Overview

All owners of information systems containing electronic protected health information (EPHI) must conduct a risk assessment to accurately and thoroughly assess the potential threats and vulnerabilities to the confidentiality, integrity, and availability of the EPHI processed, stored, or transmitted by the system.

Purpose

This standard provides the general methodology that owners of information systems must use to conduct annual risk assessments.

Scope

This standard applies to all owners of information systems connected to any Medical Center network.

Description

Health Information and Technology (HIT) has identified the National Institute of Standards and Technology (NIST) as its source for best practices in risk management and risk assessment.

    • Risk Management looks across the entire organization and examines its information systems as they relate to each other.  Risk management addresses risk related concerns as follows:
      • Tier 1 – Organizational Level (Governance)
      • Tier 2 – Mission / Business Process (Information and Information Flows)
      • Tier 3 – Information System (Environment of Operation)
    • Tier 1 - addresses risk from an organizational perspective with the development of a comprehensive governance structure and organization-wide risk management strategy that includes: (i) the techniques and methodologies the organization plans to employ to assess information system-related security risks and other types of risk of concern to the organization; (ii) the methods and procedures the organization plans to use to evaluate the significance of the risks identified during the risk assessment; (iii) the types and extent of risk mitigation measures the organization plans to employ to address identified risks; (iv) the level of risk the organization plans to accept (i.e., risk tolerance); (v) how the organization plans to monitor risk on an ongoing basis given the inevitable changes to organizational information systems and their environments of operation; and (vi) the degree and type of oversight the organization plans to use to ensure that the risk management strategy is being effectively carried out. As part of the overall governance structure established by the organization, the risk management strategy is propagated to organizational officials and contractors with programmatic, planning, developmental, acquisition, operational, and oversight responsibilities, including for example: (i) authorizing officials; (ii) chief information officers; (iii) senior information security officers; (iv) enterprise/information security architects; (v) information system owners/program managers; (vi) information owners/stewards; (vii) information system security officers; (viii) information system security engineers; (ix) information system developers and integrators; (x) system administrators; (xi) contracting officers; and (xii) users.
    • Tier 2 - addresses risk from a mission and business process perspective and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture and include: (i) defining the core missions and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations); (ii) prioritizing missions and business processes with respect to the goals and objectives of the organization; (iii) defining the types of information that the organization needs to successfully execute the stated missions and business processes and the information flows both internal and external to the organization; (iv) developing an organization-wide information protection strategy and incorporating high-level information security requirements into the core missions and business processes; and (v) specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk.
    • Tier 3 - addresses risk from an information system perspective and is guided by the risk decisions at Tiers 1 and 2. Risk decisions at Tiers 1 and 2 impact the ultimate selection and deployment of needed safeguards and countermeasures (i.e., security controls) at the information system level. Information security requirements are satisfied by the selection of appropriate management, operational, and technical security controls from NIST Special Publication 800-53. The security controls are subsequently allocated to the various components of the information system as system-specific, hybrid, or common controls in accordance with the information security architecture developed by the organization. Security controls are typically traceable to the security requirements established by the organization to ensure that the requirements are fully addressed during design, development, and implementation of the information system. Security controls can be provided by the organization or by an external provider. Relationships with external providers are established in a variety of ways, for example, through joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or supply chain arrangements.

    The Risk Management Framework (RMF), illustrated in Figure 2-2, provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. The RMF operates primarily at Tier 3 in the risk management hierarchy but can also have interactions at Tiers 1 and 2 (e.g., providing feedback from ongoing authorization decisions to the risk executive [function], dissemination of updated threat and risk information to authorizing officials and information system owners). The RMF steps include:

    • Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
    • Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.
    • Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
    • Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
    • Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
    • Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.

     

    Risk Assessment

    Risk Assessment is the fundamental component of UVA’s Risk Management process and is described in NIST Special Publication 800-39. Risk assessments are used to identify, estimate, and prioritize risk to operations, assets, individuals, and other organizational components, resulting from the operation and use of its information systems. The purpose of risk assessments is to inform management and support risk responses by identifying: (i) relevant threats; (ii) vulnerabilities both internal and external; (iii) impact (i.e., harm) to organizations that may occur given the potential for threats which exploit vulnerabilities; and (iv) likelihood that harm will occur. The end result is a determination of risk.  Risk assessments can be conducted at any of the three tiers in the risk management hierarchy—including Tier 1 (organization level), Tier 2 (mission/business process level), and Tier 3 (information system level).  

    At Tiers 1 and 2, organizations use risk assessments to evaluate systemic information security-related risks associated with organizational governance and management activities, mission/business processes, enterprise architecture, or the funding of information security programs.  At Tier 3, the risk assessment is used to support the implementation of the Risk Management Framework (i.e., security categorization; security control selection, implementation, and assessment; information system and common control authorization; and security control monitoring).

    The risk assessment process consists six steps: (1) preparing for the security control assessment; (2) developing the security assessment plans; (3) conducting the security control assessments; (4)analyzing the security assessment results; (5) communicate assessment results; and (6) maintain the assessment.

    STEP 1: Preparing for the Assessment

    • Identify the purpose of the risk assessment in terms of the information that the assessment is intended to produce and the decisions the assessment is intended to support.
    • Identify the scope of the risk assessment in terms of organizational applicability (what is to be assessed), time frame (how long is it anticipated to take), and architectural/technology considerations.
    • Identify the specific assumptions and constraints under which the risk assessment is conducted.
    • Determine the system or application’s Security Categorization.  Security categorization is represented in the following manner: SC information type = {(confidentiality impact), (integrity impact), (availability impact)}, where the acceptable values for potential impact are Low, Moderate or High.
      • A Low Impact system corresponds to one for which the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
      • A Moderate Impact system corresponds to one for which the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
      • A High Impact system corresponds to one for which the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

    STEP 2: Developing the Security Assessment Plan 

    • Based upon the Security Categorization (Low, Moderate or High) of the system or application to be assessed, select the appropriate controls to be assessed from the MASTER Risk Assessment Matrix and copy it into its own spreadsheet.
    • Identify common controls or those controls that are evaluated at an Enterprise level and exclude them from the assessment.
    • Based upon the system or application that is to be evaluated, note any controls that may be out of scope and the reasoning for this exclusion.
    • Review whether the existing assessment method (interview, examine or test) statements are appropriate for the system or application to be reviewed.
    • Arrange for a peer review of the selected controls.

    STEP 3: Conducting the security control assessment

    • Assess the security controls with the assessment procedures defined in the security assessment plan.
    • From the developed Security Assessment Plan spreadsheet, using the “Assessment Steps Used” and Assessment Method, review the statements to determine whether a control is in place and adequately protects or secures the system in question.
    • Under “Findings”, specify evidence that supports each statement and whether that information is incomplete.
    • As each section is completed, specify the status of the row completed in the "Done" column.
    • A status of what is completed, what has failed, what is left and what elements are partially done by filtering the “Done” column.

    STEP 4: Analyzing the security assessment results

    • Once all controls have been assessed, filter to identify the items that failed and thus need attention.
    • Determine whether the element may be out of scope, evidence may have been over looked, or if the element has genuinely failed.

    STEP 5: Communicate assessment results

    • Based upon the Analysis of the results, a draft Risk Assessment Report (RAR) is produced documenting the findings.
    • Review findings with HIT Security and adjust accordingly.
    • Determine the appropriate method (e.g., executive briefing, risk assessment report, or dashboard) for communicating the risk assessment results and to whom.
    • Communicate risk assessment results to designated organizational stakeholders.
    • Share the risk assessment results and supporting evidence.
    • From the feedback of the designated organizational stakeholders, each risk or finding in the RAR needs to be acted upon.  The responses include: (i) risk acceptance; (ii) risk avoidance; (iii) risk mitigation; (iv) risk sharing; (v) risk transfer; or (vi) a combination of the above.
    • Conduct initial remediation actions of security controls based on the findings and recommendations of the security assessment report.
    • Prepare and file the Final Risk Assessment Report based on all input.

    STEP 6: Maintain the assessment

    • Identify key risk factors that have been identified for ongoing monitoring.
    • Identify the frequency of risk factor monitoring activities and the circumstances under which the risk assessment needs to be updated.

    If any additional work needs to be performed by HIT Security, a Business Case should be drawn up and forwarded for approval.

     

    Types of Risk Assessments Conducted by the Medical Center:

    The following risk assessment methods have been implemented within the Medical Center to ensure risks to the organization are appropriately identified and then mitigated, accepted or avoided as necessary:

    • Procurement of new datacenter related software and hardware The Medical Center Procurement Office works in collaboration the sponsoring department to ensure that new acquisitions of IT related software and hardware have been reviewed by the HIT Security.  A standardized security requirements document, referred to as the Security Exhibit, is completed and attached to the contract in order to ensure that the information security risks of installing the vendor system have been reviewed and evaluated.
    • Procurement of Cloud related software  The Medical Center Procurement Office works in collaboration with HIT Security and the purchasing department to ensure Cloud Risk Assessments are completed prior to the any cloud based purchase.  The Cloud Risk Assessment is completed prior to the hosting of data in the cloud (i.e., outside the Medical Center environment).
    • Application based Risk Assessments The Medical Center has implemented a risk assessment framework for critical information systems based on the recommendations provided in NIST SP 800-30 Guide for Conducting Risk Assessments.  The risk assessment includes a compressive review for the following security and privacy controls:

    Security Control Baselines

    Per NIST SP 800 - 53

    Control Numbers

    Access Control

    AC-1 - AC-22

    Awareness and Training

    AT-1 - AT-5

    Audit and Accountability

    AU-1 - AU-14

    Security Assessment and Authorization

    CA-1 - CA-7

    Configuration Management

    CM-1 - CM-9

    Contingency Planning

    CP-1 - CP-10

    Identification and Authentication

    IA-1 - IA-8

    Incident Response

    IR-1 - IR-8

    Maintenance

    MA-1 - MA-6

    Media Protection

    MP-1 - MP-6

    Physical and Environmental Protection

    PE-1 - PE-19

    Planning

    PL-1 - PL-6

    Personnel Security

    PS-1 - PS-8

    Risk Assessment

    RA-1 - RA-5

    System and Services Acquisition

    SA-1 - SA-14

    System and Communication Protection

    SC-1 - SC-34

    System and Information Integrity

    SI-1 - SI-13

    Project Management

    PM-1 - PM-11

     

    Additional risk assessments include participation in the University of Virginia Information Technology Security Risk Management Plan.  This is an annual assessment completed by Health System Technology Services.  The assessment includes:

    • Mission Impact Analysis - identifies information, computing hardware and software, and associated personnel that require protection against unavailability, unauthorized access, modification, disclosure or other security breaches.
    • Risk Assessment General Questions - determine and evaluate threats to the resources identified through a mission impact analysis, as well as adherence to general secure computing practices.
    • Risk Assessment Questions: HIPAA Supplement - focus on the need for documenting each policy and process, knowledge and training on compliance regulations, facility access controls, workstation use and location and the review of logs and other auditing measures.
    • Threat, Attack and Vulnerability Scenarios - categorize each of the assets identified in Step 1 by threat; most assets are vulnerable to multiple threats.  Then identify strategies that your department currently follows or plans to follow to address these threats.
    • Security Plan Template - Strategies (identified in Step 2.2) will overlap, protecting multiple assets. Document your current method of protecting assets against identified threats, attacks and vulnerabilities. Identify and prioritize what additional mitigation efforts you need to take (along with a timeline for completing them), and document justifications for mitigation steps you identified but decided not to implement.
    • Mission Continuity Questions - the development of a plan for restoration of resources identified in the mission impact analysis and for interim manual processes for continuing critical mission functions during the restoration process.
    • IT Mission Continuity Plan Template - based on answers to the Mission Continuity Questions, a plan is developed that may include a department COOP plan if applicable.
    • Evaluation and Reassessment Questions - Completed every three years or when there are significant changes to departmental IT assets or risk environment.

    In addition to our comprehensive risk management strategy, the Medical Center’s assessment program includes regularly scheduled internal and external audits.

    • Internal Audits – The Medical Center is involved in internal audits in a number of ways, which include:
    • IT Security Audits – The IT Security Audits are audits centered on critical information systems supported within the Medical Center.  These audits include a quarterly or bi-annual review of access to the information systems and the removal of access that has not been used within a specified length of time. Additional audits, such as the Mobile Device Audit, regularly review the iOS/Android version connected to the Medical Center’s Mobile Device Management (MDM) solution and notifies individuals when their device is out of compliance with the MDM’s version policy.
    • University of Virginia Internal Audits – The Medical Center is involved and participates in regularly scheduled audits conducted by the University of Virginia Internal Audit department.  These audits include IT Security centered audits, financial audits, and clinical audits.
    • Virginia Auditor of Public Accounts (APA) - The Medical Center is involved and participates in annual audits performed by the APA.  These audits include IT Security centered audits and financial audits.
    • Third-Party External Audits – The Medical Center procures the services of a third party to perform annual assessments of the Medical Center’s IT infrastructure.  These assessments currently include a review of the following areas:
    • Network Architecture/Diagram Review
    • Network Segmentation and Access Control
    • Network Device Configuration
    • Firewalls
    • Secured Internet Services (DMZ Services)
    • Securing Internet Access
    • Wireless Access
    • Intrusion Detection and Prevention
    • System/Device Build Process
    • Patch Management
    • Configuration Management
    • Antivirus Strategy
    • End-User Device Strategy
    • Mobile Device Strategy
    • Data Encryption
    • Data Destruction
    • Code Development
    • User Management
    • Change Management
    • Backup Strategy
    • Log Management
    • Data Breach/Discovery/Loss Prevent
    • IT Audit

    Other external reviewers include: Center for Medicare and Medicaid Services (CMS), Joint Commission (JC), Virginia Department of Health (VDH), and other Medical Center related vendors such as SureScripts

    Document Supporting Resources