IT Security Risk Assessment Guidelines

August 18, 2018 | Author: jsan07 | Category: Applied Ethics, Service Industries, Securities, Prevention, Risk

HIPAA Security Risk Assessment Guidelines v1.0


Information Security Risk Assessment Guidelines

Introduction and Overview

Information security risk assessment is an on-going process of discovering, correcting and preventing security problems. The risk assessment is an integral part of a risk management process designed to provide appropriate levels of security for information systems. Information security risk assessments are part of sound security practices and are required by the Commonwealth Enterprise Information Security Policy. Risk assessments and related documentation are also an integral part of compliance with HIPAA security standards (see below).

The risk assessment will help each agency determine the acceptable level of risk and the resulting security requirements for each system. The agency must then devise, implement and monitor a set of security measures to address the level of identified risk. For a new system the risk assessment is typically conducted at the beginning of the System Development Life Cycle (SDLC). For an existing system, risk assessments may be conducted on a regular basis throughout the SDLC and/or on an ad-hoc basis in response to specific events, such as when major modifications are made to the system's environment or in response to a security incident or audit.

This risk assessment methodology is based on the CMS Information Security RA Methodology, developed by the federal Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS), which is available at www.cms.hhs.gov/it/security/docs/RA_meth.pdf. It is presented in three phases:

- System Documentation Phase
- Risk Determination Phase
- Safeguard Determination Phase

The risk assessment report:

- Summarizes the system architecture and components, and its overall level of security
- Includes a list of threats and vulnerabilities, the system's current security controls, and its risk levels
- Recommends safeguards, and describes the expected level of risk that would remain if these safeguards were put in place
- Shows where an organization needs to concentrate its remedial work
- Can be used as input to the agency's business continuity plan
- Presents these findings to management.

Note on HIPAA Security

Commonwealth agencies defined as Covered Entities (CE's) and those who are Business Associates of CE's must comply with the HIPAA security rule, 45 CFR parts 1