Risk management
MedStack Confidential
Metadata
- responsible officer: CTO
- date
- effective: 2018-06-20
- revised: 2019-10-12
- reviewed: 2018-06-20
- Applicability: standard
Acquire and maintain independent information security certifications
- HITRUST
- a private US certification organization that maintains the HITRUST Common Security Framework (CSF)
- primarily targets the healthcare industry
- commonly accepted as a proxy for HIPAA compliance by major US healthcare organizations
- compliance is audited by an independent authorized assessor organization
- HITRUST verifies the assessment and issues the certification
- SOC 2
- an attestation standard developed by the American Institute of CPAs (AICPA), based on the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy)
- targets the services industry
- compliance is audited by an independent licensed CPA firm acting as the assessor
- the assessor then issues a SOC 2 report
Acquire and maintain a Threat and Risk Assessment (TRA) and a Privacy Impact Assessment (PIA)
- Who
- conducted by an independent expert
- When
- annually
- when significant changes occur
- Why
- Perform risk analysis and risk management.
- Improve the effectiveness of our security policies and procedures to best protect our business, our assets, our personnel, and the PHI that we possess.
- Identify, analyze, prioritize, and minimize identified risks to information privacy, security, integrity, and availability.
- Identify and quantify the nature and severity of various risks and risk elements.
- Recommend improvements that reduce risk as far as is practicable.
- Model the assessment on
- ISO 27005 (Information security risk management) as the primary framework
- NIST SP 800-30 (Guide for Conducting Risk Assessments) as an additional framework
- business and information-technology best practices
- Review technical, administrative and physical safeguards
- control objectives
- controls
- policies
- processes
- procedures
- Involve the necessary parties, such as
- senior management
- software development and operations
- legal counsel
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.18.2.1 | Independent review of information security | The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur. |
| HIPAA | 164.308(a)(1)(ii)(A) | Risk analysis | (i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. (ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. (B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a). (C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate. (D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. |
Review information security internally
- When
- annually
- when the internal environment or operation significantly changes
- when the external environment significantly changes
- Review
- Information processing and procedures, for compliance with the appropriate security policies, standards and any other security requirements.
- Information systems, for compliance with the organization’s information security policies and standards.
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.18.2.2 | Compliance with security policies and standards | Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. |
| ISO | A.18.2.3 | Technical compliance review | Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards. |
| HIPAA | 164.308(a)(8) | Evaluation | Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart. |
Distribute the results of reviews to
- senior management
- internal system administrators
Risk management and treatment
- The results of risk analyses and assessments shall become an integral part of management’s decision-making process, and shall guide decisions related to the protection of PHI.
Enforcement
- Responsible party: All managers and supervisors
- sanctions: standard
References
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | 8.2 | Information security risk assessment | The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a). The organization shall retain documented information of the results of the information security risk assessments. |
| ISO | 8.3 | Information security risk treatment | The organization shall implement the information security risk treatment plan. The organization shall retain documented information of the results of the information security risk treatment. |
| ISO | A.18.2 | Information security reviews | Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures. |
| CHI | SR1 | Threat and Risk Assessment | Organizations hosting components of the EHRi must – and organizations connecting to the EHRi should – assess threats and risks to these components by careful review of a Threat and Risk Assessment (TRA). At a minimum, a TRA must include: a) An inventory of all information assets supporting the EHRi components, including data, services and technology, that must be protected and a determination of which assets include PHI; b) An assessment, for each information asset, of how critical it will be to maintain the confidentiality, integrity and availability of the asset, and accountability for the asset; c) A vulnerability analysis, including a comprehensive listing of the privacy and security vulnerabilities of the hosted EHRi components and a listing of the actual or planned safeguards that can protect against those vulnerabilities; d) A risk analysis that determines the residual risk after actual or planned safeguards are put in place; and e) A recommendation of whether residual risk is to be: i) further reduced (by adding specific safeguards to the system or scaling back system functionality); ii) transferred to a third party; or iii) accepted by the organization. |
| CHI | SR4 | Independent Review of Security Policy Implementation | Organizations connecting to the EHRi or hosting components of the EHRi must have the implementation of their information security policy either: a) Reviewed independently; or b) Attested to in a written declaration by the organization’s Chief Executive Officer or Board of Directors. |