This policy establishes the scope, objectives, and procedures of RosettaHealth’s information security risk management process. The risk management process is intended to support and protect the organization and its ability to fulfill its mission.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 03.a - Risk Management Program Development

  • 03.b - Performing Risk Assessments

  • 03.c - Risk Mitigation

  • 12.b - Business Continuity and Risk Assessment

Applicable Standards from the HIPAA Security Rule

  • 164.308(a)(1)(ii)(A) - HIPAA Security Rule Risk Analysis

  • 164.308(a)(1)(ii)(B) - HIPAA Security Rule Risk Management

  • 164.308(a)(8) - HIPAA Security Rule Evaluation

Risk Management Policies

  1. It is the policy of RosettaHealth to conduct thorough and timely risk assessments of the potential threats and vulnerabilities pertaining to:

    1. the confidentiality, integrity, and availability of electronic protected health information (ePHI) (and other confidential and proprietary electronic information) it stores, transmits, and/or processes for its Customers

    2. The technical operations of the RosettaHealth Platform

    3. The business operations of RosettaHealth

  2. Risk analysis and risk management are recognized as important components of RosettaHealth’s corporate compliance program and information security program in accordance with the Risk Analysis and Risk Management implementation specifications within the Security Management standard and the evaluation standards set forth in the HIPAA Security Rule, 45 CFR 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(i), and 164.308(a)(8).

  3. Risk analysis and assessments are done throughout product life cycles:

    1. Before the integration of new system technologies and before changes are made. These changes do not include routine updates to existing systems, deployments of new systems created based on previously configured systems, deployments of new Customers, or new code developed for operations and management of the RosettaHealth Platform.

    2. RosettaHealth performs periodic technical and non-technical assessments of the security rule requirements as well as in response to environmental or operational changes affecting the security of ePHI.

  4. Based on the results of risk analysis and assessment activities RosettaHealth implements security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to:

    1. Ensure the confidentiality, integrity, and availability of all ePHI RosettaHealth receives, maintains, processes, and/or transmits for its Customers;

    2. Protect against any reasonably anticipated threats or hazards to the security or integrity of Customer ePHI;

    3. Protect against any reasonably anticipated uses or disclosures of Customer ePHI that are not permitted or required; and

    4. Ensure compliance by all workforce members.

  5. Any residual risk remaining after other risk controls have been applied requires sign-off by senior management and RosettaHealth’s Security Officer.

  6. All RosettaHealth workforce members are expected to fully cooperate with all persons charged with doing risk management work, including contractors and audit personnel. Any workforce member who violates this policy will be subject to disciplinary action based on the severity of the violation, as outlined in the Compliance Roles.

  7. The implementation, execution, and maintenance of the information security risk analysis and risk management process are the responsibility of RosettaHealth’s Security Officer (or other designated employee) and the identified Risk Management Team.

  8. All risk management efforts, including decisions made on what controls to put in place as well as those to not put into place, are documented and the documentation is maintained for six years.

  9. The details of the Risk Management Process, including risk assessment, discovery, and mitigation, are outlined in detail below.

  10. The Security Officer is assigned to carry out the Risk Management Procedures.

  11. All findings are documented in the RosettaHealth Risk Assessment.xlsx.

Risk Management Procedures

Risk Assessment

The intent of completing a risk assessment is to determine potential threats and vulnerabilities and the likelihood and impact should they occur. The output of this process helps to identify appropriate controls for reducing or eliminating risk.

  1. System Characterization

    • The first step in assessing risk is to define the scope of the effort. To do this, identify where ePHI is received, maintained, processed, or transmitted. Using information-gathering techniques, the RosettaHealth solution boundaries are identified.

    • Output - Characterization of the RosettaHealth solution assessed, a good picture of the environment, and delineation of boundaries. This is captured in the RosettaHealth Applications and Data Criticality Analysis_AWS.xlsx spreadsheet.

  2. Vulnerability/Threat Identification

    • Potential threats (the potential for threat-sources to successfully exercise a particular vulnerability) are identified and documented. All potential threat-sources from historical incidents and data from intelligence agencies, the government, etc., are reviewed to help generate a list of potential threats. A list of technical and non-technical vulnerabilities that could be exploited or triggered by potential threat-sources is compiled alongside it.

    • Output - A threat list of the threat-sources that could exploit identified vulnerabilities.

  3. Likelihood Determination

    • Determine the overall likelihood rating that indicates the probability that a vulnerability could be exploited by a threat-source given the existing or planned security controls.

    • Output - Likelihood rating of low (.1), medium (.5), or high (1). Refer to the NIST SP 800-30 definitions of low, medium, and high.

  4. Impact Analysis

    • Determine the level of adverse impact that would result from a threat successfully exploiting a vulnerability. Factors of the data and systems to consider should include the importance to RosettaHealth’s mission; sensitivity and criticality (value or importance); costs associated; loss of confidentiality, integrity, and availability of systems and data.

    • Output - Magnitude of impact rating of low (10), medium (50), or high (100). Refer to the NIST SP 800-30 definitions of low, medium, and high.

  5. Risk Level

    • Establish a risk level. By multiplying the ratings from the likelihood determination and impact analysis, a risk level is determined. This represents the degree or level of risk to which an IT system, facility, or procedure might be exposed if a given vulnerability were exercised. The risk rating also presents actions that senior management must take for each risk level.

    • Output - Risk level of low (1-10), medium (>10-50), or high (>50-100). Refer to the NIST SP 800-30 definitions of low, medium, and high.
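The scoring in steps 3 to 5 can be carried through as code. This is an added example, not part of the policy or any RosettaHealth tooling; it uses the likelihood values (.1, .5, 1), impact values (10, 50, 100) and level bands stated above, and the findings it scores are constructed samples.

```python
"""Risk scoring per the risk assessment steps above (added example).

likelihood (0.1 / 0.5 / 1) x impact (10 / 50 / 100) = risk score,
binned into low (1-10), medium (>10-50) or high (>50-100).
"""
from dataclasses import dataclass

LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}   # step 3 ratings
IMPACT = {"low": 10, "medium": 50, "high": 100}          # step 4 ratings


@dataclass
class Finding:
    threat_source: str   # who or what could exercise the vulnerability
    vulnerability: str   # weakness the threat-source could exploit or trigger
    likelihood: str      # "low", "medium" or "high" (NIST SP 800-30 terms)
    impact: str          # "low", "medium" or "high"


def risk_score(likelihood: str, impact: str) -> float:
    """Step 5: multiply the likelihood rating by the impact rating.
    Rounded so float noise (e.g. 0.1 * 100) cannot push a score over a band edge."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)


def risk_level(score: float) -> str:
    """Bin a score into the policy's bands; 10 and 50 fall in the lower band."""
    if score <= 10:
        return "low"
    if score <= 50:
        return "medium"
    return "high"


def prioritize(findings: list) -> list:
    """Score each finding and order them highest risk first, which is the
    order the Risk Mitigation step would evaluate control recommendations."""
    scored = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        scored.append((f, score, risk_level(score)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample findings (hypothetical; not from any real assessment).
SAMPLE = [
    Finding("external attacker", "unpatched internet-facing service", "high", "high"),
    Finding("insider", "shared administrative account", "medium", "high"),
    Finding("hardware failure", "database with no replica", "low", "high"),
    Finding("phishing", "email accounts without MFA", "medium", "medium"),
]

if __name__ == "__main__":
    for f, score, level in prioritize(SAMPLE):
        print(f"{level:>6} {score:>6}  {f.vulnerability} ({f.threat_source})")
```

Note that medium likelihood with high impact and high likelihood with medium impact both score exactly 50 and therefore land in the medium band, not high.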

Risk Mitigation

Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the Risk Assessment process to ensure the confidentiality, integrity and availability of RosettaHealth Platform ePHI. Determination of appropriate controls to reduce risk is dependent upon the risk tolerance of the organization consistent with its goals and mission.

  1. Control Recommendations

    • Identify controls that could reduce the identified risks to an acceptable level, or eliminate them, as appropriate to the organization’s operations. Factors to consider when developing controls may include effectiveness of recommended options (i.e., system compatibility), legislation and regulation, organizational policy, operational impact, and safety and reliability. Control recommendations provide input to the risk mitigation process, during which the recommended procedural and technical security controls are evaluated, prioritized, and implemented.

    • Output - Recommendation of control(s) and alternative solutions to mitigate risk.

  2. Identify Required Resources

    • Determine the workforce member(s) required to implement the recommended controls.

    • Output - List of required resources.

  3. Assign Responsibility

    • Identify the workforce member(s) that will be responsible for ensuring the recommended controls are implemented. Also identify the equipment, training and other resources needed for the successful implementation of controls. Resources may include time, money, equipment, etc.

    • Output - List of resources, responsible persons, and their assignments.

  4. Define Timeframe for Implementation

    • Determine a timeframe within which the specified controls should be implemented. In some cases the controls are continuous (e.g., applying Software Dev Practices).

    • Output - Timeframe for each control to be implemented.

Risk Management Schedule

The two principal components of the risk management process - risk assessment and risk mitigation - will be carried out according to the following schedule to ensure the continued adequacy and continuous improvement of RosettaHealth’s information security program:

  • Scheduled Basis - an overall risk assessment of RosettaHealth’s information system infrastructure will be conducted annually. The assessment process should be completed in a timely fashion so that risk mitigation strategies can be determined and included in the corporate budgeting process.

  • Throughout a System’s Development Life Cycle - from the time that a need for a new, untested information system configuration and/or application is identified through the time it is disposed of, ongoing assessments of the potential threats to a system and its vulnerabilities should be undertaken as a part of the maintenance of the system.

  • As Needed - the Security Officer (or other designated employee) or Risk Management Team may call for a full or partial risk assessment in response to changes in business strategies, information technology, information sensitivity, threats, legal liabilities, or other significant factors that affect RosettaHealth’s Platform.

Process Documentation

Maintain documentation of all risk assessment, risk management, and risk mitigation efforts for a minimum of six years.