Cloud Computing Risk Assessment


This document was obtained from the Internet by AuditNet® using advanced search techniques.

The document is from a site which has not identified restrictions on permitted use, and we are sharing this information for the benefit of the audit community. However, while we have attempted to provide accurate information, no representation is made or warranty given as to the completeness or accuracy of the document. In particular, you should be aware that the document may be incomplete, may contain errors, or may have become out of date.

While every reasonable precaution has been taken in the preparation of this
document, neither the author nor AuditNet® assumes responsibility for errors or
omissions, or for damages resulting from the use of the information contained herein.
The information contained in this document is believed to be accurate. However, no
guarantee is provided. Use this information at your own risk.
Audit Program Licensing Terms
1. You accept that this product is intended for your use (individual
subscription) or your group (multi-user subscription), and you will not
duplicate in any form or manner, electronic or otherwise, copies of this
product nor distribute this product to anyone else. Licensee shall not
knowingly permit anyone other than Authorized Users to use the Licensed
Materials.
2. Licensee may not use the Licensed Materials for commercial
purposes, including but not limited to the sale of the Licensed Materials or
bulk reproduction or distribution of the Licensed Materials in any form.
3. You recognize that the product and its content are the sole property of
AuditNet® (the Publisher), and that we have copyrighted the product.
4. You agree that the Publisher is not responsible for any interruption of
service or malfunction that is a consequence of the Internet, a service
provider, personal computer, browser or other software or hardware
components. You accept that there is no guarantee that this product is
totally error free. You further understand and accept that the Publisher
intends to provide reliable information but does not guarantee the accuracy
or completeness of any information, and is not responsible for any results
obtained from the use of such information.
5. This license is effective until terminated, when the license or
subscription period ends without renewal, or when you destroy this product
and any related documentation. The Publisher may terminate your license
without notice if you fail to comply with the conditions set forth in this
agreement, and may pursue any other legal recourse.
This form can be used to inventory cloud-related assets within the information technology portfolio. The knowledge of what information technology exists in an organization is vital to any good information security program. This worksheet will guide the team through a detailed inventory process by asking the right questions, gathering valuable information, and resulting in a full assessment of the location, condition, and inter-relatedness of all cloud-related information technology assets that store, process or transmit electronic protected health information (ePHI).

Sample inventory entries (only the first four columns are filled in the sample):

Name of Application or System | Operating System | Category (Clinical Application, Business Application, Data Center Application, Biomedical Application, Web Application, etc) | Description
Electronic Health Record | Hosted (Cloud Based) | Clinical | Electronic Health Record for the Outpatient Facility
Email | Hosted (Cloud Based) | Business | Email
Patient Scheduling System | Hosted (Cloud Based) | Business | Patient Scheduling
Remote Backup Software | Hosted (Cloud Based) | Business | Software to backup the data
Pathology Data System | Hosted (Cloud Based) | Clinical | Ancillary system where lab work is documented, charges developed, and results sent to EHR
Collaboration/File Sharing Software | Hosted (Cloud Based) | Business | Employee collaboration
PACS/Imaging | Hosted (Cloud Based) | Clinical | Clinical Picture Archiving Communication System
Business Intelligence | Hosted (Cloud Based) | Business | Business analytic tool
Customer relationship management (CRM) | Hosted (Cloud Based) | Business | Manage customer relations
Customer Service (e.g. survey tools) | Hosted (Cloud Based) | Business | Survey customers regarding satisfaction

Remaining inventory columns (left blank in the sample):

~Number Of Users
System Criticality
Data Classification / Regulation
Data Stored (& volume)
Data Transmitted (how and where)
Reports Generated (& for who)
Risk Assessment Frequency in Months
Business/Business Function
System Owner
Dept
Vendor Contact & Vendor Support Information
Access vendor has? (VPN, WebEx, PCAnywhere, dial up, etc?)
Access Control
Primary HW/OS Support Contact (Primary Support, Primary Phone; Secondary Support, Secondary Phone)
Responsible Analyst
BAA on File? (Y, N, N/A)
Secondary HW/OS Support
Location
Source of approved patches to apply (Microsoft Patches): 1. Vendor emails notifications; 2. We call vendor to verify patches; 3. Other - Explain
Scheduled Maintenance Downtime (ex: 4th Thu of Month)
Dependent Systems
Interfaces / Connections
Logs / Monitoring
Malware / IDS Protection
Cloud Computing Risk Assessment Module
The following is intended as a sample risk assessment for health care organizations that utilize cloud services. It is intended to address the risks to
confidentiality, integrity, and availability that the health care organization should consider addressing. It is not intended to address the risks to the cloud
provider, who should separately perform its own risk assessment. The identified risks are examples, and should be modified based on the specific
circumstances of the cloud provider, who likely will have a different set of existing controls, different risk levels, and may face additional categories of risks.
Recommended Best Practice Controls are potential ways to address risks and are not intended to represent the only appropriate controls.

As vulnerabilities are discovered you can record them and evaluate the level of risk using this report.

Risk register columns and how to fill them in:

Vulnerability Name: Describe a particular weakness or flaw in your security that could be exploited by a threat source to cause a security violation or breach.
Risk Description: Describe, in business terms, the type of harm to the organization if this vulnerability is exploited by a threat source.
Threat Source: Describe the threats that could take advantage of this vulnerability. Consider the 4 categories of threats: Adversarial, Accidental, Structural, Environmental; as well as more specific examples such as external / internal, users, visitors, virus, natural hazard, etc.
Existing Controls: Describe the safeguards already in place that reduce this risk. Consider physical, technical and administrative safeguards.
Likelihood of Occurrence: Very High, High, Moderate, Low, Very Low
Impact Severity: Very High, High, Moderate, Low, Very Low
Risk Level: Very High, High, Moderate, Low, Very Low
Potential Best Practice Control: Give a recommendation for the best new safeguard(s) that can reduce the risk from this vulnerability further.
Organizational Comments: (free text)
Owner: Need to assign an owner (accountability and follow-up)

Sample risk register entries:

1. Vulnerability: Cloud provider fails to periodically conduct a risk assessment including penetration testing (including web application security)
   Risk description: Information maintained by the cloud provider is compromised
   Threat source: Adversarial, accidental, structural, environmental, etc.
   Existing controls: None
   Likelihood / Impact / Risk level: High / High / High
   Potential best practice control: Obtain assurances that cloud provider conducts periodic risk assessments, including information about who conducts risk assessment, how often, and whether such assessments include penetration testing.

2. Vulnerability: Cloud provider has inadequate administrative, physical, and technical safeguards
   Risk description: Information maintained by the cloud provider is compromised
   Threat source: Adversarial, accidental, structural, environmental, etc.
   Existing controls: None
   Likelihood / Impact / Risk level: High / High / High
   Potential best practice control: Obtain documentation that cloud provider has a comprehensive security program that adheres to a recognized framework (e.g., ISO) and is periodically reviewed by a third party.

3. Vulnerability: Unauthorized access during transmission to cloud provider
   Risk description: Information is intercepted and exploited by an unauthorized third party during transmission to the cloud provider
   Threat source: Adversarial outsider (e.g., hacker)
   Existing controls: Information sent to cloud provider is encrypted in transit
   Likelihood / Impact / Risk level: Low / High / Low
   Potential best practice control: No additional control necessary

4. Vulnerability: Weak password protections for cloud services
   Risk description: Unauthorized person is able to obtain access to information by guessing a password
   Threat source: Adversarial insider or outsider
   Existing controls: Vendor default password and no administrative password policy
   Likelihood / Impact / Risk level: Moderate / High / Moderate
   Potential best practice control: Turn on vendor feature requiring strong passwords and implement policy prohibiting weak password practices

5. Vulnerability: Unlimited password attempts for cloud services
   Risk description: Unauthorized person uses automated attack to obtain passwords
   Threat source: Adversarial outsider (e.g., hacker)
   Existing controls: Vendor default does not limit password attempts
   Likelihood / Impact / Risk level: Moderate / High / Moderate
   Potential best practice control: Turn on vendor feature limiting failed login attempts

6. Vulnerability: Social engineering attempt to obtain password to cloud services
   Risk description: Unauthorized person obtains password by posing as insider (e.g., IT department)
   Threat source: Adversarial outsider (e.g., hacker)
   Existing controls: None
   Likelihood / Impact / Risk level: Moderate / High / Moderate
   Potential best practice control: Institute policy and provide training that users may not share passwords with others, including IT department

7. Vulnerability: Password to cloud services is written down and available to unauthorized persons
   Risk description: Unauthorized person obtains copy of written password to cloud services
   Threat source: Adversarial insider or outsider
   Existing controls: None
   Likelihood / Impact / Risk level: Moderate / High / Moderate
   Potential best practice control: Institute policy and provide training that users may not write down passwords and leave them unattended

8. Vulnerability: Download of cloud information
   Risk description: Authorized user downloads local copy of information from cloud onto unsecure device, which is lost or stolen
   Threat source: Users
   Existing controls: None
   Likelihood / Impact / Risk level: High / High / High
   Potential best practice control: Determine appropriate download policy (e.g. information may only be downloaded in limited circumstances and only to properly secured devices)

9. Vulnerability: Corruption during transit
   Risk description: Information is partial or incorrect (e.g. due to packet loss), resulting in patient safety concerns due to incomplete medical information
   Threat source: Accidental
   Existing controls: Software application checks integrity of transmitted data
   Likelihood / Impact / Risk level: Very Low / High / Low
   Potential best practice control: No additional control necessary

10. Vulnerability: Service outage at cloud provider
    Risk description: Lack of access to information, potentially including electronic health records and billing information
    Threat source: Accidental or environmental
    Existing controls: None
    Likelihood / Impact / Risk level: Moderate / High / Moderate
    Potential best practice control: Evaluate business continuity and disaster recovery options (e.g. from cloud provider or through on-premise recovery) and implement and test appropriate solution.

11. Vulnerability: Service outage at local internet service provider
    Risk description: Lack of access to information, potentially including electronic health records and billing information
    Threat source: Accidental or environmental
    Existing controls: None
    Likelihood / Impact / Risk level: High / High / High
    Potential best practice control: Maintain reasonably current local backup of critical information and test ability to recover information

12. Vulnerability: Loss of local power
    Risk description: Lack of access to information, potentially including electronic health records and billing information
    Threat source: Environmental
    Existing controls: None
    Likelihood / Impact / Risk level: High / High / High
    Potential best practice control: Maintain backup generator for powering critical IT systems and use local backup
Definitions of Key Terms: Likelihood, Impact, Risk

Risk
The determination of risk for a particular threat / vulnerability pair is a function of:
1) The likelihood of a given threat-source’s attempting to exercise a given vulnerability
2) The magnitude of the impact should a threat-source successfully exercise the vulnerability
3) The adequacy of planned or existing security controls for reducing or eliminating risk

The following matrix demonstrates how risk is calculated based on the impact and likelihood scores

Likelihood

Likelihood is an indication of the probability that a potential vulnerability may be exercised given the threat
environment.
Consider the following factors:
1) Threat-source motivation and capability
2) Nature of the vulnerability
3) Existence and effectiveness of current or planned controls

Likelihood Level | Likelihood Definition (anticipated frequency of occurrence is:)
Very High | Error, accident, or act of nature is almost certain to occur; or occurs more than 100 times a year.
High | Error, accident, or act of nature is highly likely to occur; or occurs between 10-100 times a year.
Moderate | Error, accident, or act of nature is somewhat likely to occur; or occurs between 1-10 times a year.
Low | Error, accident, or act of nature is unlikely to occur; or occurs less than once a year, but more than once every 10 years.
Very Low | Error, accident, or act of nature is highly unlikely to occur; or occurs less than once every 10 years.
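The following Python is an added example, not part of the AuditNet worksheet. It encodes the frequency-based likelihood scale above and turns a likelihood/impact pair into a risk level, then re-scores a handful of rows from the risk assessment module to confirm the recorded risk levels agree. The worksheet's own likelihood x impact matrix did not survive extraction on this page, so the combination table used here is an assumption taken from NIST SP 800-30 Rev. 1 (Table I-2), which the worksheet cites; the threshold handling at exactly 100, 10, 1 and 0.1 events a year is also an assumption, since the scale leaves those boundaries open.

```python
"""Risk-level scoring for a cloud risk register.

Added example (not AuditNet code). Likelihood levels follow the worksheet's
frequency scale; the likelihood x impact combination table is an assumption
taken from NIST SP 800-30 Rev. 1, Table I-2, which the worksheet cites.
"""
from dataclasses import dataclass

# The five-point scale shared by likelihood, impact and risk level.
LEVELS = ("Very Low", "Low", "Moderate", "High", "Very High")

# Assumed combination table (NIST SP 800-30 Rev. 1, Table I-2):
# row = likelihood, column position = impact in LEVELS order.
RISK_MATRIX = {
    "Very High": ("Very Low", "Low", "Moderate", "High", "Very High"),
    "High":      ("Very Low", "Low", "Moderate", "High", "Very High"),
    "Moderate":  ("Very Low", "Low", "Moderate", "Moderate", "High"),
    "Low":       ("Very Low", "Low", "Low", "Low", "Moderate"),
    "Very Low":  ("Very Low", "Very Low", "Very Low", "Low", "Low"),
}


def likelihood_from_frequency(events_per_year: float) -> str:
    """Map an anticipated annual frequency onto the worksheet's likelihood scale.

    The worksheet does not say which level an exact boundary value belongs to;
    here each threshold is taken as the lower bound of the higher level
    (assumption).
    """
    if events_per_year > 100:
        return "Very High"
    if events_per_year >= 10:
        return "High"
    if events_per_year >= 1:
        return "Moderate"
    if events_per_year >= 0.1:  # at least once every 10 years
        return "Low"
    return "Very Low"


def risk_level(likelihood: str, impact: str) -> str:
    """Combine a likelihood and an impact rating into a risk level."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown rating: {likelihood!r} / {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


@dataclass
class RegisterRow:
    vulnerability: str
    likelihood: str
    impact: str
    recorded_risk: str  # risk level as written in the worksheet


# Likelihood / impact / risk level copied from rows of the module above.
REGISTER = [
    RegisterRow("Cloud provider fails to conduct periodic risk assessment", "High", "High", "High"),
    RegisterRow("Unauthorized access during transmission to cloud provider", "Low", "High", "Low"),
    RegisterRow("Weak password protections for cloud services", "Moderate", "High", "Moderate"),
    RegisterRow("Corruption during transit", "Very Low", "High", "Low"),
    RegisterRow("Loss of local power", "High", "High", "High"),
]


def check_register(rows=REGISTER) -> list[str]:
    """Return vulnerabilities whose recorded risk level disagrees with the matrix."""
    return [r.vulnerability for r in rows
            if risk_level(r.likelihood, r.impact) != r.recorded_risk]


def prioritise(rows=REGISTER) -> list[str]:
    """Order register rows by computed risk level, highest first (stable sort)."""
    return [r.vulnerability for r in sorted(
        rows,
        key=lambda r: LEVELS.index(risk_level(r.likelihood, r.impact)),
        reverse=True)]


if __name__ == "__main__":
    for row in REGISTER:
        print(f"{row.vulnerability}: {risk_level(row.likelihood, row.impact)}")
    print("Rows disagreeing with the matrix:", check_register() or "none")
    print("Follow-up order:", prioritise())
```

Scoring the register mechanically rather than by hand is what keeps a register consistent across reviewers; a non-empty result from `check_register` is the cue to revisit either the ratings or the matrix, not to overwrite the recorded level silently.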

Impact
The level of impact from a threat event is the magnitude of harm that can be expected to result
from the unauthorized disclosure, modification, disruption, destruction, or loss of information
and/or denial of service. Such adverse impact, and hence harm, can be experienced by a variety of
organizational and non-organizational stakeholders including, for example, heads of agencies,
mission and business owners, information owners/stewards, mission/business process owners,
information system owners, or individuals/groups in the public or private sectors relying on the
organization—in essence, anyone with a vested interest in the organization’s operations, assets, or
individuals, including other organizations in partnership with the organization, or the Nation (for critical
infrastructure-related considerations)

The following are adverse impacts that should be considered when scoring:

Type of Impact | Impact

Harm to Operations
> Inability to perform current missions/business functions.
  > In a sufficiently timely manner.
  > With sufficient confidence and/or correctness.
  > Within planned resource constraints.
> Inability, or limited ability, to perform missions/business functions in the future.
  > Inability to restore missions/business functions.
    > In a sufficiently timely manner.
    > With sufficient confidence and/or correctness.
    > Within planned resource constraints.
> Harms (e.g., financial costs, sanctions) due to noncompliance.
  > With applicable laws or regulations.
  > With contractual requirements or other requirements in other binding agreements.
> Direct financial costs.
> Relational harms.
  > Damage to trust relationships.
  > Damage to image or reputation (and hence future or potential trust relationships).

Harm to Assets
> Damage to or loss of physical facilities.
> Damage to or loss of information systems or networks.
> Damage to or loss of information technology or equipment.
> Damage to or loss of component parts or supplies.
> Damage to or loss of information assets.
> Loss of intellectual property.

Harm to Individuals
> Identity theft.
> Loss of Personally Identifiable Information [or Protected Health Information].
> Injury or loss of life.
> Damage to image or reputation.
> Physical or psychological mistreatment.

Harm to Other Organizations
> Harms (e.g., financial costs, sanctions) due to noncompliance.
  > With applicable laws or regulations.
  > With contractual requirements or other requirements in other binding agreements.
> Direct financial costs.
> Relational harms.
  > Damage to trust relationships.
  > Damage to reputation (and hence future or potential trust relationships).

Harm to the Nation
> Damage to or incapacitation of a critical infrastructure sector.
> Loss of government continuity of operations.
> Relational harms.
  > Damage to trust relationships with other governments or with nongovernmental entities.
  > Damage to national reputation (and hence future or potential trust relationships).
> Damage to current or future ability to achieve national objectives.

Magnitude of Impact | Definition

Very High: The threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, organizational assets, individuals, other organizations, or the Nation.

High: The threat event could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A severe or catastrophic adverse effect means that, for example, the threat event might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

Moderate: The threat event could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A serious adverse effect means that, for example, the threat event might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.

Low: The threat event could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A limited adverse effect means that, for example, the threat event might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

Very Low: No significant impact. The threat event could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.

Note: These definitions are taken from NIST Special Publication 800-30 Revision 1, Initial Public
Draft, Guide for Conducting Risk Assessments, September 2011, p 9-10, and appendices G-3, H-2,
I-3. Some content is from NIST Special Publication 800-30, Risk Management Guide for
Information Technology Systems, July 2002
