1|© 2015 Clearwater Compliance LLC | All Rights Reserved | CONFIDENTIAL – Do Not Circulate
Clearwater Risk Analysis WorkShop™ Findings, Observations, and Recommendations (FOR)
Clearwater Customer Report
January 11, 2016
Privileged and Confidential
Prepared Under the Direction of Outside Counsel
Prepared By:
Principal Consultant #1, Principal Consultant #2
Clearwater Compliance LLC
800-704-3394
Table of Contents
Executive Summary .......................................................... 3
Risk Analysis Methods ...................................................... 5
    Background ............................................................. 5
    Meeting OCR Risk Analysis Audit Protocols .............................. 7
    Our Process ............................................................ 7
    Limitations of the Analysis ............................................ 9
Risk Analysis Results ..................................................... 10
    Good or Best Practices Observed ....................................... 11
    Control Analysis ...................................................... 11
    Identified High Risks and Recommended Remediation Controls ............ 11
    Other Recommendations ................................................. 17
Appendices ................................................................ 18
    Appendix A – Information Asset Inventory .............................. 18
    Appendix B – Risk Rating Report / Risk Register (SAMPLE) .............. 21
    Appendix C – Clearwater Controls ...................................... 22
Executive Summary

Clearwater Compliance performed a HIPAA Security Risk Analysis of Clearwater Customer's specifically identified information assets that create, receive, maintain or transmit electronic Protected Health Information (ePHI). The analysis was carried out through an onsite visit, interviews, review of provided documentation, and analysis of controls against asset/threat/vulnerability combinations. Actual technical testing of the Customer's information security controls was considered out of scope for this specific engagement, as agreed, but should be performed separately to further test the efficacy of administrative, physical and technical controls. The Risk Analysis examines the information security risks at a specific point in time, and all results are based on findings and observations during the onsite interviews and follow-up discovery phone calls.
The Clearwater IRM|Analysis™ Software-as-a-Service (SaaS) application was used to facilitate the methodology specifically outlined in the HHS/OCR “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”[1] and the underlying NIST Special Publications on performing risk assessments and risk management. Notably, the Clearwater software and methodology is based on NIST SP 800-30, Guide for Conducting Risk Assessments[2], as illustrated in the figure below.
Furthermore, our methodology addresses all five (5) Key Audit Procedures specified for the risk analysis implementation specification in the OCR HIPAA Audit Protocol.[3]
[1] https://clearwatercompliance.com/wp-content/uploads/OCR_Risk-Analysis_Final_guidance.pdf
[2] http://clearwatercompliance.com/wp-content/uploads/SP800-30-Rev1_Guide_for_Conducting_Risk_Assessments_09-2012.pdf
[3] http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-current/index.html
As part of this engagement, all information assets and associated media deemed to be in scope were loaded into the Clearwater IRM|Analysis™ Software-as-a-Service application and analyzed for relevant threats, vulnerabilities and current controls; a risk rating was then determined based on the likelihood of specific threats exploiting specific vulnerabilities and the impact of harm were such an exploitation to take place. The SaaS application now houses Clearwater Customer’s risk posture and should be used as a management and reporting platform to prioritize and track implementation of relevant controls.
A complete prioritized inventory of risks to the confidentiality, integrity and availability of ePHI is populated in this SaaS application in the Risk Rating Report. Risks are categorized as “Critical”, “High”, “Medium” and “Low”.
This report highlights the risks determined to be higher than Clearwater Customer’s risk threshold (i.e. risk rating >= 15), which represent the most significant areas of risk to the ePHI that Customer creates, receives, maintains or transmits. The specific risks found to exceed this threshold can be grouped into the following four areas:
• The current practice of shipping workstations, servers, and/or their disks with unencrypted ePHI without wiping their contents first;
• The ability of Clearwater Customer staff to download Google Gmail attachments and Google Drive files that could contain ePHI to non-Clearwater Customer computers and devices, where they could possibly be viewed by others;
• The presence of unencrypted smartphones, tablets, and USB keys that could be used to view or store Clearwater Customer ePHI, which could be easily lost or stolen;
• The possibility that these same user-owned devices could be improperly disposed of by their owners while still containing unencrypted Clearwater Customer ePHI; and
• Insufficient due diligence of certain third-party vendors which create, transmit, maintain, or receive ePHI, in order to ensure they have the necessary IS security controls in place to properly safeguard this data.
Importantly, as committed in the project Statement of Work, the Clearwater IRM|Analysis™ software has been populated with asset information, associated media, threats/vulnerabilities, present controls, and risk ratings for all assets included in the analysis. What this means to Clearwater Customer is that a database repository for ongoing risk analysis and risk management has been created to meet explicit HIPAA Security Rule requirements and Office for Civil Rights (OCR) audit protocols pertaining to the HIPAA Security Risk Analysis requirement at 45 CFR §164.308(a)(1)(ii)(A). Training in the use of this tool will be provided to appropriate Clearwater Customer staff.
Risk Analysis Methods

Background

Clearwater Compliance uses an industry-accepted formula for determining a risk value:

Risk = Likelihood * Impact

By applying this formula, Clearwater Compliance is able to categorize risks as Low, Medium, High and Critical as illustrated in the 5 X 5 matrix shown below. The categorization of each risk will help Clearwater Customer prioritize risk remediation efforts. Categorizing risks in this way enables prioritization and facilitates risk management decisions.
Overall Risk (rows: Impact; columns: Likelihood)

Impact \ Likelihood   Rare (1)   Unlikely (2)   Moderate (3)   Likely (4)   Almost Certain (5)
Disastrous (5)        Low        Medium         High           High         Critical
Major (4)             Low        Medium         Medium         High         High
Moderate (3)          Low        Low            Medium         Medium       High
Minor (2)             Low        Low            Low            Medium       Medium
Insignificant (1)     Low        Low            Low            Low          Low
The possible values in this matrix are distributed as follows:

Possible Values      Risk Level
0                    Not Applicable Risk
1, 2, 3, 4, 5, 6     Low Risk
8, 9, 10, 12         Medium Risk
15, 16, 20           High Risk
25                   Critical Risk
The Security Rule does not specify exactly how a risk analysis should be conducted; however, the Department of Health and Human Services (DHHS) and Office for Civil Rights (OCR) issued “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”[4] in July 2010. This guidance, in turn, references the National Institute of Standards and Technology (NIST) Security Framework and several specific documents such as NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments - FINAL. This NIST publication offers a comprehensive approach to completing a risk analysis. Threats in the environment are identified, and then vulnerabilities in the information assets are assessed. Threats are then matched to vulnerabilities to describe risk. The Clearwater Risk Analysis and Risk Management Methodology rigorously follow DHHS/OCR guidance and the NIST Risk Management Framework.

[4] https://clearwatercompliance.com/wp-content/uploads/OCR_Risk-Analysis_Final_guidance.pdf
The “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”[5] describes nine (9) essential elements a Risk Analysis must incorporate, regardless of the methodology employed. These elements are as follows:
1. Scope of the Analysis - All ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. §164.306(a).)
2. Data Collection - The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§164.308(a)(1)(ii)(A) and 164.316(b)(1).)
3. Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
4. Assess Current Security Measures - Organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
5. Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. §164.306(b)(2)(iv).)
6. Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. §164.306(b)(2)(iv).)
7. Determine the Level of Risk - The level of risk could be determined, for example, by combining the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
8. Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. §164.316(b)(1).)
9. Periodic Review and Updates to the Risk Analysis - The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§164.306(e) and 164.316(b)(2)(iii).)
This report and the comprehensive documentation captured in the Clearwater IRM|Analysis™ SaaS tool, such as asset-by-asset information, associated media, threats/vulnerabilities, present controls, and risk ratings for all assets, demonstrate full compliance with elements 1-8 from this list for the number of information assets reviewed during the limited time allocated. Compliance with element 9, Periodic Review and Updates to the Risk Analysis, can be demonstrated by regularly repeating this process in the future. Clearwater Compliance strongly recommends that a risk analysis be completed annually (at a minimum) or upon any significant changes in organization, people, processes, or technology.[6]

[5] https://clearwatercompliance.com/wp-content/uploads/OCR_Risk-Analysis_Final_guidance.pdf
Meeting OCR Risk Analysis Audit Protocols

In June 2012, OCR made publicly available the protocols for OCR audits of HIPAA Privacy, Security and HITECH Breach Rule compliance. There are approximately 77 such protocols for Security Rule compliance, 78 for Privacy Rule compliance and 10 for Breach Rule compliance. Each area being audited breaks down into Audit Performance Criteria, Key Audit Activities and Key Audit Procedures. For the HIPAA Security Risk Analysis requirement at 45 CFR §164.308(a)(1)(ii)(A), there are 5 Key Audit Procedures, specified as follows:
1. Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
2. Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI.
3. Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity's environment.
4. Determine if the covered entity risk assessment has been conducted on a periodic basis.
5. Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.

The Clearwater Security Risk Analysis process helps prepare organizations to meet each of these audit areas.
Our Process

Clearwater Compliance conducted interviews with multiple members of Clearwater Customer staff, based on the Information Asset Inventory agreed upon in the scope-of-work and listed in Appendix A. The intent of each interview session was to perform the following for each in-scope information asset:
1. Identify and Document Potential Threats and Vulnerabilities
2. Assess Current Security Controls
3. Determine the Likelihood of Threat Occurrence
4. Determine the Potential Impact of Threat Occurrence
5. Determine the Level of Risk
6. Record required documentation
7. Prepare required reporting
[6] Ideally, Customer would conduct a risk analysis before performing any significant changes.
Note that risks can exist when and only when a specific asset-threat-vulnerability combination exists in the environment. For example, a laptop with sensitive data such as ePHI may be stolen (the threat). If that data is not encrypted (a vulnerability that may be exploited), the combination of this threat and vulnerability likely represents a risk to the organization. The extent or significance of this risk is a function of certain predisposing conditions and controls that may or may not be in place.

The determination of a risk rating for a particular asset-threat-vulnerability combination is expressed as a function of likelihood and impact, where:

The likelihood is essentially the estimated probability of an adverse impact to the organization, considering the ability of a specific threat to exploit a specific vulnerability given predisposing conditions, and considering the controls in place for the specific media/asset.

The impact is the estimated magnitude of harm that can be expected to the confidentiality, integrity or availability of sensitive information if the specific threat were to exploit the specific vulnerability given the predisposing conditions and controls currently in place for the specific media/asset.

Thus, using these values, the risk can be calculated as:

Risk = Impact * Likelihood

Note that both likelihood and impact include the control environment in place. For this engagement, the likelihood rating of a particular threat exploiting a potential vulnerability within the actual Clearwater Customer environment was estimated based on:
• Historical information
• Threat-source motivation and capability
• Nature of the vulnerability
• Existence and effectiveness of current controls
In addition to the historical information provided by the Clearwater Customer workforce, the Clearwater Compliance team used their professional knowledge to estimate the other three factors. The likelihood that a potential vulnerability could be exploited by a given threat source was defined as follows:
Level                Likelihood Definition
Rare (1)             May happen once every 20 years or longer
Unlikely (2)         May happen once every 10 to 20 years
Moderate (3)         May happen once every 5 to 10 years
Likely (4)           May happen once every 1 to 5 years
Almost Certain (5)   May happen at least once a year or more frequently
Similarly, to analyze the impact of a threat exploiting a particular vulnerability, the team used the following definitions:
Level               Impact Definition (Potential Scenarios)
Insignificant (1)   • Remediate within 1 hour
                    • No interruption of operations
Minor (2)           • Remediate within 8 hours
                    • No serious interruption of operations
                    • Multiple other controls would have to fail for the threat to exploit the vulnerability
Moderate (3)        • Remediate in more than 8 hours
                    • Disruption of operations
                    • Creates new minor vulnerabilities
Major (4)           • Multi-hour interruption of operations
                    • Data breach reportable to HHS annually (<500 records)
                    • An OCR investigation could potentially result in penalties
                    • Creates a new serious vulnerability
Disastrous (5)      • Multi-day interruption of operations
                    • Data breach reportable to HHS immediately (>500 records)
                    • An OCR investigation would likely result in penalties
                    • Creates many new serious vulnerabilities
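The 5 X 5 matrix and value bands from the Background section, together with the likelihood and impact scales just defined, as a small register-scoring helper. This is an added example written for this page, not code from Clearwater Compliance or its IRM|Analysis™ software; the register entries are constructed (asset and threat-vulnerability names are borrowed from the report's own tables, the scores are illustrative), and the threshold constant mirrors the customer's stated threshold of 15.

```python
"""Score a risk register with the 5x5 matrix used in this report.

Risk = Likelihood * Impact, each on the 1..5 scales defined above, banded into
Low / Medium / High / Critical (0 = Not Applicable) and compared against the
customer's threshold of 15.  Added example; the register below is constructed.
"""
from collections import Counter

# Likelihood scale (Rare .. Almost Certain) and impact scale
# (Insignificant .. Disastrous) exactly as defined in the report.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Moderate": 3,
              "Likely": 4, "Almost Certain": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3,
          "Major": 4, "Disastrous": 5}

RISK_THRESHOLD = 15  # ratings >= 15 exceed the customer's threshold (High or Critical)


def risk_level(likelihood: int, impact: int) -> str:
    """Band a likelihood/impact pair per the report's 'possible values' table.

    Products of two integers in 1..5 can only be 1-6, 8-10, 12, 15, 16, 20 or
    25, so the <= comparisons below reproduce that table exactly.
    """
    if not (0 <= likelihood <= 5 and 0 <= impact <= 5):
        raise ValueError("likelihood and impact must be in 0..5")
    rating = likelihood * impact
    if rating == 0:
        return "Not Applicable"
    if rating <= 6:
        return "Low"
    if rating <= 12:
        return "Medium"
    if rating <= 20:
        return "High"
    return "Critical"


def matrix() -> dict:
    """Rebuild the 'Overall Risk' matrix: impact label -> levels for likelihood 1..5."""
    return {imp: [risk_level(lk, i) for lk in range(1, 6)] for imp, i in IMPACT.items()}


def rate(entry: dict) -> dict:
    """Attach the numeric rating and its level to one register entry."""
    lk, im = LIKELIHOOD[entry["likelihood"]], IMPACT[entry["impact"]]
    return {**entry, "rating": lk * im, "level": risk_level(lk, im)}


def summarize(register: list) -> dict:
    """Count and whole-percentage per level, like the report's summary table."""
    rated = [rate(e) for e in register]
    counts = Counter(r["level"] for r in rated)
    total = len(rated) or 1
    return {lvl: (counts[lvl], round(100 * counts[lvl] / total))
            for lvl in ("Critical", "High", "Medium", "Low")}


def findings_above_threshold(register: list, threshold: int = RISK_THRESHOLD) -> list:
    """Group entries at or above the threshold by (asset, threat-vulnerability).

    The count per group is the 'No. of Ratings of this Magnitude for this
    Threat-Vulnerability' column of the findings tables; highest count first.
    """
    groups: dict = {}
    for r in (rate(e) for e in register):
        if r["rating"] >= threshold:
            key = (r["asset"], r["threat_vulnerability"])
            groups[key] = groups.get(key, 0) + 1
    return sorted(groups.items(), key=lambda kv: -kv[1])


# Constructed sample register: names come from the report's tables, the
# likelihood/impact scores are illustrative and not the customer's actual ratings.
SAMPLE_REGISTER = [
    {"asset": "Mobile Devices", "media": "Smartphone",
     "threat_vulnerability": "Loss or Theft of Equipment - Vulnerabilities in Media Handling",
     "likelihood": "Likely", "impact": "Major"},               # 4*4 = 16, High
    {"asset": "Mobile Devices", "media": "Tablet",
     "threat_vulnerability": "Loss or Theft of Equipment - Vulnerabilities in Media Handling",
     "likelihood": "Moderate", "impact": "Disastrous"},        # 3*5 = 15, High
    {"asset": "Directory Servers", "media": "Server",
     "threat_vulnerability": "Burglary/Theft - Physical Security Vulnerabilities",
     "likelihood": "Rare", "impact": "Major"},                 # 1*4 = 4, Low
    {"asset": "Email Archive Files", "media": "Desktop or Laptop",
     "threat_vulnerability": "Improper Destruction, Disposal or Reuse of Storage Media",
     "likelihood": "Likely", "impact": "Moderate"},            # 4*3 = 12, Medium
    {"asset": "Vendor X", "media": "Contractors/Consultants",
     "threat_vulnerability": "Lack of Due Diligence - Vulnerabilities in Service Providers/Vendors",
     "likelihood": "Almost Certain", "impact": "Disastrous"},  # 5*5 = 25, Critical
]

if __name__ == "__main__":
    for imp, row in matrix().items():
        print(f"{imp:14} {' '.join(f'{lvl:9}' for lvl in row)}")
    print(summarize(SAMPLE_REGISTER))
    for (asset, tv), n in findings_above_threshold(SAMPLE_REGISTER):
        print(f"{asset}: {tv} -> {n} rating(s) >= {RISK_THRESHOLD}")
```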
Limitations of the Analysis

The risk analysis is solely based on interviews and subjective observation, not objective technical reports or system/application testing. It relies on information provided by knowledgeable Clearwater Customer staff and subject matter experts. Vulnerability information was taken from the National Vulnerability Database at the National Institute of Standards and Technology (NIST)[7]. It is the Clearwater Compliance assumption that there are other vulnerabilities and threats that we have not identified that could only be identified by deeper analysis, investigation and periodic repetition of the risk analysis process. Control recommendations were made based on the prior analysis, taking into account best practices, resource constraints, and what controls would be reasonable and appropriate for the Clearwater Customer environment.

Risk Analyses examine the information assets, threats, vulnerabilities and risks of an organization at a specific point in time. It is the responsibility of the organization to achieve, demonstrate, and maintain its information security vigilance at all times. Therefore, Clearwater Compliance, LLC makes no representation or warranty as to whether the Company's network and/or computer systems are secure from either an internal or an external attack, or whether sensitive data is at risk of being compromised. Additionally, Clearwater Compliance, LLC makes no representations or warranties regarding the organization's business activities or operations.

[7] https://nvd.nist.gov
Risk Analysis Results

System Characterization

Clearwater Customer has three lines of business that routinely handle ePHI. The main applications in use by Clearwater Customer are the ABC workflow application and the XYZ ‘sensitive information’ management system, which have one installation at each of 100 locations. Additional systems in use include an e-prescribing system, mail order and e-commerce support systems, the TopShelf Incident and Risk Management application, and the Q specialty sensitive information system, hosted at the vendor. Sensitive information operations also make use of Vendor X adherence and analytics services.

The Y systems in use include the main, internally developed application running on the IBM iSeries system and the thin clients installed on workstations at each location. The manufacturing plant systems consist of a number of computer numerical control (CNC) machines on the assembly line, and their management systems on a dedicated segmented network at the plant.

The QRS Centers use a web-based Software-as-a-Service application hosted by the vendor, Vendor.net. This application is only accessible from approved whitelisted IP addresses within Clearwater Customer corporate offices and locations. There is a supporting Noah 4 application installed on workstations at each HAC, used to run tests and transmit results.

Clearwater Customer’s corporate email system is Gmail, which is accessible from anywhere. Zixmail is used to encrypt email automatically when it is sent by others. It can also be done manually by placing a keyword in the subject line. Email is also archived for one year. This archiving functionality is being moved to Google Vault, where email will be archived for seven years.

As indicated above, the Information Assets agreed upon in the scope-of-work are listed in Appendix A.
Good or Best Practices Observed

Clearwater Customer has implemented a number of information security safeguards that are considered industry best practices. These practices include, but are not limited to:
• Strong physical security controls at all locations
• Cross-trained personnel with strong corporate knowledge and long tenure at Clearwater Customer
• Well-defined access control processes
• Extensive IS security awareness training and reminders
• Regular penetration and vulnerability scanning of networks and Internet-facing systems
• Frequent audits of many of Clearwater Customer’s administrative, technical, and physical IS controls
Control Analysis

Details of the preventative, detective, and compensating controls in place to minimize the likelihood or impact of a specific threat exploiting a particular vulnerability are documented in the Clearwater Compliance IRM|Analysis™ SaaS application. The robust control set used to complete the control analysis is derived from NIST SP 800-53 Revision 4 Final, Recommended Controls for Federal Information Systems and Organizations. A listing of the Clearwater Controls, derived from the NIST control set, is shown in Appendix B. These controls can be seen in the application’s Risk Rating Report or as part of notes at the threat-vulnerability level.
Identified High Risks and Recommended Remediation Controls

Asset-threat-vulnerability combinations that were judged to be so unlikely as to not merit risk management were not included in the analysis. In the Clearwater Compliance IRM|Analysis™ Software-as-a-Service application, 846 media-threat-vulnerability combinations were analyzed and the existing control environment documented. From our analysis and the Clearwater IRM|Analysis™ application, a summary of Clearwater Customer risks is as follows:
Risk Level   Number of Risks   Percentage of Total Risks
Critical     0                 0%
High         21                2%
Medium       137               16%
Low          688               82%
Below, you will find the risks that were identified as exceeding Clearwater Customer's risk threshold (i.e. risk rating >= 15). These risks have been combined into five broad categories, where the cause for the risk and the recommended remediation controls were the same. The exhaustive list of all risks is articulated in the Clearwater Compliance IRM|Analysis™ Software-as-a-Service application. Other Medium and Low risks should also be watched closely, as it is not uncommon for lower risks to become higher risks as the environment changes over time.
Asset: Various Clearwater Customer Servers, Workstations, and IT Devices
Threat-Vulnerability Specific: Improper Destruction, Disposal or Reuse of Storage Media - Destruction/Disposal Vulnerabilities
No. of Ratings of this Magnitude for this Threat-Vulnerability: 7
Risk Rating: High
Explanation of Finding:
• Unencrypted servers, workstations, and other IT equipment (e.g. tablets, network equipment, etc.) are shipped to Recycling for destruction, disposal, or reuse. The hard drives and other non-volatile memory in these systems are not necessarily wiped before shipment, even though some of them may contain ePHI data.
• Shipments to Recycling are not necessarily shipped with any sort of tracking information required. This would make it difficult, if not impossible, to locate any of this equipment if it were to go missing before reaching its intended destination.
• Some hard drives are stored at Building 2 and at ABC Parts for a time before they are reused or sent to Recycling for destruction. However, a current inventory of the hard drives being maintained at each location doesn’t exist, so if any of these were to be removed or stolen, it is unlikely anyone would notice for a while, if ever.
Remediation Recommendations:
• Require all unencrypted hard disk drives with ePHI data being disposed of or recycled for reuse be securely wiped before being sent to Recycling or ABC Parts, if possible.
• Alternatively, consider contracting with a disk destruction/shredding company to go directly to any Clearwater Customer location that has a hard drive it needs destroyed, in order to perform the destruction onsite.
Asset: Gmail/Google Docs
Threat-Vulnerability Specific: Information Leakage – Endpoint Leakage Vulnerabilities
No. of Ratings of this Magnitude for this Threat-Vulnerability: 1
Risk Rating: High
Explanation of Finding:
• Employees can download Google Gmail attachments and Google Drive files, either of which may contain ePHI data, onto personally-owned computers and mobile devices (e.g. smartphones, Chromebooks, tablets, etc.), as well as onto other non-company computers with Internet access.
• Though Cloudlock is being used to scan the movement of data on the company’s Google Drive account, it is not currently being used to scan or stop the unauthorized movement of ePHI data onto any of the computers or devices mentioned above.
• Once downloaded, these files could be viewed by others who are not Clearwater Customer employees and/or not trained in the HIPAA privacy rules, which would constitute an impermissible disclosure of ePHI.
• Computers and devices containing these files could be disposed of or donated to charities without the ePHI being properly deleted, which could result in a data breach reportable to the Office for Civil Rights at the U.S. Department of Health and Human Services under the provisions of Title 45, Subtitle A, Subchapter C, Part 164, Subpart D – Notification in the Case of Breach of Unsecured Protected Health Information.
Remediation Recommendations:
• Consider implementing a policy that prohibits Clearwater Customer employees from downloading ePHI to non-Clearwater Customer computers or mobile devices.
• Enable Cloudlock to stop the transfer of files with ePHI data to non-Clearwater Customer computers or mobile devices.
Asset: Employee Owned and Company Issued Mobile Devices (Smartphones & Tablets)
Threat-Vulnerability Specific: Loss or Theft of Equipment - Vulnerabilities in Media Handling; Burglary/Theft – Physical Security Vulnerabilities; Access to Sensitive Data – Vulnerabilities Related to Encryption; Access to Sensitive Data – Vulnerabilities in User Authentication; Improper Destruction, Disposal or Reuse of Storage Media - Destruction/Disposal Vulnerabilities
No. of Ratings of this Magnitude for this Threat-Vulnerability: 10
Risk Rating: High
Explanation of Finding:
• Employees can download Google Gmail attachments and Google Drive files, either of which may contain ePHI data, onto personally and company-owned mobile devices (e.g. smartphones, Chromebooks, tablets, etc.).
• Employees are not required to register their devices with a company-managed Mobile Device Management Program, nor are they required to enable PIN, password, or gesture-based authentication, enable device encryption, or install remote wipe or geo-location programs on these devices before accessing Clearwater Customer programs and file stores with ePHI.
• The loss or theft of any of these mobile devices that may have ePHI data stored on them could result in a data breach reportable to the Office for Civil Rights at the U.S. Department of Health and Human Services under the provisions of Title 45, Subtitle A, Subchapter C, Part 164, Subpart D – Notification in the Case of Breach of Unsecured Protected Health Information. If over 500 records are involved, Clearwater Customer would also have to notify the affected Clearwater Customer and the media of the breach. If this were necessary, this could have a profoundly negative impact on Clearwater Customer’s reputation and finances.
• Employees likely dispose of their mobile devices without removing any files or programs from the device before doing so. If they have ePHI data on the device when they do dispose of it, and if they do not remove this data or have enabled encryption, there is a strong possibility that this, too, could result in a reportable data breach.
Remediation Recommendations:
• Consider implementing a policy that prohibits all Clearwater Customer employees from accessing ePHI data on, or downloading ePHI data to, any personally- or company-owned mobile device that does not have:
  o PIN, password, or gesture-based authentication;
  o Device-based encryption enabled; and
  o Remote-wipe or geo-location capability implemented.
• Alternatively, consider re-implementing the company’s Mobile Device Management system and require all personally- or company-owned mobile devices to be registered with and managed by this program before accessing company programs, email, or data stores.
Asset: Employee Owned and Company Issued Portable Storage Devices (e.g. USB Keys/Flash Drives, external USB hard drives, SD cards, etc.)
Threat-Vulnerability Specific: Loss or Theft of Equipment - Vulnerabilities in Media Handling; Theft of Equipment – Physical Security Vulnerabilities
No. of Ratings of this Magnitude for this Threat-Vulnerability: 2
Risk Rating: High
Explanation of Finding:
• Employees may download ePHI and other sensitive data to either company-issued or employee-owned portable storage devices (e.g. USB key, external USB hard drive, SD card, etc.), which do not have to be encrypted.
• Most corporate workstation USB ports are not blocked from writing data. When writing data to portable storage devices, the data being written is not necessarily encrypted, nor are the devices themselves encrypted.
• Although Clearwater Customer does have a Data Loss Protection (DLP) system to monitor the movement of data, it is not currently configured to track the movement of any ePHI data.
• The loss or theft of any portable storage devices which may have ePHI data stored on them could result in a data breach reportable to the Office for Civil Rights at the U.S. Department of Health and Human Services under the provisions of Title 45, Subtitle A, Subchapter C, Part 164, Subpart D – Notification in the Case of Breach of Unsecured Protected Health Information. If over 500 records are involved, Clearwater Customer would also have to notify the affected business associates and the media of the breach. If this were necessary, this could have a profoundly negative impact on Clearwater Customer’s reputation and finances.
Remediation Recommendations:
• Consider implementing a policy that prohibits all Clearwater Customer employees from transferring ePHI data to any company-issued or employee-owned portable storage device (e.g. USB key, external USB hard drive, SD card, etc.). Because virtually all employees with access to ePHI who should need to transfer it elsewhere have other secure file transfer methods available to them (e.g. encrypted email, Secure FTP, etc.), there should be no reason to use portable storage devices as a transfer method, especially considering the risk they represent to the organization.
• Further consider locking down data write capabilities on all workstation USB ports and CD/DVD drives using Active Directory Group Policies. Grant exceptions to this policy only upon appropriate management approval.
• In the event it is determined there is a legitimate business need to transfer ePHI data using portable storage devices, require that such data be encrypted when written, or alternatively, only be written to devices with built-in encryption capabilities (e.g. IronKey, Imation Defender, etc.).
Asset: Third-party Contractors/Consultants
Threat-Vulnerability Specific: Lack of Due Diligence - Vulnerabilities in Service Providers/Vendors
No. of Ratings of this Magnitude for this Threat-Vulnerability: 1
Risk Rating: High
Explanation of Finding:
• Clearwater Customer does not presently require independent audits or other proof that all third-party contractors that create, receive, maintain, or transmit Clearwater Customer ePHI are complying with the HIPAA Security Rule, or that they have the necessary IS security controls in place to properly protect sensitive data.
• Clearwater Customer does not presently have a Business Associate Agreement (BAA) in place with Vendor X, a third-party vendor that couriers and stores Clearwater Customer system backup tapes containing ePHI, as is required by 45 CFR §164.308(a)(8)(b)(2). A BAA requires Vendor X to formally acknowledge their responsibility to abide by all applicable provisions of the HIPAA Security Rule, and to promptly notify Clearwater Customer should they experience a data breach of Clearwater Customer’s ePHI data.
Remediation Recommendations:
• To ensure third parties that create, receive, maintain, or transmit Clearwater Customer ePHI have the appropriate protective measures in place to protect this sensitive data, Clearwater Customer should require these third parties to provide proof of this fact. The following items, in order of preference, would provide this additional proof:
  o A SOC 2 or SOC 3 report, conducted by an independent CPA firm, formally attesting to the state of the third party’s information system security controls.
  o A Risk Analysis, conducted by an independent third party, showing an evaluation of the risks to the Business Associate’s organization’s systems that access, create, maintain, transmit or receive ePHI.
  o A security controls audit performed by Clearwater Customer staff of the third party’s information system security measures.
  o A completed security controls questionnaire furnished by Clearwater Customer to the third party regarding the security measures they have in place to protect the organization’s ePHI data.
• Once the results of one of the preceding reviews are provided to Clearwater Customer, it should require that the vendor show proof within a predetermined period that it has remediated any risks Clearwater Customer and the vendor agree are above an acceptable risk level. Any failure by the vendor to complete its remedial actions within the agreed-upon timeframe should be considered grounds for Clearwater Customer to terminate its contract with the vendor.
• Require Vendor X to sign a Clearwater Customer Business Associate Agreement that meets the requirements of 45 CFR §164.314(a)(2)(i)(A)-(C) of the HIPAA Security Rule.
Other Recommendations
The following recommendations are designed to address other security concerns which, while not as pressing as those listed above, are worthy of consideration: if followed, they will likely reduce certain lower-level risks or prevent them from becoming higher risks later.
• Clearwater Customer does not maintain a current inventory of its computer hardware and software. As a result, if some equipment or software in storage goes missing, there is no reliable way for Clearwater Customer to know. This could be especially problematic if the missing equipment was previously used to store ePHI data. It would be highly advisable, therefore, for Clearwater Customer to update its computer hardware and software inventory, and to periodically re-inventory these items.
• Clearwater Customer should consider enabling encryption for any database that contains ePHI data, where possible. This will greatly reduce the ability of a system cracker or malicious user to gain access to this data, even if they are able to compromise the server that hosts the database in some other way (e.g. gain root access).
• Clearwater Customer's Disaster Recovery and Business Continuity (DR/BC) planning is inconsistent at its Building 2, and testing of these plans is sporadic and, in some cases, non-existent. If one does not already exist, a "model" DR/BC plan should be developed for all Buildings, adapted by each of them, and periodically tested at select locations.
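The first recommendation above calls for a current inventory and periodic re-inventory so that missing equipment, especially equipment that once held ePHI, is noticed. The following added example (not code from the Clearwater report or from Clearwater Compliance) shows what such a re-inventory check looks like in practice: a recorded baseline is reconciled against the asset tags observed during a physical walk or discovery scan, missing assets are reported with ePHI-bearing ones first, and tags seen that have no inventory record are flagged for addition. All asset tags, names and ePHI flags are constructed sample data.

```python
"""Reconcile a hardware/software inventory baseline against a fresh re-inventory.

Added example, not part of the Clearwater report. Asset tags, names and the
ePHI flags below are constructed sample data, not Clearwater Customer's inventory.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    tag: str            # asset tag printed on the device or license record
    kind: str           # "hardware" or "software"
    name: str
    stored_ephi: bool   # True if the asset ever held ePHI (drives escalation)


# Constructed baseline: what the last inventory says the organization owns.
BASELINE = [
    Asset("HW-0001", "hardware", "Directory server", False),
    Asset("HW-0002", "hardware", "Database server (sensitive information)", True),
    Asset("HW-0003", "hardware", "Spare laptop kept in storage room", True),
    Asset("HW-0004", "hardware", "Multi-function printer with HDD", True),
    Asset("SW-0100", "software", "Database license", False),
    Asset("SW-0101", "software", "Backup software license", False),
]

# Constructed result of a re-inventory walk or discovery scan. Only tags are
# recorded, which is what a barcode reader or network scanner actually yields.
OBSERVED_TAGS = {"HW-0001", "HW-0002", "HW-0004", "SW-0100", "SW-0101", "HW-0099"}


def reconcile(baseline, observed_tags):
    """Return (missing, unexpected).

    missing:    baseline assets whose tag was not observed, ePHI-bearing first
                so the register reads in escalation order.
    unexpected: observed tags with no inventory record (untracked equipment).
    """
    known = {a.tag: a for a in baseline}
    missing = [a for tag, a in known.items() if tag not in observed_tags]
    missing.sort(key=lambda a: (not a.stored_ephi, a.tag))
    unexpected = sorted(set(observed_tags) - known.keys())
    return missing, unexpected


def format_report(missing, unexpected, as_of=None):
    """Render the reconciliation as plain text suitable for a risk register entry."""
    as_of = as_of or date.today()
    lines = [f"Inventory reconciliation as of {as_of.isoformat()}"]
    for a in missing:
        # An unaccounted-for asset that held ePHI needs a breach-risk assessment,
        # not just a replacement order; everything else is a low-level finding.
        severity = ("HIGH - stored ePHI; escalate for breach-risk assessment"
                    if a.stored_ephi else "LOW - locate or write off")
        lines.append(f"MISSING   {a.tag} ({a.kind}) {a.name}: {severity}")
    for tag in unexpected:
        lines.append(f"UNTRACKED {tag}: observed but not in inventory; add a record")
    if len(lines) == 1:
        lines.append("No discrepancies found")
    return "\n".join(lines)


if __name__ == "__main__":
    missing, unexpected = reconcile(BASELINE, OBSERVED_TAGS)
    print(format_report(missing, unexpected))
```

Running the block against the constructed data reports the spare laptop (HW-0003, which stored ePHI) as a HIGH finding and HW-0099 as untracked equipment. Re-running the reconciliation on a schedule, with the observed tags taken from the latest walk, is the "periodically re-inventory" step the recommendation describes.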
Appendices
Appendix A – Information Asset Inventory
Asset Name | Asset Description | Media and Devices that store this Data | Notes
Directory Servers | Authenticates users before allowing access to the Clearwater Customer network or applications | Server |
Corporate (Mail Order) Workstations | PCs and laptops used to access corporate applications | Desktop or Laptop, Tablet |
Vendor X | Third-party backup media courier and offsite storage vendor | Contractors/Consultants | ADDED
Cloud-Based Productivity Applications | Enterprise email and document storage | Software-as-a-Service |
FAX (Has HDD) Fax Vendor 555 | Fax Machine | Scanners, Printers, or Copiers | REMOVED – Out of scope, does not store ePHI
Imaging Management Group | Second tier help desk support vendor | Contractors/Consultants | ADDED
Recumbent.com | Web-based practice management application | Software-as-a-Service |
Workstations | Workstations used to access Recumbent.com practice management application | Desktop |
Content Management System | Content management system which contains benefit plan information | Server, Disk Array, Backup Media |
Storage Manager | Backs up servers and workstations | Server |
Email Archive Files | Local storage of email messages | Desktop or Laptop |
Mobile Devices | BYO devices that can access Clearwater Customer systems | Smartphone, Tablet, USB key or flash drive | ADDED
Multi-Function Printer/Scanner/Copier | Devices used for printing, scanning, email of scanned documents, and storage to network share | Scanners, Printers, or Copiers |
Network File Shares | Windows servers connected to the SAN | Storage Area Network, Server | Renamed from File Server
DVI Server | Program used at Lab to fill orders | Third-party service provider, Server, Backup Media, USB key/flash drive |
Fax (Has HDD) Fax Vendor 555 | Fax Machine | Scanners, Printers, or Copiers | REMOVED – Out of scope, does not store ePHI
Primary Application – ABC application | System used to process orders at Building 2 | Server |
ABC Application Workstations | Workstations used to connect to ABC application | Desktop |
DVI Workstations | Workstations used to connect to DVI server at Lab | Desktop |
Vendor X | Third-party sensitive information adherence and analytics services provider | Contractors/Consultants | ADDED
Department 1 application | Application that stores Department 1 sensitive information | Server |
Department 1 – Albatross | Clearwater Customer sensitive information management system | Server |
Department 1 – Albatross Command and Control | Facilitates Clearwater Customer sensitive information management | Server |
Department 1 – Sensitive Info Generator | Creates emails to send Clearwater Customer's customers sensitive info | Server | Renamed from Email Creator
Department 1 – Sensitive Info System | System used to send and receive sensitive information | Server |
Fax (No HDD) Fax Vendor 555 | Facsimile Machine | Scanners, Printers, or Copiers | REMOVED – Out of scope, does not store ePHI
Interactive Voice Response System | Voicemail appliance used to receive incoming messages | Server |
Specialty Albatross Server | Albatross servers | Server | ADDED
Online Orders System | Program used to pull online orders | Desktop | Changed from Server to Desktop, as this is what the program runs on
Incident Tracking System | Intranet application used to manage HIPAA incident tracking | Server |
Specialty Application | System used to process specialized drug (e.g. cancer chemotherapy) orders | Third-party service provider |
Backup Client | Backup client used to facilitate backups of critical database and Albatross Servers | Server | ADDED – Replaces Virtual Servers
Albatross Database | Oracle Database used to support Albatross applications | Server | ADDED – Replaces Virtual Servers
Albatross Server | Clearwater Customer sensitive information management system | Server | ADDED – Replaces Virtual Servers
Captain Database | SQL Server Database used to support Captain application | Server | ADDED – Replaces Virtual Servers
Captain Server | Workflow system controlling the process used to process sensitive information | Server |
Virtual Servers | Virtualized Albatross and Captain Servers located at all locations | Server | REMOVED – Broken out into other categories captured as other assets in the Information Asset Inventory
Workstations | Windows desktops used to access applications | Desktop |
Web Site Database Server | Database server for public-facing web server accepting online sensitive information | Server |
Web Site Server | Public-facing web server used to process online sensitive information | Server |
Automated Fax Vendor | Receives external transmissions into the Benefits Department | Server |
Collocation Data Center Corp. | Data Center Vendor | Contractors/Consultants | ADDED
123 BackUp Software | Appliance used to back up servers and workstations | Server, Disk Array, Backup Media | Renamed from ABC System; 123 BackUp Software is the vendor
SFTP Server | Provides secure (encrypted) file transfer between internal Clearwater Customer systems and external systems | Server |
Document Management System (DMS) | E-capture and document management system | Server |
DMS Database | Document management system database | Server, Backup Media | REMOVED – Combined with DMS Application
Collocation Data Center | Backup Data Center Vendor | Contractors/Consultants | ADDED
Appendix B – Risk Rating Report / Risk Register (SAMPLE)
Appendix C – Clearwater Controls
Administrative
• Acceptable Use Policy
• Employee supervision
• Identified security roles
• Information disclosure procedures
• Internal IT audit program
• Security/privacy awareness and training
• Security during systems acquisition
• Segregation of duties
• Training for the security workforce
• Process documentation
• Redundant service providers
Continuity
• Business continuity plans
• Capacity planning
• Data backup
Mobile Devices (Including USB Devices)
• Automated management of device
• Controlled access to areas with mobile devices
• Device handling policy and procedures
• Device testing and validation policy and procedures
• Encryption of device
• Physical security policy and procedures
• Secure storage of devices when not in use
• Tracking of device
Operating Systems and Applications
• Accounts lock after too many failed logins
• Application penetration testing
• Auto logoff or auto screen locking
• Controls around user-installed software
• Fake data to attract misuse (honeypot records)
• Information access control policy and procedures
• Identification and authentication policy and procedures
• Logging of information access
• OS/Application patching policy and procedures
• Password strength requirements
• Password/token management policy and procedures
• Prevention of simultaneous user logins
• Principle of least privilege
• Role-based access control
• Standardized system configurations
• Testing of password strengths
• Two-factor authentication
• User account management
• User activity review
• User authenticated locally
• User permissions reviews
Physical
• Fire-suppression systems
• Limited access to network cabling and devices
• On-site generator
• Physical access authorization
• Physical access control
• Physical access monitoring
• Physically hardened or ruggedized systems
• Physically secured demarcation points
• Physically securing devices or systems when not in use
• Protective enclosures for non-mobile equipment
• Redundant HVAC equipment
• Surge protectors
• Uninterruptible power supply (UPS)
• Visitor access control
Software Development
• Application code review
• Application or data partitioning
• Application penetration testing [custom apps]
• Data input validation
• Secure software development processes
• Secure software development training and awareness
• Security standards for software development
Systems and Media
• Anti-virus policy and procedures
• Anti-virus software
• Automated handling of backup media
• Backup media handling policy and procedures
• Backup media re-use/disposal policy and procedures
• Documented security roles in the system development lifecycle
• Encryption of backup media
• Encryption of disks (full disk, file based, USB key, etc.)
• Lights-out/hands-off management
• Limited access to output devices (printers, etc.)
• Locked down external ports (USB, CD, DVD, Firewire, etc.)
• Media re-use and disposal policy and procedures
• Media testing and validation policy and procedures
• Prevention of user storing data locally (terminals, VDI, etc.)
• Restrictions on media use
• Secure storage of backup media when not in use
• Tracking of backup media
• Use of a disk shredding service with confirmation of destruction
Technical
• Application, system or network vulnerability scanning
• Authentication of network sessions (as distinct from users)
• Central monitoring of anti-virus and personal firewall logs
• Change control processes
• Distributed processing or storage
• Data Loss Prevention tools
• Limited user access ability (by time of day, by location, etc.)
• Medical snooping detective software
• On-call technical resources
• Redundant or spare equipment
• Tamper-proof mechanisms
• Two-man rule
Network
• Encryption of network traffic
• Network disconnect of idle or malicious connections
• Network firewalls
• Network segmentation
• Network traffic throttling
• Personal firewall enabled
• Redundant Internet connections
• Redundant telecommunications providers
• Remote access controls
• Remote administrative access
• Wireless access restrictions
• Wireless encryption
• Wireless link protection
• Wireless security policy and procedures
3rd Party
• Audits of service providers
• Locally-stored backups of third-party hosted data
• Service-level agreements
• Use of third-party data storage services