UMSL College of Optometry

HIPAA Security Risk Analysis

1-24-2005

            The Health Insurance Portability and Accountability Act (HIPAA) requires that a covered entity perform a security risk analysis of its repositories of electronic Protected Health Information (ePHI).  The following represents the security risk analysis of the College of Optometry.

1)  THE ROSALIE SERVER

            The Rosalie Server contains the ePHI of all electronic patient records of the Optometry School.

            Location:  maintained in the 4th floor Machine Room of the Campus Computer Building on the UMSL Campus.

            Physical access:  Physical access is limited to authorized Information Technology Services personnel, and is made by swipe-card access at all entrances and exits to the room.  The Rosalie server is located in a locked cabinet to which only approved ITS staff have keys.

            Physical security measures in place:  The Rosalie server is located in a locked cabinet; the Machine Room in which the server is located is fire-rated (Fire Suppression 200).

            Electronic access:  only two individuals have administrative log-in rights to Rosalie (identify);

            Electronic security measures in place:  The server is protected by a campus-wide firewall (redundant Cisco PIX 525); an email is sent to ____ when there are log-in failures on Rosalie. There is no history of unapproved electronic access to Rosalie.

Risk Factor:  5

Vulnerability: 1

Total Risk Assessment:  6

2)  WORKSTATIONS:  Through the workstations, access is available to the electronic patient records of the Optometry College.

            A)  Clinic Workstations:

            Location:  Optometry College Clinic in Marillac Hall, UMSL

            Physical Access:  The clinic is accessible to all faculty, students and staff; anyone else may enter the clinic only if admitted by the receptionist at the clinic entrance.

            Physical Security Measures in place:  All entrances to the Clinic, except the main entrance, are kept locked and alarmed.  The Clinic entrance has a reception desk that is occupied during clinic hours.  All patients entering the clinic are required to sign in; sometimes people accompanying the patient are permitted into the clinic area without signing in.

            Electronic Access:  Access is available to all faculty and students, and staff with clinic responsibilities.

            Electronic Security Measures in place:  To access a workstation, a user must have a unique user login and password.  Password-protected screensavers are in use at workstations left unattended for 5 minutes or more.  The operating system on each workstation is kept current with security patches and hotfixes through the use of Microsoft Update Service.  Local security policies are in place on each workstation to limit workstation access to authorized staff only.  User logins and passwords are kept confidential.

Risk factor:  5

Vulnerability: 3

Total Risk Assessment:  8

            B)  Peds Clinic

            Location:  Second Floor of Marillac Hall

            Physical Access:  Open access; there are no locked doors to this clinic (how many doors are there?)

            Physical Security Measures in place:  All workstations except the one at the Reception Desk are located in rooms that are locked at night or when the clinic is closed; the workstation at the Receptionist's desk remains accessible even when the clinic is closed.

            Electronic Access and Security:  same as 2(A) above.

Risk Factor:  5

Vulnerability: 4

Total Risk Assessment:  9

            C)  Pre-Clinic

            Location:  Second Floor of Marillac Hall

            Physical Access:  all students and a couple of faculty members have key access

            Physical Security Measures in place:  all workstations are kept inside a locked room.

            Electronic Access:  students and a couple of faculty members

            Electronic Security measures in place:  only a snapshot of patient information is available at these workstations; a user login and password are required.

Risk Factor:  4

Vulnerability: 3

Total Risk Assessment:  7

            D)  Faculty Offices

            There is no access to ePHI through the faculty office computers.

3)  BACKUP TAPES

            A)  Daily:  Daily backup tapes of Rosalie are made and stored in the locked Computer Room.

            B)  Saturday:  A weekly backup tape is made, which is stored off-site by Recall Service, a bonded storage service company. Access to these tapes is only available to those persons with the correct number from Recall.  A paper log is maintained of the tapes going to Recall for storage.  A HIPAA Business Associate agreement is in place with Recall.