Columbia University Medical Center
Information Security Risk Questionnaire and Documentation (Limited Access)
Version 1.1, Mar 1, 2005
All CUMC Electronic Protected Health Information (EPHI) asset owners and systems must follow CUMC EPHI security policies.
Protected Health Information (PHI) is defined as health or medical information identifiably linked to a specific individual, including identity information (demographic and financial data) and medical condition and treatment information (clinical data). Electronic Protected Health Information is defined as PHI stored on or transmitted via our computers and networks, including CDs, PDAs, tapes, and clinical equipment. An EPHI asset is a collection, application, or database of EPHI that is used for specific purposes in care delivery, or for research or education. The owner of an asset is the principal who has required and likely funded the asset to exist for care, research or education purposes, and who is responsible for overall use of the information. Custodians of an asset are responsible for day-to-day operations and maintenance of the hardware and software used for the asset. Institutional applications may have ownership determined by a committee of institutional stakeholders; all other assets usually have individual owners. An Information Technology person or a system administrator cannot usually be the owner of an EPHI asset.
To demonstrate compliance with the policies (specifically for EPHI assets as required by the HIPAA regulations), the owners must complete a security risk analysis for their asset. This document represents documentation for Tier B assets as defined in Information Security Management Process (# EPHI1) policy. Specifically,
Tier B assets are defined as an information system or data collection (database, files, etc.) with:
1. 20 users or less; and
2. 10 devices with EPHI or less (servers and workstations that store EPHI data, including medical devices but not workstations used only to access EPHI using an application).
There are 11 questions in total, and sample answers to the questionnaire are available at the end of the document. For any additional information, please contact [email protected], or the Information Security Officer.
Confidential and Privileged Page 1 of 25
ASSET INFORMATION
Provide information about the Asset.
Asset Name:
Asset Description:
Owner Name:
Owner Title and Dept:
Owner Phone:
Owner Email:
Custodian Name(s):
Custodian Title and Dept:
Custodian Phone(s):
Custodian Email(s):
Date of submission:
IRB Institution(s), if research:
Active IRB Number(s), if research:
QN 1. AUTHENTICATION
Sign-on with UserID and secret password for all services and data access methods associated with the EPHI is required. Provide a list of users and custodians who can access this asset (add lines as necessary). All custodians, including system administrators, should be listed and may be aggregated under a group name without UserID.
A common generic UserID to access clinical data is strongly discouraged and is usually not permitted. Specifically, for less than 20 users, defining accounts for individual users is not considered an onerous or hard task. It is recommended that the asset software is configured to turn off or severely restrict the use of common generic UserIDs. If, however, such a generic UserID is used, appropriate justification must be provided in the response below.
Response:
User ID | User Name | Title/Dept
QN 2. AUTHORIZATION
A written access authorization grid or rule is required that specifies which user has/had what kind of access to the EPHI, and why. Provide this information below (add lines as necessary). A system administrator (custodian) who manages the computer should also be listed.
Response:
User ID | Asset function (Read/ Update/ All/ Administer/ etc.) | Role/Reason | Status (Active/ Term) | Start date | End date
QN 3. AUDIT LOGS
Audit logs of an asset show who accessed what EPHI of which patient and when. Audit logs are highly desirable when investigating security incidents, both to hold violators accountable and to protect the innocent. They also help in understanding how and when the asset is accessed.
Investigate with the custodians what kinds of audit logs are possible and available at the system, database, and/or application level for the asset, and have them enabled to the maximum possible extent. Describe below what level of audit logs is maintained for the asset.
Response:
QN 4. DEVICE EXPOSURE
Information assets include the collection of EPHI data as well as the devices that are used to store it. Identify the number of hardware devices used to store or to access EPHI below. The total number of devices that contain PHI should be less than 10 to qualify for this questionnaire.
Response:
Servers that contain EPHI (within Institution) .........
Workstations that contain EPHI (within Institution) ...
Servers that contain EPHI (outside Institution) ........
Workstations that contain EPHI (outside Institution) ...
Biomedical devices that contain EPHI .......
Total devices that contain EPHI ...
All workstations, PDAs, etc. that access EPHI ....
Total devices that store or access EPHI ...
QN 5. PROTECTION AGAINST MALICIOUS SOFTWARE
All devices that store or access EPHI must have basic security protections.
Currently, Anti-virus software and Anti-spyware software are required. These protect from malicious software stealing or damaging data, hijacking and improper use of the devices, stealing passwords, etc.
Additional protections are desirable – for example, all devices within the institution are protected by a firewall from attacks and threats from the Internet. Some devices such as Biomedical devices and servers in central data centers are additionally protected using building or data center firewalls.
Computers such as Windows XP (SP2), Macintosh OS X, Linux and variations of Unix must have local (or personal) host-based firewalls turned on. This security protection permits only controlled and pre-defined access to the systems and data on the computers.
Other desirable protections include periodic ‘password strength checks’ as well as ‘host integrity check’ software that proactively protects the servers, workstations and access devices.
Finally, all software in the devices, specifically the operating system, databases, web and other servers must be frequently monitored for security vulnerabilities as announced by the software vendors, and security patches and updates to anti-virus and anti-spyware software must be applied as and when they are made available by the vendors.
Indicate below the protections that are in place currently, and the person who is responsible for monitoring of the same.
Response:
Protection description | Type (R: Required, D: Desirable) | How implemented? (such as: name of software or vendors, versions, reports or logs, etc.) | Userid/Name of the responsible person/group
Anti-virus, regular updates | R | |
Anti-spyware, regular updates | R | |
Vulnerability checks | R | |
Patching of security updates for the OS, database, etc. | R | |
Special network firewalls | D | |
Local/personal firewalls | R | |
Other checks | D | |
QN 6. ENCRYPTION AND INTEGRITY
EPHI carried or transmitted outside of the institutional network requires special consideration for encryption and information integrity. Specifically, if EPHI is accessed over the Internet or wireless networks, both of which are inherently at higher risk than the institutional network, then such transmission should be encrypted and should occur over reliable network protocols (such as TCP). Alternatively, if EPHI is stored on mobile devices such as laptops and Personal Digital Assistant devices, the mobile device must implement user sign-on with strong passwords and/or encryption of data to reduce the risk of exposure due to device theft or accidents. It is highly desirable to implement both security protection mechanisms. On many operating systems (Windows XP, Mac OS X), one can encrypt the data stored on the system by encrypting the folders; such encryption of EPHI at rest is highly recommended.
Explain in detail how the EPHI transmission and storage are encrypted, and identify the person who implemented the solutions.
Response:
Security Protection | Describe mechanism | Userid/Name of the responsible person/group
Encryption on EPHI transmission over the Internet | |
Encryption of EPHI storage in laptop/EPHI | |
Sign on to access laptop/EPHI | |
QN 7. PHYSICAL SECURITY
All devices that contain EPHI must be physically secured. EPHI, however, is additionally stored in passive storage media (Floppy disks, CD-Rom, USB storage devices, Tapes). Regular backups are recommended to protect against loss of data; the backup tapes contain clinical data, and must be maintained securely. Similarly, data may be exchanged or backed up using Floppy disks, CD-Rom, USB storage devices, and other storage media. An important protection is to monitor where such media are kept, how they are handled, and also to take steps to remove and destroy all clinical data once the purpose of that data is completed. Sometimes, it may be appropriate to physically destroy the media.
Describe below the physical security environment of the asset and the associated media.
Response:
Security consideration | Describe management | Userid/Name of the responsible person/group
Physical access to devices containing EPHI (door locks, computer locks, card access, etc.) | |
Environmental management of the location where these devices are placed (Humidity, Temperature, Dust, etc.) | |
Types of passive media used for backup (tapes, disks), and their physical protection | |
Types of passive media (CDs, DVDs, USB devices, Zip disks, etc.) used for information exchange, and their physical protection (locked cabinets, destruction, etc.) | |
Disposal of devices and media when they are no longer required | |
QN 8. CONTINGENCY
If the EPHI asset is used to deliver or influence the delivery of ongoing patient care, one must carefully consider the availability of such asset. Specifically, such assets must guard against ‘system down’ situations by considering information backup, physical device backup, formal methods to retrieve backups and make the asset available to users, and prior determination of procedures that users should follow when the asset is unavailable for short-term as well as long term. These considerations of availability of the asset are placed in the Contingency Plan for the asset.
Explain the Contingency Plan below.
Response:
Contingency plan considerations | Describe process in place, if applicable | Userid/Name of the responsible person/group
Is the asset used for ongoing patient care? | |
If yes above, describe backup methods in place to address short-term unavailability | |
If yes above, describe end-user processes to address short-term unavailability of the asset | |
If yes above, describe disaster recovery methods in place to address long-term unavailability | |
If yes above, describe end-user processes to address long-term unavailability of the asset | |
QN 9. EPHI EXCHANGE AND BUSINESS ASSOCIATE AGREEMENT
If EPHI is sent to or received from other assets (using methods like ftp, copy, tape or CD transfers, etc.), it is necessary to ensure that there is a legal basis that the information will be protected. If the transfer is to an entity that is not covered under the HIPAA regulations, a legal contract with specific language (called a Business Associate agreement) is required. This agreement is also required for vendors who access our systems for maintenance purposes and thus may be able to access EPHI. If the transfer is over public networks, appropriate encryption solutions are required. You should include all transfers that are electronic, even if they are not real-time transfers, such as data copied onto tapes or CDs.
Provide information about the partners that receive or send EPHI below.
Response:
Description of transferred EPHI | Recv From (F) or Send To (T) or Access (A) | Partner asset name/description | Owner name and contact info | HIPAA covered? (Yes/ No) | EPHI moves/transfers over Internet? (Yes/No) If yes, is the transfer encrypted? (Yes/No/ Not Appl) | BA Agreement (Yes/ No/ Not Appl)
QN 10. TRAINING
All EPHI users should be trained in their responsibilities towards EPHI security. The relevant information security policies are in the areas of password management, sign-on and sign-off, workstation use and security, and security incident reporting procedures. Various training materials are available.
The owners of EPHI assets should use asset questionnaires as the basis of responsibilities associated with management of an asset, and should understand the Information Security policies and procedures.
Response:
Is there regular review and reinforcement of individual and team responsibilities towards EPHI privacy and security by the owner? (Yes/No)
QN 11. SECURITY INCIDENT REPORTING
Significant security issues should be investigated and reported to the appropriate authorities as described in the Security Incident Reporting policy. Such issues include malicious infections with Trojans and keyloggers, unauthorized access, and accidental or malicious exposure or destruction of EPHI, etc. The IRB may be informed if the asset is used for IRB-approved research.
Identify the person who will document and report a Security Incident as required in the Security Incident Reporting policy.
Response:
Identify the person responsible for Security Incident Reporting
Questionnaire Samples
Case 1. A set of EPHI files stored on local PC used for clinical operations.
ASSET INFORMATION
Asset Name: Quality report for State Registry
Asset Description: Cardiac Cath data
Owner Name: Qadir Smith
Owner Title and Dept: Manager, Finance recovery
Owner Phone: 212-305-9989
Owner Email: [email protected]
Custodian Name(s):
Custodian Title and Dept:
Custodian Phone(s):
Custodian Email(s):
Date of submission: 4/15/2005
IRB Institution(s), if research:
Active IRB Number(s), if research:
AUTHENTICATION
User ID | User Name | Title/Dept
Qas2 | Qadir Smith | Manager, Finance recovery
Bal99 | Barry A London | QA, Finance Recovery
Md2 | Monalisa Davinci | Temp Programmer, Finance recovery
AUTHORIZATION
User ID | Asset function (Read/ Update/ All/ Admin/ etc.) | Role/Reason | Status (Active/ Term) | Start date | End date
Qas2 | All | Manager | Active | 5/10/03 |
Bal99 | Update | Quality Analyst | Active | 5/10/03 |
CUBHIS Desktop group | Manage computers | Manage computer | Active | - | -
Md2 | Update | Programmer | Term | 5/10/03 | 4/15/04
AUDIT LOGS
See examples in the next case.
DEVICE EXPOSURE
Servers that contain EPHI (within Institution) ......... 0
Workstations that contain EPHI (within Institution) ... 3
Servers that contain EPHI (outside Institution) ........ 0
Workstations that contain EPHI (outside Institution) ... 0
Biomedical devices that contain EPHI ....... 0
Total devices that contain EPHI ... 3
All workstations, PDAs, etc. that access but do not store EPHI ... 0
Total devices that store or access EPHI ... 3
PROTECTION AGAINST MALICIOUS SOFTWARE
Protection description | Type (R: Required, D: Desirable) | How implemented? (such as: name of software or vendors, versions, reports or logs, etc.) | Userid/Name of the responsible person/group
Anti-virus, regular updates | R | Symantec Anti-virus 9.0 | CUBHIS
Anti-spyware, regular updates | R | Microsoft Giant (to be implemented) | CUBHIS
Vulnerability checks | R | Workstations configured securely by CUBHIS | CUBHIS
Patching of security updates for the OS, database, etc. | R | Updates through Microsoft SUS | CUBHIS
Special network firewalls | D | Internet Firewall | CUBHIS
Local/personal firewalls | R | Use of XP SP2 local firewall | CUBHIS
Other checks | D | None |
ENCRYPTION AND INTEGRITY
Security Protection | Describe mechanism | Userid/Name of the responsible person/group
Encryption on EPHI transmission over the Internet | WinZIP with AES encryption, VPN connectivity | WinZIP by qas2, VPN by IS Core Resources
Encryption of EPHI storage in laptop/EPHI | None |
Sign on to access laptop/EPHI | None |
PHYSICAL SECURITY
Security consideration | Describe management | Userid/Name of the responsible person/group
Physical access to devices containing EPHI (door locks, computer locks, card access, etc.) | Workstations are in restricted area. | Qas2
Environmental management of the location where these devices are placed (Humidity, Temperature, Dust, etc.) | Usual office environment | Qas2
Types of passive media used for backup (tapes, disks), and their physical protection | CDs as backup | Bal99
Types of passive media (CDs, DVDs, USB devices, Zip disks, etc.) used for information exchange, and their physical protection (locked cabinets, destruction, etc.) | None |
Disposal of devices and media when they are no longer required | Workstation disposal | CUBHIS
CONTINGENCY
Contingency plan considerations | Describe process in place, if applicable | Userid/Name of the responsible person/group
Is the asset used for ongoing patient care? | No |
If yes above, describe backup methods in place to address short-term unavailability | Not Applicable |
If yes above, describe end-user processes to address short-term unavailability of the asset | Not Applicable |
If yes above, describe disaster recovery methods in place to address long-term unavailability | Not Applicable |
If yes above, describe end-user processes to address long-term unavailability of the asset | Not Applicable |
EPHI EXCHANGE AND BUSINESS ASSOCIATE AGREEMENT
Description of transferred EPHI | Recv From (F) or Send To (T) or Access (A) | Partner asset name/description | Owner name and contact info | HIPAA covered? (Yes/ No) | EPHI moves/transfers over Internet? (Yes/No) If yes, is the transfer encrypted? (Yes/No/ Not Appl) | BA Agreement (Yes/ No/ Not Appl)
Report of all cardiac cath adverse results | T | NY State Error registry | GG Lowery, Albany, [email protected] | No, but govt. | Yes, Yes (Winzip password) | NA (govt.)
TRAINING
Is there regular review and reinforcement of individual and team responsibilities towards EPHI privacy and security by the owner? (Yes/No)
Yes, reviewed during weekly meeting.
SECURITY INCIDENT REPORTING
Identify the person responsible for Security Incident Reporting
Qas2
Case 2. An EPHI database stored on a local server used for research.
ASSET INFORMATION
Asset Name: Cardiology Research Name
Asset Description: Database of Electrocardiogram reports and tracings
Owner Name: Joseph Brown
Owner Title and Dept: Asst Prof, Cardiology, Medicine
Owner Phone: 212-305-9998
Owner Email: [email protected]
Custodian Name(s): John Smith
Custodian Title and Dept: System Admin, Medicine
Custodian Phone(s): 212-342-9989
Custodian Email(s): [email protected]
Date of submission: 3/22/2005
IRB Institution(s), if research: Columbia University
Active IRB Number(s), if research: IG98945
AUTHENTICATION
User ID | User Name | Title/Dept
JOEBROWN | Joseph Brown | Asst Prof, Cardiology, Medicine
MATHSMART | Matthew Smart | Assoc Res Scientist, Biostatistics
PUTTGTHER | Putnam T Gather | Coordinator, Medicine, Service Corporation
JRPROGRAM | Junior Programmer | Programmer, Medicine
JOHNSMITH | John Smith | System Admin, Medicine
OLDSMITH | Olden Smith | System Admin, Medicine
DAVINCM | Monalisa Davinci | Temp Programmer, Medicine
AUTHORIZATION
User ID | Asset function (Read/ Update/ All/ Admin/ etc.) | Role/Reason | Status (Active/ Term) | Start date | End date
JOEBROWN | All | Principal Investigator | Active | 3/7/04 |
MATHSMART | Read | Statistician | Active | 3/7/04 |
PUTTGTHR | Update | Coordinator | Active | 1/1/05 |
JRPROGRAM | Admin | Programmer | Active | 4/10/04 |
JOHNSMITH | Manage computer | Local System Administrator | Active | 3/7/04 |
OLDSMITH | Used to manage computer | Local System Administrator | Term | 3/7/04 | 12/31/04
DAVINCM | Update | Programmer | Term | 5/10/03 | 4/15/04
AUDIT LOGS
Example 1 (Weak)
There are no audit logs with the files. The files are exchanged between the users on floppies and CDs. All users understand that there are no audit logs, and therefore it is assumed that all users have seen all data in the asset.
Example 2 (Weak, but better)
There are only server sign-on logs (userid and date-time) available, which are kept for 60 days. The users understand that if they sign on to the server, it is assumed that they have seen all data in the asset.
Example 3 (Weak, but better)
The web-based application has a sign-on log (userid, date-time, browser IP address, URL). The logs are rotated every week, and the past 8 weeks are kept. The users understand that if they sign on to the web application, it is assumed that they have seen all data in the asset.
Example 4 (Good)
There are 2 kinds of logs: (1) a sign-on log for the server (userid and date-time), and (2) an access log of specific files in the asset by an individual who has signed on (userid, date-time, filename). The logs for the past 30 days are kept on the system.
Example 5 (Very Good)
An application log exists that logs user sign-on as well as the patient records that were accessed by the user. The log includes userid, date-time of sign-on, MRN of a patient, and date-time when that patient record was accessed. The logs are kept locally for the last 3 months, but are also sent daily to the central audit log storage facility for long-term storage and correlation with other access.
Example 6 (Excellent)
An application log exists that logs user sign-on (userid, date-time, client IP address) as well as details of each access by the user (date-time of access, MRN of a patient, type of data that was accessed (demographics, orders, EKG, Lab, Discharge Summary, etc.) and kind of access (read, add, update, print, etc.)). The logs are kept locally for the last 7 days, but are also sent daily to the central audit log storage facility for long-term storage and correlation with other access.
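One reason the Example 6 log is rated Excellent is that it can be reconciled against the Qn 2 authorization grid: every access names a user, a patient, a data type and an access kind, so a custodian can check each entry against who was authorized for what and when. The Python below is an added example, not part of the CUMC questionnaire; the pipe-separated log line layout, the grid entries and the function names are constructed for it.

```python
"""Reconcile an EPHI application audit log against the access authorization grid.

Added example (not from the CUMC questionnaire). Input shapes assumed here:
  - audit log lines in the Example 6 layout, exported as
    userid|date-time|client IP|MRN|type of data|kind of access
  - an authorization grid in the Qn 2 layout:
    userid -> (asset function, status, start date, end date or None)
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime

# Constructed authorization grid (patterned on the Case 2 sample, not copied).
# function: Read / Update / All / Admin; status: Active / Term.
AUTH_GRID = {
    "JOEBROWN":  ("All",    "Active", date(2004, 3, 7),  None),
    "MATHSMART": ("Read",   "Active", date(2004, 3, 7),  None),
    "PUTTGTHR":  ("Update", "Active", date(2005, 1, 1),  None),
    "DAVINCM":   ("Update", "Term",   date(2003, 5, 10), date(2004, 4, 15)),
}

# Access kinds that change data; a user whose asset function is Read may not do these.
WRITE_KINDS = {"add", "update"}

# Constructed application audit log, one access per line (Example 6 fields).
AUDIT_LOG = """\
JOEBROWN|2005-03-01 09:12:05|10.1.2.3|MRN0001|EKG|read
MATHSMART|2005-03-01 09:40:11|10.1.2.8|MRN0002|demographics|update
PUTTGTHR|2005-03-02 14:03:59|10.1.2.9|MRN0001|orders|add
DAVINCM|2005-03-03 08:00:00|10.1.2.4|MRN0003|EKG|read
UNKNOWNU|2005-03-03 08:05:00|10.9.9.9|MRN0003|Lab|read
"""


@dataclass
class Access:
    userid: str
    when: datetime
    client_ip: str
    mrn: str
    data_type: str
    kind: str


def parse_log(text: str) -> list[Access]:
    """Parse pipe-separated log lines; malformed lines are skipped, never guessed."""
    accesses = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 6:
            continue
        userid, ts, ip, mrn, dtype, kind = parts
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        accesses.append(Access(userid, when, ip, mrn, dtype, kind.lower()))
    return accesses


def check_access(a: Access, grid: dict) -> str | None:
    """Return a finding if the grid does not justify this access, else None."""
    entry = grid.get(a.userid)
    if entry is None:
        return f"{a.userid} is not in the authorization grid"
    function, status, start, end = entry
    day = a.when.date()
    if status == "Term" or (end is not None and day > end):
        return f"{a.userid} is terminated (end {end})"
    if day < start:
        return f"{a.userid} accessed before start date {start}"
    if a.kind in WRITE_KINDS and function == "Read":
        return f"{a.userid} has Read access but performed {a.kind}"
    return None


def review(log_text: str, grid: dict = AUTH_GRID) -> tuple[list[str], dict]:
    """Return (findings, per-patient trail).

    The trail answers Qn 3 directly: who accessed what EPHI of which patient
    and when, keyed by MRN. The findings list the accesses the grid does not cover.
    """
    findings = []
    trail = defaultdict(list)
    for a in parse_log(log_text):
        trail[a.mrn].append((a.when.isoformat(sep=" "), a.userid, a.data_type, a.kind))
        problem = check_access(a, grid)
        if problem:
            findings.append(f"{a.when:%Y-%m-%d %H:%M} {a.mrn} {a.data_type}/{a.kind}: {problem}")
    return findings, dict(trail)


if __name__ == "__main__":
    found, by_patient = review(AUDIT_LOG)
    for f in found:
        print("FINDING", f)
    for mrn, events in by_patient.items():
        print(mrn, events)
```

Run against the constructed log it reports three findings (an update by a Read-only user, an access by a terminated user, and a userid absent from the grid) and prints the per-MRN trail for the rest.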
DEVICE EXPOSURE
Servers that contain EPHI (within Institution) ......... 1
Workstations that contain EPHI (within Institution) ... 3
Servers that contain EPHI (outside Institution) ........ 1
Workstations that contain EPHI (outside Institution) ... 0
Biomedical devices that contain EPHI ....... 0
Total devices that contain EPHI ... 5
All workstations, PDAs, etc. that access but do not store EPHI ... 3
Total devices that store or access EPHI ... 8
PROTECTION AGAINST MALICIOUS SOFTWARE
Protection description | Type (R: Required, D: Desirable) | How implemented? (such as: name of software or vendors, versions, reports or logs, etc.) | Userid/Name of the responsible person/group
Anti-virus, regular updates | R | Symantec Anti-virus 9.0 | CUBHIS
Anti-spyware, regular updates | R | CA PestPatrol | CUBHIS
Vulnerability checks | R | Workstations configured securely by CUBHIS | CUBHIS
Patching of security updates for the OS, database, etc. | R | Planned updates | CUBHIS
Special network firewalls | D | Internet Firewall | Core Resources
Local/personal firewalls | R | Use of Linux and XP SP2 local firewall | JOHNSMITH
Other checks | D | Tripwire for host integrity check | CUBHIS
ENCRYPTION AND INTEGRITY
Security Protection | Describe mechanism | Userid/Name of the responsible person/group
Encryption on EPHI transmission over the Internet | Ssh access, SSL-based Web server | JOHNSMITH
Encryption of EPHI storage in laptop/EPHI | Encrypting File System on Windows XP | JOHNSMITH
Sign on to access laptop/EPHI | Windows XP Signon, Palm and Blackberry Signon | JOHNSMITH
PHYSICAL SECURITY
Security consideration | Describe management | Userid/Name of the responsible person/group
Physical access to devices containing EPHI (door locks, computer locks, card access, etc.) | Servers are in a physically restricted area in the data center, access permitted to authorized personnel | CUBHIS
Environmental management of the location where these devices are placed (Humidity, Temperature, Dust, etc.) | These are controlled in the Data Center | CUBHIS
Types of passive media used for backup (tapes, disks), and their physical protection | These are controlled in the Data Center | CUBHIS
Types of passive media (CDs, DVDs, USB devices, Zip disks, etc.) used for information exchange, and their physical protection (locked cabinets, destruction, etc.) | CDs can be created to copy research data. CDs are managed by the research members. PDAs have sign-on protection, and have been registered with the Physical Security department | JOHNSMITH, Researchers
Disposal of devices and media when they are no longer required | Tapes are broken before disposal. | CUBHIS, JOHNSMITH
CONTINGENCY
Contingency plan considerations | Describe process in place, if applicable | Userid/Name of the responsible person/group
Is the asset used for ongoing patient care? | No |
If yes above, describe backup methods in place to address short-term unavailability | Not Applicable |
If yes above, describe end-user processes to address short-term unavailability of the asset | Not Applicable |
If yes above, describe disaster recovery methods in place to address long-term unavailability | Not Applicable |
If yes above, describe end-user processes to address long-term unavailability of the asset | Not Applicable |
EPHI EXCHANGE AND BUSINESS ASSOCIATE AGREEMENT
Description of transferred EPHI | Recv From (F) or Send To (T) or Access (A) | Partner asset name/description | Owner name and contact info | HIPAA covered? (Yes/ No) | EPHI moves/transfers over Internet? (Yes/No) If yes, is the transfer encrypted? (Yes/No/ Not Appl) | BA Agreement (Yes/ No/ Not Appl)
ADT Info | F | Eagle System, via EGate. | AM Brown, Finance, 212-305-9999 | Yes | No | NA
EKG Reports | F | GE Muse System, via EGate. | AM Jones, Medicine, 212-305-9999 | Yes | No | NA
EKG Reports and Traces | F | Other system at a satellite care facility | AM Rivera, Director, Satellite Facility, 212-305-9999 | Yes | Yes, Yes (SSL) | No (Research agreement, both are HIPAA covered)
TRAINING
Is there regular review and reinforcement of individual and team responsibilities towards EPHI privacy and security by the owner? (Yes/No)
Yes, discussed weekly by JOEBROWN
SECURITY INCIDENT REPORTING
Identify the person responsible for Security Incident Reporting
JOHNSMITH, JOEBROWN
Case 3. An MRI system
ASSET INFORMATION
Asset Name: Power MRI Imaging system
Asset Description: MRI machine with 3T Magnet and Spectra software
Owner Name: BM Jordan, Maura Jones
Owner Title and Dept: VP, Operations; Director, MRI Services
Owner Phone: 212-305-4433, 212-305-9989
Owner Email: [email protected], [email protected]
Custodian Name(s): PM Rich
Custodian Title and Dept: MRI Vendor
Custodian Phone(s): 212-222-7767
Custodian Email(s): [email protected]
Date of submission: 4/1/2005
IRB Institution(s), if research:
Active IRB Number(s), if research:
AUTHENTICATION
User ID | User Name | Title/Dept
POWER | All users | This is a generic userid. The system is physically protected in a restricted area accessible to authorized users. The userid has a strong password, which is changed every 3 months or when a tech who knew the password leaves the institution, and is known only to the 12 users. Additionally the system is protected by special network and host-level firewalls to protect against remote access. The vendor does not support individual userid accounts.
AUTHORIZATION
User ID | Asset function (Read/ Update/ All/ Admin/ etc.) | Role/Reason | Status (Active/ Term) | Start date | End date
POWER | All | Full access account | Active | 5/10/03 |
AUDIT LOGS
See Case 2.
DEVICE EXPOSURE
Servers that contain EPHI (within Institution) ......... 2
Workstations that contain EPHI (within Institution) ... 3
Servers that contain EPHI (outside Institution) ........ 0
Workstations that contain EPHI (outside Institution) ... 0
Biomedical devices that contain EPHI ....... 3
Total devices that contain EPHI ... 8
All workstations, PDAs, etc. that access but do not store EPHI ... 0
Total devices that store or access EPHI ... 8
PROTECTION AGAINST MALICIOUS SOFTWARE
Protection description | Type (R: Required, D: Desirable) | How implemented? (such as: name of software or vendors, versions, reports or logs, etc.) | Userid/Name of the responsible person/group
Anti-virus, regular updates | R | None on devices and workstations – vendor non-support; Symantec AV on servers | CUBHIS
Anti-spyware, regular updates | R | None on devices and workstations – vendor non-support | -
Vulnerability checks | R | Devices scanned for vulnerability at install time | CUBHIS
Patching of security updates for the OS, database, etc. | R | Manual updates | Vendor
Special network firewalls | D | Internet Firewall, Medical device firewall at Allen | Core Resources
Local/personal firewalls | R | None on devices and workstations – vendor non-support | -
Other checks | D | None | -
ENCRYPTION AND INTEGRITY
Security Protection | Describe mechanism | Userid/Name of the responsible person/group
Encryption on EPHI transmission over the Internet | Site-to-Site VPN for system maintenance | CUBHIS, Vendor
Encryption of EPHI storage in laptop/EPHI | None |
Sign on to access laptop/EPHI | None |
PHYSICAL SECURITY
Security consideration | Describe management | Userid/Name of the responsible person/group
Physical access to devices containing EPHI (door locks, computer locks, card access, etc.) | Devices, workstations and servers are all together in a physically restricted area, access permitted only to operators and other authorized personnel | Maura Jones, Manager, MRI system
Environmental management of the location where these devices are placed (Humidity, Temperature, Dust, etc.) | These are controlled as medical device environmental issues | Maura Jones, Manager, MRI system
Types of passive media used for backup (tapes, disks), and their physical protection | Tapes are stored in the same room | Maura Jones, Manager, MRI system
Types of passive media (CDs, DVDs, USB devices, Zip disks, etc.) used for information exchange, and their physical protection (locked cabinets, destruction, etc.) | CDs can be created to copy images. CDs are carried away by the researchers. | Researchers
Disposal of devices and media when they are no longer required | Tapes are broken before disposal. Servers and workstations are on lease from the vendor. With assistance from the vendor, the disks are erased before disposal | Maura Jones, Manager, MRI system
CONTINGENCY
Contingency plan considerations | Describe process in place, if applicable | Userid/Name of the responsible person/group
Is the asset used for ongoing patient care? | Yes | Maura Jones
If yes above, describe backup methods in place to address short-term unavailability | The data in the system are copied to a separate PACS system | PACS group, Maura Jones
If yes above, describe end-user processes to address short-term unavailability of the asset | Patients are scheduled to other MRI machines | Maura Jones, Radiology operations group
If yes above, describe disaster recovery methods in place to address long-term unavailability | None |
If yes above, describe end-user processes to address long-term unavailability of the asset | Patients are scheduled to other MRI machines | Maura Jones, Radiology operations group
EPHI EXCHANGE AND BUSINESS ASSOCIATE AGREEMENT
Description of transferred EPHI | Recv From (F) or Send To (T) or Access (A) | Partner asset name/description | Owner name and contact info | HIPAA covered? (Yes/ No) | EPHI moves/transfers over Internet? (Yes/No) If yes, is the transfer encrypted? (Yes/No/ Not Appl) | BA Agreement (Yes/ No/ Not Appl)
Images | T | PACS system | PM Brown, Radiology, 212-305-9999 | Yes | No | NA
All data | A | MRI Vendor | PM Rich, MRI Vendor, 212-222-7767 | No | Yes, Yes | Yes
TRAINING
Is there regular review and reinforcement of individual and team responsibilities towards EPHI privacy and security by the owner? (Yes/No)
Yes, discussed monthly by Maura Jones
SECURITY INCIDENT REPORTING
Identify the person responsible for Security Incident Reporting
Maura Jones