State: Alabama
Subject Matter: DUE DILIGENCE: SECURITY AND PRIVACY ISSUES

Risk Analysis & Risk Management (RA/RM)

• Does the organization have a formal, ongoing, and documented process for risk analysis and risk management? Request and review a copy of the last Risk Analysis and Risk Mitigation Plan.

• Is Risk Analysis conducted on a regular basis? What factors or triggers dictate updating the analysis (e.g., new technology, new leadership, new threats, new regulations)?

• Is Risk Analysis for security incorporated into organization-wide risk management initiatives?

• Does the organization have cyber insurance? Request and review the policy.

• How is the risk analysis used in the Meaningful Use process?

• How is Meaningful Use documented? Who coordinates it? Is documentation centralized?

• Is the organization ready for a Meaningful Use audit?

• Does the organization have a policy that articulates the approach to risk analysis and risk management in protecting confidential information?

• How do board members and senior leaders support the RA/RM processes?

• What role do department managers, physician leaders, and others play in the RA/RM process?

• Is there a budget line item for security, including resources identified for risk mitigation activities?

Program Infrastructure and Resources

• Is there a designated Privacy Officer (PO)? A designated Information Security Officer (ISO)?

• Are there written job descriptions for the officers?

• Do the officers have other responsibilities, or are they dedicated full-time to the PO and ISO roles?

• How is information regarding how to contact the officers provided to the workforce?

• Where do the PO and ISO appear on the organization chart?

• Do the PO and ISO deliver reports directly to the board or to a board committee at least annually?

• Do the privacy and security functions have enough resources to address all the requirements of the programs and to adequately provide program coordination? How is this measured and decided?

• Do the officers participate in strategic planning, risk assessment and management processes, EHR development, Meaningful Use, and regional/state HIE planning and implementation initiatives?

• Do the officers have adequate training to perform their functions?

• Are the officers credentialed in privacy and security? Do they have the opportunity to participate in ongoing education and training activities in order to maintain and enhance their skills?

• Do the officers report on a regular basis to the management group and provide information on current issues and critical topics related to privacy and security?

Physical Security

• How does the organization deploy physical safeguards to protect confidential information?

• What types of safeguards are deployed: facility access controls, access control and validation procedures, device and media controls (disposal, accountability), etc.?

• Request and review environment of care process documents. Is security included in this process?

• Request and review audits of the physical environment as they pertain to protecting information.

Technical Security

• Does the organization have an intrusion detection and prevention system?

• Are the following controls in place: firewalls, access control policies, IDS and IPS vendor information (e.g., product documentation, manuals, rules)?

• What is the nature of the patching policy for the past 6 months?

• Is there a list of logging systems and storage locations, and a schedule of vulnerability assessments, penetration tests, code reviews and audits, including dates, scope, results, and risk mitigation taken?

• Request and review the list of anti-malware systems, including locations, licenses, update policy, incident reports and activity logs.

• Request and review the listing of critical information systems.

• Request and review the schedule of known information security breaches, exposures and other incidents relating to web applications for the past 3 years, including countermeasures adopted.

• Request and review the incident management policy and procedures, and details of remediation capabilities.

• Request and review the penetration testing policy and results from technical analyses conducted in the past 3 years, including mitigation taken.

• Request and review the disaster recovery plan and results of the last test.

• Request and review the business continuity plan and schedule of tests undertaken. What changes were made as a result of the last test?

• Request and review data backup and verification policies and procedures.

Breach Notification Policy and Procedures

• Request and review the breach notification and reporting policy and procedures.

• Is the breach policy current? Does it include Omnibus Rule and State reporting requirements?

• Request and review breach statistics and incident response statistics for the previous 4 years.

• What were the results of any breaches? What information was reported and to which agencies? What remediation activities occurred due to the breach?

• Request and review OCR letters and complaints. Results?

Business Associates & Sub-contractors

• Request and review the inventory of business associates. Is the listing complete?

• Are business associate agreements and contracts centralized and automated? Who is responsible for maintaining the listing and assuring that all agreements are current?

• Request and review the business associate policy and business associate agreement template. Are these current?

• Has the organization completed a risk profile of its business associates, i.e., indicating which vendors/partners/BAs represent potential risk to the organization by virtue of their function and access to confidential information?

• Has the organization requested and received copies of critical BA privacy and security policies?

• How does the organization communicate with the BA regarding each party's responsibilities?

• Does the organization communicate with the security officers of critical BAs?

• How does the organization provide the BA with access to confidential information? How is access monitored? Is access promptly terminated when it is no longer required or when personnel change?

Auditing and Monitoring Processes

• Does the organization have a formal, documented plan for auditing and monitoring?

• Does auditing and monitoring cover both access to systems with confidential information and review of physical and environmental safeguards?

• Request and review the plan and reports completed in the previous 3 years. What issues were identified? How were results of the auditing and monitoring processes used to change, improve, or remediate practices for safeguarding information?

Office for Civil Rights (OCR) and Patient Complaints

• Request and review the patient complaint and mitigation policy.

• How are patient complaints handled, including documentation, response to the patient, tracking, etc.?

• Who is responsible for coordinating the patient complaint process?

• Request and review all letters and correspondence received from OCR, including patient complaints, investigations, audits, etc.

Assessment and Audit Results

• How does the organization evaluate its privacy and security programs?

• Who is responsible for coordinating the evaluation?

• How are program evaluations documented?

• Request and review reports for evaluations conducted in the past 3 years.

• How are the evaluations used to improve the programs?

• Request and review any P&S reports completed by internal or external audit.

Program Documentation

• How is documentation for the privacy and security programs maintained? This includes: policies, including revision history and approvals; risk analysis reports and risk mitigation plans; audit and monitoring reports; patient complaint files; breach reports and statistics; reports provided to board and management; training documentation, etc.

• Is documentation centralized and easily retrievable?

• Who is responsible for coordinating documentation?

Results of the Process – What's Next?

Due diligence requires a carefully thought-out and structured process in order to obtain the right amount of appropriate information to evaluate the organization's privacy and security programs from a risk perspective.

Following are questions that should be answered before the acquisition/merger occurs:

• What will be the resultant privacy and security program?

• How will programs be combined?

• How will strengths of each be utilized to best advantage? How will weaknesses be shored up?

• Does the partner come with potential liabilities (unreported breaches, Meaningful Use attestation and other audit issues, patient complaints not addressed)?

Integrating programs will require a mindset change and a culture change. It's about culture, awareness, governance, and relationships. Privacy and security are integral to the organization's mission and must be embedded core values.

Pendulum Legal Risk Management Network

Ric Henry | President
Pendulum, LLC | Albuquerque, New Mexico
505-889-8262 | 888-815-8250
Ric.Henry@WeArePendulum.com | www.WeArePendulum.com


Document Author: Ric Henry
Firm/Company: Pendulum
Document Date: Sept 2013
Search Tags: Risk Management