
This form can be used to inventory cloud-related assets within the information technology portfolio. The knowledge of what information technology exists in an organization is vital to any good information security program. This worksheet will guide the team through a detailed inventory process by asking the right questions, gathering valuable information, and resulting in a full assessment of the location, condition, and inter-relatedness of all cloud-related information technology assets that store, process or transmit electronic protected health information (ePHI).

| Name of Application or System | Operating System | Category (Clinical Application, Business Application, Data Center Application, Biomedical Application, Web Application, etc) | Description |
|---|---|---|---|
| Electronic Health Record | Hosted (Cloud Based) | Clinical | Electronic Health Record for the Outpatient Facility |
| Email | Hosted (Cloud Based) | Business | Email |
| Patient Scheduling System | Hosted (Cloud Based) | Business | Patient Scheduling |
| Remote Backup Software | Hosted (Cloud Based) | Business | Software to backup the data |
| Pathology Data System | Hosted (Cloud Based) | Clinical | Ancillary system for where lab work is documented, charges developed, and sends results to EHR |
| Collaboration/File Sharing Software | Hosted (Cloud Based) | Business | Employee collaboration |
| PACS/Imaging | Hosted (Cloud Based) | Clinical | Clinical Picture Archiving Communication System |
| Business Intelligence | Hosted (Cloud Based) | Business | Business analytic tool |
| Customer relationship management (CRM) | Hosted (Cloud Based) | Business | Manage customer relations |
| Customer Service (e.g. survey tools) | Hosted (Cloud Based) | Business | Survey customers regarding satisfaction |

Further columns, blank in the sample: Data Classification / Regulation; ~Number Of Users; Data Stored (& volume); System Criticality.


Additional inventory columns:

> Data Transmitted (how and where)
> Reports Generated (& for who)
> Risk Assessment Frequency in Months
> Business Function
> Business/System Owner
> Dept
> Vendor
> Vendor Contact & Support Information
> Access vendor has? VPN, WebEx, PCAnywhere, dial up, etc?
> Primary Support / Secondary Support
> Primary Phone / Secondary Phone
> Responsible Analyst
> BAA on File? (Y, N, N/A)
> Access Control Contact
> Primary HW/OS Support
> Secondary HW/OS Support
> Location
> Dependent Systems
> Interfaces / Connections
> Microsoft Patches: Source of approved patches to apply. 1. Vendor emails notifications 2. We call vendor to verify patches 3. Other - Explain
> Microsoft Patches: Scheduled Maintenance Downtime (ex: 4th Thu of Month)
> Logs / Monitoring
> Malware / IDS Protection

Cloud Computing Risk Assessment Module
The following is intended as a sample risk assessment for health care organizations that utilize cloud services. It is intended to address the risks to
confidentiality, integrity, and availability that the health care organization should consider addressing. It is not intended to address the risks to the cloud
provider, who should separately perform its own risk assessment. The identified risks are examples, and should be modified based on the specific
circumstances of the cloud provider, who likely will have a different set of existing controls, different risk levels, and may face additional categories of risks.
Recommended Best Practice Controls are potential ways to address risks and are not intended to represent the only appropriate controls.

As vulnerabilities are discovered you can record them and evaluate the level of risk using this report.

Columns of the risk assessment report:

> Vulnerability Name: Describe a particular weakness or flaw in your security that could be exploited by a threat source to cause a security violation or breach.
> Risk Description: Describe, in business terms, the type of harm to the organization if this vulnerability is exploited by a threat source.
> Threat Source: Describe the threats that could take advantage of this vulnerability. Consider the 4 categories of threats: Adversarial, Accidental, Structural, Environmental; as well as more specific examples such as external / internal, users, visitors, virus, natural hazard, etc.
> Existing Controls: Describe the safeguards already in place that reduce this risk. Consider physical, technical and administrative safeguards.
> Likelihood of Occurrence: Very High, High, Moderate, Low, Very Low
> Impact Severity: Very High, High, Moderate, Low, Very Low
> Risk Level: Very High, High, Moderate, Low, Very Low
> Potential Best Practice Control: Give a recommendation for the best new safeguard(s) that can reduce the risk from this vulnerability further.
> Organizational Comments
> Owner: Need to assign an owner (accountability and follow-up)

| Vulnerability Name | Risk Description | Threat Source | Existing Controls | Likelihood of Occurrence | Impact Severity | Risk Level | Potential Best Practice Control |
|---|---|---|---|---|---|---|---|
| Cloud provider fails to periodically conduct a risk assessment including penetration testing (including web application security) | Information maintained by the cloud provider is compromised | Adversarial, accidental, structural, environmental, etc. | None | High | High | High | Obtain assurances that cloud provider conducts periodic risk assessments, including information about who conducts risk assessment, how often, and whether such assessments include penetration testing. |
| Cloud provider has inadequate administrative, physical, and technical safeguards | Information maintained by the cloud provider is compromised | Adversarial, accidental, structural, environmental, etc. | None | High | High | High | Obtain documentation that cloud provider has a comprehensive security program that adheres to a recognized framework (e.g., ISO) and is periodically reviewed by a third party. |
| Unauthorized access during transmission to cloud provider | Information is intercepted and exploited by an unauthorized third party during transmission to the cloud provider | Adversarial outsider (e.g., hacker) | Information sent to cloud provider is encrypted in transit | Low | High | Low | No additional control necessary |
| Weak password protections for cloud services | Unauthorized person is able to obtain access to information by guessing a password | Adversarial insider or outsider | Vendor default password and no administrative password policy | Moderate | High | Moderate | Turn on vendor feature requiring strong passwords and implement policy prohibiting weak password practices |
| Unlimited password attempts for cloud services | Unauthorized person uses automated attack to obtain passwords | Adversarial outsider (e.g., hacker) | Vendor default does not limit password attempts | Moderate | High | Moderate | Turn on vendor feature limiting failed login attempts |
| Social engineering attempt to obtain password to cloud services | Unauthorized person obtains password by posing as insider (e.g., IT department) | Adversarial outsider (e.g., hacker) | None | Moderate | High | Moderate | Institute policy and provide training that users may not share passwords with others, including IT department |
| Password to cloud services is written down and available to unauthorized persons | Unauthorized person obtains copy of written password to cloud services | Adversarial insider or outsider | None | Moderate | High | Moderate | Institute policy and provide training that users may not write down passwords and leave unattended |
| Download of cloud information | Authorized user downloads local copy of information from cloud onto unsecure device, which is lost or stolen | Users | None | High | High | High | Determine appropriate download policy (e.g. information may only be downloaded in limited circumstances and only to properly secured devices) |
| Corruption during transit | Information is partial or incorrect (e.g. due to packet loss), resulting in patient safety concerns due to incomplete medical information | Accidental | Software application checks integrity of transmitted data | Very Low | High | Low | No additional control necessary |
| Service outage at cloud provider | Lack of access to information, potentially including electronic health records and billing information | Accidental or environmental | None | Moderate | High | Moderate | Evaluate business continuity and disaster recovery options (e.g. from cloud provider or through on-premise recovery) and implement and test appropriate solution. |
| Service outage at local internet service provider | Lack of access to information, potentially including electronic health records and billing information | Accidental or environmental | None | High | High | High | Maintain reasonably current local backup of critical information and test ability to recover information |
| Loss of local power | Lack of access to information, potentially including electronic health records and billing information | Environmental | None | High | High | High | Maintain backup generator for powering critical IT systems and use local backup |

Definitions of Key Terms: Likelihood, Impact, Risk

Risk
The determination of risk for a particular threat / vulnerability pair is a function of:
1) The likelihood of a given threat-source’s attempting to exercise a given vulnerability
2) The magnitude of the impact should a threat-source successfully exercise the vulnerability
3) The adequacy of planned or existing security controls for reducing or eliminating risk

The following matrix demonstrates how risk is calculated based on the impact and likelihood scores

Likelihood

Likelihood is an indication of the probability that a potential vulnerability may be exercised given the threat
environment.
Consider the following factors:
1) Threat-source motivation and capability
2) Nature of the vulnerability
3) Existence and effectiveness of current or planned controls

| Likelihood Level | Likelihood Definition (Anticipated frequency of occurrence is:) |
|---|---|
| Very High | Error, accident, or act of nature is almost certain to occur; or occurs more than 100 times a year. |
| High | Error, accident, or act of nature is highly likely to occur; or occurs between 10-100 times a year. |
| Moderate | Error, accident, or act of nature is somewhat likely to occur; or occurs between 1-10 times a year. |
| Low | Error, accident, or act of nature is unlikely to occur; or occurs less than once a year, but more than once every 10 years. |
| Very Low | Error, accident, or act of nature is highly unlikely to occur; or occurs less than once every 10 years. |
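
The scoring described under Risk and Likelihood above, as an added example that is not part of the original worksheet: it maps an anticipated yearly frequency to a likelihood level, combines likelihood and impact into a risk level, and flags register rows whose recorded level disagrees. The combination matrix is an assumption taken from NIST SP 800-30 Rev. 1, Table I-2 (the worksheet's own matrix is not reproduced on this page); the function names, the boundary handling, and the last sample row are constructed for illustration.

```python
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Assumption: matrix from NIST SP 800-30 Rev. 1, Table I-2 (not shown on the page).
# Key = likelihood, list position = impact in LEVELS order.
RISK_MATRIX = {
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
}

def likelihood_from_frequency(events_per_year):
    # Thresholds follow the worksheet's likelihood table. Assumption: where a
    # boundary is left open (exactly 10 or 0.1 per year) the higher level is used.
    if events_per_year < 0:
        raise ValueError("frequency cannot be negative")
    if events_per_year > 100:
        return "Very High"
    if events_per_year >= 10:
        return "High"
    if events_per_year >= 1:
        return "Moderate"
    if events_per_year >= 0.1:
        return "Low"
    return "Very Low"

def risk_level(likelihood, impact):
    if likelihood not in RISK_MATRIX or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r} / {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]

def audit_register(rows):
    # Return (name, recorded, expected) for rows whose recorded risk differs.
    return [(name, recorded, risk_level(lik, imp))
            for name, lik, imp, recorded in rows
            if recorded != risk_level(lik, imp)]

# First four rows are from the worksheet's register; the last is constructed.
SAMPLE_ROWS = [
    ("Unauthorized access during transmission to cloud provider", "Low", "High", "Low"),
    ("Corruption during transit", "Very Low", "High", "Low"),
    ("Weak password protections for cloud services", "Moderate", "High", "Moderate"),
    ("Download of cloud information", "High", "High", "High"),
    ("Constructed mis-scored row", "Low", "Very High", "Low"),
]

if __name__ == "__main__":
    print(audit_register(SAMPLE_ROWS))
```
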

Impact
The level of impact from a threat event is the magnitude of harm that can be expected to result
from the unauthorized disclosure, modification, disruption, destruction, or loss of information
and/or denial of service. Such adverse impact, and hence harm, can be experienced by a variety of
organizational and non-organizational stakeholders including, for example, heads of agencies,
mission and business owners, information owners/stewards, mission/business process owners,
information system owners, or individuals/groups in the public or private sectors relying on the
organization—in essence, anyone with a vested interest in the organization’s operations, assets, or
individuals, including other organizations in partnership with the organization, or the Nation (for critical
infrastructure-related considerations)

The following are adverse impacts that should be considered when scoring:

Type of Impact / Impact

Harm to Operations
> Inability to perform current missions/business functions.
  > In a sufficiently timely manner.
  > With sufficient confidence and/or correctness.
  > Within planned resource constraints.
> Inability, or limited ability, to perform missions/business functions in the future.
  > Inability to restore missions/business functions.
  > In a sufficiently timely manner.
  > With sufficient confidence and/or correctness.
  > Within planned resource constraints.
> Harms (e.g., financial costs, sanctions) due to noncompliance.
  > With applicable laws or regulations.
  > With contractual requirements or other requirements in other binding agreements.
> Direct financial costs.
> Relational harms.
  > Damage to trust relationships.
  > Damage to image or reputation (and hence future or potential trust relationships).

Harm to Assets
> Damage to or loss of physical facilities.
> Damage to or loss of information systems or networks.
> Damage to or loss of information technology or equipment.
> Damage to or loss of component parts or supplies.
> Damage to or loss of information assets.
> Loss of intellectual property.

Harm to Individuals
> Identity theft.
> Loss of Personally Identifiable Information [or Protected Health Information].
> Injury or loss of life.
> Damage to image or reputation.
> Physical or psychological mistreatment.

Harm to Other Organizations
> Harms (e.g., financial costs, sanctions) due to noncompliance.
  > With applicable laws or regulations.
  > With contractual requirements or other requirements in other binding agreements.
> Direct financial costs.
> Relational harms.
  > Damage to trust relationships.
  > Damage to reputation (and hence future or potential trust relationships).

Harm to the Nation
> Damage to or incapacitation of a critical infrastructure sector.
> Loss of government continuity of operations.
> Relational harms.
  > Damage to trust relationships with other governments or with nongovernmental entities.
  > Damage to national reputation (and hence future or potential trust relationships).
> Damage to current or future ability to achieve national objectives.

| Magnitude of Impact | Impact Definition |
|---|---|
| Very High | The threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, organizational assets, individuals, other organizations, or the Nation. |
| High | The threat event could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A severe or catastrophic adverse effect means that, for example, the threat event might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries. |
| Moderate | The threat event could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A serious adverse effect means that, for example, the threat event might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries. |
| Low | The threat event could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A limited adverse effect means that, for example, the threat event might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals. |
| Very Low | No significant impact. The threat event could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. |

Note: These definitions are taken from NIST Special Publication 800-30 Revision 1, Initial Public
Draft, Guide for Conducting Risk Assessments, September 2011, p 9-10, and appendices G-3, H-2,
I-3. Some content is from NIST Special Publication 800-30, Risk Management Guide for
Information Technology Systems, July 2002
