Network Review

Have you completed a Security Risk Assessment before?
  Yes
  No
  Not sure
HIPAA § 164.308(a)(1)(ii)(A); NIST CSF: ID.RA, ID.AM, ID.BE, PR.DS, PR.IP, RS.MI; HICP: TV1, Practices #7, 10

Who is responsible for developing and implementing information security policies and procedures?
  A designated Security Officer who is identified by name in policy documentation.
  A member of our workforce who is not identified by name in policy documentation.
  No one is formally named or identified in policy.
HIPAA § 164.308(a)(2); NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO, PR.IP, ID.AM; HICP: TV1, Practice #10

Are roles and job duties defined with regard to accessing ePHI?
  We have written job descriptions, roles, and required qualifications documented for all workforce members with access to ePHI.
  We have written job titles, but no written roles or responsibilities for workforce members with access to ePHI.
  We do not have written job roles or responsibilities for workforce members with access to ePHI.
HIPAA § 164.308(a)(3)(ii)(A); NIST CSF: ID.AM, PR.MA, DE.CM, DE.DP, PR.IP; HICP: TV1, Practice #3

Are all workforce members (including management) given security training?
  Yes, on a periodic basis, with documentation.
  Yes, on a periodic basis, without documentation.
  Yes, occasional training, with documentation.
  Yes, but training is neither documented nor periodic.
  No
HIPAA § 164.308(a)(5)(i); NIST CSF: PR.AT, ID.RM, PR.IP; HICP: TV1, Practices #1, 4

Are there procedures to monitor log-in attempts and report discrepancies?
  Yes, we have procedures to monitor log-in discrepancies.
  No, we do not have procedures.
  Not sure, but we believe access is being monitored.
HIPAA § 164.308(a)(5)(ii)(C); NIST CSF: DE.AE, DE.CM, RS.CO, PR.AT, PR.PT; HICP: TV1, Practice #3

Are there procedures covering your malicious software protection strategy (i.e. timely antivirus/security updates and malware protection)?
  Yes, it is documented and includes reviewing safeguard procedures and how workforce members can detect and report malicious software.
  Yes, it is documented, but does not cover how workforce members can detect and report malicious software.
  We have safeguards in place, but they are not included in our security procedures.
  No protection from malicious software is being used.
HIPAA § 164.308(a)(5)(ii)(B); NIST CSF: PR.AT, PR.IP; HICP: TV1, Practices #2, 9

Do your workforce members have individual logins to access ePHI?
  Yes, with unique IDs and passwords
  Yes, but sometimes they share logins
  No, we share generic logins
  No, anyone can access ePHI
HIPAA § 164.312(a)(2)(i); NIST CSF: PR.AC, PR.PT, DE.CM; HICP: TV1, Practice #3

Is your data/ePHI encrypted?
  Yes, we use file/folder encryption.
  Yes, we use full disk encryption.
  No, we do not encrypt data.
  Not sure.
HIPAA § 164.312(a)(2)(iv) and § 164.312(e)(2)(ii); NIST CSF: PR.AC, PR.DS, DE.CM, ID.RA, ID.RM, PR.MA, PR.PT; HICP: TV1, Practices #1, 2, 4

Do you have automatic logoff enabled on devices and platforms accessing ePHI?
  Yes
  No
HIPAA § 164.312(a)(2)(iii); NIST CSF: PR.AC, PR.DS; HICP: TV1, Practice #3

Do you have hardware, software, or other processes that record and examine activity on information systems with access to ePHI?
  Yes
  No
  Not sure
HIPAA § 164.312(b); NIST CSF: PR.AC, PR.DS, PR.PT, DE.AE, DE.CM; HICP: TV1, Practice #3

Do you have a process for data backup and restoration?
  Yes, we use an image-based backup solution
  Yes, we use a file-based backup solution
  Yes, we use a cloud backup solution
  No, we do not have a backup solution
  Not sure
HIPAA § 164.308(a)(7)(ii)(A), § 164.308(a)(7)(ii)(B), and § 164.308(a)(7)(ii)(E); NIST CSF: ID.BE, ID.RA, ID.RM, RS.AN, PR.IP, RS.RP, RS.CO, RC.CO, RC.RP, PR.DS; HICP: TV1, Practice #10