The purpose of this assignment is to assess the results of an organization’s HIPAA risk assessment. This assignment has two parts. Review the “Case Study: Town of Grand Canyon” resourced and the “Case Study HIPAA Risk Assessment” spreadsheet, provided in the topic materials.
The “Case Study: Town of Grand Canyon” resource provides insight into the status of the organization and will help you ascertain its security posture in safeguarding electronic protected health information (ePHI). The case study will inform your answers on the “Case Study HIPAA Risk Assessment” spreadsheet.
Part 1: Access the “Case Study HIPAA Risk Assessment.” Complete columns E and F, which include a brief explanation of compliance and the HIPAA compliance status.
Part 2: In a 500-750-word document, provide an executive summary in which you: 1. Describe the consequences for the lack of security controls in relation to meeting customer/patient privacy. 2. Provide brief recommendations for the town of Grand Canyon in resolving the deficiencies you have identified. General Requirements: Submit the executive summary (Word document) and spreadsheet (Excel) to your instructor.
While APA style is not required for the body of this assignment, solid academic writing is expected, and documentation of sources should be presented using APA formatting guidelines, which can be found in the APA Style Guide, located in the Student Success Center. This assignment uses a rubric. Please review the rubric prior to beginning the assignment to become familiar with the expectations for successful completion.
Case Study: Town of Grand Canyon
The Town of Grand Canyon (TOG) recognizes the need to measure its current security maturity and effectiveness on a continued basis as it seeks to hold high security standards and trust for its stakeholders, customers, and the Town of Grand Canyon as it provides critical infrastructure services. The Lopes Risk Analysis Team was tasked with conducting a comprehensive HIPAA risk assessment that includes a detailed risk assessment of the information technology infrastructure, organizational-level policies and procedures, and physical security safeguards.
The scope of this risk analysis effort is limited to the security controls applicable to the TOG environments relative to its conformance with the Health Information Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). These minimum requirements address general security controls in the areas of policies, procedures, computer hardware and software, patient data, operations, administration, management, information, facility, communication, personnel, and contingency. The purpose of this readiness assessment is to identify conditions where electronic protected health information (ePHI) could be disclosed without proper authorization, improperly modified, or made unavailable when needed. This information will then be used to make risk management decisions on whether current safeguards are sufficient, and, if not, what additional actions are needed to reduce risk to an acceptable level.
HIPAA Current Assessment Summary
TOG is in the early stages of establishing a strong security program. TOG has established several best practice security measures to include encryption, backup and restoration strategies, and the use of cybersecurity-related tools and technologies to manage incidents, which has laid the foundation for HIPAA compliance. From onboarding personnel to physical security measures, TOG has implemented best practices across the environment.
Based on the defined scope and objectives of the security tests TOG contains major deficiencies within its cybersecurity program, with various controls not consistently implemented. Out of the 245 controls, 95 were identified as in compliance, while the remaining 150 were not in place or were inefficiently applied during this assessment. These 150 potential vulnerabilities have severity labels applied to simplify prioritization for remediation and aid in the decision-making process for management. Lopes identified “High,” and “Medium” risk severity findings (see Figure 1). The five “High” risk items are further defined in this report and should be used to determine next steps for Town of Grand Canyon.
Significant gaps identified in the assessment are the lack of data mapping and categorization of ePHI, an established security program (risk management, vulnerability assessment, IRP, security awareness training), and HIPAA policy development . TOG has provided evidence of procedures to execute in response to an incident or disaster to include backup and restoration processes. However, TOG has not fully identified and classified all information systems that store, process, or manage ePHI to ascertain if appropriate measures are in place to protect the confidentiality, integrity, and availability and measure the effectiveness of the incident management or disaster recovery responses regarding ePHI data. Additionally, documentation of various procedures and polices consists of 64% of the deficiencies documented. TOG is a combination of fire and rescue, police department, and overall corporate (which consists of IT, HR, training, physical security, etc.). A risk identified in this organizational structure is the silos in policy development and enforcement displayed. Policy templates and naming schemes are significantly different among the three major units (fire and rescue, police department, and corporate). The lack of established information governance, document control, inconsistent policy/procedure templates, storage locations, and insufficient content structure throughout the different departments can precipitate a variety of problems in training and compliance management.
Figure 1. Security Risk Levels
Several of the findings are associated with visibility of ePHI data flow. The development and enforcement of policies, procedures, and program elements around a comprehensive understanding of ePHI data flow is a major gap identified during this assessment. This gap results in a lack of HIPAA control implementation within incident response processes, disaster recovery plan, change control, and vulnerability management practices, as well as appropriate identification of the workforce members who require HIPAA training. Additionally, the lack of a Security Operations Center (SOC) reduces efficiencies in managing the threat landscape of the organization. A SOC can provide oversight in many of the risk management activities listed throughout this report to include incident responses, vulnerability assessments, and asset management.
The following are deficiencies that align with the HIPAA initiative and should be implemented to resolve the findings:
Electronic Protected Health Information (ePHI) Data Mapping Initiative
- A comprehensive data map of ePHI that includes where ePHI data is processed, stored, and transmitted.
- No integration of data controls into the various log monitoring, incident response, change control, disaster recovery, and backup and restoration procedures.
HIPAA Policy Development
- Lack of a complete review or update of missing policies to align with documentation standards and business requirements. This includes providing appropriate training and awareness of policies to stakeholders who interact with ePHI.
- The police department (counseling section) does not maintain, communicate, or train appropriate personnel on the HIPAA policies defined; this includes establishing a notice of privacy practices.
Risk Management Program (Security Program) Creation
- A vulnerability assessment tool (i.e., Qualys) and integration of a vulnerability management processes into a threat awareness and risk management model to establish threat and risk profiles does not exist.
- A framework for workstation, servers, and network devices that enhances the security of the default configurations is not developed or implemented across all ePHI-related devices.
- A comprehensive identification and documentation of all critical information systems that store, process, or transmit sensitive data (ePHI, PII, IP, etc.) is missing.
- An asset tracking and inventory system (e.g., servers, mobile devices, printers, faxes, VOIP, etc.) for, at minimum, critical systems.
Security Awareness Training Implementation
- Security awareness training and continuous awareness initiatives (flyers, e-mail campaigns, newsletters, etc.) need to be established. Such training should be implemented during new-hire training that includes a receipt of acknowledgement from users. The acknowledgement should be securely stored and updated annually.
Last Updated on