It Security Risk Assessment Guidelines

This document provides guidelines for conducting HIPAA security risk assessments. It outlines a 3-phase risk assessment process: 1) System Documentation to describe the system and boundaries, 2) Risk Determination to identify threats, vulnerabilities and risks, and 3) Safeguard Determination to recommend controls and residual risks. The risk assessment report documents these findings to inform an agency's security compliance and risk management. It establishes a framework for identifying, analyzing, and addressing risks to protected health information systems.

HIPAA Security Risk Assessment Guidelines v1.0, April 28, 2003

Information Security Risk Assessment Guidelines


Introduction and Overview

Information security risk assessment is an on-going process of discovering, correcting and preventing security problems. The risk assessment is an integral part of a risk management process designed to provide appropriate levels of security for information systems. Information security risk assessments are part of sound security practice and are required by the Commonwealth Enterprise Information Security Policy. Risk assessments and related documentation are also an integral part of compliance with the HIPAA security standards (see below). The risk assessment helps each agency determine the acceptable level of risk and the resulting security requirements for each system. The agency must then devise, implement and monitor a set of security measures to address the level of identified risk.

For a new system the risk assessment is typically conducted at the beginning of the System Development Life Cycle (SDLC). For an existing system, risk assessments may be conducted on a regular basis throughout the SDLC and/or on an ad-hoc basis in response to specific events, such as when major modifications are made to the system's environment, or in response to a security incident or audit.

This risk assessment methodology is based on the CMS Information Security RA Methodology, developed by the federal Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS), which is available at www.cms.hhs.gov/it/security/docs/RA_meth.pdf. It is presented in three phases:

- System Documentation Phase
- Risk Determination Phase
- Safeguard Determination Phase

The risk assessment report:

- Summarizes the system architecture and components, and its overall level of security;
- Includes a list of threats and vulnerabilities, the system's current security controls, and its risk levels;
- Recommends safeguards, and describes the expected level of risk that would remain if these safeguards were put in place;
- Shows where an organization needs to concentrate its remedial work;
- Can be used as input to the agency's business continuity plan;
- Presents these findings to management.

Note on HIPAA Security

Commonwealth agencies defined as Covered Entities (CEs), and those that are Business Associates of CEs, must comply with the HIPAA Security Rule, 45 CFR parts 160, 162 and 164. The HIPAA security framework calls for due diligence based on good business practices for systems handling electronic protected health information (EPHI). Creating an Information Risk Assessment Report satisfies the Rule's requirements to analyze risks, formulate appropriate safeguards, and document the risk management decision-making process (45 CFR 164.308(a)(1)(ii)(A) and (B)), and informs the agency's actions in complying with other parts of the Rule.


Team Members

A representative risk assessment team may include the functions listed below. Each team member may perform more than one function. HIPAA-affected agencies should secure the involvement of their HIPAA security officer. Some functions overlap, in particular where team members review each other's work. See Appendix C for more detail on these roles.

- Risk assessment manager
- System or network administrator
- Technical reviewer
- System business owner
- System technical owner
- Executive sponsor
- Information security officer

The Risk Assessment Report

A Risk Assessment (RA) Report applies to a selected information system. An information system is a group of computing and network components that share a business function, under common ownership and management. The Report will include:

- A documented system inventory, listing all system components and establishing the system boundary for the purposes of the Report;
- Documentation of the system's policies and procedures, and details of its operation;
- A list of threat / vulnerability pairs, with severity of impact and likelihood of occurrence;
- A list of safeguards for controlling these threats and vulnerabilities;
- A list of recommended changes, with approximate levels of effort for each;
- For each recommended change, the resulting reduction in risk;
- The level of residual risk that would remain after the recommended changes are implemented.

The Report will reflect the security policies and objectives of the agency's information technology management. It will be presented in a face-to-face meeting with the system business and technical owners, the risk assessment manager, and other project team members. A Risk Assessment Report is not intended to create or include the following; however, it should be used as input for:

- A system security plan, new security architecture, audit report, or system accreditation;
- System security policies, or assignment of staff responsibility for system security;
- Detailed dataflows;
- Exact dollar cost estimates or justifications;
- Assignment or acceptance of legal responsibility for the security of the system;
- In-depth analysis or resolution of specific security incidents or violations;
- Contract review.

Appendix D provides a template for the documentation of the Risk Assessment Report.


Tasks

This chart shows the sequence of high-level tasks. The complete list of tasks and durations will be created, estimated and scheduled by the team.

Risk Assessment Project

1 System Documentation Phase
  1.0 Set boundary for selected system
  1.1 Record system identification information
  1.2 Document system purpose and description
  1.3 Document the system security level
2 System Risk Determination Phase
  2.1 Identify threats and vulnerabilities
  2.2 Describe risks
  2.3 Identify existing controls
  2.4 Determine likelihood of occurrence
  2.5 Determine severity of impact
  2.6 Determine risk levels
3 Safeguard Determination Phase
  3.1 Recommend controls and safeguards
  3.2 Determine residual likelihood of occurrence
  3.3 Determine residual severity of impact
  3.4 Determine residual risk level
4 Report presentation, archiving and sign-off

(Gantt chart: the tasks above scheduled across March 2003, days 4 to 18; the timeline bars are not reproduced here.)

System Documentation Phase

- Document system identification;
- Document system purpose and description;
- Document the system security level.

The team must make a decision about where to draw the boundaries of the system to be assessed.

Risk Determination Phase

- Identify threats;
- Identify vulnerabilities;
- Describe risks;
- Identify existing controls;
- Determine likelihood of occurrence;
- Determine severity of impact;
- Determine risk level.

The team must decide whether to include only controls that are currently implemented, or to include controls that are budgeted and scheduled for implementation.

Safeguard Determination Phase

- Recommend controls and safeguards;
- Determine residual (remaining) likelihood of occurrence if controls and safeguards are implemented;
- Determine residual severity of impact if candidate controls and safeguards are implemented;
- Determine residual risk levels.

Risk Assessment Process

1.0 System Documentation Phase

The System Documentation Phase provides a description of the system and the data it handles, as computing assets used to fulfill the organization's business mission. This phase establishes a framework for the subsequent risk assessment phases. The system owner provides the system identification, including the system description, business function and assets. For new systems, these are defined when the system is first conceived and developed, during the SDLC's design and implementation phases (see Appendix B).

Phase 1: Set the boundaries for the set of components that constitute the information system. An information system is a group of computing and supporting components that share a business function, under common ownership and management.
Key Team Members: System administrator, Technical reviewer, System technical owner.
Output: High-level documentation and a network diagram showing the system and adjacent systems, with a line showing the cut-off for the scope of this risk assessment.

1.1 System Identification

List the system name, other related information, and the responsible organization. See the System Identification table in Appendix D.

Task 1.1: Complete and verify system identification and responsible contacts.
Key Team Members: System administrator, Technical reviewer, System technical owner, Risk assessment manager.
Output: Complete the 1-1 System Identification table in Appendix D.

1.2 System Purpose and Description

To identify the assets covered by the RA, provide a brief description of the function and purpose of the system and the organizational business processes it supports, including functions and processing of data.

Technical Description and Environmental Factors

- General description of the function and purpose of the system
- General functional requirements
- Business processes supported
- Applications supported, services running
- General information flow
- Network diagram with system boundaries
- Description of physical components
- Physical component asset and tag numbers
- Physical location, environmental controls in place
- Environmental factors that give rise to security concerns
- Technical and business users, list of system user accounts
- System ownership: shared or dedicated

System Connections and Information Sharing

- Connected components
- LAN and WAN connections and topology, firewall configurations
- Software dependencies
- Interfaces

Task 1.2: Document the system's business function, components, environment and connections.
Key Team Members: System administrator, Technical reviewer, System technical owner, System business owner, Information security officer.
Output: Complete the 1-2 System Purpose and Description table in Appendix D.

1.3 System Security Level

Describe and document the information handled by the system, and identify the overall system security level. The classification levels and the categories assigned to different types of information should correspond to the agency's information classification designations. Information security levels and designations should be part of the agency's information security policy. Appendix A, Information Security Levels, provides examples of security levels and how they can be assigned to different categories of information. For this step, the team will document the sensitivity of the information handled by the system, then classify the resulting level of security requirements for the system itself. This element includes a general description of the information, the information's sensitivity, and system criticality. It includes requirements for confidentiality, integrity, availability, auditability and accountability as dictated by the agency's information security policy.

Task 1.3: Document the criticality and sensitivity of the information the system handles, with brief references to the agency's information security policy, and the overall system security requirements.
Key Team Members: Technical reviewer, System business owner, System technical owner.
Output: Complete the 1-3 Information Security Levels and Overall System Security Level table in Appendix D.

2.0 Risk Determination Phase

The goal of the Risk Determination Phase is to calculate the level of risk for each threat / vulnerability pair based on the likelihood of a threat exploiting a vulnerability, and the severity of impact that the exploited vulnerability would have on the system, its data and its business function. Consider the impact in terms of loss of confidentiality, integrity or availability of the data classified in Task 1.3. Information will be collected in the form of questionnaires, interviews, documentation review, and automated scanning tools. The Risk Determination Phase is comprised of six steps:

1. Identify potential dangers to the information and system (threats).
2. Identify the system weaknesses that could be exploited (vulnerabilities) and associate them with threats to generate the threat / vulnerability pairs.
3. Identify existing controls that reduce the risk of the threat exploiting the vulnerability.
4. Determine the likelihood of occurrence for a threat exploiting a related vulnerability, given the existing controls.
5. Determine the severity of impact on the system of an exploited vulnerability.
6. Determine the risk level for a threat / vulnerability pair, given the existing controls.

This six-step process for Risk Determination is conducted for each identified threat / vulnerability pair. Use the Risk Determination table in Appendix D to document the analysis performed in this phase.

2.1 Identify Threats and Vulnerabilities

First, identify threats that could exploit system vulnerabilities. Refer to the CMS Threat Identification Resource (www.cms.hhs.gov/it/security/docs/Threat_ID_resource.pdf) for possible environmental, physical, human, natural, and technical threats. Using the output of task 1.2, consider the system's connections, dependencies on other systems, inherited risks and controls, risks from software faults, staff errors and malicious intent, and such factors as proximity to the Internet, incorrect file permissions, and risks from maintenance procedures and personnel changes. Next, consider the potential vulnerabilities associated with each threat, to produce a pair. A vulnerability can be associated with one or more threats. Collect input from previous risk assessments, audits, system deficiency reports, security advisories, scanning tools, security test results, system development testing, and industry and government listings such as sans.org, securityfocus.com, vendor advisories, and the NIST vulnerability database at icat.nist.gov (the ICAT index has since been superseded by the National Vulnerability Database at nvd.nist.gov).

Task 2.1: Descriptions of threat / vulnerability pairs.
Key Team Members: System administrator, Technical reviewer, System technical owner.
Output: Complete the "Item No.", "Threat Name" and "Vulnerability Name" columns in the 2-0 Risk Determination table in Appendix D.

2.2 Describe Risks

Describe how each vulnerability creates a risk to the system in terms of the confidentiality, integrity, availability, auditability or accountability elements that may result in a compromise of the system.

Task 2.2: Describe risks in relation to threat / vulnerability pairs.
Key Team Members: System administrator, Technical reviewer, System technical owner.
Output: Complete the "Risk Description" column of the 2-0 Risk Determination table in Appendix D.

2.3 Identify Existing Controls

Identify existing controls that reduce the likelihood or probability of a threat exploiting a system vulnerability, and/or reduce the magnitude of impact of the exploited vulnerability on the system. Existing controls may be management, operational or technical controls depending on the threat / vulnerability and the risk to the system.

Task 2.3: Description of system controls, cross-referenced with threat / vulnerability pairs.
Key Team Members: System administrator, Technical reviewer, System technical owner.
Output: Complete the "Existing Controls" column of the 2-0 Risk Determination table in Appendix D.

2.4 Determine Likelihood of Occurrence

Estimate the likelihood that a threat will exploit a vulnerability. Likelihood of occurrence is based on a number of factors that include system architecture, system environment, information system access and existing controls; the presence, motivation, tenacity, strength and nature of the threat; the presence of vulnerabilities; and the effectiveness of existing controls. Refer to this table when estimating the likelihood that the threat will be realized and exploit the vulnerability on the system.

Likelihood of Occurrence Levels

Likelihood   Description
Negligible   Unlikely ever to occur
Very Low     Likely to occur two or three times every five years
Low          Likely to occur once every year or less
Medium       Likely to occur once every six months or less
High         Likely to occur once per month or less
Very High    Likely to occur multiple times per month
Extreme      Likely to occur multiple times per day

Task 2.4: Threat / vulnerability pairs with likelihood of successful exploitation.
Key Team Members: System administrator, Technical reviewer, System technical owner.
Output: Categorize threat / vulnerability pairs by likelihood of occurrence, and complete the "Likelihood of Occurrence" column of the 2-0 Risk Determination table in Appendix D.

2.5 Determine Severity of Impact

Determine the magnitude or severity of impact on the system's operational capabilities and the information it handles, if the threat is realized and exploits the associated vulnerability. Determine the severity of impact for each threat / vulnerability pair by evaluating the potential loss in each security category (confidentiality, integrity, availability, auditability, accountability), based on the system's information security level as explained in Appendix A.

Impact Severity Levels

Severity       Description
Insignificant  Little or no impact
Minor          Minimal effort to repair, restore or reconfigure
Significant    Small but tangible harm, possibly noticeable by a limited audience, some embarrassment, some effort to repair
Damaging       Damage to reputation, loss of confidence, significant effort to repair
Serious        Considerable system outage, loss of connected customers and business confidence, compromise of a large amount of information
Critical       Extended outage, permanent loss of a resource, triggering business continuity procedures, complete compromise of information

Task 2.5: Threat / vulnerability pairs with severity of successful exploitation.
Key Team Members: System administrator, Technical reviewer, System technical owner, System business owner.
Output: Categorize threat / vulnerability pairs by severity or magnitude of impact, and complete the "Impact Severity" column of the 2-0 Risk Determination table in Appendix D.

2.6 Determine Risk Levels

Risk level is a function of the likelihood of occurrence and the severity of impact (conceptually, likelihood multiplied by severity); the table below defines the combination used here. The final value is subject to the system business and technical owners' discretion. When the owners override the table value, record the reason in the Report so that the override is auditable.

Risk determination: for each threat / vulnerability pair, assess the following:

- Likelihood of the threat attempting to exercise the vulnerability;
- Magnitude of impact if the threat / vulnerability exploit is successful;
- Adequacy of planned or existing security controls for reducing or eliminating risk;
- Resulting risk to the information on the system from the threat and vulnerability.

Note: The project team must decide whether to use only currently implemented controls for this analysis, or to include controls that are budgeted and scheduled for installation, and document that decision in the Report.

This table shows the resulting risk level for each degree of likelihood and each level of severity.

Risk Levels (rows: impact severity; columns: likelihood of occurrence)

Impact Severity   Negligible  Very Low  Low       Medium    High      Very High  Extreme
Insignificant     Low         Low       Low       Low       Low       Low        Low
Minor             Low         Low       Low       Low       Moderate  Moderate   Moderate
Significant       Low         Low       Moderate  Moderate  High      High       High
Damaging          Low         Low       Moderate  High      High      High       High
Serious           Low         Moderate  High      High      High      High       High
Critical          Low         Moderate  High      High      High      High       High

Task 2.6: Threat / vulnerability pairs with assigned risk levels.
Key Team Members: System administrator, Technical reviewer, System technical owner, System business owner.
Output: Combine the likelihood of occurrence with the magnitude of impact to derive the risk level for each threat / vulnerability pair. Consider the risks to the information on the system, and complete the "Risk Level" column of the 2-0 Risk Determination table in Appendix D.

3.0 Safeguard Determination Phase

The Safeguard Determination Phase involves identification of additional controls, safeguards or corrective actions to minimize the threat exposure and vulnerability to exploitation for each threat / vulnerability pair with a Moderate or High risk level. The residual risk level is the amount of risk that would remain if the recommended control or safeguard were implemented. Safeguard determination steps:

1. Identify controls and safeguards to reduce the risk level of each threat / vulnerability pair whose risk level is Moderate or High.
2. Determine the residual likelihood of occurrence of the threat if the recommended safeguard is implemented.
3. Determine the residual impact severity of the exploited vulnerability once the recommended safeguard is implemented.
4. Determine the residual risk level for the system.

Consider safeguards related to testing and maintenance, improved audit capability, and restricting physical access.

3.1 Recommend Controls and Safeguards

Identify controls and safeguards to reduce the risk presented by each threat / vulnerability pair with a Moderate or High risk level as identified in the Risk Determination Phase. When identifying a control or safeguard, consider:

1. The security area where it belongs, such as management, operational or technical.
2. The method it employs to reduce the opportunity for the threat to exploit the vulnerability.
3. Its effectiveness in mitigating the risk to information.
4. The policy and architectural parameters required for its implementation in the environment.
5. The information security category (confidentiality, integrity, availability, access control, audit, etc.) to which the safeguard applies.
6. Whether the cost of the safeguard is commensurate with its reduction in risk.

If more than one safeguard is identified for the same threat / vulnerability pair, list them in this column in separate rows and continue with the analysis steps. The residual risk level must be evaluated during this phase of the assessment and may be further evaluated in risk management activities outside the scope of this project. If the recommended safeguard cannot be completely implemented in the environment due to cost, management, operational or technical constraints, document the circumstances and continue with the analysis.

Consider control elements implemented as policies and procedures, training, and improved policy enforcement.

Task 3.1: Create a list of current, planned or available safeguards and controls suitable for protecting the information.
Key Team Members: System administrator, System technical owner, Technical reviewer.
Output: List of safeguards and controls, with implementation considerations. Complete the "Recommended Safeguard" column in the 3-0 Safeguard Determination table in Appendix D.

3.2 Determine Residual Likelihood of Occurrence

Follow the directions in section 2.4 of the Risk Determination Phase, while assuming the selected safeguard has been implemented.

Task 3.2: Categorize threat / vulnerability pairs by likelihood of occurrence, assuming the selected safeguard has been implemented.
Key Team Members: System administrator, Technical reviewer, System technical owner.
Output: Complete the "Residual Likelihood of Occurrence" column of the 3-0 Safeguard Determination table in Appendix D.

3.3 Determine Residual Severity of Impact

Follow the directions in section 2.5 of the Risk Determination Phase, while assuming the selected safeguard has been implemented.

Task 3.3: Categorize threat / vulnerability pairs by severity or magnitude of impact of a successful exploitation, assuming the selected safeguard has been implemented.
Key Team Members: System administrator, Technical reviewer, System technical owner, System business owner.
Output: Complete the "Residual Impact Severity" column of the 3-0 Safeguard Determination table in Appendix D.

3.4 Determine Residual Risk Levels

Determine the residual risk level for the threat / vulnerability pair and its associated risk once the recommended safeguard is implemented. The residual risk level is determined by examining the likelihood of occurrence of the threat exploiting the vulnerability and the impact severity factors in the categories of confidentiality, integrity and availability. Follow the directions in section 2.6 of the Risk Determination Phase to determine the residual risk level once the recommended safeguard is implemented.

Depending on the nature and circumstances of threats and vulnerabilities, a recommended safeguard may reduce the risk level to "Low". If such special conditions exist, make a note of the situation with a description below the table. For new systems, the next steps would include creating a sensitivity assessment, system security requirements, risk assessment report, and system security plan in the SDLC.

Task 3.4: Repeat the derivation of the risk level for each threat / vulnerability pair from task 2.6, this time assuming the selected safeguard has been implemented.
Key Team Members: System administrator, Technical reviewer, System technical owner, System business owner.
Output: Complete the "Residual Risk Level" column of the 3-0 Safeguard Determination table in Appendix D.
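The following worksheet logic is an added example for tasks 2.4 through 2.6 and 3.1 through 3.4; it is not part of these guidelines or of the CMS methodology. It encodes the section 2.6 risk-level table as an ordinal matrix, derives the current and residual risk level for each threat / vulnerability pair, and runs the consistency checks a technical reviewer would apply to a completed 2-0 / 3-0 table: every Moderate or High pair has a recommended safeguard, a safeguard always comes with a residual rating, residual risk never exceeds current risk, and a pair that stays Moderate or High after its safeguard is flagged so the constraint is documented as section 3.1 requires. The sample pairs, safeguards, class and function names are assumptions made for illustration.

```python
"""Worksheet logic for tasks 2.4-2.6 and 3.1-3.4.

Added example, not part of the guideline or of the CMS methodology.
The matrix is the section 2.6 risk-level table; the sample pairs,
safeguards and function names are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

LIKELIHOOD = ["Negligible", "Very Low", "Low", "Medium", "High", "Very High", "Extreme"]
SEVERITY = ["Insignificant", "Minor", "Significant", "Damaging", "Serious", "Critical"]

# Section 2.6 table: one row per impact severity, one column per likelihood.
RISK_MATRIX = {
    "Insignificant": ["Low", "Low", "Low", "Low", "Low", "Low", "Low"],
    "Minor":         ["Low", "Low", "Low", "Low", "Moderate", "Moderate", "Moderate"],
    "Significant":   ["Low", "Low", "Moderate", "Moderate", "High", "High", "High"],
    "Damaging":      ["Low", "Low", "Moderate", "High", "High", "High", "High"],
    "Serious":       ["Low", "Moderate", "High", "High", "High", "High", "High"],
    "Critical":      ["Low", "Moderate", "High", "High", "High", "High", "High"],
}
RISK_ORDER = {"Low": 0, "Moderate": 1, "High": 2}


def risk_level(likelihood: str, severity: str) -> str:
    """Task 2.6 (and 3.4 with residual ratings): look the pair up in the matrix."""
    if likelihood not in LIKELIHOOD or severity not in SEVERITY:
        raise ValueError(f"unknown rating: likelihood={likelihood!r} severity={severity!r}")
    return RISK_MATRIX[severity][LIKELIHOOD.index(likelihood)]


@dataclass
class Pair:
    """One row of the 2-0 / 3-0 tables (column names follow the guideline)."""
    item_no: int
    threat: str
    vulnerability: str
    existing_controls: str
    likelihood: str                              # task 2.4
    severity: str                                # task 2.5
    safeguard: Optional[str] = None              # task 3.1
    residual_likelihood: Optional[str] = None    # task 3.2
    residual_severity: Optional[str] = None      # task 3.3

    @property
    def risk(self) -> str:
        return risk_level(self.likelihood, self.severity)

    @property
    def residual_risk(self) -> Optional[str]:
        """Task 3.4: same derivation, assuming the safeguard is in place.
        A rating the safeguard does not change is carried over unchanged."""
        if self.safeguard is None:
            return None
        return risk_level(self.residual_likelihood or self.likelihood,
                          self.residual_severity or self.severity)


def needs_safeguard(p: Pair) -> bool:
    """Section 3.0: only Moderate and High pairs require a recommendation."""
    return p.risk in ("Moderate", "High")


def check_worksheet(pairs: List[Pair]) -> List[str]:
    """Consistency findings a technical reviewer would raise on the filled table."""
    findings = []
    for p in pairs:
        if needs_safeguard(p) and p.safeguard is None:
            findings.append(f"item {p.item_no}: {p.risk} risk but no safeguard recommended")
        if p.safeguard is None:
            continue
        if p.residual_likelihood is None and p.residual_severity is None:
            findings.append(f"item {p.item_no}: safeguard recorded but no residual rating")
        elif RISK_ORDER[p.residual_risk] > RISK_ORDER[p.risk]:
            findings.append(f"item {p.item_no}: residual risk {p.residual_risk} exceeds current {p.risk}")
        elif p.residual_risk != "Low":
            findings.append(f"item {p.item_no}: residual risk still {p.residual_risk}; "
                            "document the constraint (section 3.1)")
    return findings


def sample_register() -> List[Pair]:
    """Constructed sample rows; not taken from the guideline."""
    return [
        Pair(1, "External attacker", "Unpatched Internet-facing web server",
             "Firewall permits inbound TCP/443 only", "High", "Serious",
             safeguard="Monthly patch cycle verified by vulnerability scan",
             residual_likelihood="Low"),
        Pair(2, "Staff error", "Shared administrator password on database host",
             "None", "Medium", "Damaging",
             safeguard="Individual admin accounts, password vault, audit logging",
             residual_likelihood="Very Low", residual_severity="Significant"),
        Pair(3, "Power failure", "Single power feed to server room",
             "UPS with 30 minutes of capacity", "Low", "Minor"),
    ]


if __name__ == "__main__":
    for p in sample_register():
        print(p.item_no, p.risk, "->", p.residual_risk)
    print(check_worksheet(sample_register()))
```

Item 1 illustrates the section 3.1 caveat: reducing likelihood from High to Low leaves a Serious-impact pair at High, so either a second safeguard that lowers the impact goes in its own row, or the constraint is documented and the analysis continues.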

Appendix A: Information Security Levels

System business and technical owners must determine the appropriate security levels based on the organization's confidentiality, integrity and availability requirements for the information, as well as its criticality to the organization's business mission. These requirements are usually contained in the agency's statutory, regulatory and policy frameworks. This is the basis for assessing the risks to business operations and assets and for selecting appropriate security controls and techniques. Below are sample information security levels that establish common criteria for security by information category. The first table defines the information security levels. The second table provides security level examples for the various information categories. In cases where information of varying security levels is combined in one system, the highest security level takes precedence. It is each agency's responsibility to determine information security levels for each information category based on its particular business and legal requirements. The examples below are provided for illustration purposes only.

Examples of Information Security Levels

Security Level  Description         Explanation
Low             Moderately serious  Noticeable impact on an agency's missions, functions, or reputation. A breach at this security level would result in a negative outcome, or would result in damage, requiring repairs, to an asset or resource.
Moderate        Very serious        Severe impairment to an agency's missions, functions, image, and reputation. The impact would place an agency at a significant disadvantage, or would result in major damage, requiring extensive repairs to assets or resources.
High            Catastrophic        Complete loss of mission capability for an extended period, or loss of major assets or resources; could pose a threat to human life.

Examples of Information Security Levels by Information Category

Information Category: Law enforcement and state security information
Explanation and Examples: Information related to investigations for law enforcement purposes; security plans, contingency plans, emergency operations plans, incident reports, reports of investigations, risk or vulnerability assessments and certification reports; does not include general plans, policies, or requirements.
System Security Level: High

Information Category: Life-critical information
Explanation and Examples: Information critical to life-support systems (i.e., information where inaccuracy, loss, or alteration could result in loss of life).
System Security Level: High

Information Category: Information about persons
Explanation and Examples: Information related to personnel, medical, and similar data (e.g., salary data, social security information, passwords, user identifiers (IDs), EEO, personnel profile (including home address and phone number), medical history, employment history (general and security clearance information), and arrest/criminal investigation history).
System Security Level: Moderate

Information Category: Financial, budgetary, commercial, proprietary and trade secret information
Explanation and Examples: Information related to financial information and applications, commercial information received in confidence, or trade secrets (i.e., proprietary information, contract bidding information, sensitive information about employees or citizens). Also included is information about payroll, automated decision making, procurement, inventory, other financially related systems, and site operating and security expenditures.
System Security Level: Moderate

Information Category: Public information
Explanation and Examples: Any information that is declared for public consumption by official authorities. This includes information contained in press releases. It also includes information placed on public-access world-wide-web servers.
System Security Level: Low

A!!endi2 8& Security in the System De#elo!ment 0ife /ycle


(from CMS Information Security RA Methodology)

Although information security must be considered in all phases of the life of a system, the System Development Life Cycle identifies four specific steps that are needed to ensure that information at CMS is properly protected. These include the Information Sensitivity Assessment (Section 10.5 of the Business Case Analysis), System Requirements Document, the RA Report and the System Security Plan.

Step 1 - The Information Sensitivity Assessment (ISA)
Prior to project initiation, the system owner prepares a Business Case Analysis (BCA), which includes the ISA (section 10.3 of the BCA). In this step, the system owner categorizes the data according to sensitivity and identifies high-level security requirements that apply to the system under consideration for development. Information from the ISA is one of the factors considered in determining if the system will go forward into development and what level of information security will be needed. Elements from the ISA provide the initial input to the RA.

Step 2 - System Requirements Document (specifically Security Requirements)
As an initial step of the development process, system requirements are documented for every system. The security requirements serve as a baseline for security within the system. The CMS Minimum Information Security Standards is a tool to assist in defining security requirements. Other requirements may be determined by business or functional requirements.

Step 3 - Risk Assessment Report
During the development process, a risk assessment is conducted and the resulting RA Report documents the vulnerabilities that have been identified in the system, the risks to the system resulting from the vulnerabilities and the efforts designed to reduce those risks through the use of safeguards. The RA Report provides input to the System Security Plan and other risk management activities.

Step 4 - System Security Plan
The System Security Plan incorporates all of the elements required for the system owner to determine if the system should be certified as meeting both CMS policy and business requirements. Information from the RA Report is incorporated into the System Security Plan in Section 2 - Management Controls.

Security steps also correspond to phases in the Integrated IT Investment Management Road Map (ROADMAP) for system development. The ROADMAP is CMS's implementation standard for SDLC and Investment Management and can be found at cms.hhs.gov/it/roadmap. In Figure B-1, the system development life cycle and ROADMAP are shown on the right and left sides with the information security deliverables and tools entered in the center section between them. This format illustrates the relationship of the information security tasks to both processes.


Figure B-1. Security in the System Development Life Cycle and CMS's Roadmap

[Figure B-1 is a three-column diagram. Its text is reproduced below by column: the IT Investment Management Road Map on the left, System Security in the SDLC on the right, and the Security Deliverables (rectangles) and Resources (ovals) in the center.]

IT Investment Management Road Map:
Acquisitions - BCA 10.5 - Information Sensitivity Assessment
Requirements Definition - Define System Requirements; Information Security Risk Assessment
Design and Engineering - Security Test Plan/Cases
Development - Software Test Plan; Program Software Unit and Integration; Test Case Scenarios; Test Data
Testing and Implementation - Perform System Acceptance Testing; Test or Validation Result Report; Security Test Results
Implementation - System Security Risk Assessment; System Security Plan
Operations & Maintenance - Updated Risk Assessment; Updated System Security Plan

System Security in the SDLC:

Pre-Development
1. Express need for system
2. Assess/determine data sensitivity
3. Define initial security requirements

Development
1. Identify detailed system security requirements during system design.
2. Develop appropriate security controls with evaluation & test procedures prior to procurement actions
3. Develop solicitation documents to include security requirements & evaluation/test procedures
4. Update security requirements as technologies are implemented
5. Identify security requirements for procurement of COTS applications components
6. Perform design review to ensure security controls are considered prior to production
7. Ensure security features are configured, enabled, tested, and documented during development
8. Update, design, perform and document newly developed security controls
9. Document system security tests and risk assessment
10. Ensure compliance with Federal laws, regulations, policies and standards
11. Certify system and obtain system accreditation
12. Provide security training

Post-Development
1. Document all security activities
2. Perform security operations and administration
   a. Perform backups
   b. Provide security training
   c. Maintain & review user admin & access privileges
   d. Update security software as required
   e. Update security procedures as required
3. Perform operational assurance
   a. Perform & document periodic security audits
   b. Perform & document monitoring of system security
   c. Evaluate & document results of security monitoring
   d. Perform & document corrective actions
   e. Test contingency plans on a regular basis
   f. Perform Risk Assessment and update Security Plan, as needed, with each configuration change or every year
4. Document disposal of information
5. Use controls to ensure confidentiality of information

Security Deliverables (rectangle) and Resources (oval):
Business Case Analysis 10.5 - Information Sensitivity
Minimum Security Standards
System Requirements Document (includes security)
Threat Identification Resource
Identify Vulnerabilities
Risk Assessment (Risk Determination and Safeguard Evaluation)
System Security Plan
Risk Assessment and System Security Plan


Appendix C: Assessment Team Members and Functions


Functional Role - Background (Organization, Email and Phone are filled in for each member)

Risk Assessment Manager - Drives the risk assessment process, coordinates tasks, deliverables and schedule, composes the report with input from all team members.

System or network administrator - Operates and maintains the system from a technical, day-to-day standpoint; usually the "Primary System Contact" in the System Identification table.

Technical Reviewer - Understands the technical components of the system, but was not involved in designing, building or operating the system being assessed.

System business owner - Responsible for the system, or the services it provides, from a business or customer standpoint; understands the system's purpose but not necessarily the details of its technical implementation.

System technical owner - Has supervisory responsibility for the operation of the system.

Executive sponsor - Executive management-level responsibility for the system.

Information security officer - Responsible for the agency's security policies and objectives, and its overall risk profile.


Appendix D: Information Security Risk Assessment Template


1.0 System Documentation
1.1 System Identification
Agency Name
Official System Name
System Acronym
System Business Owner
System Technical Owner
System Security Owner
Additional System Stakeholders
System Location, Full Address
Contract Number, Contractor names, phone numbers and emails, if applicable
System type(s) (mainframe, application / database / network / file server, workstation)
Primary System Contact(s), Name and Title (usually the system administrator)
Organization Name
Full Address
Email Address
Phone and pager numbers

1.2 System Purpose and Description
Function and purpose of the system
General functional requirements
Business processes, applications and services supported
System components
Environmental factors
Network diagram with system boundaries (attach)
General information flow
Technical and business users (list)
System ownership (shared or dedicated)

1.3 Information Security Levels and Overall System Security Level
Information Category | Information Security Level
(one row per information category; the template provides three rows)
Overall System Security Level

2.0 Risk Determination

Risk Determination Table
Item No. | Threat Name | Vulnerability Name | Risk Description | Existing Controls | Likelihood of Occurrence | Impact Severity | Risk Level


3.0 Safeguard Determination

Safeguard Determination Table
Item No. (from Risk Determination Table) | Recommended Safeguard Description | Residual Likelihood of Occurrence | Residual Impact Severity | Residual Risk Level
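The Safeguard Determination Table is keyed back to the Risk Determination Table by Item No., so a filled-in assessment can be checked mechanically for dangling references, residual values that are worse than the pre-safeguard values, and non-Low risks that have no recommended safeguard. The following is an added example, not part of the guidelines; rows are dicts keyed by the template's column headings, and the Low < Moderate < High ordering and all sample rows are assumptions.

```python
"""Consistency checks for an assessment filled into the Appendix D template
(Risk Determination Table 2.0 and Safeguard Determination Table 3.0). Added
example, not from the guidelines; rows are dicts keyed by the template's
column headings and Low < Moderate < High is an assumed ordinal scale."""

LEVELS = {"Low": 0, "Moderate": 1, "High": 2}   # assumed, not set by the template

# Residual columns of table 3.0 and the table 2.0 columns they must not exceed.
PAIRS = [("Residual Likelihood of Occurrence", "Likelihood of Occurrence"),
         ("Residual Impact Severity", "Impact Severity"),
         ("Residual Risk Level", "Risk Level")]


def check_tables(risk_rows, safeguard_rows):
    """Return findings as strings; an empty list means the tables agree."""
    findings, risks, covered = [], {}, set()
    for row in risk_rows:
        risks[row["Item No."]] = row
        for _, col in PAIRS:           # every level column must use the scale
            if row[col] not in LEVELS:
                findings.append(f"item {row['Item No.']}: unknown {col} '{row[col]}'")
    for row in safeguard_rows:
        no = row["Item No."]           # must point back at a table 2.0 row
        if no not in risks:
            findings.append(f"safeguard for Item No. {no} has no matching risk row")
            continue
        covered.add(no)
        for res_col, col in PAIRS:     # a safeguard may not make a value worse
            after, before = row[res_col], risks[no][col]
            if after not in LEVELS:
                findings.append(f"item {no}: unknown {res_col} '{after}'")
            elif LEVELS[after] > LEVELS.get(before, 99):
                findings.append(f"item {no}: {res_col} {after} exceeds {col} {before}")
    for no, row in risks.items():      # a risk with no safeguard row is accepted as-is
        if no not in covered and row["Risk Level"] != "Low":
            findings.append(f"item {no}: {row['Risk Level']} risk has no recommended safeguard")
    return findings


def sample_tables():
    """Constructed sample rows (not real assessment data); item 2 lacks a safeguard."""
    risk_rows = [
        {"Item No.": 1, "Threat Name": "Unauthorized access", "Vulnerability Name": "Shared admin account",
         "Likelihood of Occurrence": "High", "Impact Severity": "High", "Risk Level": "High"},
        {"Item No.": 2, "Threat Name": "Power loss", "Vulnerability Name": "No UPS",
         "Likelihood of Occurrence": "Moderate", "Impact Severity": "Moderate", "Risk Level": "Moderate"}]
    safeguard_rows = [
        {"Item No.": 1, "Recommended Safeguard Description": "Individual accounts, audit logging",
         "Residual Likelihood of Occurrence": "Low", "Residual Impact Severity": "High",
         "Residual Risk Level": "Moderate"}]
    return risk_rows, safeguard_rows
```

Running `check_tables(*sample_tables())` reports only that item 2 has no recommended safeguard; the same function flags a safeguard row citing an Item No. that does not exist in the risk table or a residual level above the original one.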

Signatures
Submitted by: _______________________ Date: _________
Risk Assessment Manager

Reviewed by: <Title>
_______________________ Date: _________

Approved by: <Title>
_______________________ Date: _________
