Risk management
MedStack Confidential
Metadata
- responsible officer: CTO
- approved by: CTO
- date
- effective: 2018-06-20
- revised: 2020-05-05
- reviewed: 2022-08-31
- Applicability: standard
Perform risk management
- Improve the effectiveness of our policies and procedures.
- Protect our business, our assets, our personnel, and the PHI that we possess.
- Identify, analyze, prioritize, and minimize risks to information privacy, security, integrity, and availability.
- Recommend improvements to reduce risk, and use the recommendations to reduce risk as much as is practicable.
Maintain a continuous cadence of risk management assessments and tests
- Update on a regular schedule
- Update all assessments annually
- Update when significant changes occur
- when the internal environment or operations significantly change
- when the external environment significantly changes
| Code | Section | Title |
|---|---|---|
| HIPAA | 164.308(a)(8) | Standard: Evaluation |
Acquire and maintain independent certifications
- HITRUST
- a private US certification organization that maintains the HITRUST Common Security Framework (CSF)
- primarily targets the healthcare industry
- compliance is audited by an independent authorized assessor organization
- HITRUST verifies the assessment and issues the certification
- SOC 2
- an auditing standard developed by the American Institute of CPAs (AICPA) consisting of the Trust Services Criteria
- targets the services industry
- compliance is audited by an independent authorized assessor organization
- the assessor then issues a SOC 2 report
Acquire and maintain independent risk assessments
- Threat and Risk Assessment (TRA) and Privacy Impact Assessment (PIA)
- conducted by an independent expert
- review technical, administrative and physical safeguards
- review control objectives, controls, policies, processes, procedures
- Model the assessment on
- ISO 27005 (Information security risk management) as the primary framework
- NIST SP 800-30 (Guide for Conducting Risk Assessments) as an additional framework
- business and information-technology best practices
- Involve the necessary parties, including
- senior management
- software development and operations
| Code | Section | Title |
|---|---|---|
| ISO | 8.2 | Information security risk assessment |
Acquire and maintain independent security tests
- Pen tests
- Commission third-party penetration tests.
- Network scans
- Commission third-party network and port scans.
Perform internal reviews and assessments of information security risk
- Review
- Information processing and procedures, for compliance with the appropriate security policies, standards and any other security requirements
- Information systems, for compliance with the organization’s information security policies and standards
- Third party vendors
| Code | Section | Title |
|---|---|---|
| ISO | A.18.2.2 | Compliance with security policies and standards |
| ISO | A.18.2.3 | Technical compliance review |
| SOC2 | CC4.1 | COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
Distribute the results of reviews to
- senior management
- software development and operations
- external parties, as appropriate
| Code | Section | Title |
|---|---|---|
| SOC2 | CC4.2 | COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. |
Manage and treat risk
- Use the results of risk analyses and assessments
- Integrate the results into management’s decision-making process.
- Use the results to guide decisions related to the protection of PHI.
Enforcement
- Responsible party: All managers and supervisors
- sanctions: standard
References
| Code | Section | Title |
|---|---|---|
| ISO | 8.3 | Information security risk treatment |
| ISO | A.18.2 | Information security reviews |
| ISO | A.18.2.1 | Independent review of information security |
| CHI | SR1 | Threat and Risk Assessment |
| CHI | SR4 | Independent Review of Security Policy Implementation |
| HIPAA | 164.308(a)(1)(i) | Standard: Security management process |
| HIPAA | 164.308(a)(1)(ii)(A) | Risk analysis (Required) |
| HIPAA | 164.308(a)(1)(ii)(B) | Risk management (Required) |
| SOC2 | CC4.1 | COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
| SOC2 | CC4.1 | COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
| SOC2 | CC4.1 | COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
| SOC2 | P8.1 | The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner. |