UMSL College of Optometry

HIPAA Security Risk Analysis

Version 3 - 2007

The Health Insurance Portability and Accountability Act (HIPAA) requires that a covered entity perform a security risk analysis of its repositories of electronic Protected Health Information (ePHI). The following represents the security risk analysis of the College of Optometry.

1)  SERVERS

A. The Rosalie Server contains the ePHI of all electronic patient records of the Optometry School.

Location:  Maintained in the 4th floor Machine Room of the Campus Computer Building on the UMSL Campus.

Physical access:  Physical access is limited to authorized Information Technology Services personnel and is controlled by swipe-card access at all entrances and exits to the room. The Rosalie server is located in a locked cabinet to which only approved ITS staff have keys. The room is staffed 24x7, with security cameras at all entrances.

Physical security measures in place:  The Rosalie server is located in a locked cabinet; the Machine Room in which the server is located is fire-rated.

Electronic access:  Only two individuals have administrative log-in rights to Rosalie (Carl Hasten & Paula Smith).

Electronic security measures in place:  The server is protected by a campus-wide firewall (redundant Cisco PIX 525); an email is sent to Carl Hasten and Paula Smith when there are log-in failures on Rosalie. There is no history of unapproved electronic access to Rosalie.

B. The Joseph backup server is located in another facility, the Lucas Hall data center, with security features similar to those of the Rosalie server. The room is not fire-rated. The room is not staffed, but video cameras monitor access to the server 24x7. There is no history of unapproved electronic access to Rosalie.

Risk Factor:  5

Vulnerability: 1

Total Risk Assessment:  6

2)  WORKSTATIONS:  Through the workstations, access is available to the electronic patient records of the Optometry College.

A)  Clinic Workstations:

Location:  Optometry College Clinic in Marillac Hall, UMSL

Physical Access:  The clinic is accessible to all faculty, students and staff; all other access to the clinic is limited to those admitted by the receptionist at the clinic entrance.

Physical Security Measures in place:  All entrances to the Clinic, except the main entrance, are kept locked and alarmed. The Clinic entrance has a reception desk that is occupied during clinic hours. All patients entering the clinic are required to sign in; sometimes people accompanying the patient are permitted into the clinic area without signing in.

Electronic Access:  Access is available to all faculty and students, and to staff with clinic responsibilities. No ePHI is stored on workstations.

Electronic Security Measures in place:  To access a workstation, a user must have a unique UMSL SSO user login and password. A login and password are also required to access Eyecare. Password-protected screensavers are in use on workstations left unattended for 5 minutes or more. The operating system on each workstation is kept current with security patches and hotfixes through the use of Microsoft Update Service (through the UMSL-Users domain). Login attempts are recorded on a domain controller, monitored by ITS. Windows firewall is available on all workstations to prevent unwanted access. User logins and passwords are kept confidential.


Risk factor:  5

Vulnerability: 3

Total Risk Assessment:  8

B)  Pediatrics/Binocular Vision Clinic

Location:  Second Floor of Marillac Hall

Physical Access:  Open access; there are no locked doors to this clinic.

Physical Security Measures in place:  All but one workstation (at the Reception Desk) are located in rooms that are locked at night or when the clinic is closed; the workstation at the Receptionist’s desk remains accessible even when the clinic is closed.

Electronic Access and Security:  Same as 2(A) above.


Risk Factor:  5

Vulnerability: 4

Total Risk Assessment:  9

C)  Pre-Clinic

Location:  Second Floor of Marillac Hall

Physical Access:  Students enrolled in pre-clinic courses and assigned faculty members have UMSL ID card swipe access.

Physical Security Measures in place:  All workstations are kept inside a locked room with UMSL ID card swipe access.

Electronic Access:  Second-year students and 4-5 faculty members.

Electronic Security measures in place:  There is no access to the Rosalie or Joseph servers. To access a workstation, a user must have a unique UMSL SSO user login and password. A login and password are also required to access the older version of Eyecare installed on each workstation. Workstations have internet access. Access to Eyecare is limited to the winter semester, for second-year student training.


Risk Factor:  5

Vulnerability: 5

Total Risk Assessment:  10

D)  Faculty Offices

There is no access to ePHI through faculty office computers.

3)  BACKUP TAPES

A)  Daily:  Daily backup tapes of Rosalie are made and stored in the locked Computer Room.

B)  Saturday:  A weekly backup tape is made, which is stored off-site by Recall Service, a bonded storage service company. Access to these tapes is only available to those persons with the correct number from Recall. A paper log is maintained of the tapes going to Recall for storage. A HIPAA Business Associate agreement is in place with Recall.

4)  REMOTE CLINIC SITES (Optometric Center, East St. Louis Center, Harvester Eye Care):

A)  Clinic Workstations:

Location:  Front desk and examination rooms

Physical Access:  The clinics are accessible to all faculty, students and staff; all other access to a clinic is limited to those admitted by the receptionist at the clinic entrance.

Physical Security Measures in place:  All entrances to the Clinics are kept locked and alarmed (HEC is not alarmed). Clinic entrances have a reception desk that is occupied during clinic hours. Patient waiting areas are outside the main clinic suite. All patients are admitted into the Clinics by front desk staff, through a locked entry. All patients entering the clinic are required to sign in; sometimes people accompanying the patient are permitted into the clinic area without signing in.

Electronic Access:  Access is available only to assigned faculty, and to all students and staff with clinic responsibilities.

Electronic Security Measures in place:  Same as 2(A) above.


Risk factor:  5

Vulnerability: 3

Total Risk Assessment:  8