
Columbia University Medical Center
Information Security Risk Questionnaire and Documentation (Limited Access)

Version 1.1, Mar 1, 2005

All CUMC Electronic Protected Health Information (EPHI) asset owners and systems must follow CUMC EPHI security policies.

Protected Health Information (PHI) is defined as health or medical information identifiably linked to a specific individual, including identity information (demographic and financial data) and medical condition and treatment information (clinical data). Electronic Protected Health Information (EPHI) is defined as PHI stored on or transmitted via our computers and networks, including CDs, PDAs, tapes, and clinical equipment. An EPHI asset is a collection, application, or database of EPHI that is used for specific purposes in care delivery, or for research or education. The owner of an asset is the principal who has required and likely funded the asset to exist for care, research or education purposes, and who is responsible for the overall use of the information. The custodians of an asset are responsible for the day-to-day operation and maintenance of the hardware and software used for the asset. Institutional applications may have ownership determined by a committee of institutional stakeholders; all other assets usually have individual owners. An Information Technology person or a system administrator cannot usually be the owner of an EPHI asset.

To demonstrate compliance with the policies (specifically for EPHI assets as required by the HIPAA regulations), the owners must complete a security risk analysis for their asset. This document represents documentation for Tier B assets as defined in Information Security Management Process (# EPHI1) policy. Specifically,

Tier B assets are defined as an information system or data collection (database, files, etc.) with:

1. 20 users or less; and
2. 10 devices with EPHI or less (servers and workstations that store EPHI data, including medical devices, but not workstations used only to access EPHI using an application).

There are 11 questions in total, and sample answers to the questionnaire are available at the end of the document. For any additional information, please contact [email protected], or the Information Security Officer.

Confidential and Privileged Page 1 of 25


ASSET INFORMATION

Provide information about the Asset.

Asset Name:
Asset Description:
Owner Name:
Owner Title and Dept:
Owner Phone:
Owner Email:
Custodian Name(s):
Custodian Title and Dept:
Custodian Phone(s):
Custodian Email(s):
Date of submission:
IRB Institution(s), if research:
Active IRB Number(s), if research:


QN 1. AUTHENTICATION

Sign-on with UserID and secret password for all services and data access methods associated with the EPHI is required. Provide a list of users and custodians who can access this asset (add lines as necessary). All custodians, including system administrators, should be listed and may be aggregated under a group name without UserID.

A common generic UserID to access clinical data is strongly discouraged and is usually not permitted. Specifically, with fewer than 20 users, defining accounts for individual users is not considered an onerous task. It is recommended that the asset software be configured to turn off or severely restrict the use of common generic UserIDs. If, however, such a generic UserID is used, appropriate justification must be provided in the response below.

Response:

User ID | User Name | Title/Dept


QN 2. AUTHORIZATION

A written access authorization grid or rule is required that specifies which user has/had what kind of access to the EPHI, and why. Provide this information below (add lines as necessary). A system administrator (custodian) who manages the computer should also be listed.

Response:

User ID | Asset function (Read/Update/All/Administer/etc.) | Role/Reason | Status (Active/Term) | Start date | End Date


QN 3. AUDIT LOGS

Audit logs of an asset show who accessed what EPHI of which patient and when. Audit logs are highly desirable when investigating security incidents, both to punish violators and to protect the innocent. They also help in understanding how and when the asset is accessed.

Investigate with the custodians what kinds of audit logs are possible and available at the system, database, and/or application level for the asset, and have them enabled to the maximum possible extent. Describe below what level of audit logs is maintained for the asset.

Response:


QN 4. DEVICE EXPOSURE

Information assets include the collection of EPHI data as well as the devices used to store that data. Identify below the number of hardware devices used to store or to access EPHI. The total number of devices that contain PHI should be less than 10 for the asset to qualify for this questionnaire.

Response:

Servers that contain EPHI (within Institution): ...
Workstations that contain EPHI (within Institution): ...
Servers that contain EPHI (outside Institution): ...
Workstations that contain EPHI (outside Institution): ...
Biomedical devices that contain EPHI: ...
Total devices that contain EPHI: ...
All workstations, PDAs, etc. that access EPHI: ...
Total devices that store or access EPHI: ...


QN 5. PROTECTION AGAINST MALICIOUS SOFTWARE

All devices that store or access EPHI must have basic security protections.

Currently, Anti-virus software and Anti-spyware software are required. These protect from malicious software stealing or damaging data, hijacking and improper use of the devices, stealing passwords, etc.

Additional protections are desirable – for example, all devices within the institution are protected by a firewall from attacks and threats from the Internet. Some devices such as Biomedical devices and servers in central data centers are additionally protected using building or data center firewalls.

Computers such as Windows XP (SP2), Macintosh OS X, Linux and variations of Unix must have local (or personal) host-based firewalls turned on. This security protection permits only controlled and pre-defined access to the systems and data on the computers.

Other desirable protections include periodic password strength checks, as well as host integrity check software that proactively protects the servers, workstations and access devices.

Finally, all software in the devices, specifically the operating system, databases, web and other servers must be frequently monitored for security vulnerabilities as announced by the software vendors, and security patches and updates to anti-virus and anti-spyware software must be applied as and when they are made available by the vendors.

Indicate below the protections that are in place currently, and the person who is responsible for monitoring of the same.

Response:

Protection description | Type (R: Required, D: Desirable) | How implemented? (such as: name of software or vendors, versions, reports or logs, etc.) | Userid/Name of the responsible person/group
Anti-virus, regular updates | R | |
Anti-spyware, regular updates | R | |
Vulnerability checks | R | |
Patching of security updates for the OS, database, etc. | R | |
Special network firewalls | D | |
Local/personal firewalls | R | |
Other checks | D | |


QN 6. ENCRYPTION AND INTEGRITY

EPHI carried or transmitted outside of the institutional network requires special consideration for encryption and information integrity. Specifically, if EPHI is accessed over the Internet or wireless networks, both of which are inherently at higher risk than the institutional network, then such transmission should be encrypted and should occur over reliable network protocols (such as TCP). Alternatively, if EPHI is stored on mobile devices such as laptops and Personal Digital Assistant devices, the mobile device must implement user sign-on with strong passwords and/or encryption of data to reduce the risk of exposure due to device theft or accidents. It is highly desirable to implement both security protection mechanisms. On many operating systems (Windows XP, Mac OS X), one can encrypt the data stored on the system by encrypting the folders; such encryption of EPHI at rest is highly recommended.

Explain in detail how the EPHI transmission and storage are encrypted, and identify the person who implemented the solutions.

Response:

Security Protection | Describe mechanism | Userid/Name of the responsible person/group
Encryption on EPHI transmission over the Internet | |
Encryption of EPHI storage in laptop/EPHI | |
Sign on to access laptop/EPHI | |


QN 7. PHYSICAL SECURITY

All devices that contain EPHI must be physically secured. EPHI, however, is additionally stored in passive storage media (Floppy disks, CD-Rom, USB storage devices, Tapes). Regular backups are recommended to protect against loss of data; the backup tapes contain clinical data, and must be maintained securely. Similarly, data may be exchanged or backed up using Floppy disks, CD-Rom, USB storage devices, and other storage media. An important protection is to monitor where such media are kept, how they are handled, and also to take steps to remove and destroy all clinical data once the purpose of that data is completed. Sometimes, it may be appropriate to physically destroy the media.

Describe below the physical security environment of the asset and the associated media.

Response:

Security consideration | Describe management | Userid/Name of the responsible person/group
Physical access to devices containing EPHI (door locks, computer locks, card access, etc.) | |
Environmental management of the location where these devices are placed (Humidity, Temperature, Dust, etc.) | |
Types of passive media used for backup (tapes, disks), and their physical protection | |
Types of passive media (CDs, DVDs, USB devices, Zip disks, etc.) used for information exchange, and their physical protection (locked cabinets, destruction, etc.) | |
Disposal of devices and media when they are no longer required | |


QN 8. CONTINGENCY

If the EPHI asset is used to deliver or influence the delivery of ongoing patient care, one must carefully consider the availability of that asset. Specifically, such assets must guard against ‘system down’ situations by considering information backup, physical device backup, formal methods to retrieve backups and make the asset available to users, and prior determination of the procedures that users should follow when the asset is unavailable in the short term as well as the long term. These considerations of the availability of the asset are placed in the Contingency Plan for the asset.

Explain the Contingency Plan below.

Response:

Contingency plan considerations | Describe process in place, if applicable | Userid/Name of the responsible person/group
Is the asset used for ongoing patient care? | |
If yes above, describe backup methods in place to address short-term unavailability | |
If yes above, describe end-user processes to address short-term unavailability of the asset | |
If yes above, describe disaster recovery methods in place to address long-term unavailability | |
If yes above, describe end-user processes to address long-term unavailability of the asset | |


QN 9. EPHI EXCHANGE AND BUSINESS ASSOCIATE AGREEMENT

If EPHI is sent to or received from other assets (using methods like ftp, copy, tape or CD transfers, etc.), it is necessary to ensure that there is a legal basis that the information will be protected. If the transfer is to an entity that is not covered under HIPAA regulations, a legal contract with specific language (called a Business Associate Agreement) is required. This agreement is also required for vendors who access our systems for maintenance purposes and may thus be able to access EPHI. If the transfer is over public networks, appropriate encryption solutions are required. You should include all transfers that are electronic, even if they are not real-time transfers, such as data copied onto tapes or CDs.

Provide information about the partners that receive or send EPHI below.

Response:

Description of transferred EPHI | Recv From (F) or Send To (T) or Access (A) | Partner asset name/description | Owner name and contact info | HIPAA covered? (Yes/No) | EPHI moves/transfers over Internet? (Yes/No) If yes, is the transfer encrypted? (Yes/No/Not Appl) | BA Agreement (Yes/No/Not Appl)


QN 10. TRAINING

All EPHI users should be trained in their responsibilities towards EPHI security. The relevant information security policies are in the areas of password management, sign-on and sign-off, workstation use and security, and security incident reporting procedures. Various training materials are available.

The owners of EPHI assets should use asset questionnaires as the basis of responsibilities associated with management of an asset, and should understand the Information Security policies and procedures.

Response:

Is there regular review and reinforcement of individual and team responsibilities towards EPHI privacy and security by the owner? (Yes/No)

QN 11. SECURITY INCIDENT REPORTING

Significant security issues should be investigated and reported to the appropriate authorities as described in the Security Incident Reporting policy. Such issues include malicious infections with Trojans and keyloggers, unauthorized access, and accidental or malicious exposure or destruction of EPHI information, etc. The IRB may be informed if the asset is IRB-approved research.

Identify the person who will document and report a Security Incident as required in Security Incident Report Policy.

Response:

Identify the person responsible for Security Incident Reporting


Questionnaire Samples

Case 1. A set of EPHI files stored on local PC used for clinical operations.

ASSET INFORMATION

Asset Name: Quality report for State Registry
Asset Description: Cardiac Cath data
Owner Name: Qadir Smith
Owner Title and Dept: Manager, Finance recovery
Owner Phone: 212-305-9989
Owner Email: [email protected]
Custodian Name(s):
Custodian Title and Dept:
Custodian Phone(s):
Custodian Email(s):
Date of submission: 4/15/2005
IRB Institution(s), if research:
Active IRB Number(s), if research:

AUTHENTICATION

User ID | User Name | Title/Dept
Qas2 | Qadir Smith | Manager, Finance recovery
Bal99 | Barry A London | QA, Finance Recovery
Md2 | Monalisa Davinci | Temp Programmer, Finance recovery

AUTHORIZATION

User ID | Asset function (Read/Update/All/Admin/etc.) | Role/Reason | Status (Active/Term) | Start date | End Date
Qas2 | All | Manager | Active | 5/10/03 |
Bal99 | Update | Quality Analyst | Active | 5/10/03 |
CUBHIS Desktop group | Manage computers | Manage computer | Active | - | -
Md2 | Update | Programmer | Term | 5/10/03 | 4/15/04

AUDIT LOGS

See examples in the next case.

DEVICE EXPOSURE


Servers that contain EPHI (within Institution): 0
Workstations that contain EPHI (within Institution): 3
Servers that contain EPHI (outside Institution): 0
Workstations that contain EPHI (outside Institution): 0
Biomedical devices that contain EPHI: 0
Total devices that contain EPHI: 3
All workstations, PDAs, etc. that access but do not store EPHI: 0
Total devices that store or access EPHI: 3

PROTECTION AGAINST MALICIOUS SOFTWARE

Protection description | Type (R: Required, D: Desirable) | How implemented? (such as: name of software or vendors, versions, reports or logs, etc.) | Userid/Name of the responsible person/group
Anti-virus, regular updates | R | Symantec Anti-virus 9.0 | CUBHIS
Anti-spyware, regular updates | R | Microsoft Giant (to be implemented) | CUBHIS
Vulnerability checks | R | Workstations configured securely by CUBHIS | CUBHIS
Patching of security updates for the OS, database, etc. | R | Updates through Microsoft SUS | CUBHIS
Special network firewalls | D | Internet Firewall | CUBHIS
Local/personal firewalls | R | Use of XP SP2 local firewall | CUBHIS
Other checks | D | None |

ENCRYPTION AND INTEGRITY

Security Protection | Describe mechanism | Userid/Name of the responsible person/group
Encryption on EPHI transmission over the Internet | WinZIP with AES encryption, VPN connectivity | WinZIP by qas2, VPN by IS Core Resources
Encryption of EPHI storage in laptop/EPHI | None |
Sign on to access laptop/EPHI | None |

PHYSICAL SECURITY

Security consideration | Describe management | Userid/Name of the responsible person/group
Physical access to devices containing EPHI (door locks, computer locks, card access, etc.) | Workstations are in a restricted area. | Qas2
Environmental management of the location where these devices are placed (Humidity, Temperature, Dust, etc.) | Usual office environment | Qas2
Types of passive media used for backup (tapes, disks), and their physical protection | CDs as backup | Bal99
Types of passive media (CDs, DVDs, USB devices, Zip disks, etc.) used for information exchange, and their physical protection (locked cabinets, destruction, etc.) | None |
Disposal of devices and media when they are no longer required | Workstation disposal | CUBHIS

CONTINGENCY

Contingency plan considerations | Describe process in place, if applicable | Userid/Name of the responsible person/group
Is the asset used for ongoing patient care? | No |
If yes above, describe backup methods in place to address short-term unavailability | Not Applicable |
If yes above, describe end-user processes to address short-term unavailability of the asset | Not Applicable |
If yes above, describe disaster recovery methods in place to address long-term unavailability | Not Applicable |
If yes above, describe end-user processes to address long-term unavailability of the asset | Not Applicable |

EPHI EXCHANGE AND BUSINESS ASSOCIATE AGREEMENT

Description of transferred EPHI | Recv From (F) or Send To (T) or Access (A) | Partner asset name/description | Owner name and contact info | HIPAA covered? (Yes/No) | EPHI moves/transfers over Internet? (Yes/No) If yes, is the transfer encrypted? (Yes/No/Not Appl) | BA Agreement (Yes/No/Not Appl)
Report of all cardiac cath adverse results | T | NY State Error registry | GG Lowery, Albany, [email protected] | No, but govt. | Yes, Yes (Winzip password) | NA (govt.)

TRAINING

Is there regular review and reinforcement of individual and team responsibilities towards EPHI privacy and security by the owner? (Yes/No)

Yes, reviewed during weekly meeting.

SECURITY INCIDENT REPORTING

Identify the person responsible for Security Incident Reporting

Qas2


Case 2. An EPHI database stored on a local server used for research.

ASSET INFORMATION

Asset Name: Cardiology Research Name
Asset Description: Database of Electrocardiogram reports and tracings
Owner Name: Joseph Brown
Owner Title and Dept: Asst Prof, Cardiology, Medicine
Owner Phone: 212-305-9998
Owner Email: [email protected]
Custodian Name(s): John Smith
Custodian Title and Dept: System Admin, Medicine
Custodian Phone(s): 212-342-9989
Custodian Email(s): [email protected]
Date of submission: 3/22/2005
IRB Institution(s), if research: Columbia University
Active IRB Number(s), if research: IG98945

AUTHENTICATION

User ID | User Name | Title/Dept
JOEBROWN | Joseph Brown | Asst Prof, Cardiology, Medicine
MATHSMART | Matthew Smart | Assoc Res Scientist, Biostatistics
PUTTGTHER | Putnam T Gather | Coordinator, Medicine, Service Corporation
JRPROGRAM | Junior Programmer | Programmer, Medicine
JOHNSMITH | John Smith | System Admin, Medicine
OLDSMITH | Olden Smith | System Admin, Medicine
DAVINCM | Monalisa Davinci | Temp Programmer, Medicine

AUTHORIZATION

User ID | Asset function (Read/Update/All/Admin/etc.) | Role/Reason | Status (Active/Term) | Start date | End Date
JOEBROWN | All | Principal Investigator | Active | 3/7/04 |
MATHSMART | Read | Statistician | Active | 3/7/04 |
PUTTGTHR | Update | Coordinator | Active | 1/1/05 |
JRPROGRAM | Admin | Programmer | Active | 4/10/04 |
JOHNSMITH | Manage computer | Local System Administrator | Active | 3/7/04 |
OLDSMITH | Used to manage computer | Local System Administrator | Term | 3/7/04 | 12/31/04
DAVINCM | Update | Programmer | Term | 5/10/03 | 4/15/04

AUDIT LOGS

Example 1 (Weak)

There are no audit logs with the files. The files are exchanged using floppies and CDs between the users. All users understand that there are no audit logs, and therefore it is assumed that all users have seen all data in the asset.

Example 2 (Weak, but better)

There are only server sign-on logs (userid and date-time) available, which are kept for 60 days. The users understand that if they sign on to the server, it is assumed that they have seen all data in the asset.

Example 3 (Weak, but better)

The web-based application has a sign-on log (userid, date-time, browser IP address, URL). The logs are rotated every week and kept for the past 8 weeks. The users understand that if they sign on to the web application, it is assumed that they have seen all data in the asset.

Example 4 (Good)

There are 2 kinds of logs: (1) a sign-on log to the server (userid and date-time), and (2) an access log to specific files in the asset by an individual who has signed on (userid, date-time, filename). The logs are kept for the past 30 days on the system.

Example 5 (Very Good)

An application log exists that logs user sign-on as well as the patient records that were accessed by the user. The log includes userid, date-time of sign-on, MRN of a patient, and date-time when that patient record was accessed. The logs are kept locally for the last 3 months, but are also sent daily to the central audit log storage facility for long term storage and correlation with other access.

Example 6 (Excellent)

An application log exists that logs user sign-on (userid, date-time, client IP address) as well as details of each access by the user (date-time of access, MRN of a patient, type of data that was accessed (demographics, orders, EKG, Lab, Discharge Summary, etc.) and kind of access (read, add, update, print, etc.)). The logs are kept locally for the last 7 days, but are also sent daily to the central audit log storage facility for long term storage and correlation with other access.
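As an added illustration (not part of the original questionnaire), the following Python script parses constructed audit records in the shape of Example 6 and answers the QN 3 question of who accessed which patient's record and when; it also flags accesses with no preceding sign-on by the same userid (a logging gap worth investigating) and lists records past the 7-day local retention window that must already be at the central store. The pipe-delimited layout, the private IP addresses and the MRN values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed record layout (the questionnaire lists the fields, not a format):
#   SIGNON|<date-time>|<userid>|<client ip>
#   ACCESS|<date-time>|<userid>|<MRN>|<data type>|<access kind>
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample log; userids come from the Case 2 sample, MRNs are made up.
SAMPLE_LOG = """
SIGNON|2005-03-01 08:02:11|JOEBROWN|10.1.2.3
ACCESS|2005-03-01 08:05:40|JOEBROWN|MRN0001|EKG|read
ACCESS|2005-03-01 08:06:02|JOEBROWN|MRN0001|demographics|print
SIGNON|2005-03-02 13:15:00|MATHSMART|10.1.2.7
ACCESS|2005-03-02 13:20:31|MATHSMART|MRN0002|Lab|read
ACCESS|2005-03-03 09:00:00|JRPROGRAM|MRN0001|orders|update
"""


@dataclass
class AuditRecord:
    kind: str                          # "SIGNON" or "ACCESS"
    when: datetime
    userid: str
    client_ip: Optional[str] = None    # SIGNON only
    mrn: Optional[str] = None          # ACCESS only
    data_type: Optional[str] = None    # demographics, orders, EKG, Lab, ...
    access_kind: Optional[str] = None  # read, add, update, print, ...


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, TS_FORMAT)


def parse_line(line: str) -> AuditRecord:
    """Parse one record; reject anything that does not match the two layouts."""
    parts = line.strip().split("|")
    kind = parts[0]
    if kind == "SIGNON" and len(parts) == 4:
        return AuditRecord(kind, parse_ts(parts[1]), parts[2], client_ip=parts[3])
    if kind == "ACCESS" and len(parts) == 6:
        return AuditRecord(kind, parse_ts(parts[1]), parts[2], mrn=parts[3],
                           data_type=parts[4], access_kind=parts[5])
    raise ValueError(f"malformed audit record: {line!r}")


def parse_log(text: str) -> List[AuditRecord]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def accesses_to_patient(records: List[AuditRecord], mrn: str) -> List[AuditRecord]:
    """Who accessed this patient's EPHI, what kind of data, and when."""
    hits = [r for r in records if r.kind == "ACCESS" and r.mrn == mrn]
    return sorted(hits, key=lambda r: r.when)


def accesses_without_signon(records: List[AuditRecord]) -> List[AuditRecord]:
    """ACCESS records not preceded by a SIGNON of the same userid: either the
    sign-on log is incomplete or the data was reached outside the application."""
    signed_on = set()
    orphans = []
    for r in sorted(records, key=lambda r: r.when):
        if r.kind == "SIGNON":
            signed_on.add(r.userid)
        elif r.userid not in signed_on:
            orphans.append(r)
    return orphans


def beyond_local_retention(records: List[AuditRecord], now: datetime,
                           local_days: int = 7) -> List[AuditRecord]:
    """Records older than the local window (7 days in Example 6); by then they
    must already have been forwarded to the central audit log store."""
    cutoff = now - timedelta(days=local_days)
    return [r for r in records if r.when < cutoff]


def main() -> None:
    recs = parse_log(SAMPLE_LOG)
    print("Accesses to MRN0001:")
    for r in accesses_to_patient(recs, "MRN0001"):
        print(f"  {r.when}  {r.userid:<10} {r.data_type:<13} {r.access_kind}")
    print("Accesses with no preceding sign-on:")
    for r in accesses_without_signon(recs):
        print(f"  {r.when}  {r.userid}  {r.mrn}")
    old = beyond_local_retention(recs, parse_ts("2005-03-09 00:00:00"))
    print(f"Records past the 7-day local window: {len(old)}")


if __name__ == "__main__":
    main()
```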

DEVICE EXPOSURE

Servers that contain EPHI (within Institution): 1
Workstations that contain EPHI (within Institution): 3
Servers that contain EPHI (outside Institution): 1
Workstations that contain EPHI (outside Institution): 0
Biomedical devices that contain EPHI: 0
Total devices that contain EPHI: 5
All workstations, PDAs, etc. that access but do not store EPHI: 3
Total devices that store or access EPHI: 8

PROTECTION AGAINST MALICIOUS SOFTWARE

Protection description | Type (R: Required, D: Desirable) | How implemented? (such as: name of software or vendors, versions, reports or logs, etc.) | Userid/Name of the responsible person/group
Anti-virus, regular updates | R | Symantec Anti-virus 9.0 | CUBHIS
Anti-spyware, regular updates | R | CA PestPatrol | CUBHIS
Vulnerability checks | R | Workstations configured securely by CUBHIS | CUBHIS
Patching of security updates for the OS, database, etc. | R | Planned updates | CUBHIS
Special network firewalls | D | Internet Firewall | Core Resources
Local/personal firewalls | R | Use of Linux and XP SP2 local firewall | JOHNSMITH
Other checks | D | Tripwire for host integrity check | CUBHIS

ENCRYPTION AND INTEGRITY

Security Protection | Describe mechanism | Userid/Name of the responsible person/group
Encryption on EPHI transmission over the Internet | Ssh access, SSL-based Web server | JOHNSMITH
Encryption of EPHI storage in laptop/EPHI | Encrypting File System on Windows XP | JOHNSMITH
Sign on to access laptop/EPHI | Windows XP Signon, Palm and Blackberry Signon | JOHNSMITH


PHYSICAL SECURITY

Security consideration | Describe management | Userid/Name of the responsible person/group
Physical access to devices containing EPHI (door locks, computer locks, card access, etc.) | Servers are in a physically restricted area in the data center; access permitted to authorized personnel | CUBHIS
Environmental management of the location where these devices are placed (Humidity, Temperature, Dust, etc.) | These are controlled in the Data Center | CUBHIS
Types of passive media used for backup (tapes, disks), and their physical protection | These are controlled in the Data Center | CUBHIS
Types of passive media (CDs, DVDs, USB devices, Zip disks, etc.) used for information exchange, and their physical protection (locked cabinets, destruction, etc.) | CDs can be created to copy research data. CDs are managed by the research members. PDAs have sign-on protection, and have been registered with the Physical Security department | JOHNSMITH, Researchers
Disposal of devices and media when they are no longer required | Tapes are broken before disposal. | CUBHIS, JOHNSMITH

CONTINGENCY

Contingency plan considerations | Describe process in place, if applicable | Userid/Name of the responsible person/group
Is the asset used for ongoing patient care? | No |
If yes above, describe backup methods in place to address short-term unavailability | Not Applicable |
If yes above, describe end-user processes to address short-term unavailability of the asset | Not Applicable |
If yes above, describe disaster recovery methods in place to address long-term unavailability | Not Applicable |
If yes above, describe end-user processes to address long-term unavailability of the asset | Not Applicable |

EPHI EXCHANGE AND BUSINESS ASSOCIATE AGREEMENT

Description of transferred EPHI | Recv From (F) or Send To (T) or Access (A) | Partner asset name/description | Owner name and contact info | HIPAA covered? (Yes/No) | EPHI moves/transfers over Internet? (Yes/No) If yes, is the transfer encrypted? (Yes/No/Not Appl) | BA Agreement (Yes/No/Not Appl)
ADT Info | F | Eagle System, via EGate. | AM Brown, Finance, 212-305-9999 | Yes | No | NA
EKG Reports | F | GE Muse System, via EGate. | AM Jones, Medicine, 212-305-9999 | Yes | No | NA
EKG Reports and Traces | F | Other system at a satellite care facility | AM Rivera, Director, Satellite Facility, 212-305-9999 | Yes | Yes, Yes (SSL) | No (Research agreement, both are HIPAA covered)

TRAINING

Is there regular review and reinforcement of individual and team responsibilities towards EPHI privacy and security by the owner? (Yes/No)

Yes, discussed weekly by JOEBROWN

SECURITY INCIDENT REPORTING

Identify the person responsible for Security Incident Reporting

JOHNSMITH, JOEBROWN


Case 3. An MRI system

ASSET INFORMATION

Asset Name: Power MRI Imaging system
Asset Description: MRI machine with 3T Magnet and Spectra software
Owner Name: BM Jordan, Maura Jones
Owner Title and Dept: VP, Operations; Director, MRI Services
Owner Phone: 212-305-4433, 212-305-9989
Owner Email: [email protected], [email protected]
Custodian Name(s): PM Rich
Custodian Title and Dept: MRI Vendor
Custodian Phone(s): 212-222-7767
Custodian Email(s): [email protected]
Date of submission: 4/1/2005
IRB Institution(s), if research:
Active IRB Number(s), if research:

AUTHENTICATION

User ID | User Name | Title/Dept
POWER | All users | This is a generic userid. The system is physically protected in a restricted area accessible to authorized users. The userid has a strong password, which is changed every 3 months or when a tech who knew the password leaves the institution, and is known only to the 12 users. Additionally, the system is protected by special network and host-level firewalls to protect against remote access. The vendor does not support individual userid accounts.

AUTHORIZATION

User ID | Asset function (Read/Update/All/Admin/etc.) | Role/Reason | Status (Active/Term) | Start date | End Date
POWER | All | Full access account | Active | 5/10/03 |

AUDIT LOGS

See Case 2.

DEVICE EXPOSURE

Servers that contain EPHI (within Institution): 2
Workstations that contain EPHI (within Institution): 3
Servers that contain EPHI (outside Institution): 0
Workstations that contain EPHI (outside Institution): 0
Biomedical devices that contain EPHI: 3
Total devices that contain EPHI: 8
All workstations, PDAs, etc. that access but do not store EPHI: 0
Total devices that store or access EPHI: 8

PROTECTION AGAINST MALICIOUS SOFTWARE

Protection description | Type (R: Required, D: Desirable) | How implemented? (such as: name of software or vendors, versions, reports or logs, etc.) | Userid/Name of the responsible person/group
Anti-virus, regular updates | R | None on devices and workstations – vendor non-support; Symantec AV on servers | CUBHIS
Anti-spyware, regular updates | R | None on devices and workstations – vendor non-support | -
Vulnerability checks | R | Devices scanned for vulnerability at install time | CUBHIS
Patching of security updates for the OS, database, etc. | R | Manual updates | Vendor
Special network firewalls | D | Internet Firewall, Medical device firewall at Allen | Core Resources
Local/personal firewalls | R | None on devices and workstations – vendor non-support | -
Other checks | D | None | -

ENCRYPTION AND INTEGRITY

Security Protection | Describe mechanism | Userid/Name of the responsible person/group
Encryption on EPHI transmission over the Internet | Site-to-Site VPN for system maintenance | CUBHIS, Vendor
Encryption of EPHI storage in laptop/EPHI | None |
Sign on to access laptop/EPHI | None |

PHYSICAL SECURITY

Security consideration | Describe management | Userid/Name of the responsible person/group
Physical access to devices containing EPHI (door locks, computer locks, card access, etc.) | Devices, workstations and servers are all together in a physically restricted area; access is permitted only to operators and other authorized personnel | Maura Jones, Manager, MRI system
Environmental management of the location where these devices are placed (humidity, temperature, dust, etc.) | These are controlled as medical device environmental issues | Maura Jones, Manager, MRI system
Types of passive media used for backup (tapes, disks), and their physical protection | Tapes are stored in the same room | Maura Jones, Manager, MRI system
Types of passive media (CDs, DVDs, USB devices, Zip disks, etc.) used for information exchange, and their physical protection (locked cabinets, destruction, etc.) | CDs can be created to copy images. CDs are carried away by the researchers. | Researchers
Disposal of devices and media when they are no longer required | Tapes are broken before disposal. Servers and workstations are on lease from the vendor. With assistance from the vendor, the disks are erased before disposal. | Maura Jones, Manager, MRI system

CONTINGENCY

Contingency plan considerations | Describe process in place, if applicable | Userid/Name of the responsible person/group
Is the asset used for ongoing patient care? | Yes | Maura Jones
If yes above, describe backup methods in place to address short-term unavailability | The data in the system are copied to a separate PACS system | PACS group, Maura Jones
If yes above, describe end-user processes to address short-term unavailability of the asset | Patients are scheduled to other MRI machines | Maura Jones, Radiology operations group
If yes above, describe disaster recovery methods in place to address long-term unavailability | None |
If yes above, describe end-user processes to address long-term unavailability of the asset | Patients are scheduled to other MRI machines | Maura Jones, Radiology operations group

EPHI EXCHANGE AND BUSINESS ASSOCIATE AGREEMENT

Description of transferred EPHI | Recv From (F) or Send To (T) or Access (A) | Partner asset name/description | Owner name and contact info | HIPAA covered? (Yes/No) | EPHI moves/transfers over Internet? (Yes/No) If yes, is the transfer encrypted? (Yes/No/Not Appl) | BA Agreement (Yes/No/Not Appl)
Images | T | PACS system | PM Brown, Radiology, 212-305-9999 | Yes | No | NA
All data | A | MRI Vendor | PM Rich, MRI Vendor, 212-222-7767 | No | Yes, Yes | Yes

TRAINING

Is there regular review and reinforcement of individual and team responsibilities towards EPHI privacy and security by the owner? (Yes/No)

Yes, discussed monthly by Maura Jones

SECURITY INCIDENT REPORTING

Identify the person responsible for Security Incident Reporting

Maura Jones
