Risk Analysis Template 26
Date:
Unit:
Contact (name and email):
Purpose:
This template provides an approach for assessing risk to Electronic Protected Health Information (ePHI) in your department. This template is based on:
Office for Civil Rights (“OCR”) HIPAA Security Standards: Guidance on Risk Analysis Requirements under the HIPAA Security Rule - http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
Dept. of Health and Human Services (HHS) HIPAA Security Series: Basics of Risk Analysis and Risk Management - http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf
UCSC's Practices for HIPAA Security Rule Compliance: http://its.ucsc.edu/policies/hipaa-practices.html
Each UCSC unit that works with ePHI is required to complete a risk analysis for that data. This template is a suggested way to complete that risk
analysis and begin the process of risk management. Completed risk analyses are to be maintained by the unit and also submitted to the campus
HIPAA Security Official for review.
Disclaimer:
This template has been developed for UCSC HIPAA entities as a tool in the process of analyzing and documenting risk to ePHI, as required
under HIPAA. It is based on industry best practice, and has been targeted for our environment. UCSC makes no guarantee of compliance based
on completion of this form.
Any data collected as a result of using this template, including the completed analysis itself, should be considered sensitive and confidential and must be safeguarded as such.
Please direct questions to the office of the campus HIPAA Security Official: itpolicy@ucsc.edu
Inventory:
Identify where ePHI is created, stored, received, or transmitted. This includes identifying external sources of ePHI, such as vendors or
consultants who create, receive, maintain or transmit ePHI. Also indicate whether there is a documented process for updating the inventory.
Access:
Identify who can access ePHI (intentional and risk of unintentional). Identification by role is acceptable.
Definitions:
Risk Levels:
Instructions:
1. Assess whether each security concern in the matrix below applies to your unit or not. For items that aren't applicable, indicate N/A and a
reason. Leave everything else blank for the N/A items.
3. Add any unit-specific security concerns in the available boxes at the end.
Risk Matrix
Each row below is one security concern, with these columns to complete: Security Concern/Threat/Vulnerability; Existing Mitigations/Controls (possible controls/suggestions are listed with each concern; * = part of UCSC’s Minimum Network Connectivity Requirements); Maturity Level (0-5) for each Mitigation; Likelihood, Impact, and Risk (each High/Med/Low); Next Steps: Identified Action Items and Owners; Effort/Cost to Mitigate Risk (High/Med/Low).
1. [System] Data accessed or corrupted by hacker through exploiting OS or application/database weaknesses.
Possible controls/suggestions:
1. Are patches current?*
2. Have default passwords been changed?
3. Are unnecessary services disabled?*
4. Are firewalls installed/enabled?*
5. Is access to databases/applications technically limited based on IP address, domain, or VPN?
6. Are proper software development/coding practices used for in-house apps?
7. Is a host-based intrusion detection/prevention system (HIDS/HIPS)¹ used?
8. Are DB/file access monitoring/alerting applications used (e.g. Imperva, IBM Guardium, etc.)?
9. Is printer software kept up to date?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
¹ Host-based intrusion detection/prevention system (HIDS/HIPS): host-based intrusion detection system (HIDS) / host-based intrusion prevention system (HIPS). These are software packages installed on a host system that detect attacks against the host and take action against such attacks, such as tuning host-based firewall rules to shunt/block attacking IPs. Tools such as BlackICE Defender, Verisys, Tripwire, and OSSEC (which is what IT Security uses) would be considered HIDS/HIPS apps.
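The footnote describes host-based intrusion detection in general terms. The following added example (not code from the UCSC template or from any of the products it names) shows the core check that file-integrity HIDS tools such as Tripwire and OSSEC perform: baseline each file's hash, size and permission bits, then report files that were added, removed or changed. All paths and file contents are constructed inside temporary directories, so it runs anywhere without touching a real host.

```python
"""Added example: the file-integrity check at the heart of a HIDS.

Not code from the UCSC template or from Tripwire/OSSEC; it illustrates the
baseline-and-compare technique those tools implement, using constructed
files in temporary directories.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

TRACKED = ("sha256", "size", "mode")  # attributes kept in the baseline


def file_fingerprint(path: Path) -> dict:
    """Hash the file in chunks and record its size and permission bits."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by POSIX relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = file_fingerprint(p)
    return baseline


def compare(baseline: dict, root: Path) -> dict:
    """Report files added, removed, or modified since the baseline.

    'modified' maps each path to the attributes that changed, so a reviewer
    can tell an edited config (sha256, size) from a permission change (mode).
    """
    current = build_baseline(root)
    modified = {}
    for rel in sorted(set(current) & set(baseline)):
        changed = [k for k in TRACKED if current[rel][k] != baseline[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": modified}


def save_baseline(baseline: dict, store: Path) -> None:
    # In production the store belongs on read-only or off-host media;
    # otherwise an intruder can simply re-baseline after tampering.
    store.write_text(json.dumps(baseline, indent=1))


def load_baseline(store: Path) -> dict:
    return json.loads(store.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small host tree, simulate the changes
    a HIDS should catch, and return the comparison report."""
    with tempfile.TemporaryDirectory() as host, tempfile.TemporaryDirectory() as vault:
        root = Path(host)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=localhost\n")
        (root / "etc" / "server.key").write_bytes(b"CONSTRUCTED-KEY-MATERIAL")
        os.chmod(root / "etc" / "server.key", 0o600)
        (root / "bin" / "daemon").write_bytes(b"\x7fELF constructed binary")
        (root / "audit.log").write_text("startup ok\n")

        store = Path(vault) / "baseline.json"  # kept outside the monitored tree
        save_baseline(build_baseline(root), store)

        # Simulated tampering after the baseline was taken (constructed)
        (root / "etc" / "app.conf").write_text("db_host=localhost\ndebug=true\n")
        os.chmod(root / "etc" / "server.key", 0o666)          # key left world-readable
        (root / "bin" / "helper").write_bytes(b"unexpected")  # dropped executable
        (root / "audit.log").unlink()                         # log removed

        return compare(load_baseline(store), root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```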
2. [System/Human] Disclosure due to unauthorized account access (shared, stolen, hacked, phished credentials).
Possible controls/suggestions:
1. Does the server have anti-phishing controls?
2. Is instant messaging (IM) controlled?
3. Are users educated about IM & email safety, phishing, phone scams, other social engineering, password policy?
4. Are individuals issued unique accounts for access to ePHI?
5. Are strong passwords technically enforced where possible?
6. Are apps set not to remember passwords?
7. Is anti-virus/anti-malware current?*
8. Is installation of unauthorized applications disallowed (technically or procedurally)?
9. Are session timeouts/screen locking administratively and technically enforced – including for workstations with shared or generic logins, if any?*
10. Is HIDS/HIPS¹ used?
11. Are authentication systems periodically tested and upgraded when upgrades are available?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
3. [System] Data loss, disclosure, or inability to access data due to malware. Includes remote access by a hacker due to malware.
Possible controls/suggestions:
1. Is anti-virus/anti-malware current?*
2. Is more than one anti-virus being run?
3. Are patches current?*
4. Is web surfing to known malware sites blocked technically?
5. Are appropriate and inappropriate uses of workstations, including shared-access workstations, defined?
6. Is installation of unauthorized applications disallowed (technically or procedurally)?
7. Is user education in place?
8. Are browser security standards implemented?
9. Have default logins/passwords been changed or removed?
10. Are unnecessary services disabled?*
11. Have proper file/directory ownership/permissions been set?
12. Is email malicious code filtering implemented?
13. Are firewalls installed/enabled?*
14. Are periodic network vulnerability scans performed?
15. Is HIDS/HIPS¹ used?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
Template Rev. 12/19/13 Page 10 of 33 itpolicy@ucsc.edu
UCSC HIPAA Security Rule Risk Analysis
4. [System/Human] Disclosure or data loss due to application or OS weaknesses introduced by users on workstations/laptops/portable devices/electronic media.
Possible controls/suggestions:
1. Are patches current?*
2. Is anti-virus/anti-malware current?*
3. Is education about safe computing practices in place?
4. Is web surfing to known malware sites blocked technically?
5. Is installation of unauthorized applications disallowed (technically or procedurally)?
6. Are users set not to run as admin?
7. Are appropriate controls in place to restrict remote system access, or is remote access disabled?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
5. [System] Unauthorized access to a system via 0-day exploit.
Possible controls/suggestions:
1. Is anti-virus/anti-malware current?*
2. Is access to databases/applications technically limited based on IP address, domain, or VPN?
3. Are users set not to run as admin?
4. Is HIDS/HIPS¹ used?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
6. [System] Disclosure due to theft of workstation/laptop/portable device/electronic media.
Possible controls/suggestions:
1. Is stored ePHI encrypted?
2. Are workstations and laptops containing ePHI physically secured?*
3. Is ePHI not stored on portable devices?
4. Are portable devices and electronic media containing ePHI physically secured when unattended?*
5. Is there a policy against leaving portable devices containing ePHI in vehicles?
6. Are systems and electronic media containing ePHI in physically secure locations?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
7. [System] Disclosure due to physical access of a workstation/laptop/portable device/electronic media (use, not theft).
Possible controls/suggestions:
1. Are applications configured not to remember passwords?
2. Are screen locks or session timeouts in place – including for workstations with shared or generic logins, if any?*
3. Is ePHI not stored?
4. Is stored ePHI encrypted?
5. Are strong passwords required to access system or resume session?*
6. Is installation of unauthorized applications disallowed technically?
7. Do typical users not have admin access?
8. Are workstations and other devices containing ePHI housed in physically secure facilities?
9. Are workstations and other devices that may display ePHI positioned to only allow viewing by authorized individuals?
10. Are workstations physically restricted to limit access to only authorized personnel?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
8. [System] Disclosure due to storage of ePHI on non-University devices.
Possible controls/suggestions:
1. Is ePHI not stored on non-University equipment (except by a third party with a HIPAA BAA)?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
9. [System] Disclosure/unauthorized access due to inadequate security controls on non-University workstations/laptops/portable devices/electronic media used for remote access of ePHI.
Possible controls/suggestions:
1. Is management approval required for accessing ePHI from a non-University device?
2. Are all required HIPAA protections applied to non-University devices used to remotely access ePHI, and are they verified periodically?
3. Are non-University devices used to remotely access ePHI not shared with others, including family members?
4. Are procedures in place to log out of programs and remove all viewable ePHI before leaving the device unattended?
5. Are non-University devices configured not to save passwords that provide access to ePHI?
6. Is ePHI never accessed from a public, non-University device?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
10. [Network] Disclosure due to an attacker re-routing network traffic to their system (ARP spoofing / man-in-the-middle attack).
Possible controls/suggestions:
1. Are switches hardened? (This is a question for ITS.)
2. Is all traffic encrypted, including remote access?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
13. [System] Disclosure due to software keylogger.
Possible controls/suggestions:
1. Is anti-virus/anti-malware current?*
2. Is user education in place?
3. Is web surfing to known malware sites blocked technically?
4. Is installation of unauthorized applications disallowed (technically or procedurally)?
5. Is HIDS/HIPS¹ used?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
14. [Network] Unauthorized device on network used to capture traffic or credentials.
Possible controls/suggestions:
1. Is all traffic encrypted, including remote access?
2. Are there port based restrictions on who/what can connect to network? (This is a question for ITS.)
3. Is Network Access Control/Protection (NAC/NAP) implemented? (This technically enforces requiring host systems to meet a specified security standard before being granted full network access.)
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
15. [System] Unauthorized access through modem connection from a networked PC.
Possible controls/suggestions:
1. Is there a policy against installing unapproved modems?
2. Are computers regularly examined for foreign devices?
3. Is auto-answer disabled on modems?
4. Does the modem application require authentication when answering?
5. Are strong passwords used for modem access, and have default passwords been changed?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
16. [Human] Unauthorized access to workstation/laptop or application/database/server/media by former employees, employees on leave or disability, employees whose job duties no longer include authorized access to ePHI; includes data corruption by these employees.
Possible controls/suggestions:
1. Are accounts & access terminated or disabled ASAP upon separation or leave, including security codes & admin access?
2. Are passwords to shared accounts changed?
3. Are shared or generic accounts known and documented?
4. Are passwords to shared or generic accounts/logins changed when someone leaves the group?
5. Are keys/access cards collected, lock codes cancelled, and shared codes changed?
6. Is log monitoring proactive?
7. Is a Data Loss Protection (DLP) system implemented (to identify sensitive cleartext information leaving the network)?
8. Is HIDS/HIPS¹ used?
9. Are DB/file access monitoring/alerting applications used (e.g. Imperva, IBM Guardium, etc.)?
10. Is there a periodic review of individuals with accounts/codes/keys that provide access to ePHI or to secure facilities that house ePHI?
11. Are there separate procedures for
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
17. [Human] Unauthorized access to or corruption of data by authorized employees.
Possible controls/suggestions:
1. Is log monitoring proactive?
2. Are employees educated about appropriate and inappropriate access?
3. Is a DLP system implemented? (see above)
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
18. [Environmental] Data loss or data access loss due to non-Data Center SHS, SHR, or County Health server(s) outage by failure or environmental causes.
Possible controls/suggestions:
1. Is data backed up regularly?
2. Is there spare hardware?
3. Are data recovery procedures documented?
4. Are data restoration procedures tested periodically?
5. Are there backups and redundant systems in an alternate location?
6. Are UPSs & UPS alerts in place?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
19. [Environmental] Data loss or data access loss due to Data Center server(s) outage by failure or environmental causes.
Possible controls/suggestions:
1. Is data backed up regularly?
2. Is there spare hardware?
3. Are data recovery procedures documented?
4. Are data restoration procedures tested periodically?
5. Are there backups and redundant systems in an alternate location?
6. Are UPSs & UPS alerts in place?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
20. [Environmental] Data access loss due to SHS, SHR, Fire Dept building closure.
Possible controls/suggestions:
1. Is data backed up regularly?
2. Are there backups and redundant systems in an alternate location?
3. Are alternate work or data access procedures documented?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
21. [Environmental] Data access loss due to Data Center building closure.
Possible controls/suggestions:
1. Is data backed up regularly?
2. Are there backups and redundant systems in an alternate location?
3. Can Data Center systems be administered remotely?
4. Are alternate work or data access procedures documented?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
22. [Human] Data loss or data access loss due to non-Data Center SHS, SHR, or County Health server(s) failure from physical sabotage.
Possible controls/suggestions:
1. Are physical access controls in place?
2. Is data backed up regularly?
3. Is there spare hardware?
4. Are there backups and redundant systems in an alternate location?
5. Are alternate work or data access procedures documented?
6. Are data restoration procedures tested periodically?
7. Are UPSs & UPS alerts in place?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
23. [Human] Data loss or data access loss due to Data Center server(s) failure from physical sabotage.
Possible controls/suggestions:
1. Are physical access controls in place?
2. Is data backed up regularly?
3. Is there spare hardware?
4. Are there backups and redundant systems in an alternate location?
5. Are alternate work or data access procedures documented?
6. Are data restoration procedures tested periodically?
7. Are UPSs & UPS alerts in place?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
24. [Network] Data access loss due to network interruption from a hacker/virus/worm exploiting network insecurities.
Possible controls/suggestions:
1. Is there spare hardware?
2. Are data recovery procedures documented?
3. Are data restoration procedures tested periodically?
4. Are there backups and redundant systems in an alternate location?
5. Are alternate work or data access procedures documented?
6. Are UPSs & UPS alerts in place?
7. Are there redundant pathways w/automatic switching? (This is a question for ITS.)
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
25. [Network] Data access loss due to network interruption from environmental factors or sabotage.
Possible controls/suggestions:
1. Is there spare hardware?
2. Are data recovery procedures documented?
3. Are data restoration procedures tested periodically?
4. Are there backups and redundant systems in an alternate location?
5. Are alternate work or data access procedures documented?
6. Are UPSs & UPS alerts in place?
7. Are there redundant pathways w/automatic switching? (This is a question for ITS.)
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
26. [Human] Disclosure due to inadvertent transmission of data (includes misdirected data transmissions).
Possible controls/suggestions:
1. Is education in place?
2. Is automatic monitoring and blocking in place for unencrypted traffic?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
27. [Human] Disclosure due to intentional transmission of data (malicious or out of ignorance).
Possible controls/suggestions:
1. Is education in place?
2. Is automatic monitoring and blocking in place for unencrypted traffic?
3. Are background checks performed?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
28. [Human] Disclosure due to email being hijacked or stolen by hackers.
Possible controls/suggestions:
1. Is all emailed ePHI encrypted?
2. Is ePHI never sent via email?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
29. [Human] Disclosure due to printing to unintended printer, faxing to unintended fax machine, emailing to unintended recipient, leaving material in copy machine, misaddressed paper mail.
Possible controls/suggestions:
1. Is education to double-check prior to sending in place?
2. Are procedures in place to confirm receipt of documents?
3. Are available printers limited?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
30. [Human] Disclosure due to authorized employee lack of knowledge regarding ePHI security requirements.
Possible controls/suggestions:
1. Does everyone receive HIPAA training prior to obtaining access to ePHI?
2. Does training include UCSC Password Standards and the importance of protecting against malicious software and exploitation of vulnerabilities?
3. Are there periodic training updates and reminders?
4. Are there periodic tests for understanding of HIPAA security requirements?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
31. [Human] Delay in detection of disclosure due to improper or lack of incident reporting.
Possible controls/suggestions:
1. Do HIPAA training and training updates include incident response and reporting procedures?
2. Are there periodic tests for understanding of HIPAA incident response and reporting procedures?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
32. [System] Disclosure due to improper disposal of equipment.
Possible controls/suggestions:
1. Is education in place?
2. Are procedures to destroy or securely wipe prior to disposal, re-use, or return to vendor, including for copiers, faxes, printers, etc., documented?
3. Does management verify that disposal policies are being carried out (e.g. spot checks that devices have been wiped)?
4. Is stored ePHI encrypted, including on copiers, faxes, printers, etc.?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
33. [System] Loss of access to External Service Provider from a system failure on the remote end.
Possible controls/suggestions:
1. Are alternate work procedures documented?
2. Are troubleshooting procedures with external service provider documented?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
34. [Network] Loss of access to External Service Provider system from a connection failure caused by hacker, virus or worm, or network outage.
Possible controls/suggestions:
1. Are alternate work procedures documented?
2. Are troubleshooting procedures with external service provider documented?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
36. [System] Disclosure or lack of availability due to an inadequate data backup and recovery plan.
Possible controls/suggestions:
1. Is the data backup and recovery plan for all original sources of essential ePHI documented and implemented, including restoration priorities?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
37. [Human] Disclosure due to improper handling of backups containing ePHI.
Possible controls/suggestions:
1. Are backups containing ePHI stored securely?
2. Are backups stored temporarily before transporting to a permanent facility stored in a secure manner?
3. Is the method of transportation of backups, if any, secure?
4. Do only authorized, HIPAA-trained personnel handle backups containing ePHI?
5. Is a HIPAA BAA in place for all non-UC offsite storage?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
38. [Human] Disclosure due to inadequate tracking of the movements of hardware and electronic media containing ePHI.
Possible controls/suggestions:
1. Are movements of hardware and electronic media containing ePHI formally tracked?
2. Is hardware and electronic media containing ePHI transported by secure methods and authorized personnel only?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
39. [System] Lack of discovery of disclosure or unauthorized data modification/destruction due to inadequate information system activity review/log monitoring.
Possible controls/suggestions:
1. Is there proactive log review/monitoring, including of activities performed with elevated privileges or by authorized users?
2. If there is shared or generic access to a workstation, are other controls in place to tie activity on the workstation to an individual?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
42. [Servers] Disclosure due to physical access to servers (to pull data, mirror drive, install a malicious device).
Possible controls/suggestions:
1. Are systems and electronic media containing ePHI in physically secure locations with physical access controls?*
2. Are there technical access controls?
3. Is ePHI stored on servers encrypted?
4. Are unauthorized apps technically disallowed on servers?
5. Is periodic visual inspection of servers performed?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
43. [Servers] Disclosure or data corruption due to server OS or application weaknesses or malware on servers.
Possible controls/suggestions:
1. Is OS & application patching current?*
2. Are unnecessary services disabled on servers?*
3. Is anti-virus on Windows servers current?*
4. Are there physical access controls?
5. Are there technical access controls?
6. Do sessions time out?*
7. Is installation of unauthorized applications disallowed (technically or procedurally)?
8. Are all default passwords changed?
9. Are strong passwords required to access system or resume session?*
10. Are authentication systems periodically tested and upgraded when upgrades are available?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
44. [Servers] Disclosure, loss of data access or data corruption due to corrupt admins.
Possible controls/suggestions:
1. Are background checks performed?
2. Is access limited to the least necessary to perform job functions?
3. Is there separation of duties wherever possible?
4. Is there proactive log review/monitoring, including of activities performed with elevated privileges?
5. Is stored and transmitted data (ePHI) encrypted?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
45. [Servers] Disclosure due to use of stored passwords.
Possible controls/suggestions:
1. Are stored passwords encrypted?
2. Are there physical access controls?
3. Are session timeouts/screen locking in place?*
4. Is a master password used for access to any stored passwords?
5. Is a “password vault” used?
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
46. Unit-Specific Risk #1
Security Concern/Threat/Vulnerability:
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
47. Unit-Specific Risk #2
Security Concern/Threat/Vulnerability:
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
48. Unit-Specific Risk #3
Security Concern/Threat/Vulnerability:
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
49. Unit-Specific Risk #4
Security Concern/Threat/Vulnerability:
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]
50. Unit-Specific Risk #5
Security Concern/Threat/Vulnerability:
Existing Mitigations/Controls and Maturity Level (0-5) for each:
Likelihood / Impact / Risk (High/Med/Low each):
Next Steps (Identified Action Items and Owners):
Effort/Cost to Mitigate Risk: HML/HML
Summary: [Is residual risk accepted?]