Project planning
System discovery and identification
Baseline existing systems with regard to the HIPAA security rule
Gap analysis, risk analysis, risk management and residual risk acceptance
Remediation projects: closing the gaps
Review and follow-up
Need to have a mandate or project charter
Before you begin, you need a mandate or project charter from management
You need the authority or mandate to put together a HIPAA Security rule project plan
HIPAA Security rule awareness training (for those directly involved with the HIPAA security project)
Check out online resources like the CMS web site and related sites
Read books like SANS HIPAA SBS
Consult your company's legal and/or compliance department
Attend courses and seminars
Things you need to consider before you begin
Are you a covered entity? If so, what kind of covered entity?
Security officer assignment, if possible (must have authority)
Need a mandate or project charter from management
Identify the HIPAA Security officer
Does not have to be the one implementing the plan
Does have to have the authority
Does not have to be in IT. Many think that since HIPAA security is more technical, IT should be the ones in charge. This is not necessarily true.
Define project scope and goals
Scope: what the project will and will not cover
The foundation of any successful project lies in having a clear understanding of the overall goals and objectives of the project.
Goals and objectives are 'what do we need to do?'
Without goals and objectives, how will you know you are finished or where you are in the project?
Decide on and document target HIPAA goals or performance objectives
Determine how you are going to measure project 'success' or 'failure'
Identify key players, potential road blocks and resources (friends and enemies of the project)
Clearly defined roles and responsibilities
Determine and document deliverables and milestones
Identify resources that can be used to address or work the plan
Need to have upper-management sign off on the plan
Identify who or what group will QA or review the plan
Determine risks to the project itself, what could go wrong with the plan?
Develop your project plan and the work breakdown structure (WBS)
Can use the HIPAA Security rule itself as a basis for the plan
If the HIPAA Security rule implementation specification is addressable, do you want to implement as-is or modify? To what extent?
Identify ePHI systems affected by the HIPAA Security Rule
System name and version (is it 'HIPAA Security ready' according to the vendor?)
System owner and contact, vendor contact information
What kind of ePHI does the system have?
Identify the flow of the ePHI. Where does the ePHI come from and where does it go?
General system information (See discovery questionnaire example).
Systems can include not only applications and databases but also networks, groups of laptop users, lab systems, server rooms, building security, etc.
Identify resources you may be able to use
HIPAA Security rule awareness training (staff and management)
Identify person responsible for completing the standard or specification and documenting it for each ePHI system.
Determine a completion date for System Discovery and Identification
Identify current policies and procedures for each system, if they exist. These can be part of the baseline for comparison to the HIPAA Security standards
Expect to find more systems affected by the HIPAA Security rule as you continue with the project but beware of scope creep.
Baseline using existing policies, standards, procedures and other pertinent information
Identify person responsible for completing the baseline and documenting it for each system.
Perform an inventory of the current security environment with respect to policies, procedures, processes and technology.
Develop a plan for baselining each system with respect to the HIPAA Security rule standards
Don't just inventory policies and procedures; investigate how the systems are really used and where the ePHI goes.
Determine a target baseline completion date
Document the result, decide who needs to sign off on it
The baseline is a milestone and can be a deliverable in terms of the project plan
Gap Analysis
Identify the gap (the difference between the baseline and the company goal)
Identify any future company plans or projects that will affect the gap and will go into effect before the HIPAA Security rule compliance does.
Existing controls? (can include company HIPAA Privacy policy)
What is the difference between the baseline and the HIPAA Security implementation Specification for each system?
Risk Analysis
'Risk analysis considers the various threats to security and then suggests the remedies that are the most cost-effective'
Identify and document who should be involved in the risk analysis section
Consider scope (just ePHI systems or all systems?)
Determine the likely sources of risk to the system (for example: insiders vs. outsiders, public, users, other groups, companies/organizations, trading partners, business associates, etc.)
Determine the likely threat vectors (for example: physical access, internet, intranet, dial-up, etc.)
Determine the level of resources required to mitigate each threat source
Try to quantify each risk, using a standard scale or an annual dollar loss amount
Consider new products (hardware, software, services, procedures, policies) to reduce risk
Document decisions and results
Risk Management
Determine level of acceptable risk
Have management agree to this level of risk in writing and with full knowledge of the risk
Identify and verify HIPAA Security items completed
Identify HIPAA Security items not completed
Identify systems for testing
Add to Task/Action item list or matrix
Action item / Task List Matrix
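The gap analysis, risk analysis and risk management steps above can be carried through as one small procedure: compare each system's baseline status against the implementation specifications, quantify each remaining gap as an annual dollar loss (single loss expectancy times annual rate of occurrence), and split the result into action items versus residual risk that management has agreed to accept. The script below is an added example and is not from the original presentation; the two systems, their baseline statuses, the dollar figures and the occurrence rates are constructed, and the handful of Security Rule citations are listed only to give the rows realistic labels. The `SPECS` table, `Finding` class and function names are the example's own.

```python
"""Gap analysis -> risk analysis -> action item matrix for ePHI systems.

Added example. Systems, statuses, dollar figures and occurrence
rates are constructed for illustration, not taken from a real assessment.
"""
from dataclasses import dataclass

# A few implementation specifications from the HIPAA Security Rule
# (45 CFR 164.308 / 164.312). "R" = required, "A" = addressable.
SPECS = {
    "164.308(a)(1)(ii)(A)": ("Risk analysis", "R"),
    "164.308(a)(5)(ii)(D)": ("Password management", "A"),
    "164.312(a)(2)(iv)": ("Encryption and decryption (at rest)", "A"),
    "164.312(b)": ("Audit controls", "R"),
    "164.312(e)(2)(ii)": ("Encryption (in transit)", "A"),
}


@dataclass
class Finding:
    system: str
    spec: str
    status: str          # baseline: implemented / partial / missing / alternative
    sle: float = 0.0     # single loss expectancy in dollars (constructed)
    aro: float = 0.0     # annual rate of occurrence (constructed)

    @property
    def ale(self) -> float:
        # Annualized loss expectancy = SLE x ARO: the risk expressed as
        # an annual dollar amount, as the risk analysis step suggests.
        return self.sle * self.aro


def find_gaps(baseline):
    """Return the findings that are gaps against the specifications.

    A required spec is a gap unless fully implemented. An addressable
    spec is a gap unless implemented or a documented, equivalent
    alternative measure is in place ("alternative" status).
    """
    gaps = []
    for f in baseline:
        kind = SPECS[f.spec][1]
        if f.status == "implemented":
            continue
        if kind == "A" and f.status == "alternative":
            continue
        gaps.append(f)
    return gaps


def build_action_matrix(gaps, acceptable_ale):
    """Turn gaps into an action/acceptance list ordered by ALE, highest first.

    Gaps whose ALE is at or below the management-approved threshold are
    recorded as accepted residual risk; the rest become action items.
    """
    rows = []
    for g in sorted(gaps, key=lambda f: f.ale, reverse=True):
        name, kind = SPECS[g.spec]
        decision = "action item" if g.ale > acceptable_ale else "accept residual risk"
        rows.append({
            "system": g.system,
            "spec": g.spec,
            "standard": name,
            "type": "required" if kind == "R" else "addressable",
            "baseline": g.status,
            "ale": round(g.ale, 2),
            "decision": decision,
        })
    return rows


# Constructed baseline for two ePHI systems.
BASELINE = [
    Finding("Lab results DB", "164.308(a)(1)(ii)(A)", "missing", 50_000, 0.5),
    Finding("Lab results DB", "164.312(b)", "partial", 20_000, 1.0),
    Finding("Lab results DB", "164.312(a)(2)(iv)", "alternative"),  # documented compensating control
    Finding("Laptop fleet", "164.312(a)(2)(iv)", "missing", 80_000, 0.25),
    Finding("Laptop fleet", "164.308(a)(5)(ii)(D)", "implemented"),
    Finding("Laptop fleet", "164.312(e)(2)(ii)", "partial", 5_000, 0.2),
]

if __name__ == "__main__":
    # Threshold of $2,000 per year stands in for the level of acceptable
    # risk that management signs off on in writing.
    matrix = build_action_matrix(find_gaps(BASELINE), acceptable_ale=2_000)
    for row in matrix:
        print(f"{row['system']:<16} {row['spec']:<22} {row['baseline']:<12} "
              f"ALE ${row['ale']:>10,.2f}  {row['decision']}")
```

The ordering by ALE is what makes the matrix useful for scheduling: the rows at the top are the remediation projects that close the most expensive gaps, and the rows marked as accepted residual risk are the ones management must acknowledge with full knowledge of the figure beside them.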
See below
Project planning and scheduling
Include deliverables and milestones
Include WBS
Identify critical paths
Update MS Project plan
Cost, resources, time, etc.
P&P
System upgrades or new systems installs
New system and P&P training
Manage and revise project plan as needed
Have regular meetings with management and project resources to review project status and progress.
Keep management informed of progress and any road blocks. Do not wait until the last minute to tell management about problems or issues.
Review finished project and sign off
Team members, Project Manager and management need to sign off