Security Risk Assessment


https://compliance.hmcexperts.com/shop/risk-assessment-guide-and-worksheet/

Practice Name:  

Location Address:  

Security Risk Assessment Answer Sheet

©Healthcare Management Consulting

Columns: ID | Question | Y/N | Reason for No Answer | Status of Remediation | Flag for Follow Up

Reason for No Answer codes:
1 - Cost
2 - Practice Size
3 - Complexity
4 - Alternate Solution

Status of Remediation codes:
1 - In Progress
2 - Solution Needed
3 - Other - See Notes

A01

Does your practice develop, document, and implement policies and procedures for assessing and managing risk to its ePHI?

 

 

A02

Does your practice have a process for periodically reviewing its risk analysis policies and procedures and making updates as necessary?

 

 

A04

Does your practice periodically complete an accurate and thorough risk analysis, such as upon occurrence of a significant event or change in your business organization or environment?

 

 

A05

Does your practice have a formal documented program to mitigate the threats and vulnerabilities to ePHI identified through the risk analysis?

 

 

A07

Does your practice document the results of its risk analysis and assure the results are distributed to appropriate members of the workforce who are responsible for mitigating the threats and vulnerabilities to ePHI identified through the risk analysis?

 

 

A08

Does your practice formally document a security plan?

 

 

A14

Is your practice's security point of contact qualified to assess its security protections as well as serve as the point of contact for security policies, procedures, monitoring, and training?

 

 

A57

Does your practice maintain and implement policies and procedures for assessing risk to ePHI and engaging in a periodic technical and non-technical evaluation in response to environmental or operational changes affecting the security of your practice's ePHI?

 

 

A58

Does your practice periodically monitor its physical environment, business operations, and information system to gauge the effectiveness of security safeguards?

 

 

A59

Does your practice identify the role responsible and accountable for assessing risk and engaging in ongoing evaluation, monitoring, and reporting?

 

 

PO01

Do your practice's processes enable the development and maintenance of policies and procedures that implement risk analysis, informed risk-based decision making for security risk mitigation, and effective mitigation and monitoring that protects the privacy, confidentiality, integrity, and availability of ePHI?

 

 

PO02

Does your practice assure that its policies and procedures are maintained in a manner consistent with other business records?

 

 

PO03

Does your practice assure that its other security program documentation is maintained in written manuals or in electronic form?

 

 

PO04

Does your practice assure that its policies, procedures, and other security program documentation are retained for at least six (6) years from the date when it was created or last in effect, whichever is longer?

 

 

PO05

Does your practice assure that its policies, procedures and other security program documentation are available to those who need it to perform the responsibilities associated with their role?

 

 

PO06

Does your practice assure that it periodically reviews and updates (when needed) its policies, procedures, and other security program documentation?

 

 

PH10

Do you have a written facility security plan?

 

 

PH11

Do you take the steps necessary to implement your facility security plan?

 

 

PH20

Has your practice developed and implemented workstation use policies and procedures?

 

 

T25

Does your practice categorize its activities and information systems that create, transmit or store ePHI as high, moderate or low risk based on its risk analyses?

 

 

T37

Does your practice protect the confidentiality of the documentation containing access control records (list of authorized users and passwords)?

 

 

A03

Does your practice categorize its information systems based on the potential impact to your practice should they become unavailable?

 

 

PH19

Does your practice keep an inventory and a location record of all of its workstation devices?

 

 

PH25

Does your practice use laptops and tablets as workstations? If so, does your practice have specific policies and procedures to safeguard these workstations?

 

 

A20

Does your practice have policies and procedures that make sure those who need access to ePHI have access and those who do not are denied such access?

 

 

A21

Has your practice chosen someone whose job duty is to decide who can access ePHI (and under what conditions) and to create ePHI access rules that others can follow?

 

 

A23

Does your practice have policies and procedures for access authorization that support segregation of duties?

 

 

A24

Does your practice implement procedures for authorizing users and changing authorization permissions?

 

 

A25

Do your practice's policies and procedures for access authorization address the needs of those who are not members of its workforce?

 

 

A26

Does your organization have policies and procedures that authorize members of your workforce to have access to ePHI and describe the types of access that are permitted?

 

 

A28

Does your practice have policies and procedures for terminating authorized access to its facilities, information systems, and ePHI once the need for access no longer exists?

 

 

A29

Does your practice have formal policies and procedures to support when a workforce member's employment is terminated and/or a relationship with a business associate is terminated?

 

 

A30

Do your practice's policies and procedures describe the methods it uses to limit access to its ePHI?

 

 

A31

Does your practice have policies and procedures that explain how it grants access to ePHI to its workforce members and to other entities (business associates)?

 

 

A32

Do the roles and responsibilities assigned to your practice's workforce members support and enforce segregation of duties?

 

 

A33

Do your practice's policies and procedures explain how your practice assigns user authorizations (privileges), including the access that is permitted?

 

 

PH13

Do you periodically review and approve a Facility User Access List and authorization privileges, removing from the Access List personnel no longer requiring access?

 

 

PH14

Does your practice have procedures to control and validate someone's access to your facilities based on that person's role or job duties?

 

 

PH21

Has your practice documented how staff, employees, workforce members, and non-employees access your workstations?

 

 

PH22

Does your practice have policies and procedures that describe how to prevent unauthorized access of unattended workstations?

 

 

PH29

Do your policies and procedures set standards for workstations that are allowed to be used outside of your facility?

 

 

T01

Does your practice have policies and procedures requiring safeguards to limit access to ePHI to those persons and software programs appropriate for their role?

 

 

T02

Does your practice have policies and procedures to grant access to ePHI based on the person or software programs appropriate for their role?

 

 

T03

Does your practice analyze the activities performed by all of its workforce and service providers to identify the extent to which each needs access to ePHI?

 

 

T04

Does your practice identify the security settings for each of its information systems and electronic devices that control access?

 

 

T05

Does your practice have policies and procedures for the assignment of a unique identifier for each authorized user?

 

 

T06

Does your practice require that each user enter a unique user identifier prior to obtaining access to ePHI?

 

 

T17

Does your practice have policies and procedures that require an authorized user's session to be automatically logged off after a predetermined period of inactivity?

 

 

T18

Does a responsible person in your practice know the automatic logoff settings for its information systems and electronic devices?

 

 

T19

Does your practice activate an automatic logoff that terminates an electronic session after a predetermined period of user inactivity?

 

 

T22

Does your practice control access to ePHI and other health information by using encryption/decryption methods to deny access to unauthorized users?

 

 

T34

Does your practice have policies and procedures for verifying that a person or entity seeking access to ePHI is the one claimed?

 

 

T35

Does your practice know the authentication capabilities of its information systems and electronic devices to assure that a uniquely identified user is the one claimed?

 

 

T36

Does your practice use the evaluation from its risk analysis to select the appropriate authentication mechanism?

 

 

A06

Does your practice assure that its risk management program protects against the impermissible use and disclosure of ePHI?

 

 

T20

Does your practice have policies and procedures for implementing mechanisms that can encrypt and decrypt ePHI?

 

 

T21

Does your practice know the encryption capabilities of its information systems and electronic devices?

 

 

T32

Does your practice have policies and procedures for protecting ePHI from unauthorized modification or destruction?

 

 

T33

Does your practice have mechanisms to corroborate that ePHI has not been altered, modified or destroyed in an unauthorized manner?

 

 

T38

Does your practice have policies and procedures for guarding against unauthorized access of ePHI when it is transmitted on an electronic network?

 

 

T39

Does your practice implement safeguards to assure that ePHI is not accessed while en route to its intended recipient?

 

 

T40

Does your practice know what encryption capabilities are available to it for encrypting ePHI being transmitted from one point to another?

 

 

T41

Does your practice take steps to reduce the risk that ePHI can be intercepted or modified when it is being sent electronically?

 

 

T42

Does your practice implement encryption as the safeguard to assure that ePHI is not compromised when being transmitted from one point to another?

 

 

T43

Does your practice have policies and procedures for encrypting ePHI when deemed reasonable and appropriate?

 

 

T44

When analyzing risk, does your practice consider the value of encryption for assuring the integrity of ePHI, so that it is not accessed or modified when it is stored or transmitted?

 

 

PH30

Does your practice have security policies and procedures to physically protect and securely store electronic devices and media inside your facility(ies) until they can be securely disposed of or destroyed?

 

 

PH31

Do you remove or destroy ePHI from information technology devices and media prior to disposal of the device?

 

 

PH32

Do you maintain records of the movement of electronic devices and media inside your facility?

 

 

PH33

Have you developed and implemented policies and procedures that specify how your practice should dispose of electronic devices and media containing ePHI?

 

 

PH34

Do you require that all ePHI is removed from equipment and media before you remove the equipment or media from your facilities for offsite maintenance or disposal?

 

 

PH35

Do you have procedures that describe how your practice should remove ePHI from its storage media/electronic devices before the media is re-used?

 

 

PH38

Does your organization create backup files prior to the movement of equipment or media to ensure that data is available when it is needed?

 

 

T10

Does your practice back up ePHI by saving an exact copy to a magnetic disk/tape or a virtual storage, such as a cloud environment?

 

 

PH01

Do you have an inventory of the physical systems, devices, and media in your office space that are used to store or contain ePHI?

 

 

PH02

Do you have policies and procedures for the physical protection of your facilities and equipment? This includes controlling the environment inside the facility.

 

 

PH03

Do you regularly review your physical and environmental policies and procedures and update them as necessary to address vulnerabilities created by the presence of physical security or environmental factors?

 

 

PH04

Do you have physical protections in place to manage physical security risks, such as a) locks on doors and windows and b) cameras in nonpublic areas to monitor all entrances and exits?

 

 

PH08

Do you have policies and procedures for the protection of keys, combinations, and similar physical access controls?

 

 

PH09

Do you have policies and procedures governing when to re-key locks or change combinations when, for example, a key is lost, a combination is compromised, or a workforce member is transferred or terminated?

 

 

PH12

Do you have a Facility User Access List of workforce members, business associates, and others who are authorized to access your facilities where ePHI and related information systems are located?

 

 

PH16

Has your practice determined whether monitoring equipment is needed to enforce your facility access control policies and procedures?

 

 

PH18

Do you have a process to document the repairs and modifications made to the physical security features that protect the facility, administrative offices, and treatment areas?

 

 

PH23

Does your practice have policies and procedures that describe how to position workstations to limit the ability of unauthorized individuals to view ePHI?

 

 

PH24

Have you put any of your practice's workstations in public areas?

 

 

PH26

Does your practice have physical protections in place to secure your workstations?

 

 

PH27

Do you regularly review your workstations' locations to see which areas are more vulnerable to unauthorized use, theft, or viewing of the data?

 

 

PH28

Does your practice have physical protections and other security measures to reduce the chance for inappropriate access of ePHI through workstations? This could include using locked doors, screen barriers, cameras, and guards.

 

 

A09

Does your practice have a formal and documented process or regular human resources policy to discipline workforce members who have access to your organization's ePHI if they are found to have violated the office's policies to prevent system misuse, abuse, and any harmful activities that involve your practice's ePHI?

 

 

A10

Does your practice include its sanction policies and procedures as part of its security awareness and training program for all workforce members?

 

 

A13

Does your practice have a senior-level person whose job it is to develop and implement security policies and procedures or act as a security point of contact?

 

 

A15

Does your practice have a job description for its security point of contact that includes that person's duties, authority, and accountability?

 

 

A16

Does your practice make sure that its workforce members and others with authorized access to your ePHI know the name and contact information for its security point of contact and know to contact this person if there are any security problems?

 

 

A17

Does your practice have a list that includes all members of its workforce, the roles assigned to each, and the corresponding access that each role enables for your practice's facilities, information systems, electronic devices, and ePHI?

 

 

A19

Does your practice clearly define roles and responsibilities along logical lines and assure that no one person has too much authority for determining who can access your practice's facilities, information systems, and ePHI?

 

 

A22

Does your practice define roles and job duties for all job functions and keep written job descriptions that clearly set forth the qualifications?

 

 

A27

Do your practice's policies and procedures require screening workforce members prior to enabling access to its facilities, information systems, and ePHI to verify that users are trustworthy?

 

 

A34

Does your practice have a training program that makes each individual with access to ePHI aware of security measures to reduce the risk of improper access, uses, and disclosures?

 

 

A35

Does your practice periodically review and update its security awareness and training program in response to changes in your organization, facilities or environment?

 

 

A36

Does your practice provide ongoing basic security awareness to all workforce members, including physicians?

 

 

A37

Does your practice provide role-based training to all new workforce members?

 

 

A38

Does your practice keep records that detail when each workforce member satisfactorily completed periodic training?

 

 

A39

As part of your practice's ongoing security awareness activities, does your practice prepare and communicate periodic security reminders to communicate about new or important issues?

 

 

A40

Does your practice's awareness and training content include information about the importance of implementing software patches and updating antivirus software when requested?

 

 

A41

Does your practice's awareness and training content include information about how malware can get into your systems?

 

 

A42

Does your practice include log-in monitoring as part of its awareness and training programs?

 

 

A43

Does your practice include password management as part of its awareness and training programs?

 

 

A18

Does your practice know all business associates and the access that each requires for your practice's facilities, information systems, electronic devices, and ePHI?

 

 

A60

Does your practice identify the role responsible and accountable for making sure that business associate agreements are in place before your practice enables a service provider to begin to create, access, store or transmit ePHI on your behalf?

 

 

A61

Does your practice maintain a list of all of its service providers, indicating which have access to your practice's facilities, information systems and ePHI?

 

 

A62

Does your practice have policies and implement procedures to assure it obtains business associate agreements?

 

 

A63

If your practice is the business associate of another covered entity and your practice has subcontractors performing activities to help carry out the activities that you have agreed to carry out for the other covered entity that involve ePHI, does your practice require these subcontractors to provide satisfactory assurances for the protection of the ePHI?

 

 

A64

Does your practice execute business associate agreements when it has a contractor creating, transmitting or storing ePHI?

 

 

O1

Does your practice assure that its business associate agreements include satisfactory assurances for safeguarding ePHI?

 

 

O2

Do the terms and conditions of your practice's business associate agreements state that the business associate will implement appropriate security safeguards to protect the privacy, confidentiality, integrity, and availability of ePHI that it collects, creates, maintains, or transmits on behalf of the practice and timely report security incidents to your practice?

 

 

O3

If your practice is the business associate of a covered entity, do the terms and conditions of your practice's business associate agreements state that your subcontractor (business associate) will implement appropriate security safeguards to protect the privacy, confidentiality, integrity, and availability of ePHI that it collects, creates, maintains, or transmits on behalf of the covered entity?

 

 

A49

Does your practice know what critical services and ePHI it must have available to support decision making about a patient's treatment during an emergency?

 

 

A50

Does your practice consider how natural or man-made disasters could damage its information systems or prevent access to ePHI and develop policies and procedures for responding to such a situation?

 

 

A51

Does your practice regularly review/update its contingency plan as appropriate?

 

 

A52

Does your practice have policies and procedures for the creation and secure storage of an electronic copy of ePHI that would be used in the case of system breakdown or disaster?

 

 

A53

Does your practice have policies and procedures for contingency plans to provide access to ePHI to continue operations after a natural or human-made disaster?

 

 

A54

Does your practice have an emergency mode operations plan to ensure the continuation of critical business processes that must occur to protect the availability and security of ePHI immediately after a crisis situation?

 

 

A55

Does your practice have policies and procedures for testing its contingency plans on a periodic basis?

 

 

A56

Does your practice implement procedures for identifying and assessing the criticality of its information system applications and the storage of data containing ePHI that would be accessed through the implementation of its contingency plans?

 

 

PH05

Do you plan and coordinate physical (facilities) and technical (information systems, mobile devices, or workstations) security-related activities (such as testing) before doing such activities to reduce the impact on your practice assets and individuals?

 

 

PH06

Have you developed policies and procedures that plan for your workforce (and your information technology service provider or contracted information technology support) to gain access to your facility and its ePHI during a disaster?

 

 

PH07

If a disaster happens, does your practice have another way to get into your facility or offsite storage location to get your ePHI?

 

 

T07

Does your practice have policies and procedures to enable access to ePHI in the event of an emergency?

 

 

T08

Does your practice define what constitutes an emergency and identify the various types of emergencies that are likely to occur?

 

 

T09

Does your practice have policies and procedures for creating an exact copy of ePHI as a backup?

 

 

T11

Does your practice have back up information systems so that it can access ePHI in the event of an emergency or when your practice's primary systems become unavailable?

 

 

T12

Does your practice have the capability to activate emergency access to its information systems in the event of a disaster?

 

 

T13

Does your practice have policies and procedures to identify the role of the individual accountable for activating emergency access settings when necessary?

 

 

T14

Does your practice designate a workforce member who can activate the emergency access settings for your information systems?

 

 

T15

Does your practice test access when evaluating its ability to continue accessing ePHI and other health records during an emergency?

 

 

T16

Does your practice effectively recover from an emergency and resume normal operations and access to ePHI?

 

 

A11

Does your practice have policies and procedures for the review of information system activity?

 

 

A12

Does your practice regularly review information system activity?

 

 

PH15

Do you have procedures to create, maintain, and keep a log of who accesses your facilities (including visitors), when the access occurred, and the reason for the access?

 

 

PH17

Do you have maintenance records that include the history of physical changes, upgrades, and other modifications for your facilities and the rooms where information systems and ePHI are kept?

 

 

PH36

Does your practice maintain a record of movements of hardware and media and the person responsible for the use and security of the devices or media containing ePHI outside the facility?

 

 

PH37

Do you maintain records of employees removing electronic devices and media from your facility that have been or can be used to access ePHI?

 

 

T23

Does your practice have policies and procedures identifying hardware, software, or procedural mechanisms that record or examine information systems activities?

 

 

T24

Does your practice identify its activities that create, store, and transmit ePHI and the information systems that support these business processes?

 

 

T26

Does your practice use the evaluation from its risk analysis to help determine the frequency and scope of its audits when identifying the activities that will be tracked?

 

 

T27

Does your practice have audit control mechanisms that can monitor, record and/or examine information system activity?

 

 

T28

Does your practice have policies and procedures for creating, retaining, and distributing audit reports to appropriate workforce members for review?

 

 

T29

Does your practice generate the audit reports and distribute them to the appropriate people for review?

 

 

T30

Does your practice have policies and procedures establishing retention requirements for audit purposes?

 

 

T31

Does your practice retain copies of its audit/access records?

 

 

A44

Does your practice have policies and procedures designed to help prevent, detect and respond to security incidents?

 

 

A45

Does your practice have incident response policies and procedures that assign roles and responsibilities for incident response?

 

 

A46

Does your practice identify members of its incident response team and assure workforce members are trained and that incident response plans are tested?

 

 

A47

Does your practice's incident response plan align with its emergency operations and contingency plan, especially when it comes to prioritizing system recovery actions or events to restore key processes, systems, applications, electronic devices and media, and information (such as ePHI)?

 

 

A48

Does your practice implement the information system's security protection tools to protect against malware?

 

 

Signature Certificate
Document name: Security Risk Assessment
Unique Document ID: 17a0de6d54b03b5dab1e133b4673fab34196929c
Timestamp Audit
December 11, 2017 7:49 pm EDT - Security Risk Assessment uploaded by B Holmes - Training@MyMeducator.com IP 71.203.16.214