Genitech SRATM (Security Risk Analysis)
Ensure the Protection of Your Electronic Health Information
1. Interviews will be conducted with management or other employees or person(s) responsible for entering, reviewing, and maintaining protected and confidential health information.
2. Documentation will be reviewed that is pertinent to the network, system controls, electronic medical records application, as well as information provided to employees with regards to security of protected health information.
3. The existing security plan, security hardware, and contingency and disaster recovery plans will be reviewed.
4. Documentation of the configuration of security solutions including firewall, antivirus/malware, and disaster-recovery solution for all servers/PCs where protected health information may reside will be reviewed.
IT Risk Assessment to be Performed:
An IT Risk Assessment, as it relates to Meaningful Use, is not explicitly defined with respect to methodology or documentation by CMS. With that understanding, Genitech’s security assessment team will follow NIST Special Publication 800-30 as a baseline, with additional steps amended as needed. Publication 800-30 is a widely accepted IT risk assessment methodology and one often referenced by CMS for Meaningful Use. The following elements are incorporated in our planned approach for this assessment:
5. Scope of the Analysis – Identify the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI created, received, maintained or transmitted across all locations and all media types
6. Data Collection – Identify where e-PHI is stored, received, maintained, or transmitted by reviewing documentation, performing interviews of key personnel or other methods as needed
7. Identify & Document Threats and Vulnerabilities – determine reasonably anticipated threats to e-PHI as specific to the organization and environment and document these items
8. Assess Current Security Measures – review and document the current security measures in place, whether security measures required by the Security Rule are in place and if current security measures are configured and used properly
9. Determine Likelihood of Threat Occurrence – review the probability of potential risks to e-PHI and use these results along with previous findings to determine reasonably anticipated threats
10. Determine Magnitude of Risk and Potential Impact – assign risk levels for all threat and vulnerability combinations identified while considering the potential impact to confidentiality, integrity and availability of e-PHI
11. Document Findings – formally document the assessment, risk analysis and all decisions that demonstrate compliance with the HIPAA Security Rule
Efficiency Through Technology™