Professional Documents
Culture Documents
Hipaa Gap Analysis 13
Hipaa Gap Analysis 13
Hipaa Gap Analysis 13
Challenge
04
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
20
T. Brian Granier
te
tu
sti
In
NS
SA
©
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
Abstract ................................................................................................................ 3
Part 1: Methodology and Process ........................................................................ 4
Business Structure............................................................................................ 4
Target Client Base ............................................................................................ 4
General Methodology ....................................................................................... 4
GIAC Enterprises.............................................................................................. 6
Part 2: Proposal and Pitch.................................................................................... 7
s.
Proposal ........................................................................................................... 7
ht
Cover Letter/Executive Summary.................................................................. 7
Proposal/Scope of Work ............................................................................... 8
rig
Pitch................................................................................................................ 11
Part 3: Project Performance ............................................................................... 12
ll
fu
Project Plan .................................................................................................... 12
Overview ..................................................................................................... 12
ins
Objectives ................................................................................................... 12
Phase I........................................................................................................ 14
eta
Phase II....................................................................................................... 16
Phase III...................................................................................................... 18
rr
Budget Details –Estimate........................................................................... 20
ho
Meeting/Interview Facilitation ......................................................................... 21
Introduction ................................................................................................. 21
ut
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Potential Pitfalls .............................................................................................. 24
20
Section A ........................................................................................................ 26
tu
Summary of Results.................................................................................... 27
Administrative Safeguards: Details ............................................................. 29
In
References......................................................................................................... 49
©
2
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
Abstract
This practical is written for the GIAC GCSC v 1.0 practical assignment. This
covers the lifecycle of a single engagement for a HIPAA Security Rule Gap
Analysis. GIAC Enterprises is a small clinic that is contracting with Circron
Consulting to perform the Gap Analysis and provide a remediation plan. This
paper will provide a basic explanation of the two organizations, the scope of work
and sales methodology. Next, is information about completing the project,
including a more detailed project plan, sample questions, and potential pitfalls.
s.
Finally, a sample deliverable is provided.
ht
ll rig
fu
ins
eta
rr
ho
ut
,A
04
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
20
te
tu
sti
In
NS
SA
©
3
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
Part 1: Methodology and Process
Business Structure
Circron Consulting Corporation is a small consulting firm based in Houston,
Texas consisting of two highly trained consultants, three moderately skilled
general technicians and an administrative person that provides accounting, sales
and management responsibilities. Established in 1995, Circron has found a niche
s.
market in consulting to legal and medical clientele with a focus on medium to
ht
small practices. Typical services include complete management of server
rig
systems such as email, antivirus, firewalls, file servers and business critical
application servers. The founding lead consultant has 12 years of experience
with primary strengths in networking, IT security, Microsoft products and four
ll
fu
years of experience focusing on HIPAA compliance. The second lead consultant
has 20 years of experience with primary strengths in UNIX administration, web
ins
development, and technical infrastructure design and is currently a certified
Paralegal in Texas. The administrative lead spent the majority of her career
eta
selling DEC and later Compaq mainframe systems to large oil firms. The
rr
technicians provide standard services and support as directed by the two lead
consultants and are responsible for ongoing maintenance. One of the technicians
ho
previously worked as a nurse for a large hospital before changing careers and
joining Circron three years ago. Circron was originally an LLC, but growth needs
ut
Texas has limited the additional costs associated with this change in status due
to lack of state taxes.
04
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
20
focused on growing their medical business. With HIPAA legislation, there has
tu
medium companies that are targeted by Circron. The administrative lead has
In
under HIPAA legislation. The smallest customer in this target market is a five-
employee dentist office and the largest is a 500-employee third party
SA
administrator.
©
General Methodology
Circron distinguishes itself from competitors through involvement in the industry
and certification programs. Employees are encouraged to pursue certifications on
their own time through a bonus incentive program. A company library of technical
books is provided to all employees and new books are purchased, within reason,
upon request. If an employee is able to find a way to pay for a certification class,
whether through volunteering at SANS, from their own money or other methods,
they are granted the time to do the class and Circron will provide airfare, hotel
4
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
and a daily stipend to adequately cover travel expenses once per year. This offer
is dependant upon scheduling in advance in order to manage the timing of
projects with clients. Certification exams are covered by Circron, provided that
the test is passed. All technical personnel are tasked with writing a published
article or book review for at least one trade magazine each year with an incentive
program to reward employees who publish more than three articles in a year.
s.
AMIA and the Houston Bar Association. Other professional organizations can be
ht
substituted, but it must be submitted for review and approval. The goal is to
rig
cover memberships with a representative sample of legal, medical, computing
and IT security. The networking that is established in these associations is used
ll
as the primary source from which leads are taken. Employees are trained by the
fu
administrative lead on how to network and to identify potential opportunities.
ins
Circron pays membership dues and meeting fees. To encourage the sales role
that employees take as they participate in these organizations, commissions are
eta
awarded to any employee that identifies a successful opportunity to the
administrative lead. rr
ho
While a substantial amount of revenue is generated from one-time projects, the
focus remains on signing support agreements with three or more year terms in
ut
of all one-time projects end with some type of ongoing support agreement that
prov idesamont hl
ysour ceofr ev enue,howeversmal l.Thispr ov i
dest he“ br ead
04
Key t
er”t hathel
fingerprint
and but = psCi
AF19 r
FA27cr
ontosur
2F94 vi
998Dvewhent
FDB5 hel
DE3D argerpr
F8B5 oj
06E4ectsar
A169el i
ght
4E46 .
20
Technical employees are paid a base salary plus bonuses from the above
incentive programs. Additional overtime and holiday pay is given as the situation
te
warrants. The administrative lead generates the vast majority of her salary from
tu
commissions, but is also given a small base salary to cover the non-sales
functions that she fulfills.
sti
In
Circron has established a partner relationship with one of its longest standing
clients. This partnership is with a law firm who is familiar with regulatory
NS
compliance needs. Circron barters its services in exchange for meeting the
SA
technical needs of the law office. In exchange, Circron receives legal counsel
and other required legal work, such as contract reviews. This partnership is
predominantly leveraged with regards to HIPAA related projects as Circron refers
©
any necessary legal work and often receives referrals to perform technical work
towards HIPAA compliance. It is clear that this relationship produces a potential
environment for a conflict of interest if legal issues arise between Circron and a
mutual client with the partnered law firm. However, this has been more beneficial
than damaging as the partner has been called in as a mutually trusted third party
arbiter; hence producing expedient and low impact resolution to conflicts.
5
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
GIAC Enterprises
GIAC Enterprises is a small family practice clinic consisting for three doctors, six
nurses and one assistant who schedules appointments, manages the computers,
maintains records and maintains supplies. They are currently located in a single
office park, but have plans of expanding to a second location with three years.
s.
Security Rule, which unquestionably applies to them. Their infrastructure consists
ht
of a claim transaction system, medical records database, scheduling application
and accounting software. Therear ethreenur ses’wor kstationsf orr ecords
rig
access, a Nokia IP40 firewall with permanent Internet connection, wireless tablet
PCs used by the doctors, a system dedicated for the office assistant and two
ll
fu
servers (one running Unix and the other a Windows 2000 Server).
ins
GIAC Enterprises is seeking a GAP Analysis and remediation plan for the HIPAA
Security Rule.
eta
rr
ho
ut
,A
04
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
20
te
tu
sti
In
NS
SA
©
6
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
Part 2: Proposal and Pitch
Proposal
Cover Letter/Executive Summary
s.
ht
rig
September 14, 2004
ll
GIAC Enterprises
fu
ATTN: Mrs. Jane Receptionist
65432 Medical Row
ins
Houston, TX 77654
eta
Dear Mrs. Receptionist:
rr
This document is in follow-up to our discussion about your HIPAA Compliance needs. As
you may recall, Mr. Lawyer has been a client of Circron for six years and gave you our contact
ho
information when he provided assistance with meeting these federal regulations. We believe we are
uniquely positioned to provide the best service for this project.
ut
,A
Circron has focused a lot of effort on providing assistance to small and medium practices,
such as GIAC Enterprises, with their HIPAA compliance needs. We know that your primary business
04
is in providing care to your patients. We can help you meet the HIPAA requirements in as
Key fingerprint
economical= AF19 FA27 2F94
and expedient manner998D FDB5
as possible so DE3D
that you F8B5 06E4
can focus A169
on your 4E46
core business. Towards
20
this goal, we have managed to employ one of the co-authors of HIPAA Security Implementation Step
by Step Guide published by SANS Press, in addition to another employee who is a former nurse. We
te
have also obtained individual HIPAA certifications from two separate organizations to help ensure
that our staff is knowledgeable and capable of understanding your needs.
tu
sti
We hope that this proposal will meet your expectations. If you need adjustments made to the
project scope or to understand anything being presented, please feel free to contact me via email or
In
Sincerely,
SA
<signed by hand>
©
Circron Consulting
Keeping your business running around the clock
7
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
Proposal/Scope of Work
s.
ht
Contacts
rig
Company Name GIAC Enterprises
Customer Contact Jane Receptionist 281-555-1234 jreceptionist@giacenterprises.com
ll
Circron Account Manager Joselyn Admin 713-555-5555 jsadmin@circronconsulting.com
fu
Circron Project Lead Brian Granier 713-555-5566 bgranier@circronconsulting.com
ins
Summary
eta
SOW Creation Date 8/2/04 Project Name GE –HIPAA Gap & Rem. Plan
Estimated Billable Hours 76
rr
Start Date TBD
Offer ID GE 19022 Project Type Audit
ho
ut
Scope Definition
,A
Scope Definition Circron Consulting will perform a HIPAA Gap Analysis based specifically
against the Final Security Rule and create a remediation plan for GIAC
04
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Enterprises.
20
Scope Inclusions Circron Consulting will perform the following duties during the course of this
project:
te
business goals
Review existing policies and procedures with respect to HIPAA
sti
methods
Provide a report that clearly identifies the findings and providing
SA
Scope Exclusions Circron Consulting is not expecting to perform the following tasks within the
scope of this project:
Implement remediation plan
Provide policies or procedures to meet compliance needs
Perform Gap Analysis and remediation plan for HIPAA Privacy
Rule or HIPAA Data Transaction and Code Set Standards
Any tasks not specifically defined in this scope of work
8
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
Expectations
Customer Expectations GIAC Enterprises is expected to provide the following resources:
Make available staff for necessary interviews as specified in the
scope of work
Provide administrative access to technical infrastructure as is
required to complete the technical audit
Provide any and all policies and procedures related to this
project
Supply all hardware, software and licenses required to complete
s.
this project
ht
Circron Expectations Circron Consulting will perform the following activities:
rig
Prepare interviews with efficiency in mind to minimize the time
needed of GIAC Enterprises staff
Take precautions to avoid interfering with GIAC Enterprises
ll
normal work flow
fu
Provide knowledge transfer during the engagement
ins
eta
Project Team
Joselyn Sales Admin rr
Joselyn joins Circron from project management and sales roles with leading
oil industry firms in the Houston area. With 20 years of experience and an
ho
MBA from Rice University, she has made contacts with some of the most
influential business professionals in the Houston area. In this project, her role
ut
Brian Granier Brian is the founder of Circron Consulting. As co-author to SANS HIPAA
04
for this project is to take primary responsibility for gathering the information
tu
Nova Ustabe Nurse Nova previously worked at Large Houston Hospital as a Registered Nurse
(RN). She has been with Circron Consulting for approximately three years,
In
providing a unique perspective on how to meet the technical needs within the
medical industry. She is currently Microsoft certified and in additional to her
NS
9
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
Overview of Project Plan
Task # Description Est. hours
PHASE I: Collection of Information
1 Perform interviews of staff 12
2 Gather and review existing policies and procedures 10
3 Perform audit of technical infrastructure 12
PHASE II: Gap Analysis Creation
4 Analyze gathered information 16
5 Create Gap Analysis Report 8
s.
6 Deliver Gap Analysis in a live presentation 4
ht
PHASE III: Remediation Plan
rig
7 Discuss options to close the gaps identified in the Gap Analysis report 8
8 Assist client with making decisions on specific technologies to close gaps 4
ll
9 Document remediation plan and provide written report 2
fu
Estimated Duration 4 Weeks Estimated Hours 76 Hours
ins
eta
Cost
Item Description rr Est. Hours Unit Cost Extended Cost
Estimated Billable Hours 76 $180 $13680
ho
TOTAL $13680
ut
,A
Key
fingerprint
Quote = AF19 FA27
is valid 2F94
for 30 998D
days FDB5
from DE3D F8B5 06E4 A169 4E46
delivery
20
and a half
tu
the estimated quote before any work begins. An additional 15% will be
due upon completion of Phase I. An additional 15% will be due upon
In
completion of Phase II. The remainder of the final amount due will be
payable immediately upon completion of Phase III.
NS
This Scope of Work will be billed on a time and materials basis. While
SA
every effort has been made to estimate actual required work effort, it
may take more time to complete this project. Circron will discuss with
©
the client immediately if there is concern that the estimated hours will
be exceeded to reach a mutual understanding on how to proceed.
_____________________________ Date:_____
Circron Consulting Signature
10
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
Pitch
At first, it might seem strange that the proposal is addressed to the receptionist
role position. However, this person is the decision maker for this proposal and is
the primary contact as well. She also serves functionally as the office manager
and fulfills technical duties for GIAC Enterprises. From conversations with the
customer and with Mr. Lawyer, it is clear that the customer is very motivated to
move quickly and that they understand the pending April deadlines for
s.
compliance for the Security Rule. We also know that the client has budgeted
ht
approximately $15,000 for the project. Joselyn Sales Admin has established a
very strong relationship with the client and is taking a lead on closing the deal.
rig
Circron has the edge on winning this bid due to recommendations from Mr.
Lawyer who is a personal friend of the primary doctor at the clinic.
ll
fu
To help sell this deal, Joselyn will be highlighting the industry publications and
ins
certifications that the team has obtained. Specifically, she will be pushing the
SANS HIPAA Step by Step Guide that was co-authored by the lead consultant.
eta
When meeting with Jane Receptionist to deliver the proposal, she will bring a
copy of that book and give it to the potential customer. This will help provide a
rr
tangi bler emi nderoft hepr ojec tandofthel eadcons ultant
’sski l
l-set. Normally,
ho
this type of gift is given after an engagement is signed or at the end of the
project, but since there is a high expectation of winning the bid and we are trying
ut
to manage first impressions, the decision was made to take the risk of providing it
,A
up front.
04
Key
Sincefingerprint
the client= will
AF19 beFA27 2F94
looking for998D FDB5 DE3D
a remediation F8B5
plan 06E4
at the A169
very end,4E46
Circron will
20
be looking for ways to meet the compliance needs for GIAC Enterprise by
providing ongoing service to offload IT services from Jane Receptionist by more
te
help win this ongoing business, Circron is going to ensure over-deliverance and
sti
will make every effort to come in under the estimated hours for the project.
In
NS
SA
©
11
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
Part 3: Project Performance
Project Plan
Overview
The high-level project plan has been provided in the scope of work. All of the
information provided in this section is considered internal information for Circron
s.
Consulting as it involves proprietary methodology information. Please note that
ht
the hours projected on the project plan are estimates only. Circron employees
rig
will be strongly encouraged to try to complete the work in less time than allotted
without sacrificing quality. This can assist with making time for any unexpected
problems during the engagement that require more time than expected and will
ll
fu
also assist in keeping the project on target and aid in the overall objective of
having a good first impression in order to win future business.
ins
Immovable scheduled targets have been identified for Friday during each week
eta
of the engagement .Thisdat ei sselect edast hes mal lcl
inici
scl osedonFr i
day ’
s
rr
and the client has agreed to make this day generally available for conducting
meetings and interviews with GIAC Enterprises staff. This constraint has made
ho
the first Friday of the project the date for staff interviews. The second Friday is
reserved for any additional information gathering that is necessary as part of
ut
Phase I. The third Friday is reserved for the delivery of the Gap Analysis report
,A
and for working with client to explain what options are available to close the gaps
and identifying the solutions that GIAC Enterprises wants to select. The fourth
04
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Friday is scheduled for the close of the project and is the date scheduled for
20
delivery of the final Remediation plan. All of the other tasks related to this project
will be scheduled around these fixed milestones. Other days during the week will
te
between 8 and 9 am. Other time needed during the day will be on a limited basis.
sti
As a result, Circron has identified that it would be ideal to begin the project on the
first Friday.
In
NS
Objectives
SA
In order to help keep the project on target, the following objectives have been
created for internal use:
©
Phase I:
Obtain all information possible to be able to perform a thorough
analysis of GIAC Enterprises current compliance stance with regard to
the HIPAA Security Rule.
Keep the client informed of what information is being collected and why
in order to foster knowledge transfer and to ensure that the client
continues to perceive that we are staying on task.
12
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
Do not be negative about weaknesses found. Only collect the data
without judgment.
Be thorough.
Phase II:
Ensure that all identified gaps are measured against HIPAA
regulations and not necessarily against personal preference or
different best practice models.
s.
Provide actual legislation text and review all public comments on each
ht
requirement before finalizing analysis for each Implementation
Specification.
rig
Create the Gap Analysis report in a clearly organized, understandable
and professional manner.
ll
fu
Deliver on time!
ins
Phase III:
Be able to identify and discuss the pros and cons of at least three
eta
possible solutions for each problem being solved.
rr
Be prepared to give a professional opinion on which option Circron
consulting will recommend.
ho
Look for opportunities where Circron can obtain ongoing business that
won’ tcostt hecl i
entmor et hanthey’dbepay ingforal ter nat
esol uti
ons.
ut
Deliver on time!
04
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
The people who are identified with responsibilities in the following project plan
20
are as follows:
te
Peter Lead Doctor (PLD): The owner and primary practitioner at GIAC Enterprises
tu
Jane Receptionist (JR): Office Manager/Technical Lead and primary contact for GIAC Enterprises
sti
These acronyms will be used to refer to these individuals in the project plan
sections listed below.
SA
©
13
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
Phase I
For the interview process, the team member selected to interview each of the two
s.
ht
employees who will be involved in this assessment was done with an
understanding of the personalities involved. Joselyn Sales Admin has identified
rig
that Jane Receptionist is a Type D personality and will work best with direct
questions. Brian Granier is chosen to interview her, because of the two, he is
ll
better equipped to handle this personality type from past experience. Peter Lead
fu
Doctor, however, has been identified as a Type I personality. This is not
ins
surprising given the high percentage of this personality type in the medical
industry. Nova Ustabe Nurse was selected to be his interviewer because she has
eta
developed exceptional skills at handling this personality type, likely as a result of
her background as a nurse. rr
ho
For the gathering of documentation, generically speaking, Nova Ustabe Nurse
will be responsible for these task items. She is best equipped to navigate the
ut
clinic and to keep a low profile, again because of her experience as a nurse. This
,A
should help keep the client satisfied that there is minimal impact to their normal
business practices. Part of the unwritten task that will be performed is for her to
04
Key
keepfingerprint
her eyes =and
AF19 FA27
ears 2F94
open 998D
during FDB5
this DE3DtoF8B5
process 06E4
be able to A169 4E46
identify areas
20
where written policy/procedure are adhered to and where they differ from reality.
While she is predominantly gathering data related to the administrative
te
safeguards, she will also be paying attention to details associated with physical
tu
safeguards.
sti
the technical safeguards. The specific details of how to do this are not
NS
A more detailed breakout of the tasks to be performed during this portion of the
project is provided on the following page:
14
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
s.
ht
ll rig
fu
ins
eta
rr
ho
ut
,A
04
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
20
te
tu
sti
In
NS
SA
©
15
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
Phase II
This phase will mostly be performed off-site, if the client permits it. Since Circron
has performed a large number of audits, there are a number of templates and
process esthathav ebeendev elopedaspar tofCi rcr on’sintel
lect ual propertythat
makes this process very efficient.
Brian Granier is tasked with the creation of the Gap Analysis report. Since this is
s.
a relatively small client, there is not really a reason to divide this between him
ht
and Nova. By having just one author, it will be much easier to maintain
consistency of style and to ensure that all of the appropriate areas are covered.
rig
Nova Ustabe Nurse will be primarily responsible for prepared for Phase III. Since
ll
fu
the target is to be able to move directly from the Gap Analysis presentation into
working with the client to create a remediation plan that they are comfortable
ins
with, significant preparation will need to be performed in a short period of time.
Since Brian will be busy creating the Gap Analysis report, this responsibility is
eta
assigned to Nova.
rr
Note, while Jane Receptionist is the primary source of contact for this work and is
ho
the one who made the decision to hire Circron Consulting, Joselyn Sales Admin
has been able to determine that the decisions for the remediation plan creation
ut
are expected to be made by Peter Lead Doctor. With Jane Receptionist, the
,A
options would have been more pointed and the delivery would be very strong on
the recommendation side. Since Peter Lead Doctor is the target, this will be
04
Key fingerprint
intentionally = AF19 FA27
softened. 2F94and
The pros 998D FDB5
cons for DE3D F8B5 06E4
each solution willA169 4E46 along
be provided
20
likes to work in these types of situations. Circron will be prepared to make their
tu
Joselyn Sales Admin time is not billable. However, she is involved in reviewing
NS
the Gap Analysis plan as an effort to ensure the best possible first impressions
with GIAC Enterprises in order to help with getting future business. Her
SA
attendance at the Gap Analysis presentation is towards this goal as well and so
that she can be available to answer sales oriented questions during the
©
A more detailed breakout of the tasks to be performed during this portion of the
project is provided on the following page:
16
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
s.
ht
ll rig
fu
ins
eta
rr
ho
ut
,A
04
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
20
te
tu
sti
In
NS
SA
©
17
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
Phase III
Phase III will be performed in a very short period of time. Since the delivery of the
Gap Analysis will occur simultaneous with moving forward to identify the methods
to close the gaps, the preparatory work for this performed during Phase II will be
very important to the success of this Phase. To a very large extent, this portion
of a Gap Analysis/Remediation Plan has become very routine. From previous
engagements, Circron has spent a lot of time researching different solutions to
s.
meet clients HIPAA compliance needs and have rehearsed the discussions of
ht
thepr osandc onsofeachsol utiononmanyoccasi ons.Tot hisex tent,Cir
cron’
s
role is predominantly to identify possibilities and to assist the client towards
rig
making a decision to meet their budgetary and compliance concerns.
ll
fu
With respect to administrative safeguard compliance issues, Nova Ustabe Nurse
will take the lead on these discussions. For physical and technical safeguard
ins
issues, Brian Granier will take the lead. For discussions on how Circron would
price potential future engagements to help close the gap, Joselyn Sales Admin
eta
will take the lead.
rr
The end date of Phase III is scheduled for a date earlier than the agreed upon
ho
due date. This is to help facilitate the under-promise/over-deliver principle. It also
gives time to deal with unexpected issues that might take more time than was
ut
expected.
,A
A more detailed breakout of the tasks to be performed during this portion of the
04
Key fingerprint
project = AF19
is provided on FA27 2F94 998D
the following FDB5 DE3D F8B5 06E4 A169 4E46
page:
20
te
tu
sti
In
NS
SA
©
18
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
s.
ht
ll rig
fu
ins
eta
rr
ho
ut
,A
04
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
20
te
tu
sti
In
NS
SA
©
19
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
Budget Details –Estimate
This budget estimate is a tool used by Circron prior to beginning work on a
project to ensure that the engagement will result in profit. Once the detailed
project plan has been made, as provided above, this estimate is generated
based upon the information provided in that document. Therefore, making the
project plan as accurate as possible is crucial to ensuring that engagement
remains profitable.
s.
This budget estimate is not meant to be used as an accounting tool to record
ht
actual flows of cash. As a result, this estimation does not cover the overhead
expenses associated with being in business, such as the partial salary paid to
rig
Joselyn Sales Admin, software and equipment purchased directly by Circron,
bonus/incentive pr ograms,mar ket ing,et c…
ll
fu
Gross Income:
ins
Estimated 76 hours @ $180/hour $13,680
Expenses:
eta
HIPAA Step by Step Guide –SANS Press ($60)
Sales related expenses (travel/lunch) rr ($100)
Per diem granted to consultants on site $25/ estimated @ 10 total days from plan * ($250)
ho
Total: ($410)
Compensation:
ut
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Total: ($9,675)
20
* Note that since the client is local, the per diem expense is lower than it
would be in other situations. Per Diems are awarded to billable consultants only
sti
for days on which they spend more than 4 hours at the customer site. Mileage
In
estimated for compensation to the employees does not necessarily match the
number of hours quoted to the client. There have been cases where hours spent
SA
by a consultant are billable to the Circron, but may not necessarily be billable to
the client. Additionally, by having this extra room for budget estimations, it can be
©
possible to cover additional time spent without eating into the profits if the
process goes just a little slower than it should. This can make it possible to still
deliver at the original quoted price even if the engagement takes more hours than
expected. When building the budget estimate, Circron will use the project plan
created and assume the estimated hours for each task are accurate and that
each team member on the task will be spending 100% of the estimated time for
that step. This practice has worked well for Circron, but may not be advisable for
others. It has usually resulted in a higher net profit than budgeted.
20
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
Meeting/Interview Facilitation
The organization of this section is based upon the flow for the interview and
discusses specifically the initial interviews that will be conducted of Peter Lead
Doctor and Jane Receptionist. Note that Peter Lead Doctor has been identified
as a type I personality and Nova Jane Receptionist as a type D. These factors
directly effect the prepared organization for each of these interviews. This section
will cover the major aspects of the planned interview process and provide some
s.
sample questions that could be asked during each portion of the interview.
ht
Introduction
rig
The introduction of the interview is going to set the tone for the rest of the
ll
conversation. The purpose of this phase is to introduce who the interviewee is
fu
and what the goal of the interview is to be.
ins
Peter Lead Doctor Introduction: Asat ypeIper sonality,it
’susual lybestt o
open with some small talk and be personable. Let the client warm up to the
eta
conversation before diving into the business purpose for being there. Try to ask
rr
an open-ended question and avoid anything that could be politically or
emotionally charged.
ho
not t o
=ask:I’
vebee nhe aringFDB5
alotofst
orieslatel
yabA169
outhumancl
oni
ng,
04
Question
Key fingerprint AF19 FA27 2F94 998D DE3D F8B5 06E4 4E46
what ’
sy ourt akeont hesubject?
20
Once enough small talk has occurred and Peter begins to open up, start into the
te
purpose of the introduction. Consider using his desire for being recognized for
tu
Quest i
ont oask:SoIunder standt haty ou’vebeenv er yhel pfultoJaneasshe’ s
NS
success.Asy ouar eawar e,she’ saskedust ohel pcont inuet heef fortbylooking
at GIAC Enterprises through the eyes of the HIPAA Security Rule. You may have
©
seen this high-level project plan (sliding the short project plan from the scope of
wor ktohi m) .Wast hereany t
hi ngy ou’ dliketounder standaboutt hepr oject
before we begin?
21
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
Quest iont oask:Jane,i t
’sapl easuret omeety ou.I ’
m Brian. I will be taking the
lead responsibility for providing the Gap Analysis and Remediation plan. I know
y ou’ v ebeengi v ent hehigh-level overview of the steps we will be taken (noticing
it in front of her). Do you have any questions?
Question not to ask: See the more longwinded question asked of Peter Lead
Doctor.
s.
ht
The purpose of this phase of the interview is to identify what the client really
wants to have. In this case, we know they want a Gap Analysis and Remediation
rig
plan, so we will be focused on how they want it delivered, if there are any specific
areas that they wanted highlighted over another and generally how the client will
ll
identify the engagement as successful.
fu
ins
Peter Lead Doctor IKS:
Question to ask: We want to make sure that what we provide for you is the way
eta
you want it and that your employees can use. I understand that you selected XYZ
Consulting firm when you reviewed your HIPAA Privacy compliance stance. How
rr
did that go? What did they do well and what could have been done better?
ho
Be careful with this question. The goal is to find out what it will take for you to
ut
succeed. Not to discuss the negative aspects of XYZ Consulting who may or may
,A
Key fingerprint
Question not to= ask:
AF19I FA27
heard2F94 998D
you did FDB5
your DE3D
HIPAA F8B5 06E4
Privacy Rule A169 4E46
Gap Analysis with
20
XYZConsul t
ing.I ’
vehear dsomebadt hi
ngsaboutt hem.Whatwasy our
experience?
te
tu
Question to ask: I know you did a HIPAA Privacy Gap Analysis with XYZ
Consulting. How did that go? What did they do well and what have been done
In
better?
NS
Question to ask: We want to make sure that the reports we provide are in a
SA
format that works for you and that you can be happy with. I have brought a
couple of samples from previous engagements with permission from our clients
©
and that have been altered so as not to reveal their identity. Would you mind
looking them over and giving some feedback on the general format of the
presentation and let me know any areas you want brought out?
Information Gathering
This portion of the interview is the primary purpose of the interview. In this case it
is to begin the process of gathering data for the HIPAA Gap Analysis. In this
22
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
case, questions covering each of the three areas (administrative, physical and
technical) will be asked. A focus will be on what is a documented policy or
procedure vs. de facto policy or procedure. Also look for hot buttons the client
might have in particular areas. In some cases there may be agendas or ulterior
motives affecting their opinion. If these can be identified and incorporated into the
project without defeating the purpose of the project or causing scope creep, it will
help in the long run for the acceptance of the final work product.
s.
Question to ask: Have you implemented any type of virus filtering for your
ht
workstations?
rig
Follow-up Question to ask: Can you disable it if is causing your system to run
ll
slow?
fu
ins
This follow-up question is key. It goes to two different issues. First is the
administrative capability for users to disable anti-virus. The second is to identify if
eta
t
hey ’vebeeneduc atedabouthowi mpor t
anti ti
s.
rr
Question not toask:Ican’ tbeli
ev ey ouchoseabcant i-virus solution. They have
ho
the worst reputation in the industry. Have you had a lot of viruses get through?
ut
the client for what is, that is saved for being presented in a constructive way in
the Gap Analysis report if it is appropriate. By being judgmental, you are also
04
Key fingerprint
reducing = AF19 FA27
the likelihood 2F94 998D
of getting FDB5
thorough andDE3D F8B5 information.
accurate 06E4 A169 4E46
20
This section of the interview is to provide time for the client to unload anything
tu
else they might have or ask any questions. First, try to ask as open-ended a
sti
question as possible in order to get the client to talk. If you can get them talking
and getting everything out that they have to say, there can be some useful
In
information. Be careful of clients who have too much to say and try to keep things
NS
on track, but allow for some room to stray. Once this is done, recap the meeting.
Insomec ases,i t
’sbet tertodot hisl at
erinanemai l
.Somet imesi t’
sbet t
ert odoi t
SA
at the meeting directly. This is a choice of personal style and is impacted by the
type of client environment that is being dealt with.
©
Question not t
oask:Gr
eat
.Wel
lIt
hinkwe’
redoneher
e.Thanksf
ory
ourt
ime.
Where’ sthedoor?
23
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
And for the recap:
Question to ask: Okay. Ther e’sal otofi nformat i
onher ethatneedst obe
organized.Woul di tbeokayi fIputt oget heranemai ldocument i
ngwhatwe’
ve
discussed so that you can review it to identify any areas that I may have
misunderstood?
Potential Pitfalls
s.
Project behind schedule
Wi thalmos tev eryproject,t her e’sar i
skofget ti
ngbehi ndschedul e.Thi sis
ht
especi al
lycrit
icalinthispr oj ectsi nceit’sar el ati
velyshorttimef rameandt he
rig
ev ent sschedul edf orFri
day ’sar efix
ed.Whi lethedoc ument edpr ojectplani snot
meant to be set in stone, it is intended to be used as a guideline. If the project is
ll
fu
falling behind the scheduled events in the project plan, then quick action will
need to be taken. Most likely, this action will be simply working longer days by
ins
doing work at homet ocat chup.I t’
snotex pec t
edt hatbri
ngi nganot her
consultant on the job would work, since the time frame is short and it would take
eta
time for the new person on the project to catch up.
rr
Del iver abledoesn’ tmeetcl i
ent s’expect ations
ho
Again, this is a risk with basically all projects. This potential pitfall is specifically
addressed during the initial interviews with questions that probe at how the
ut
pay attention to the style of the documents collected that were created by the
client, especially the ones that will be determining the success of the project.
04
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
20
While this project is specifically targeted at the HIPAA Security Rule, we will also
tu
be reviewing the documents created by/for the client as it pertains to the HIPAA
sti
will be reading these documents anyways, it would not take much additional
effort to identify potential short falls or to provide a validation that GIAC
NS
24
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
collection of information as a workbook as a tool for future auditors, there may be
a perception of added value that already exists anyways.
With respect to additional work opportunities, there are many areas that Circron
can provide follow on projects. Since the point of this project is to identify what
actions need to be taken to comply with HIPAA regulations, Circron can position
themselves as an obvious choice for the implementation of these tasks. Circron
strives to identify and win long-term contracts to help ensure the ongoing
success of the business. By understanding the technical environment and
s.
building the client relationship, GIAC Enterprises can likely fit well within this
ht
business objective.
ll rig
fu
ins
eta
rr
ho
ut
,A
04
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
20
te
tu
sti
In
NS
SA
©
25
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
Part 4: Final Deliverables
Section A
Note that this deliverable is made for a gap analysis that was never actually
performed as this is a theoretical engagement. This has resulted in less than
thorough coverage in this example deliverable. Typically, during a Gap Analysis
of any kind, it is important to be as specific as possible about the environment.
s.
Details such as software applications and versions, system names and functions,
ht
policies and procedures reviewed,i nterviewsconduct ed,etc… shoul dal lbe
includedwi tht he“ currentst ateassess ment ”informat i
on.Thepr ocessofgoi ng
rig
through a Gap Analysis will reveal much more information than is available in this
sample deliverable. However, the general flow and organization of the document
ll
fu
demonstrates an appropriate flow for a HIPAA Security Rule Gap Analysis. Note
that the scope of work calls for both a Gap Analysis report and a Remediation
ins
plan. While remediation options are given with this report, the Remediation plan
for this engagement is intended to identify specific tasks and technologies to
eta
close the gaps instead of a general explanation of what the task goals need to be
asshowni nt heGapAnal y sis.Inthissensetrrhe“ Remedi ati
onpl an”i sr eal
lymore
of a task identification and project management process. The Remediation plan
ho
is not provided in this practical.
ut
,A
Executive Summary
04
The fingerprint
Key following document provides
= AF19 FA27 a Gap
2F94 998D Analysis
FDB5 DE3Dperformed
F8B5 06E4byA169
Circron
4E46
Consulting for GIAC Enterprises with specific focus on the HIPAA Security Rule
20
federal regulations.
te
tu
Privacy Rule and the resulting changes made to the organization in a timely
In
26
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
legally discoverable document as it could be considered attorney/client privileged
information.1
s.
general are addressed through an ongoing process and should not be expected
ht
to be completed once and then forgotten. Fortunately, through ongoing auditing
rig
requirements written into the Security Rule, this cyclical process will be built into
GIAC Enterprises compliance strategy.
ll
fu
Circron Consulting would like to thank you for your business. We look forward to
ins
continue working with you on your compliance and general information
technology and security needs.
eta
Summary of Results rr
The following table provides a high level review of the HIPAA Security Rule
ho
standards and general compliance stance. This table was modeled after the Gap
Analysis table provided in the HIPAA Security Implementation: Step by Step
ut
afterwards.
04
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
20
te
tu
sti
In
NS
SA
©
1
This is currently a legally untested theory. Consult with legal counsel for details.
27
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
User Management (WBS
Disaster Recovery (WBS
Training/Awareness (WS
Policies and Procedures
Technical Architecture
Security Management
Human Resources
System/Network
(WBS 3.0)
(WBS 7.0)
10.0)
2.0)
6.0)
s.
ht
rig
ll
fu
Rule/Section Gap
s
in
Administrative Safeguards
a
164.308(a)(1) Security Management Process
et
rr
164.308(a)(2) Assigned Security Responsibility
164.308(a)(3) Workforce Security
ho
164.308(a)(4) Information Access Management
ut
164.308(a)(5) Security Awareness and Training
,A
164.308(a)(6) Security Incident Procedures
04
164.308(a)(7) Contingency Plan
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
164.308(a)(8) Evaluation 20
164.309(b)(1) Business Associates Contracts
te
Physical Safeguards
tu
Technical Safeguards
SA
164.312(c) Integrity
164.312(d) Person or Entity Authentication
164.312(e) Transmission Security
= Full Compliance, = Partial Compliance, = No Compliance, N/A = Not Applicable
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
The following table provides an explanation of the WBSAD categories used in the
summarization table above. This table was taken from the HIPAA Security
Implementation: Step by Step Guide p. 84-86:
WBS
REMEDIATION OPTION WBS ACTIVITY DESCRIPTION (BRIEF)
ELEMENT
1 Security Management Formal and central management structure that
Program creates, administers, and oversees security related
policies and procedures to ensure the prevention,
detection, containment, and correction of security
s.
breaches.
ht
2 Business Continuity Contingency planning to respond to a system
Planning and Disaster emergency or disaster. Plans must be formally
rig
Recovery documented and periodically tested.
3 Policies and An organizational framework that establishes
Procedures needed levels of information security and privacy
ll
to achieve the desired confidentiality goals.
fu
4 Human Resource Personnel security and other security related
Policies and aspects of dealing with employees.
ins
Procedures
5 Business Associate Contract between two business partners for the
eta
Agreements electronic exchange or handling of data, protecting
the integrity and confidentiality of the data
rr
exchanged or handled.
6 Security Training and Education of the entity workforce regarding
Awareness security and the reinforcement of that education
ho
the organization.
,A
The following sections provide the actual text from the Final Security Rule,
available at http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
164.308(a)(1)(i) Standard: Security management process. Implement
policies and procedures to prevent, detect, contain, and correct security
violations.
s.
ht
A Risk Analysis was Policies and Procedures have Establish and implement a
rig
performed as a result of the not been implemented to policy for regularly scheduled
HIPAA Privacy Rule Gap ensure that the risk analysis is intervals to review, renew and
Analysis. performed on a periodic basis maintain the Risk Analysis
ll
or otherwise kept updated. Report at least on a yearly
fu
The Risk Analysis covered all basis.
of the details appropriate for
ins
both the Privacy and Security
Rule. See Appendix A for the
eta
Risk Analysis Report.
rr
(B) Risk management (Required). Implement security measures sufficient to
ho
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Steps necessary to reduce Items detailed in the The remaining remediation
20
risks were identified in the remediation plan attached to steps identified in the attached
Risk Analysis that was Appendix A. Risk Analysis needs to be
te
30
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
Current HR documents reflect HR documentation does not Modify HR policies to include
sanction policies for the extend these sanctions to the HIPAA Security Rule in
HIPAA Privacy Rule. employees violating HIPAA addition to Privacy Rule in its
Security Rules. sanction policy.
The sanctions are reasonable.
s.
ht
(D) Information system activity review (Required). Implement procedures
rig
to regularly review records of information system activity, such as audit logs,
access reports, and security incident tracking reports.
ll
fu
Current State Assessment Identified Gaps Remediation Options
ins
System auditing parameters This Implementation GIAC Enterprises can choose
for all systems are in their Specification has not been to train an internal employee
eta
default configuration. No addressed in any manner. to comply with this
policies or procedures exist to Implementation Specification.
review logs and this task is rr
Technical logging and auditing Alternatively, this task can be
currently not part of any job are inadequate to properly outsourced to a third party
ho
description at GIAC track events that should be contractor.
Enterprises. reviewed.
ut
Systems need to be
configured to log meaningful
,A
information to provide
adequate information and to
04
who is responsible for the development and implementation of the policies and
procedures required by this subpart for the entity.
©
31
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
The policy identifying Jane currently filled by Jane
Receptionist as the HIPAA Receptionist.
Privacy officer and as the
person responsible for HIPAA
Policies and Procedures in
any form has been attached in
Appendix C.
s.
ensure that all members of its workforce have appropriate access to electronic
ht
protected health information, as provided under paragraph (a)(4) of this section,
rig
and to prevent those workforce members who do not have access under
paragraph (a)(4) of this section from obtaining access to electronic protected
ll
health information.
fu
(A) Authorization and/or supervision (Addressable). Implement procedures
ins
for the authorization and/or supervision of workforce members who work with
eta
electronic protected health information or in locations where it might be
accessed. rr
Current State Assessment Identified Gaps Remediation Options
ho
implemented
Key an acceptable
fingerprint = AF19 FA27 No
2F94gaps identified.
998D FDB5 DE3D F8B5 06E4 A169 4E46
use policy. The acceptable
20
information sent to a
clearinghouse with whom
GIAC Enterprises has a
SA
Business Associate
Agreement. This agreement
©
32
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
(B) Workforce clearance procedure (Addressable). Implement procedures
to determine that the access of a workforce member to electronic protected
health information is appropriate.
s.
need to access ePHI. checks.
ht
rig
(C) Termination procedures (Addressable). Implement procedures for
ll
terminating access to electronic protected health information when the
fu
employment of a workforce member ends or as required by determinations made
as specified in paragraph (a)(3)(ii)(B) of this section.
ins
eta
Current State Assessment Identified Gaps Remediation Options
Key fingerprint
systems where ePHI= AF19
are FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
20
termination procedure.
sti
In
implement policies and procedures that protect the electronic protected health
information of the clearinghouse from unauthorized access by the larger
organization.
33
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
(B) Access authorization (Addressable). Implement policies and procedures
for granting access to electronic protected health information, for example,
through access to a workstation, transaction, program, process, or other
mechanism.
s.
Currently, any external access The policy needs to be Incorporate Security Rule
ht
to PHI in any form (including strengthened to include the terminology in the Access
ePHI) must be approved by specific terminology used in Authorization Policy.
rig
the Privacy. this implementation
specification.
ll
This policy can be found in
fu
Appendix F.
ins
(C) Access establishment and modification (Addressable). Implement
eta
policies and procedures that, based upon the entity's access authorization
policies, establish, document, review, and modify a user's right of access to a
rr
workstation, transaction, program, or process.
ho
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46and modify
Implementation Specification. practice to comply with this document, review,
Implementation Specification a user's right of access to a
20
workstation, transaction,
program,orpr ocess”
te
containing ePHI.
tu
sti
awareness and training program for all members of its workforce (including
management).
NS
GIAC Enterprises currently While the HIPAA Privacy Rule Include security reminders
includes periodic reminders is trained appropriately with with the privacy rule training
about compliance issues to ongoing training, security on a semi-annual basis.
the HIPAA Privacy Rule. Most issues are not included.
notably, new employees must Incorporate security specific Obtain more regular security
sign off on attendance to reminders. awareness training to the
training on Privacy Rule issues HIPAA Security Officer.
semi-annually and are
followed up with a quiz to
ensure their understanding of
34
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
the material.
GIAC Enterprises has There is a lack of policy and Implement more robust firewall
s.
currently implemented a procedures identifying solution.
Linksys Cable/DSL router compliance with this
ht
between them and the Implementation Specification. Create appropriate policies
rig
Internet. They are using and procedures.
McAfee antivirus solution. Users should not be able to
Virus definitions are kept up to disable antivirus software. Disable ability for users to
ll
fu
date. Users are able to disable disable anti-virus solution.
antivirus. No detection Protections provided by
ins
procedures or reporting Linksys Cable/DSL router are Implement IDS solution.
procedures exist. No too limited, even with built-in
“fi
rewal l”prot ect
iont urnedon. Implement system integrity
eta
documentation exists
identifying GIAC Enterprises solution to help identify
compliance stance. No IDS solution or system
rr potentially malicious software
integrity software exists. on the two servers on the
network that contain ePHI.
ho
ut
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Current State Assessment Identified Gaps Remediation Options
20
Failed and successful login Logging is not occurring for Create policies and
te
attempts are not logged on the access on Windows systems. procedures for logging and
tu
Specification is clearly
assigned and that the
responsible person is trained
SA
35
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
requirements for employees
not to share their passwords.
Workstations were checked to
look for papers that had
username/passwords and
none existed. Passwords are
changed every thirty days as
enforced by operating system
configuration. Employees were
quizzed on their understanding
s.
of the policies outlined in the
ht
employee manual and all
employees understood and
rig
are in compliance with the
stated policies.
ll
fu
This policy is included in
Appendix G
ins
eta
(6)(i) Standard: Security incident procedures. Implement policies and
procedures to address security incidents. rr
Response and Reporting (Required). Identify and respond to suspected or
ho
security incidents that are known to the covered entity; and document security
,A
Current
Key State Assessment
fingerprint Identified
= AF19 FA27 2F94 998D FDB5 Gaps Remediation
DE3D F8B5 06E4 A169 4E46Options
20
example, fire, vandalism, system failure, and natural disaster) that damages
NS
information.
36
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
(B) Disaster recovery plan (Required). Establish (and implement as needed)
procedures to restore any loss of data.
Backups are not tested. Full Backups need to be tested. Create and implement a policy
backup tapes are taken home and procedure to regular test
by Jane Receptionist every Tapes are not properly restorations from backup
Friday. These tapes are stored secured when off-site. media.
i
nJane’ sdeskdr awerat
s.
home. Jane lives twenty-five Restoration procedures are Obtain additional hard drives
ht
minutes away. Restoration not well understood or in order to test complete
rig
procedures are not written. practiced. restoration on an annual basis.
Document process to perform
complete restoration.
ll
fu
Provide an environmentally
controlled safe for Jane
ins
Receptionist or use an off-site
tape storage service to keep
eta
off-site copies of backup
rr tapes.
ho
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Current State Assessment Identified Gaps Remediation Options
20
available to purchase
equipment necessary to
rebuild their environment.
Medical equipment is available
to GIAC Enterprises as part of
their agreement with GIAC
Health.
37
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
(D) Testing and revision procedures (Addressable). Implement procedures
for periodic testing and revision of contingency plans.
The contingency plan is No procedures exist for testing Completely testing the
reviewed between GIAC contingency plan. contingency plan (independent
Enterprises and GIAC Health of other Implementation
on a yearly basis as per their Specifications in this realm) is
s.
contingency contract. deemed as overly costly.
ht
Since GIAC Enterprises is a
rig
small organization, it may be
appropriate to document that
no further steps to test the full
ll
contingency plan would be
fu
appropriate. This decision
ins
should be reviewed closely
with legal counsel. Document
this decision clearly.
eta
rr
(E) Applications and data criticality analysis (Addressable). Assess the
ho
relative criticality of specific applications and data in support of other contingency
plan components.
ut
,A
Key fingerprint
A thorough = AF19 FA27 The
data criticality 2F94data
998D FDB5analysis
criticality DE3D F8B5Copy
06E4and
A169 4E46
modify data
analysis was performed as from the Risk Assessment has criticality analysis from Risk
20
part of the Risk Analysis not been extracted and Assessment and include as a
performed in compliance with documented as an order of prioritization of restoration in
te
the HIPAA Security Rule. This restoration in contingency the event of contingency plan
tu
which an entity's security policies and procedures meet the requirements of this
subpart.
©
GIAC Enterprises has Documented policy for HIPAA Expand existing policy to
documented a policy for a third Privacy Rule is not enforced. include HIPAA Security Rule.
party audit on an annual basis
with regards to HIPAA Privacy Annual review is specifically Enforce documented policy.
Rules. However, they have not worded to be targeted at the
complied with this policy since privacy rule; thus no such
it has been 18 months since policy exists as it relates to
38
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
the last audit. HIPAA Security Rule.
s.
ht
(4) Written contract or other arrangement (Required). Document the
rig
satisfactory assurances required by paragraph (b)(1) of this section through a
written contract or other arrangement with the business associate that meets the
ll
applicable requirements of Sec. 164.314(a).
fu
Current State Assessment Identified Gaps Remediation Options
ins
GIAC Enterprises has GIAC Enterprises is in No actions required.
eta
implemented appropriate compliance.
business associate contracts rr
with all appropriate parties as
part of the HIPAA Privacy
ho
regulations.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
20
procedures to limit physical access to its electronic information systems and the
In
facility or facilities in which they are housed, while ensuring that properly
authorized access is allowed.
NS
needed) procedures that allow facility access in support of restoration of lost data
under the disaster recovery plan and emergency mode operations plan in the
©
event of an emergency.
39
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
locks within the office.
s.
Locks are in place and Despite weaknesses, GIAC Create policy for fulltime
ht
correctly used on all points of Enterprises has taken occupancy of nursing station
entry. There is a card access significant steps to comply during business hours.
rig
system required to enter the with this requirement.
treatment area. Patients are Company policy should Work with building to enforce
ll
escorted in by nurses. The include a requirement of an policies on removal of
fu
nur ses’ st
ati
onhasf ullviewof employee always being in the equipment.
all treatment rooms within the nursing station.
ins
clini cfrom thenur ses’ station Document policies and
and during business hours, Policies written by building procedures addressing third
eta
this area is almost always management should be party access.
occupied by GIAC Enterprises enforced.
staff. No access is available to rr
ePHI in the treatment rooms No policies exist with regards
ho
except for information that are to ensuring third parties who
carried in by employees for have a business need to work
ut
Key fingerprint
presence = AF19
of patients are FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
20
A Business Associate
SA
be found in Appendix I.
40
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
building tenant. Authorized
building tenant is defined by
someone who has signed the
lease or whom someone has
the lease has authorized. This
policy was tested and found
not to be enforced.
s.
tape. Tapes are overwritten on
ht
a weekly basis and are
available to be retrieved
rig
through the building
management company.
ll
Cameras cover all points of
fu
entry/exit to the building.
ins
(iii) Access control and validation procedures (Addressable). Implement
eta
procedures to control and validate a person's access to facilities based on their
role or function, including visitor control, and control of access to software
rr
programs for testing and revision.
ho
Policies and procedures exist Employee and patient access Document and implement
documenting that the Privacy procedures are documented procedures to control access
04
Officer must authorize all and properly implemented, but to people other than patients
Key
accessfingerprint = AF19 FA27 procedures
to PHI. Procedures 2F94 998Dneed FDB5 DE3D F8B5and
to be 06E4 A169 4E46
employees who need
20
exist controlling where patients expanded to incorporate other access to the facility. Ensure
are permitted to be people who may need access that the procedure includes
te
41
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
(b) Standard: Workstation use. Implement policies and procedures that
specify the proper functions to be performed, the manner in which those
functions are to be performed, and the physical attributes of the surroundings of
a specific workstation or class of workstation that can access electronic protected
health information.
s.
use policy exists. The procedures are appropriate,
ht
acceptable use policy also enforceable, and
covers details associated with implemented. No gaps have
rig
positioning of workstations to been identified.
reduce the risk of unintentional
ll
exposure of (e)PHI. See
fu
Appendix J
ins
These documents were
created as a result of the
eta
HIPAA Privacy Rule.
rr
ho
procedures that govern the receipt and removal of hardware and electronic
media that contain electronic protected health information into and out of a
NS
42
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
this implementation contractor to ensure that
specification is the disposition hardware and media are
of tapes used for performing properly disposed of.
backups. Tape retention
policies include the retirement
of tapes, so appropriate steps
must be taken to properly
dispose of this tape media
since it undoubtedly will
contain ePHI.
s.
ht
(ii) Media re-use (Required). Implement procedures for removal of electronic
rig
protected health information from electronic media before the media are made
available for re-use.
ll
fu
Current State Assessment Identified Gaps Remediation Options
ins
All equipment at GIAC For GIAC Enterprises, Complete remediation steps
eta
Enterprises is considered by compliance with this for the disposal
the company to contain ePHI. implementation specification is implementation specification.
As a result, re-use of rr
inherent in compliance with
equipment does not occur the disposal implementation
ho
within the organization. specification above.
ut
,A
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
20
equipment. Backup tapes are happens to both hardware and document the movement of all
sti
taken home by Jane media containing ePHI. This hardware and electronic media
Receptionist as part of the will include mostly the backup from GIAC Enterprises.
In
43
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
intent to move facilities or with the intent of this Enterprises interprets and
equipment. However, backups specification. Documentation believes to comply with the
are performed according to of this interpretation needs to intent of this implementation
policy. exist. specification.
s.
procedures for electronic information systems that maintain electronic protected
ht
health information to allow access only to those persons or software programs
rig
that have been granted access rights as specified in Sec. 164.308(a)(4).
ll
fu
number for identifying and tracking user identity.
ins
Current State Assessment Identified Gaps Remediation Options
eta
Two accounts exist for each Compliance with this Document the currently
employee at GIAC Enterprises implementation specification
rr implemented policy for user
that have access to ePHI. The needs to be identified. account creation.
first is a windows account that
ho
is an active directory Review and consider
username. This account is implemented a method to use
ut
procedure.
tu
sti
44
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
password changes.
GIAC Enterprises accesses all The implemented procedure Document the implemented
s.
ePHI from their workstations. addresses the intent of this procedure and identify it as the
ht
Screen savers are specification. intended method to comply
implemented to initiate in 10 with this implemented
rig
minutes of inactivity and are specification.
password protected.
ll
fu
(iv) Encryption and decryption (Addressable). Implement a mechanism to
ins
encrypt and decrypt electronic protected health information.
eta
Current State Assessment Identified Gaps Remediation Options
rr
The Unix system is accessed Encryption in transit for ePHI Turn on encryption amongst
ho
via SSH. A review of access to on GIAC Enterprises network Windows systems.
ePHI on the windows system can easily be achieved
ut
Key fingerprint
on backup = AF19
tapes or while itFA27 Encryption
2F94 998DofFDB5
data atDE3D F8B5respect
rest has 06E4 A169 4E46 with this
to compliance
20
encrypted. Document
sti
The two applications used at Failed and successful Turn on auditing for
GIAC Enterprises for ePHI login/logoff auditing was applications that access ePHI
storage and retrieval have discussed in the administrative to record who is viewing ePHI
software mechanisms for safeguards section. data.
recording an audit trail. These
are currently turned off. Audit logs for the ePHI Document a procedure on how
applications needs to be to review these logs.
enabled.
45
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
A procedure for examining
these logs needs to be
documented and
implemented.
s.
(2) Mechanism to authenticate electronic protected health information
ht
(Addressable). Implement electronic mechanisms to corroborate that electronic
rig
protected health information has not been altered or destroyed in an
unauthorized manner.
ll
fu
Current State Assessment Identified Gaps Remediation Options
ins
Servers containing ePHI are GIAC Enterprises has Document GIAC Enterprises
eta
using RAID 5. identified that additional interpretation of the lack of
integrity controls are need for them to take
unnecessary for their
rr additional technical steps to
environment. comply with this
ho
implementation specification.
Review these documents with
ut
legal counsel.
,A
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
verify that a person or entity seeking access to electronic protected health
20
46
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
(i) Integrity controls (Addressable). Implement security measures to ensure
that electronically transmitted electronic protected health information is not
improperly modified without detection until disposed of.
GIAC Enterprises would like to Policy needs to be established Document policy specifying
implement a method to to ensure that the future what technical specifications
transfer ePHI to business IPSEC tunnel planned meets are acceptable when
s.
partners (specifically their the integrity control transferring ePHI through a
ht
clearinghouse vendor) via a requirement. VPN tunnel to a business
site to site VPN. partner.
llrig
(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic
fu
protected health information whenever deemed appropriate.
ins
Current State Assessment Identified Gaps Remediation Options
eta
Along with Integrity of the site Ensure that the policy for the Ensure compliance with this
to site VPN discussed in the site to site VPN includes
rr implementation specification in
previous section is encryption encryption requirements. the integrity implementation
needs. specification requirement.
ho
ut
Appendices
tu
for inclusion in the appendices do not actually exist. Here is the list of documents
In
Appendix A: Risk Analysis performed during HIPAA Privacy Rule Gap Analysis
SA
47
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
Appendix G: Password Policy from Employee Manual
s.
ht
Appendix K: External access to PHI authorization and verification policy
ll rig
fu
ins
eta
rr
ho
ut
,A
04
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
20
te
tu
sti
In
NS
SA
©
48
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
References
1. Compt on,Chri
s“ Pr ovi
dingNet wor
kTraf f
icAnal
ysisServices to a
Gov ernmentCont ractor
”URL:
http://www.giac.org/practical/GCSC/Chris_Compton_PPT_GCSC.pdf
(August 2004)
s.
2. “FinalHI PAASecur it
yRul e”URL:
ht
http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp
rig
(August 2004)
ll
fu
by Step Guide v 1.0
ins
4. Musgrave, Garry, “10CommonPr ojectPi t
fallsandHowToAv oi
dThem”
URL: http://www.conceptron.com/articles/pdf/ten_pitfalls.pdf (January
eta
2001)
rr
5. “Pl
an,DO,Check,Act–PDCA”URL:http://www.isixsigma.com/me/pdca/
ho
(August 2004)
ut
,A
04
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
20
te
tu
sti
In
NS
SA
©
49
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.