HIPAA Security Risk Analysis
Version 2 - 2006
The Health Insurance Portability and Accountability Act (HIPAA) requires that a covered entity perform a security risk analysis of its repositories of electronic Protected Health Information (ePHI). The following represents the security risk analysis of the
1) SERVERS
A) The Rosalie Server contains the ePHI of all electronic patient records of the
Location: maintained in the 4th floor Machine Room of the
Physical access: Physical access is limited to authorized Information Technology Services (ITS) personnel, and is made by swipe-card access at all entrances and exits to the room. The Rosalie server is located in a locked cabinet to which only approved ITS staff have keys. The room is staffed 24x7, and security cameras cover all entrances.
Physical security measures in place: The Rosalie server is located in a locked cabinet; the Machine Room in which the server is located is fire-rated.
Electronic access: Only two individuals have administrative log-in rights to Rosalie (Carl Hasten & Paula Smith).
Electronic security measures in place: The server is protected by a campus-wide firewall (redundant Cisco PIX 525); an email is sent to Carl Hasten & Paula Smith when there are log-in failures on Rosalie. There is no history of unapproved electronic access to Rosalie.
B) The Joseph backup server is located in another facility, the Lucas Hall data center. It has similar security features to the Rosalie server. The room is not fire-rated. The room is not staffed, but video cameras monitor access to the server 24x7.
Risk Factor: 5
Vulnerability: 1
Total Risk Assessment: 6
2) WORKSTATIONS: Through the workstations, access is available to the electronic patient records of the
A) Clinic Workstations:
Location:
Physical Access: Access to the clinic is available to all faculty, students and staff; access to the clinic is limited to those permitted such access by the receptionist at the clinic entrance.
Physical Security Measures in place: All entrances to the Clinic, except the main entrance, are kept locked and alarmed. The Clinic entrance has a reception desk that is occupied during clinic hours. All patients entering the clinic are required to sign in; sometimes people accompanying the patient are permitted into the clinic area without signing in.
Electronic Access: Access is available to all faculty and students, and to staff with clinic responsibilities.
Electronic Security Measures in place: To access a workstation, a user must have a unique UMSL SSO user login and password. A login and password are required to access Eyecare. Password-protected screensavers are in use at workstations left unattended for 5 minutes or more. The operating system on each workstation is kept current with security patches and hotfixes through the use of Microsoft Update Service. Logins are recorded on a domain controller monitored by ITS. Local security policies are in place on each workstation to limit workstation access to authorized staff only. User logins and passwords are kept confidential.
Risk Factor: 5
Vulnerability: 3
Total Risk Assessment: 8
B) Pediatrics/Binocular Vision Clinic
Location: Second Floor of Marillac Hall
Physical Access: Open access; there are no locked doors to this clinic.
Physical Security Measures in place: All but one workstation (at the Reception Desk) are located in rooms that are locked at night or when the clinic is closed; the workstation at the Receptionist's desk is still accessible even when the clinic is closed.
Electronic Access and Security: same as 2(A) above.
Risk Factor: 5
Vulnerability: 4
Total Risk Assessment: 9
C) Pre-Clinic
Location: Second Floor of Marillac Hall
Physical Access: All students and two faculty members have key access.
Physical Security Measures in place: All workstations are kept inside a locked room.
Electronic Access: Students and 4-5 faculty members.
Electronic Security Measures in place: There is no access to the servers. To access a workstation, a user must have a unique UMSL SSO user login and password. A login and password are required to access an older version of Eyecare. Access to Eyecare is limited to the winter semester for student training.
Risk Factor: 5
Vulnerability: 5
Total Risk Assessment: 10
D) Faculty Offices: There is no access to ePHI through faculty office computers.
3) BACKUP TAPES
A) Daily: Daily backup tapes of Rosalie are made and stored in the locked Computer Room.
B) Saturday: A weekly backup tape is made, which is stored off-site by Recall Service, a bonded storage service company. Access to these tapes is only available to those persons with the correct number from Recall. A paper log is maintained of the tapes going to Recall for storage. A HIPAA Business Associate agreement is in place with Recall.
4) REMOTE CLINIC SITES (Optometric Center,
A) Clinic Workstations:
Location: Front desk and examination rooms
Physical Access: Access to the clinic is available to all faculty, students and staff; access to the clinic is limited to those permitted such access by the receptionist at the clinic entrance.
Physical Security Measures in place: All entrances to the Clinics are kept locked and alarmed (HEC is not alarmed). Clinic entrances have a reception desk that is occupied during clinic hours. All patients are allowed into the Clinics by front desk staff. All patients entering the clinic are required to sign in; sometimes people accompanying the patient are permitted into the clinic area without signing in.
Electronic Access: Access is available to assigned faculty only, and to all students and staff with clinic responsibilities.
Electronic Security Measures in place: same as 2(A) above, except for automatic updates (these workstations are not in the UMSL-Users domain).
Risk Factor: 5
Vulnerability: 3
Total Risk Assessment: 8