The information transmitted in this document is intended only for the addressee and
may contain confidential and/or privileged material. Any interception, review,
retransmission, dissemination or other use of or taking of any action upon this
information by persons or entities other than the intended recipient is prohibited by
law and may subject them to criminal or civil liability.
Proprietary and Confidential Information shall include, but not be limited to,
performance, sales, financial, contractual and special marketing information, ideas,
technical data and concepts originated by the disclosing party, its subsidiaries and/or
affiliates, not previously published or otherwise disclosed to the general public, not
previously available without restriction to the receiving party or others, nor normally
furnished to others without compensation, and which the disclosing party desires to
protect against unrestricted disclosure or competitive use, and which is furnished
pursuant to this deliverable and appropriately identified as being proprietary when
furnished.
Copyright © 2009 FishNet Security, Inc. All rights reserved. The FishNet Security,
Inc. (“FishNet Security”) logo is a registered trademark of FishNet Security. All other
products and company names mentioned herein are trademarks or registered
trademarks of their respective owners.
Proprietary and Confidential April 15, 2009 v.1 ii
Copyright © 2009 FishNet Security, Inc. All rights reserved.
Table of Contents
Executive Summary .................................................................................................................................... 1
Engagement Objectives ................................................................................................................................ 1
Scope of Work ............................................................................................................................................. 2
Approach ....................................................................................................................................................... 2
High-Level Findings .................................................................................................................................... 4
Overview ....................................................................................................................................................... 4
Appendix A .................................................................................................................................................. 6
Detailed findings and Recommendations ..................................................................................................... 6
ABC Company
HIPAA GAP Assessment
Executive Summary
ABC Company operates in the business process outsourcing (BPO) services industry. As
ABC Company continues to expand its range of service offerings into new industries, compliance with
regulatory acts and standards involving data systems security becomes increasingly important. Topping
the list for regulatory compliance is the Health Insurance Portability and Accountability Act (HIPAA). As
ABC Company considers providing new health-related services to its client base, compliance with HIPAA
and other standards aimed at the protection and safeguarding of health-related information is a critical
component of establishing and sustaining these services.
HIPAA comprises two separate but related rules focused on the identification and
classification of protected health-related information and the protection of such information in the
enterprise. The first of the two rules is the Privacy Rule. The HIPAA Privacy Rule covers
protected health information (PHI) in all forms (paper, oral and electronic). The second is the HIPAA
Security Standard Final Rule, which applies only to PHI that is maintained or transmitted in electronic form
(EPHI). For the most part, the HIPAA Security Rule does not prescribe specific safeguards for all
covered entities to use regardless of their circumstances. Rather, it expects each covered entity to
evaluate its protection approach in light of its mission, budget and good information assurance practices.
A covered entity is any organization that stores, processes or transmits protected health information (in
any form) and must comply with the provisions described in HIPAA. FishNet Security assumes ABC
Company’s status under HIPAA to be that of a covered entity. Covered entities must comply with the
applicable provisions listed in both the HIPAA Privacy and Security Rules. Therefore, this report measures
ABC Company’s environment using the data security and protection control areas contained in both
standards.
The remaining sections of this report describe the objectives of the engagement, the standards used, and a
listing of the variances discovered using those standards as a baseline measurement. The main body of this
report contains a section of high-level findings and the recommendations required to achieve HIPAA
compliance as either a covered entity or a business associate. This section aims to provide ABC
Company’s senior leadership team with key information on both ABC Company’s current and future state
of HIPAA compliance. A detailed listing of (technical) findings can be found in Appendix A.
Engagement Objectives
ABC Company provides both onshore and offshore BPO services through 14 delivery centers throughout
the United States and abroad.
ABC Company engaged FishNet Security to conduct an assessment of its information processing
environment using the standards contained in HIPAA. The HIPAA security compliance gap assessment
is the first step in addressing ABC Company’s specific business-driven requirements and regulatory
issues pertaining to PHI. ABC Company has identified the need for a risk-based assessment based on
HIPAA requirements to assist in the further development and advancement of the strategic position and
approach of Information Security within the organization.
The HIPAA Privacy Rule and the HIPAA Security Standard Final Rule specify a series of
administrative, technical, and physical security procedures for covered entities to use to assure the
confidentiality of electronic protected health information. The standards are delineated into either required
or addressable implementation specifications. The HIPAA regulation and its rules require
organizations that have access to PHI to ensure that their security requirements are in compliance.
Scope of Work
The scope of our engagement was to perform a high-level HIPAA gap assessment of ABC Company’s
data processing environment and the related policies and procedures within the Information Services
function. Our objective was to measure ABC Company’s general computer, information security and data
protection controls using the HIPAA Privacy and Security Rules as a baseline. FishNet Security does not
express an opinion or provide assurance as to the design or operating effectiveness of those controls
and, accordingly, does not offer any such assurance with respect to any specified objectives.
Approach
HIPAA Security Assessment Methodology
FishNet Security reviewed each of the applicable areas of ABC Company’s environment to determine the
“current state” of HIPAA compliance. The methodology included in-depth interviews with ABC Company’s
key business and Information Technology leaders to assess the organization’s understanding of and
commitment to complying with the applicable areas of the HIPAA Privacy and Security Rules. Through
inquiry and observation, FishNet Security consultants reviewed ABC Company’s policies, processes and
procedures related to the protection of health-related information.
FishNet Security performed a physical on-site visit to the corporate data center to assess specific
physical, environmental and data access controls related to the protection of protected health
information processing facilities and repositories. FishNet Security aggregated the information collected
during this visit and incorporated it into the high-level HIPAA gap analysis matrix. This matrix contains
a complete listing of the areas listed in the standard as “required or addressable”, including detailed
descriptions of any ABC Company in-place controls, compensating controls or variances from the HIPAA
Privacy and Security Rules.
HIPAA Compliance Review
The HIPAA Security Standard Final Rule specifies a series of administrative, technical, and physical
security procedures for covered entities that are used to assure the confidentiality of electronic protected
health information. These standards are delineated into either required or addressable implementation
specifications. Both HIPAA rules provide a framework for organizations to measure compliance with each
standard. FishNet Security performed the following actions to determine compliance with each HIPAA
rule:
• Obtained and reviewed applicable information security policies, processes and procedures
• Assessed the potential risks and vulnerabilities to data related to non-compliance
• Interviewed key ABC Company personnel to understand critical business and IT processes
related to compliance with these safeguards
The HIPAA Security Standard Final Rule applies to all individually identifiable health information that is in
electronic form, whether it is being stored or transmitted. The goal is to protect against threats to
information security or integrity, and against unauthorized use or disclosure. Using the HIPAA Security
Standard Final Rule as a baseline, FishNet Security reviewed (where applicable) ABC Company’s:
• Administrative procedures, to ensure access to information is limited to appropriate parties and
guard information from all others
• Technical procedures, to ensure the balance of timely access to needed health information with
the need to protect its confidentiality and integrity
• Technical security mechanisms, to review whether information is kept from being easily
intercepted by third parties via external entry points
• Physical security procedures, with a focus on preventing unauthorized individuals from gaining
access to electronic information
FishNet Security measured ABC Company’s information processing environment using only the
applicable areas of the HIPAA Privacy and Security rules. As ABC Company does not currently handle
protected health information nor is considered a “covered entity” under HIPAA, only those areas of each
rule applicable to ABC Company’s environment were assessed and appear in the subsequent findings
and recommendations sections of this report.
Interviews Conducted
During the course of this engagement, FishNet Security conducted the following interviews:
Sarah Jones – Vice President and Chief Information Security Officer
Mike Smith – Director, US Human Resources Services
John Cooper – Vice President, Global Sales Operations
Mary Rogers – Business Continuity Planning
Documents examined
• Security Management Policy
• Organization of Security Policy
• Risk Assessment and Treatment Policy
• Asset Management Policy
• Human Resources Policy
• Physical and Environmental Security Policy
• Communications and Operations Management Policy
• Third Party Service Delivery Management Policy
• Protecting against malicious code policy
• Data Backup Policy
• Network Security Management Policy
• Media Handling and Destruction Policy
• Access Control Policy
• System Acquisition, Development and Maintenance Policy
• Incident Management Policy
• Business Continuity Management Policy
• Compliance Policy
• Acceptable Use Policy
• Encryption Key Management Policy
High-Level Findings
Overview
The findings in this section outline the requirements for HIPAA compliance as either a covered entity or a
business associate. As access to health information may be required as part of an ABC Company
strategic business service offering, the organization should consider how it will allow and safeguard
access to PHI to meet the provisions under HIPAA. Should ABC Company’s executive management
decide to achieve a covered entity status, HIPAA compliance requirements become increasingly
comprehensive.
Covered entities have stringent requirements for both logical and physical segmentation of networks and
information processing sites whereas a business associate may require less complexity to meet HIPAA
information protection standards. In any case, ABC Company should examine the unique and specific
requirements in either category to determine the appropriate approach based on the needs of its business
units.
Information Segmentation (Physical and Logical)
As previously stated, covered entity requirements to protect health-related information are rigorous by
design and require careful consideration from a cost and support perspective. Covered entities must
protect information both from unauthorized access (provisioning and logical control) and from unauthorized
viewing and dissemination (physical control). Logical segmentation may require ABC Company to
architect and build a completely separate network that processes, stores and transmits PHI. Access to
and provisioning of this information would be limited to, and provided by, those personnel and
administrators who have been appropriately cleared and have a “right” to such information.
Under HIPAA, meeting physical segmentation requirements requires the isolation of both ABC Company
personnel and systems administrators that have access to PHI. The relocation of personnel to a specific
space, floor or building may be required to adequately restrict EPHI personnel and data from other
business and information technology functions within the enterprise. Floors, walls and other physical
limiting barriers may have to be constructed in order to meet the hard requirements for limited physical
access to protected health information. ABC Company should examine the requirements for compliance
in each category and determine the implementation of security and information protection controls
required to meet HIPAA standards.
The following table outlines the specific requirements for logical and physical segmentation according to
each compliance category (covered entity and business associate):
Physical segmentation (walls, floors, doors, locks, datacenters, etc.)
Required for a covered entity? Yes
Required for a business associate? Not necessarily. Based on a review of ABC Company’s information processing environment, the in-place controls may be sufficient to meet the requirements in this category.
Workstations that access EPHI must be isolated from other workstations that do not access EPHI. Polarized screens must also be used.
Required for a covered entity? Yes
Required for a business associate? No
Logical access to EPHI must be provisioned separately from access to other forms of non-EPHI.
Required for a covered entity? Yes
Required for a business associate? No
Servers, databases and other network devices that process, transmit and/or store EPHI must be logically separate from non-EPHI systems.
Required for a covered entity? Yes
Required for a business associate? No
Control of removable media
Required for a covered entity? Yes
Required for a business associate? Yes
Backup media encryption
Required for a covered entity? Yes
Required for a business associate? No
EPHI storage (server, database, SAN, etc.)
Required for a covered entity? Yes
Required for a business associate? No
Secure and segregated movement of EPHI backup media
Required for a covered entity? Yes
Required for a business associate? No
Separate workforce clearance process
Required for a covered entity? Yes
Required for a business associate? No
Business Continuity
Business continuity and availability are key components of HIPAA compliance. The act outlines several
significant requirements covering the availability of and access to protected health information in the event
of an emergency, natural disaster or catastrophic systems failure. Although ABC Company has a
documented business continuity and disaster recovery program currently in place, it has yet to be
adequately tested and further developed in the United States.
Capacity planning has yet to be tested and validated (at each location) to adequately sustain normal
operations in the event of a business interruption. Some testing of the business continuity plan has been
performed in the Philippines; however, seat testing and validation has not occurred. Failover to other data
processing sites has not been fully tested or implemented in the U.S. or abroad at all of the ABC
Company data center locations. The absence of such testing may have a significant impact on ABC
Company’s ability to provide the required level of emergency access to EPHI in the event of a natural
disaster or systems failure.
The requirement for a covered entity to have protected health information highly available (even to
unauthorized personnel in the event of an emergency) is a critical requirement of compliance and
subsequently has a very high consequence for non-compliance under the HIPAA enforcement rule.
The following table illustrates the requirements for business continuity compliance under HIPAA:
Emergency access to EPHI (including temporary access to unauthorized individuals)
Required for a covered entity? Yes
Required for a business associate? Not necessarily. Depending on the type of information that is stored, processed and/or transmitted with ABC Company, the organization may not have to comply with this requirement.
Emergency decryption of EPHI in the event of an emergency
Required for a covered entity? Yes
Required for a business associate? Not necessarily. Depending on the type of information that is stored, processed and/or transmitted with ABC Company, the organization may not have to comply with this requirement.
Emergency authentication to EPHI
Required for a covered entity? Yes
Required for a business associate? Not necessarily. Depending on the type of information that is stored, processed and/or transmitted with ABC Company, the organization may not have to comply with this requirement.
Emergency recovery of EPHI from encrypted backup media
Required for a covered entity? Yes
Required for a business associate? Not necessarily. Depending on the type of information that is stored, processed and/or transmitted with ABC Company, the organization may not have to comply with this requirement.
Appendix A
Detailed findings and Recommendations
Finding #1
Applicable Standard: HIPAA Privacy Rule
Control Section:
Control Area: Chief Privacy Officer
Implementation Specification:
Issue: ABC Company does not currently have a formalized role or a single person appointed to address
all concerns related to protected health information.
Recommendation: ABC Company should appoint a Chief Privacy Officer (CPO) with responsibilities for
the protection and safeguard of protected health information. The CPO’s primary responsibility would be
to ensure that ABC Company’s policies, processes and procedures related to the handling of protected
health information comply with HIPAA. The CPO should report directly to the CEO or Chief Executive
Counsel.
Finding #2
Applicable Standard: HIPAA Security Standard Final Rule (Security Process Management)
Control Section: §164.308(a) (1) (ii) (C)
Control Area: Apply appropriate sanctions against workforce members who fail to comply with security
policies and procedures of the covered entity
Implementation Specification: Sanction Policy (Required)
Issue: ABC Company does not have a formalized sanction policy that details the process and procedures
for discipline of employees regarding breaches of the security of electronic protected health information.
Recommendation: ABC Company should develop a formalized policy for disciplining employees for
breaches of the security of EPHI. Those violations include failure to comply with ABC Company’s policies
and procedures. An investigation following the standard disciplinary process will determine the specific
sanction according to the severity and circumstances of the violation.
Finding #3
Applicable Standard: HIPAA Security Standard Final Rule
Control Section: 164.308(a) (2)
Control Area: Identify the security official who is responsible for the development and implementation of
the policies and procedures required for HIPAA security.
Implementation Specification: Assigned Security Responsibility (Required)
Issue: ABC Company has not formally assigned HIPAA security to a single individual.
Recommendation: FishNet Security recommends that ABC Company formally assign HIPAA security to a
single individual. Our recommendation includes the assignment of HIPAA security to the Chief Privacy
Officer reporting directly to the CEO or Chief Executive Counsel.
Finding #4
Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.308(a) (3) (i)
Control Area: Implement policies and procedures to ensure that all members of its workforce have
appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this
section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this
section from obtaining access to electronic protected health information.
Implementation Specification: Workforce Security (Required)
Issue: ABC Company has not specified how access to protected health information is provisioned to
users that have a right to such information. Although ABC Company has an access provisioning process,
it does not currently address how access to protected health information will be approved, granted and
revoked upon termination.
Recommendation: ABC Company should modify the current access provisioning process to include the
appropriate workflow and approval chain for access to protected health information. FishNet highly
recommends that ABC Company consider the implementation of an automated Identity and Access
Management solution that provisions access to protected health information based on pre-defined roles
and responsibilities.
Finding #5
Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.308(a) (3) (ii) (B)
Control Area: Implement procedures to determine that the access of a workforce member to electronic
protected health information is appropriate.
Implementation Specification: Workforce Clearance Procedures (Addressable)
Issue: ABC Company does not have an in-depth and formalized pre-hire background investigation
process to determine whether pre-employment candidates are appropriate personnel for access to protected
health information. Although ABC Company does have a formal background process for positions other
than agents, the process does not include a pre-hire determination for access to information protected
under HIPAA. Also, ABC Company does not have a formalized process to “clear and authorize”
individuals for access to protected health information.
Recommendation: “Clearance” is the process of determining a person’s trustworthiness. “Authorization”
is the process of giving user permission to access information. A person can be “cleared” but still not
authorized for access to certain information and vice versa. FishNet Security recommends that ABC
Company develop a formalized workforce clearance process that determines, based on the results of an
in-depth investigation, a person’s eligibility to access protected health information. Investigative criteria
should contain a national agency criminal records check, financial and credit review, and a check for
issues related to the theft, breach or mis-handling of protected health information.
Finding #6
Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.308(a) (5) (ii) (A)
Control Area: Implement periodic security updates.
Implementation Specification: Security Reminders (Addressable)
Issue: Although ABC Company does have a formalized information security training program, the current
process does not include subject specific training for the access and handling of protected health related
information. ABC Company does not regularly distribute information security reminders or periodic
updates on security related subjects including those related to HIPAA compliance.
Recommendation: FishNet Security recommends that ABC Company include HIPAA-related training in its
information security training program and develop periodic security updates related to the organization’s
expectations for the access and handling of information protected under HIPAA.
Finding #7
Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.308(a) (6) (ii)
Control Area: Identify and respond to suspected or known security incidents; mitigate, to the extent
practicable, harmful effects of security incidents that are known to the covered entity; and document
security incidents and their outcomes.
Implementation Specification: Response and Reporting Procedures (Required)
Issue: ABC Company does not have formalized information security incident response procedures
associated with the organization’s incident response policy.
Recommendation: FishNet Security recommends that ABC Company develop formalized information
security incident response procedures, including specific tasks for the timely investigation and notification of a
breach of protected health information. FishNet also recommends that ABC Company retain all
evidentiary and documentary components of an incident (evidence, logs, and reports) for a period of not
less than six years from the date of disposition.
Finding #8
Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.308(a) (7) (ii) (A)
Control Area: Establish policies and procedures to create and maintain retrievable exact copies of
electronic protected health information.
Implementation Specification: Data Backup Plan (Required)
Issue: FishNet reviewed ABC Company’s continuity plan and found that the plan does not currently meet the
backup and integrity requirements of HIPAA. HIPAA currently requires “exact” copies of all protected
health information and a retention period of not less than six years from the date of creation.
Recommendation: FishNet Security recommends that ABC Company modify its existing business
continuity plan to meet the specific requirements listed in §164.308(a) (7) (i). These requirements include
an integrity verification process for all protected health information backups and retention of those
backups for a period of at least six years from the creation date of such information.
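Finding #8 calls for retrievable exact copies of EPHI, an integrity verification process for the backups, and retention for six years from the creation date. The Python below is an added example, not code from the FishNet Security report or from ABC Company’s environment: it records a SHA-256 manifest when a backup set is taken, re-verifies the set later to detect corrupted, missing or stray files, and computes the retention window from the creation date. The backup files, paths and dates are constructed for illustration.

```python
"""Exact-copy verification and retention window for an EPHI backup set (added example)."""
import hashlib
import tempfile
from datetime import date
from pathlib import Path

RETENTION_YEARS = 6  # retention period cited in Finding #8: six years from creation


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup sets never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path, created_on: str) -> dict:
    """Record the relative path, size and SHA-256 of every file in a backup set.

    created_on is the ISO date the backed-up information was created; it drives retention.
    """
    entries = {}
    for path in sorted(p for p in backup_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(backup_dir).as_posix()
        entries[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return {"created_on": created_on, "files": entries}


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Check that the backup is still an exact copy of what the manifest recorded."""
    report = {"ok": [], "corrupt": [], "missing": [], "unexpected": []}
    expected = manifest["files"]
    present = {p.relative_to(backup_dir).as_posix()
               for p in backup_dir.rglob("*") if p.is_file()}
    for rel, meta in expected.items():
        path = backup_dir / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif path.stat().st_size != meta["size"] or sha256_file(path) != meta["sha256"]:
            report["corrupt"].append(rel)  # size or hash drift: no longer an exact copy
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(present - set(expected))  # files not in the manifest
    return report


def retention_end(created_on: str) -> str:
    """Earliest date the backup may be destroyed: six years after the creation date."""
    created = date.fromisoformat(created_on)
    try:
        end = created.replace(year=created.year + RETENTION_YEARS)
    except ValueError:  # 29 February with no leap day six years on
        end = created.replace(year=created.year + RETENTION_YEARS, day=28)
    return end.isoformat()


def must_retain(created_on: str, today: str) -> bool:
    """True while the backup is still inside its retention window."""
    return date.fromisoformat(today) < date.fromisoformat(retention_end(created_on))


def demo() -> dict:
    """Build a constructed backup set, verify it, then tamper with it and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "ephi-backup"
        (backup / "db").mkdir(parents=True)
        # Constructed sample files; no real PHI
        (backup / "db" / "claims.sql").write_bytes(b"-- constructed sample: claims table dump\n")
        (backup / "index.json").write_bytes(b'{"constructed": true}\n')
        manifest = build_manifest(backup, created_on="2009-04-15")
        clean = verify_backup(backup, manifest)
        # Simulate silent corruption, a lost file and a stray file on the backup media
        (backup / "db" / "claims.sql").write_bytes(b"-- constructed sample: claims table dum\n")
        (backup / "index.json").unlink()
        (backup / "stray.tmp").write_bytes(b"x")
        tampered = verify_backup(backup, manifest)
    return {"clean": clean, "tampered": tampered,
            "retention_end": retention_end(manifest["created_on"])}


if __name__ == "__main__":
    print(demo())
```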
Finding #9
Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.308(a) (7) (i), §164.308(a) (7) (ii) (B), §164.308(a) (7) (ii) (C)
Control Area: Establish (and implement as needed) policies and procedures for responding to an
emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that
damages systems that contain electronic protected health information.
Implementation Specification: Contingency Plan (Required), Disaster Recovery Plan (Required),
Emergency Mode Operation Plan (Required)
Issue: Although ABC Company has an overall business continuity plan, it does not address what actions
the organization will take in the event of a disaster at a specific site. Additionally, it does not address how
ABC Company will continue to provide access to protected health information during and after recovery.
A formal and documented individual site contingency plan was not available for review or validation by
FishNet Security consultants.
Recommendation: FishNet Security recommends ABC Company develop a formalized process (for each
processing site) to recover from systems or location catastrophic failure. The plan should consider each
site’s unique physical and environmental requirements and have a process to address known and future
risks as they occur. The plan should also contain how security of protected health information will be
maintained during recovery and transition operations.
Finding #10
Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.308(a) (7) (ii) (D)
Control Area: Procedures for periodic testing of written contingency plans to discover weaknesses and
the subsequent process of revising the documentation, if necessary
Implementation Specification: Testing and Revision Procedures (Addressable)
Issue: Although ABC Company’s business continuity planning process requires periodic testing of
disaster and recovery plans, a formalized document detailing the execution and results of testing was not
available for review at the time of this assessment.
Recommendation: FishNet Security recommends the regular and formalized testing of disaster and
recovery plans for all ABC Company information processing locations. The results of testing should be
documented and reviewed by local, regional and executive management business and technology teams.
Each plan should be updated to reflect changes in processes and procedures resulting from testing.
Finding #11
Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.308(b) (1), §164.308(b) (4)
Control Area: A covered entity, in accordance with §164.306, may permit a business associate to create,
receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if
the covered entity obtains satisfactory assurances, in accordance with §164.314(a) that the business
associate will appropriately safeguard the information. Document the satisfactory assurances required by
paragraph (1) of section §164.308(b) through a written contract or other arrangement with the business
associate that meets the applicable requirements of §164.314(a).
Implementation Specification: Business Associate Contracts and Other Arrangements (Required) and
Written Contract or Other Arrangement (Required)
Issue: ABC Company does not have a formalized process to evaluate other partner organizations
handling protected health information as to their status of compliance under HIPAA. Currently, ABC
Company does not review contracts with its clients, vendors or key business partners to determine the
external organization’s relationship as a covered entity or a business associate.
Recommendation: FishNet Security recommends that ABC Company develop a formalized process to
review new and existing contracts with clients, vendors and key business partners to determine their
status under HIPAA as a covered entity or business associate. ABC Company should ensure that all
contracts that involve the processing, storage and transmission of protected health information include
requirements for the external organization to comply with HIPAA as either a covered entity or business
associate. The process should include a complete legal review from the corporate executive council and
the Chief Compliance Officer.
Finding #12
Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.310(a)(2)(iv)
Control Area: Implement policies and procedures to document repairs and modifications to the physical
components of a facility which are related to security (for example hardware, walls, doors, or locks).
Implementation Specification: Maintenance Records (Addressable)
Issue: ABC Company does not have a formalized process to document repairs and/or modifications to the
physical components of facilities that handle protected health information.
Recommendation: FishNet Security recommends that ABC Company develop a formalized process to
document and record all changes (additions, modifications, and deletions) to the physical security
components of facilities that store, process and/or transmit protected health information.
Finding #13
Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.310(d)(1)
Control Area: Implement policies and procedures that govern the receipt and removal of hardware and
electronic media that contain protected health information into and out of a facility, and the movement of
these items within the facility.
Implementation Specification: Device and Media Controls (Required)
Issue: ABC Company does not have a formalized media control policy, process and a related set of
enforcement procedures to prevent the unauthorized removal of electronic protected health information
from the facility. ABC Company does not currently have the ability to govern the transfer of EPHI (at the
endpoint) to or from the facility.
Recommendation: FishNet Security recommends ABC Company develop a formalized policy, process
and set of procedures governing the use and enforcement of removable media. FishNet Security
recommends that ABC Company consider a proof-of-concept project for the evaluation of an automated
removable media endpoint enforcement solution to address HIPAA requirements and the protection of
protected health information.
Finding #14
Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.312(a)(2)(ii)
Control Description: Establish (and implement as needed) procedures for obtaining necessary electronic
protected health information during an emergency.
Implementation Specification: Emergency Access Procedure (Required)
Issue: ABC Company does not have a formalized policy, process or set of procedures for the
provisioning of emergency access to electronic protected health information. Without them, access to
EPHI may not be available during an emergency or time of crisis.
Recommendation: FishNet Security recommends ABC Company develop technical procedures, and
document instructions, for obtaining EPHI when the normal methods for obtaining access fail because of
a crisis situation. Two situations may potentially deny access to patient information stored in automated
information systems, including system failure and the unavailability of authorized users. This mandatory
implementation specification requires ABC Company to develop procedures to grant temporary access to
otherwise unauthorized users when authorized users may not be available. ABC Company should
develop procedures for gaining access to information during a system emergency or failure.
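The recommendation above asks for procedures that grant temporary access to otherwise unauthorized users when authorized users are unavailable. The following is an added example of how such a "break-glass" procedure can be enforced technically; it is not code from the FishNet report or from ABC Company. The class, field and event names are assumptions, as are the policy choices it encodes: every grant needs a written justification and a second person as approver, the grant expires automatically after a policy maximum, it can be revoked early, and every issuance, access check and revocation lands in a hash-chained audit trail so that after-the-fact review (and the documentation retention the Security Rule requires) can rely on it.

```python
# Added example (not from the FishNet report): a minimal break-glass
# emergency-access workflow. All names, fields and limits are assumptions.
from __future__ import annotations

import hashlib
import json
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    grant_id: str
    user: str           # otherwise-unauthorized person receiving temporary access
    resource: str       # EPHI system or record set being opened (assumed label)
    justification: str  # written reason, kept for after-the-fact review
    approver: str       # second person confirming the emergency
    issued_at: datetime
    expires_at: datetime
    revoked: bool = False


class BreakGlassService:
    """Issues short-lived emergency grants and keeps a hash-chained audit trail."""

    GENESIS = "0" * 64  # prev_hash of the first audit entry

    def __init__(self, max_duration: timedelta = timedelta(hours=4)):
        self.max_duration = max_duration   # assumed policy maximum
        self.grants: dict[str, Grant] = {}
        self.audit: list[dict] = []

    def _log(self, event: str, now: datetime, **fields) -> None:
        # Each entry commits to the previous entry's hash, so deleting or
        # editing an earlier record breaks verify_audit_chain().
        prev = self.audit[-1]["entry_hash"] if self.audit else self.GENESIS
        entry = {"event": event, "ts": now.isoformat(), "prev_hash": prev, **fields}
        entry["entry_hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def request_access(self, user: str, resource: str, justification: str,
                       approver: str, now: datetime,
                       duration: timedelta | None = None) -> Grant:
        if not justification.strip():
            raise ValueError("emergency access requires a written justification")
        if approver == user:
            raise ValueError("approver must be a different person than the requester")
        duration = duration or self.max_duration
        if duration > self.max_duration:
            raise ValueError("requested duration exceeds the policy maximum")
        grant = Grant(secrets.token_hex(8), user, resource, justification,
                      approver, now, now + duration)
        self.grants[grant.grant_id] = grant
        self._log("grant_issued", now, grant_id=grant.grant_id, user=user,
                  resource=resource, approver=approver,
                  expires_at=grant.expires_at.isoformat(), justification=justification)
        return grant

    def is_authorized(self, grant_id: str, user: str, resource: str, now: datetime) -> bool:
        g = self.grants.get(grant_id)
        allowed = (g is not None and not g.revoked and g.user == user
                   and g.resource == resource and g.issued_at <= now < g.expires_at)
        # Denied checks are logged too: they show misuse attempts of a stale grant.
        self._log("access_check", now, grant_id=grant_id, user=user,
                  resource=resource, allowed=allowed)
        return allowed

    def revoke(self, grant_id: str, actor: str, now: datetime) -> None:
        g = self.grants[grant_id]
        g.revoked = True
        self._log("grant_revoked", now, grant_id=grant_id, revoked_by=actor)

    def verify_audit_chain(self) -> bool:
        prev = self.GENESIS
        for entry in self.audit:
            if entry["prev_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() \
                    != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo() -> dict:
    """Walk through one constructed emergency and return the observed decisions."""
    t0 = datetime(2009, 4, 15, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    svc = BreakGlassService()
    g = svc.request_access("oncall_nurse", "ehr/patient-records",
                           "Primary physician unreachable during system outage",
                           "charge_nurse", t0, timedelta(hours=1))
    out = {
        "allowed_in_window": svc.is_authorized(g.grant_id, "oncall_nurse", "ehr/patient-records", t0 + timedelta(minutes=30)),
        "allowed_wrong_user": svc.is_authorized(g.grant_id, "someone_else", "ehr/patient-records", t0 + timedelta(minutes=30)),
        "allowed_after_expiry": svc.is_authorized(g.grant_id, "oncall_nurse", "ehr/patient-records", t0 + timedelta(hours=2)),
    }
    svc.revoke(g.grant_id, "security_officer", t0 + timedelta(minutes=40))
    out["allowed_after_revoke"] = svc.is_authorized(g.grant_id, "oncall_nurse", "ehr/patient-records", t0 + timedelta(minutes=45))
    out["chain_intact"] = svc.verify_audit_chain()
    svc.audit[0]["user"] = "tampered"           # simulate editing the trail
    out["chain_after_tamper"] = svc.verify_audit_chain()
    try:
        svc.request_access("alice", "ehr/patient-records", "test", "alice", t0)
        out["self_approval_rejected"] = False
    except ValueError:
        out["self_approval_rejected"] = True
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two-person approval and the hard expiry are the parts that make a break-glass path acceptable from a least-privilege standpoint: the emergency user gets exactly the resource named in the grant, for a bounded time, and the chained log gives the security officer something reviewable once the crisis is over. In a real deployment the same grant record would drive the actual access-control decision (for example, a temporary group membership or a short-lived credential), which this sketch only models with `is_authorized`.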
Finding #15
Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.314(a)(1)
Control Description: The contract or other arrangement between the covered entity and its business
associate required by §164.308(b) must meet the requirements of paragraph (a)(2)(i) or (a)(2)(ii) of this
section, as applicable. (ii) A covered entity is not in compliance with the standards in §164.502(e) and
paragraph (a) of this section if the covered entity knew of a pattern of an activity or practice of the
business associate that constituted a material breach or violation of the business associate's obligation
under the contract or other arrangement, unless the covered entity took reasonable steps to cure the
breach or end the violation, as applicable, and, if such steps were unsuccessful: (A) Terminated the
contract or arrangement, if feasible; or (B) If termination is not feasible, reported the problem to the
Secretary.
Implementation Specification: Business associate contracts or other arrangements (Required)
Issue: ABC Company does not have a formal process to assess a vendor or key business partner’s
capability to appropriately safeguard EPHI.
Recommendation: ABC Company should develop a formalized policy and process for the evaluation of
all vendors and key business partners that will process, store and/or transmit data on behalf of ABC
Company. The policy and process should include the requirement for all business associates to
implement the appropriate
Section §164.314 complements section 308(b) Business Associate Contracts. It states that business
associate contracts must require the business associate to implement administrative, physical and
technical safeguards providing a minimum level of protection equivalent to that required by the final rule
for security and section §164.502(e) of the Privacy Rule. ABC Company may not be compliant with the
provisions under HIPAA if it knows of breaches of the terms of the agreement by its business associates
and takes no action to terminate the contract or report to the Secretary of the Department of Health and
Human Services.
Finding #16
Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.314(a)(2)(i)
Control Description: The contract between a covered entity and a business associate must provide that
the business associate will-- (A) Implement administrative, physical, and technical safeguards that
reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic
protected health information that it creates, receives, maintains, or transmits on behalf of the covered
entity as required by this subpart; (B) Ensure that any agent, including a subcontractor, to whom it
provides such information agrees to implement reasonable and appropriate safeguards to protect it; (C)
Report to the covered entity any security incident of which it becomes aware; (D) Authorize termination of
the contract by the covered entity, if the covered entity determines that the business associate has
violated a material term of the contract.
Implementation Specification: Business associate contracts (Required)
Issue: ABC Company does not have a formalized process to ensure that business associates or other
covered entities that have access to EPHI are bound to implement data protection and availability
controls as listed in the HIPAA Security Standard Final Rule. ABC Company does not currently have a
process to include contractual language requiring business associates or other covered entities with
access to protected health information to comply with the provisions of HIPAA.
Recommendation: ABC Company should develop a process to ensure that agreements with ABC
Company’s business associates include the specified elements of HIPAA. The business associate
contracts between ABC Company and its business associates must require the business associate to
implement administrative, physical and technical safeguards providing a minimum level of protection
equivalent to that required by the final rule for security and section §164.502(e) of the Privacy Rule. The
business associate must agree to ensure that any agents or subcontractors to whom it provides
information will also implement equivalent safeguards, and to report any security incidents to the covered
entity. The contracts or other legal documents must allow ABC Company to terminate the contract if the
business associate violates its data security terms. This ensures that health information protected by
ABC Company continues to be protected when given to a party that is not otherwise required to
comply with HIPAA.
Finding #17
Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.316(b)(2)(i)
Control Description: Retain the documentation required by paragraph (b)(1) of this section for 6 years
from the date of its creation or the date when it last was in effect, whichever is later.
Implementation Specification: Time Limit (Required)
Issue: ABC Company does not currently retain documentation or data related to protected health
information for the required six-year period.
Recommendation: FishNet Security recommends ABC Company keep all policies and procedures
required by the HIPAA security rule until six years after they are no longer in effect. ABC Company should
retain documented results of actions, activities, assessments, or designations created as a result of the
HIPAA security rule for six years. This ensures that the information is available if needed to answer legal
questions and other inquiries that might arise.