Data Security Wiki

Information Security Risk Assessment Process

Introduction

Mount Sinai Health System (MSHS) is responsible for the security of the information stored in business, clinical and research systems.  MSHS delegates the assessment of information security risks to the Information Security team (InfoSec). 

To provide a consistent level of service across MSHS, InfoSec has established this Risk Assessment Process, which sets expectations for work effort, timelines, and the quality of the service provided.

Requesting Service

InfoSec receives requests from many different organizational units within MSHS.  In each case, InfoSec is flexible about how that first contact is made (email, phone, or otherwise).  However, the recommended method for requesting an InfoSec action is to submit a support ticket through the Help Desk; the ticket will be routed to an InfoSec team member for action.

Risk Consultation or Risk Assessment

Service Description: Once the implementation design for a particular project is complete, InfoSec will provide consultation services that will result in one of the two types of reports being delivered to the requester.  InfoSec will use Appendix A to determine which report is required.

  • Risk Consultation Report (RCR): For projects deemed lower risk because of the classification of the data involved, the type of project, the smaller scope of the project, or other factors, InfoSec will provide a Risk Consultation Report.  The RCR identifies high-level risks and recommends remediation or mitigation for each.  The InfoSec team member bases this analysis only on the information provided by the requester, so its depth is limited by what the requester supplies.
  • Risk Assessment Report (RAR): For projects deemed higher risk because of the classification of the data involved, the type of project, the larger scope of the project, or other factors, InfoSec will provide a Risk Assessment Report.  To create the RAR, the requester must complete a Risk Assessment Questionnaire (RAQ), often with the assistance of the vendor who developed the system to be implemented.  Once the RAQ is completed, it must be delivered to InfoSec for review together with any supporting materials.

Note: A Requester can request an RAR instead of an RCR for any project when a deeper analysis of the information security risks is preferred.

The typical process is as follows for a Risk Consultation or Risk Assessment request.

1. Initial contact from Requester.
   Responsible party: Requester.  Estimated time: varies.
2. Requester completes the InfoSec Intake Form.
   Responsible party: Requester.  Estimated time: 10 mins.
3. Initial conference call between InfoSec and Requester.  This call establishes the scope of the project and whether an RAR or an RCR is required.
   Responsible party: InfoSec.  Estimated time: scheduling varies based on availability, typically within 1 week; 30 mins. for the call.
4. If an RAR is required, Requester completes the Risk Assessment Questionnaire (RAQ).  Typically the vendor provides the requested information, but it is the Requester's responsibility to deliver it to InfoSec.  Requesters and vendors are encouraged to include any documentation or diagrams that give a more complete picture of the security architecture.
   Responsible party: Requester.  Estimated time: 1-4 weeks, varying with response times from Requester and vendor.
5. InfoSec reviews the information provided and drafts the RAR or RCR.  This often involves follow-up questions from InfoSec that require answers from the Requester or vendor.  InfoSec also performs quality assurance checks on all of its own reports.
   Responsible party: InfoSec.  Estimated time, counted from the point at which the RAQ and other information have been provided to InfoSec (step 4): RCR 1 week; RAR 4 weeks*.
6. InfoSec distributes the draft RCR/RAR to the HIPAA Risk Management team and Requester for review and comment; the HIPAA Risk Management team members and Requester return their comments to InfoSec.
   Responsible party: InfoSec, HIPAA Risk Management team, Requester.  Estimated time: 2 weeks after distribution for comment.
7. After receiving comments, InfoSec finalizes the report and delivers it to Requester.
   Responsible party: InfoSec.  Estimated time: 2 days.

*Option to Expedite: On request, InfoSec can expedite the drafting step by using contract resources, paid for by the business unit responsible for implementing the project.  Costs are usually between $10,000 and $12,000 per RAR and depend on the amount of time spent reviewing the information and creating the report, the technical expertise of the contracted worker, and the availability of workers.  The hourly rates (as of May 2017) are below.  Rates are subject to change with each engagement, so be sure to check your individual agreement.

Resource Role                             | Rate Schedule Role     | Hourly Rate
------------------------------------------|------------------------|------------
Security Risk Assessment - Specialist     | Analyst/Consultant     | $250
Security Risk Assessment - Sr. Specialist | Sr. Consultant         | $275
Senior Security Architect / Advisor       | Architect / Executive  | $300

The RCR or RAR will identify the information security risks associated with the project and, where applicable, offer recommendations for a more secure implementation.  It is not the role of the InfoSec team to decide whether an identified risk is acceptable; that decision, and the accountability for it, belongs to the business unit responsible for deciding whether or not to implement the new system.

Initiating a Request: InfoSec recommends that users initiate a request as early as possible after the design stage has been completed and all major decisions concerning the implementation plan are complete.

Timeline: 

  • RCR: Completion of an RCR takes approximately three (3) weeks and two (2) days from the time the Requester provides the information to be reviewed to InfoSec.
  • RAR: Because the timeline depends heavily on the amount and quality of the information provided to InfoSec and on communication with outside parties, completion of an RAR takes approximately ten (10) weeks from the time the RAQ and other information are provided to InfoSec.  Using a third-party contractor (see the Option to Expedite above) can shorten this turnaround by up to four (4) weeks.
  • For faster service: The requester should collect as much information as possible from the vendor before the first call.  This should include infrastructure and data flow diagrams, security whitepapers, third-party assessments (e.g., SOC 2 Type 2 reports), certifications (e.g., HITRUST Certification), and third-party testing reports (e.g., penetration test or vulnerability assessment reports).  The more information available to the InfoSec team member up front, the fewer follow-up questions will need to be answered.

Contacts

Request a Risk Consultation or Risk Assessment: ITSecurityRisk@mountsinai.org

Information Security Organization (as of 7/5/2017)

Appendix A – Required Action Procedures by Data Classification

Required Information Security Action Procedures by Data Classification (columns run from least to most sensitive data classification)

Requester          | Assessment Target     | Public (De-identified HI / Non-Confidential) | Restricted (Confidential) | Sensitive / PHI          | Protected (Highly Sensitive / Identified Genetic Info)
-------------------|-----------------------|----------------------------------------------|---------------------------|--------------------------|-------------------------------------------------------
IRB - Investigator | Sponsor's System      | Consultation - Voluntary                     | Consultation - Mandatory  | Consultation - Mandatory | Risk Assessment Report
IRB - Investigator | Collaborator's System | Consultation - Voluntary                     | Consultation - Mandatory  | Risk Assessment Report   | Risk Assessment Report
IRB - Investigator | Vendor's System       | Consultation - Mandatory                     | Consultation - Mandatory  | Risk Assessment Report   | Risk Assessment Report
Population Health  | New System            | Consultation - Voluntary                     | Consultation - Mandatory  | Risk Assessment Report   | Risk Assessment Report
Population Health  | Current System add-on | Consultation - Voluntary                     | Consultation - Voluntary  | Consultation - Mandatory | Risk Assessment Report
eHealth            | New Medical Device    | Consultation - Mandatory                     | Consultation - Mandatory  | Risk Assessment Report   | Risk Assessment Report
eHealth            | New System            | Consultation - Voluntary                     | Consultation - Mandatory  | Risk Assessment Report   | Risk Assessment Report
eHealth            | Current System add-on | Consultation - Voluntary                     | Consultation - Voluntary  | Consultation - Mandatory | Risk Assessment Report
Clinical Services  | New Medical Device    | Consultation - Mandatory                     | Consultation - Mandatory  | Risk Assessment Report   | Risk Assessment Report
Clinical Services  | New System            | Consultation - Voluntary                     | Consultation - Mandatory  | Risk Assessment Report   | Risk Assessment Report
Clinical Services  | Current System add-on | Consultation - Voluntary                     | Consultation - Voluntary  | Consultation - Mandatory | Risk Assessment Report
Genetics           | New System            | Consultation - Voluntary                     | Consultation - Mandatory  | Risk Assessment Report   | Risk Assessment Report
Genetics           | Current System add-on | Consultation - Voluntary                     | Consultation - Voluntary  | Consultation - Mandatory | Risk Assessment Report
Other Business/IT  | New System            | Consultation - Voluntary                     | Consultation - Mandatory  | Risk Assessment Report   | Risk Assessment Report
Other Business/IT  | Current System add-on | Consultation - Voluntary                     | Consultation - Voluntary  | Consultation - Mandatory | Risk Assessment Report

Descriptions of Actions

Consultation - Voluntary: On a voluntary basis, a requester can petition the Information Security team for a consultation on a particular project or system implementation.  Information Security will make formal, documented recommendations based on the information provided.

Consultation - Mandatory: A requester must request that Information Security provide a consultation on a particular project or system implementation.  Information Security will make formal, documented recommendations based on the information provided.

Risk Assessment Report: A requester must request that the Information Security team provide a Risk Assessment Report on a particular project or system implementation.  Requesters are responsible for completing a Risk Assessment Questionnaire, with any third-party input, and for supplying any supporting documentation requested.  Information Security will deliver a formal document that has been vetted by HIPAA Compliance and Security personnel.

Revisions

Published on 11/30/2016. Added links to forms and updated expedited costs on 6/1/2017. Added Thomas Smith and corrected some spelling errors on 7/5/2017.
