D.

2.0 Risk Determination Phase

The goal of the Risk Determination Phase is to calculate the level of risk for each threat / vulnerability pair based on the likelihood of a threat exploiting a vulnerability, and the severity of impact that the exploited vulnerability would have on the system, its data and its business function. Consider the impact in terms of loss of confidentiality, integrity or availability of the data classified in Task 1.3. Information will be collected in the form of questionnaires, interviews, documentation review, and automated scanning tools. The Risk Determination Phase is comprised of six steps:

1. Identify potential dangers to information and system (threats).
2. Identify the system weaknesses that could be exploited (vulnerabilities) and associate them with threats to generate the threat / vulnerability pairs.
3. Identify existing controls to reduce the risk of the threat exploiting the vulnerability.
4. Determine the likelihood of occurrence for a threat exploiting a related vulnerability given the existing controls.
5. Determine the severity of impact on the system by an exploited vulnerability.
6. Determine the risk level for a threat / vulnerability pair given the existing controls.

This six-step process for Risk Determination is conducted for each identified threat / vulnerability pair. Use the Risk Determination Table in Appendix D to document the analysis performed in this phase.


2.1 Identify Threats and Vulnerabilities

First, identify threats that could exploit system vulnerabilities. Refer to the CMS Threat Identification Resource (www.cms.hhs.gov/it/security/docs/Threat_ID_resource.pdf) for possible environmental, physical, human, natural, and technical threats. Using the output of task 1.2, consider the system's connections, dependencies with other systems, inherited risks and controls, risks from software faults and staff errors and malicious intent, and such factors as proximity to the Internet, incorrect file permissions, risks from maintenance procedures and personnel changes. Next, consider the potential vulnerabilities associated with each threat, to produce a pair. A vulnerability can be associated with one or more threats. Collect input from previous risk assessments, audits, system deficiency reports, security advisories, scanning tools, security test results, system development testing, industry and government listings, such as sans.org, securityfocus.com, vendor advisories, and the NIST vulnerability database at icat.nist.gov.

Task 2.1:
  Descriptions of threat / vulnerability pairs.
Key Team Member(s):
  System administrator, Technical reviewer, System technical owner
Output:
  Complete the "Item No.", "Threat Name" and "Vulnerability Name" columns in 2-0 Risk Determination table in Appendix D.

2.2 Describe Risks

Describe how each vulnerability creates a risk to the system in terms of confidentiality, integrity, availability, auditability or accountability elements that may result in a compromise of the system.

Task 2.2:
  Describe risks in relation to threat / vulnerability pairs.
Key Team Member(s):
  System administrator, Technical reviewer, System technical owner
Output:
  Complete the "Risk Description" column of the 2-0 Risk Determination table in Appendix D.

2.3 Identify Existing Controls

Identify existing controls that reduce the likelihood or probability of a threat exploiting a system vulnerability, and/or reduce the magnitude of impact of the exploited vulnerability on the system. Existing controls may be management, operational or technical controls depending on the threat / vulnerability and the risk to the system.

Task 2.3:
  Description of system controls, cross-referenced with threat / vulnerability pairs.
Key Team Member(s):
  System administrator, Technical reviewer, System technical owner
Output:
  Complete the "Existing Controls" column of 2-0 Risk Determination table in Appendix D.

2.4 Determine Likelihood of Occurrence

Estimate the likelihood that a threat will exploit a vulnerability. Likelihood of occurrence is based on a number of factors that include system architecture, system environment, information system access and existing controls; the presence, motivation, tenacity, strength and nature of the threat; the presence of vulnerabilities; and the effectiveness of existing controls. Refer to this table when estimating the likelihood that the threat will be realized and exploit the vulnerability on the system.

Likelihood of Occurrence Levels

Likelihood    Description
Negligible    Unlikely ever to occur
Very Low      Likely to occur two/three times every five years
Low           Likely to occur once every year or less
Medium        Likely to occur once every six months or less
High          Likely to occur once per month or less
Very High     Likely to occur multiple times per month
Extreme       Likely to occur multiple times per day

Task 2.4:
  Threat / vulnerability pairs with likelihood of successful exploitation.
Key Team Member(s):
  System administrator, Technical reviewer, System technical owner
Output:
  Categorize threat / vulnerability pairs by likelihood of occurrence; complete the "Likelihood of Occurrence" column of 2-0 Risk Determination table in Appendix D.

2.5 Determine Severity of Impact

Determine the magnitude or severity of impact on the system's operational capabilities and the information it handles, if the threat is realized and exploits the associated vulnerability. Determine the severity of impact for each threat / vulnerability pair by evaluating the potential loss in each security category (confidentiality, integrity, availability, auditability, accountability) based on the system's information security level as explained in Appendix A.

Impact Severity Levels

Severity       Description
Insignificant  Little or no impact
Minor          Minimal effort to repair, restore or reconfigure
Significant    Small but tangible harm, maybe noticeable by a limited audience, some embarrassment, some effort to repair
Damaging       Damage to reputation, loss of confidence, significant effort to repair
Serious        Considerable system outage, loss of connected customers, business confidence, compromise of large amount of information
Critical       Extended outage, permanent loss of resource, triggering business continuity procedures, complete compromise of information

Task 2.5:
  Threat / vulnerability pairs with severity of successful exploitation.
Key Team Member(s):
  System administrator, Technical reviewer, System technical owner, System business owner
Output:
  Categorize threat / vulnerability pairs by severity or magnitude of impact, and complete the "Impact Severity" column of 2-0 Risk Determination table in Appendix D.

2.6 Determine Risk Levels

Risk level is the likelihood of occurrence multiplied by the severity of impact. The final value is subject to the system business and technical owners' discretion.

Risk determination: for each threat / vulnerability pair, assess the following:
- Likelihood of the threat attempting to exercise the vulnerability;
- Magnitude of impact if the threat / vulnerability exploit is successful;
- Adequacy of planned or existing security controls for reducing or eliminating risk;
  Note: The project team must decide whether to use only currently implemented controls for this analysis, or to include controls that are budgeted and scheduled for installation, and document that decision in the Report.
- Resulting risk to the information on the system from the threat and vulnerability.

This table shows the resulting risk level, for each degree of likelihood and each level of severity.

Risk Levels

Likelihood of   Impact Severity
Occurrence      Insignificant  Minor      Significant  Damaging   Serious    Critical
Negligible      Low            Low        Low          Low        Low        Low
Very Low        Low            Low        Low          Low        Low        Low
Low             Low            Low        Low          Moderate   Moderate   Moderate
Medium          Low            Moderate   Moderate     High       High       High
High            Low            Moderate   High         High       High       High
Very High       Moderate       High       High         High       High       High
Extreme         Moderate       High       High         High       High       High

Task 2.6:
  Threat / vulnerability pairs with assigned risk levels.
Key Team Member(s):
  System administrator, Technical reviewer, System technical owner, System business owner
Output:
  Combine the likelihood of occurrence with magnitude of impact to derive the risk level for each threat / vulnerability pair. Consider the risks to the information on the system, and complete the "Risk Level" column of 2-0 Risk Determination table in Appendix D.

3.0 Safeguard Determination Phase

The safeguard determination phase involves identification of additional controls, safeguards or corrective actions to minimize the threat exposure and vulnerability to exploitation for each threat / vulnerability pair with a moderate or high risk level. The residual risk level is the amount of risk that would remain if the recommended control or safeguard were implemented. Safeguard determination steps:

1. Identify controls and safeguards to reduce the risk level of each risk-threat pair, if the risk level is moderate or high.
2. Determine the residual likelihood of occurrence of the threat if the recommended safeguard is implemented.
3. Determine the residual impact severity of the exploited vulnerability once the recommended safeguard is implemented.
4. Determine the residual risk level for the system.

Consider safeguards related to testing and maintenance, improved audit capability, and restricting physical access.

3.1 Recommend Controls and Safeguards

Identify controls and safeguards to reduce the risk presented by each threat / vulnerability pair with a moderate or high risk level as identified in the Risk Determination Phase. When identifying a control or safeguard, consider:

1. Security area where it belongs, such as management, operational, technical.
2. Method it employs to reduce the opportunity for the threat to exploit the vulnerability.
3. Its effectiveness in mitigating the risk to information.
4. Policy and architectural parameters required for its implementation in the environment.
5. Information security category (confidentiality, integrity, availability, access control, audit, etc.) to which the safeguard applies.
6. Whether the cost of the safeguard is commensurate with its reduction in risk.

If more than one safeguard is identified for the same threat / vulnerability pair, list them in this column in separate rows and continue with the analysis steps. The residual risk level must be evaluated during this phase of the assessment and may be further evaluated in risk management activities outside the scope of this project. If the recommended safeguard cannot be completely implemented in the environment due to cost, management, operational or technical constraints, document the circumstances and continue with the analysis.

Consider control elements implemented as policies and procedures, training, and improved policy enforcement.

Task 3.1:
  Create a list of current, planned or available safeguards and controls suitable for protecting the information.
Key Team Member(s):
  System administrator, System technical owner, Technical reviewer
Output:
  List of safeguards and controls, with implementation considerations. Complete the "Recommended Safeguard" column in 3-0 Safeguard Determination table in Appendix D.

3.2 Determine Residual Likelihood of Occurrence

Follow the directions in section 2.4 of the Risk Determination phase, while assuming the selected safeguard has been implemented.

Task 3.2:
  Categorize threat / vulnerability pairs by likelihood of occurrence, assuming the selected safeguard has been implemented.
Key Team Member(s):
  System administrator, Technical reviewer, System technical owner
Output:
  Complete the "Residual Likelihood of Occurrence" column of 3-0 Safeguard Determination table in Appendix D.

3.3 Determine Residual Severity of Impact

Follow the directions in section 2.5 of the Risk Determination phase while assuming the selected safeguard has been implemented.

Task 3.3:
  Categorize threat / vulnerability pairs by severity or magnitude of impact of a successful exploitation, assuming the selected safeguard has been implemented.
Key Team Member(s):
  System administrator, Technical reviewer, System technical owner, System business owner
Output:
  Complete the "Residual Impact Severity" column of 3-0 Safeguard Determination table in Appendix D.

3.4 Determine Residual Risk Levels

Determine the residual risk level for the threat / vulnerability pair and its associated risk once the recommended safeguard is implemented. The residual risk level is determined by examining the likelihood of occurrence of the threat exploiting the vulnerability and the impact severity factors in categories of Confidentiality, Integrity and Availability. Follow the directions in Section 2.6 of the Risk Determination phase to determine the residual risk level once the recommended safeguard is implemented.

Depending on the nature and circumstances of threats and vulnerabilities, a recommended safeguard may reduce the risk level to "Low." Make a note of the situation with a description below the table, if needed, if such special conditions exist. For new systems, the next steps would include creating a sensitivity assessment, system security requirements, risk assessment report, and system security plan in the SDLC.

Task 3.4:
  Repeat the derivation of the risk level for each threat / vulnerability pair from task 2.6, this time assuming the selected safeguard has been implemented.
Key Team Member(s):
  System administrator, Technical reviewer, System technical owner, System business owner
Output:
  Complete the "Residual Risk Level" column of 3-0 Safeguard Determination table in Appendix D.
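The derivation of tasks 2.6 and 3.1 to 3.4 worked through in code, as an added Python example that is not part of the guideline or the CMS methodology it cites: the Risk Levels matrix is encoded as a lookup, pairs are gated on a Moderate or High risk level before safeguards are recommended, and residual risk is re-derived once a safeguard is recorded. The threat / vulnerability rows, control descriptions and safeguard names are constructed for illustration.

```python
"""Risk Determination (2.6) and Safeguard Determination (3.0 to 3.4) in code.

Added example, not part of the guideline. The matrix is the section 2.6
table; the register rows and safeguards below are constructed samples.
"""
from dataclasses import dataclass, field
from typing import List, Optional

LIKELIHOODS = ["Negligible", "Very Low", "Low", "Medium",
               "High", "Very High", "Extreme"]
SEVERITIES = ["Insignificant", "Minor", "Significant",
              "Damaging", "Serious", "Critical"]

# Rows follow LIKELIHOODS, columns follow SEVERITIES (section 2.6 table).
RISK_MATRIX = [
    ["Low", "Low", "Low", "Low", "Low", "Low"],                 # Negligible
    ["Low", "Low", "Low", "Low", "Low", "Low"],                 # Very Low
    ["Low", "Low", "Low", "Moderate", "Moderate", "Moderate"],  # Low
    ["Low", "Moderate", "Moderate", "High", "High", "High"],    # Medium
    ["Low", "Moderate", "High", "High", "High", "High"],        # High
    ["Moderate", "High", "High", "High", "High", "High"],       # Very High
    ["Moderate", "High", "High", "High", "High", "High"],       # Extreme
]


def derive_risk_level(likelihood: str, severity: str) -> str:
    """Task 2.6: combine likelihood and severity via the matrix (ValueError on typos)."""
    return RISK_MATRIX[LIKELIHOODS.index(likelihood)][SEVERITIES.index(severity)]


@dataclass
class Pair:
    """One row of the 2-0 Risk Determination and 3-0 Safeguard Determination tables."""
    item_no: int
    threat: str
    vulnerability: str
    likelihood: str
    severity: str
    existing_controls: str = ""
    risk_level: str = field(init=False)
    # Section 3 columns stay None until a safeguard has been recommended.
    safeguard: Optional[str] = None
    residual_likelihood: Optional[str] = None
    residual_severity: Optional[str] = None
    residual_risk_level: Optional[str] = None

    def __post_init__(self) -> None:
        self.risk_level = derive_risk_level(self.likelihood, self.severity)

    def needs_safeguard(self) -> bool:
        """Section 3.0: only Moderate and High pairs enter safeguard determination."""
        return self.risk_level in ("Moderate", "High")

    def apply_safeguard(self, safeguard: str, likelihood: str, severity: str) -> str:
        """Tasks 3.1 to 3.4: record the safeguard, re-estimate, re-derive the level."""
        self.safeguard = safeguard
        self.residual_likelihood = likelihood
        self.residual_severity = severity
        self.residual_risk_level = derive_risk_level(likelihood, severity)
        return self.residual_risk_level


def safeguard_candidates(pairs: List[Pair]) -> List[Pair]:
    """Pairs for which section 3.0 requires a recommended control or safeguard."""
    return [p for p in pairs if p.needs_safeguard()]


def still_elevated(pairs: List[Pair]) -> List[Pair]:
    """Pairs whose residual risk is still Moderate or High: section 3.1 says to
    document the circumstances and carry them into risk management."""
    return [p for p in pairs if p.residual_risk_level in ("Moderate", "High")]


def constructed_register() -> List[Pair]:
    """Constructed rows for a hypothetical EPHI system (illustration only)."""
    return [
        Pair(1, "Unauthorized insider", "Shared user accounts", "High", "Damaging",
             existing_controls="Acceptable-use policy"),
        Pair(2, "Malicious code", "Unpatched application server", "Medium", "Serious",
             existing_controls="Antivirus on desktops only"),
        Pair(3, "Power failure", "Single power feed", "Low", "Significant",
             existing_controls="UPS rated for 30 minutes"),
    ]


def main() -> None:
    pairs = constructed_register()
    for p in pairs:
        print(f"{p.item_no}: {p.threat} / {p.vulnerability}: {p.risk_level}")
    # Section 3 for the gated pairs; the residual estimates are constructed.
    pairs[0].apply_safeguard("Individual accounts with audit logging", "Low", "Damaging")
    pairs[1].apply_safeguard("Patch management and host antivirus", "Very Low", "Serious")
    for p in safeguard_candidates(pairs):
        print(f"{p.item_no}: {p.safeguard} -> residual {p.residual_risk_level}")
    for p in still_elevated(pairs):
        print(f"{p.item_no}: residual still {p.residual_risk_level}; document why")


if __name__ == "__main__":
    main()
```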


Appendix A: Information Security Levels

System business and technical owners must determine the appropriate security levels based on the organization's confidentiality, integrity and availability requirements for the information, as well as its criticality to the organization's business mission. These requirements are usually contained in the agency's statutory, regulatory and policy frameworks. This is the basis for assessing the risks to business operations and assets and in selecting appropriate security controls and techniques. Below are sample information security levels that establish common criteria for security by information category. The first table defines the information security levels. The second table provides security level examples for the various information categories. In cases where information of varying security levels is combined in one system, the highest security level takes precedence. It is each agency's responsibility to determine information security levels for each information category based on its particular business and legal requirements. The examples below are provided for illustration purposes only.

Examples of Information Security Levels


Security Level: Low
Description: Moderately serious
Explanation: Noticeable impact on an agency's missions, functions, or reputation. A breach of this security level would result in a negative outcome; or would result in damage, requiring repairs, to an asset or resource.

Security Level: Moderate
Description: Very serious
Explanation: Severe impairment to an agency's missions, functions, image, and reputation. The impact would place an agency at a significant disadvantage; or would result in major damage, requiring extensive repairs to assets or resources.

Security Level: High
Description: Catastrophic
Explanation: Complete loss of mission capability for an extended period; or would result in the loss of major assets or resources and could pose a threat to human life.

Examples of Information Security Levels by Information Category


Information Category: Law enforcement and state security information
Explanation and Examples: Information related to investigations for law enforcement purposes; security plans, contingency plans, emergency operations plans, incident reports, reports of investigations, risk or vulnerability assessments, certification reports; does not include general plans, policies, or requirements.
System Security Level*: High

Information Category: Life-critical information
Explanation and Examples: Information critical to life-support systems (i.e., information where inaccuracy, loss, or alteration could result in loss of life).
System Security Level*: High

Information Category: Information about persons
Explanation and Examples: Information related to personnel, medical, and similar data (e.g., salary data, social security information, passwords, user identifiers (IDs), EEO, personnel profile (including home address and phone number), medical history, employment history (general and security clearance information), and arrest/criminal investigation history).
System Security Level*: Moderate

Information Category: Financial, budgetary, commercial, proprietary and trade secret information
Explanation and Examples: Information related to financial information and applications, commercial information received in confidence, or trade secrets (i.e., proprietary, contract bidding information, sensitive information about employees or citizens). Also included is information about payroll, automated decision making, procurement, inventory, other financially related systems, and site operating and security expenditures.
System Security Level*: Moderate

Information Category: Public information
Explanation and Examples: Any information that is declared for public consumption by official authorities. This includes information contained in press releases. It also includes information placed on public access world-wide-web servers.
System Security Level*: Low


Appendix B: Security in the System Development Life Cycle

(from CMS Information Security RA Methodology)

Although information security must be considered in all phases of the life of a system, the System Development Life Cycle identifies four specific steps that are needed to ensure that information at CMS is properly protected. These include the Information Sensitivity Assessment (Section 10.5 of the Business Case Analysis), System Requirements Document, the RA Report and the System Security Plan.

Step 1 - The Information Sensitivity Assessment (ISA)
Prior to project initiation, the system owner prepares a Business Case Analysis (BCA), which includes the ISA (section 10.5 of the BCA). In this step, the system owner categorizes the data according to sensitivity and identifies high-level security requirements that apply to the system under consideration for development. Information from the ISA is one of the factors considered in determining if the system will go forward into development and what level of information security will be needed. Elements from the ISA provide the initial input to the RA.

Step 2 - System Requirements Document (specifically Security Requirements)
As an initial step of the development process, system requirements are documented for every system. The security requirements serve as a baseline for security within the system. The CMS Minimum Information Security Standards is a tool to assist in defining security requirements. Other requirements may be determined by business or functional requirements.

Step 3 - Risk Assessment Report
During the development process, a risk assessment is conducted and the resulting RA Report documents the vulnerabilities that have been identified in the system, the risks to the system resulting from the vulnerabilities and the efforts designed to reduce those risks, through the use of safeguards. The RA Report provides input to the System Security Plan and other risk management activities.

Step 4 - System Security Plan
The System Security Plan incorporates all of the elements required for the system owner to determine if the system should be certified as meeting both CMS policy and business requirements. Information from the RA Report is incorporated into the System Security Plan in Section 2 - Management Controls.

Security steps also correspond to phases in the Integrated IT Investment Management Road Map (ROADMAP) for system development. The ROADMAP is CMS's implementation standard for SDLC and Investment Management and can be found at cms.hhs.gov/it/roadmap. In Figure B-1, the system development life cycle and ROADMAP are shown on the right and left sides with the information security deliverables and tools entered in the center section between them. This format illustrates the relationship of the information security tasks to both processes.


Figure B-1. Security in the System Development Life Cycle and CMS's Roadmap

(Figure text, reproduced by column: Road Map phases on the left, security deliverables and resources in the center, SDLC security steps on the right.)

IT Investment Management Road Map (left column)

Acquisitions
- BCA 10.5 - Information Sensitivity Assessment

Requirements Definition
- Define System Requirements
- Information Security Risk Assessment

Design and Engineering
- Security Test Plan/Cases

Development
- Software Test Plan
- Program Software Unit and Integration
- Test Case Scenarios
- Test Data

Testing and Implementation
- Perform System Acceptance Testing
- Test or Validation Result Report
- Security Test Results

Implementation
- System Security Risk Assessment
- System Security Plan

Operations & Maintenance
- Updated Risk Assessment
- Updated System Security Plan

Security Deliverables (rectangle) and Resources (oval) (center column)
- Business Case Analysis 10.5 - Information Sensitivity
- Minimum Security Standards
- System Requirements Document (includes security)
- Threat Identification Resource
- Identify Vulnerabilities
- Risk Assessment (Risk Determination and Safeguard Evaluation)
- System Security Plan
- Risk Assessment and System Security Plan

System Security in the SDLC (right column)

Pre-Development
1. Express need for system
2. Assess/determine data sensitivity
3. Define initial security requirements

Development
1. Identify detailed system security requirements during system design.
2. Develop appropriate security controls with evaluation & test procedures prior to procurement actions
3. Develop solicitation documents to include security requirements & evaluation/test procedures
4. Update security requirements as technologies are implemented
5. Identify security requirements for procurement of COTS applications components
6. Perform design review to ensure security controls are considered prior to production
7. Ensure security features are configured, enabled, tested, and documented during development
8. Update, design, perform and document newly developed security controls
9. Document system security tests and risk assessment
10. Ensure compliance with Federal laws, regulations, policies and standards
11. Certify system and obtain system accreditation
12. Provide security training

Post-Development
1. Document all security activities
2. Perform security operations and administration
   a. Perform backups
   b. Provide security training
   c. Maintain & review user admin & access privileges
   d. Update security software as required
   e. Update security procedures as required
3. Perform operational assurance
   a. Perform & document periodic security audits
   b. Perform & document monitoring of system security
   c. Evaluate & document results of security monitoring
   d. Perform & document corrective actions
   e. Test contingency plans on a regular basis
   f. Perform Risk Assessment and update Security Plan, as needed, with each configuration change or every year
4. Document disposal of information
5. Use controls to ensure confidentiality of information


Appendix C: Assessment Team Members and Functions

Columns: Functional Role | Background | Organization | Email | Phone
(The Organization, Email and Phone columns are blank in the template and are filled in for each assessment.)

Risk Assessment Manager | Drives the risk assessment process, coordinates tasks, deliverables and schedule, composes the report with input from all team members.
System or network administrator | Operates and maintains the system from a technical, day-to-day standpoint; usually the "Primary System Contact" in the System Identification table.
Technical Reviewer | Understands the technical components of the system, but was not involved in designing, building or operating the system being assessed.
System business owner | Responsible for the system, or the services it provides, from a business or customer standpoint; understands the system's purpose but not necessarily the details of its technical implementation.
System technical owner | Has supervisory responsibility for the operation of the system.
Executive sponsor | Executive management-level responsibility for the system.
Information security officer | Responsible for the agency's security policies and objectives, and its overall risk profile.


Appendix D: Information Security Risk Assessment Template

1.0 System Documentation

1.1 System Identification
Agency Name
Official System Name
System Acronym
System Business Owner
System Technical Owner
System Security Owner
Additional System Stakeholders
System Location (Full Address)
Contract Number, Contractor names, phone numbers and emails, if applicable
System type(s) (mainframe, application / database / network / file server, workstation)
Primary System Contact(s), Name and Title (usually the system administrator)
   Organization Name
   Full Address
   Email Address
   Phone and pager numbers

1.2 System Purpose and Description
Function and purpose of the system
General functional requirements
Business processes, applications and services supported
System components
Environmental factors
Network diagram with system boundaries (attach)
General information flow
Technical and business users (list)
System ownership (shared or dedicated)

1.3 Information Security Levels and Overall System Security Level
Information Category | Information Security Level
Information Category | Information Security Level
Information Category | Information Security Level
Overall System Security Level

2.0 Risk Determination

2.0 Risk Determination Table
Item No. | Threat Name | Vulnerability Name | Risk Description | Existing Controls | Likelihood of Occurrence | Impact Severity | Risk Level

3.0 Safeguard Determination

3.0 Safeguard Determination Table
Item No. (from Risk Determination Table) | Recommended Safeguard Description | Residual Likelihood of Occurrence | Residual Impact Severity | Residual Risk Level

Signatures
Submitted by: _______________________ Date: _________
Risk Assessment Manager

Reviewed by: <Title>
_______________________ Date: _________

Approved by: <Title>
_______________________ Date: _________
