Hipaa Risk Analysis

Purpose
This template provides an approach for assessing risk to Electronic Protected Health Information (ePHI) in your department. This template is based on:
* Office for Civil Rights (“OCR”) HIPAA Security Standards: Guidance on Risk Analysis Requirements under the HIPAA Security Rule - http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
* Dept. of Health and Human Service (HHS) HIPAA Security Series: Basics of Risk Analysis and Risk Management -
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf
* UCSC's Practices for HIPAA Security Rule Compliance: http://its.ucsc.edu/policies/hipaa-practices.html
Each UCSC unit that works with ePHI is required to complete a risk analysis for that data. This template is a suggested way to complete that risk analysis and begin the process of risk management. Completed risk analyses
are to be maintained by the unit and also submitted to the campus HIPAA Security Official for review.
Disclaimer
This template has been developed for UCSC HIPAA entities as a tool in the process of analyzing and documenting risk to ePHI, as required under HIPAA. It is based on industry best practice, and has been targeted for our
environment. UCSC makes no guarantee of compliance based on completion of this form.
Any data collected as a result of using this template, including the completed analysis, itself, should be considered sensitive and confidential and must be safeguarded as such.
Please direct questions to the office of the campus HIPAA Security Official: itpolicy@ucsc.edu
Instructions
To perform the risk analysis:
1. Use the "Inventory" tab of the spreadsheet to identify where ePHI is created, stored, received, or transmitted by your unit. This includes identifying external sources of ePHI, such as vendors or consultants who create,
receive, maintain or transmit ePHI.
2. Use the "Access" tab to identify who can access your unit's ePHI (intentional and risk of unintentional). Identification by role is acceptable.
3. Review the Security Concerns/Threats/Vulnerabilities in the "Vuln Threat Pair" tab. Add any unit-specific items to the placeholders at the end of the list. If there are none, delete these placeholders. Do not delete any of the
other items.
4. In the "Risk Level" tab: The security concerns are carried over for you from the previous tab.
A. Assess whether each security concern applies to your unit or not. For items that aren't applicable, indicate N/A and a reason in the "Existing Mitigations/Control" box. Leave everything else blank for the N/A items.
B. For each security concern that applies to your unit:
i) Identify the existing mitigations/controls
- Please note that the questions in italics in the "Existing Mitigations/Controls" boxes of the template are examples of possible controls, not a list of requirements for HIPAA compliance. Replace the questions
with actual,
existing mitigations/controls.
- Although the questions are examples, they should all be considered. If the answer to any of the questions is "no," consider whether that implies a risk that should be addressed in "Next steps" (see 6,
below).
ii) Indicate the Maturity Level of each existing mitigation/control (see "Definitions" tab for maturity level definitions)
iii) Indicate the numerical Likelihood and Impact of each concern actually happening given the controls currently in place. Likelihood is either (.1, .5 or 1), and Impact is variable Low (10,20,30,40) Medium
(50,60,70,80,90) and
High (100). See the "Definitions" tab to help with this step.
iv) The spreadsheet will automatically calculate the result and residual risk rating by multiplying Likelihood x Impact.
C. Reminder: add any unit-specific security concerns to the placeholders at the end of the list in the "Vuln Threat Pair" tab.
5. The "Risk Analysis" tab automatically displays the security concerns, existing mitigations and risk levels (residual risk) from the "Risk Level" tab. Use the "Is residual risk accepted?" column to document whether or not the
residual risk (if any) is accepted as-is or not. If the residual risk is not accepted as-is, use the remaining columns to identify any additional recommended controls and next steps (action items and owners) needed to further
mitigate the risk to an acceptable level, along with the effort/cost (high/med/low) associated with each action item.
6. Next steps: Conclusions should be reviewed by the Campus HIPAA Compliance Team. Identified action items should be added to the appropriate action item lists that the HIPAA Team maintains and tracked.
Template Rev. 12/19/13
000000Template rev. 5/25/11 000000hipaa@ucsc.edu

000000HIPAA Departmental System Risk Analysis
(Department)
Date:
Unit:
Contact (name and email):
Inventory:
Identify where ePHI is created, stored, received, or transmitted. This includes identifying external sources of ePHI,
Please also indicate whether there is a documented process for updating the inventory.

(Department)
external sources of ePHI, such as vendors or consultants who create, receive, maintain or transmit ePHI.

(Department)
Date:
Unit:
Contact (name and email):
Access:
Identify who can access ePHI (intentional and risk of unintentional). Identification by role is acceptable.

(Department)
nal). Identification by role is acceptable.

(Department)
Vulnerability Threat Source Pair
Security Concern/
Threat/Vulnerability
1 [System]
Data accessed or corrupted by hacker through
exploiting OS or application/ database weaknesses.
2 [System/Human]
Disclosure due to unauthorized account access
(shared, stolen, hacked, phished credentials)
3 [System]
Data loss, disclosure, or inability to access data due to
malware. Includes remote access by a hacker due to
malware.
4 [System/Human]
Disclosure or data loss due to application or OS
weaknesses introduced by users on workstations /
laptops/portable devices/electronic media
5 [System]
Unauthorized access to a system via 0-day exploit
6 [System]
Disclosure due to theft of workstation/ laptop/portable
device/electronic media
7 [System]
Disclosure due to physical access of a workstation /
laptop/portable device/electronic media (use, not theft)
8 [System]
Disclosure due to storage of ePHI on non-University
devices
9 [System]
Disclosure/unauthorized access due to inadequate
security controls on non-University workstations /
laptops/portable devices/electronic media used for
10 remote
[Network]access of ePHI
Disclosure due to an attacker re-routing network traffic
to their system (ARP spoofing / man-in-the-middle
11 attack)
[Network]
Disclosure due to traffic sniffer
12 [System]
Disclosure due to physical keylogger
13 [System]
Disclosure due to software keylogger
14 [Network]
Unauthorized device on network used to capture traffic
or credentials
15 [System]
Unauthorized access through modem connection from
a networked PC.
000000Risk Analysis Template.xls 000000Vuln Threat Pair Page 6 of 20 000000rev <date>

(Department)
16 [Human]
Unauthorized access to workstation/laptop or
application/database/server/media by former
employees, employees on leave or disability,
employees whose job duties no longer include
authorized access to ePHI; includes data corruption by
these employees.
17 [Human]
Unauthorized access to or corruption of data by
authorized employees
18 [Environmental]
Data loss or data access loss due to non-Data Center
SHS, SHR, or County Health server(s) outage by
failure or environmental causes
19 [Environmental]
Data loss or data access loss due to Data Center
server(s) outage by failure or environmental causes.
20 [Environmental]
Data access loss due to SHS, SHR, Fire Dept building
closure.
21 [Environmental]
Data access loss due to Data Center building closure.
22 [Human]
Data loss or data access loss due to non-Data Center
SHS, SHR, or County Health server(s) failure from
physical sabotage
23 [Human]
Data loss or data access loss due to Data Center
server(s) failure from physical sabotage
24 [Network]
Data access loss due to network interruption from a
hacker/virus/worm exploiting network insecurities
25 [Network]
Data access loss due to network interruption from
environmental factors or sabotage
26 [Human]
Disclosure due to inadvertent transmission of data
(includes misdirected data transmissions)
27 [Human]
Disclosure due to intentional transmission of data
(malicious or out of ignorance)
28 [Human]
Disclosure due to email being hijacked or stolen by
29 hackers
[Human]
Disclosure due to printing to unintended printer, faxing
to unintended fax machine, emailing to unintended
recipient, leaving material in copy machine,
misaddressed paper mail
30 [Human]
Disclosure due to authorized employee lack of
knowledge regarding ePHI security requirements
31 [Human]
Delay in detection of disclosure due to improper or lack
of incident reporting
32 [System]
Disclosure due to improper disposal of equipment
(Department)
33 [System]
Loss of access to External Service Provider from a
system failure on the remote end.
34 [Network]
Loss of access to External Service Provider system
from a connection failure caused by hacker, virus or
worm, or network outage.
35 [System]
Loss of access to External Service Provider system
from a local workstation failure caused by hacker, virus
or worm.
36 [System]
Disclosure or lack of availability due to an inadequate
data backup and recovery plan
37 [Human]
Disclosure due to improper handling of backups
containing ePHI
38 [Human]
Disclosure due to inadequate tracking of the
movements of hardware and electronic media
containing ePHI
39 [System]
Lack of discovery of disclosure or unauthorized data
modification/ destruction due to inadequate information
system activity review/log monitoring
40 [Human]
Disclosure due to improper protection of ePHI by third
-parties
41 [Servers]
Disclosure due to theft of server or a server drive,
including printers, copiers, fax machines, etc.
42 [Servers]
Disclosure due to physical access to servers (to pull
data, mirror drive, install a malicious device)
43 [Servers]
Disclosure or data corruption due to server OS or
application weaknesses or malware on servers
44 [Servers]
Disclosure, loss of data access or data corruption due
to corrupt admins
45 [Servers]
Disclosure due to use of stored passwords
46 Unit-Specific Risk #1
51
52
53
54
55
56
57
58
59

(Department)
60

(Department)
Low = 0.1 Low = 10 - 40 Low 1 to 9
Med = 0.5 Med = 50 - 90 Med 10 to <50
High = 1.0 High = 100 Likelihood *Impact High 50 to 100
Existing Mitigations/Controls
Threat
Security Concern/ (possible controls/suggestions in italics; Maturity Level Impact
Likelihood
Threat/Vulnerability * = part of UCSC’s Minimum 0-5 (See Result Risk Rating
(See
Requirements) (See Definitions) Definitions)
Definitions)
[System] 1. Are patches current?* 1.
Data accessed or corrupted by hacker through 2. Have default passwords been changed? 2.
exploiting OS or application/ database 3. Are unnecessary services disabled?* 3.
weaknesses. 4. Are firewalls installed/enabled?* 4.
5. Is access to databases/applications technically 5.
limited based on IP address, domain, or VPN? 6.
1 6. Are proper software development/ coding 7. 0 Low
practices used for in-house apps? 8.
7. Is a host-based intrusion detection/ prevention 9.
system (HIDS/HIPS)[1] used?
8. Are DB/file access monitoring/ alerting
applications used (e.g. Imperva, IBM Guardium,
etc.)?
9. Is printer software kept up to date?
[System/Human] 1. Does the server have anti-phishing controls? 1.
Disclosure due to unauthorized account access 2. Is instant messaging (IM) controlled? 2.
(shared, stolen, hacked, phished credentials) 3. Are users educated about IM & email safety, 3.
phishing, phone scams, other social engineering, 4.
password policy? 5.
4. Are individuals issued unique accounts for 6.
access to ePHI? 7.
5. Are strong passwords technically enforced 8.
where possible? 9.
6. Are apps set not to remember passwords? 10.
2 0 Low
7. Is anti-virus/anti-malware current?* 11.
8. Is installation of unauthorized applications
disallowed (technically or procedurally)?
9. Are session timeouts/screen locking
administratively and technically enforced –
including for workstations with shared or generic
logins, if any?*
10. Is HIDS/HIPS[1] used?
11. Are authentication systems periodically tested
and upgraded when upgrades are available?
[System] 1. Is anti-virus/anti-malware current?* 1.
Data loss, disclosure, or inability to access data 2. Is more than one anti-virus being run? 2.
due to malware. Includes remote access by a 3. Are patches current?* 3.
hacker due to malware. 4. Is web surfing to known malware sites blocked 4.
technically? 5.
5. Are appropriate and inappropriate uses of 6.
workstations, including shared-access 7.
workstations, defined? 8.
6. Is installation of unauthorized applications 9.
disallowed (technically or procedurally)? 10.
7. Is user education in place? 11.
3 8. Are browser security standards implemented? 12. 0 Low
9. Have default logins/passwords been changed or 13.
removed? 14.
10. Are unnecessary services disabled?* 15.
11. Have proper file/directory
ownership/permissions been set?
12. Is email malicious code filtering implemented?
13. Are firewalls installed/enabled?*
14. Are periodic network vulnerability scans
performed?
000000Risk Analysis Template.xls 000000Risk Level Page 10 of 20 000000rev <date>

(Department)
Low = 0.1 Low = 10 - 40 Low 1 to 9
Med = 0.5 Med = 50 - 90 Med 10 to <50
Threat
Likelihood
(See
Definitions)
[System/Human] 1. Are patches current?* 1.
Disclosure or data loss due to application or OS 2. Is anti-virus/anti-malware current?* 2.
weaknesses introduced by users on workstations 3. Is education about safe computing practices in 3.
/ laptops/portable devices/electronic media place? 4.
4. Is web surfing to known malware sites blocked 5.
4 technically? 6. 0 Low
6. Are users set not to run as admin?
7. Are appropriate controls in place to restrict
remote system access, or is remote access
disabled?
Unauthorized access to a system via 0-day 2. Is access to databases/applications technically 2.
5 exploit limited based on IP address, domain, or VPN? 3. 0 Low
3. Are users set not to run as admin? 4.
[System] 1. Is stored ePHI encrypted? 1.
Disclosure due to theft of workstation/ 2. Are workstations and laptops containing ePHI 2.
laptop/portable device/electronic media physically secured?* 3.
3. Is ePHI not stored on portable devices? 4.
4. Are portable devices and electronic media 5.
6 containing ePHI physically secured when 6. 0 Low
unattended?*
5. Is there a policy against leaving portable devices
containing ePHI in vehicles?
6. Are systems and electronic media containing
ePHI in physically secure locations?
[System] 1. Are applications configured not to remember 1.
Disclosure due to physical access of a passwords? 2.
workstation / laptop/portable device/electronic 2. Are screen locks or session timeouts in place – 3.
media (use, not theft) including for workstations with shared or generic 4.
logins, if any?* 5.
3. Is ePHI not stored? 6.
4. Is stored ePHI encrypted? 7.
5. Are strong passwords required to access system 8.
or resume session?* 9.
7 6. Is installation of unauthorized applications 10. 0 Low
disallowed technically?
7. Do typical users not have admin access?
8. Are workstations and other devices containing
ePHI housed in physically secure facilities?
9. Are workstations that may display ePHI
positioned to only allow viewing by authorized
individuals?
10. Are workstations physically restricted to limit
access to only authorized personnel?
[System] 1. Is ePHI not stored on non-University equipment 1.
8 Disclosure due to storage of ePHI on non- (except by a third party with a HIPAA BAA)? 0 Low
University devices

(Department)
Low = 0.1 Low = 10 - 40 Low 1 to 9
Med = 0.5 Med = 50 - 90 Med 10 to <50
Threat
Likelihood
(See
Definitions)
[System] 1. Is management approval required for accessing 1.
Disclosure/unauthorized access due to ePHI from a non-University device? 2.
inadequate security controls on non-University 2. Are all required HIPAA protections applied to 3.
workstations / laptops/portable devices/electronic non-University devices used to remotely access 4.
media used for remote access of ePHI ePHI, and are they verified periodically? 5.
3. Are non-University devices used to remotely 6.
access ePHI not shared with others, including
9 family members? 0 Low
4. Are procedures in place to log out of programs
and remove all viewable ePHI before leaving the
device unattended?
5. Are non-University devices configured not to
save passwords that provide access to ePHI?
6. Is ePHI never accessed from a public, non-
University device?
[Network] 1. Are switches hardened? (This is a question for 1.

Disclosure due to an attacker re-routing network ITS.) 2.
10 0 Low
traffic to their system (ARP spoofing / man-in- 2. Is all traffic encrypted, including remote access?
the-middle attack)
[Network] 1. Is all traffic encrypted, including remote access? 1.
Disclosure due to traffic sniffer 2. Are Network Interface Cards (NICs) controlled? 2.
11 (This is a question for ITS.) 3. 0 Low
3. Are sniffer detectors used (e.g. some AV detects
activity associated with this)?
[System] 1. Are computers regularly examined for foreign 1.
Disclosure due to physical keylogger devices? 2.
12 2. Does Desktop Support do #1 when they work on 3. 0 Low
a system in person?
3. Are USB ports disabled?
Disclosure due to software keylogger 2. Is user education in place? 2.
3. Is web surfing to known malware sites blocked 3.
13 technically? 4. 0 Low
5. Is HIDS/HIPS[1] used
[Network] 1. Is all traffic encrypted, including remote access? 1.
Unauthorized device on network used to capture 2. Are there port based restrictions on who/what 2.
traffic or credentials can connect to network? (This is a questions for 3.
14 ITS.) 0 Low
3. Is Network Access Control/ Protection
(NAC/NAP) implemented? (This technically
enforces requiring host systems to meet a
specified security standard before being granted
[System] 1. Is there a policy against installing unapproved 1.
Unauthorized access through modem connection modems? 2.
from a networked PC. 2. Are computers regularly examined for foreign 3.
devices? 4.
15 3. Is auto-answer disabled on modems? 5. 0 Low
4. Does the modem application require
authentication when answering?
5. Are strong passwords used for modem access,
and have default passwords been changed?

(Department)
Low = 0.1 Low = 10 - 40 Low 1 to 9
Med = 0.5 Med = 50 - 90 Med 10 to <50
Threat
Likelihood
(See
Definitions)
[Human] 1. Are accounts & access terminated or disabled 1.
Unauthorized access to workstation/laptop or ASAP upon separation or leave, including security 2.
application/database/server/media by former codes & admin access? 3.
employees, employees on leave or disability, 2. Are passwords to shared accounts changed? 4.
employees whose job duties no longer include 3. Are shared or generic accounts known and 5.
authorized access to ePHI; includes data documented? 6.
corruption by these employees. 4. Are passwords to shared or generic 7.
accounts/logins changed when someone leaves 8.
the group? 9.
5. Are keys/access cards collected, lock codes 10.
cancelled, and shared codes changed? 11.
6. Is log monitoring proactive?
16 7. Is a Data Loss Protection (DLP) system 0 Low
implemented (to identify sensitive cleartext
information leaving the network)?
applications used (e.g. Imperva, IBM Guardium,
etc.)?
10. Is there a periodic review of individuals with
accounts/ codes/keys that provide access to ePHI
or to secure facilities that house ePHI?
11. Are there separate procedures for terminating
access to ePHI for voluntary and involuntary
separations?
[Human] 1. Is log monitoring proactive? 1.
Unauthorized access to or corruption of data by 2. Are employees educated about appropriate and 2.
17 0 Low
authorized employees inappropriate access? 3.
3. Is a DLP system implemented? (see above)
[Environmental] 1. Is data backed up regularly? 1.
Data loss or data access loss due to non-Data 2. Is there spare hardware? 2.
Center SHS, SHR, or County Health server(s) 3. Are data recovery procedures documented? 3.
18 outage by failure or environmental causes 4. Are data restoration procedures tested 4. 0 Low
periodically? 5.
5. Are there backups and redundant systems in an 6.
alternate location?
6. Are UPSs & UPS alerts in place?
Data loss or data access loss due to Data Center 2. Is there spare hardware? 2.
server(s) outage by failure or environmental 3. Are data recovery procedures documented? 3.
19 causes. 4. Are data restoration procedures tested 4. 0 Low
periodically? 5.
alternate location?
Data access loss due to SHS, SHR, Fire Dept 2. Are there backups and redundant systems in an 2.
20 building closure. alternate location? 3. 0 Low
3. Are alternate work or data access procedures
documented?
Data access loss due to Data Center building 2. Are there backups and redundant systems in an 2.
closure. alternate location? 3.
21 3. Can Data Center systems be administered 4. 0 Low
remotely?
4. Are alternate work or data access procedures
documented?

(Department)
Low = 0.1 Low = 10 - 40 Low 1 to 9
Med = 0.5 Med = 50 - 90 Med 10 to <50
Threat
Likelihood
(See
Definitions)
[Human] 1. Are physical access controls in place? 1.
Data loss or data access loss due to non-Data 2. Is data backed up regularly? 2.
Center SHS, SHR, or County Health server(s) 3. Is there spare hardware? 3.
failure from physical sabotage 4. Are there backups and redundant systems in an 4.
22 alternate location? 5. 0 Low
5. Are alternate work or data access procedures 6.
documented? 7.
6. Are data restoration procedures tested
periodically?
[Human] 1. Are physical access controls in place? 1.
Data loss or data access loss due to Data Center 2. Is data backed up regularly? 2.
server(s) failure from physical sabotage 3. Is there spare hardware? 3.
documented? 7.
periodically?
[Network] 1. Is there spare hardware? 1.
Data access loss due to network interruption 2. Are data recovery procedures documented? 2.
from a hacker/virus/worm exploiting network 3. Are data restoration procedures tested 3.
insecurities periodically? 4.
documented?
7. Are there redundant pathways w/automatic
switching? (This is a question for ITS.)
[Network] 1. Is there spare hardware? 1.
Data access loss due to network interruption 2. Are data recovery procedures documented? 2.
from environmental factors or sabotage 3. Are data restoration procedures tested 3.
periodically? 4.
documented?
7. Are there redundant pathways w/automatic
switching? (This is a question for ITS.)
[Human] 1. Is education in place? 1.
26 Disclosure due to inadvertent transmission of 2. Is automatic monitoring and blocking in place for 2. 0 Low
data (includes misdirected data transmissions) unencrypted traffic?
[Human] 1. Is education in place? 1.
Disclosure due to intentional transmission of data 2. Is automatic monitoring and blocking in place for 2.
27 0 Low
(malicious or out of ignorance) unencrypted traffic? 3.
3. Are background checks performed?

(Department)
(1) (2) (3)
Security Concern/ Existing Controls Risk Level Is residual risk accepted? Recommended Controls Next Steps
Threat/Vulnerability Identified Action Items and Owners
[System] 1. Are patches current?*

Data accessed or corrupted by hacker 2. Have default passwords been
through exploiting OS or application/ changed?
database weaknesses. 3. Are unnecessary services disabled?*
5. Is access to databases/applications
technically limited based on IP address,
domain, or VPN?
1 6. Are proper software development/ Low
coding practices used for in-house apps?
7. Is a host-based intrusion detection/
prevention system (HIDS/HIPS)[1] used?
applications used (e.g. Imperva, IBM
Guardium, etc.)?
9. Is printer software kept up to date?
[System/Human] 1. Does the server have anti-phishing
Disclosure due to unauthorized account controls?
access (shared, stolen, hacked, phished 2. Is instant messaging (IM) controlled?
credentials) 3. Are users educated about IM & email
safety, phishing, phone scams, other
social engineering, password policy?
4. Are individuals issued unique accounts
for access to ePHI?
5. Are strong passwords technically
enforced where possible?
6. Are apps set not to remember
passwords?
2 7. Is anti-virus/anti-malware current?* Low
8. Is installation of unauthorized
applications disallowed (technically or
procedurally)?
9. Are session timeouts/screen locking
administratively and technically enforced
– including for workstations with shared or
generic logins, if any?*
11. Are authentication systems
periodically tested and upgraded when
upgrades are available?
[System] 1. Is anti-virus/anti-malware current?*
Data loss, disclosure, or inability to 2. Is more than one anti-virus being run?
access data due to malware. Includes 3. Are patches current?*
remote access by a hacker due to 4. Is web surfing to known malware sites
malware. blocked technically?
5. Are appropriate and inappropriate uses
of workstations, including shared-access
workstations, defined?
procedurally)?
7. Is user education in place?
8. Are browser security standards
3 implemented? Low
9. Have default logins/passwords been
changed or removed?
10. Are unnecessary services disabled?*
11. Have proper file/directory
ownership/permissions been set?
12. Is email malicious code filtering
implemented?
14. Are periodic network vulnerability
scans performed?
000000Risk Analysis Template.xls 000000Risk Analysis Page 15 of 20 000000rev <date>

(Department)
(1) (2) (3)
[System/Human] 1. Are patches current?*

Disclosure or data loss due to application 2. Is anti-virus/anti-malware current?*
or OS weaknesses introduced by users 3. Is education about safe computing
on workstations / laptops/portable practices in place?
devices/electronic media 4. Is web surfing to known malware sites
blocked technically?
4 5. Is installation of unauthorized Low
procedurally)?
7. Are appropriate controls in place to
restrict remote system access, or is
remote access disabled?
Unauthorized access to a system via 0- 2. Is access to databases/applications
day exploit technically limited based on IP address,
5 Low
domain, or VPN?
[System] 1. Is stored ePHI encrypted?
Disclosure due to theft of workstation/ 2. Are workstations and laptops
laptop/portable device/electronic media containing ePHI physically secured?*
3. Is ePHI not stored on portable devices?
4. Are portable devices and electronic
media containing ePHI physically secured
6 when unattended?* Low
5. Is there a policy against leaving
portable devices containing ePHI in
vehicles?
6. Are systems and electronic media
containing ePHI in physically secure
locations?
[System] 1. Are applications configured not to
Disclosure due to physical access of a remember passwords?
workstation / laptop/portable 2. Are screen locks or session timeouts in
device/electronic media (use, not theft) place – including for workstations with
shared or generic logins, if any?*
3. Is ePHI not stored?
4. Is stored ePHI encrypted?
5. Are strong passwords required to
access system or resume session?*
7 applications disallowed technically? Low
7. Do typical users not have admin
access?
8. Are workstations and other devices
containing ePHI housed in physically
secure facilities?
9. Are workstations that may display ePHI
positioned to only allow viewing by
authorized individuals?
10. Are workstations physically restricted
to limit access to only authorized
personnel?
[System] 1. Is ePHI not stored on non-University
8 Disclosure due to storage of ePHI on equipment (except by a third party with a Low
non-University devices HIPAA BAA)?

(Department)
(1) (2) (3)
[System] 1. Is management approval required for

Disclosure/unauthorized access due to accessing ePHI from a non-University
inadequate security controls on non- device?
University workstations / laptops/portable 2. Are all required HIPAA protections
devices/electronic media used for remote applied to non-University devices used to
access of ePHI remotely access ePHI, and are they
verified periodically?
3. Are non-University devices used to
remotely access ePHI not shared with
9 others, including family members? Low
4. Are procedures in place to log out of
programs and remove all viewable ePHI
before leaving the device unattended?
5. Are non-University devices configured
not to save passwords that provide
access to ePHI?
6. Is ePHI never accessed from a public,
non-University device?
[Network] 1. Are switches hardened? (This is a

Disclosure due to an attacker re-routing question for ITS.)
10 Low
network traffic to their system (ARP 2. Is all traffic encrypted, including remote
spoofing / man-in-the-middle attack) access?
[Network] 1. Is all traffic encrypted, including remote
Disclosure due to traffic sniffer access?
2. Are Network Interface Cards (NICs)
11 Low
controlled? (This is a question for ITS.)
3. Are sniffer detectors used (e.g. some
AV detects activity associated with this)?
[System] 1. Are computers regularly examined for
Disclosure due to physical keylogger foreign devices?
12 2. Does Desktop Support do #1 when Low
they work on a system in person?
3. Are USB ports disabled?
Disclosure due to software keylogger 2. Is user education in place?
3. Is web surfing to known malware sites
13 blocked technically? Low
procedurally)?
5. Is HIDS/HIPS[1] used
[Network] 1. Is all traffic encrypted, including remote
Unauthorized device on network used to access?
capture traffic or credentials 2. Are there port based restrictions on
who/what can connect to network? (This
is a questions for ITS.)
14 3. Is Network Access Control/ Protection Low
(NAC/NAP) implemented? (This
technically enforces requiring host
systems to meet a specified security
standard before being granted full
network access.)
[System] 1. Is there a policy against installing
Unauthorized access through modem unapproved modems?
connection from a networked PC. 2. Are computers regularly examined for
foreign devices?
3. Is auto-answer disabled on modems?
15 4. Does the modem application require Low
authentication when answering?
5. Are strong passwords used for modem
access, and have default passwords been
changed?

(Department)
(1) (2) (3)
[Human] 1. Are accounts & access terminated or

Unauthorized access to disabled ASAP upon separation or leave,
workstation/laptop or including security codes & admin access?
application/database/server/media by 2. Are passwords to shared accounts
former employees, employees on leave changed?
or disability, employees whose job duties 3. Are shared or generic accounts known
no longer include authorized access to and documented?
ePHI; includes data corruption by these 4. Are passwords to shared or generic
employees. accounts/logins changed when someone
leaves the group?
5. Are keys/access cards collected, lock
codes cancelled, and shared codes
changed?
6. Is log monitoring proactive?
7. Is a Data Loss Protection (DLP) system
16 implemented (to identify sensitive Low
cleartext information leaving the
network)?
applications used (e.g. Imperva, IBM
Guardium, etc.)?
10. Is there a periodic review of
individuals with accounts/ codes/keys that
provide access to ePHI or to secure
facilities that house ePHI?
11. Are there separate procedures for
terminating access to ePHI for voluntary
and involuntary separations?
[Human] 1. Is log monitoring proactive?

Unauthorized access to or corruption of 2. Are employees educated about
17 data by authorized employees appropriate and inappropriate access? Low
3. Is a DLP system implemented? (see
above)
[Environmental] 1. Is data backed up regularly?
Data loss or data access loss due to non- 2. Is there spare hardware?
Data Center SHS, SHR, or County Health 3. Are data recovery procedures
server(s) outage by failure or documented?
18 environmental causes 4. Are data restoration procedures tested Low
periodically?
5. Are there backups and redundant
systems in an alternate location?

Data loss or data access loss due to Data 2. Is there spare hardware?
Center server(s) outage by failure or 3. Are data recovery procedures
environmental causes. documented?
19 4. Are data restoration procedures tested Low
periodically?
Data access loss due to SHS, SHR, Fire 2. Are there backups and redundant
20 Dept building closure. systems in an alternate location? Low
3. Are alternate work or data access
procedures documented?
Data access loss due to Data Center 2. Are there backups and redundant
building closure. systems in an alternate location?
21 3. Can Data Center systems be Low
administered remotely?

(Department)
(1) (2) (3)
[Human] 1. Are physical access controls in place?

Data loss or data access loss due to non- 2. Is data backed up regularly?
Data Center SHS, SHR, or County Health 3. Is there spare hardware?
server(s) failure from physical sabotage 4. Are there backups and redundant
22 5. Are alternate work or data access Low
periodically?
[Human] 1. Are physical access controls in place?

Data loss or data access loss due to Data 2. Is data backed up regularly?
Center server(s) failure from physical 3. Is there spare hardware?
sabotage 4. Are there backups and redundant
23 5. Are alternate work or data access Low
periodically?
[Network] 1. Is there spare hardware?
Data access loss due to network 2. Are data recovery procedures
interruption from a hacker/virus/worm documented?
exploiting network insecurities 3. Are data restoration procedures tested
periodically?
24 Low
7. Are there redundant pathways
w/automatic switching? (This is a question
for ITS.)
[Network] 1. Is there spare hardware?

Data access loss due to network 2. Are data recovery procedures
interruption from environmental factors or documented?
sabotage 3. Are data restoration procedures tested
periodically?
25 Low
7. Are there redundant pathways
w/automatic switching? (This is a question
for ITS.)
[Human] 1. Is education in place?

Disclosure due to inadvertent 2. Is automatic monitoring and blocking in
26 Low
transmission of data (includes place for unencrypted traffic?
misdirected data transmissions)
[Human] 1. Is education in place?
Disclosure due to intentional transmission 2. Is automatic monitoring and blocking in
27 Low
of data (malicious or out of ignorance) place for unencrypted traffic?
3. Are background checks performed?

Likelihood Level Likelihood Definition Threat Impact
High (1.0) The threat-source is highly motivated and sufficiently
capable, and controls to prevent the vulnerability from being
exercised are ineffective. Likelihood Low Medium High
Medium (0.5) The threat-source is motivated and capable, but controls are 10-40 50-90 100
in place that may impede successful exercise of the
Low (0.1) The threat-source lacks motivation or capability, or controls High (1.0) 10 x 1.0 = 10 50 x 1.0 = 100 x 1.0
are in place to prevent, or at least significantly impede, the 50 = 100
vulnerability from being exercised.
Medium (0.5) 10 x 0.5 = 5 50 x 0.5 = 100 x 0.5
25 = 50
Magnitude of Impact Impact Definition Low (0.1) 10 x 0.1 = 1 50 x 0.1 = 100 x 0.1
5 = 10
High (100) Exercise of the vulnerability (1) may result in the very costly
loss of major tangible assets or resources; (2) may
significantly violate, harm, or impede an organization’s
function, reputation, or interest; or (3) may result in human
Medium (50-90) death or serious
Exercise injury.
of the vulnerability (1) may result in the costly loss
of tangible assets or resources; (2) may violate, harm, or
impede an organization’s function, reputation, or interest; or
(3) may result in human injury.
Low (10-40) Exercise of the vulnerability (1) may result in the loss of
some tangible assets or resources or (2) may noticeably
affect an organization’s function, reputation, or interest.
Maturity Levels (from IS-3 Assessment) - from CobIT, v 4.1

0 Non-Existent: Complete lack of any recognizable processes. The institution has not even recognized that there is an issue to be
1 Initial/Ad-Hoc: There is evidence that the institution has recognized that the issues exist and need to be addressed. There are, however,
no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall
approach to management is disorganized.
2 Repeatable but Intuitive: Processes have developed to the stage where similar procedures are followed by different people undertaking
the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a
high degree of reliance on the knowledge of individuals and, therefore, errors are likely.
3 Defined Process: Procedures have been standardized and documented, and communicated through training. It is mandated that these
processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but
are the formalization of existing practices.
4 Managed and Measurable: Management monitors and measures compliance with procedures and takes action where processes appear
not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a
limited or fragmented way.
5 Optimized: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity
modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and
effectiveness, making the enterprise quick to adapt.
Footnotes
[1] Host-based intrusion detection/prevention system (HIDS/HIPS): Host based intrusion prevention system (HIDS)/host based intrusion
prevention system (HIPS). These are software packages installed on a host system that detect attacks against the host and take action
against such attacks, such as tuning host based firewall rules to shunt/block attacking IPs. Tools such as Blackice Defender, Verisys,
Tripwire, and OSSEC (which is what IT Security uses) would be considered HIDS/HIPS apps.

Hipaa Risk Analysis

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Hipaa Risk Analysis

Загружено:

Авторское право:

Доступные форматы

Purpose

Template Rev. 12/19/13

000000Template rev. 5/25/11 000000hipaa@ucsc.edu

000000Template rev. 5/25/11 000000hipaa@ucsc.edu

000000Template rev. 5/25/11 000000hipaa@ucsc.edu

000000Template rev. 5/25/11 000000hipaa@ucsc.edu

nal). Identification by role is acceptable.

000000Template rev. 5/25/11 000000hipaa@ucsc.edu

000000Risk Analysis Template.xls 000000Vuln Threat Pair Page 6 of 20 000000rev <date>

000000Risk Analysis Template.xls 000000Vuln Threat Pair Page 8 of 20 000000rev <date>

000000Risk Analysis Template.xls 000000Vuln Threat Pair Page 9 of 20 000000rev <date>

000000Risk Analysis Template.xls 000000Risk Level Page 10 of 20 000000rev <date>

000000Risk Analysis Template.xls 000000Risk Level Page 11 of 20 000000rev <date>

[Network] 1. Are switches hardened? (This is a question for 1.

000000Risk Analysis Template.xls 000000Risk Level Page 12 of 20 000000rev <date>

000000Risk Analysis Template.xls 000000Risk Level Page 13 of 20 000000rev <date>

000000Risk Analysis Template.xls 000000Risk Level Page 14 of 20 000000rev <date>

[System] 1. Are patches current?*

000000Risk Analysis Template.xls 000000Risk Analysis Page 15 of 20 000000rev <date>

[System/Human] 1. Are patches current?*

000000Risk Analysis Template.xls 000000Risk Analysis Page 16 of 20 000000rev <date>

[System] 1. Is management approval required for

[Network] 1. Are switches hardened? (This is a

000000Risk Analysis Template.xls 000000Risk Analysis Page 17 of 20 000000rev <date>

[Human] 1. Are accounts & access terminated or

[Human] 1. Is log monitoring proactive?

[Environmental] 1. Is data backed up regularly?

000000Risk Analysis Template.xls 000000Risk Analysis Page 18 of 20 000000rev <date>

[Human] 1. Are physical access controls in place?

[Human] 1. Are physical access controls in place?

[Network] 1. Is there spare hardware?

[Human] 1. Is education in place?

000000Risk Analysis Template.xls 000000Risk Analysis Page 19 of 20 000000rev <date>

Maturity Levels (from IS-3 Assessment) - from CobIT, v 4.1

000000Template rev. 5/25/11 000000hipaa@ucsc.edu

Вам также может понравиться