<To customize this template document, replace all of the text that is presented in angle brackets (i.e. “<” and “>”) with text that is appropriate to your organization and circumstances. After completing the customization of this document, the document should be reviewed by an attorney who is familiar with health privacy laws and regulations in the state(s) in which the organization maintains its facilities, and who is in a position to provide legal counsel to your organization.>
Owners:
[Typically this should be owned by the Security Official as well as other individuals involved in HIPAA compliance and/or the actual risk remediation, such as IT and the Privacy Official.]
Background
This HIPAA Security Risk Management Plan represents the <Insert Name> ongoing risk management program based upon:
Plan Execution
Each risk management item is backed up by documentation regarding the project plan for managing or mitigating the risk. The specific owners and resources for execution are listed on this secondary plan.
• Monthly review by the team owners of the risk management plan status
• Identification of any areas of deficiency in meeting the plan, resulting in a status report to the CEO
• Updating the plan with revised timelines is subject to the approval of the CEO
• The plan may also be updated and revised based upon:
o New HIPAA or other security incidents
o Regulatory changes
o Increased threat levels due to internal or external factors
o Vendor and resource support issues
Plan:
Columns: <Insert Year> HIPAA SRA Risk or Gap / Best Practice and Mitigation Plan / Risk Mitigation Completion Date

SECURITY RISK HIGH

Risk or Gap: <Insert your specific SRA High Risk/Gap here (there may be more than one)>
Best Practice and Mitigation Plan: <Insert your specific Best Practice and Mitigation Plan here>
Risk Mitigation Completion Date: <Insert each step of your Mitigation plan with a “to be completed by” date>

Risk or Gap: [EXAMPLE: Legacy backup tapes are not encrypted]
Best Practice and Mitigation Plan: [EXAMPLE: Backup tapes are stored in the IT closet; a full inventory should be completed, including identifying those that are not encrypted, and either encrypting them, copying them to an encrypted storage device, or securely destroying them. While the practice has improved physical security controls, it is not impermeable and thus the backups remain a risk for a security incident and Breach if stolen.]
Risk Mitigation Completion Date: [EXAMPLE:
o Inventory completed by 2-15-2014
o Encryption/disposal plan by 5-30-2014
o Completion by 7-30-2014]

Columns: <Insert Year> SRA Risk or Gap / Best Practice and Mitigation Plan / Risk Mitigation Completion Date

SECURITY RISK MEDIUM

Risk or Gap: <Insert your specific SRA Medium Risk/Gaps here (there may be several)>
Best Practice and Mitigation Plan: <Insert your specific Best Practice and Mitigation Plan here>
Risk Mitigation Completion Date: <Insert each step of your Mitigation plan with a “to be completed by” date>

Risk or Gap: [EXAMPLE 1: Facility Security plan and controls can be improved, including:
o Visitor access and authentication, by improved front desk training and monitoring
o Access monitoring and management of perimeter doors as well as high-risk interior areas such as the data center]
Best Practice and Mitigation Plan: [EXAMPLE 1:
o Increase visitor access controls through the use of more vigilant visitor sign-in and authentication (including issuing a unique badge).
o Increase physical security controls by the use of video surveillance.
o Implement the use of smartcard/swipe card access controls integrated with photo ID badges and eventually proximity controls for network access.
o Implement additional biometric controls on the data center.
o Implement photo ID badges for vendors who have ongoing access requirements; this can also include a Code of Conduct requirement for key vendors.]
Risk Mitigation Completion Date: [EXAMPLE 1:
o In remediation: visitor access, swipe cards, biometric data center controls and video surveillance controls are being implemented in March 2014
o Updated training by 4-31-2014
o Full deployment of photo ID cards to staff by 5-1-2014
o Deployment of enhanced vendor authentication and badge controls by 5-15-2014]

Risk or Gap: <Insert your specific SRA Medium Risk/Gaps here>
Best Practice and Mitigation Plan: <Insert your specific Best Practice and Mitigation Plan here>
Risk Mitigation Completion Date: <Insert each step of your Mitigation plan with a “to be completed by” date>

Risk or Gap: [EXAMPLE 2: Mobile device safeguards and management settings can be updated]
Best Practice and Mitigation Plan: [EXAMPLE 2: Implement third-party mobile security software and ensure that encryption of cached mail and text messages is enabled.]
Risk Mitigation Completion Date: [EXAMPLE 2: by 4-31-2014]

Risk or Gap: <Insert your specific SRA Medium Risk/Gaps here>
Best Practice and Mitigation Plan: <Insert your specific Best Practice and Mitigation Plan here>
Risk Mitigation Completion Date: <Insert each step of your Mitigation plan with a “to be completed by” date>

Risk or Gap: [EXAMPLE 3: Replace all Windows XP workstations.]
Best Practice and Mitigation Plan: [EXAMPLE 3: Replace the Windows XP operating system with Windows 7 or 8. As of April 8, 2014, Windows will no longer provide support or updates for Windows XP, leaving systems at risk.]
Risk Mitigation Completion Date: [EXAMPLE 3: 4-8-2014]

Columns: <Insert Year> HIPAA SRA Risk or Gap / Best Practice and Mitigation Plan / Risk Mitigation Completion Date