From 124f738b8bf76fa79e040d5f834c85647feedda5 Mon Sep 17 00:00:00 2001
From: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com>
Date: Fri, 5 Apr 2024 22:26:12 +0200
Subject: [PATCH 1/2] add NIST SP-800-66 (HIPAA)
---
 .../libraries/nist-sp-800-66-rev2.yaml | 4244 +++++++++++++++++
 .../cprt_SP800_66_2_0_0_04-05-2024.xlsx | Bin 0 -> 47157 bytes
 tools/nist/sp-800-66/nist-sp-800-66-rev2.xlsx | Bin 0 -> 40953 bytes
 tools/nist/sp-800-66/nist-sp-800-66-rev2.yaml | 4244 +++++++++++++++++
 tools/nist/sp-800-66/nist-sp-800-66.py | 77 +
 5 files changed, 8565 insertions(+)
 create mode 100644 backend/library/libraries/nist-sp-800-66-rev2.yaml
 create mode 100644 tools/nist/sp-800-66/cprt_SP800_66_2_0_0_04-05-2024.xlsx
 create mode 100644 tools/nist/sp-800-66/nist-sp-800-66-rev2.xlsx
 create mode 100644 tools/nist/sp-800-66/nist-sp-800-66-rev2.yaml
 create mode 100644 tools/nist/sp-800-66/nist-sp-800-66.py
diff --git a/backend/library/libraries/nist-sp-800-66-rev2.yaml b/backend/library/libraries/nist-sp-800-66-rev2.yaml
new file mode 100644
index 000000000..642cf412b
--- /dev/null
+++ b/backend/library/libraries/nist-sp-800-66-rev2.yaml
@@ -0,0 +1,4244 @@ +urn: urn:intuitem:risk:library:nist-sp-800-66-rev2 +locale: en +ref_id: NIST-SP-800-66-rev2 +name: NIST SP-800-66 rev2 (HIPAA) +description: 'Implementing the Health Insurance Portability and Accountability Act + (HIPAA) Security Rule: A Cybersecurity Resource Guide, 2.0.0 + + Source: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP800_66_2_0_0/home + + ' +copyright: With the exception of material marked as copyrighted, information presented + on NIST sites are considered public information and may be distributed or copied. +version: '1' +provider: NIST +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:nist-sp-800-66-rev2 + ref_id: nist-sp-800-66-rev2 + name: NIST SP-800-66 rev2 (HIPAA) + description: 'Implementing the Health Insurance Portability and Accountability + Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, 2.0.0 + + Source: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP800_66_2_0_0/home + + ' + requirement_nodes: + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308 + assessable: false + depth: 1 + ref_id: '164.308' + description: "Administrative Safeguards:\nDefined in the Security Rule as the\ + \ \u201Cadministrative actions and policies, and procedures to manage the\ + \ selection, development, implementation, and maintenance of security measures\ + \ to protect electronic protected health information and to manage the conduct\ + \ of the covered entity's workforce in relation to the protection of that\ + \ information.\u201D" + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308 + ref_id: 164.308(a)(1) + description: 'Security Management Process: + + HIPAA Standard: Implement policies and procedures to prevent, detect, contain, + and correct security violations.' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) + name: Identify all ePHI and Relevant Information Systems + description: 'Identify where ePHI is generated within the organization, where + it enters the organization, where it moves within the organization, where + it is stored, and where it leaves the organization. + + + Identify all systems that house ePHI. Be sure to identify mobile devices, + medical equipment, and medical IoT devices that store, process, or transmit + ePHI. + + + Include all hardware and software that are used to collect, store, process, + or transmit ePHI. + + + Analyze business functions and verify the ownership and control of information + system elements as necessary. + + + Consider the impact of a merger or acquisition on risks to ePHI. During a + merger or acquisition, new data pathways may be introduced that lead to ePHI + being stored, processed, or transmitted in previously unanticipated places.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node5 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node4 + name: Sample questions + description: 'Has all ePHI generated, stored, processed, and transmitted within + the organization been identified? + + + Are all hardware and software for which the organization is responsible periodically + inventoried? + + + Is the hardware and software inventory updated on a regular basis? + + + Have hardware and software that maintains or transmits ePHI been identified? + Does this inventory include removable media and remote access devices? + + + Is the current configuration of organizational systems documented, including + connections to other systems? + + + Has a BIA been performed?' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) + name: Conduct Risk Assessment + description: Conduct an accurate and thorough assessment of the potential risks + and vulnerabilities to the confidentiality, integrity, and availability of + ePHI held by the covered entity or business associate. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node7 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node6 + name: Sample questions + description: "Are there any prior risk assessments, audit comments, security\ + \ requirements, and/or security test results?\n\nIs there intelligence available\ + \ from agencies, the Office of the Inspector General (OIG), the US-CERT, virus\ + \ alerts, and/or vendors?\n\nWhat are the human, natural, and environmental\ + \ threats to systems that contain, store, process, or transmit ePHI?\n\nWhat\ + \ are the current and planned controls?\n\nHave likelihood and impact been\ + \ determined for relevant threats and vulnerabilities?\n\nHave risk ratings\ + \ been determined for relevant threats and vulnerabilities?\n\nIs the facility\ + \ located in a region prone to any natural disasters, such as earthquakes,\ + \ floods, or fires?\n\nHas responsibility been assigned to check all hardware\ + \ and software \u2013 including hardware and software used for remote access\ + \ \u2013 to determine whether selected security settings are enabled?\n\n\ + Is there an analysis of current safeguards and their effectiveness relative\ + \ to the identified risks?\n\nHave all processes involving ePHI been considered,\ + \ including creating, receiving, maintaining, and transmitting it?" 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) + name: Implementation Specification (Required) + description: Conduct an accurate and thorough assessment of the potential risks + and vulnerabilities to the confidentiality, integrity, and availability of + ePHI held by the covered entity or business associate. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node9 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node8 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) + name: Implement a Risk Management Program + description: "Implement security measures sufficient to reduce risks and vulnerabilities\ + \ to a reasonable and appropriate level to comply with \xA7164.306(a).\n\n\ + Risk management should be performed with regular frequency to examine past\ + \ decisions, reevaluate risk likelihood and impact levels, and assess the\ + \ effectiveness of past remediation efforts\n\nCreate a Risk Management policy\ + \ and program that outlines organizational risk appetite and risk tolerance,\ + \ personnel duties, responsible parties, the frequency of risk management,\ + \ and required documentation.\n\nA risk management methodology is included\ + \ in Section 4.\n\nRisk management resources are also included in Appendix\ + \ F." + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node11 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node10 + name: Sample questions + description: 'Is executive leadership and/or management involved in risk management + decisions? + + + Has a risk management program been created with related policies? 
+ + + Does the regulated entity need to engage other resources (e.g., external expertise) + to assist in risk management? + + + Do current safeguards ensure the confidentiality, integrity, and availability + of all ePHI? + + + Do current safeguards protect against reasonably anticipated uses or disclosures + of ePHI that are not permitted by the Privacy Rule? + + + Has the regulated entity used the results of risk assessment and risk management + processes to guide the selection and implementation of appropriate controls + to protect ePHI? + + + Has the regulated entity protected against all reasonably anticipated threats + or hazards to the security and integrity of ePHI? + + + Has the regulated entity assured compliance with all policies and procedures + by its workforce?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node12 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) + name: Implementation Specification (Required) + description: "Implement security measures sufficient to reduce risks and vulnerabilities\ + \ to a reasonable and appropriate level to comply with \xA7164.306(a)" + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node13 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node12 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node14 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) + name: Acquire IT Systems and Services + description: 'Regulated entities should consider how cloud services and other + third-party IT system and service offerings can both assist regulated entities + in protecting ePHI while also potentially introducing new risks to ePHI. + + + Although the HIPAA Security Rule does not require purchasing any particular + technology, adequately protecting information may require additional hardware, + software, or services. 
Considerations for their selection should include the + following:' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node15 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node14 + name: Sample questions + description: 'Will new security controls work with the existing IT architecture? + + + Have the security requirements of the organization been compared to the security + features of existing or proposed hardware and software? + + + Has a cost-benefit analysis been conducted to determine the reasonableness + of the investment given the security risks identified? + + + Has a training strategy been developed?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node16 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) + name: Create and Deploy Policies and Procedures + description: 'Implement the decisions concerning the management, operational, + and technical controls selected to mitigate identified risks. + + + Create policies that clearly establish roles and responsibilities, and assign + ultimate responsibility for the implementation of each control to particular + individuals or offices. + + + Create procedures to be followed to accomplish particular security-related + tasks. + + + Establish a frequency for reviewing policy and procedures' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node17 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node16 + name: Sample questions + description: 'Has the regulated entity documented an organizational risk assessment/management + policy that outlines the duties, responsible parties, frequency, and required + documentation of the risk management program? + + + Are policies and procedures in place for security? + + + Is there a formal (documented) system security plan? + + + Is there a formal contingency plan? 
+ + + Is there a process for communicating policies and procedures to the affected + workforce members? + + + Are policies and procedures reviewed and updated as needed?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node18 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) + name: Develop and Implement a Sanction Policy + description: "Apply appropriate sanctions against workforce members who fail\ + \ to comply with the security policies and procedures of the covered entity\ + \ or business associate\n\nDevelop policies and procedures for imposing appropriate\ + \ sanctions (e.g., reprimand, termination) for noncompliance with the organization\u2019\ + s security policies.\n\nImplement sanction policy as cases arise." + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node19 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node18 + name: Sample questions + description: 'Does the regulated entity have existing sanction policies and + procedures to meet the requirements of this implementation specification? + If not, can existing sanction policies be modified to include language related + to violations of these policies and procedures? + + + Is there a formal process in place to address system misuse, abuse, and fraudulent + activity? + + + Have workforce members been made aware of policies concerning sanctions for + inappropriate access, use, and disclosure of ePHI? + + + Has the need and appropriateness of a tiered structure of sanctions that accounts + for the magnitude of harm and possible types of inappropriate disclosures + been considered? + + + How will managers and workforce members be notified regarding suspect activity?' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node20 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) + name: Implementation Specification (Required) + description: Apply appropriate sanctions against workforce members who fail + to comply with the security policies and procedures of the covered entity + or business associate + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node21 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node20 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node22 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) + name: Develop and Deploy the Information System Activity Review Process + description: 'Implement procedures to regularly review records of information + system activity, such as audit logs, access reports, and security incident + tracking reports. + + + Implement regular reviews of information system activity, and consider ways + to automate the review for the protection of ePHI.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node23 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node22 + name: Sample questions + description: 'Is there a policy that establishes what reviews will be conducted? + + + Are there corresponding procedures that describe the specifics of the reviews? + + + Who is responsible for the overall process and results? + + + How often will reviews take place? + + + How often will review results be analyzed? + + + Has the regulated entity considered all available capabilities to automate + the reviews? + + + Where will audit information reside (e.g., separate server)? Will it be stored + external to the organization (e.g., cloud service provider)?' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node24 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) + name: Implementation Specification (Required) + description: Implement procedures to regularly review records of information + system activity, such as audit logs, access reports, and security incident + tracking reports. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node25 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node24 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node26 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) + name: Develop Appropriate Standard Operating Procedures + description: Determine the types of audit trail data and monitoring procedures + that will be needed to derive exception reports. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node27 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node26 + name: Sample questions + description: 'How will exception reports or logs be reviewed? + + + Where will monitoring reports and their reviews be documented and maintained?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node28 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) + name: Implement the Information System Activity Review and Audit Process + description: 'Activate the necessary review process. + + + Begin auditing and logging activity.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node29 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node28 + name: Sample questions + description: 'What mechanisms will be implemented to assess the effectiveness + of the review process (measures)? + + + What is the plan to revise the review process when needed?' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(2) + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308 + ref_id: 164.308(a)(2) + description: 'Assigned Security Responsibility: + + HIPAA Standard: Identify the security official who is responsible for the + development and implementation of the policies and procedures required by + this subpart for the covered entity or business associate.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node31 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(2) + name: Select a Security Official to be Assigned Responsibility for HIPAA Security + description: 'Identify the individual who has final responsibility for security. + + + Select an individual who is able to assess effective security to serve as + the point of contact for security policy, implementation, and monitoring.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node32 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node31 + name: Sample questions + description: 'Who in the organization: + + + Does the security official have adequate access and communications with senior + officials in the organization, such as executives, chief information officers, + chief compliance officers, and in-house counsel? + + + Who in the organization is authorized to accept risks from systems on behalf + of the organization?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node33 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(2) + name: "Assign and Document the Individual\u2019s Responsibility" + description: "Document the assignment to one individual\u2019s responsibilities\ + \ in a job description.\n\nCommunicate this assigned role to the entire organization." 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node34 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node33 + name: Sample questions + description: 'Is there a complete job description that accurately reflects assigned + security duties and responsibilities? + + + Have the staff members in the organization been notified as to whom to call + in the event of a security problem?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3) + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308 + ref_id: 164.308(a)(3) + description: 'Workforce Security: + + HIPAA Standard: Implement policies and procedures to ensure that all members + of its workforce have appropriate access to electronic protected health information, + as provided under paragraph (a)(4) of this section, and to prevent those workforce + members who do not have access under paragraph (a)(4) of this section from + obtaining access to electronic protected health information.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node36 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3) + name: Implement Policies and Procedures for Authorization and/or Supervision + description: Implement procedures for the authorization and/or supervision of + workforce members who work with ePHI or in locations where it might be accessed. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node37 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node36 + name: Sample questions + description: 'Have chains of command and lines of authority been established? + + + Have staff members been made aware of the identity and roles of their supervisors?' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node38 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3) + name: Implementation Specification (Addressable) + description: Implement procedures for the authorization and/or supervision of + workforce members who work with ePHI or in locations where it might be accessed. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node39 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node38 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node40 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3) + name: Establish Clear Job Descriptions and Responsibilities + description: 'Define roles and responsibilities for all job functions. + + + Assign appropriate levels of security oversight, training, and access. + + + Identify in writing who has the business need and who has been granted permission + to view, alter, retrieve, and store ePHI and at what times, under what circumstances, + and for what purposes.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node41 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node40 + name: Sample questions + description: 'Are there written job descriptions that are correlated with appropriate + levels of access to ePHI? + + + Are these job descriptions reviewed and updated on a regular basis? 
+ + + Have staff members been provided copies of their job descriptions and informed + of the access granted to them, as well as the conditions by which this access + can be used' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node42 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3) + name: Establish Criteria and Procedures for Hiring and Assigning Tasks + description: 'Ensure that staff members have the necessary knowledge, skills, + and abilities to fulfill particular roles (e.g., positions involving access + to and use of sensitive information). + + + Ensure that these requirements are included as part of the personnel hiring + process.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node43 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node42 + name: Sample questions + description: 'Have the qualifications of candidates for specific positions been + checked against the job description? + + + Have determinations been made that candidates for specific positions are able + to perform the tasks of those positions?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node44 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3) + name: Establish a Workforce Clearance Procedure + description: 'Implement procedures to determine that the access of a workforce + member to ePHI is appropriate. + + + Implement appropriate screening of persons who will have access to ePHI. + + + Implement a procedure for obtaining clearance from appropriate offices or + individuals where access is provided or terminated.' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node45 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node44 + name: Sample questions + description: "Is there an implementation strategy that supports the designated\ + \ access authorities?\n\nAre applicants\u2019 employment and educational references\ + \ checked, if reasonable and appropriate?\n\nHave background checks been completed,\ + \ if reasonable and appropriate?\n\nAre there procedures for determining that\ + \ the appropriate workforce members have access to the necessary information?\n\ + \nDo procedures exist for obtaining appropriate sign-offs to grant or terminate\ + \ access to ePHI?\n\nHave clearance and supervision procedures been developed\ + \ for non-US based workforce members that are applicable to their location?" + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node46 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3) + name: Implementation Specification (Addressable) + description: Implement procedures to determine that the access of a workforce + member to ePHI is appropriate. 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node47 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node46 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node48 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3) + name: Establish Termination Procedures + description: "Implement procedures for terminating access to ePHI when the employment\ + \ of or other arrangement with a workforce member ends or as required by determinations\ + \ made as specified in \xA7164.308(a)(3)(ii)(B).\n\nDevelop a standard set\ + \ of procedures that should be followed to recover access control devices\ + \ (e.g., identification badges, keys, access cards) when employment ends.\n\ + \nDeactivate computer access accounts (e.g., disable user IDs and passwords)\ + \ and facility access (e.g., change facility security codes/PINs)." + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node49 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node48 + name: Sample questions + description: "Are there separate procedures for voluntary termination (e.g.,\ + \ retirement, promotion, transfer, change of employment) versus involuntary\ + \ termination (e.g., termination for cause, reduction in force, involuntary\ + \ transfer, criminal or disciplinary actions), if reasonable and appropriate?\n\ + \nIs there a standard checklist for all action items that should be completed\ + \ when a workforce member leaves (e.g., return of all access devices, deactivation\ + \ of logon accounts [including remote access], and delivery of any needed\ + \ data solely under the employee\u2019s control)?\n\nDo other organizations\ + \ need to be notified to deactivate accounts that the workforce member had\ + \ access to in the performance of their employment duties?" 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node50 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3) + name: Implementation Specification (Addressable) + description: "Implement procedures for terminating access to ePHI when the employment\ + \ of or other arrangement with a workforce member ends or as required by determinations\ + \ made as specified in \xA7164.308(a)(3)(ii)(B)." + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node51 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node50 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4) + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308 + ref_id: 164.308(a)(4) + description: 'Information Access Management: + + HIPAA Standard: Implement policies and procedures for authorizing access to + electronic protected health information that are consistent with the applicable + requirements of subpart E of this part.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node53 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4) + name: Isolate Healthcare Clearinghouse Functions + description: 'If a healthcare clearinghouse is part of a larger organization, + the clearinghouse must implement policies and procedures that protect the + ePHI of the clearinghouse from unauthorized access by the larger organization. + + + Determine whether a component of the regulated entity constitutes a healthcare + clearinghouse under the HIPAA Security Rule. + + + If no clearinghouse functions exist, document this finding. If a clearinghouse + exists within the organization, implement procedures for access that are consistent + with the HIPAA Privacy Rule.' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node54 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node53 + name: Sample questions + description: 'If healthcare clearinghouse functions are performed, are policies + and procedures implemented to protect ePHI from the other functions of the + larger organization? + + + Does the healthcare clearinghouse share hardware or software with a larger + organization of which it is a part? + + + Does the healthcare clearinghouse share staff or physical space with staff + from a larger organization? + + + Has a separate network or subsystem been established for the healthcare clearinghouse, + if reasonable and appropriate? + + + Has staff of the healthcare clearinghouse been trained to safeguard ePHI from + disclosure to the larger organization, if required for compliance with the + HIPAA Privacy Rule?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node55 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4) + name: Implementation Specification (Required) + description: If a healthcare clearinghouse is part of a larger organization, + the clearinghouse must implement policies and procedures that protect the + ePHI of the clearinghouse from unauthorized access by the larger organization. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node56 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node55 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node57 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4) + name: Implement Policies and Procedures for Authorizing Access + description: 'Implement policies and procedures for granting access to ePHI, + such as through access to a workstation, transaction, program, process, or + other mechanism. 
+
+
+ Decide and document procedures for how access to ePHI will be granted to workforce
+ members within the organization.
+
+
+ Select the basis for restricting access to ePHI.
+
+
+ Select an access control method (e.g., identity-based, role-based, or other
+ reasonable and appropriate means of access.)
+
+
+ Decide and document how access to ePHI will be granted for privileged functions.
+
+
+ Ensure that there is a list of personnel with authority to approve user requests
+ to access ePHI and systems with ePHI.
+
+
+ Identify authorized users with access to ePHI, including data owners and data
+ custodians.
+
+
+ Consider whether multiple access control methods are needed to protect ePHI
+ according to the results of the risk assessment.
+
+
+ Determine whether direct access to ePHI will ever be appropriate for individuals
+ external to the organization (e.g., business partners or patients seeking
+ access to their own ePHI).'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node58
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node57
+ name: Sample questions
+ description: "Have appropriate authorization and clearance procedures, as specified\
+ \ in Workforce Security (\xA7 164.308(a)(3)), been performed prior to granting\
+ \ access?\n\nDo the organization\u2019s systems have the capacity to set access\
+ \ controls?\n\nAre there documented job descriptions that accurately reflect\
+ \ assigned duties and responsibilities and enforce segregation of duties?\n\
+ \nHas the organization documented procedures that specify how authorized personnel\
+ \ will be granted access to ePHI?\n\nDoes the organization grant remote access\
+ \ to ePHI?\n\nWhat methods of access control are used (e.g., identity-based,\
+ \ role-based, location-based, or a combination) to protect ePHI?\n\nAre there\
+ \ additional access control requirements for users who will be accessing privileged\
+ \ functions?\n\nHave organizational
personnel been explicitly authorized to\
+ \ approve user requests to access ePHI and/or systems with ePHI?"
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node59
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4)
+ name: Implementation Specification (Addressable)
+ description: Implement policies and procedures for granting access to ePHI,
+ such as through access to a workstation, transaction, program, process, or
+ other mechanism.
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node60
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node59
+ name: Sample questions
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node61
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4)
+ name: Implement Policies and Procedures for Access Establishment and Modification
+ description: "Implement policies and procedures that \u2013 based on the covered\
+ \ entity or business associate\u2019s access authorization policies \u2013\
+ \ establish, document, review, and modify a user's right of access to a workstation,\
+ \ transaction, program, or process.\n\nEstablish standards for granting access\
+ \ to ePHI.\n\nProvide formal authorization from the appropriate authority\
+ \ before granting access to ePHI.\n\nRegularly review personnel access to\
+ \ ePHI to ensure that access is still authorized and needed.\n\nModify personnel\
+ \ access to ePHI, as needed, based on review activities."
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node62
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node61
+ name: Sample questions
+ description: 'Are duties separated such that only the minimum necessary ePHI
+ is made available to each workforce member based on their job requirements?
+
+
+ Are access decisions justified, approved, logged, and retained?
+
+
+ Is personnel access to ePHI regularly reviewed to ensure that access is still
+ authorized and needed?
+
+
+ Are activities that review access to ePHI logged and retained, including decisions
+ that arise from review activities?
+
+
+ Are decisions related to the establishment and modification of workforce member
+ authorization to access ePHI documented?'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node63
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4)
+ name: Implementation Specification (Addressable)
+ description: "Implement policies and procedures that \u2013 based on the covered\
+ \ entity or business associate\u2019s access authorization policies \u2013\
+ \ establish, document, review, and modify a user's right of access to a workstation,\
+ \ transaction, program, or process."
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node64
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node63
+ name: Sample questions
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node65
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4)
+ name: Evaluate Existing Security Measures Related to Access Controls
+ description: 'Evaluate the security features of access controls that are already
+ in place or those of any planned for implementation, as appropriate.
+
+
+ Determine whether these security features involve alignment with other existing
+ management, operational, and technical controls, such as policy standards,
+ personnel procedures, the maintenance and review of audit trails, the identification
+ and authentication of users, and physical access controls.'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node66
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node65
+ name: Sample questions
+ description: 'Are there policies and procedures related to the security of access
+ controls? If so, are they updated regularly?
+
+
+ Are authentication mechanisms used to verify the identity of those accessing
+ systems protected from inappropriate manipulation?
+
+
+ Does management regularly review the list of access authorizations, including
+ remote access authorizations, to verify that the list is accurate and has
+ not been inappropriately altered?[1]'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
+ assessable: false
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308
+ ref_id: 164.308(a)(5)
+ description: 'Security Awareness and Training:
+
+ HIPAA Standard: Implement a security awareness and training program for all
+ members of its workforce (including management).'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node68
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
+ name: Conduct a Training Needs Assessment
+ description: 'Determine the training needs of the organization.
+
+
+ Interview and involve key personnel in assessing security training needs.
+
+
+ Use feedback and analysis of past events to help determine training needs
+
+
+ Review organizational behavior issues, past incidents, and/or breaches to
+ determine what training is missing or needs reinforcement, improvement, or
+ periodic reminders.'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node69
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node68
+ name: Sample questions
+ description: 'What awareness, training, and education programs are needed? Which
+ are required?
+
+
+ Is the organization monitoring current threats to determine possible areas
+ of training needs?
+
+
+ Are there current, relevant threats (e.g., phishing, ransomware) about which
+ personnel need training?
+
+
+ Do workforce members need training on any particular organization devices
+ (e.g., medical IoT) or technology that pose a risk to ePHI?
+
+
+ What is the current status regarding how these needs are being addressed (e.g.,
+ how well are current efforts working)?
+
+
+ Where are the gaps between the needs and what is being done (e.g., what more
+ needs to be done)?
+
+
+ What are the training priorities in terms of content and audience?'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node70
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
+ name: Develop and Approve a Training Strategy and a Plan
+ description: "Address the specific HIPAA policies that require security awareness\
+ \ and training in the security awareness and training program.\n\nSet organizational\
+ \ expectations for protecting ePHI.\n\nIn the security awareness and training\
+ \ program, outline the program\u2019s scope, goals, target audiences, learning\
+ \ objectives, deployment methods, and evaluation and measurement techniques,\
+ \ as well as the frequency of training"
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node71
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node70
+ name: Sample questions
+ description: 'Is there a procedure in place to ensure that everyone in the organization
+ receives security awareness training, including teleworkers and remote personnel?
+
+
+ What type of security training is needed to address specific technical topics
+ based on job responsibility?
+
+
+ When should training be scheduled to ensure that compliance deadlines are
+ met?
+
+
+ Has the organization considered the training needs of non-employees (e.g.,
+ contractors, interns)?
+
+
+ Is there a need to implement information security training tailored to individual
+ roles?'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node72
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
+ name: Protection from Malicious Software, Login Monitoring, and Password Management
+ description: "As reasonable and appropriate, train workforce members regarding\
+ \ procedures for:\n\nIncorporate information concerning workforce members\u2019\
+ \ roles and responsibilities in implementing these implementation specifications\
+ \ into training and awareness efforts."
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node73
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node72
+ name: Sample questions
+ description: 'Do workforce members know the importance of the timely application
+ of system patches to protect against malicious software and the exploitation
+ of vulnerabilities?
+
+
+ Are workforce members aware that login attempts may be monitored?
+
+
+ Do workforce members who monitor login attempts know to whom to report discrepancies?
+
+
+ Do workforce members understand their roles and responsibilities in selecting
+ a password of appropriate strength, safeguarding their password, and changing
+ a password when it has been compromised or is suspected of being compromised?
+
+
+ Are there policies in place that prohibit workforce members from sharing passwords
+ with others?'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node74
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
+ name: Implementation Specification (Protection from Malicious Software)
+ description: 'As reasonable and appropriate, train workforce members regarding
+ procedures for:'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node75
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node74
+ name: Sample questions
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node76
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
+ name: Implementation Specification (Log-in Monitoring)
+ description: 'As reasonable and appropriate, train workforce members regarding
+ procedures for:'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node77
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node76
+ name: Sample questions
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node78
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
+ name: Implementation Specification (Password Management)
+ description: 'As reasonable and appropriate, train workforce members regarding
+ procedures for:'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node79
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node78
+ name: Sample questions
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node80
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
+ name: Develop Appropriate Awareness and Training Content, Materials, and Methods
+ description: 'Select topics to be included in the training materials, and consider
+ current and relevant topics (e.g., phishing, email security) for the protection
+ of ePHI.
+
+
+ Incorporate new information from email advisories, online IT security daily
+ news websites, and periodicals, as reasonable and appropriate.
+
+
+ Consider using a variety of media and avenues according to what is appropriate
+ for the organization based on workforce size, location, level of education,
+ and other factors.
+
+
+ Training should be an ongoing, evolving process in response to environmental
+ and operational changes that affect the security of ePHI.'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node81
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node80
+ name: Sample questions
+ description: "Are the topics selected for training and awareness the most relevant\
+ \ to the threats, vulnerabilities, and risks identified during the risk assessment?\n\
+ \nDoes the organization periodically review the topics covered in training\
+ \ and awareness in light of updates to the risk assessment and current threats?\n\
+ \nHave workforce members received a copy of and do they have ready access\
+ \ to the organization\u2019s security procedures and policies?\n\nDo workforce\
+ \ members know whom to contact and how to handle a security incident?\n\n\
+ Do workforce members understand the consequences of noncompliance with the\
+ \ stated security policies?\n\nDo workforce members who travel, telework,\
+ \ or work remotely know how to handle physical laptop security issues and\
+ \ information security issues?\n\nHas the regulated entity researched available\
+ \ training resources?\n\nIs dedicated training staff available for the delivery\
+ \ of security training? If not, who will deliver the training?\n\nWhat is\
+ \ the security training budget?"
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node82
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
+ name: Implement the Training
+ description: 'Schedule and conduct the training outlined in the strategy and
+ plan.
+
+
+ Implement any reasonable technique to disseminate the security messages in
+ an organization, including newsletters, screensavers, video recordings, email
+ messages, teleconferencing sessions, staff meetings, and computer-based training.'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node83
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node82
+ name: Sample questions
+ description: 'Have all workforce members received adequate training to fulfill
+ their security responsibilities?
+
+
+ Are there sanctions if workforce members do not complete the required training?'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node84
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
+ name: Implement Security Reminders
+ description: 'Implement periodic security updates.
+
+
+ Provide periodic security updates to staff, business associates, and contractors.
+
+
+ Consider the benefits of ongoing communication with staff (e.g., emails, newsletters)
+ on training topics to achieve HIPAA compliance and protect ePHI.'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node85
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node84
+ name: Sample questions
+ description: 'What methods are available or already in use to make or keep workforce
+ members aware of security (e.g., posters, booklets, anti-phishing training)?
+
+
+ Is the organization making use of existing resources (e.g., from the 405(d)
+ program or other resources listed in Appendix F) to remind staff of important
+ security topics?
+
+
+ Is security refresher training performed on a periodic basis (e.g., annually)?
+
+
+ Is security awareness discussed with all new hires?
+
+
+ Are security topics reinforced during routine staff meetings?'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node86
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
+ name: Implementation Specification (Addressable)
+ description: Implement periodic security updates.
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node87
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node86
+ name: Sample questions
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node88
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
+ name: Monitor and Evaluate the Training Plan
+ description: 'Keep the security awareness and training program current.
+
+
+ Solicit trainee feedback to determine whether the training and awareness are
+ successfully reaching the intended audience.
+
+
+ Conduct training whenever changes occur in the technology and practices as
+ appropriate.
+
+
+ Monitor the training program implementation to ensure that all workforce members
+ participate.
+
+
+ Implement corrective actions when problems arise.'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node89
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node88
+ name: Sample questions
+ description: 'Are the workforce members'' training and professional development
+ programs documented and monitored, if reasonable and appropriate?
+
+
+ How are new workforce members trained on security?
+
+
+ Are new non-employees (e.g., contractors, interns) trained on security?'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(6)
+ assessable: false
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308
+ ref_id: 164.308(a)(6)
+ description: 'Security Incident Procedures:
+
+ HIPAA Standard: Implement policies and procedures to address security incidents.'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node91
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(6)
+ name: Determine the Goals of Incident Response
+ description: "Gain an understanding as to what constitutes a true security incident.\
+ \ Under the HIPAA Security Rule, a security incident is the attempted or successful\
+ \ unauthorized access, use, disclosure, modification, or destruction of information\
+ \ or interference with system operations in an information system (45 CFR\
+ \ \xA7 164.304).\n\nEnsure that the incident response program covers all parts\
+ \ of the organization in which ePHI is created, stored, processed, or transmitted.\n\
+ \nDetermine how the organization will respond to a security incident.\n\n\
+ Establish a reporting mechanism and a process to coordinate responses to the\
+ \ security incident.\n\nProvide direct technical assistance, advise vendors\
+ \ to address product-related problems, and provide liaisons to legal and criminal\
+ \ investigative groups as needed."
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node92
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node91
+ name: Sample questions
+ description: 'Has the HIPAA-required security risk assessment resulted in a
+ list of potential physical or technological events that could lead to a breach
+ of security?
+
+
+ Is there a procedure in place for reporting and handling incidents?
+
+
+ Has an analysis been conducted that relates reasonably anticipated organizational
+ threats (that could result in a security incident) to the methods that would
+ be used for mitigation?
+
+
+ Have the key functions of the organization been prioritized to determine what
+ would need to be restored first in the event of a disruption?'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node93
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(6)
+ name: Develop and Deploy an Incident Response Team or Other Reasonable and Appropriate
+ Response Mechanism
+ description: 'Determine whether the size, scope, mission, and other aspects
+ of the organization justify the reasonableness and appropriateness of maintaining
+ a standing incident response team.
+
+
+ Identify appropriate individuals to be part of a formal incident response
+ team if the organization has determined that implementing an incident response
+ team is reasonable and appropriate.
+
+
+ Consider assigning secondary personnel to be part of the incident response
+ team in the event that primary personnel are unavailable.'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node94
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node93
+ name: Sample questions
+ description: "Do members of the team have adequate knowledge of the organization\u2019\
+ s hardware and software?\n\nDo members of the team have the authority to speak\
+ \ for the organization to the media, law enforcement, and clients or business\
+ \ partners?\n\nHas the incident response team received appropriate training\
+ \ in incident response activities?"
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node95
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(6)
+ name: Develop and Implement Policy and Procedures to Respond to and Report Security
+ Incidents
+ description: 'Identify and respond to suspected or known security incidents;
+ mitigate, to the extent practicable, harmful effects of security incidents
+ that are known to the covered entity or business associate; and document security
+ incidents and their outcomes.
+
+
+ Ensure that an organizational incident response policy is in place that addresses
+ all parts of the organization in which ePHI is created, stored, processed,
+ or transmitted.
+
+
+ Document incident response procedures that can provide a single point of reference
+ to guide the day-to-day operations of the incident response team.
+
+
+ Review incident response procedures with staff who have roles and responsibilities
+ related to incident response; solicit suggestions for improvements; and make
+ changes to reflect input if reasonable and appropriate.
+
+
+ Consider conducting tests of the incident response plan.
+
+
+ Update the procedures as required based on changing organizational needs.'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node96
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node95
+ name: Sample questions
+ description: 'Has the organization determined that maintaining a staffed security
+ incident hotline would be reasonable and appropriate?
+
+
+ Has the organization developed processes for documenting and tracking incidents?
+
+
+ Has the organization determined reasonable and appropriate mitigation options
+ for security incidents?
+
+
+ Has the organization developed standardized incident report templates to record
+ necessary information related to incidents?
+
+
+ Has the organization determined that information captured in the reporting
+ templates is reasonable and appropriate to investigate an incident?
+
+
+ Has the organization determined the conditions under which information related
+ to a security breach will be disclosed to the media?
+
+
+ Have appropriate (internal and external) persons who should be informed of
+ a security breach been identified? Has a contact information list been prepared?
+
+
+ Has a written incident response plan been developed and provided to the incident
+ response team?
+
+
+ Has the incident response plan been tested?'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node97
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(6)
+ name: Implementation Specification (Required)
+ description: Identify and respond to suspected or known security incidents;
+ mitigate, to the extent practicable, harmful effects of security incidents
+ that are known to the covered entity or business associate; and document security
+ incidents and their outcomes.
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node98
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node97
+ name: Sample questions
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node99
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(6)
+ name: Incorporate Post-Incident Analysis into Updates and Revisions
+ description: 'Measure effectiveness and update security incident response procedures
+ to reflect lessons learned, and identify actions to take that will improve
+ security controls after a security incident.
+
+
+ Incidents caused by or influenced by known risks should feed back into the
+ risk assessment process for a reevaluation of impact and/or likelihood.
+
+
+ Remediation and corrective action plans that arise from incidents should serve
+ as input to the risk assessment/management process.'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node100
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node99
+ name: Sample questions
+ description: 'Has the organization analyzed records (e.g., log files, malware)
+ to understand the nature, extent, and scope of the incident?
+
+
+ Does the organization reassess risk to ePHI based on findings from this analysis?
+
+
+ Does the incident response team keep adequate documentation of security incidents
+ and their outcomes, which may include what weaknesses were exploited and how
+ access to the information was gained?
+
+
+ Do records reflect the new contacts and resources identified for responding
+ to an incident?
+
+
+ Does the organization consider whether current procedures were adequate for
+ responding to a particular security incident?'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7)
+ assessable: false
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308
+ ref_id: 164.308(a)(7)
+ description: 'Contingency Plan:
+
+ HIPAA Standard: Establish (and implement as needed) policies and procedures
+ for responding to an emergency or other occurrence (for example, fire, vandalism,
+ system failure, and natural disaster) that damages systems that contain electronic
+ protected health information'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node102
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7)
+ name: Develop a Contingency Planning Policy
+ description: "Define the organization\u2019s overall contingency objectives.\n\
+ \nEstablish the organizational framework, roles, and responsibilities for\
+ \ this area.\n\nAddress scope, resource requirements, training, testing, plan\
+ \ maintenance, and backup
requirements."
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node103
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node102
+ name: Sample questions
+ description: 'What critical services must be provided within specified time
+ frames?
+
+
+ Have cross-functional dependencies been identified to determine how a failure
+ in one system may negatively impact another one?'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node104
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7)
+ name: Conduct an Applications and Data Criticality Analysis
+ description: 'Assess the relative criticality of specific applications and data
+ in support of other Contingency Plan components.
+
+
+ Identify the activities and material involving ePHI that are critical to business
+ operations.
+
+
+ Identify the critical services or operations and the manual and automated
+ processes that support them involving ePHI.
+
+
+ Determine the amount of time that the organization can tolerate disruptions
+ to these operations, materials, or services (e.g., due to power outages).
+
+
+ Evaluate the current and available levels of redundancy and geographic distribution
+ of any storage service providers to identify risks to service availability
+ and determine restoration times.
+
+
+ Consider whether any vendor/service provider arrangements are critical to
+ operations and address them as appropriate to ensure availability and reliability.
+
+
+ Establish cost-effective strategies for recovering these critical services
+ or processes.'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node105
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node104
+ name: Sample questions
+ description: 'What hardware, software, and personnel are critical to daily operations?
+
+
+ What is the impact on desired service levels if these critical assets are
+ not available?
+
+
+ What, if any, support is provided by external providers (e.g., cloud service
+ providers, internet service providers, utilities, or contractors)?
+
+
+ What is the nature and degree of impact on the operation if any of the critical
+ resources or service providers are not available?
+
+
+ Has the organization identified vendors or service providers that are critical
+ to business operations?
+
+
+ Has the organization sufficiently addressed the availability and reliability
+ of these services (e.g., via service level agreements, contracts)?'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node106
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7)
+ name: Implementation Specification (Addressable)
+ description: Assess the relative criticality of specific applications and data
+ in support of other Contingency Plan components.
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node107
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node106
+ name: Sample questions
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node108
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7)
+ name: Identify Preventive Measures
+ description: 'Identify preventive measures for each defined scenario that could
+ result in the loss of a critical service operation involving the use of ePHI.
+
+
+ Ensure that identified preventive measures are practical and feasible in terms
+ of their applicability in a given environment.'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node109
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node108
+ name: Sample questions
+ description: 'What alternatives for continuing operations of the organization
+ are available in case of the loss of any critical function or resource?
+
+
+ What is the cost associated with the preventive measures that may be considered?
+
+
+ Are the preventive measures feasible (i.e., affordable and practical for the
+ environment)?
+
+
+ What plans, procedures, or agreements need to be initiated to enable the implementation
+ of the preventive measures if they are necessary?'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node110
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7)
+ name: Develop Recovery Strategy
+ description: 'Finalize the set of contingency procedures that should be invoked
+ for all identified impacts, including emergency mode operation. The strategy
+ must be adaptable to the existing operating environment and address allowable
+ outage times and the associated priorities identified in Key Activity 2.
+
+
+ If part of the strategy depends on external organizations for support, ensure
+ that formal agreements are in place with specific requirements stated.'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node111
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node110
+ name: Sample questions
+ description: 'Have procedures related to recovery from emergency or disastrous
+ events been documented?
+
+
+ Has a coordinator who manages, maintains, and updates the plan been designated?
+
+
+ Has an emergency call list been distributed to all workforce members? Have
+ recovery procedures been documented?
+ + + Has a determination been made regarding when the plan needs to be activated + (e.g., anticipated duration of outage, tolerances for outage or loss of capability, + impact on service delivery, etc.)?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node112 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7) + name: Data Backup Plan and Disaster Recovery Plan + description: 'Establish and implement procedures to create and maintain retrievable + exact copies of ePHI. + + + Establish (and implement as needed) procedures to restore any loss of data.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node113 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node112 + name: Sample questions + description: 'Is there a formal, written contingency plan? Does it address disaster + recovery and data backup? + + + Does the disaster recovery plan address what data is to be restored and in + what order? + + + Do data backup procedures exist that include all ePHI? + + + Is the frequency of backups appropriate for the environment? + + + Are responsibilities assigned to conduct backup activities? + + + Are data backup procedures documented and available to other staff? + + + Are backup logs reviewed and data restoration tests conducted to ensure the + integrity of data backups? + + + Is at least one copy of the data backup stored offline to protect against + corruption due to ransomware or other similar attacks? + + + Are backups or images of operating systems, devices, software, and configuration + files necessary to support the confidentiality, integrity, and availability + of ePHI included in the data backup plan?' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node114 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7) + name: Implementation Specification (Required) + description: Establish and implement procedures to create and maintain retrievable + exact copies of ePHI. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node115 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node114 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node116 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7) + name: Implementation Specification (Required) + description: Establish (and implement as needed) procedures to restore any loss + of data. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node117 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node116 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node118 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7) + name: Develop and Implement an Emergency Mode Operation Plan + description: "Establish (and implement as needed) procedures to enable the continuation\ + \ of critical business processes to protect the security of ePHI while operating\ + \ in emergency mode.\n\n\u201CEmergency mode\u201D operation involves only\ + \ those critical business processes that must occur to protect the security\ + \ of ePHI during and immediately after a crisis situation." + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node119 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node118 + name: Sample questions + description: 'Have procedures been developed to continue the critical functions + identified in Key Activity 2? 
+ + + If so, have those critical functions that also involve the use of ePHI been + identified? + + + Would different staff, facilities, or systems be needed to perform those functions? + + + Has the security of ePHI in that alternative mode of operation been assured?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node120 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7) + name: Implementation Specification (Required) + description: Establish (and implement as needed) procedures to enable the continuation + of critical business processes to protect the security of ePHI while operating + in emergency mode. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node121 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node120 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node122 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7) + name: Testing and Revision Procedure + description: 'Implement procedures for the periodic testing and revision of + contingency plans. + + + Test the contingency plan on a predefined cycle (stated in the policy developed + under Key Activity 1), if reasonable and appropriate. + + + Train those with defined plan responsibilities in their roles. + + + If possible, involve external entities (e.g., vendors, alternative site or + service providers) in testing exercises. + + + Make key decisions regarding how the testing is to occur (e.g., tabletop exercise + versus staging a real operational scenario, including actual loss of capability). + + + Decide how to segment the type of testing based on the assessment of business + impact and the acceptability of a sustained loss of service.' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node123 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node122 + name: Sample questions + description: 'How is the contingency plan to be tested? + + + Does testing lend itself to a phased approach? + + + Is it feasible to actually take down functions or services for the purposes + of testing? + + + Has the organization conducted backup recovery testing to ensure that critical + data can be recovered using existing data backups? + + + Does the backup recovery testing verify the ability to recover data and operations + based on identified testing scenarios using actual tests (i.e., not tabletop + exercises)? + + + Can testing be done during normal business hours or must it take place during + off hours? + + + Have the tests included personnel with contingency planning responsibilities? + + + Have the results of each test been documented and any problems with the test + reviewed and corrected? + + + If full testing is infeasible, has a tabletop scenario (e.g., a classroom-like + exercise) been considered? + + + How frequently will the plan be tested (e.g., annually)? + + + When should the plan be revised?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node124 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7) + name: Implementation Specification (Addressable) + description: Implement procedures for the periodic testing and revision of contingency + plans. 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node125 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node124 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(8) + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308 + ref_id: 164.308(a)(8) + description: "Evaluation:\nHIPAA Standard: Perform a periodic technical and\ + \ nontechnical evaluation, based initially upon the standards implemented\ + \ under this rule and subsequently, in response to environmental or operational\ + \ changes affecting the security of electronic protected health information,\ + \ that establishes the extent to which a covered entity\u2019s or business\ + \ associate\u2019s security policies and procedures meet the requirements\ + \ of this subpart." + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node127 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(8) + name: Determine Whether Internal or External Evaluation is Most Appropriate + description: 'Decide whether the evaluation will be conducted with internal + staff resources or external consultants. + + + Engage external expertise to assist the internal evaluation team where additional + skills and expertise are determined to be reasonable and appropriate. + + + Use internal resources to supplement an external source of help because these + internal resources can provide the best institutional knowledge and history + of internal policies and practices.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node128 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node127 + name: Sample questions + description: 'Which staff has the technical experience and expertise to evaluate + the systems? + + + Are the evaluators sufficiently independent to provide objective reporting? 
+ + + How much training will staff need on security-related technical and non-technical + issues? + + + If an outside vendor is used, what factors should be considered when selecting + the vendor, such as credentials and experience? + + + What is the budget for internal resources to assist with an evaluation? + + + What is the budget for external services to assist with an evaluation?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node129 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(8) + name: Develop Standards and Measurements for Reviewing All Standards and Implementation + Specifications of the Security Rule + description: "Develop and document organizational policies and procedures for\ + \ conducting evaluation.\n\nOnce security controls have been implemented in\ + \ response to the organization\u2019s risk assessment and management processes,\ + \ periodically review these implemented security measures to ensure their\ + \ continued effectiveness in protecting ePHI.\n\nConsider determining any\ + \ specific evaluation metrics and/or measurements to be captured during evaluation.\ + \ Metrics and/or measurements can assist in tracking progress over time.\n\ + \nUse an evaluation strategy and tool that considers all elements of the HIPAA\ + \ Security Rule and can be tracked, such as a questionnaire or checklist.\n\ + \nImplement tools that can provide reports on the level of compliance, integration,\ + \ or maturity of a particular security safeguard deployed to protect ePHI.\n\ + \nIf available, consider engaging corporate, legal, or regulatory compliance\ + \ staff when conducting the analysis.\n\nLeverage any existing reports or\ + \ documentation that may already be prepared by the organization addressing\ + \ the compliance, integration, or maturity of a particular security safeguard\ + \ deployed to protect ePHI." 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node130 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node129 + name: Sample questions + description: 'Has the organization documented policies and procedures for conducting + the evaluation of security controls? + + + Have management, operational, and technical issues been considered? + + + Do the elements of each evaluation procedure (e.g., questions, statements, + or other components) address individual, measurable security safeguards for + ePHI? + + + Has the organization developed evaluation procedures that capture any desired + metrics or measurements? + + + Has the organization determined that the procedure must be tested in a few + areas or systems? + + + Does the evaluation tool consider all standards and implementation specifications + of the HIPAA Security Rule? + + + Does the evaluation tool address the protection of ePHI that is collected, + used, or disclosed?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node131 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(8) + name: Conduct Evaluation + description: 'Determine in advance what departments and/or staff will participate + in the evaluation. + + + Determine what constitutes an environmental or operational change that affects + the security of ePHI. + + + Determine when evaluations are conducted in response to an environmental or + operational change that affects the security of ePHI (e.g., prior to the change, + contemporaneous with the change, after the change). + + + Secure management support for the evaluation process to ensure participation. + + + Collect and document all needed information. Collection methods may include + the use of interviews, surveys, and the outputs of automated tools, such as + access control auditing tools, system logs, and the results of penetration + testing. 
+ + + Conduct penetration testing (where testers attempt to compromise system security + for the sole purpose of testing the effectiveness of security controls), if + reasonable and appropriate. + + + Evaluation may include reviewing organizational policies and procedures, assessing + the implementation of security controls, collecting evidence of security control + implementation, and performing physical walk- throughs.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node132 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node131 + name: Sample questions + description: 'If available, have staff members with knowledge of IT security + been consulted and included in the evaluation team? + + + Are appropriate personnel notified of planned environmental or operational + changes that could affect the security of ePHI? + + + Is a change management process in place that includes identification and communication + of environmental and operational changes that could affect the security of + ePHI? + + + If penetration testing has been determined to be reasonable and appropriate, + has specifically worded, written approval from senior management been received + for any planned penetration testing? + + + Has the process been formally communicated to those who have been assigned + roles and responsibilities in the evaluation process? + + + Has the organization explored the use of automated tools to support the evaluation + process?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node133 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(8) + name: Document Results + description: 'Document each evaluation finding, as well as remediation options, + recommendations, and decisions. + + + Document known gaps between identified risks, mitigating security controls, + and any acceptance of risk, including justification. 
+ + + Develop security program priorities, and establish targets for continuous + improvement. + + + Utilize the results of evaluations to inform impactful security changes to + protect ePHI. + + + Communicate evaluation results, metrics, and/or measurements to relevant organizational + personnel.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node134 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node133 + name: Sample questions + description: 'Does the process support the development of security recommendations? + + + When determining how best to display evaluation results, have written reports + that highlight key findings and recommendations been considered? + + + If a written final report is to be circulated among key staff, have steps + been taken to ensure that it is made available only to those persons designated + to receive it? + + + Does the organization use evaluation results to enhance the protection of + ePHI rather than for the sake of compliance?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node135 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(8) + name: Repeat Evaluations Periodically + description: 'Establish the frequency of evaluations, and consider the sensitivity + of the ePHI controlled by the organization as well as the organization''s + size, complexity, and environmental and/or operational changes (e.g., other + relevant laws or accreditation requirements). + + + In addition to periodic reevaluations, consider repeating evaluations when + environmental and operational changes that affect the security of ePHI are + made to the organization (e.g., if new technology is adopted or if there are + newly recognized risks to the security of ePHI).' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node136 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node135 + name: Sample questions + description: 'Do security policies specify that evaluations will be repeated + when environmental and operational changes are made that affect the security + of ePHI? + + + Do policies on the frequency of security evaluations reflect any and all relevant + federal or state laws that bear on environmental or operational changes affecting + the security of ePHI? + + + Has the organization explored the use of automated tools to support periodic + evaluations?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(b)(1) + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308 + ref_id: 164.308(b)(1) + description: "Business Associate Contracts and Other Arrangements:\nHIPAA Standard:\ + \ A covered entity may permit a business associate to create, receive, maintain,\ + \ or transmit electronic protected health information on the covered entity\u2019\ + s behalf only if the covered entity obtains satisfactory assurances, in accordance\ + \ with \xA7 164.314(a), that the business associate will appropriately safeguard\ + \ the information. A covered entity is not required to obtain such satisfactory\ + \ assurances from a business associate that is a subcontractor." + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node138 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(b)(1) + name: Identify Entities that are Business Associates Under the HIPAA Security + Rule + description: 'Identify the individual or department who will be responsible + for coordinating the execution of business associate agreements or other arrangements. + + + Reevaluate the list of business associates to determine who has access to + ePHI in order to assess whether the list is complete and current. 
+ + + Identify systems covered by the contract/agreement. + + + Business associates must have a BAA in place with each of their subcontractor + business associates. Subcontractor business associates are also directly liable + for their own Security Rule violations.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node139 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node138 + name: Sample questions + description: 'Does each written and executed BAA contain sufficient language + to ensure that ePHI and any other required information types will be protected? + + + Have all organizations or vendors that provide a service or function on behalf + of the organization been identified? Such services may include: + + + Have outsourced functions that involve the use of ePHI been considered? Such + functions may include:' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node140 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(b)(1) + name: Establish a Process for Measuring Contract Performance and Terminating + the Contract if Security Requirements Are Not Being Met + description: 'Maintain clear lines of communication between covered entities + and business associates regarding the protection of ePHI as per the BAA or + contract. + + + Establish criteria for measuring contract performance.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node141 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node140 + name: Sample questions + description: 'What is the service being performed? + + + What is the expected outcome? + + + Is there a process for reporting security incidents related to the agreement? + + + Are additional assurances of protections for ePHI from the business associate + necessary? 
If so, where will such additional assurances be documented (e.g., + in the BAA, service-level agreement, or other documentation), and how will + they be met (e.g., providing documentation of implemented safeguards, audits, + certifications)?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node142 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(b)(1) + name: Written Contract or Other Arrangement + description: "Document the satisfactory assurances required by this standard\ + \ through a written contract or other arrangement with the business associate\ + \ that meets the applicable requirements of \xA7164.314(a). Readers may find\ + \ useful resources in Appendix F, including OCR BAA guidance and/or templates\ + \ that include applicable language.\n\nExecute new or update existing agreements\ + \ or arrangements as appropriate.\n\nIdentify roles and responsibilities.\n\ + \nInclude security requirements in business associate contracts and agreements\ + \ to address the confidentiality, integrity, and availability of ePHI.\n\n\ + Specify any training requirements associated with the contract/agreement or\ + \ arrangement, if reasonable and appropriate." + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node143 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node142 + name: Sample questions + description: 'Who is responsible for coordinating and preparing the final agreement + or arrangement? + + + Does the agreement or arrangement specify how information is to be transmitted + to and from the business associate? + + + Have security controls been specified for the business associate? + + + Are clear responsibilities identified and established regarding potentially + overlapping HIPAA obligations (e.g., if hosting ePHI in the cloud, will the + CE, BA, or both address encryption)? 
+ + + Have appropriate organizational personnel been trained in the process of initiating + and maintaining a business associate agreement (BAA)?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node144 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(b)(1) + name: Implementation Specification (Required) + description: "Document the satisfactory assurances required by this standard\ + \ through a written contract or other arrangement with the business associate\ + \ that meets the applicable requirements of \xA7164.314(a). Readers may find\ + \ useful resources in Appendix F, including OCR BAA guidance and/or templates\ + \ that include applicable language." + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node145 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node144 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310 + assessable: false + depth: 1 + ref_id: '164.310' + description: "Physical Safeguards:\nDefined as the \u201Cphysical measures,\ + \ policies, and procedures to protect a covered entity\u2019s electronic information\ + \ systems and related buildings and equipment, from natural and environmental\ + \ hazards, and unauthorized intrusion.\u201D" + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310 + ref_id: 164.310(a) + description: 'Facility Access Controls: + + HIPAA Standard: Implement policies and procedures to limit physical access + to its electronic information systems and the facility or facilities in which + they are housed, while ensuring that properly authorized access is allowed.' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node148 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) + name: Conduct an Analysis of Existing Physical Security Vulnerabilities + description: 'Inventory facilities and identify shortfalls and/or vulnerabilities + in current physical security capabilities. + + + Assign degrees of significance to each vulnerability identified and ensure + that proper access is allowed. + + + Determine which types of facilities require access controls to safeguard ePHI, + such as:' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node149 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node148 + name: Sample questions + description: 'If reasonable and appropriate, do non-public areas have locks + and cameras? + + + Are computing devices protected from public access or viewing? + + + Are entrances and exits that lead to locations with ePHI secured? + + + Do policies and procedures already exist regarding access to and use of facilities + and equipment? + + + Are there possible natural or human-made disasters that could happen in the + environment? + + + Do normal physical protections exist (e.g., locks on doors, windows, and other + means of preventing unauthorized access)? + + + Are network wiring cables protected and not exposed to unauthorized personnel? + + + Is there a list of workforce members who can access the facility after hours + via the use of keys, badge access, and knowledge of the security or alarm + system?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node150 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) + name: Identify Corrective Measures + description: 'Identify and assign responsibility for the measures and activities + necessary to correct deficiencies, and ensure that proper physical access + is allowed. 
+ + + Develop and deploy policies and procedures to ensure that repairs, upgrades, + and/or modifications are made to the appropriate physical areas of the facility + while ensuring that proper access is allowed.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node151 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node150 + name: Sample questions + description: 'Who is responsible for security? + + + Is a workforce member other than the security official responsible for facility/physical + security? + + + Are facility access control policies and procedures already in place? Do they + need to be revised? + + + What training will be needed for workforce members to understand the policies + and procedures? + + + How will decisions and actions be documented? + + + Is a property owner or external party (e.g., cloud service provider) required + to make physical changes to meet the requirements?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node152 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) + name: Develop a Facility Security Plan + description: "Implement policies and procedures to safeguard the facility and\ + \ the equipment therein from unauthorized physical access, tampering, and\ + \ theft.\n\nImplement appropriate measures to provide physical security protection\ + \ for ePHI in a regulated entity\u2019s possession.\n\nInclude documentation\ + \ of the facility inventory, physical maintenance records, and a history of\ + \ changes, upgrades, and other modifications.\n\nIdentify points of access\ + \ to the facility and existing security controls." + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node153 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node152 + name: Sample questions + description: 'Is there an inventory of facilities and existing security practices? 
+ + + What are the current procedures for securing the facilities (e.g., exterior, + interior, equipment, access controls, maintenance records)? + + + Is a workforce member other than the security official responsible for the + facility plan? + + + Is there a contingency plan already in place, under revision, or under development?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node154 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) + name: Implementation Specification (Addressable) + description: Implement policies and procedures to safeguard the facility and + the equipment therein from unauthorized physical access, tampering, and theft. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node155 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node154 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node156 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) + name: Develop Access Control and Validation Procedures + description: 'Implement procedures to control and validate a person''s access + to facilities based on their role or function, including visitor control and + control of access to software programs for testing and revision. + + + Implement procedures to provide facility access to authorized personnel and + visitors and exclude unauthorized persons.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node157 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node156 + name: Sample questions + description: 'What are the policies and procedures in place for controlling + access by staff, contractors, visitors, and probationary workforce members? + + + Do the procedures identify individuals, roles, or job functions that are authorized + to access software programs for testing and revision? 
+ + + How many access points exist in each facility? Is there an inventory? + + + Is monitoring equipment necessary? + + + Is there a periodic review of personnel with physical access?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node158 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) + name: Implementation Specification (Addressable) + description: Implement procedures to control and validate a person's access + to facilities based on their role or function, including visitor control and + control of access to software programs for testing and revision. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node159 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node158 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node160 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) + name: Establish Contingency Operations Procedures + description: Establish (and implement as needed) procedures that allow facility + access in support of the restoration of lost data under the Disaster Recovery + Plan and Emergency Mode Operations Plan in the event of an emergency. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node161 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node160 + name: Sample questions + description: 'Are there procedures to allow facility access while restoring + lost data in the event of an emergency? + + + Who needs access to ePHI in the event of a disaster? + + + What is the backup plan for access to the facility and/or ePHI? + + + Who is responsible for the contingency plan for access to ePHI? + + + Who is responsible for implementing the contingency plan for access to ePHI + in each department or unit? 
+ + + Will the contingency plan be appropriate in the event of all types of potential + disasters (e.g., fire, flood, earthquake, etc.)?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node162 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) + name: Implementation Specification (Addressable) + description: Establish (and implement as needed) procedures that allow facility + access in support of the restoration of lost data under the Disaster Recovery + Plan and Emergency Mode Operations Plan in the event of an emergency. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node163 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node162 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node164 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) + name: Maintain Maintenance Records + description: Implement policies and procedures to document repairs and modifications + to the physical components of a facility that are related to security (e.g., + hardware, walls, doors, and locks). + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node165 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node164 + name: Sample questions + description: 'Are policies and procedures developed and implemented that specify + how to document repairs and modifications to the physical components of a + facility that are related to security? + + + Are records of repairs to hardware, walls, doors, and locks maintained? + + + Has responsibility for maintaining these records been assigned?' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node166 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) + name: Implementation Specification (Addressable) + description: Implement policies and procedures to document repairs and modifications + to the physical components of a facility that are related to security (e.g., + hardware, walls, doors, and locks). + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node167 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node166 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(b) + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310 + ref_id: 164.310(b) + description: 'Workstation Use: + + HIPAA Standard: Implement policies and procedures that specify the proper + functions to be performed, the manner in which those functions are to be performed, + and the physical attributes of the surroundings of a specific workstation + or class of workstation that can access electronic protected health information.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node169 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(b) + name: Identify Workstation and Device Types and Functions or Uses + description: "Inventory workstations and devices that create, store, process\ + \ or transmit ePHI. 
Be sure to consider the multitude of computing devices\ + \ (e.g., medical equipment, medical IoT devices, tablets, smart phones, etc.).\n\ + \nDevelop policies and procedures for each type of device and identify and\ + \ accommodate their unique issues.\n\nClassify devices based on the capabilities,\ + \ connections, and allowable activities for each device used.\n\nDetermine\ + \ the proper function and manner by which specific workstations or classes\ + \ of workstations are permitted to access ePHI (e.g., applications permitting\ + \ access to ePHI that are allowed on workstations used by a hospital\u2019\ + s customer service call center or its radiology department)." + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node170 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node169 + name: Sample questions + description: 'Do the policies and procedures identify devices that access ePHI + and those that do not? + + + Is there an inventory of device types and locations in the organization? + + + Who is responsible for this inventory and its maintenance? + + + What tasks are commonly performed on a given device or type of device? + + + Are all types of computing devices used as workstations identified along with + the use of these devices? + + + Are all devices that create, store, process, or transmit ePHI owned by the + regulated entity? + + + Are some devices personally owned or owned by another party? + + + Has the organization considered the use of automation to manage device inventory?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node171 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(b) + name: Identify the Expected Performance of Each Type of Workstation and Device + description: Develop and document policies and procedures related to the proper + use and performance of devices that create, store, process, or transmit ePHI. 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node172 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node171 + name: Sample questions + description: 'How are these devices used in day-to-day operations? + + + Which devices are involved in various work activities? + + + What are key operational risks that could result in a breach of security? + + + Do the policies and procedures address the use of these devices for any personal + use? + + + Has the organization updated training and awareness content to include the + proper use and performance of these devices?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node173 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(b) + name: Analyze Physical Surroundings for Physical Attributes + description: "Ensure that any risks associated with a device\u2019s surroundings\ + \ are known and analyzed for possible negative impacts.\n\nDevelop policies\ + \ and procedures that will prevent or preclude the unauthorized access of\ + \ unattended devices, limit the ability of unauthorized persons to view sensitive\ + \ information, and dispose of sensitive information as needed." + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node174 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node173 + name: Sample questions + description: 'Do the policies and procedures specify where to place devices + to only allow viewing by authorized personnel? + + + Where are devices located? + + + Where does work on ePHI occur? + + + Are some devices stationary? + + + Are some devices mobile and leave the physical facility? + + + Is viewing by unauthorized individuals restricted or limited on these devices? + + + Do changes need to be made in the space configuration? + + + Do workforce members understand the security requirements for the data they + use in their day-to-day jobs? 
+ + + Are any computing components (e.g., servers, workstations, medical devices) + kept in locations that put the confidentiality, integrity, and availability + of ePHI at risk?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(c) + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310 + ref_id: 164.310(c) + description: 'Workstation Security: + + HIPAA Standard: Implement physical safeguards for all workstations that access + electronic protected health information, to restrict access to authorized + users.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node176 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(c) + name: Identify All Methods of Physical Access to Workstations and Devices + description: 'Document the different ways that users access workstations and + other devices that create, store, process, or transmit ePHI. Be sure to consider + the multitude of computing devices (e.g., medical equipment, medical IoT devices, + tablets, smart phones, etc.). + + + Consider any mobile devices that leave the physical facility as well as remote + workers who access devices that create, store, process, or transmit ePHI.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node177 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node176 + name: Sample questions + description: 'Is there an inventory of all current device locations? + + + Are any devices located in public areas? + + + Are laptops or other computing devices used as workstations to create, access, + store, process, or transmit ePHI?' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node178 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(c) + name: Analyze the Risks Associated with Each Type of Access + description: Determine which type of access identified in Key Activity 1 poses + the greatest threat to the security of ePHI. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node179 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node178 + name: Sample questions + description: 'Do any devices leave the facility? + + + Are any devices housed in areas that are more vulnerable to unauthorized use, + theft, or viewing of the data they contain? + + + What are the options for modifying the current access configuration to protect + ePHI?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node180 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(c) + name: Identify and Implement Physical Safeguards for Workstations and Devices + description: 'Implement physical safeguards and other security measures to minimize + the possibility of inappropriate access to ePHI through computing devices. + + + If there are impediments to physically securing devices and/or the facilities + where devices are located, additional safeguards should be considered, such + as:' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node181 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node180 + name: Sample questions + description: 'Are physical safeguards implemented for all devices that access + ePHI to restrict access to authorized users? + + + Are devices and other tools used in the provisioning of treatment, payment + and operations protected from unauthorized access, viewing, modification, + and/or theft within mobile healthcare environments? 
+ + + What safeguards are in place,(e.g., locked doors, screen barriers, cameras, + guards)? + + + Are additional physical safeguards needed to protect devices with ePHI? + + + Do any devices need to be relocated to enhance physical security? + + + Are safeguards such as anti-theft devices, physical privacy screens, or other + procedures used to help prevent unauthorized audio and video recording + + + Have workforce members been trained on security? + + + Are some devices not owned by the organization? Do these ownership considerations + preclude the use of any physical security controls on the device? + + + Do the policies and procedures specify the use of additional security measures + to protect devices with ePHI, such as using privacy screens, enabling password-protected + screen savers, or logging off the device?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d) + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310 + ref_id: 164.310(d) + description: 'Device and Media Controls: + + HIPAA Standard: Implement policies and procedures that govern the receipt + and removal of hardware and electronic media that contain electronic protected + health information into and out of a facility, and the movement of these items + within the facility.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node183 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d) + name: Implement Methods for the Final Disposal of ePHI + description: 'Implement policies and procedures to address the final disposition + of ePHI and/or the hardware or electronic media on which it is stored. + + + Determine and document the appropriate methods to dispose of hardware, software, + and the data itself. + + + Ensure that ePHI is properly destroyed and cannot be recreated.' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node184 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node183 + name: Sample questions + description: 'What ePHI is created, stored, processed, and transmitted by the + organization? On what media is it located? + + + Is data stored on removable, reusable media (e.g., flash drives, Secure Digital + (SD) memory cards)? + + + Are policies and procedures developed and implemented that address the disposal + of ePHI and/or the hardware and media on which ePHI is stored? + + + Is there a process for destroying data on all media? + + + What are the options for disposing of data on hardware? What are the costs? + + + Prior to disposal, have media and devices containing ePHI been sanitized in + accordance with SP 800-88?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node185 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d) + name: Implementation Specification (Required) + description: Implement policies and procedures to address the final disposition + of ePHI and/or the hardware or electronic media on which it is stored. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node186 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node185 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node187 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d) + name: Develop and Implement Procedures for the Reuse of Electronic Media + description: 'Implement procedures for the removal of ePHI from electronic media + before the media become available for reuse. + + + Ensure that ePHI previously stored on any electronic media cannot be accessed + and reused. + + + Identify removable media and their uses. 
+ + + Ensure that ePHI is removed from reusable media before they are used to record + new information.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node188 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node187 + name: Sample questions + description: 'Do policies and procedures already exist regarding the reuse of + electronic media (i.e., hardware and software)? + + + Have reused media been erased to the point where previous ePHI is neither + readily available nor recoverable? + + + Is one individual and/or department responsible for coordinating the disposal + of data and the reuse of the hardware and software? + + + Are workforce members appropriately trained on the security risks to ePHI + when reusing software and hardware?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node189 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d) + name: Implementation Specification (Required) + description: Implement procedures for the removal of ePHI from electronic media + before the media become available for reuse. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node190 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node189 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node191 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d) + name: Maintain Accountability for Hardware and Electronic Media + description: 'Maintain a record of the movements of hardware and electronic + media and any person responsible for them. + + + Ensure that ePHI is not inadvertently released or shared with any unauthorized + party. + + + Ensure that an individual is responsible for and records the receipt and removal + of hardware and software with ePHI.' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node192 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node191 + name: Sample questions + description: 'Have policies and procedures been implemented that govern the + receipt and removal of hardware and electronic media that contain ePHI into + and out of a facility, and the movement of these items within the facility? + + + Has a process been implemented to maintain a record of the movements of and + persons responsible for hardware and electronic media that contain ePHI? + + + Where is data stored (i.e., what type of media)? + + + What procedures already exist to track hardware and software within the organization + (e.g., an enterprise inventory management system)? + + + If workforce members are allowed to remove electronic media that contain or + may be used to access ePHI, do procedures exist to track the media externally? + + + Who is responsible for maintaining records of hardware and software?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node193 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d) + name: Implementation Specification (Addressable) + description: Maintain a record of the movements of hardware and electronic media + and any person responsible for them. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node194 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node193 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node195 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d) + name: Develop Data Backup and Storage Procedures + description: 'Create a retrievable exact copy of ePHI, when needed, before movement + of equipment. 
+ + + Ensure that an exact retrievable copy of the data is retained and protected + to maintain the integrity of ePHI during equipment relocation.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node196 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node195 + name: Sample questions + description: 'Has a process been implemented to create a retrievable, exact + copy of ePHI when needed and before the movement of equipment? + + + Are backup files maintained offsite to ensure data availability in the event + that data is lost while transporting or moving electronic media that contain + ePHI? + + + If data were to be unavailable while media are transported or moved for a + period of time, what would the business impact be?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node197 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d) + name: Implementation Specification (Addressable) + description: Create a retrievable exact copy of ePHI, when needed, before movement + of equipment. 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node198 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node197 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312 + assessable: false + depth: 1 + ref_id: '164.312' + description: "Technical Safeguards:\nDefined as the \u201Cthe technology and\ + \ the policy and procedures for its use that protect electronic protected\ + \ health information and control access to it.\u201D" + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312 + ref_id: 164.312(a) + description: "Access Control:\nHIPAA Standard: Implement technical policies\ + \ and procedures for electronic information systems that maintain electronic\ + \ protected health information to allow access only to those persons or software\ + \ programs that have been granted access rights as specified in \xA7 164.308(a)(4)." + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node201 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) + name: Analyze Workloads and Operations to Identify the Access Needs of All Users + description: 'Identify an approach for access control. + + + Consider all applications and systems containing ePHI that should only be + available to authorized users, processes, and services. + + + Integrate these activities into the access granting and management process.' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node202 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node201 + name: Sample questions + description: "Have all applications and systems with ePHI been identified?\n\ + \nWhat user roles are defined for those applications and systems?\n\nIs access\ + \ to systems containing ePHI only granted to authorized processes and services?\n\ + \nWhere is the ePHI supporting those applications and systems currently housed\ + \ (e.g., stand-alone computer, network storage, database)?\n\nAre data and/or\ + \ systems being accessed remotely?\n\nHave access decisions been based on\ + \ determinations from \xA7 164.308(a)(4) Information Access Management?" + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node203 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) + name: Identify Technical Access Control Capabilities + description: "Determine the access control capabilities of all systems with\ + \ ePHI.\n\nDetermine whether network infrastructure can limit access to systems\ + \ with ePHI (e.g., network segmentation).\n\nImplement technical access controls\ + \ to limit access to ePHI to only that which has been granted in accordance\ + \ with the regulated entity\u2019s information access management policies\ + \ and procedures (see 45 CFR 164.308(a)(4))." + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node204 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node203 + name: Sample questions + description: "How are the systems accessed for viewing, modifying, or creating\ + \ data?\n\nCan identified technical access controls limit access to ePHI to\ + \ only what is authorized in accordance with the regulated entity\u2019s information\ + \ access management policies and procedures (see 45 CFR 164.308(a)(4))?" 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node205 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) + name: Ensure that All System Users Have Been Assigned a Unique Identifier + description: 'Assign a unique name and/or number for identifying and tracking + user identity. + + + Ensure that system activity can be traced to a specific user. + + + Ensure that the necessary data is available in the system logs to support + audit and other related business functions.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node206 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node205 + name: Sample questions + description: 'How should the identifier be established (e.g., length and content)? + + + Should the identifier be self-selected, organizationally selected, or randomly + generated? + + + Are logs associated with access events created? + + + Are these access logs regularly reviewed? + + + Can the unique user identifier be used to track user access to ePHI?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node207 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) + name: Implementation Specification (Required) + description: Assign a unique name and/or number for identifying and tracking + user identity. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node208 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node207 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node209 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) + name: Develop Access Control Policy and Procedures + description: 'Establish a formal policy for access control that will guide the + development of procedures. 
+ + + Specify requirements for access control that are both feasible and cost-effective.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node210 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node209 + name: Sample questions + description: 'Have rules of behavior been established and communicated to system + users? + + + How will rules of behavior be enforced?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node211 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) + name: Implement Access Control Procedures Using Selected Hardware and Software + description: Implement the policy and procedures using existing or additional + hardware or software solutions. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node212 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node211 + name: Sample questions + description: 'Who will manage the access control procedures? + + + Are current users trained in access control management? + + + Will user training be needed to implement access control procedures? + + + Do the medical devices in use by the organization support user authentication? + Are there processes in place to manage this authentication?' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node213 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) + name: Review and Update Access for Users and Processes + description: "Enforce the policy and procedures as a matter of ongoing operations.\n\ + \nDetermine whether any changes are needed for access control mechanisms.\n\ + \nEnsure that the modification of technical controls that affect a user\u2019\ + s access to ePHI continue to limit access to ePHI to that which has been granted\ + \ in accordance with the regulated entity\u2019s information access management\ + \ policies and procedures (see 45 CFR 164.308(a)(4)).\n\nEstablish procedures\ + \ for updating access when users require the following:" + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node214 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node213 + name: Sample questions + description: 'Have new workforce members/users been given proper instructions + for protecting data and systems? + + + What are the procedures for new employee/user access to data and systems? + + + Are there procedures for reviewing and, if appropriate, modifying access authorizations + for existing users, services, and processes? + + + Do users and processes have the appropriate set of permissions to ePHI to + which they were granted access and to the appropriate systems that create, + store, process, or transmit ePHI? + + + Has the regulated entity considered the use of automation for reviewing the + access needs of users and processes?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node215 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) + name: Establish an Emergency Access Procedure + description: 'Establish (and implement as needed) procedures for obtaining necessary + electronic protected health information during an emergency. 
+ + + Identify a method for supporting continuity of operations should the normal + access procedures be disabled or unavailable due to system problems.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node216 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node215 + name: Sample questions + description: 'Are there policies and procedures in place to provide appropriate + access to ePHI in emergency situations? + + + When should the emergency access procedure be activated? + + + Who is authorized to make the decision? + + + Who has assigned roles in the process? + + + Will systems automatically default to settings and functionalities that will + enable the emergency access procedure or will the mode be activated by the + system administrator or other authorized individual?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node217 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) + name: Implementation Specification (Required) + description: Establish (and implement as needed) procedures for obtaining necessary + electronic protected health information during an emergency. 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node218 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node217 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node219 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) + name: Automatic Logoff and Encryption and Decryption + description: 'Consider whether the addressable implementation specifications + of this standard are reasonable and appropriate:' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node220 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node219 + name: Sample questions + description: "Are automatic logoff features available for any of the regulated\ + \ entity\u2019s operating systems or other major applications?\n\nIf applications\ + \ have been created or developed in-house, is it reasonable and appropriate\ + \ to modify them to feature an automatic logoff capability?\n\nWhat period\ + \ of inactivity prior to automatic logoff is reasonable and appropriate for\ + \ the regulated entity?\n\nWhat encryption capabilities are available for\ + \ the regulated entity\u2019s ePHI?\n\nIs encryption appropriate for storing\ + \ and maintaining ePHI (i.e., at rest)?\n\nBased on the risk assessment, is\ + \ encryption needed to effectively protect ePHI at rest from unauthorized\ + \ access?\n\nIs email encryption necessary for the organization to protect\ + \ ePHI?\n\nAre automated confidentiality statements needed for email leaving\ + \ the organization?" 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node221 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) + name: Implementation Specification (Automatic Logoff) + description: 'Consider whether the addressable implementation specifications + of this standard are reasonable and appropriate:' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node222 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node221 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node223 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) + name: Implementation Specification (Encryption and Decryption) + description: 'Consider whether the addressable implementation specifications + of this standard are reasonable and appropriate:' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node224 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node223 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node225 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) + name: Terminate Access if it is No Longer Required + description: 'Ensure that access to ePHI is terminated if the access is no longer + authorized. + + + Consider implementing a user recertification process to ensure that least + privilege is enforced.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node226 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node225 + name: Sample questions + description: 'Are rules being enforced to remove access by staff members who + no longer have a need to know because they have changed assignments or have + stopped working for the organization? 
+ + + Does the organization revisit user access requirements regularly to ensure + least privilege?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(b) + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312 + ref_id: 164.312(b) + description: 'Audit Controls: + + HIPAA Standard: Implement hardware, software, and/or procedural mechanisms + that record and examine activity in information systems that contain or use + electronic protected health information.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node228 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(b) + name: Determine the Activities that Will Be Tracked or Audited + description: "Determine the appropriate scope of audit controls that will be\ + \ necessary in information systems that contain or use ePHI based on the regulated\ + \ entity\u2019s risk assessment and other organizational factors.\n\nDetermine\ + \ what activities need to be captured using the results of the risk assessment\ + \ and risk management processes." + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node229 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node228 + name: Sample questions + description: 'Where is ePHI at risk in the organization? + + + What systems, applications, or processes make ePHI vulnerable to unauthorized + or inappropriate tampering, uses, or disclosures? + + + What activities will be audited (e.g., creating ePHI, accessing ePHI, modifying + ePHI, transmitting ePHI, and/or deleting files or records that contain ePHI)? + + + What should the audit record include (e.g., user responsible for the activity; + event type, date, or time)? + + + Are audit records generated for all systems/devices that create, store, process, + or transmit ePHI?' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node230 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(b) + name: Select the Tools that Will Be Deployed for Auditing and System Activity + Reviews + description: Evaluate existing system capabilities and determine whether any + changes or upgrades are necessary. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node231 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node230 + name: Sample questions + description: 'What tools are in place? + + + What are the most appropriate monitoring tools for the organization (e.g., + third party, freeware, or operating system-provided)? + + + Are changes/upgrades to information systems reasonable and appropriate?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node232 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(b) + name: Develop and Deploy the Information System Activity Review/Audit Policy + description: "Document and communicate to the workforce the organization\u2019\ + s decisions on audits and reviews." + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node233 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node232 + name: Sample questions + description: "Who is responsible for the overall audit process and results?\n\ + \nHow often will audits take place?\n\nHow often will audit results be analyzed?\n\ + \nWhat is the organization\u2019s sanction policy for employee violations?\n\ + \nWhere will audit information reside (e.g., separate server)?" 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node234 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(b) + name: Develop Appropriate Standard Operating Procedures + description: 'Determine the types of audit trail data and monitoring procedures + that will be needed to derive exception reports. + + + Determine the frequency of audit log reviews based on the risk assessment + and risk management processes.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node235 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node234 + name: Sample questions + description: "How will exception reports or logs be reviewed?\n\nHas the organization\ + \ considered the use of automation to assist in the monitoring and review\ + \ of system activity?\n\nAre the organization\u2019s monitoring system activity\ + \ and logs reviewed frequently enough to sufficiently protect ePHI?\n\nWhere\ + \ will monitoring reports be filed and maintained?\n\nIs there a formal process\ + \ in place to address system misuse, abuse, and fraudulent activity?\n\nHow\ + \ will managers and workforce members be notified, when appropriate, regarding\ + \ suspect activity?" + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node236 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(b) + name: Implement the Audit/System Activity Review Process + description: 'Activate the necessary audit system. + + Begin logging and auditing procedures.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node237 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node236 + name: Sample questions + description: 'What mechanisms (e.g., metrics) will be implemented to assess + the effectiveness of the audit process? + + + What is the plan to revise the audit process when needed?' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c) + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312 + ref_id: 164.312(c) + description: 'Integrity: + + HIPAA Standard: Implement policies and procedures to protect electronic protected + health information from improper alteration or destruction.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node239 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c) + name: Identify All Users Who Have Been Authorized to Access ePHI + description: 'Identify all approved users with the ability to alter or destroy + ePHI, if reasonable and appropriate. + + + Address this Key Activity in conjunction with the identification of unauthorized + sources in Key Activity 2.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node240 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node239 + name: Sample questions + description: 'How are users authorized to access the information? + + + Is there a sound basis for why they need the access? + + + Have they been trained on how to use the information? + + + Is there an audit trail established for all accesses to the information?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node241 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c) + name: Identify Any Possible Unauthorized Sources that May Be Able to Intercept + the Information and Modify It + description: 'Identify scenarios that may result in modification to the ePHI + by unauthorized sources (e.g., hackers, ransomware, insider threats, business + competitors, user errors). + + + Conduct this activity as part of a risk analysis. 
+ + + Consider how the organization will detect unauthorized modification to ePHI' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node242 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node241 + name: Sample questions + description: 'What are likely sources that could jeopardize information integrity? + + + What can be done to protect the integrity of the information when it is residing + in a system (at rest)? + + + What procedures and policies can be established to decrease or prevent alteration + of the information during transmission? + + + What options exist to detect the unauthorized modification of ePHI?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node243 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c) + name: Develop the Integrity Policy and Requirements + description: Establish a formal written set of integrity requirements based + on the results of the analysis completed in Key Activities 1 and 2. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node244 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node243 + name: Sample questions + description: 'Have the requirements been discussed and agreed to by identified + key personnel involved in the processes that are affected? + + + Have the requirements been documented? + + + Has a written policy been developed and communicated to personnel?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node245 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c) + name: Implement Procedures to Address These Requirements + description: 'Identify and implement methods that will be used to protect ePHI + from unauthorized modification. + + + Identify and implement tools and techniques to be developed or procured that + support the assurance of integrity.' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node246 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node245 + name: Sample questions + description: 'Are current audit, logging, and access control techniques sufficient + to address the integrity of ePHI? + + + If not, what additional techniques (e.g., quality control process, transaction + and output reconstruction) can be utilized to check the integrity of ePHI? + + + Are technical solutions in place to prevent and detect the malicious alteration + or destruction of ePHI (e.g., anti-malware, anti-ransomware, file integrity + monitoring solutions)? + + + Can the additional training of users decrease instances attributable to human + errors?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node247 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c) + name: Implement a Mechanism to Authenticate ePHI + description: 'Implement electronic mechanisms to corroborate that ePHI has not + been altered or destroyed in an unauthorized manner. + + + Consider possible mechanisms for integrity verification, such as:' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node248 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node247 + name: Sample questions + description: 'Are the uses of both electronic and non-electronic mechanisms + necessary for the protection of ePHI? + + + Are appropriate electronic authentication tools available? + + + Are available electronic authentication tools interoperable with other applications + and system components? + + + If ePHI is detected as altered by unauthorized users or improperly altered + by authorized users, is a process in place to respond? + + + Is this response process tied to organizational incident management processes?' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node249 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c) + name: Implementation Specification (Addressable) + description: Implement electronic mechanisms to corroborate that ePHI has not + been altered or destroyed in an unauthorized manner. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node250 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node249 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node251 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c) + name: Establish a Monitoring Process to Assess How the Implemented Process is + Working + description: 'Review existing processes to determine whether objectives are + being addressed. + + + Continually reassess integrity processes as technology and operational environments + change to determine whether they need to be revised.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node252 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node251 + name: Sample questions + description: 'Are there reported instances of information integrity problems? + Have they decreased since integrity procedures were implemented? + + + Does the process, as implemented, provide a higher level of assurance that + information integrity is being maintained?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(d) + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312 + ref_id: 164.312(d) + description: 'Person or Entity Authentication: + + HIPAA Standard: Implement procedures to verify that a person or entity seeking + access to electronic protected health information is the one claimed.' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node254 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(d) + name: Determine Authentication Applicability to Current Systems/Applications + description: "Identify the methods available for authentication. Under the HIPAA\ + \ Security Rule, authentication is the corroboration that a person is the\ + \ one claimed (45 CFR \xA7 164.304).\n\nIdentify points of electronic access\ + \ that require or should require authentication. Ensure that the regulated\ + \ entity\u2019s risk analysis properly assesses risks for such access points\ + \ (e.g., risks of unauthorized access from within the enterprise could be\ + \ different than those of remote unauthorized access).\n\nAuthentication requires\ + \ establishing the validity of a transmission source and/or verifying an individual\u2019\ + s claim that they have been authorized for specific access privileges to information\ + \ and information systems." + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node255 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node254 + name: Sample questions + description: 'What authentication methods are available? + + + What are the advantages and disadvantages of each method? + + + Can risks of unauthorized access be sufficiently reduced for each point of + electronic access with available authentication methods? + + + What will it cost to implement the available methods in the environment? + + + Are there trained staff who can maintain the system or should outsourced support + be considered? + + + Are passwords being used? If so, are they unique to the individual? + + + Is MFA being used? If so, how and where is it implemented?' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node256 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(d) + name: Evaluate Available Authentication Options + description: 'Weigh the relative advantages and disadvantages of commonly used + authentication approaches. + + + There are three commonly used authentication approaches available: + + + MFA utilizes two or more authentication approaches to enforce stronger authentication. + + + Consider implementing MFA solutions when the risk to ePHI is sufficiently + high.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node257 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node256 + name: Sample questions + description: 'What are the strengths and weaknesses of each available option? + + + Which can be best supported with assigned resources (e.g., budget/staffing)? + + + What level of authentication is appropriate for each access to ePHI based + on the assessment of risk? + + + Has the organization identified all instances of access to ePHI (including + by services, vendors, or application programming interfaces [APIs]) and considered + appropriate authentication requirements based on the risk assessment? + + + Has the organization considered MFA for access to ePHI that poses high risk + (e.g., remote access, access to privileged functions)? + + + Has the organization researched available MFA options and made a selection + based on risk to ePHI? + + + Is outside vendor support required to implement the process? + + + Are there password-less authentication options (e.g., biometric authentication) + available that can sufficiently address the risk to ePHI?' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node258 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(d) + name: Select and Implement Authentication Options + description: 'Consider the results of the analysis conducted under Key Activity + 2, and select appropriate authentication methods based on the results of the + risk assessment and risk management processes. + + + Implement the methods selected in organizational operations and activities.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node259 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node258 + name: Sample questions + description: "Has the organization\u2019s selection of authentication methods\ + \ been made based on the results of the risk assessment?\n\nIf passwords are\ + \ being used as an authentication element, are they of sufficient length and\ + \ strength to protect ePHI? Is this enforced by technical policies?\n\nHas\ + \ necessary user and support staff training been completed?\n\nHave a formal\ + \ authentication policy and procedures been established and communicated?\n\ + \nHas necessary testing been completed to ensure that the authentication system\ + \ is working as prescribed?\n\nDo the procedures include ongoing system maintenance\ + \ and updates?\n\nIs the process implemented in such a way that it does not\ + \ compromise the authentication information (e.g., password file encryption,\ + \ etc.)?" + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(e)(1) + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312 + ref_id: 164.312(e)(1) + description: 'Transmission Security: + + HIPAA Standard: Implement technical security measures to guard against unauthorized + access to electronic protected health information that is being transmitted + over an electronic communications network.' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node261 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(e)(1) + name: Identify Any Possible Unauthorized Sources that May Be Able to Intercept + and/or Modify the Information + description: 'Identify all pathways by which ePHI will be transmitted into, + within, and outside of the organization. + + + Identify scenarios (e.g., telehealth, claims processing) that may result in + access to or modification of the ePHI by unauthorized sources during transmission + (e.g., hackers, disgruntled workforce members, business competitors). + + + Identify scenarios and pathways that may put ePHI at a high level of risk.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node262 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node261 + name: Sample questions + description: 'Have all pathways by which ePHI will be transmitted (e.g., file + transfers, email, web portals, mobile apps, communications with servers or + databases containing ePHI, online tracking) been identified? + + + Has a risk assessment been used to determine transmission pathways and scenarios + that may pose high risk to ePHI? + + + What measures exist to protect ePHI in transmission? + + + Have appropriate protection mechanisms been identified for all scenarios and + pathways by which ePHI is transmitted? + + + Is there an auditing process in place to verify that ePHI has been protected + against unauthorized access during transmission? + + + Are there trained staff members to monitor transmissions?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node263 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(e)(1) + name: Develop and Implement Transmission Security Policy and Procedures + description: 'Establish a formal written set of requirements for transmitting + ePHI. 
+ + + Identify methods of transmission that will be used to safeguard ePHI. + + + Identify tools and techniques that will be used to support the transmission + security policy. + + + Implement procedures for transmitting ePHI using hardware and/or software, + if needed.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node264 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node263 + name: Sample questions + description: 'Have the requirements been discussed and agreed to by identified + key personnel involved in transmitting ePHI? + + + Has a written policy been developed and communicated to system users?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node265 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(e)(1) + name: Implement Integrity Controls + description: Implement security measures to ensure that electronically transmitted + ePHI is not improperly modified without detection until disposed of. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node266 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node265 + name: Sample questions + description: 'What security measures are currently used to protect ePHI during + transmission? + + + What measures are planned to protect ePHI in transmission? + + + Is there assurance that information is not altered during transmission?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node267 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(e)(1) + name: Implementation Specification (Addressable) + description: Implement security measures to ensure that electronically transmitted + ePHI is not improperly modified without detection until disposed of. 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node268 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node267 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node269 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(e)(1) + name: Implement Encryption + description: Implement a mechanism to encrypt ePHI whenever appropriate. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node270 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node269 + name: Sample questions + description: 'Is encryption reasonable and appropriate to protect ePHI in transmission? + + + Based on the risk assessment, is encryption needed to effectively protect + the information from unauthorized access during transmission? + + + Has the organization considered the use of email encryption and automated + confidentiality statements when emailing outside of the organization? + + + Is encryption feasible and cost-effective in this environment? + + + What encryption algorithms and mechanisms are available? + + + Are available encryption algorithms and mechanisms of sufficient strength + to protect electronically transmitted ePHI? + + + Is electronic transmission hardware/software configured so that the strength + of encryption used in transmitting ePHI cannot be weakened? + + + Have all applications used on devices that support the provisioning of health + services been assessed to verify that strong transmission security is implemented? + + + Does the covered entity have the appropriate staff to maintain a process for + encrypting ePHI during transmission? + + + Are workforce members skilled in the use of encryption?' 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node271 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(e)(1) + name: Implementation Specification (Addressable) + description: Implement a mechanism to encrypt ePHI whenever appropriate. + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node272 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node271 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314 + assessable: false + depth: 1 + ref_id: '164.314' + description: 'Organizational Requirements: + + Includes standards for business associate contracts and other arrangements + between a covered entity and a business associate and between a business associate + and a subcontractor, as well as requirements for group health plans.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a) + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314 + ref_id: 164.314(a) + description: "Business Associate Contracts or Other Arrangements:\nHIPAA Standard:\ + \ (i) The contract or other arrangement between the covered entity and its\ + \ business associate required by \xA7 164.308(b)(3) must meet the requirements\ + \ of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.\ + \ (ii) A covered entity is in compliance with paragraph (a)(1) of this section\ + \ if it has another arrangement in place that meets the requirements of \xA7\ + \ 164.504(e)(3). (iii) The requirements of paragraphs (a)(2)(i) and (a)(2)(ii)\ + \ of this section apply to the contract or other arrangement between a business\ + \ associate and a subcontractor required by \xA7 164.308(b)(4) in the same\ + \ manner as such requirements apply to contracts or other arrangements between\ + \ a covered entity and business associate." 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node275 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a) + name: Contract Must Provide that Business Associates Will Comply with the Applicable + Requirements of the Security Rule + description: 'Contracts between covered entities and business associates must + provide that business associates will implement administrative, physical, + and technical safeguards that reasonably and appropriately protect the confidentiality, + integrity, and availability of the ePHI that the business associate creates, + receives, maintains, or transmits on behalf of the covered entity. + + + Readers may find useful resources in Appendix F, including OCR BAA guidance + and templates that include applicable language.' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node276 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node275 + name: Sample questions + description: Does the written agreement between the covered entity and the business + associate address the applicable functions related to creating, receiving, + maintaining, and transmitting ePHI that the business associate is to perform + on behalf of the covered entity? + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node277 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a) + name: Implementation Specification (Required) + description: Contracts between covered entities and business associates must + provide that business associates will implement administrative, physical, + and technical safeguards that reasonably and appropriately protect the confidentiality, + integrity, and availability of the ePHI that the business associate creates, + receives, maintains, or transmits on behalf of the covered entity. 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node278 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node277 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node279 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a) + name: Contract Must Provide that the Business Associates Enter into Contracts + with Subcontractors to Ensure the Protection of ePHI + description: "In accordance with \xA7 164.308(b)(2), ensure that any subcontractors\ + \ that create, receive, maintain, or transmit ePHI on behalf of the business\ + \ associate agree to comply with the applicable requirements of this subpart\ + \ by entering into a contract or other arrangement that complies with this\ + \ section." + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node280 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node279 + name: Sample questions + description: "Has the business associate identified all of its subcontractors\ + \ that will create, receive, maintain, or transmit ePHI?\n\nHas the business\ + \ associate ensured that contracts in accordance with \xA7 164.314 are in\ + \ place with its subcontractors identified in the previous question?" + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node281 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a) + name: Implementation Specification (Required) + description: "In accordance with \xA7 164.308(b)(2), ensure that any subcontractors\ + \ that create, receive, maintain, or transmit ePHI on behalf of the business\ + \ associate agree to comply with the applicable requirements of this subpart\ + \ by entering into a contract or other arrangement that complies with this\ + \ section." 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node282 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node281 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node283 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a) + name: Contract Must Provide that Business Associates will Report Security Incidents + description: "Report to the covered entity any security incident of which it\ + \ becomes aware, including breaches of unsecured PHI as required by \xA7 164.410.\n\ + \nMaintain clear lines of communication between covered entities and business\ + \ associates regarding the protection of ePHI as per the BAA or contract.\n\ + \nEstablish a reporting mechanism and a process for the business associate\ + \ to use in the event of a security incident or breach." + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node284 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node283 + name: Sample questions + description: 'Is there a procedure in place for reporting security incidents, + including breaches of unsecured PHI by business associates? + + + Have key business associate staff been identified as points of contact in + the event of a security incident or breach? + + + Does the contract include clear time frames and responsibilities regarding + the investigation and reporting of security incidents and breaches?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node285 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a) + name: Implementation Specification (Required) + description: "Report to the covered entity any security incident of which it\ + \ becomes aware, including breaches of unsecured PHI as required by \xA7 164.410." 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node286 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node285 + name: Sample questions + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node287 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a) + name: Other Arrangements + description: "The covered entity complies with paragraph (a)(1) of this section\ + \ if it has another arrangement in place that meets the requirements of \xA7\ + \ 164.504(e)(3)." + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node288 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node287 + name: Sample questions + description: 'Has the covered entity made a good faith attempt to obtain satisfactory + assurances that the security standards required by this section are met? + + + Are attempts to obtain satisfactory assurances and the reasons that assurances + cannot be obtained documented?' + - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node289 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a) + name: Implementation Specification (Required) + description: "The covered entity complies with paragraph (a)(1) of this section\ + \ if it has another arrangement in place that meets the requirements of \xA7\ + \ 164.504(e)(3)." 
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node290
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node289
+ name: Sample questions
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node291
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a)
+ name: Business Associate Contracts with Subcontractors
+ description: The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this
+ section apply to the contract or other arrangement between a business associate
+ and a subcontractor in the same manner as such requirements apply to contracts
+ or other arrangements between a covered entity and business associate.
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node292
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node291
+ name: Sample questions
+ description: Do business associate contracts or other arrangements between the
+ business associate and its subcontractors include appropriate language to
+ comply with paragraphs (a)(2)(i) and (a)(2)(ii) of this section?
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node293
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a)
+ name: Implementation Specification (Required)
+ description: The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this
+ section apply to the contract or other arrangement between a business associate
+ and a subcontractor in the same manner as such requirements apply to contracts
+ or other arrangements between a covered entity and business associate.
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node294
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node293
+ name: Sample questions
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b)
+ assessable: false
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314
+ ref_id: 164.314(b)
+ description: "Requirements for Group Health Plans:\nHIPAA Standard: Except when\
+ \ the only electronic protected health information disclosed to a plan sponsor\
+ \ is disclosed pursuant to \xA7 164.504(f)(1)(ii) or (iii), or as authorized\
+ \ under \xA7 164.508, a group health plan must ensure that its plan documents\
+ \ provide that the plan sponsor will reasonably and appropriately safeguard\
+ \ electronic protected health information created, received, maintained, or\
+ \ transmitted to or by the plan sponsor on behalf of the group health plan."
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node296
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b)
+ name: "Amend Plan Documents of the Group Health Plan to Address the Plan Sponsor\u2019\
+ s Security of ePHI"
+ description: Amend the plan documents to incorporate provisions to require the
+ plan sponsor to implement administrative, technical, and physical safeguards
+ that will reasonably and appropriately protect the confidentiality, integrity,
+ and availability of ePHI that it creates, receives, maintains, or transmits
+ on behalf of the group health plan.
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node297
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node296
+ name: Sample questions
+ description: 'Does the plan sponsor fall under the exception described in the
+ standard?
+
+
+ Do the plan documents require the plan sponsor to reasonably and appropriately
+ safeguard ePHI?'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node298
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b)
+ name: Implementation Specification (Required)
+ description: Amend the plan documents to incorporate provisions to require the
+ plan sponsor to implement administrative, technical, and physical safeguards
+ that will reasonably and appropriately protect the confidentiality, integrity,
+ and availability of ePHI that it creates, receives, maintains, or transmits
+ on behalf of the group health plan.
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node299
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node298
+ name: Sample questions
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node300
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b)
+ name: Amend Plan Documents of the Group Health Plan to Address Adequate Separation
+ description: "Amend the plan documents to incorporate provisions to require\
+ \ the plan sponsor to ensure that the adequate separation between the group\
+ \ health plan and plan sponsor required by \xA7164.504(f)(2)(iii) is supported\
+ \ by reasonable and appropriate security measures."
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node301
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node300
+ name: Sample questions
+ description: "Do plan documents address the obligation to keep ePHI secure with\
+ \ respect to the plan sponsor\u2019s workforce members, classes of workforce\
+ \ members, or other persons who will be given access to ePHI?"
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node302
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b)
+ name: Implementation Specification (Required)
+ description: "Amend the plan documents to incorporate provisions to require\
+ \ the plan sponsor to ensure that the adequate separation between the group\
+ \ health plan and plan sponsor required by \xA7164.504(f)(2)(iii) is supported\
+ \ by reasonable and appropriate security measures."
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node303
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node302
+ name: Sample questions
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node304
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b)
+ name: "Amend Plan Documents of the Group Health Plan to Address the Security\
+ \ of ePHI Supplied to the Plan Sponsors\u2019 Agents and Subcontractors"
+ description: Amend plan documents to incorporate provisions to require the plan
+ sponsor to report any security incident of which it becomes aware to the group
+ health plan.
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node305
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node304
+ name: Sample questions
+ description: Do the plan documents of the group health plan address the issue
+ of subcontractors and other agents of the plan sponsor implementing reasonable
+ and appropriate security measures?
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node306
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b)
+ name: Implementation Specification (Required)
+ description: Amend plan documents to incorporate provisions to require the plan
+ sponsor to ensure that any agent to whom it provides ePHI agrees to implement
+ reasonable and appropriate security measures to protect the ePHI.
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node307
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node306
+ name: Sample questions
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node308
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b)
+ name: Amend Plan Documents of Group Health Plans to Address the Reporting of
+ Security Incidents
+ description: 'Amend plan documents to incorporate provisions to require the
+ plan sponsor to report any security incident of which it becomes aware to
+ the group health plan.
+
+
+ Establish a specific policy for security incident reporting.
+
+
+ Establish a reporting mechanism and a process for the plan sponsor to use
+ in the event of a security incident.'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node309
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node308
+ name: Sample questions
+ description: 'Is there a procedure in place for security incident reporting?
+
+
+ Are procedures in place for responding to security incidents?'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node310
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b)
+ name: Implementation Specification (Required)
+ description: Amend plan documents to incorporate provisions to require the plan
+ sponsor to report any security incident of which it becomes aware to the group
+ health plan.
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node311
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node310
+ name: Sample questions
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316
+ assessable: false
+ depth: 1
+ ref_id: '164.316'
+ description: 'Policies and Procedures and Documentation Requirements:
+
+ Requires the implementation of reasonable and appropriate policies and procedures
+ to comply with the standards, implementation specifications, and other requirements
+ of the Security Rule; the maintenance of written (may be electronic) documentation
+ and/or records that include the policies, procedures, actions, activities,
+ or assessments required by the Security Rule; and retention, availability,
+ and update requirements related to the documentation.'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(a)
+ assessable: false
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316
+ ref_id: 164.316(a)
+ description: "Policies and Procedures:\nHIPAA Standard: Implement reasonable\
+ \ and appropriate policies and procedures to comply with the standards, implementation\
+ \ specifications, or other requirements of this subpart, taking into account\
+ \ those factors specified in \xA7 164.306(b)(2)(i), (ii), (iii), and (iv).\
+ \ This standard is not to be construed to permit or excuse an action that\
+ \ violates any other standard, implementation specification, or other requirements\
+ \ of this subpart. A covered entity or business associate may change its policies\
+ \ and procedures at any time, provided that the changes are documented and\
+ \ are implemented in accordance with this subpart."
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node314
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(a)
+ name: Create and Deploy Policies and Procedures
+ description: 'Implement reasonable and appropriate policies and procedures to
+ comply with the standards, implementation specifications, and other requirements
+ of the HIPAA Security Rule.
+
+
+ Consider the importance of documenting processes and procedures for demonstrating
+ the adequate implementation of recognized security practices.
+
+
+ Periodically evaluate written policies and procedures to verify that:'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node315
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node314
+ name: Sample questions
+ description: 'Are reasonable and appropriate policies and procedures to comply
+ with each of the standards, applicable implementation specifications, and
+ other requirements of the HIPAA Security Rule in place?
+
+
+ Are policies and procedures reasonable and appropriate given:'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node316
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(a)
+ name: Update the Documentation of the Policy and Procedures
+ description: Change policies and procedures as is reasonable and appropriate
+ at any time, provided that the changes are documented and implemented in accordance
+ with the requirements of the HIPAA Security Rule.
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node317
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node316
+ name: Sample questions
+ description: 'Is a process in place for periodically reevaluating the policies
+ and procedures and updating them as necessary?
+
+
+ Should HIPAA documentation be updated in response to periodic evaluations,
+ following security incidents, and/or after acquisitions of new technology
+ or new procedures?
+
+
+ As policies and procedures are changed, are new versions made available and
+ are workforce members appropriately trained?'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
+ assessable: false
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316
+ ref_id: 164.316(b)
+ description: 'Documentation:
+
+ HIPAA Standard: (i) Maintain the policies and procedures implemented to comply
+ with this subpart in written (which may be electronic) form; and (ii) if an
+ action, activity or assessment is required by this subpart to be documented,
+ maintain a written (which may be electronic) record of the action, activity,
+ or assessment.'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node319
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
+ name: Draft, Maintain, and Update Required Documentation
+ description: 'Document decisions concerning the management, operational, and
+ technical controls selected to mitigate identified risks.
+
+
+ Written documentation may be incorporated into existing manuals, policies,
+ and other documents or be created specifically for the purpose of demonstrating
+ compliance with the HIPAA Security Rule.
+
+
+ Consider the importance of documenting the processes and procedures for demonstrating
+ the adequate implementation of recognized security practices.
+
+
+ Use feedback from risk assessments and contingency plan tests to help determine
+ when to update documentation.'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node320
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node319
+ name: Sample questions
+ description: 'Are all required policies and procedures documented?
+
+
+ Should HIPAA Security Rule documentation be maintained by the individual responsible
+ for HIPAA Security Rule implementation?
+
+
+ Should HIPAA Security Rule documentation be updated in response to periodic
+ evaluations, following security incidents, and/or after acquisitions of new
+ technology or new procedures?
+
+
+ Have dates of creation and validity periods been included in all documentation?
+
+
+ Has appropriate management reviewed and approved all documentation?
+
+
+ Are actions, activities, and assessments required by the Security Rule documented
+ as appropriate?'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node321
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
+ name: Retain Documentation for at Least Six Years
+ description: Retain documentation required by paragraph (b)(1) of this section
+ for six years from the date of its creation or the date when it last was in
+ effect, whichever is later.
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node322
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node321
+ name: Sample questions
+ description: "Have documentation retention requirements under HIPAA been aligned\
+ \ with the organization\u2019s other data retention policies?"
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node323
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
+ name: Implementation Specification (Required)
+ description: Retain documentation required by paragraph (b)(1) of this section
+ for six years from the date of its creation or the date when it last was in
+ effect, whichever is later.
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node324
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node323
+ name: Sample questions
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node325
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
+ name: Ensure that Documentation is Available to Those Responsible for Implementation
+ description: Make documentation available to those persons responsible for implementing
+ the procedures to which the documentation pertains.
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node326
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node325
+ name: Sample questions
+ description: 'Is the location of the documentation known to all staff who need
+ to access it?
+
+
+ Is availability of the documentation made known as part of education, training,
+ and awareness activities?'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node327
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
+ name: Implementation Specification (Required)
+ description: Make documentation available to those persons responsible for implementing
+ the procedures to which the documentation pertains.
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node328
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node327
+ name: Sample questions
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node329
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
+ name: Update Documentation as Required
+ description: Review documentation periodically and update as needed in response
+ to environmental or operational changes that affect the security of the ePHI.
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node330
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node329
+ name: Sample questions
+ description: 'Is there a version control procedure that allows for the verification
+ of the timeliness of policies and procedures, if reasonable and appropriate?
+
+
+ Is there a process for soliciting input on updates of policies and procedures
+ from staff, if reasonable and appropriate?
+
+
+ Are policies and procedures updated in response to environmental or operational
+ changes that affect the security of ePHI?
+
+
+ When were the policies and procedures last updated or reviewed?'
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node331
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
+ name: Implementation Specification (Required)
+ description: Review documentation periodically and update as needed in response
+ to environmental or operational changes that affect the security of the ePHI.
+ - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node332
+ assessable: false
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node331
+ name: Sample questions
diff --git a/tools/nist/sp-800-66/cprt_SP800_66_2_0_0_04-05-2024.xlsx b/tools/nist/sp-800-66/cprt_SP800_66_2_0_0_04-05-2024.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..39f593971512adf386b24740a3b31415c292219b GIT binary patch literal 47157 zcmeFX^;aEB6z7Y3aCdityK6Xja0qaMySux)2Z!M9?(P!Y-Q8UtH}}qa^VZCNFw;L& zud_@+nlveEH`m~nu>NTW26U$%|Cifm$A!ct|pCK#9kK06u9gQ_SS1I-8}nnm10 zE8UxNs_Q6RBgHewJAcq-%}iPj?vip_S<$!%;`Ekv^?B8siVSg6`or-Fie09KQe`U zN&Kc4K@`lx>oCh%tR_AC1Tk`DMlXAa*Ip>L(D3^<@C;fqqhk!@ut_cHH}eNG#pJm; zY5lwkhlZQDy5!IF@ja{x{y^_Sh(CUy-=iG0+;oW`4|kD}dj_9v4ju8jpHA)l@ISvw zI`U?DhXMil_y7k{`2S&9ufjxj`>8dVPwL=5u>{%~TG%sw{ipoDIQ}2Z;QuuBvN&1! zUM7T~3(42up@+G(7-SJ?XJN@!5@jzRz$#LGWG*@0S|=4gvNEne_&4u%uh)^4HNME> zA(H!Twz6TT1vYl3EQ%*J`|_9ySe+6Z&I$*PVLdOrAx^BeMI?>)d806B26iL}oA6X{9 z4N_#^d280OU5#eA_Hn}YmJVGG`-Kw~t$${y{}mEnfrR9nPm8pCLV^nd1L|VI_%A2U z)^_H4*4F0#WUv3h4CrSH`yA!}?5j*sR=SS~xgGvJn8`WK2?J%xfsyo7Cr+&EkR=(t7-692`dPtenvA z8zdU)>G4VF89ZXDJzBFs+z@>xI@kUqH3d#^ZUL#-ZS!;xo7n`DBa4~+6v4=+W=89F zeVzl9PRsr38XJjIX^i$hnnhRcp|bp3iT>Q+zykQbxPtsSoF$=q>=wU=xo&$kl69Rh z@6LTj*uyWCCM;p+_Xu(z4j%eOMAL}F*ICgp z>xxM~LWz0iMAl*q`774ON1MyHAKnGyJ7Oo_AV5Y6nrtehV5&8`rHz~&`!U1{mJ`Oh zXZetS;7r*4usN3k{AP*(3NOc49IS+%NJuBbHn>B=6zL<9jPa*4|&=wQ(=;!V~t8ex#0 zl}Mh>L|Q^r<|ydi0DuVc+H*Fnr~{hy;Nr}yNJu5M!TK2F{4K)#UkIvp9W2xbN~+S% zUqr07l<))p=wLqs{g|Tib|jbwJvL03hwyfRNrtd# zi*);N%6KVycKRf)J&{A?rBn#%#**e=q$dJfi>S!aRH4T-x3o{&W=Az$Q+UhsDd6UX zQ-m22{JAL2e;chJJ|k(=jxB@5W%FBV;MJ7qlesPR$2vR zw+QsAb;ZlkRSbW%{7ANWg6QyGsH;}XD(-}{hRj;xqI~W3uU$K~ z4v8JQIxfeit+)JBIvHk`(2dcE>jA91H{K=@>P+`|(8Xm7SXaU1lGS!Wv~@hu{lx%{ z^Y&zBZmTVlG?88Ihe}+&$7aCJL3BngLF#Gx#gu@?3P@gUGdHo(rqYJ%L?j*HMF95| z{C~#@AKA3-?k6XQpPYR8mlJyjR|`Y?e?n@W%8Jzr6M`pEl{fP3`H0gFJ*)+mtP(h6 zgPsuU&&n_cDiKF!atcSD(~WOS%}s|@(l4m-2@ZX|qRdAsbdbx;`pv31QC~$Oe$hJi z&++tbB#AS15Al@H($?wWth0t!UPlutp4|KKTVUJ65GRaZ4m2A{gfMW*D7xq175vPf zmr#VR&_G+kmY_R90tjz2;iCbXd-!`~l0Lvli(OYago_PD34pfUYaP8kl1a6#_0vHW z5P8cIWSYM@aMQ5s_gw&3o{rJG`F~Uw&cSR#E6jCj7LMeG6Q-^sAcm|(!%$HN7@HdR 
zBPGf77NgvsY%=FHxx=N}RS^3E#5`e*qNN0jdl;X7cGAh8u`YiHjfIKlW2m2kvQ?>0 zQo+f5{PjET&ba7hMa#%pRm|x%VS+90CsKS_Vml`H zw)Lw=(KcNRye6xB5+U3XKglSE=Z)%O<^9zQ3(0fO4mWp*#5x zIhok}ILq`JE9`m3%k$7JLN*HhSnPZ%;7^2Om+eHPV9!roFy#$eToqnQf?Z|HwWK-L zFbB{gg>y%k$OU@rYjBNx3`UO@-ntkYBad|_bQ`7%!Umte?<3J7-w3)cYXhx<8JBT0 zw}={V0t|oJy6JV)1LIc%k*-!J#k}8UtmkEp$8I%O0d%XbVvbT z0`CvDr|$(Xl<#zBiMeNbFy%w6jHgBj8)br%(C2}r+!-aOj-%Fz_;$0BCkfR|WsR>x z68hT<;dwVcWhV}{B1)4016M+r+~z~b4?mIkptI-|>wlXz?tj(^H$j7dppgFamHant zIG7k(8Z!PZng4;}RC7EUuMwjYdgw!FOnZLp&|Q~%s*v;k+-)mSdsh;W5Tr9`6rp|M+l#tMCw*pSo^zBoSriy>+A*p`+oc2 zAZN7wLwxD49C%XlJ-`C|`6D6eaKxl(&8eF_<&M;fsN$AE6pp;)!Vk0~PrHkq=<{uG zjM!hqG4i{h=WelzN5b{A#!L}=1etLVUO#M5^dTGdG&0~lVBPdpzj$_PL^8|rC2V5P z3TVf1$U-_nBnv=jOryz~Ak@iz=Mq!&33H8)z zA9GHg_9si%TYvOJHzO;#8%W#f-z1Ojf!*9pjnO2{oaMb!TP*mOdx8Hn!{RhM`6w3v z@2bV&Gabk;V>MxWbNZz(oqal;(>eoZ#?g`2+0e^<$o8VUHf=4G^8S3z8pWHd+uMVu z5M+J2>F%|7F-zYDYWTR1*dcIS-xC|inH}h2!rMw`p~UHHL=>s3D%W9A1u!5_ms z7L}w`61gP9W}^4^!H>5)=flpA_Z1}I`*38k;cKb)`}+EN&ihlT8qoXh zn$i35oe0QN_W+TZw1tL?7AiMH;Wno4BBT$OCYTbI29P0@VSvT=wF*9t4Wr*2#%0B- zkhee+z=$!_>Ut?P#$2eCEJJr3du0k^*knE^n+%)*LAukTfR|Stp5|{>Pqd9@?ywo> z?+V@9{6iafE2T{fjZ$rr$&yapMh^R3@?&5U)|PM0I6>2izks!y0!V#}Bkn1aL76gD zj3F5~MH1P~XpSXpQ*W5IQ&=>aa#9?;+au9a(={gSCGyK~;Ke21=2Vfpo0$&p6{d7Z z{Mv%S$Z%DX_VPB4DN4egG+%l@*5`nM`;8>1Z{OjC`NtrKBDLH3v}*u2BU$jP2l5t| zqg??&dBBTyl0=M|XKw^jaQ`0e&%-8k`l;iCk`%pjrvM6{FN9iwGDOI`Aq9R%n|xC{ z;ev&4DBb9-n1$g&X7w8 z(c~|lu~s(KRSlhh6yI&Huan(8lR&iaUp+G2n2rS5=FzpVK-pu$@KV)mo5 z%bnA&@vdT_$T%XK44VB}>xIVtZlHCU`(ke9C1Q941*E)RTi%&%p*^}V>nnUc=VhIE z4;KYIU0T3ZBF&`%gmtg0L(5v8oCwLkGY0L>=~b@KNUMQTl=O9V+DZn==Vvm6CJ5kyMq0s2I5LrPglr#Y`u=3BXF1u2n!k_6X= z;>Z%8f7%yA>A_V?ONExvEF6Ru^PVHci>iyZvktGy`6RmgLAh#EO;d5}v~!E+EvF~c zQa!ACb;ITtw}~^0I0A?g`!tt__D-?#Ut_-ua4zr!Bje!AP~r+efc8qy@~N zTDRW$uih2S@%9x|vH4mfPK+9_cswJ-4I;~-sL}JD8NsfmOtbJ~3^XbU01uL7j6x}I zn!ifbD!>1tN6r8`woj>W?*|XMvUi~hrKMu2E~-vxoGtme)sBkSLbhT|j4Ybpl`ym= zF5=f(1jrXv|LYGHw+mx&CNSDZpXNrLYJtvY!j&J 
z=hVLO9I4}p%mIbbxrVKBT;BpT<#el;s{B&~nJcl0^s;pzBrk3|HPqpO-D`^c<6uMZ z*Hwl!@%FgyLIzHB>8i($0{c4Wh7iQoyESoFtPmYOep7HPPZ?;d5*S1b$LJzv2 zIulgyK-$keQiLcjP+fE5EPrX@*hel~{Ix_$ly<-2jsTyMkX8f}QSF-bfdA6eBxoY; z^fQA^8xT)j0Kubcwqz;w{I)WqCmwp!R@%%$kZ=nVwO+Z=Nq0YBr47Fci^`)mJ^vzL zJQj+{<{W#J)0;A&KF;s8{KdWgLi}A?W$Y~9}TF|Y+ri- z(z=nXk9oLjqdxG zNk3D)J2PBn1W*ca7B+V}XwRZLa~X)!vr)YL+RchHlvrxPraKG{Xn(1c=d08a^1bx= z3QN%$`G?UjcwCyLY+Io!k$HvKV*sdkYm-atVzae}NGL>8*JHC*Iqb-0P`lH@^&o#P zuOI4Nowtoh81YPFzVVxeFdr9JfZCf-OT3gmvX)$XA|5#Y&N?J}^4%|2UwH5C3MIV@ zZjdXNjhrDuMARZQX)909_gWMn_){+)7^KI{WqnKIL#&^Bj`7bI&|f*EXPiW>HlYLp z4Y!~}(iDMMQN9sFDF;j(Q1=Uz>Uhmmd)$^N~QOQ_3Qgi__)h|W3TJ{dRD3QVs7D`u>w?jIjMfT ztAD$jeSe;RcdO|1nz&yGW~xWpda&5@;Qf+0uw2B~`7HB_M$#*Y!SWjac_UzXMI-GM zq+sEZH`|ZrA++-5M#`L9w(wNV+Mo)D#zYcB%5(mi=8wgRHq_LzBs3s98A5i}MhGQQ zVTnt|U*$sVM%)gb7TY~uqNdoESg>G}dVpi;>6x(~jj+C4Ry_(H4*eT?n)m0aUB@LY z^#sm3gyBulz$_n0d-1`mx>Isvy{vxW|9Fn^D?~r{Y1&akH7(=RddZOu!LND_v$5;0 zZQn!RTSV;IRn%)*>J?nY`)E$#C9NiAww2v483%v-+BnP*?*2zB(G2HyxRHjC)h`r= z%WX}}x0DD3U)jua2NaO#2}1}aFS?8lcL@{~+C<@`21!J9_ytd6^S|rU#6U_y#L?F5 zB>AzrcGmH8_F|_;(8B5AT4Lv`n6EEKi(}f5#weq({#xh97vR<^Sbz0l{tvE%DY<*b!qI}Vp=+ZKqc%XA3}O$c9tkl_?WFqj9p)FQ%mw3un4 zl3T<4Y2=34oXM?`Q)$Y+)_lmp%qc&cE-)QZ+9-;j(iM2mth@gEV0zMv*KDakbL%qCq@m z|8V2o6|v@L+C|m^4TJy3HhN>dBXR)8o{_Iy8Ht{A#5zuq87*~Y9A?DuF)-vR2CR>} z$xi)O(yiMLN%u!I6snr_P@pz z#C!eJ{VHN1vd)d^Z6=$r3#bNd&D)W2=N@g;h8+epq0D#3AZU2GN&mo0+>#5}7Wn@< zyC$Qiv+^}z)uslFxRD>LFV{<>J79ACGyN3oOWosKcn@_OH-XoPpw#S~|NO&GWaM)U zMs#jk1n4gtkY-_1J}PvT2SNRuoyER(dR8ZG6w)5`#QwqfZ+7@E?6;HCMJXLZnE%*x zXu<|=qQCN6!@)cc$*%$7y`|AytbdKxhd>qOxc9B5Z?6}Msah{-h<|4wZ zGI1ZQv&MpoG1%Tq*?(1|VcTY*njU45890$zL58EDS&tM5?asHf^Cy$5`6kWkt#Pck zpB(GWfn!bMu&f%Drd-qCb_iPTAJ;`(F}8&5AmKtB%yXNnN6Xt3u!Nl_NR+q3xc+sJ z#r^uLt^f9;?C||+g`S9L`HVNG6T7G=sD_UiaWUxtPbU=(V%dplk%mc8wIhsjqE#vZ z)?ZPS-QYllfuD?R%tU3xNFz~T2r-X`@PPg!`3PTi&!S&e>YfmVjn73~v$hUG{QuvO zKg$FnnAfVFW6)$Y6_4_*NO#2J zJbb>z@t|bRD4CVlnGK?wefc}D<5>$%E{l=CNCMcnjGE9FZ46~nyQMO)l% 
zhFWY?hUDZY&0C>1rn87_q(3(QkqYli?KW}jpwk-91*>lvS`@PHzwwR#MlAIirTBCo z$!uK7RK4*#wYle+9pITzqwB9$Jik@uQVgG%0FDn2<72dXLp)4pC)BCG{u6a$+et7q z;WShmPMjpO5NtBCEB}QOg}3NEK|Jo2Ih@>aLPPF4-KK6(gd@>vIdQ?Bl&hH39ajW~ zbXRk!B2AcI5MzqAJQVE5|;l0%W}k>HgyC1ytDXm`30?51Lco1ZzVWbXNeGmzln}a z5#wMRNN%}Mp6SXm<%mf;V%**)8F$kn9+#dM8n>%@Lk@T!(~Mgcd8P!cXqjhjic|O4 zR@i+K3h|%7Q%KYpuPKJZJpjicui;^NUnW7MOXrQK`Ttr*zjoNW8G4jrxbiV>R^y6M zy8w~2Q8BZ zYd{+(SOd_1Do(!?b0xMtosBuIAr>Q~L`Kzp4N3VgMmb4(qASO}?o&uAF>V>WrO%Y! z>dsr4&brYU;QZr`q4gNJ?m%?B6-VAY5x>YzgH|EG|GK7m&U7ElNXA9`ODR%i?URx( zGRdgp){DYHLj4mxYdG`x)YB2G7GH19VoH3Lm>PHeLU3a8Nu8Qjf8$aNGn4@0+U}Fc z=~ZVVxzDsV25J$n2RE9eOO1B_6+g<$t%reltjF|t8o47W-2zpvNxrr@dmYBVGU0io zclcC-XdF*2@$HUyJWKg~4^`pZ$M)D(R&}j)f?sILWDeE~Nf%t$L~Ft5%$cgLoXzpTrX-B0!RA`FKdZ zN>u%z>;*Nz%8d$eohldCR-lxpqdB5t(z2DNW;!c?ZNl@{i)8w5YZiX2BnQwfM$Fpr!4W8P>yJt&oHL8P;ewik4hI z2Xi8>{}K}(sYcTM zSE?2ZeykaNoQmwjKtL?9vjZTD^xwppo6f>MV!o1NrK67pi$VKnM;Me^?aFH zz%@nL#gpy@mh1ixb^e4(T|>+zhx=Hx@#`G4@#8+Z9%1T+t8%COL{@^hv-L(p!x?_M zw0Fd_GVL(7Ez;D22P4hk-gs`4hoA{XYWA9%{LDlK43X1qZOz&?d2>}`UPS1`GeNh+ zwnn=GGBF8NjHe+*4Sg~2r$e39ug6;p2* zVznlPN9#*8w{wrVbv9kq6gd_}#)hK&3119pKXxnUUFYa4x!Fo@zz7hfjLV}vKUn6c z$7GElTF)~o>1#os#ByG_Tm-nE`Z8Yw(8Jd&)YIX@=I)#vL3kp9gTec7bNG1q=mZgw z3|9ijTBg@9MlW_-D$iBFvi-n@BJOz>m=79S~b$`tgUTJ3i}g?O9z($f-qQtVlR=NqJ4kS$avWC&nH|^3nsWV~O`G zcdcgl#d6pt8$m3ROBO~olI&}=hwI4>nc0(hn-x!^EZ*w^jf_PDYPGdAT2=F>z^kRh zc8%5_VRSG38E@OuUan-Fg0!pe;^wV_bhBj>y1LX0>%1$4?9J9dnvj*3{=2vBcQ0Gt z&KB2?O(dLiZ<7znt-=ZQPOmf$ZD( zaXVP?=o?W@=EDoL&ZRtc^0uyw{OY*iOAny(hp0Kfj^F2S$;7TRAJ2R9?*oIS@8H>5 zfgxKhu68#9f{6W}r5c?gy#-2Gf2u&-oI6kcBTZn2f?qf8r;NH4j`YqYuI1V8{ZE|ojM944W8uL8_&<|Pd!R;M($oF z?xDl%nT3XE!5%tROgK+qEXvL%^VyK+p!QReoOk^9O5Tkzz30(j=&6OMky!4sim;d_ z7oW*Tvz9H_(uB{ouj8!i-L}c^*GtwO)H!|1EO_p+sNspBQb=tj3S?*8OFxvKd|dHi zFdE+{-@{Upi8a2a$ExwKY@Pkqv@@^iue<|!UZ$e5Sk6KZr`VXq9g;75(q9j_`%PwT4j+}ELj*NrWGP$bi 
z`#21-Ghdt()p5bYAa#O^C^BAp05XUnuWQ?A2?XBgGnJ~@_g_B;^0{jm@yq*hfnB!bEOPz@=+NENK`>!>JdqLI{96*_ZLjVot~vKZ)A`?k^*}0gwjCPK`W!E3%llM^g(kHCIn=ED-~(TW89~BRX=%v!k`s0hdR%adLurb|i8HI?L^Qnw zrr41Yr?lR#Uw@x&N6gNm@_xR;|K^MnvRsm*f*%M-Nh>G_`e%#JGfwspsiaO`@HR^Trr?ydTKkYod5K>)*Fm-ZSA;p?bZPH7V%6#bwAar?$2+^thna29Y< z@+!VP2NSX@uvdH($^S{d)if8J2>nJ$(|!I`4SbC{oRe&u?|vz|eqsF}H@b7lGHqc^ zck%WG*!d7oMbx(7@S@VWeroOYwyp+zKfhvJHxJTp1vajDZM;3VzgW3k>}GAQV>$q~Zyan)HIJ-(dd9N~$ew^$bf9YMzF<dGLPj zh8FbpUie&mvX{Qs3BEtKBYD3IuA9rfjAzNMQN1$~z4p3yKA9}O?&t1UdtKikWxc*Z zcRn7z?N|%AWqlZYygIb6oO1SFO%ZZdw(c9cudSso_qsjqMSI_twXUDGI@T_64*qy8 z|B->1w&QuTU3Zr1G$rWuaMoGBqgGc+mZWRKw6~MH#vT?fX z={|ErA=-F$JDY2?)_&gbwpOu1M8ux9w$`xo(YN{B-X5SN;Pm3ud7S#*f}^Lma}248u@`{WWQ3svco`WXdaGbZnJ|@{`~eFz_|&Z{#-J6zO8`(34iG< zdQ%|S)^mdmj(IR;$u2Yz)_HGzHSX5IKM!=jUTgdiScBY1hd%3t7Ifu$)310j)?}{u zb_1Dgw@LZ7^@Js##lc9S9el@_c2I59{0MK31aK?I&~er(`u2+$({)F>?HCFAE3o41 zMAn)WKT`(!!DF1gxx;$-tl_BRvDe=73{v&oG2B+5QuS%?&F0jpcZsvDxgU3hmqXNk z=8PAH0`qNr-{pifM1Sg>)7#0m3YuflShBBs_iBvMX;J8O`Nu{864D^y56hk;;Gz=) zuxqWn^Ky4k@cAlQLYirj9Pbr<#cL%CDs4J`zfoHhG(W~d?~l{l9F#GvNN2Z`fSJ>p zTdi4jj5m+vE5apqzo6hnXT-+x3;X;xbS|l0vWW6-z&aA|S2&K|fkvREym`9%=@diM zeHv!&rg`xDbJ53?`cozLSt_{J-H*(nZw=ViFI_X9t?eK73tAaahvB*=74k1qu$zYp zLUm5oRmHt$`*ItFQv}ZpNB~b3mSWmD!KZ-uBYJw@0DK3w1 z;f_43n_1OxXK-{}7DXJmubsU{E)@B>;-;Cx(P!2Z{Fg9U?lWa8`YWsTgDae8Zy<(_ z8(LRY`dtbLS`_DueIh3m-JQpe)5t^{Xi|#xbP2{oER!2hHP!9GJpW;8=1`cl_Qa041Nz8&W4t5&Lwwfa+= zi$bLvw!jMFN#{jdbwNoM%BCfyx!d5!A$wkl(Ku|uftFQW=qgg>NtdT_(-p$hQl~`( z++!jeLPkLC7zEq0Lgo9(^O)p2Mi5+HD#Oil)~_vLrL{;s~^2 z-KX83)JV!RF_$Of3k(3fH*&sH`Xb=sNYz6zsI$)5) z_Zug(maX)bOlPW6lnBDn$n5XI4zgW&5U@D}ozIOK<~;(re}a#3tltN}JJ^TkVn+uV zw)Kh#c`;-0>Z5lq6f!t+D&rw$$rV&cw;VjtDhh$$@=wdZW`pJ^sEiuXl$*6lDv0w zVov>`K6&u6h3Fm?{i*|Hv%>fI`gB1gFrD&pytgAS;CZ!|yMMQD^IPH&ajwW_Z2ql# z;EKH-jh&~{#@(+HvV5MfI{(LyQ>$p_TX$}?AFpr~6v_;F^kRz73~PRkIJluZhq<;8 zyHHj?B(F7fpwPV>{TkEM)|~8D9?W4=>Ffy$^R4=ktX%)ou4b{tJEKIo8f8^7rQxQpf9 zt9$vvdko9BJIq>+G|w-v;o`+?#hwb`pik?oHZ&&b)~y(Q4`rF}=PMs7G_i*KbfVUy 
znx!lPVT`+)!W+&7j=NGjFEr1h&UJJ73Ef1&L2P7k-+VL!GC`F&@_8ZjhLC$5r5m}~ z*6!HZ3B-Qk&f%L;yEqrE0sSDE8IYF3XUE85zwGfl4_a0mnS&CUZQl= zA9Hv>tz(J8zk0t74nU2= zIPK$RO0%H(dP8vyMBV-G{4U@=c565aHXB4MWoIbsoYln+C1^eHYY}mM<%k8`7z>-9 zCO@i>_YPpb@A{jrV)oDw<7^%)Dvds-VboCdIsld8MJ|LBA7me7N8`VIz&+bXs_5@V z)Y=@{3^Y<9ic+~~@S6k>Dy53YrQ(eulgn8bo(HWZfetXbnaH&8WGR4Trx@d9$6#zB zy>9-dvm*yy=isjgJF315>Yq>(K6V-QMgw|4po7PSo+i(UyK=B zw3>cot>>Iaq_!*9>xxAOHbb7%9L)|w@#BiD7Z+5+g zsrCCB%+veP6-3A>`VbQ*(~p2d2`5zedu&p$CGWna9nudBvm;9$UAQZ-5&H4Z`qW## z`}VgC5pB{h>L5=8OiHDe)>8m3Z5*WY7qWh=E%JrYwJJu$v;~FFaZv?c!N(En0I1oC9{px(J)Bt~E6d<9EaH!s0)26X1 z6Fy4Fo#l(Mo{?^);y0!6yktCqvpo`_Y#-DqHNX2cn0-bSg8z7 zWq6mR56c^7QDU4D(NVsS8ruNL8TTauh%g!NcRdde9AMKKtTfW>o-BBZz@H!0$%m0n zRlXDi^U)XCju%e=XgrAE#pr6;g%IEoSH)(J)>bvw9vbLDBgPoKrA#9@Gt1Qv$=clt|pu!6=3$UOTK!1bE!hafE^1_@tlT0B_o4a4VD~a zcxx7O(6=W|Pf7%DneFV(_U2w&t>omg(n{wOc8#K0-T!`xvBo*olFrdk)sNeCUxB<9 zAn^Mn1jry^i()#L(-a89XIJHHSMx0z*sF%zAOnd59MC#qy9*e@%s3r!Du3R3e1w}g zWB)zo5H@b7VPXYjh-y5Vv6C9YRT#4ODT@2*k)4m2cae3z(mF%bAN;& zG={YWihNo9=7;J&zh?RJvJc-_#3SF64SA6DpvoP2dvO?E`BSXf`c?F7g?K}k8URs* z`qMXu28>dM5@xP!kqg53cd4ued$t)_3aDn2 zJ$RSEd@ZMFG!Bu0FbyI=rTg-7+HC~|Q}XJrLoDM{ukFC(V+5>ICTr2`v6x=|A3a+- zpJ+Mej|TrZ4~6{?rZE65VVj}%K6e;2CXnRM^dw)|95RdyN$ubeOGEg;pnn2w@xY!r zhO{V*RGituS;b~Zr{j7+ek-R-f;A$9>Z5z3jso%|y+$E$LHJC%i6QK39^<(&=0}vR zA%Q*OJ4nH<&WXjT59#whF3c7i8-eMuJzmSN!51!gPGa}cR?2&t6t3NAX{HZHAuU_-XlH4BBns#j53r|omxH$>hK zLJprK50kRpaGQRO=8J734x22%K~mMv4Eoq7bXta3Pzqez-n^!EAlOAu;bIBEK{ko9 zY^5F|*&9cV?))VA9_hlMqJyN)cAZcG663*J8)%GZh~J_Nf^ao&PVHskujoE*#Y$Y^ zdk^|J_Te9I=LzB!VFCk#P`gp-i-s9u_H~%0mDj~kw)7S+Cyc2qF_gZB+;(LFdO#5= z`d3vgNdl7<^O!=!XpSl)Y~gQ95TU6vU!YGqr+tD<*+Fcb39{2cpM@57yS97n27ZcK zU-Z@o$h>L~5oP>v+|C=pjdi#5 z$KQH=1IT=gX_t-pt_8W}bEUjLXOV8w-EL;{D_lt+32%LFyi#`gim{{q2-Bp25>qd; zW@=B21w~-}T$!foN(mX!P(=ufR!;*Mn=z&9a9hZHuh6lbe04@k#4O5*JU9c-NicXV zj9@@IKUy5MW^D{CVCd%rBat4ZVc`40@Wjh=;P6i7pQ`?74(Kw}w4IOW(B8Rat zXf9To4Njv`?(Ac&;oN&%)xA?=TtUNr#qvCKCIlaaR$)sGP%0+Avaw|4zk|kS6tjcD 
zWn094LcxKxcezHM@De{rz98u$pQ*>ccH-fUAtT>D z45G=h=d~N#OrUWH{@ay@&;z}lZQR7{Sp!W3ov&p)W4C@2_(s@~7f*=_xhPIFnus|% zC}Wq{Gk)p09HD-Zzs4;}knX*bo9!&$>cJ(DVgPtDo5D_`e~n~P#HG$s9(O8r=G1T+PK9PB=P{3R;x5&>HA@P-rTn83AR&}&&U$RlUA zkQIzkQ=45auaC&4{1;xuoSz2FI}U&N+LZGe(&dWlOqu{levS`QYU#?H@Mt*G>H^2? z=?V`h`F=aPyOTE3O|p=Xl2J7;p!e3Bxh7$Hx?2+3#SJqj|`APj6))a`mp*M^;Yb|MPf++3Bbcy z>s1+*yJ_o0gmCegL{e^3!AW$tDRP*Fm?BWmL&PzY2Uw_XOIXd-s%g7KvN4gOj=Gkndh9U$DWf)aKDv-eUnz)lr-53z{Wn~;Y zbWwW}EyRL@<>eMd`%xTXKdE6ZmghEP%c)kjyzY8qvhI2T5Q zoZifWDGmf)n6`YRMXhH*!YuYrt7m_a-diG?qR3p^%j|wls?Q%BY@pj+aVfaIj8G1f z<;OJy6^awSX^!)?KN%tH8jIVKg3ds`w#2hk%Qt1hZA5vqU=&gz#tD?Mvc9=$->g7;x0>rLAl7s9{HEde zNtmeiZz#WAoYH<}3C+X>6CdT~b%NaZ2zZLz_ZHdUSE8r!GzJ-w90%jhgoY`*ZHhsP zHMyi$%%E&vF`-H#Px&5#-dbR!Zva<$hUo&_&EXsTEy_$etzWv~gC!N5WE|oJjm5c? z8EVuItjFW3HJHNH1@-sq?lH|74P~_S?TB-+hd_F&*Eb4-ll}t+jxIqXc^{LfKdAgs zvy9(0X$Tpu{_OWk9Q%x?STzPZ!MzgbGSbYnpZSYaZbT#14@yB#cuHsZorXv{T*I{S zC(GlvY%e25VBa-kbukviYA;Za&RK>lkAAYlC^HzXbCu@)YM?`Xsy%+h6Wq?C$+=HD z!BzqWx+R5m%rsFJNDFUW53AH%9zbLsQPv)qO%cN$?X2(ME%6go6>dIxEM|NiYYhK% z)P*~*YcO`H)bj%>ZxBy%<`Qm8nQ7W={pQZpeO$71WKLuH&mX7)2%8rrXNyWJUT3JK*Db{o&))$oM?FEwY)Eyun;EgO2lcTpZI?zjyNj+Ue+(jqi)~e-*M`C7rOd`;h`_Qo{zb zsr_N4c%*WC!GdkTunMQBCXtA;SA42jyfx4wUbD!lI$X0A(Cs#j#%lYeUb6A-xV;)L8|h=lItTt`SW4#H-Uv8x((${A@@bHOGLmcyHg*q3gr?@MMwj4mVIE#{4Bi8y2Z zW9xK>iS!>ZR3*DhCn)b5?p5KBqP)~cP#4cdIyEbnuz zA2YFEE}_ z^nKz_U*T`qjNUm-s>fb88^@TbOX-de#HfC}qxvM}(^fHDF8fiw!%N6{e_VDO-CTBC zk4qV{jMC*G85|5F%YNS$p{NXHlmT=H%M^B*L$^DyOoMbo*&)8Gz~3OWzLvByrW9io zry^-A`?T4Ahe&U@J*kzWrp-|&Ttj111>=u}bi5hIMH<14xXp2WAH%^BLbJhs`r;b) zoqKzk<{CjrFSdQ6B`)j=D)RmvYx2X@#UJE$D{bX`$G*%4GVkBxVG5`e_lZ8bk?#<9PH!3|@?q%!9REwhE|Oeqcd{vnS+cZiYLVpQW%9fX zB4kD=xgco8{gT@T&INYgGGk}mYcL^@yW4KjsP}y3m&h=L|adQhd33@g%PA z6^23%#m|3=0_qt~czku`1X#5QTh^kyBMqxd=9vUR24K;_b2l^#I;t^_ogLdMF~JUH zzIk`?JHTWACt7hGA)=cMp}2sA@yt$IgK&RUqW^*{IM@3XYbzQ&*ZMk#Z#Pd}Igj*E z-?ZR^klCxm(=hev*P)gy|Z|!8C}O(c>NPWoqm7?WM!ymFil2nlP%Jyf@f*t 
z_Od<(L7Fu~Vv-xkViqP`k5UAP(EZ}W#H&JCLXel-?@>Qm+tWGpg_p%Dp&)wU%#nlR zVZjnk6V(o5NoKx`3v-cmDsrIqIW*j2tNZ#pW$FT^*6)lK3GlF z-no5OM&ujXYUGJixnhYu_c_}i3MzAyF99Y9K^ z(u{2@`$MvKhiMuk&)4Y1T5q4T++Cp7+kdUM$9vpR?#zIeTBpDhCNnCy0^79PU$kRI z|1C#PGV2WJ`2A~?2mjX_#UmvUT2GmKc%O5`)yVL$i8(CebyvMff@(w7R)}^Yba28f zpSdP&Hv*1Zdnk^cv$pu=VwTP z^q}H^gveNxYg#ljK-_x5DnKg~)~RlJu;vK9GTG-Sa^reM0oAf6QgHzIDrW_ZH@j~5 zA-}#?j~o*ja;jEvPr!f1s(J3(o8Lrf{*L7-=#w>#jBVSjg0~Q^Mn;Qah%skfu?5G^ z)#jvD^Nf$OMocNv?HGw5?1)qgnskhFv_@twMKD=d>tk3Vfq_&knQLT{8fo@PBOq^g`(r7lK*$2{rXJowN5Xhw;0#H}(j>19x6 ziG-rIl_{%o9s`JzA5qZ`tO~$8OJyd4G|ClQQs6~|QpU%&K%WGDM%1=5c_{DrQWy$_ z7IA@>AVKXI!N4~d(9Z>I?C5smVIEI-utZ0@ThZ-iAdq0Cd)0DQesrm&4+2~0$nmKf zdpe_!8d^DS;p32aA+g2bNj;U-T-hee!~e+mF6qNS9xMGQhyDt<2G>Xx3K&5;E=W1`SI>PYp=anVgR zc`5S$FJ{GmpxQ={q~m{e0F$c~Z3 z9Gw>dRfDlpS_++A{Aulq#c|(zKdPasfJ=SLN_EH7L${$iQO`y?a^#|=O=PA>ftEft=cfwMOQWyfcMXVNx6`&+E;4^YGZEj7?AQx{E$K8<4k zBwBwKZD!HpR5@oX?o(S_G(%uJ%Q>ke-p0+$G*8`AVB)z|>C7!#{<4Rn*CW$y6x)y* zmmMFxvznahDFJ#;9Vm4i5j|i`5Y73hygLtwQ^@p6@MOF##?5NY?^(fL!fh|8N@ZVn zNvi#Asi~^tuV{6q0J#FHr%?R~(tG^vB>yL(AKVsFdCPH;uVe|9#I`0|a3S+{p6Z_h zG1};v3puFtb?6Oj#BWQp%T#7X9gRm{Rd7VF)~dZ~vJVx%k>OIDzz9{{-DJ4TUWDWF zOzh|84*f&uoE8_ls@b1a3UaCuQZKm|*q1XYuCc-9{(-C)tzw^*$ z%FA40G(RYdRaSi-ze3fhpJ$r`Z2lR^yx~G`&q)ba^a7zbl2wND*2ZkCtfC#`_o-tS zv+0%3LYBR%h8Sw3BFU-i1M+shq7B67NRyG}th)oMSDU!#qLiTR=Uvr?aQrsLlV0dL z30_#BfFf|PkweX4GDNU@8Rp&NwPh*5Qr*G4{sXfrD{ zuu#bfaU!ZmHO7IHqQ1BI9egXcK3lHCN-3F=VUvi&L=z>ZhHpM@z80d-2sDTpI;58K z9u+FoRd~^Ov1;;J<_rp)6>Q_JI9F60Bhi>dr2a0(1e120L1;ud1-f;!u_6$we#g@U z9>f(Id^okUcygA1_Rj_OF$X$FKT|*8ajT;-q+qSI1Fft&XM@L2_F1$=G9ydsF8g@0 z0oe=$fCMPK@@Bq-fo{v&3@V`;>K7LXm1$+CF{$=pBm>Czlja;c7$@@uw+p~ zr(U)A8NYqg-jPLie8XVu<#|H49?=WBSXE@s0f&69XQ=UsPp!94ud0 z=_ni=YuL*yJ~&23?}S&Q#s=if!`_k_H}f0oN_7>PvM!_OrkBCqlRa*}fYUNn&Q5XH zkdi`b>5??K@;#$XRce|uD%Y6^Z~K{_Ge^J?996Izf=V{~TUiRg0#Y}h)CyIDbsKiH z>9}kJped}Cq#p9`8^Q;cHP|sXJ$eH{GcbD%RL|EO|HAC5F+8vSXx&ork85>il85G? 
zm3cPaNHeZC@Ip;1pW-3lH4#*Z0HrG~_NW16h{g=3s0!ngGg^1dsG~1J!1q?Ir3sHt zt2JL`3%B{&l`?^16Vb!0qk?8D!pxKgweh(| zwr*P&>Whj7uTW>WW~%*sj-EWI=uj_#dL639EHe{DO7Zz#VvOE$ZH>OmnCnt=9Fpyr z4hd5%y_t@w+l`rT@eE||EW(STIaVoHXoP-62bHiyR-A<{)`*GJ=m70KF^}v@cu0Xz z2X!B4o9|&V5ja3$6@ZKTjVVliX3`2iy@~latrd>lsvvo2Q8Tl3R9&}QIPbRxX4pmt)m8DzY_(H&`7a@XSXq$D6?CTn4YmINBDS!8dj?NWIlJYjHyrjh3p!1ewoOkCX zH$2#{A^9Cr2{>HkW)Ku4@8MU8;G3EC@YL&6gjlUpBcHxTIc)<9^NEa`ex?t|?(Fzx zhKi;moOWimUIPy3BAgSZ1bG?G4Z0~HJnITN3@qmSJIA(GUA^q)0INSe(=?I6IV|0{E67EgPGTJ1ChGux|EYa0r-I4 zl4{s8>1kWz*|aKK+=F75yr=+kfIuL+(zXmm(RLBzJqc-2p36E-4Ie2wr3cixH*D=HTX1OuMQ~{KnEI68zWsC!vf8 z)kjT@wla&#LSiqZAv5pxA`sOJq=`UZbL_5fM{I$_Xs5ptjf$jU*v}>%G5t7l`4>MK?e-v?a<60Lkj_m;PmseePx3H(#v@}<+6tmk=xa#{?I2T&9 zSJ`hqZw9k2C#M!`vAyXClPTU@z zD>(EVnr@b5XTkto!}C|NEe$MVZ!ue~ToMPK)X8Y5RHYc~WRj_)t90i1_*lvb5O2xC z2|&d3M9nf|4sMV;DF$GTIoz97J9W?oBJjC*B-Z^YeLR z;E2}g7O;jlX#b)8uo9$>m^Krda|m$MsPp&CBrx#E!FVH}ZaSymgJZ$)usGiea=mL9 z5>4YGGc<~>4ss0VN%NH&Xi=IMYRurr%;SJ)7wJHqfmh{(@_N*16`gmzE@e5mxvgSV z%7;e@wVGLb)otyK6C7h&+uJ<2QMTUR8RCZLw{S1*gAae!eDb>&sC9Rm_lJvZSV(&? 
z0m!J@kAm?vap1f!%wqbT+QeGn1Sik0xLUmQl^(v|`^&}}R#FkQgr24x8(Q!Gt9Hcd z`#0a32{DtG#?e4hFp`F1d3@^}fo6`-QLA1h1=V#KmS!KR{*)Mw6bD2+POl><7k}8@ zT6T$=P@WD15#4dA5qn#9tSZ%WUVRY?%?UpKa$KbZln9k47$T}gklLeiM#p6 z_!x;Qvr5cSTFnYGSdM|rx3|EY5JK#8RjoYhsFeT0wVihL8^2ZcQG{kXoYZ~oVxrtz zx?_!J>bd!{!@Yx;+2`EJ=EXS4Rb#=S(3{Vqx9?Q7FLM4G!xab1IE&}f?`tHnRVV#r z)nw#d;}Dn7I$2K@%o$emAK)vd6Stx=v1J9F-JmlBU-xY$~YT6|AHgAFYT1!g=8^FgO(!zN(#50f$t zRriXFUZ&ENeFk?+`N67{rhHDW&A6p)b~TGEVSQc%7oNZD3c0hhAK>Ron?=kU0@l9D za^KOZ#9!^yqwEckcl!pOuL_KeX(i3Qwc0O|xguJR;;<3Gc4h|)cv{I<;Rr14d|}*Q zJl3Ucj|y9@6=ZP&X@Km|TEAUbp%=2NrI~Z6gIUVvc^(QpWp0ID;`d&d^TZ7-j&M=x zzX~;pe1b19OYacw-VxG(wLu*4NLP6vH1fX8<0g)2AWRWc-t24szIQ1^`PH}>Hce)E zx95_P21N`DoWpO&s_QxD_e?E#TZ|d~-cx5!TT=`38pEc3C}GhN%sZQC(b(Y- zZi~Dis7ELZfaclt`p|`|ie)ahVXoWz$H)FL{!huwq`qF3dar8{q4VOXDxk_*Y%-N_ zKIL5%EX-c}E3_+61sURQly{))gI<{P)q_1bm{bUOil7>k#mw2p7cz`4OqZMgjFqk< z$BOIm$qUOu0===Tj1)@jo{5c^xG=AV~~Q34l)4pO(jQ!;j22Q@jW8R+y8#^G>4(; z-GhQ$-ky}HiQ;CL(I9PdVSO;x5{W2Z8$-IZARg!$1BasTEk&b)?FOY=XJ%YE-NuQ| z-UA+9GqF@zRievfwxrY9V79~pQ&xK-f>7^>)M?^iqAU#eGOCl{8K5PdK6nEP zY|$%9P}TMJM9#H(Fq*ez%mzPDtf&A<6(to$8HAfX!vmW=6ckw%XxYg+%N&b0=flhkJ;lOo0hDIM>r9b_Sf{DU_#Nw$SJ?PT~!BxL(-vuMQ4js7_tMfI9*fM;^IdV z_PwQpLwPXHfbib2x!@e3(hbzG^3#=5wS$Gx^M`b0!PF5ILJ`;CQRHGH`mC9l;M&tS zV9vPDbEi53Yj5Pq|0xr~u?vzXfMryL;a)aa8a2 zcw-N!)=zh%r~EW?wTcmHx;mg9>~UbG z-2RR^a|jj-;wQeDC^VUHQoknM(90V{@hKL4#GR>7IeRsR!A?W_gvoJ1-OnqEAPH9C zxNiV=20z`D$1}D?`oyQq1~}m`%4 zA9W=c=cZ%29UPSvbsajSU4c1aRAg4z6YJ+S!+x^jK%oGM!CE-;=8_TBv;!FQJG&@e z;*%ZRxe8I6Z;zIMgnHD zQ{%#c&)#PKkC2*+*Nno_SSXFcznQ=x?~Q&ks?b!9TY-g<(dO4Lnonz3E1Pnu7_O{= z&S@MxB5Ra3bq%PNwQ#7)VXWkTd0iIauFA=a4DRA9-&GBsM?;3w^)-r<0Bf_d$)R3D zMlOlC&t0uB#!BZk?v#nGF!DVv2kTVxjopepKvmuUd*d^UutPh2VHcIr{6+tgv%kG7 zzm3a1<>;sZ(7L13#pnob3bLlA^er!4GPxA4E&K=rc&6vS=%>oW@R1<>#oZ(|;9m*Q z(f}!nk;O0@hxRH~*G^`B)G}K<6n8|Ju2bgu21^6?b^m&UE901CI#ajL<`Qh(_S%)5 zIhZFZyGrZ&IU2<%9APm=_~;5~a-6taEF8jIu5iNW(8o!fX*KF%wqNL12-2}J*`j-C zl^kj2C1>LEU{M1z3!2yB?#EI-*gWZ;AUwWCG_lsb2L_v2_6Tk>*$YgCmvyWZ6J1=K 
zm=cpoiIu}tx1$HA@@Nx+J%gy}J`WP~#<#-wLN5*4v^i9OSYt#Ika#_tw|iliOWZe6 zsXjd(zvIOO0Gge_n75HebWuf`=1HN8IoJ(YXu46n_b6I_RFZ7!SUR84IHjnBaiBC+ zzR{EBOHwDz)ZRDY-M4E%&T*ltmOdI5xj6EbWjD74;evbFOY5v?d>nId29Se3qV?*+6G;xwb6+5%xPgK%f9k#Y<}_B7uJd`=P+ zPK1h50Z{28lF0LTNSOse*xZ5~mm7_0B2F2MuJ0`1cY3V`T`zL~38SkVNGVz{5K4;c z{47Q{zF6?5#&D&6Il-y@Ts3N9{qnyx{2_I9^3=(wj5|4_@BoRrs zBzbGR-Stb%QiM;L>nv`8=p0v1=GIs-<8LjVCMF{}f9BW*GVs1GOU&i!F0c_)Q=fV8 z-hcrhe@KlOn+&zB>jrhmfWBbFU31 zElKGDRDj6=q)Xgcz~X!y$kM1d_K0Z@Lm7#=Sd_xvQU*D)<;iOj>ZidWCV#!TVV^K{ zn;`68rF?Y{YPZM-TC)2L^JOj$hYV=(PSUG;~Xs6XkFS(GvEMH_~9&5A{;!?QR@ zFXOS~faT!StHX1M_!JYQC}%%uP2TF`O!D2P#DG2Xl-4L>q082e>eSUUH4F3C9NVK4U*&X9s~ zQ_|#GLOQWgMdq0ey_1$p*D>P+PW=vp%sB#+!zyDV|G}#1u;7k7tnP7Jj_xv95!Ib*hT0wt?YD;$QO04Fi~O_ z4gaP>$XpCYXoMaW*YvbAer&c#kl`vpw6XxnocG4ufmzPvIe~Um7luy?-#Sq#{!S~! zR@~gWHA%ZwtwQd;1;*6Tanra^Bm4Gw9JF|XnMCvuCx$I#g}Tf^ya3bX)cBp-9u8wN z*7YO{a%VndvLeoXu4+>oJA@I$t)6-xja>z!r36%#Cj#O{gXJF#ET2e|LTAAv`VGlrk}ez=vh(KyvY z_tFpjK5v|vYC`3@ry6GbLW5X^s|t?g2b{^4D1>1=?2s9SorwwR=c6#f={(V9{hCbx zwz)83V1>xi(36OlE1DQ^1o*fz1?Tk8_q)er5v3-17!9hdRz83doHviq2-T||O;T>` zJU?v(J*X?Ezvk7g(Q~grCy*u>nkCNNU)W?#O=5N3%P(eZ5HFENOtQcO`NF*wD2-w{ z*`1Nee9>(7Jt ziuL(4V9m1OG$@}Dp|2{o<~$Zz#JYC9;^)OJH$|Q6G$-HI%KJx&y7V>h466=#=ecEY z_cu&r7heRuO;OHiJs+&rQfrbgug0MoB)`^uZTw<70I$G!G)@K^rP|8~&emmBvYl^f zuEo~S`PniXkJ(Y4ZXIaL*o{3#OQ=rKSDi?c9RBi~>Iw_)`xQ0k#_!FvqV-bvB-R_K z0KHwjn**B=vb?T;Ayq`ewe1XbCcjsmVJ?)q=;{oXb)!8V-4tNaO=3ZU_w5I0=Ls;Q zN_4W>wDEKx)`DeJOOl)?$hnv9nn8i?-RVA%=outAvmvX}u_~p{!rH1Zm;5mF8!i7* zbvEKnpdkO8j_i!$3d;Lk zeAbzm-kB%_?#o#>BC9uv!#WZ$7ks+}4oHBlaFmjsc~zdFcBo}*H*V%W%@ek zvYFwoondlj9dDw+F%t(7B$bR=C+}!mcYyvR`T&LEvl1GxhaxXk=~DFh#WjrDb26^0 z&dh;~XCaCEm*wFnNZ_A;np)1Kkbz>9?_k8BEHEF>>-b1HvWh3RKCdOdwCC@ zDo^v-VaSBpO&zC@Ep&R2X7dn2qu|Nc1w?Wo*?F26?Y;#MhkV&GZcd3v2vCZrLB%V_L`_y!qr)yFh`0ri-gU2`X*KU8|=^ze+LtrtMCh2RvnLrmuqHq0$`v~uA>twG#}eYJ!tkM+?! 
z225LbEvn&{{JE+blz>AhmdcWho5bjKT+qBpe#D0&@>kJ{GX!+lTsG1?-6^&{Ar4F1 zl~Fi*)s|rH4bVIl`pOR$1pcvU$MbSJ$*Ap~tbszpKb-FIYnBwk`sE(uR8+$xV4 zlqu&5ooPkwP=FHo#mpV~a}4LH6=GFbd6{=ZGPsE&%$7rM+U={ySRCDdKEJSt;apq<>B&CxTcXp4j?1WPNZo!r zx(0dwBcpnVvyoZ!3CxfIZ%tG$9aDhn>f%T>Q1aXF-a$u2oH-#S$A?dAupTnq3$kQhUF z(^L{vM6W#*L>JbO-PMVaTJ!&I&%3rN4XEAD)+(YrR+khm40Pl`#QN$jMp(ia${LzS z?#VfHZ!Q64l5;NK%TPfmRGj|3^G=KkA$8M9QK#r()3Z#4W#WoX#=MfLUp35cL3kFy z_6v0dn{|1~zfb*1FCwMZ$V+?B#54%6rU{&01?; zYS&lw9Z|B|?EnMxMI_JpE>*ksb?vn?J?uk~%+>W6ohI9xu7%vDU-JVSB^<3=izaE1 zt$Rn@4c?7L&YSjbI{W(25CA^OGhN*&=FVyH=%gz^*OSlU`y7+7%(X;s%Y?Vd)8cVJ zDv+siZB{d|kO6~Lux?UQ6s*H46^i@^JX9355Meg2CErOWEue!DeoITe1h>8M+ly?C z(F!Q5z3ksf;WUb(bxBMjA*z-;ff5k-99YnqGx(pc9*hzJRm>AK}SvAR^47H+I_#s>a3!R}}R2cyViGn+Qy zl|~De^BjR6Ofe(W4|H`5AF7odbJ(9Uc(U4slH_ezW498y3J^rBbf4dZ;^i6oZH8m0 zIYDv>i5*tbUlxrF?4B>I!fZG`fv(365Gg5UJ7Rp*>F`>d#xJhUE=7xzeTlZEJ`2r7 zaGWcOq()Q5k#;eUfOLPX)D;yP#VK1TJkC3;4WHItUAU|D2_k;SMb)}mpnl1_|Q+2f-tAQ0)r#f?u3s^M!I9(7kUWidT&)I z$OaL8>O4>p9BPE^P0Fzl0Tw*JAAkB_i{LQZoF^}<15v^joW+(^R)E*oqCVUVYl(wR z%u1V&0F0I%*mCD94{g5qeDQrmC^{JLjuqgl@HX}dM5EwW0Z+?D%u#IihgqIi8w>6I zb6g;EVwt^ClT1@5K4cMLJVS_VrilzSAZjnNM|-jjrBjH8L}qqdv!KB-109^a zlhF@7&4KaZ;mBB4guVvNA~JJoT@V6HL4C53@Wo@0bq>N%bZCQRt>_V35TMqOT+i6Y z?mfemg5tx zkCUuprlBTmv;*%M7M?JIB=l&kJ(^RgelAwo#iN7%!n;e2+4Mw*u{W%st;5B^+u2>( zmrFY9zZ~dhFnF+YN?GBWrxUqs%}1e2ssNr^lxzPzO$0k<9V(O`gr074QCLzo?4tQA zwBZ*RxqZf}=kjU3aVrAY84b40Q5C|t=3HWSa%TvFjbnD$TXWlr-;UrL22cJPB~c2> z-r7($0cBD<0EgyDiCO7}uM#JjSBW*6w;MZzAz;8Z=-I#Jf?4qiHmjIkq0y#BDvKhY zWZ=GKjhZlBr$*UT`XRXnsc~9nu0epB@l--Cr@gjnR8U?4bTf?AY5h5xKgD(e%lsN1 zg$E#9cH-gEQ1gVAUaD}FjUySmf~>Tin@5Y5{Zee}NVH(sh5F%`ZfXF$x7wr;%(vPB z30k>>1N~M7+O>KdE{UdIrUYIP8Uc|RiVh>$hDt4G|iWg z8DYnWLrx;$Tf*-Y%$d<_RgsyKr;;-;byfn3276e5CBE+8{-3at@})jR+a(yekl&}$ zVRDNl3+7=OKnE(mP3@`Kq;H=*lOZ4D1Dhjdi+D;aj zMfTp4s6GS(-Qwx>Hhet`X`l0l%A?n<5?*<-#IZT%tC!~@@W@NW6a;+ko%`DKP|t-_ zVWfmeFJNKagQbg6Xa+{NgbJ}NlqgaTp#PRq{Uh?a#Hj8L_<%gAhG+a8_ky&{E$4u=n5914xs_~PT-~u4;0ki{ 
z}e-g7Bl$<}|#pwgiE@|2j(Lj#N>eA!+rl!K{fWDT)X@LS2qv>fI{WiKWYj4fI& z2i&3L01QfCXo0VS;XE&x&g+ZM_efN!i8cB8OevT zc1tu5A?Oy-V#Uhaxmt{hfO zONt5F4)0M?K-<=cYuCWeful6qiDp*YapFB4ZL<)pR3`bP7L8qdi)hlU;+94#IiZq8&Dn;CdIC;<6raPsSOP1)8o5s~4s?uDR~YsBm(qEy1*=smv^IQNgKI6P)-mAK5wGa_0dKodbx8xD+5G{kz0+*(Nt5?lO zy|FX}g933PUbY16Kmv^}!WHoCBFRR4F{WVw@OTX}O_Whv`MZqfGqhi=cy$<`v{O_s z!Ht&o$7ma7c4eXt?-^Fa4mZ@#Qp!AI2wh^yg@P9%&!FnneW(%-{5Ti8y9>`szLTpE z*TSodT}Je(@04UcmZIp!l3DX(cEDs57dcJG5mLM+Lo^3k^p&l*xF!-Mt=&9?l-j0C z&$Pug>qQX$>q}C&l9SrGzzBzYbC?|SVOJT^te9NlGBjq|+qXWkX_HP@<{@Y7C5`vw zz=`OKJ#Ck9oOqto81N^K?6vT*SA)H?hI$i7yOBjCNi^=Jl!mBau*d(*u@#k+*ti4sG@cwUK17TO=P?1+&go(GuM(&9YJ?ah=EjXlJQg}OpOMa6(POxfVC;(QeoI#btDHjh_VRwtAc1cG_QKyF#T@F za7f7-0m&kK)4Bau&`cQ|uQ98P^WA2B>aet7A1H0WU+_Xo=nF9hSWWXpi|AAW4QD8! z#*I=>O{S8b1*fmOPu!C<8hM<8jhW&LJCCW+@>L3dOzh`EMP(~YVCtlpmUfW2%oZRv z%&*?tp3wq`-QSG%ZQ?YWX;Z{r#jT48u&`n=on}ux3>`G3s?1!Cg_qv z|399U^+GEvLZL^KUJZ!9eC748-j9aLSg*hYJ2<7Pt{bbl_e&v6AsK$Kfh@%TD+hCgMM0+6JZN4%|!<$&-U{6o^Y!80urV?3} zBaGH`#Cyo4%g4<@DgHfVy`lx(SVv_B1&LqvPKbNV2ELU_h@6O}b?q{c#HLXgQ-bL34wFV}FdIz;G?Z0@XnsmYmgAK`*ES0J?y{BdTf{5O;xWXwB&b zCR2gq716@W|8obl>>A%|q672~cZEpv3ZHXG3pTU6?o?z)mWR5M>CPKvG%np9?rv-6 zG$!;kcZselmG<;U{e9aA1T^Td&&qQ(w1vvwjOb0CiZ%PzxY3mFEDiX^SMAk5C+7OS zUN*C0F*FJ?5bKN8eCrw{l(4WbPm(Ehx+ZoAi0!zaP&d&%G6z(C{LzEsAyfY&TxjA( z*+v5LlJ`r{Q};G-t(*cPOA3-l+$o9pAox%XhYX%e0=^?U6dDU_M+}nzOk#LlC!1)g z)1(tiO7l+uL81lB@%!}p8hHU-nRr{eiR5{rNY~$6&k_j;OugN67SuWxu`V%X7A&M- zecgO7UBO>`orotq6E#W^33+s4p0@ptuxf~1(Ag#eJyJ!YX1ioiK`@p z8PuFL{%cFn`2i+Q`D*J%>kQI?JTy`s$wd;L6_P5z@*scMzG?c~k!35(xz2GnKfPuLw-;?#1`wqawL+wZBGR z!iC7GUI3nnq1KJwQFQL0Qe=}c9-XBNq)-8mygK8mhq;}i^|eqdMk}|v6ZZPTmQbSl z(95WDW9EG7>K9Qmi|w|^yXxJt*W!NqP!mXpsJ2>OMP>=FUQ!p$le*pRSvn#Pf&xp* z-BfN|_wB|ec(|bR*fQ3=D^6HhVZ9DffMzq;fBPBl{;JnX9#2=28pe^}9$ z<^=Uy%a!R&Uyc9_$NeQt9)q<)OBNzU&6Gnjh&WKqZM}TLOwXnp1qXuM@CwWFcPeM!M zK*ebkbRhB8{Obwne{~o+&PFPmT*`CR?2a?X55;tdPIbS!0%5VKB!Cs1IySRknSJvF zdwGQg;wU<61fFCIvNs57BZ&%E0kdf(Jq-?gl+H>iQ59M@=X*?tc35f5R)}woMa0Em 
zl-EGr^X`va4@n$==dELI751}Wo zN&Uzm+8q};KLDUuf#!V%L*U#|3#h?7GuKt@yM^1D9#qr`Ve`dVyBk$3gbz0mD0{+X-1~pO^%?SJvwDD1 zU66(V$+=6Or>*(Nc)5j&<*}@|vHUC$%iyM0NZy#zdc@e&b!Y9&T{(Mm60cox`n6Lj zj4s_c$I%S5l*2O|^8F?|XdMXO`LPDw9R1b^Z5=h~Ua#-Rfms_L(OMFDa$;C+P^OvoZk7go8mMc4|Zs!ngU zykWAuiqO^`t9+c4UYJiRjI$3wV zuf{6Skcp1wy?nIOjCB-UaRBK$Rf)NOIlcf5bJq-7&_l+0Z{Kk0giXaH`eCxlYh?vM zz8^-=SmL-w{*>%a)*}_%C7zZ=2yQ|tC7W|qqZ9Xu;N2BA=w_Iln;kjG$deTY&;d}Y zy!B-1YFm{m5>P9h=Bl}j`&qEmDETtEJx1pfp_)e;Hn@b+N9pCEGi3Pn_KkB=cOwg2 z{OHYde&7T!`9VNe;h7XLQI#OcDinOos#ZG4 zn#+;(>>6FlI&7}IW|GOGTJ*@)EF+hKe?9+Yiz(ms#&}aEMJyB2s)pKd2#2hce_G9=&*xdf*`E?#E z_h9=V&jKy3`H1{Vz_-(A*s6s`FR6b^q*Zf6vu|{zj*Af z5m#e*Pad_SNr$GI-&7H7yWL93a0;7Sl8HS5;Lzhid%A?rbpx4C8+H)w4u{NPz;)hwBJ`l*7OiRMZ zpq2v0TSpAA(!d(MafCeJ>{JFYoDdp$dt+OS@Jw+X|B(B&D2=;gn?*mbU@;jmA%FgS z^Q{lwwADhM9_v&y9;gJ!V~gRBoDxD22EPL-UGDZ`da!RtsU9UGBr|cQS+`PjOJv9y zOCXyE&%b;~+@ZLzdwcVqwd*P`wnI$-dA7o#>CW3iIAS^NEu{_%n$g!(UZL-onpL>Z ztUkam(e(~{vM$BuOK45;-FT?aH$6-g*cvnN-x2pI3KBnC&U$7qAj$Pymn#b)u$YsQ z4cc!xN}KsbIr0l`o9EwcKKtmSN1uK6en89L3pGHz952{IL;Ky0!jj?gVgQ!qP6X7oG;)J&swbAO~JsF-tZS<9< zcoK-dYnK%js$P!vY|!pL>Z?220fH>e$F@4Y3_2I=KeH|*^Lb!7oq8g+!cp-|OoIjr zUjn=IMf0({?dYGeA z+A~uX@01s7xmx8oVC^KBqIBc(QLQArlxin6*FX3?EpMO5FJxkXXUTbhJb{0K!C`&L z0EutW3wa^7MG!a^ElJ@)Db;z{i?a$(6vUWg1;PLRypSWkT6GcV2p|P;0zZ;v$kwM?eEZUW@Vi*Xc zG}CYEJsXF?Z|WLnRTINRoSQ3V`S7pe{(R;Q|Ek)#AqJ&@^#CS4RkbBR~ zRi%jj105k_WqMNXM}ejHU9VU>4RV?597*8>{?VrQacH01eSza)U|4QpaFsh&OKBUkUS1m|P#xX)HS)oA;8 zH|>1|Q{}+A?ZyU&!QBQObmM~#GPn%x?k*d5cXxMpcXxMpXK;5IcwDJ_&pGe>gZGk3 zC#htumVEiTI@S4Bs^6Ua1VZ6Vqsm5FU}1X-4vQ0~?Gkq2cek+ihTjox z6*=4MBL{%(y%>t;OX94tK7C20ELyL>9+9W+@N2MJ`O`0Qs7xP5;SEAuGj1eI(Toub zWjudef2UV)XP!lj$n`#-a|(`7q6MOsSqZtG>GZTBLURYpTjsLrlgyMIe($_&o1H~- z!DWr(SYgj7E}K(-_ERxEHJ(FU(*b)!4TL}Y)DCCY;iA-}cb-RZ3H`aF10{4OlBGLB z=+4Q1=!O_WUJzDB7rMWGK0ED4IawVcuzmWrv@r>HQeO4Zjrz82AyO@}&swL{KcDb` zxCQdNG1A0Qwi9OYakyuRa8^)kkt9{|0)+Z_N1Kw^mapX;%CS>LnBCGrA6VM<=pJwM zH4zKy^21+>QEBb5$~?#&v#VRubw)R-l-q7@txp*+8QpKpiZtwt(zG>>BWmmJL0W-> zkwA^;s3M2 
zV8MY(wlvQ}h#pG!C}m9UHpd;Ur~SQnXi8#qD|jO%t)o`;#8$9wUOf>9uA|Mcij{*v z5Q-Bac8``Ew0wmLM`!9{VPQiHWFegWnjP9pd)^QC*N0ur^@fXtXKwwY5KA9hPB zb&7GFqEVHDtJwywO0;Y?e)lJ+BM?m%&69T#03UoyBVDorgx2O_G*7-8W3M6~Ji;)sHYAG^SL~kV>{L1t@ zmp(1CKVV_2cIxseClzH{Ao6Hkv!YTg!h z%!Cf!0IG%Q^&9vXK4b?R6xG4hJ3QERHOY1$`j)J6$BK#DV&866>|fRTsVbR}*hlkx z=?+Y`pIXkAazM3bKmn*fdzUC*(GXE;Q*DT}-e5U#kA0DGG$J zxgONo(`-V{KB64i3i%i!|2uSiwZPYOO*)rIk;5mE2tF};1q!8|;dJ*N?_iQ6vVagr_lrewOI%mjiho^M-WtKerz|6Ym zo*e4)quz^}fVJv{tgu0XE*~nkr9`UVId?h6cBbn_iI?r-;8vZVs680i{A3Q!=|I5I&Ui#-@U}md8eZxA7 zvqACjg|@1QNW-AoJvglV11UlC9WO$F=`AQ5O!sx9;6qt^oF51QjOw8 zOB5w-C!Zfi7MvQWmaRL&!bQ_#Ig-E)9%820UVCu50cOPNbjK75M71;6ChndQe`V9!aU|3VM+f#!%%_H(DeQs8 z{l53&?)$e@dW_E9t3kwG$_N1b5Cukt$OVcmW~(M)L3hv!xJzn6Bhl|%gAfIEu!*yt zwBNS_O6n@+mFf!U*B=2KN-e!Yi9#trc|i;S-o;;^%yZcEH9l8i$*!{k+9L%!IeZRd zQo<0nlcW|Z8&W9UOY}M>RBr{Fyt$2b-!Z8@e%t$m&Hn7_8}r9q&`#ZIJ27F@;mszy z`QeJqq=v9tZF3u~e%yBoBGz(6+lnc5*-v54r~KwK{$H`>E|rr~CuXJiu-M;09@*~M zwMJ6dS;_C9Ch)DEpzI$(Pk9+p4bn$?Ha0kEGqp$+fgYn6-NUVGTwK7IfS&o32d#6z zG37k#vVEnORV|K_l(c?*(Vo!y;H|(jteeputZ@stKwOA4!^wIHwYpcF=hpq&f^_GP zIl5$6^vN@;lsR_(h-fHDJquDg&tjdV!(c*Z#$i=ZH$*=|Rd%~+GYm>o#@8LB`xf#Z z><@j+y1*gXSY8{ecU@?muZ=1@6I~h^DAwYJ_ll^Sr$Y>28_e&o2TgT#l-$s!=%=NM zP?n5fu53+&k#b1a*>yFO1Kd!nuWz4HhNKpI@Wh-t4<&*9p;SNUMz-ta%SImE4p zg&j7I=g!Uko|2-{7Kz`fK zA=B+>5aQFt_jxn_?%usSEi*G{ zmJXjA6+js@!RdUiQkIb<-fUmtt}|7m)W%SSg06Ge`*v$sm;Axxzc%t)FeRa&P=?ZjMgNDge@XEYN z-skz(jwFi~Ay+m9sZGk9BeuvPeuS@t(Ftl6qsB`lqclt-8Ed#uqLJX!{YCr(Uw+oD zn^P+Sn+jXzHnrKm6jC!|xT&^%F||(aq^4F;v7}d`^n%ZuGOa{lOT6$m6;BCpLHp$Y z7`VS!7H&KdW|NK2`pp{|_*ZqiPX!|OP1mD1dp@uy0wYnX}5}N(Tas;^MRa2>O&K&CPRqJS!9P*OPiA1$ zH<5-fRtBtJ#TtiB*zlc<9jHx}h?V^>vA0GIiq(w$;w&cY(ah0Ib|ceGNh0XKlSoLu z5^rMa>nM=L*8V7G=-w7U?hQ<)r%SKxy36^+8x=fx5pJ?X69*61m%`uCCA(K>wh=gV zGpKN`ri_{~=@&#wGKs7-t3pq}6w?pe^Wm>{MJA)lMF?nvqPx%4%gmWk5Fb@cOmNg% zkZ4oLQmAh%w-8#^)Y{0G!oXPQLsAT67eals5|CEoW|wPG3-z$ zU+{To@Ii{c zX}Y^Xo~=o0AnW&{TrK!H(V@ZF=%|jsh^zy8r6hQ8=R};ygN5ecY|-p3&9{L;MRaJ@ 
z-I`Z{0r9Fq4$`(+d2hBUpu*$CtMsG?eZ$R5Q_pzj@ z;k`-5IU88!5kyBRUwR_d0F%pr&Z=65sw)IvZ{=75)-5vba=jq`!Jx+;v)Z5(;xO+W zBL7FLu5z_kJehYj_XhzZs8#hVXK_tddScUz!Izr>vt9*R&AM1ApfaefZJo00EL6+x zIFSM_8~nvMzGa@Q84K*OTTlh|{9Zz`%`n^A_G_ob5+mY{g~b`M&jLN7opju}sV_Bb z*r#Ax&gHibMF9F}4X7;MSJ$eWT5DiIEr^+rgyU5+Jo+`q(UWKChx632m){{)f1AkJ zME8LUHSiuv5>nzajB^)nESs0$O9ds+1vyrYN%m!7MQ!c}IZc{adsr@0zE0s<2KS%f zfsws#EAKMp!;;)>xEvB>L|c(3{oab<*FfTs7&_tMuVrlzmiH5z*-^t)=6d<`CZUJo-?n#YheNM9;$YI!ZlHbRI zpAa|X6^P71L}N}V#oao=XVxNr`|kz_#BUCzOdo0nX?Fpb8Z@SQ5t;WOCoqnugA?Dt z+$!3@;8H@8axv61F8+i42f|1UYR~Z0n+4F<^g9!p>v2AVXA5W@-7N>fpS{E$Ri3_r zYbmMW>{i~z22Y~z3Qq;obZQ-ysf@LpiZ~hyV{LBE(@|Th+6cX9CGLq`bexU;WCY~o zJLTuSU*C<|dPXX7ij)dKVws175CRm+Cw^Cu8L=IL%u7Y4k=zRs2aedBf5t~MW*Hw2 z%Y9>M7>+mz<2Yr^C_IV|sfAzxWVQ+~^K%G2HEh`xB*>Jv5{RH%Ah64OMKgF5JnC`x z;9_7(E$O)rmL=|}r2j~E63s2Kb(EQV`f45(VEHYRWb3AsD2c$IALlnNwfj^#mRjH> zk)quocG1xht{s%~^bLbgVnrFw{%{DZn1h50s;_&ZRYtkWfoOT8@JOp6w@qZ@_L)65 zZWI1NS@(r%(1;??R(7QaDs6dg`)Ow$tMbsPH@kG<$ zqa#GxcOSKQI?hbMTOoXq2JgB0)?bQdhtL>rI^p(oOhOi$W5D@6Q{Qs7;TH*&8ODfQ zOoh{tcdQEMAv;>aW@pC2c9TbvMD~@SK(;5!klK7Mmo{x}I`HQeIp8vKue?KVt$CdQ z7xgE^)1TQ0W}KJ6HM^~f;2oKD7 z^C>E7*2W4@C+-I!O(YqBD}U<)$ye8?q&4cE1hBN@2&ZSF(7N;6RjH66wp#q1e>KKg zf5smy7)BP>;zG~>hz58*D=!PGZ0GLglpz_5a8gQ`CDbsD1zqrc&ipdpYc*Mx zdv5EFzD(f=xnt$}%Fsx~7J;`>TJtHg6)9Qg^D|=#pzFGOSDmQ1_VWR`c*H^GOAIh( z!s+59vpPh)9BlUIFPeC$g0>0mOiw3!gL$L&d**$tn)?p%M|N{eS!R}2D12?t+wRxR z+FO+K{$0Nv;<{F?N?~=M<_ZFO;jQC$}Evn2qd`1Tx=?<(p5n zu+tF_5;j@%ZLvzTmqC^)h38uysMNHI`^$F)65=cVr5fVgU;!YOFJUTYsC%k6YszG> zlH~#>_#QmiS9t@y+}Vnn(ny_wdT0F!d7Tq}uD|lWL}$b*1t@C3>M*v|AaD!gU#!BR;;sfiskP)0`LN8tBsRrnbxfF*hYXJaZjk%mrwR8f@I2~-?A-Gm#!64L#HP624 zRJsF4I*%0TlODtYPX{5eW=JQC#l5ssJyhN2X(_QMaqKKvPM%wKv&(EqUJxFG3PS+6 z2|vMa2d;@4^zV9I>026_OovqmDBvN-R(q<5#xtohPvx_lpi*vxf?X3gX7I=%WHkp1l1L@iQBol|ERmX$HAf_1=y zIocVR%7~Lk*~*9AdiOG>H5s-KTWCRwydp5J@{tZHe~?*R?#V#m7fT;xd_nA}gz5#p z<5nqm&bN)mm1?t(=byGQ+*-qF#9L&+3%Ff$Wo5ux)WZzzVU&<+N5HcLrE(mZv@aWf*46v^;SSY`H5*R68Q3I8 
z|2c^q!MfCgZE3tEC&u&iJw3+}Q=T7kqBL$>8;bQjY6fREwHnhoNL*IVxZZ_D=%%P6 z_%=NlW&#qnoICmoB6k=-bqjMznK<7GLq@m}*pOV`x)>B$0W5-Y-5CwC0U_Ao(RUD3 ztQ5a?a3Gih8vbgFZ1HS-Tn2GU7SO71fk=Kq%X#s9#$bfgALw+t0jv zEEmY>Z+0ndAm!@7P-jm_kkWr(LYAKv;D+d%RPrYU_ZMz&4S_yLr2yf~UrPBxLO*e= zj_$}tfQG(1$NjDijM%^*x6fZq$nrwMK9_l@5oS)}cl78?NJ-kPg{|tBW@$8be$G<; zi^-5V1ySy;9S_pynQ&&yC@4)MP_ajnBSf!t@Dt10FRgq>k@%#Ex14_S8Q}srykafy z$&-wcd_x6IIn(<3I5=(bgXS*X3-RMOAs*r}cu%lZQ)*1M0*3znx!ZQV5a+GcJ02IN zNXi&+BcWW39|r1p7aEhQ)*|a=y=IW{sfJus`B=&Fr>p@C9^IfYNr-*yidHZPlJjq& z2?&SJa%`rPw;Gz=TAE~^dRPeT*z5+L-04(OuX+!$Rem){`@r;ezWZ5ClmJoKeYsS; z#Xuzy;x4zR?LCxRZT(och;TCm4Y7+CxMw`pR~^9qu4v&%I&pzbzL4nx(cmeiViolpE$}Onxc5oI9VM-7keCo z2o|$lF3rHDXEo-}k|E)v_gEDd%rz9O%#C%QphPV)P}IppaA&AXfM-mLN!52DG>KDu zYbuG{JG5mRgo%QYrQ_wM#JO0!t0YyW zD|Z?fJcwq>@IT@-W7F$vIEQlnLwoTift_rucki40)qYH|M1 zi?L96&CbF0q+8W{PCl0GKsM|BONeoR6yJf0mBOQQN?uzswS8BM>T5Kuh+EnSoF%wR z75A9#M$HV^4#uTnVG8uuB>}D<_Q%dRW@6(Ig}yiK5kx0s=CUE>M#%lW7VytwdW9x` zRw6H!E2y9G;fze^$fM_Ui@rxRInO@LT4_Y$9@8$lZI^w_Tg*=vk&MCfD6hTs=gRv|Q58-c;7nCGBP>^UGGZcB?QSXbLyjc2$cF z$$+EhfOC{>^7%PV$sBUzk^+nqoLeqD(!3@#xnAU+k2a-UZzj2jLCp0!Kv+uEPpBGI zOFskceBFxUt~`xp8;7N=>B%f+piL$d`A@(u;{)%RmoQf3$;oQq4`2%fP4wIEB)HSH zS^20l!GR+Z^^ZF_v{AgO0NpyY+q8NAFT@a9#Z*?BLlSL)P`=$*$e^ zn=<}aY!4#xD38b3kAaK62?)<4ljk#T*-TeXWpL3PHLuI4pfKxje*Sc>E4BU;rNz>n zgyPtzKqIZziJ{w<(6?KWEM7j;KUst)Bp&RESrZ}xDcp;KuG~vH?&6)D(MXM^-twSb z@I_1aeJ6~QuLk@bFByODbhrH;_Z@|r*r|RE_)dm;J!(CB+p3LD8%g4S4vGj4tZX!b z#b?L71XBbJ$l@bt2b}}G6ZN=u(7-FV>IdVyqW~GIigNXBBC%3ekp<#mugnLAt9e|4 z{WcN}{VviGbxrc$;=axPhM9lrOdlEsDGPI~3FrHV(%1;`0+-~Z$QPEr)SEHR7SzRn z7lbMnt7)WCYs2;Cn(*6f+hkD4#)+F27{jTz*PLAd;DaY1!qr;u*G1+5j3iZ;W9LxL zSQWb2OJZ;@nYxfz5SE9X-DA?Fz8l9ILM8gU*?P*dS6m-!hvuCSQt%yhpZ`9rxr2=( zl_)VYAP8Vnne3PIte6KDQ>7rzv)|+!xADKDK4W}!0=wWb*9Wi3Re3&5$r$M@-A`Uh zE~Z-BA%89gG5CUr7cm%u?GvVOXOZJONP4Z27WUsIn~Bf(G0@3KBrw2&F1nv&iGBJtD-z+lgZ~+F zu(J?VG<(%W#gjM!o3=qD?mFhkHhy^phl?~9^0I7Hp$2lI;%Gv(mDp*>jKpt_)Hzk~ 
z%QVF`Cgs@4cs*A=3`hvl#xcvN;hlpkJB3jR#!n-S=V`i7d^(MK=gxqf=3lIp!`U-kdS>JbA&|Tgo55 z^&Vh#gUtD4W)lWW!`~Rf*W;h5PYUX-p7`s39K|~b{5b^l?^c9qv2!X3<4Xu5p%V-~ zaq)P$7O8dS@V|mm$pR1>+3-QEB#>@yK$&WuDj<=2Oaa!iLdTor2&z-BfcjezI$c-k zcrU4x-|Rj>9=NMNo5d+|0|JZ`aGJRpr?+un7;qMGSoYNhR8hkSxlY$o5Dv*J=7OB8 zr+#Q)d5ZQRR#>4)zxPX+AAEgSklLJryB!mUky!f@y`Ti{0n6~7vB<|RO+@xExaBWn zCJx`?HtcmZnlY3AL86oTQj7(`0&z2(q56lDC%DmK9E#4VpGQNxb|?KkCUQ198oT%C zfRfhp0tCZ^TQc||i*j(o?zD36Kn1CG~zUpsX86xp$bj%jZ z83v(yX@iWA*H_ZBfzrznMDXtJ;Z)ZJQJqC2H!D}vkNMqh&|-~4&g7;5_NR$E?iY@6 zYmY#L?&QUKZefSL7G>A$9~r(C_5I=Q5ii|06G%o>;)c(eqGXh4li6V9JQYr*VR+oh zgPcz)VOESm?)}kA1a4I*?|mhEc%H{EVw1RAZqW!1FA2%o+HO`{C04PLKU;n`&dZCm zs#lt-+gbdG99}@w&}!T`Uz>>xD6GllvleMAwS=o*2=xPiB60g_Zn*eFu4mz{!=!mNd*5lm1C`066PDb-( zN;0EXvPOFlI$=h3Jb#EwC)yC6Z&g>X)Rw3UhLcJ{H8Aa;A3iDAH)orr5UIbMw5?!;zGSM((0VdYX>1 zBOE&8UNawt!i38kJP+C6W{IUyxKOwJb1otGoIzZtgC5Z3l1^~Fw_sO*Gei-OS@n%i z(ZQ{K_Yg)hS8JZ@EN#V(4r$iylndUPnC}vOafo+ABxHQDqo|3}SEC%Puu$g(DzB0k zLqvJSoTt&qvtbh%hG#PSP1D~^2+6bTUaRmeTABT0|9-4Y`AqpX7Y6u!lpm;0nYVy2 z*VZl-a4o92m;2bbl1JIZvW&R}_iXDLH9kwEZvUDhVOXe#qs?Au!1VKqCRQM0fAc57 z9idn@#8j57IT#u}s;GUfqF66;WJz>F_Ren!2Ps zHnBZ|`5qA+5+-YvWnL*?rhr5oHPa-Mix&iAY;Z%@=i<4vf(Mh})r{{`a=te`9prvE z@|1zD-ExGjhU!nZK>gQoL6piBSzQrGD$2#6_orpk9{m;YqD7k5A%;;$mvq4wxISB@ zpSm~mi2y;o5Igt>Q1f{NHD{Q0WAws20AjY>XXuN{4Vp%=Q=k9xS+yu(*x zY{gMi1nq2Z^{4H!ZF)qcSVkV~V>9)TZPzewNCH}Fq)YOBP?D6O3Mq9KSu0(ih_QdyG-ykO%3`qNM z0=X6jK2_u2c2CaaXbnxtDnsNsL>?mvVbf{EI;kW(^E1=C8|aoj#fpFxn=Wfo}B?$Eu*qD7CMKtfh@ASh5o z6R#yI>{k}y@Awe&IQ?$e+D?r8x55Zomul*FN^^2&J);VJnoXw^r{J0Lf~>vD3$!*0 zZsJ7gs%n<58x{BJpTs0obeFJe79q2~d}JAK@K$!8qby#`6gbQV2zQ6C;Y zP`!Yk6IuP>ws%Il#l3%?(i}%6VN}ydA-0PV=go;j_~c@KUY-6(WZRylrjKZaEbE;L zFJ2||JE-_&j1_r`oWxFA%kAa5uq#7Nu0c#v7%3sAL+01o4lKpjIwpmoT>#walTqqHI-NQKtX6JVDe2WjH zM|FrIi`NuusM{`Ohngy3?Q(wlY4IdqcyDX?-hANUwkfXcD(ZC6D*XspT^FG`lvAK7 z`EvaiI26h#$?>QQjYsH-$MXC@mtC8h{m?!%pF>2b>mPuHDeGs$7kVm2nh&^i&tG5g zIdBp@(TV1rM7h>dewXF2Y0wYcD&tyq25>W5+S6)NR;h~_5t_j$HX_)i_p5cDD~*mwrzEvVxQmPY;2(lgD%rqY>F 
z!poSX=k5KrR?+AhGh0K;-!>RkQbmbxIG|87CGc?hUN|dKV9FRLlTFMCm~!9dE9NLp z5Z4a11iSQ`U7JzHB5c5y-g`KQ(wiLhNkrU&o;B}gN-s5*m1b-P6r^(W?oqS@|NQz$ z4*d=6$EkVQ1;Tq#O`TL$@k3N~C!(ZXD0enDyIOW=thbMj<70aj0{uWc)ExSE9Z zY)w61S;}B6o4IPa=aOMJGA)H&b%KYyxutu%oK!zhK|5If1k9 z9Me=hMd%mV9!2`=ylHhxXX|b>ocfB2vaA+*Pj9fE>f>2yr8zS9mDt3wwuwv-^9h0L zPmSs@iNB+8E_jw`Xp0@-yUrT`o^Hg*!qqy`PDJneq41!ORV8i9ymBV zb)}Lp1w-cnAB@|@E9Y!uBP+K~0miou(+~WF`fpiBIdO#7ki=3Kw^RI`pLXVaHeZ z)>$ws37)lb9Wx0jQOKc`>e_ya3}r>pF*vCYaR!_CO+D*n+J4#eAAOOU%o^3MgP)A9 zud0V91a(61C!Gw1XbepYkiief1`MUM|2h|kVL`NDot#@Ok|Nkuk~iBE_HS+cQt9Wi z;Y(?oYA6B51+LA{YK|P}Zm;2R*Hx$p5fk!!vKRQ%j*Ba=X zKftJGIs(SKXijj9w>uE;tb^?$k{;BSYcP+@PPBmjW+zfbMIkJJUNt?Ui0?6nnKYz*x_XHQ#N$VmJ%L4zWY z^zQR^$xmkt|4#%-pKpdX$k4)$f&M?ze+ByR#wXo=0$M+Txc>xf{{jFwTQK|=*2x-V zu4ip+{vUb&Tb|NPZ@kw}j=4`1@;~uhes&k1Jpah>uZ7?yoz>m{1Rs5Z5&sE{h47zX zJ9`%kL%V-h@durH{^rmA3FX_rwj9N0F+TIPH!-v{{I8Vp-x0(G|AdOf1OSGT008WN z${QK$e+q7AVrXb@$MB!Kf6MY!I?+MK7XT=21N(fe|G3Q2{Z|c4bU}s&^7bH8E8~A# zk$>(^|B*ql8UXmeI@f<~!hd#z{|H~L{RjAeyG0oZsL!Sb0N_4X@6U$MYWR<{{{yg7 B`9lBz literal 0 HcmV?d00001 
diff --git a/tools/nist/sp-800-66/nist-sp-800-66-rev2.xlsx b/tools/nist/sp-800-66/nist-sp-800-66-rev2.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..89805a7d9652eb6b68047ea8c5dd135b8edb1ab5 GIT binary patch literal 40953 zcmZ^}V~{RPtOhu?ZJe=f`;2Ydwr$(Ct#`~bwr$&<{qEjBdw*h{o#9G7$}Cd#*T z>&Ljz)o#Kz`*%a|zT^*Zh5sY3qQcJ8#eZ^60s{dd|9|B*ws$i9AAw5~2jqqr;llJy zFM3?FLBcC0LoF#15;DLJFt~Ow=35kvmTs;kCszXZ!cwHa{C}<};k_b#3(DubVQi@C z#8=%Ei}cMU%ou?G5R9K|kQPbr_ae$U1HwQ(VsAeLi6$Np@EX~(*klH`7)GyZSUV`c zB`nMXg$mN}T=5F2sXLlv21W#MPfUpaSzuaWg&9?t)7z>HTpkWRcKg_MjR8a^RE!mj zh^BoN7Nfr`ZE)YzY-XDKU`*63gN~BRUEL)0E)b#h3MAb@~!D1d-a|5J>I4TFn?sjcb%&P@NKnrkg> z=M7FYzuWpb5AzpW*irVtwiZ-pOSjFI%#dq2!cb(5SQ}51#1Q{J33jB(H2CWzSwJ=~ z814DzjF`mf8K>vt4ZYD>SVYQ$hrv3-=1NyP!_J;MGbyqVBX)WHT|Z2zj9#mjCD0J3 z?>H*T&{j}1l(Yxh&;ze{QW_TX%T#XqwpO@k5{FsRi7gk%Gy~BGC&bG;gXa_v7J;koP z!Q3aCz7iqmmSW2}leL$Py2P@oSY`ReSKr;sY>OP2SZ(=5YxnKNxX97kIS=^Wd-?F8 zy2#P$IhRXIa*FRd>ymQ}3t{oYOD`1k)?>j%A|MS1x0R^{&@?@&57!i&b^NYvA)Pyo z8?H#?pV1Mp70U(eG*)q^+yrn0AdcaA83mtup|+^K!K4M9gq2yURs|fWtg*mni6G*U zt@`ih^sey|7Oz}i?iuS8f6Hp%^6Reb+2k+hv!nd-L7w8F5rmeCsIJyhTJUZ}C%*ofC^`z${7LJi4{ zkT)c8oP!+a6X$uGPsmd7`4`pht>SbIbl`NXUDhf#+L0BH)c*V09A11>l<5>$2%)fa zQgW0^E823jbi^B!^wEy!P*HEhZJ z24h##iLNs%i3rF^dK~}lorz9B?js1}l*+m;a?}9(&eI!`95@S_H2d!G3tMKfp^bZ$ zSi+P#LL@I2IA>;sEY8w|?g>$|%C8D%<*y)Mh5^6tB;Y^x@_^w;8|_x83-Sj3o!{UX ztbPmX=kllboh`lXeBvuyXy+jDH6K`v*4`1f(;oh;W7=3{rKdDjcbXpir&6CxwZ@g- zfAwv_pLc)#u}&INpQTAhf{`E{*epca@fAIBM?DOEW};07J*l#2$`OT+A$79Z$gx}^~ zfY0{%qU&}8+n(o;s?)ie_t5LrN>&ZqTuMPm8u^Vn9~_ z8CqklM`bhue&+GCr&=FTpzN-t9;^RkCsIyh)r?Fdbj16kec<3 zCqyC#_*k4o)>OzI>o&+?LpKjprn_)@$ql53yzFx6D1JBfmiSsQ`NSWKGxrFZ!=1Ce zItImRel=DI-kEo~95%UkK=n>gX+=u>27IHU0+6eXdI9zF?_@bVE#CKmMA=^}nVp%vW%h5Gl zu`u>R%Yw%On@jK(FYv5*iQsxnnQiRFM{+Q{TR*q(4THmR``6KZ!2j2Q@J&-iJA(oN zeZc|&Vg0WIakqD}cD67zb#Z3+f0zIDB5DIk8=Oczr!*=vWZLKrvSu03;3~*%Zs9|A zibH13B_^E%Fil4-CQ$x;bcn{}=&Pgb zMFB~hy_JHC0=U6s?yMuWHZ)*)90f`v!KB!uWa->laoKAq<;Kc9WNfsF>i}9V0)YVL 
zaLE+$*+7X-Ivv!A^1~>5L+~48F`%qb+dQ4Lf?C!rVjJ>#TKwt7Y={NgclE)6UM!Zr z?5T|0eA)-e6c42WLC*Z(#aV)rf)sf%mEN2t@zW}Tcc-tMpLlVggLFq&=VJcxE%f9w zej_d$kJ_zbF5Z4i<#zL^KIebs#;lNGe(j5mccA)77*f}&T3jU^B~o@(CSfHr0CB!J zeB}FmjT{3)VMZbeTAueG{_hRLu#I%)Xo8>O~q#cJfku}6#Sv=JCw7mi{&JJM* z#IxDbXcMR`J<6{-y0054LsKyIIaQ7jFyF#ES?#wIDMJ8_b*4Ky0`ae2&Chvl+OP8G zX4?2QI(b%lE=Y(&9;CG=<7{w`rv|Ng^Dg}zcAHO_`rDBK_{0SGjR?>UytxSty#Y#M zu|_|i=%Sb=RYClYWRGbb&jpf|E4E1?j%w^7W2xF_A2+MvR$3Hb9 ztEYi~S_2W&YhM}jJ+{RLvau--vsx#2Y49JC0-mi_MkFV(b4jQ$(M7ic#Xl=ohh$l^ zCKT)#=m3qm)!M0-=S7=f7sj2SgT+Yk*To6T41Rzgm-Q7=j8X#<7qBS7?v#7)rq8I zjZtJMQMp{ug?!aqDym+gk7VliMALq!1r$>?4$C>rR%lL;gVZs$BR7h0>y-Nmg{?eELS(CBC+`5cfJSOL>E{K8YcK7|o)OZ|m! zr?bE2%5>Y=mO%FMrQ2@G2nen%N4JMy*<&uaQfEZ%6%_33=1k!yPtuN6!%ZX!w z-ygS^=XP`R@->M3_xLIwi|JX^x127(58SUu``hWRKX@@U$8mSC9L#I}=YwqLx}d%t zt^c8&|E)eO-SzCkw>u}OU4Xloc5fwzfNHee_iSI^&$o#pee_V-r-r~+=}|r4PQ*vs zWhDP+Z3!_Mg8xPU_X5HQ4fFiS6b!)m!3I-JV=@8zr_QCoEUq{dMUZcxxULj`EIhAQ2(RPZ>Okr?c z+a~%|?_hW;=5%M|4zo*D71IBD=lsz~8i&-FUa?K>>;81`=6PT0)O7Jay&UJ!WYhf_ zyWk1*ins2jG^{IQJj~VB(mL|oW^D)n0A5vPows@?rZzigHa!nS{Nf@roLN%M_f>jj zU7zfLy$#)bZ;SH%7Ms9?_ub|02+ z{V-+Zr1J#|gB$7)>3rv^$2o3}y1s!n3zIN5KkA%NMk52Q5S)y)>8m{V%iiq6qe?-f zfPbF5J|I2QKK>=jSvI%U`EJYP7;Lm^XP|gg<8Isaa?wiRZEakyg%8F8bK72;hX3~G z?Ll&=rNBLUH4o^1gxuJ>kDT16J2|;qY*)2in|Q8aC!T>p`%uhm1Z&T@>0W!z-saS7 z1dKH_MV29oV*B{QHo2=0PUed5@4SpYUy|1kAmnz_{Sny=^(?KJH1$-$_Xxye}GTZf;r`&!2{pP_lL(Iq+EjNzZ%?j4`C zDqHA8gXI1^DRlHYS7&7#KO=Mr6JUG|i)%W2t;Xaej%eE^X*^uSs-17mo5r$spMdE@ zIZHNu#4acEb?7}l8=P``*%v#O6_2E?D|McPF;|g#4+#pM9|+GSx^=(6Xz=!mOE1?o zvNa+EEpg3uR2gy zurlqCkY7gkMpg%jPUH3(weYfp&y5-N{gKt8JiUQc)F{KGO_gtpJDsj}WBSzoRbl&&cqqsq9QhP21|$dGZms{Omj#%sTtXb_oL zE*TO!m-f2sj|MGym}|9^${uZu_9{C&Nwh*0UYorV&h^`21WTxzFgi;_v>U{D#z);w zt2+q`wJpr$FfBge*AC~EV>6~s?-)wEhG`YruE6ETiC7K_!#WqHx+IhnY7)bb+R?um zDx2E8{A76*5)|^(ud0m6W>rG_Zn$V}uW7%vRVtwBmdX>xT_e`3dcPZ;z=07CE4c!+ z9tS+;B5HC4T)FAx+rIrxmF>wOe$iU|GViaGreXlDugmSa?Jm#*y?X{qSdL`O-M-Is zRIjIh@(jB^pZDRF%C}jd5z|df#!lfriX4nl`A7WXkuDBifUfkYnd>(A>tLr-uL^ey 
zYMU+P8Le9f)bVpM$71S}M(yrjsYLXOQM)L7EO8&*>Wod5{7Ko?x=V2WQFSH)Zw1F} zx-4a)EL=qt)0{+5qMidlkj+Nz2E%zw=uT6{qUQS2W6-TW+9uKGmdlj_cChWpB9Equ z?R*gVx!E;i_#rPEP6tg{>aRQ&=>0lvxW5fE(a^v#A(6j6T=)-0fx1&JW41V7XHp z{-xC>TbP7BaE;H=46pGcqF!3(gH7pZp8i=98%NbGsx_*$0#;fNO z5@Y+D(bYaHeVOlva+UgrM1i?La{1UU-x}Rx)z~ioa_Tzy;!M|ITb`ebYv0UF?$_%+ zad_#ERe2fUi_i~u`|Mzg)V?@-%67^Axn+|QYw(ID{?wPvEc|Zqo-XNX!WbIdl8P9p z(JIOot&nGD7m3pf(ZN~uPNIF!E;q+Ec^8d{JGxCgP>9Fi7NM~#(QwxmX#CINe9sed zt2af4S-QGE5#GsznBxI0=T}YbZ_P^PSc9olJ-w3ld|kRja2M_?a&2usESjA+MQLtL zwmJ}gI}yTGYXeum;2lDwzC5S6`01I&9zVQk#^(4M&l#Lt=jh>iUd6WV^_4u5ps9%~ z(x)fd5hO+wz2WHiW^bM>&Xk`%pjaq5vhUog91UoVBlO%tXxlA)p-{w?gwb@XwuCz( z{}0C-dCne{HYBN@N)<_uW>>DGzXg`XJ<0n?#41c9?dA>TiVB*%Iio@fuCObSq=(kn7@#-&}>$x z$unNK^n_Pj_U7_{tlSwG60m71Xa*LEw%9vDzh73%kwXuppcz6LHg21Rdn7Ejl-&14;2sy5Pii640Nbo3NY<_Q$+Z&51+QzASlX zb?2&T28G?Y*LU2`Jm==?T-N56bThZK%Cz=YTS_3qUhX_Uph9VxcZVHQb1rP<}vV zOg)Rie_WI!Q_y?~3!}DsvenQ=X&Ax1b|by{9i--v0AUH?&=6oL)e?cVbM^V*z2*d; zd9fgU=3Gxa>#1w>cI3NhpR(Va?*{ezh+gm#uc}q*{^0{5m0_^3jP4s`GVosmIHY!Z zIBmgL4S~w>2y)xWQCdO;K|E_TSYCv3UZoJ3)Mz0--0(e)MniNJ+9y@68_mttT5Tb4 zD&>thU@NjYdg`|G5pckKX-LRywX`SJ&!$0MC#IUmSGk{7jt(H`FD|iyjrh(;#10f7 zVZEIh$va1*c7T-cH>H}ux&q5LwZ0a{6(Zu$S5;`GYV#uTRqn049b87~E>JTr|Neq) zO2ss*92KsfMHr&Siji8t$K`du2O_-N)(qFA_9>USQM897meT8EwWo*6d(a2jkc9xqKe{zX?)>Oms?T_ZRMwLz!V z)?C}xPU_kAm@k9vN|GS%eX9|aU?=AvX}%;LT=3%=Ck?x%>UPpy#~h57PZfnb(8!g4 zXKixNo?Vb5Th!OKg@tG~L-6EFRJPA1=QbC;c7!_mmG5z*-Xnop=J}5t<=nxx2Vf?$ zUb;^#SRNKqubA#w7>m%lQywaE4dJ<699|g4`jvw2|CR|i_FsiMqT4G?=tS=V^|t;9 zsEOW-b)d;aEqf>u9y$Nj#|7Cn$UflLH3tEVN}Zw>m8IYYLR1$cLKnUF3hS<@k$bGUo8sje>96!PBYRd>G6&yr|XX7{xcc3Wj&) z|L9OQx{v0>IgRF=ob^#a{XzPxXy-FJ4rj(u6;WC~0ZKL)$a_WR4pa=uf}-LgV{ zkaab!@@~qY9nT}W=Wadx%t4!dAdB72p7T)<1gsU2 z%>`^{%8>m}3e=Es>IjnqB(+;I<3sX*_KsqpmQd*Ka0bqCJu`xFe*93A{F8($ z6Lo#3O#JId4$68bmRsVDMOIPotY8bs>pbUF&!<}#v=8?zk>4cUaaA{K7eq;;Odt7( zoa{bcn2hu7KQ&bn3&J4cfWitd8MBI91T79GDsq&BE8ifyY#6$1&(2d+AD=)z2iGi! 
zIyvY5<$~=BSYl|M$SU49yt#h{eMA3Xp-?86S*#aECH5m(duc@AYzhY)J)e%2iYdyA z=aLukyppb{hhy>!WCzl>4)i9@RV59;y^^DanbL=P3!6F8|$Jkl}*fjTN zc?+)E9xDbcao9Mg3n7BtiraLnm>^#5Cf_%>xuXSff@0as4^!LWI>@8X3U^vO+>JY0|fOp_Yvl-uYaULS!cTyJ<^zO zii{3z(vWe->-Y=hp%m0Ihi**~#siC_A05wnq45{z(d8lh*PkEt@O3&`mDSVGKQO~? zQ(E1c#728B-S^VKTebaxp6@bQL$g#=B*k`C(LViP5uq|aR~;vKSz7Pk7! zo5k&U-awVXwNu~^lq{br!f(yWJ>Jen7R_cP1-R{@4CiNJ^OYVM#R5)(Ba-Vh=+Tj6 z%VMbqbqdHXz^*Walm$^bkjW2FLvF~-lzFhbr}Log+44$jN1LN_n3I}tVws&V)Wwq& z`J&J#r(a}(K;ZZ3C>2!9aAe$Y6UPT#_7?m3^F{@jLPrc^OqjT?fY8D4%$CtUpTWrY zzeK+kY8g!#Ex}Q#1f!&JofrC30ToOeG2&9i-W%F~eOBCaWLbX}n;4zXX`Hf*N7&#Qf7=e}pL>j_s*@whwBJU?@kFAEFd< zsZtat+}@D716tyZV4k5m=Iz2EAmNlY1~cc1F_^PU@sNdV@6f%JX^rA7EGQ~~MT$|B zBGsJGkt!>MOu_uaEaHfLuk&%m8+Tm>MfD+ltPa7f4ffe_XZ!T5#Jka~bMKmoI)Cpq{P2tH4`I1O z_cM&dqzh}|4^nA?WKSSg0drtb2l1X2n5l%M9MMna@~U5pFD?>$VCD9pusoYtiU{H< zoIqvfx!bsi2v$l)Mg#IP`)UW!J58Rwdn0jDFf_gGB$#YKSI4Ujpee8;yRLF;4oeL3 zH;m#D_zm6ew{9bdO@xE|$4rk+&ee^kAzQke)X}b^?-~(a^y0)bidV)V?*%{q)aT!S zHeh1g)aYI};1j%CRX!$#7uvDQ&QD0wyCrU1pn>2g#xs|QI$&pMlo;_>oypvY(DcRX;;CRZMc&DxW zQ@q#lx|nVU8f|u&q=iMlA0;-Brv>6L|8F4T)_L0$pUnB(AyuvD_XEY#*{%;mWqP%Q z+`G;V3+}3C8+ycSGJ_WKhx8+qE?nZ#IJM#Ona|wt%}P^12R^T-z7`pJlf!j_r8k74 zfvDHedUioAs1>C}@kwbN&F!$|BT7Fg%&8^jx95zQfCYyXNC{50?>mS2TQ#*%R(ke7 z7zDCw^!v)}@p28y0yjoYw>iz*w{hq+){sF~iQ1T;mH1x7MQCZR!Y4IK-6yBSyR2=meIq-4my;ZK&}CBhGr z)W)j8Hxu4;^>TUM8i%~_);Xs+`~Usga%NSHrX=T(#Zp!9l3PQ0TZKoAz)W(6hcS;$ zwW1y<%#qixGemCbdXs;5OSXh9(!Df^R+X9|CQ5O^DEXZh%9E`!$6Hc{{M4re>a#w8 z7+F|te5ug{&E(HUttt4bMcX)zSH>VXx=bzNp4d%2$TGVE7aFEN83FC>^1;n}WuK*+ zxhdOlRiX{AVKB(+?SMr^WVX>1SqKD_N>a|R)#5O9HEOSz z6CX5j=e!|{BwgQ3F7NKmzIctP>3j**nZ=3;PXtx$7VkL63&qGs#fo81gw(%o#|-U+ zU*CSDN#yIAIME5cA_hq)?p*rwP|PJShfDiKj^VMW@nas?^lqKnd(TQCeusH8!bD0m z8_@GQYphNXjruCfNsDk~9W zED5tSy8CE0<(mHVguYPgcpmU_7EM#41L239u+XT$*uH09JZv#}`VgdsL|QpX+cG;n zrkp(%o8dUS0T4|J@s5NjlpSHAcm8bS9XA(V-}~Er?G)>vC-eD_tRK#KBK{E9;<~Gq zqd!dx1rs|zu3=Hxq8;{AaSzx+__%~)%I&q#PZH$yWP+Hyjz|bK((WKvP1k|71umyA 
z>KT)220!3V)CuzF{)ikQ)PuBvWuBeo~0ja-3?ydJ21mC)YDjCuMrXzWldOzfU>Vz{^|yjvG>) zj^d^waP(agk*h;UeJh$(f9+^kds+-kEB#dYhbT&H5+a)Fy4BvTZDyeK47|i$OT1Fy z%ZzntV+u@e2{&a2%V$X4^l%b*n9E6YJdPfX&>lP!Mfj8dyX`oK?#*B1RT;ZZ-Zzg# z2to#@y~BcS7L_E}cz@jz5-WPzwPklg#0{~nf2a4l2~(U*1Jvy;Yk7-TTzMvFCRdD} zX^_hxbv%3Y^V7rPac9rpHDZyrpK7^)yVW3d;0oofPS&YIiyl&a~vdJ&xIZ zRODZWMbSoq-AH+2K*+eAkgNVD|EW-Z>c5+)@iK!6XWa1+B>OotZ=jd@Lm^P8Ulv?+ zDR37jIugD=IgV?Y9b`M0G6U$?SXL&!)XGtumF{7)%vt;gew;vYX_;95d}3JEK=pxe zt3T$H&3sxT%CW6w-)%LFY^Td$>7+JM@XX7QRVkclpea1)PvB|)XuGcY9^4ZVXaQs3 z81NghMoIETo|8{bnMEM6hEX{S0?Jp=hCa=va>aC!mjOJJud|=jO=NV3dQJt`IDX|V zY(Pgao(%etiFxy(F>&Zs0*ZTu`1kw|+(3>qAB|#vQr-0be(-)L5{(SIBd5n&-E=jH z?6PqKZaHPk39Skc9+uYfKvG(npG<#P?vKwnN?TQe1e>$S)3b={D*A_n8cznMFhJV^ z_ai5)LdqCLU}j?UNijR4Nh4$U1yX6YPk-mMN!zUmF1yZ1EX5J@PL2#<0&$D6yvDBn zfcuVc%&OWwmH==tF(9b%&O_(7UB1Y;_>kuh3N!bEtGn2mHN02JanNePT8cyU90G_~ zE<$);Nw?Wv!CPVeVw2LS)!pv&2ZYtze>hCUIHpM$`5m-(#sB=HM7TR=VNu>>Tjpg3 z7wQ#6eEZ|IgY$i|4%N&gvc-1Ux0Oo$P9BwL z(V3ltY}+xyrveflZ^A{y$^n;_Gv+z3ko`#8s&WB1Uc6YH^h9^4HV7c2XCf%^rQ*No zIR@$oN3AaU2=trB6R5_pB{sjoEn1Xi7sw4aKh*7;?VpRKiCpt~rcwKs7)al;(y&2)2f9a&}*w++t++QB(-JLy*|Xi%(sEy;lzWI33oqznBzt=W{9~Ah~S~g22Jh| zxcqSENqI(pGbG%` z#Lr}ZHU$LKO9A$Lziq(d*I(udLKhlUVM#Uz$*MH`?xdVd!$SDoFlXv>htGZnt{1JE zLue;0ykv2^;zIB8ZVizQb7i!Dk9jYnNJOL#2bwRE1wjxwN=UN`F46665+$eRX);0i zz{!<>X=4GV^T;OLL(9(to@#qkY~>`UWdQG+Z>HRM z&lfdG<$pO`_)O8ec|uks};CX@~0pizDcS0r%8P*IP& zE}r>%^1hZ&0VQQ&7;K+ZVE$NZ95lLgM3kKSPouou!HA*!=Y_edWlGxSPIfGM8l!s& z9sskuTvEoB=h-Jix$l4%ql~KJ;eIWB2h%b0MNH?U$s6)|v_gA))SOc)jp;Zxis5~8PXrs-$(Ck_z86;{25zh( zA5RbX7y+iT4hOuW{t3~|fA9{bZ&f3-t(?;;n0gfPGZqo%p1tj5WeUTySk`k|syB0v z{!j#I=&Wq3lWg2_H;g@Pbn68u_FWO2rt@}O^-H+y9yi=Y>GRWH7ehu;9MqZGo>~!& zqTifvl(@LTJSxk{)yR-7p|Ox|40p^z(>a>C5V~f30vE zVh39E2kjQjY8q{mbRK%{gRc*u6nZCrwBcw(ky%%y2$hOugI{`$(z2ME#V8S z{@rop@g0l80Ni!Ip%v6&hE=4Jh9(^x>RBvGKyOwaC#4M+R{A&Ccbhw=f=oZ%~I zRNW*HJTWdG6gsEj+GR6vc{0AC>QvJMYm*Yw2lIsI6p__LW|vw`=^_~z+~cX9zj$_d zqk+;NpY%ga(k&wiWpGX${4c6B@lT7Di&qoC)pE8!%FtZ>4<->XOac26_j&8xa1PkP 
z0fsrz9UzKf(A-64@fhCeq6C-BBZhCh@RFm_k_a~781Ro0H^xpyy>+*knFuq5ZF z8M|0*6tdM^2ec;hi}PS&9My?-hrkiW`wSJQ$X!t=TvQ%FcBxTFxl)mhsgDq#1OUR5 zMC9K2GM?l>OJ3;$x+3*M{nuAwd1Zlz??RN&q<+OS)N}B|kO%G5TL!DiM`_ON5`fcK z`0IJ;z1XNJ->5Osa;_#Gl6IM=>_XlsBol`A<@q^Bc-%yjx0|1(veJ(V7gDh?w2}_2 z|J6-Zsmsy$Hy3?&T}tayDskV+jJN5%b9c*(cAHVR`cX3G_?_chIGdBpP*ej1WATlo zxwm0%IQCwOMLb{Ci!O&Myx?QZc9Epnn5#wS%}-=t@I^Nd?IB-qHl{ucYU*S7+oAcW z{ZbKJdnZD<5jSFy-^WM4vxGA~t!P{|j$pr*?RhJL&@9grd@F<3e)MFqSxgmOGR&3lPSE zAXo=1Va;_>L6M-C+Iy6Gl|%{%)Q5Cmrj-Nvr0R^*zPeN@!@ zPxvwbGn!qlB(3@>&nT5}O@m8^i|WN4f9jlckpIJP-mE|^Mtc|phnH^#KTD2DerqAD z_Fk)0<{E$cx%9~`_`T?pJlwM*rwykmi_qS@IbAUP;87g(I6iUcc)K{u_@@g5#)D=Q zc2&qBvuQqBgRMM-Vu>t3+q$m6zc~4-e11=#R%sAV^-8Ho>YP%L|9iV3npqOeO{D!7 zLJb2LN%OK^$PecV)9JB7Zk!cv`YuLPSKgs@?ErYTpbY4~`C~oxJg^RRxD3~oeagsh zSnx>*4wv~(p{p(ono6Tq@~yoJRf#^-Ajr2uKTKBeJm*A>2`1{*?=v&es5A+{h=otc z+8S~4ZnRDrdRyv=?u)fqd+w%nwH@Dc<6yUQwK%S$Ey@_()pJ;b{&C zY9H*a(EDX+;lAJg<;S%nRh;bZiAH3&4Lm@g7}a zd)IJ)}&_2en zN581mATp;~Ijz0NEsW`;$ab3*Y~x1Tq`uv#Lgg13P&-d{(%ypbC#+aHKibhxQ(a_+3eHhEt#B)HX|(mzXJhkH8~B7`xcgB)F-78FRHMh@yoy72=z8fGam8ux znAykp4---OHaXN5g0+OSmUYr;>@W?s+XGx*y_EAqQRTg)y2jyNET`vl0#lVPdf)$! 
z2blJSiS7@L{HYH^IRy4HP7LPU}uGx+eWB0y;9*YHBi0SA!Zp_<|ERV=OG$H zNpIt0R5wj#%C8ax00_VZbx(mROw+XV7RNHW_K{$KUnd$gv1miX2!&OArfd8+fLh);;>- zbljaHWM$Cu&IT^X*u4!3`w9`K8u^d(D$l5SmA9%hX5y62ERZSxV@CA$4N%mDWW7Lr zEQo_o|6h=am2I23J8d3hlA=v(hMhypEt{XGYDR!ILa@-}k_ECALAtZiH5z7K=ytXN-DWEhlnUR2 zAK-OjdbNfkQPmiO#Fz&Mp8qDYg;3mP9_m5D`*_OZVNy!5qV%CctJ-)y2Q+GdqAQxj zi9eh<6xOFbXg5jp2gk2k-raLU@*`}-0(#>ZZ4oFA^9SMg_+2Fdj*ZYTkyZw}eJTx{ zzj=aNpq(r5#E!@~W+&%N>}0Su9zW;vkn?fO(r$-=8`&;S7qWGFR|UGH81Kx~QOR_w z`#uyS6TUlVEYYo&SW<*lV=&LSh|SwEQdvFYWYgqbFu{Sp;0G0gjdPlNR(y)1zb56s zN(r{-jhI_EwMNy%-`cBq6Z^D1Szj5({@J5~M1iPl+p=;7464T6qKnW;2A*0~mI;vI zL^B|q1_&^2kRu|v+)z^jvp9UA@RT4lZEgXFb1V!q4CMB`pPbMZ zLBSV0aF`d;<5r2*7S!RmJnrIZp{=Akld_#gExP03)!Teqn1Y#(h}aX)hPxjodspMH z9xJlk`>*8bcRUsxC-lenzY?sJoyp*iKG>}h8_f?b9P9` zbFi<-)1pdN7~hl{@SGg_!p*|Y%xm2gO|>HjBVmXK(1TMHZ#eEm)v2eTCM#Hfhp`+; z5GL!S(4H9v7x75><|g6FSs3*V4fdL>7=wd~vV08HC|I&VmuJRpt>c%rVD03TU;Cgh~3818U0Jaf26x5%6_ zBq1=eHURiN27DmeLwB^xyXvrg&dQLkU>>%B=q?j~pJUiw!z+LL4G&q(c4#I+(xMzm zRc*>!=9xSf-#2+Oj-UmX>_j*7b*OqJC4@QvvqmrOs< zE88^HS)$+#@3pJCK}Ti8rHP6lq&{k)A>uxoa@NML$Ds(jT+?WpPsLs?KsE)djb#e9 zbNSWda=N1ADO*R$tBHmN-usI)-q#I}qmnQdCcKoJiPOaZcjQ$ysa2&k5+VwPrzU>N z#zFu3PuT+D(F9Gol+L}g1Ozh(mcv$A!+u-AUOLt$(#q3PuMY-qPwb~R4Dk@5aM{S; zU4H5|ewRlt?H4X|@7}hGjw9BWD#9S@cP)Q&GJSpqD=V-m3HF8Wg5_dU z3gb#LB$f9ER28Ff`zk>nDR06dNTDYWES1LBqM#Oq*N2Bm%pzkWpJEt~;a=s1W{%tZ z5^1cvgOiV!emU*Xs6zj3R*>|g(J?b`xz}fv2$Wiy;5$7#sF7Xix7U8eNKFhAkbbcdDK3XsLm8;GpOn z2Grk`3L9U(lWOWTjdg~ohbnYovV#U@^ufDH_)*sb1`AB(e)?!xhiRh$bvdsXuql|A zm=dO&M;UQWF>MD<>br28s@dZ*t<`6cR28(VEFS(ln<4|;rk8h?!C;%o6M|@~L}ME^o4~hWt5uy53N%7|2{irXOKzD!n2e&5 z$mqy9{O3uP7_uVT@`o5!tIIg~m(uf=WNlX}J2 zazm5jyGx@pGf1WU^e^Dp+<*?zdsvp}47a?A0o=!Pc;#bb?suQ72wJ}cOwMcz6@kpY z`Wyk&JPpf?K>ONVU@L)WlMjvNBUzaN5l$2>ylzK|6|7iWWiD7?k+1JMmLURjV0J?o z-9V++z}xz-w8uN9fvcTVOF*}^CK@_a{Ys*otsPB}o~&S1TLE5%@3%tH1Q-Y0=+c^p zVm8EO@FbIdGZ~uq{?mlfzq}+>=y`VUa@T<~KpB81VidxY6R4qUbxh$XLOCRIL)aw2 zz!B3cMt@3m%nlo|e~6_mM;UBg_h%J;)f;!u1TFF>U3hlrrCn 
z>Lmk}xt#SmRbMR`xr;I(#*i+;K%)-?B;jP_d zAZvGhltZ`-Ooo)&oXN}fmig>@DVKS%68+KrQt0oiB;fDsXMEpr^P`vP30v+6vA^_q zy*_cg@yl{6_C$pYf+uh5up|arC#C=^mL8}yvB~?r7~jU?&T9+$hA*qy08^774@^Ii zxhJbCU*zcNz|7hb8n-Ik4LOa2%5@-l60kTTPVNGs(M3+?OS%kFN)0 zfjn`sA(M{r$O$Iw4$j^nGlN3UMp5+0;|cMS>`aiDkECxtD&=l;QzpCl4g$NYUnGyd z6Y60R_k&u8#!Y))e`Yuo@EIcrNQnu`1$fA9TQ7{9c{TaLQUM5vP%MglCk2$q`Nz4Z z+!DI<`y^2F-C*hmN~T5Yhztxh0L^B%)XQe{yUD-0#lIzc^>K0vrsgt;rquBgT+xEQ zrfQ@;v>dlU7wR-fCzIM>eh(KmzMH~+)uuZ(2|s~PBJ?6tj3NVGwE3X+SyPqwD51)q zVK(RWz9PyVQLvuk@#wj$F$xmze_1!s=krp+z|6A@%sk7&%!8KWq(rg~nNNQqQ90G9 zo#29UEBEIK`rIlFCRIm_KXq#05EgI!bi;@7P)T18rB;*^qP5 zyvVK-USbjxMt)6@7+m+@U4(O;`iQf&nfs4buwk`hDTz#sQ;0G1u!hC-;$!Zm=mwPy z$vVUcMDB#!Z|YS$(ZYf{^#SUK(V!+1$s}7-PWVdL+sw$A`~m2LODKH;n7=T3Q5dfO z2wtLkxx_HY2*EK#G7u6gsH!iT;a!7mwXMM6T6CT3xDCD(VUmixd>~R)IboOIR7zs> z0Wx3^s#YS6(d};{4>3wgF=%>tK^bNwg=KoCc2N{6p$O?7bz-o-aA>lU!MH$X<6I!K ztP3RB*%w5hr91sQ3hC_Z8QgZ3!EI+*+;-6NIk?BnKwGnM(AF#qZ6!PVqJ>O#`j5I0 z4PZ6P09LasU^Qs@tc5dx)odJKHOm54$ zp%PVK73c6tP~MN{rG1c5Eze4_6A96LQ79hL`EwYddldvwwpB+nli%P5Ae&_XvRM`&8?+p! 
z@ugb#?ZRFZHnV2B9Z-f&5T72Lv*Q1ZRy>qxg6Wd)oQAiY4N?3+MJ%}$O`9|@Z_%L_ya<*hiBShbSQS2STPlWPu6RmLfLiP;d9 zaj=p*cp69>;4P0jh)>9?LvvdGTsHHn#h1Q^=y>3Aur=Fz#r(7(+1YeE@-Pq#1`c8A z6za>i2Lwa8a*CU@O~4E;o-m6;J53(Ke}>T32}brnB(0Dbx8+JHaiuz!j4-HrZi4K= zWEY9yL+UyHX@a-{Pbrx>?>F<+D2Uv=J{ge;*QQaDoX#R9S-3{{8;ozi1} zXrSg~YnC!o!;Fy$4c=sMNQT@mlqOdO8rpM&lcfTo36Xojh zepWbLj1NKp%>#2Pi}!-hR*c~^sQYJH;GK6&K{Q~{={PXxGz$hLJNv@$nB)EaN;*My z)(i-AngM}Mvmnr*<+Bty0|K3<6W---iR6z#%SiIabz(u1xQ-^F4bwh8uw_)(l~L9+ z$hv^yGx7_c&NgMyM{xjfJskG6P|j25tv3%;55w^PMi}hd!(A)qY??1fV&jZWJrXKK zA^|jkmGHF8k15?NrPwumLvR`_(hXuM>RuwNPn?J)v_`5}Br<1!s+fhR@jWBXj-}`B zz#*PL0R~Mw9hJl^kEi5Dsxu#&{S(I!zuT!-e)6s8xPI4xuzn9AFoqQ?zJt@RM4izR zV42KH$(8ro1YRnd4^O-vK@_KI;vo6mtyNGg{kOXnxMjVb{;~6zO1^Xko)60xQ0IvwxahsU)PD)PFg%K=Bj;2ax0BZ8X7BpP zR9BAgjPzvrSWrbOk+F?PHtAD5a}y>4Rsj7z5}l>Q_J+Hh`GND>*C4Q`>11vBTS|aG zFI`)t&);o?6-1aJ_n3zZ5eHK$_)1Q$dz zu{@In>nYmAL~CN6|ede6fAz4yh&N!udYBbfeMw=2SjbE==lMFwoS z@q=@0hykxdFKIBBOlk;?{4zK(_&pr9VX{AB%>)=5jiaYeBy%5QMX!eW@c=I;N^jX3 z$(AI@hjd!Ed!^y1piKl63e_%B?Oro>kDNzPbDcTt8b-^ucinj=hnWvx? z5iAS??tT9TH2=klJh!Ig2v0!MBNfn?WGS11DX2vE1KB;pFlw?M<;{Qh8O%xOGvj(W z%aB)`WyvcBEk~&s$<}c$DUX*tQA+kSVoL%cQc|EAFWRQoq@o~~zAg}fN8WO*usN&< z_n6mvCS?XmbaJK?SIe108vWx_T~0J2%+tkASrVacJlqwWo6tsd7kS@C@AQaB z&ArYfbw=v7a*!Pam~E(J=9D!=iX+BHmc3rkW4!$aIkv{7&0-nS>rzK-djq0 zLvwzwTF^b^>DL;97R`dB0Obh7#*|1{LP4rxS3(53Lc{U^MPvBifIA8IvXyEY)Tbew zy))lhh0HGtEyEky%Aw{;MX5@P^Hb>P)r22r#S3ZIEuD@DX+X;b^hJ<>hvvR~vLPCAN29S3~W!agaP$-V*3jjs_I(b1* z1_~?C&!`{<#fJdv))p*Xeyy&uOnF;x)DL7mdbk{c${V|>p5UG};F6v3Ms1#_85>j9 z`?X5aAbV*rxT#1xQl7!@GcRLL_Bzv)ZP-7kIZF|Phhp>jrF(r-A6Dx;T5@KB1` zLLN`)N6B&%a_N1f+aoRmj<)Wb1Wb4b0(bIIZZL)uhmEi#ho&~1h3aMS`9vj(&@Ee|9P23g zR7dK%^rTruvnsnF85uMj!w3$r36NU+GIXXJB@KCr(P2k{FF?!czsnPe_uz#${)E^? 
z;g?Ls&Y7lgBdv1Zzg9)u=5H02 zL6XT4r0HX&qo)WsL&OVm=vamL3 z3yyikn&Ue<)mcc@7i78_QKA`AzTC9CtJ{iWBpENjDP?)NNnw3nqWAyyPc0WJq6*?a zYckb9!+D+1#@Jqz0>>#B{3l+d2|VL3-#Thj7?6fGF((VKmozhhrF|wl(K@4&|;a8stFu!oZjeP&!hf)e~ht zFE3e5u*z8`_3O+=rVL`F1}*zBQg(jCo3)%pbecgWq~ zuFS4#$;bal2`)%pfKggb>H@ipRx7ooM`!0Rij%2_zat-whtt@U8|&er=o*8u4d&EI zLx`HyN;MF~j)NwwEHQAhM&paXC^m$O-+3yzysR`~D`(>p2hXyJgUQa6pXyu59Z;IM z;ofcYrElX$b!`RmMswSXUAC+@C0jhq6`~m6&u%!Pwndi2@U^Iq$dXYa zVSW%}BSk`oowfZ^l{G~RD~Y+Jdm*&|2Z9hKfsZ!B?$Of$ml)?U`y%c-MUs6cdzSSj z*;TLg!(5|pB11(V5f#jveB+iaWU7(+r4&UF?AF+aznXkH_6YG^K^`8Jyme<0_y9Lb zfB=l~&dLs*@b^`{A!(mKBqlWGERzR$md%44v>c~UBtuld?4VLR0$gDf5^PMja4`8o zBJM-9+-}6Z#HVVw+NwToe}KePa%qpGf6W7e5HO6iTJ)1Qvw54w6s33g#`Yz-&2w(N_UGdg zCeO18lgZ9(b?FbLjt50nf#?#AK%%A#iT(RQh=f?a>4WZ)^+(5s_yTbK@9rA=ri3={ z%PzWmlVg1^6bf@FnKFStw`}1WC|O{!;06^hNK6{|Y_WuO?F8qZMIxLK!@U}^_qq=T zc4aC#tn(+&iW>yxFDpULjeGb!lc#x}&C?vT93?@Lt!-?f9L76bPX0W~S~gEXj3d=# zq9PoT`qQlt981NrNHGsX<%MBAa;Jzt#77?+{RiA2x}H8{LJE*XH8oGmH{q;qatczM zDS9TO@472(2#eUYJJ~iTGFcN562u>!OttoiWaD56(zfipLmA{ECVlnGp#-sc z8ZqBPAXEgR+05NR%W-!`x~xY{l_xU>5``#$WhECe;rFS@ zvKV^m8HLI~hFXPGy#c0@uT*c&Tn(bI4r8%V|MTTY1cHxt0k;(?FhgIg_v8hhG_2?) 
zO3J?OXvYHCy;E^EZjZq4$>gnFgB7dM9$Q`4twvYNorDzhQ=jSi=G&itoQvqYo0S^+^@TuYdQJDM1)XXC^C+>yq@3srm?}{U~lrmzctA4f1ORw;)Yi z!~rkZyF<0{PGZ=Nd%8_gl1u%xq5o}N{K6_RY{^}5=+2iQ zkyQ;NxpB)NvgqDuzLYPdUhpuv@YLf1ijc+`=OHz21K%9M3&p)@ERthR9`&-wnm7bVYLu8;3%VxqS)x z1*#>4D_0WMpEB>?Kh_nniCn1b2c@Mus4G zW~$OF!hOy9uq}2k(Gf1x%|XcNx&SprVR7S#mY;a4_m!I%A?aB`5;ayJzI>Lsqt4Ddy9iVY_OV&=%o9gW$ zJSQHe0rfn(lrTM#7r+X5N?9O=9w?(^;PTIy1aMbiMm;vAj}9WFL+?H0{S?iX?~|Ln49s{bS0q1mgmGAu+Hih*TixQRema;M!+F z;}3b5oO4WYi&GaE^-0w;g>{50iaiG*w}U4&g#ivF(Xf(vVk}G_ft`A?KsiGcQX1CG zz)7Xu1e5l#gDEvk3J?hJn6K$~5(I5*k)%wf*2FGHIdSr`&Yq0fwBw=&1ws<}O+GCxEKvf)&a`q+v zl|Trmb}zEPZnCp4o>BYE`6BpT%6Uolx$_r66oVoufHWj6!cpmA5pgCI5qF*+|yyl)>QxaKWi|GYk z9vhiqiG!Jw*@j73SRKw^Ct)o79{D*C_flC#lD(MHGQwgRT%ZH67q88}<_I=>!~mtQ zrV)yqrRy6)lWD(|MXJ2|t9qspjfPl)bm;re&G9d3o7UUhYe9j$rX&|i2aS+yJ7Q#w)<|7zw zHEylN(;mCtp3w2r>Sj>okqt0W_pXYtbU3F9Yr!}7s|_%%B3JoAa{%JC7;#gi>JGK^ zh~~s|3aqWuncYX121B~cU`Ur)3~A7E)P<95ZJ_VqFvq8ya5b7{q|w(I&dmDgI zB5npf-G#{KV8WoCc)TxHuy-2m2qI~1SGr<75>G@#PuI8f;_ z3o0c$`@*X$+3){C;bSnB%M7M+nZ;BFEuVFX89V)QoSlA|wbPTGX>P!KgMoY`3?#mB zzQ{6HmMr#gPz+n((_nGs!Cs~NBjKmpOtohd;;v{6AL(_`EU3ii1Gw#{;y8rYqBAj{ z<$P&u_{)q9f0?!62QA0lOR3hkP1^qPB!E;*lLnl)%zzV@S#V;| z@>$~A7_65WKKe^*oepBy1}*zBYN120!&L(_s1iUiyA8>;tFp@Ob!syk$}l%R$~)6@s%w4p*>!e{+pJ{BxrDBUBG z7p-L^HbECp%#Y7+Lu2}0j-ztF%u=~0J5vXfU0;~Iw-|FY`2kg2_{Dd&G1d#bL`36_8WCX->$ZQWApeQV})DIMw<|9;ea6Bjo^bF$qB4?EI z1Mo!NJ@Sc+otstmx)ogdsT+m^n-A#fc{=AhGHXaPjbHN~PL5*%+o=I@d#0~%dr*uJl_Y~O>H zqx8FEYeAP&5V!2f;7r=pA;DU=98`o+ja>lX_WZQGxjGdjKJ1XKE1R{F0}rs`n)Hk( zsB5j8RU=jkU?3tkVRxp0YD8}as^Pf;@>dxd^c|c|$zrt@{!ozMz5?bcyV-0c?WV?{ z8P4P2kULTzxexQAC&<9*KnP+Gj8Z)G!yCBw*6nZ~L5iR-r7L0Ey78S9J90x~AWf!V zqSRO!QuHv-6>)9K{CZbF_S6`(?rIzl_f?jMJK0&lD)Ox)M%%=Chzke#_ycc`_#GKP zfNA#bNMVxHaqQ(;vn)QerKR$fp+0L1Y7Q#yVrO%{h$@?qxmFSlwC#P?n572leWT380!0R1H6f+xrq;3133$=zYmNtL+oCO&k+({WlC*Ht?e%gC7R1!;-pRLrx-ub*kn| zSw2s@AnAoFFc_271kPMW0mEm!{%JR4lT88oA;Jf8Ex16=$?;N~yK0hPC?tQ3o^w@1^l+=mH}4O*LmWN!({@$OOufn^B3% 
zHSx(9o6f3ZyN5YM>VVau5e?F{8%8Gg!jj_@2I8ec2Lc90A6j`?)!19*ul1ekZ@WjM z9~u~oEg7&bO3W-Vs-m|y`Fl^?)w0KX!z;)XK!4D3^rHz9CJ^`U1XNy38$kLh14v(8 z@cq>;d3T^>-c10_AMX`Wo9wbp$bkC}2CrO8J?T^R`Y zY8(W7m4$$lovDfo1^C``fe^Pf{3WPg@>3s`A>}q91Jfj_CQE)%Ete%m+CCJIJncA3 z>elYRlbLs(rO5s^03ofF2SR}bXYf543EE?(uYsx3&5$H`@udA7)O-VeUuD4Wt1S3E zXgTgyO|?$q3JBG3BsW`{DmaZ`?%j?U#Ai}4`N>VO@9MqbdVHe2Z|GAcruW!VHJPN`1(~QwCpMyS~h4oZl|aDAj1u-g2HH6{asDj`DkonLY|_b zTek@{%X?D}QcPX5DaD&lP3Ew;M!fpN43zy83NDsG-cj)CJ!(V_A4#7N;Z?JKU5M;a zxHd5A^|;u(>ul^@va=xR)9V!x<_-MrQ8#A#rCI&OUy9M1u2AV=D+N2qa#Z!N+S%}> z0cuWkGy^e5l|VZ+E}Ze{Zb2pNk}(2fvZTu>n8I{0VfGA}I~H(ZNjwdTl>1MPm2-X? zJHWMp5U(=rd60us0+!`H`_0^Fr4OUM3zjbvL%qIY2|T{Mk^|Z zDH)PV>g_pM^pfUEl}|%vP~8{vNB&k@$kZSX2j&)7mz%vJLg9iP7FEqT9*eT( zuoky;%q=#wq5~o^Q{6p=8vw;Y;GqZ{J)C+Bpb(_;w(DxICtmkjIjCcZ$mfs+MTkY% z9jcC;CxSBe1x6~xWNvad_)>|7mI_n%)~Ez#5d2HgwotU}r9Vu(Y1@L30>DM;)rwB# z(tc7_02;jhI)m3=pXLntLCd}&pP)`lwtMS+-tVE@)|c@gfjn426z7h;Uh}frcbs0Z z#ky~96(t^sa+bW2kM+I;uBRZyrxrG-c1&ziAG$C?$%mV4xt5m4$t$E?Vrgf!xvZjk zZIJWpame{~7CBFL=4W1T0>Q$*L+;17h~U!X!fuamf#bbrV#ciJg9s-HHm*VfXs>4I zB10fUe~oL27os9jXqJWH4S@@;&vYT>RJnK-gV#RHOp;yv+EYA!*Or?laI^Ng*{jy` zWi8+m$1>tX`?CX4iFXEBlX(>U+MwXq85I0Fi-HeYj?;5et$(r~%wNMs@j|U)jnFcb zpV2$w`yCY{rX_^{fX?9D?^>F4>V1L*m_Pzx`Ol_2V00t5m2mt`(XJ;8Cz|0t<1z-J(wRL24(zNLGnn=DxC&|4*$QdN&c1|I^mwQL-EuKI*9Nz~&d_0AXUlR8T0SQ@_S!&| z*D1&_vFumbWlwcx<24K>5Qg|6cvi9k`K_OERCnS#B8hj#vOMJ-M#1sa`GXa{E0;B& zSosBT{hJbrMDXv%8@s5$Qh+E3u<=!}g4#WJk-xae@?$xOJud=MaS_W#L~xX2i~ zw!}taXZEDI|3qS`6jO%`7$ii0YRv7mfn2XM@z&SZ+1;H2Kc9A+CZW^uBz&|_q##Ov z$zD{iN)s-Ror)@>l+v_-I@M6Pt|?j*hXi@xjO@s6(Pi6}RY%olibVwuZQXS{+;y0N z1^=eItlkABomh&QT)m^Eob1ht7nmqyItzn4R=$|8_o0~^76&u-ZsomI$4K{r}F82F68~dH??2B%+qn-X^2{;kucv|! zDhU)Q%5PeO;oM{}oSSUS<)G!L>nPb8Z->-{M8&=OHqfsN)lfe7uZqKP=%lx%hTlB2|c5xy`UQ$JX%eyJ&pEKJt5|FRy7*O`L zD;swywkD>VW4)=u2XexmQ0?!?oobRaP*sDuJ2DlRe2JBoM8h-g5ad)gpWFLPe}4!? 
z>_mX-}U4Y)EWIgD2sIXQ^K1`%JWEQrA)_qdKvxe(v6efLmm#;;T9)F_}A zu-IwLt4JGUFafkUrWnJ`SZzzbP9HGtptCi1DD>XFC@=91D0MRql)A}+QpwJ~RN|-l z{W}PT?8F)9x4x=v5ytC4E-LpfjXo>=n- ze(d0R%2n0$chJ=zV_C_NJ9&^SP7TU>qAS!=z}fOMPpHvz`jxlJ;pfy$%irQo>S4>? zOebpeq}zq0qB+lWr^}Mf`p(zkp&DLt$31o4l^{$~cOYW~K{@bGis=ES?|_OAUx;2B zyjR>W@lN56nrgMCvXH)To*Ng{51Zhees%5U^u>8L_xbdznOWRXIEOqQ7lrB0Bz_g5 z@iukAF>{8;$xTm?>B$TI@5qV<5v`jI&>1w*yE^?|6D&w*A#!1Q_Ax#lK}a}+cH69W zv?;V+d*~@6vJ8ra!)3m+09YjI%R5&&=U=L7Bd0m&Ps}aQ1|$GzO{4Rh#*G`p7Xnn{ zjyun<{;660Gi_7z2%Q4DTy0w-!PcDJ4g43^4&ZafYvlK|h06UVzWXQk?Om)q? z-<~NmvFNzaax{CCyt25#+FFQSqIi1HdXk6OJ_k{YA}#2v-%F}1~lgEe^Uh!@9% z(&U|yl6=D7>*mdAZ>L|KnN2&&UYEyHA}eXHi|Ftde2>!ljbZbM@A6dNA$doyEQlou zkrax-=I>SZD$$uEOYbhDrf9q7Fz>(!0Qwus6CLhtf0}qx>GmmCzOHsaRqb!qNWHNB zdn6#1?m$%F(XG8M+VF~t#2Ccr5;RjcP;}^ZRt_fa{1zB*^;{YWH3?__bB_y$R` z1yW_KLdc4C#a7G0?haVl0&NWzc%oJyK8rQf;6kOp4xBNx;Y3w=L|H>sqUU@$dfp-E zr`H_zfiJ-&NQBp*B!QUT;*2H|Ud$~Dfzh3bocHxj85vOevHa=2G+Q8zHp$;or~6CL zrgUpK-K=0D#-@7!rrDOemMHsjw?a?aLU<$K-v5;90pcKEwrJS^ND!8$#{3cgr->8Q zi+T&nPYD@I6yAr4d9W}8as~DQ+#?3fL59AbV5=7&wkB!NpmPue7C!ohE3NRxH5*aJ zFAfKCCg1}-n&RxrUzwF3g$c>ysl)#~OepKkPj~w39`NjhU7HC@V?pw_)KU2ru%Oeg zZp=_dMPkU~skKX{{>3Ysd?54&r!K zIUK*-X9n$k;N5^xM^Xb+Q=^O7nFMgh%sFkKS6u;N6RqCk3F?qi zu-7)b;sz?1je`niS*Re{*+(jY13UUhr1Fx}wImW&CRY9+Um4#dX(}s<&`6&hbVzQ2 z9I631RPR&KUa_KzQnR6vzV- ztp^npUL3B4UBV{4wPnZUwzgHg2!1G3##(t5uXJK ze^$1k4xjt_BPyQ3Z)O?%W|qZo1}(?Q!c=P`UXB$kG=(2Cq#%`9s7YIO2g8~QX?uS9 z{bT(VpkyFt$|)6L-NS69@HW|&bE!2555lD@#WdK@=6NdMJ)&BsMBm5>NLxuPRY)0 z<@8MctzH4m1g3-R=FQ{YP+ZGDp&xRH&8LVMFV%bV?GLUqQwbm{nTzEMa!= zbqN`0EF)D0ZHvD`CngqvVk(2^03RX5u==EKOqzSOdx?<(Q_jUtFA2(dRAe#88_SQ< zXJN!l|C7}<{it~i8lze5)Cshg%=1A97)+cTj88xtaO4wVf#3CklN`~hU=gyjFM+D9 z?XW)%DdI>0HdPn_!ucHq<~^c=-g z@ZG>RVb3CpWfB53rcdm~3`?{~<)Y7Bi-f}r7aMSZ-U`HbqPPca5ZOa+0MFBLfahrz z@Jx1gBnG!9TjSSevh&}P_%tx*X$Iyz&BC06me08&PYwQdIu3t3&Ejv#&hm?#yeku{ zoqEe}X|)adbDBYaPP6FGpyjhx+Zf%a<5lDQpyfD)DrXgw-;5#;<%>+pAy4idUPH^JCMW{Q 
zvY&3$gbHQ!gK`a!h+a_8eECQZ5X`+`vz3$LxUswF_nzG=E%;l(2i+TLLV2UNiMGu5#$cL5$_jMs1B*4-DH5ROOVC-qWE?lvfy| z1R3H^RqwmFP=f2k8NyFzIDmPxV23k}0crth#mU&4@pr>G`!Wwqo*J;=G@Y&_e@ltr zFCnr{x7LVsTY(~3>`g=c+OX!|bRq{C{S}BAVuu-4YY0UOXpcMhA!UPcsRvAqAjY%# zrf%8u{8Mj1WfvB-^CkFALs}{SjRdm)w|Cjlzm?d|G!bT-O^Lsy980FeAwr2>%A=;YMrcr>Lvon(;$fr zCteIY`fAiQIDXJ+#O01IGoG0aE>Jm0u}4%}f!mKu(#e^th8BviY*%n;U=vp=Q4*8; zs@_;PA`;E$8||raZ?F7a)&c<>g(N`ntbC@$nE@@%QqV)<#GGeOOtRLS1ne5|BQ}a8 zpE?0@BxpC&z15(#2rW$-#My0pyor%|(NcgxG~S{F=395?%*#E`I=J22LD}ae*qZ1L z)%R}dl^m^}rv0m_wPyzMIZIa}lfR`-WeSCP+Nn&n*09{c>@i(?OBBwUWANa)on$WENWrp_|h)LE_~*|6m}Igo1o z6A_XttfU3xpe{>$qEfd<-9rMBVok(3x8wS&-m)`+F6Q2K=U_(w=6%(c!^bTjOMXWh z$muK-?{H@Er2*(SXxRt-;-wzb?cNE$)3Yi<7~kU)!$i>e>DGrLMBSe`#%v-)>J%@U z-=hYCIU5(Rah8qONOl%fbEM#J&=gH#XAos|>zVT6t8w%_%$Cp~a}vc&YT&c5J|QIu zhKDN$Jp&%qGGhTbh2vIf&D|~!%Dz>2P5za`w){IKLC=ST2k1{*9~#aY2)aAXuH(7E z9nLf1A?MlfkU`5)vL@MDGO#&dHCSKqBdvo<%HfsTLdj{+)+(}wAJ&iLydd0CJxxN# zfPd@P_*uI_bTzXDrC+uS^i!MjB;XO}j<;gt*`BgXWYCK9anAkotaCrvnLlc~M`zx0 zN$wx*Zu`W$4K?le#Uo%ww+u>xJZnHn9N5ut4Bk^%%)2hW7mkjpotHZ(RIe;TkEZB+ zkTk*bOyKxq{Iu}(wFb-|BFO=;tG9%PR9Z$A5I*-u&3^_~kg@|cuVvt|Y#R3uu7SEZ zAg~6JpQ>ZFh_(=8E13*nWV)Sc-I=)8`Z_b-r~re_d-bdOA3KzFy^Um`mGew2!+AEA zVbF5iSx={IF}Ss&5#Ya;^&S+_U&7+)N{=XN1Lw*wfWO6Dj{_>j-XSD4 zf;`@6j)TgE{GY6Mzc6u01F~7TmF0@&0azh`)+ZpvZOLWn5sS8$?{GjI&&eoqtFglF z)l$SnSzmdBP*!(plQ4r_UfdXL=zLt5$$2)+B-xq32_!9Kfj;<@tdGX?8{bvQ9Is*i z??VF>cXpEP;deyfU+y{60!NmdToePFlJld?r3-sth9f_6`5NTrJQHqmo((q{v>bOJ zv&lyE^>$w1b_5^NK?`0Kt47>_kCy15}G(r><=e4W=L3 zQ=30u27x%wgzB7ULv;o%$DOZSsE(Ek2GwyYpaDTTeG&mbZ61i~*GC#K1yhXkuI`xS z)#QGg4p|BM+kwJUgB)e>Wa0%>%vFV}58eJieo~)acp}%{p>wtoYw7cK$z0^Ip&?+W zX|0-f-pkzKo05Hje8)LS?xp}LuO#hPWdl|Y_pW;B+DWX8`<~*AUlkCh3pTh>qLHy}Lr5lU{q)NVrVY9?!xS{INRMWvPinuPV1$o!TI34)ro>&d0U z$@j);*L$&K%sY|4MHl_PY)r-8CsbWNJvWfjc?MEC&!*4}T8QhlyQeJ2ncPVbWefL-LGf*H6Q?b%UlqhmYwZ`mOxUO3|xpEm8&e^ulF0Ogm#U?1(&e1XP z0U7AA7H4UDB-;GKU^W*S%;qAC*$i5ax?hs5eGWExI`K@2!h>3R1f|j3^FL2K=qd`6 
z6WtZ4_`OviI|ykPj9F~WV;VkfX0cxZ;3|YHn?E3j;Fv7MGc7=XA7xo10gTe zZCjR~4Rr^Al25HK&d~zExx6W=?Xh!Vpp%PnK`$5CpqFH4K0+j%JBWe-?ZbP7-mq2o ziK9htjd~Jaw$wWV>UJ^Gdug%3U|vmr+$}hTikDQ%HGVumv6P--#k1~jP}H`9#T_op z_{^h8Z!JNNYN%Ob6gu7j&|4Ep<{KP3p55AkLN0%qlYk=hqA(KN0a6 zMuO(gv4PkwGBHmV*_fw6%W?Nxsx|o}!lltuXib-XaBi`=KO|lbZDIR6k&pK3&fMR{nY7Y`nIf z$}&6(Z>u_7m3stjvG?EI##)0D4&$UGkpo;pM(fCKXM;FijEi}?$i_S+JJU$|TV0)= zF!_F;+4`w&e=4h$aJ)eX>;3Uf4H!F8l_PN6+h|fG1c_6BAeT9=Qd5>sZRt1Q*T4H6 zEFL3`P7poRROD)Kec0xhDM*oTU;=7dskv-Ysip8Xk58hbP-8z$Dr;~`LEp^FK7;IC zWa7LovT!|E`JSETH56y#4U5{jU=t8<&XLfV?WIFvNV9 zVR-Tr0&`)n8?s8Jz(bFBjqG_K8?a;1nn<~!7E{wwl?Bg3)t;or;PydTG;`z$*8K#d z5ob4r&!RC${OQn2zt$c`uCDIx60rSf`t?5H$yy9=I3Is#=*9S^dASiXLNo6>FFQ zO@WZT=T2<#A_-9lgoX9u1Rs(WAO?KC7?(nOkxijZcE(9#un^utoQ%40QeCUy&3oK2 zxCT&Hv~$8pH>vzYV@#hGQD1US{&8XbK^+%ks|n5j1aox*aMw`#k-JYq2l97@0d_Ak zsjnB=)Yn1Fad$?lb?j98L>WD?LjkS}0`>=<@DWQx*uGZ?J=jNeT?JGe%eEaDf(0j7 zfIyJoPVgX^;O_438r&^7!5PTl7TgII+zIaPE`tW=&wY2@|NhH*zk7Ap>Rz=^SM56I zR99D3*TJWuMCt1g>arw7ytldS_o}jWNR9W1j6%2p7fB{?{ZPd1GmQlgdsN5QM=ie6 z2UTysB0kZfFpVoI;@lu(n}iwH4wKk*mwz9+3%CfdNn$*Zc!NKnOt~nzUZ~%yluBjjFS(dQ4XkB~RC5q6?c=3Wdr<^Z%>9gTJ?mI01kw8S1_{m~*1YF>%Z+VN zuDm1(FD<24-idca-U)n_K*fJQO<_Uw%cDZai7SKa=ZlzG8yBskpL;VWE##PJY{bgz zCNYmy)`0gog=k)~)K9=G`s6;fC2h1Z@dK%uDs3^XC%Sd{vTqh+=f-C(zAV`uv&Nr< z@Rx|gGf5C0_&8jrNxosIiLvKyylta7i~WSnI9a?3AHd#;AR>rt-`g&ly!xZ}-Wh!M zq+`}91Z&RO-J4i5(eWCwoE@>$5nkh%6Ma8jdc$z~&Vdp?9bba_WR0${x6$ts9zC)>Ot%zoNox_E|JgR!UMhh7j5(&1|*Oo5o5 zm(NQf*s-p1+2QfcVV~0X!Z5UUx+s~WQ%;<8qApCidU@x;)I`t}n@hF&xKVMXqJ#?m zH@^jFwK&ObtCZwkU3wC|@waHVV7O{RTJFvj&h<&{9~~QdTk|Qx-oWFkC=p4&d+C$4 zvd3=Sckduc?L@KEl)>KL?qHO~pTnWHuuklR!Dmv##mC!+K)_Mfp0aCobkLrY4%)RT z7b5>WcvW7INQ7{H!`iW>un5BzouOjQh$o_z1GXUgd*i@y31TDGX-gB5X+-nx?;P!M z3Uv<8fN%$2e&Wm?(|1yL?8MZtVJLR|G>=$>h=QrDok;SLi&=g?X7T2McI3_O1eQWA zzK^o0;Uw9gLGr1ASO(I)1|X!&vQ3-P_uZTkWx?hGcF|Ou4+>U_Tk? 
z@J>OTZzdtA_5h>L%ed~O^ef-?65P6DhNuf$dQ^e95N5W^TMBt}fBBEd_9O);mb0@C zs&aKZjX5QLlB&np|8?;SDvmH%A#S%aN+NTXPLsERT%HWa&BvxA5O6@!S};fAOg%x^ z=?@ZAW>5HtNTYt%(JF03=07TZdKK^}GK4iJ6g%o!JpMadX#8D>?_;yumf>0LP3=71$W+co;<5TL z_`_FRt2D&UxgOZc5YVIRSYoLsjT9)-D*c)8dR`x-rNxfb={_5waT22=TveIunnFp~ zc+^X>A}Yi;scNjEG(-^Eg{F0#d?*^nL-XBrwO?lGK&EAU-cA4ZgWOXY_#yktj_7B2 z&Gsgng280_!WuH{c*1;?AwC^^^r#LREV~TH4XDPrmC4j7@serMMeg*AZCWYbc_w$w)g7hPB`B zpDS9e7ab`Zvrq5wK4w(=8^lueO-9S&r_PPM2*Wl$68$P3Jr)0AXfjYM?d-uP%|us& zK#AV+h!n|pzHYhr;D8=KQb6=g;8q()BNZ*xzS&9Ghg-a`ouFOYCMOEgJqznwM7TQ- zA14bJ-{c_PdK<%iMz`7o?guZYwj6f@zoz?h-`4#PBsPMAE(Q}AM0t_iz4!pvs;6E_ z&oD?{e@J-Cmu&fNHr_LnRONyfZE!AJ4k!K~U%RzyOEdJmAan>FVYLfo0`seMeHNSD z>|w$C{lY^tKBOT`J2(6i?cpb#qglpK#}J~ozmC1HOrZ_y?cxYe_tRHv6|KzrC+f}w z8nv{R)HD6=XWi>2lcn{*kZ(az8)I3t#~Fc@#U z!^x&VC-`j-BQYX8NY_4v?71H`mS|qqn^HDM4YG~}_vQZU*q$Ju>z;WC`coS36qldB za3p_jA5-))8ZVAs8Evvfh4q&--lU9H#ugWw%tiHIci3dBIJVnEEr&@L?8)a4b9GYR z#}xkdvg2RRaBH+cza))&yY)LN3}WOW-3;-fivpV@&(kGYg`A!Xupk&aYN~)))dt`(ccU#Wy=u~`h6%D!c6?vsnKzrUc z9gS9xe|s^bQ;`zom+lc%U4^Mvvl4x4xcLtBF4$l&VL2T@_JJ3c)Q`;is7^ZMMse^-Si~`^Ni_^!% zjxrN=>ssKj%YGqi*FrISX_-odA=P&X2qm+ zoTLcpFi5@|*=MUCk`Jwtc>=N-%*pr!x z%7Kq-b5Z4OA;SWlsyj%YAo#m+Ecd-_Lnh9oj|l~1`|G!gt4hciXNL$$IbrXpEHu$O zT%v)4dld1;Raqm@@b}2g&_XWFoh%PuNg?xBgS_{!|Gd)XkhOZ@@jK zH`%{)0AUZ-ppCOUN=hwYg}x|hb$lCoYs9>EZFd@`?h~@qXe#1Jlc$&&g-4zEPSzks zmFbH`u2m?{lxeMEofI*(t820$l^XX=6=mCajERJJnSTWedCO81o>4OH;;*r&2qK?=>7FIE|BJUdK?q^va}U<*XwP%L++W@o_q6AbNh-!|Ia`4&V2hnwGe^ zGs2ctP$K%Rbyf2O81mtVR@2MHE{&7yIH6>f$t$P*p6`z%6g9?9XEgPL>>5UylJIUA z?^~Am>|3RGR5kJ{4zJOv(UCOhq}#O5S3Wuf*C?eN+3H5NnJDXStt@6r6H6T&F*23I zS|^~Op!Ut;_MoTs2Q+rOv8<6`WDyBnf+lS0m#pipo-d214 zO-T%z<)mq=8T`BEtZOjU;qKU*p)yRQYPw0ALrn*#C2|CeNF<|n^>mayrRlpckD*+4 zdyhQNAtUqMqR&;6g{=cqFASdcCC=o7{)`ekY~<0u2@<+dJFoQ1HNa#o&I-c|X!9%fj>)*yB|L zeu~)9gq8H>JeG-$2k>j1_c~Oj`<{mr*Jw8PA)u3&=n|TDyU1`8h^!1s4{E=4`jT|Z z@_@OCspcjmMC{$30v6G}<0|&Bqz@(j`C)CUhcI|&2yGYvnrN1R^I$ivWXDNseaF05 
zB8V$4*IkpSOEDS;Pduq|-K}kCxF3}Z5LqgRZY_a?r+|ubx8xw4sLE`hh8YQLa=ECv%l2d=oY-cW_RD5{pqh=#isxPG$kx5zJubiwc;_UCEB zHP{m}<4|v?n1-&?`x(aBXvrN6xpgpYiF3nssv)&HGew+24+3l3R(HS7G7dy1s6x%y zp<%f#>rSa8#l0FNJoqJ;mI=%YS52)c=fhFsA9Mk-?JhGF#tjr{ark?kryjP@CpRd| z6Tblg17g?A;Pf{sY!PExEB|HXb}QL~6d| zCkvx(c&P%)xF0t4x9aTTHZel3WZd~lyz3pen(5d!$a4o8u(t z_#~*KUs@i*9@7gHl@UTZw_oh`TgT@_Pb(Q;v)>U%+eqEN0aex}RNNr!e(^kV)r5A78&9Gq<*21tqGc zB5Wk?tOO!J)A>R8xNd>)Ux9a(+f@?!2J?uyO25L{x*GdLQ5>#!J0&SxU6)a^G<5l_|i5ua@fKDKmc$AI9roO{pT+E?Fxbzh%sdw|oEd;M}J zXXhOnVOd99YIyluxi%+!*IOb5Mv3)oQuY-50%< z{R$n#y)H? zT=lKqG*goO0ohVJfeqNyE2=|yy&JC~0cka?qREaq+&vkbjkiN0!>VtK8Cg{*J)fX# zy+6KGZV@Vch;~sl$Q9pA5JFaPO3ne!_LoVP2W9a`>CB1-cBmPH$-4v-K5dXBD>v5B zDK^`6!6&Vo`!?C0j^A~AdiQex*BcrNa8giObdQTDKE;@_yRz;?@4vdSY;O%F@48)C z37RYJ?8Wdev1wX#zz;0PBHH3)-hitTN}+mYfF=w=1P$ZNgoicYjCx<+i!Yp0G4-wa zI}(wws;vX6I5uy;pq8f?HxJ&5CVMuEY4hqLU?j@*H2k^s>5Q7Dm<3$RIALOBjX!EqDG~Xl^5$I{JhaApi$IS=^o1v! zoc^Q_JyrQ`t5RtTE$BkzxQ=|KwCl;$1&p5Wn!WO?m)ATVHwqEGc(u!ZhS?CI;?jo5 zN!7^9`rzk$Xb0&T`PfV~Wyc=YIgx6Qpy8XvykXS)ru^wARtk^(MHpXc5Wl`lVRV?J)J z);8@#0KO2_66t zM+E@TVRzkaSe#uvY)qY*-ED1_)fOWbS+O4RHZhA5Qqz7=c@(`>uz(E<1?g{V$RRZS zsBWQpytAU(txw-nx>HME1M~86nCG#L6uZ$3WMY16-YUvFnceSbJW)=*Y6hy8J{$0r zf0%e(l6q0TZ0=*uYwbxv2WB#>p-`6DbE%mKTA-h$;pebukTbW8w^b_}pB)p3hHFcv z%V=S5lw)`&YAdQUocOhnP(QeTM8X(%ciJIGx#$^>U|2jQFQzeZtT)sGe<)b|6!#?^ z3q8IinvEK%bBuQDl^j*bo|jFnz8plos^N%J-&@9>aD9Dfs+VhNrH&Ysp0rg)8H#rg zV*R$ir%1dTMNxunW6v2WHBvhcZFJKaH0P@zJJt;_PVbI>o(TR>7&BU+{yvTE*PcSa zq6^z?+wO69iDM?x>Q{`X(GH#`6Ay-%4xxH`1RX0RYPW5c@nA7ih;JcwA~)}Why=~$ z9_gn^hsU4%nX6R`n76ucZN=+M#Ccwg{)d-Vew)#RDju3wpQ58n%CFV=20a`h%K9>U zp=2J)(dEmt9WpKJLow}DI7l-&R({PFxIk7mF27WC_rU~X zpmqkK;@o-n2rk0)R~}OoM8FIMhQKQxMJo8I97SNMK%sLe>bkWcToQG#g+#|C{)>g8 zKsyILDD~h)H3C+Euvi8tOm7Yad64`q*5Jj>Tc3*$LnEt=M|ZQ17sUUmd=27<5$!Og z!-py0OIWDyWNPEg!u;165-)8B&xR&kfn%yK^Sv9Mt#qyu6!!8*_--z^JI=WK@;Z91 zo!kOj`Z*(msRENT%az1=G2f<_wOeOi?R^=b+M3QF!!bvL{=Kv?Q#R+O#+?i5 zex@$FnFbl>2gys+xWgvrT2nXFS66U1ss8eZ>iqfNp!uQaE 
z;fpKsuQ}qP4vd$u9~VTrCRPY$EdR{A$Tv2sbzj|kz8EWd_2IS+!kQmGF)NDl&c5>Y z#eZfr*zulE5)J@xhGi7rOLoRJW`#QmUOJwOSCDtzu(&czV6CRz*7 znax@LO&Aj==X6;@INB`*3>nji&%5|yRMB!~5t^QE#fqQG6E6933(>YX;KO$JGw;_- zz_}3M*1*n1MI;)(*j(&(ZtaoQ_nZ5r+WBGnJkx3R%Uq5Tf_b@_y5wio_JZ*AXY4~3LGbZxb1#UQHk9WJ`0x1Lq|7kAojsA zLz6;wq+MPKRJQ;AjZ8d^RS$%;=$IsYd@n$0p1qkLki_&_G~hGOFn8UR*cpirP%f#} z3TuP4C191qB>4!OlS=aRvG((F(oN;|&|15GJGB01A%0vwZKC~GWt7~NUW6g+7aW=q zEmHZTB@(DN4T|2Z5u=%D0`vE{J&upD+B;R(b z^xg>lb35s~-!?c}C@NaT_XdiYa9)fm*}6zl+f_+Lh%#e9>T6BR@^?%f;qsMY2HM8ven2(;xqtT<(9hvpTws$y1dEOR4-^*q!&UxYw6VRD>3@TRb-qzzAp!v3X#OtFe-~r}W3I9R=_51)-9NWXv;IskwQ+k;_VOCR#r)&BtD CmYM

1: + (security_rule_id, security_rule, std_id, std, key_activity, description, sample_questions) = (r.value for r in row)
+ if security_rule_id:
+ output_table.append(('', 1, security_rule_id, None, security_rule))
+ if std_id:
+ output_table.append(('', 2, std_id, None, std))
+ output_table.append(('x', 3, None, key_activity, description))
+ output_table.append(('', 4, None, "Sample questions", sample_questions))
+
+
+print("generating", output_file_name)
+wb_output = openpyxl.Workbook()
+ws = wb_output.active
+ws.title='library_content'
+ws.append(['library_urn', f'urn:{packager.lower()}:risk:library:nist-sp-800-66-rev2'])
+ws.append(['library_version', '1'])
+ws.append(['library_locale', 'en'])
+ws.append(['library_ref_id', 'NIST-SP-800-66-rev2'])
+ws.append(['library_name', 'NIST SP-800-66 rev2 (HIPAA)'])
+ws.append(['library_description', library_description])
+ws.append(['library_copyright', library_copyright])
+ws.append(['library_provider', 'NIST'])
+ws.append(['library_packager', packager])
+ws.append(['framework_urn', f'urn:{packager.lower()}:risk:framework:nist-sp-800-66-rev2'])
+ws.append(['framework_ref_id', 'nist-sp-800-66-rev2'])
+ws.append(['framework_name', 'NIST SP-800-66 rev2 (HIPAA)'])
+ws.append(['framework_description', library_description])
+ws.append(['tab', 'controls', 'requirements'])
+
+ws1 = wb_output.create_sheet("controls")
+ws1.append(['assessable', 'depth', 'ref_id', 'name', 'description'])
+for row in output_table:
+ ws1.append(row)
+print("generate ", output_file_name)
+wb_output.save(output_file_name)
+
+

From 1422043ffa2c8be152020ecbd9f7a6cafe8f1077 Mon Sep 17 00:00:00 2001
From: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com>
Date: Fri, 5 Apr 2024 22:27:26 +0200
Subject: [PATCH 2/2] Delete nist-sp-800-66-rev2.yaml

---
 tools/nist/sp-800-66/nist-sp-800-66-rev2.yaml | 4244 -----------------
 1 file changed, 4244 deletions(-)
 delete mode 100644 tools/nist/sp-800-66/nist-sp-800-66-rev2.yaml
diff --git a/tools/nist/sp-800-66/nist-sp-800-66-rev2.yaml b/tools/nist/sp-800-66/nist-sp-800-66-rev2.yaml
deleted file mode 100644
index 642cf412b..000000000
--- a/tools/nist/sp-800-66/nist-sp-800-66-rev2.yaml
+++ /dev/null
@@ -1,4244 +0,0 @@ -urn: urn:intuitem:risk:library:nist-sp-800-66-rev2 -locale: en -ref_id: NIST-SP-800-66-rev2 -name: NIST SP-800-66 rev2 (HIPAA) -description: 'Implementing the Health Insurance Portability and Accountability Act - (HIPAA) Security Rule: A Cybersecurity Resource Guide, 2.0.0 - - Source: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP800_66_2_0_0/home - - ' -copyright: With the exception of material marked as copyrighted, information presented - on NIST sites are considered public information and may be distributed or copied. -version: '1' -provider: NIST -packager: intuitem -objects: - framework: - urn: urn:intuitem:risk:framework:nist-sp-800-66-rev2 - ref_id: nist-sp-800-66-rev2 - name: NIST SP-800-66 rev2 (HIPAA) - description: 'Implementing the Health Insurance Portability and Accountability - Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, 2.0.0 - - Source: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP800_66_2_0_0/home - - ' - requirement_nodes: - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308 - assessable: false - depth: 1 - ref_id: '164.308' - description: "Administrative Safeguards:\nDefined in the Security Rule as the\ - \ \u201Cadministrative actions and policies, and procedures to manage the\ - \ selection, development, implementation, and maintenance of security measures\ - \ to protect electronic protected health information and to manage the conduct\ - \ of the covered entity's workforce in relation to the protection of that\ - \ information.\u201D" - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308 - ref_id: 164.308(a)(1) - description: 'Security Management Process: - - HIPAA Standard: Implement policies and procedures to prevent, detect, contain, - and correct security violations.' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node4 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) - name: Identify all ePHI and Relevant Information Systems - description: 'Identify where ePHI is generated within the organization, where - it enters the organization, where it moves within the organization, where - it is stored, and where it leaves the organization. - - - Identify all systems that house ePHI. Be sure to identify mobile devices, - medical equipment, and medical IoT devices that store, process, or transmit - ePHI. - - - Include all hardware and software that are used to collect, store, process, - or transmit ePHI. - - - Analyze business functions and verify the ownership and control of information - system elements as necessary. - - - Consider the impact of a merger or acquisition on risks to ePHI. During a - merger or acquisition, new data pathways may be introduced that lead to ePHI - being stored, processed, or transmitted in previously unanticipated places.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node5 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node4 - name: Sample questions - description: 'Has all ePHI generated, stored, processed, and transmitted within - the organization been identified? - - - Are all hardware and software for which the organization is responsible periodically - inventoried? - - - Is the hardware and software inventory updated on a regular basis? - - - Have hardware and software that maintains or transmits ePHI been identified? - Does this inventory include removable media and remote access devices? - - - Is the current configuration of organizational systems documented, including - connections to other systems? - - - Has a BIA been performed?' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node6 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) - name: Conduct Risk Assessment - description: Conduct an accurate and thorough assessment of the potential risks - and vulnerabilities to the confidentiality, integrity, and availability of - ePHI held by the covered entity or business associate. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node7 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node6 - name: Sample questions - description: "Are there any prior risk assessments, audit comments, security\ - \ requirements, and/or security test results?\n\nIs there intelligence available\ - \ from agencies, the Office of the Inspector General (OIG), the US-CERT, virus\ - \ alerts, and/or vendors?\n\nWhat are the human, natural, and environmental\ - \ threats to systems that contain, store, process, or transmit ePHI?\n\nWhat\ - \ are the current and planned controls?\n\nHave likelihood and impact been\ - \ determined for relevant threats and vulnerabilities?\n\nHave risk ratings\ - \ been determined for relevant threats and vulnerabilities?\n\nIs the facility\ - \ located in a region prone to any natural disasters, such as earthquakes,\ - \ floods, or fires?\n\nHas responsibility been assigned to check all hardware\ - \ and software \u2013 including hardware and software used for remote access\ - \ \u2013 to determine whether selected security settings are enabled?\n\n\ - Is there an analysis of current safeguards and their effectiveness relative\ - \ to the identified risks?\n\nHave all processes involving ePHI been considered,\ - \ including creating, receiving, maintaining, and transmitting it?" 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node8 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) - name: Implementation Specification (Required) - description: Conduct an accurate and thorough assessment of the potential risks - and vulnerabilities to the confidentiality, integrity, and availability of - ePHI held by the covered entity or business associate. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node9 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node8 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node10 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) - name: Implement a Risk Management Program - description: "Implement security measures sufficient to reduce risks and vulnerabilities\ - \ to a reasonable and appropriate level to comply with \xA7164.306(a).\n\n\ - Risk management should be performed with regular frequency to examine past\ - \ decisions, reevaluate risk likelihood and impact levels, and assess the\ - \ effectiveness of past remediation efforts\n\nCreate a Risk Management policy\ - \ and program that outlines organizational risk appetite and risk tolerance,\ - \ personnel duties, responsible parties, the frequency of risk management,\ - \ and required documentation.\n\nA risk management methodology is included\ - \ in Section 4.\n\nRisk management resources are also included in Appendix\ - \ F." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node11 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node10 - name: Sample questions - description: 'Is executive leadership and/or management involved in risk management - decisions? - - - Has a risk management program been created with related policies? 
- - - Does the regulated entity need to engage other resources (e.g., external expertise) - to assist in risk management? - - - Do current safeguards ensure the confidentiality, integrity, and availability - of all ePHI? - - - Do current safeguards protect against reasonably anticipated uses or disclosures - of ePHI that are not permitted by the Privacy Rule? - - - Has the regulated entity used the results of risk assessment and risk management - processes to guide the selection and implementation of appropriate controls - to protect ePHI? - - - Has the regulated entity protected against all reasonably anticipated threats - or hazards to the security and integrity of ePHI? - - - Has the regulated entity assured compliance with all policies and procedures - by its workforce?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node12 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) - name: Implementation Specification (Required) - description: "Implement security measures sufficient to reduce risks and vulnerabilities\ - \ to a reasonable and appropriate level to comply with \xA7164.306(a)" - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node13 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node12 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node14 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) - name: Acquire IT Systems and Services - description: 'Regulated entities should consider how cloud services and other - third-party IT system and service offerings can both assist regulated entities - in protecting ePHI while also potentially introducing new risks to ePHI. - - - Although the HIPAA Security Rule does not require purchasing any particular - technology, adequately protecting information may require additional hardware, - software, or services. 
Considerations for their selection should include the - following:' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node15 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node14 - name: Sample questions - description: 'Will new security controls work with the existing IT architecture? - - - Have the security requirements of the organization been compared to the security - features of existing or proposed hardware and software? - - - Has a cost-benefit analysis been conducted to determine the reasonableness - of the investment given the security risks identified? - - - Has a training strategy been developed?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node16 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) - name: Create and Deploy Policies and Procedures - description: 'Implement the decisions concerning the management, operational, - and technical controls selected to mitigate identified risks. - - - Create policies that clearly establish roles and responsibilities, and assign - ultimate responsibility for the implementation of each control to particular - individuals or offices. - - - Create procedures to be followed to accomplish particular security-related - tasks. - - - Establish a frequency for reviewing policy and procedures' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node17 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node16 - name: Sample questions - description: 'Has the regulated entity documented an organizational risk assessment/management - policy that outlines the duties, responsible parties, frequency, and required - documentation of the risk management program? - - - Are policies and procedures in place for security? - - - Is there a formal (documented) system security plan? - - - Is there a formal contingency plan? 
- - - Is there a process for communicating policies and procedures to the affected - workforce members? - - - Are policies and procedures reviewed and updated as needed?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node18 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) - name: Develop and Implement a Sanction Policy - description: "Apply appropriate sanctions against workforce members who fail\ - \ to comply with the security policies and procedures of the covered entity\ - \ or business associate\n\nDevelop policies and procedures for imposing appropriate\ - \ sanctions (e.g., reprimand, termination) for noncompliance with the organization\u2019\ - s security policies.\n\nImplement sanction policy as cases arise." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node19 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node18 - name: Sample questions - description: 'Does the regulated entity have existing sanction policies and - procedures to meet the requirements of this implementation specification? - If not, can existing sanction policies be modified to include language related - to violations of these policies and procedures? - - - Is there a formal process in place to address system misuse, abuse, and fraudulent - activity? - - - Have workforce members been made aware of policies concerning sanctions for - inappropriate access, use, and disclosure of ePHI? - - - Has the need and appropriateness of a tiered structure of sanctions that accounts - for the magnitude of harm and possible types of inappropriate disclosures - been considered? - - - How will managers and workforce members be notified regarding suspect activity?' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node20 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) - name: Implementation Specification (Required) - description: Apply appropriate sanctions against workforce members who fail - to comply with the security policies and procedures of the covered entity - or business associate - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node21 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node20 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node22 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) - name: Develop and Deploy the Information System Activity Review Process - description: 'Implement procedures to regularly review records of information - system activity, such as audit logs, access reports, and security incident - tracking reports. - - - Implement regular reviews of information system activity, and consider ways - to automate the review for the protection of ePHI.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node23 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node22 - name: Sample questions - description: 'Is there a policy that establishes what reviews will be conducted? - - - Are there corresponding procedures that describe the specifics of the reviews? - - - Who is responsible for the overall process and results? - - - How often will reviews take place? - - - How often will review results be analyzed? - - - Has the regulated entity considered all available capabilities to automate - the reviews? - - - Where will audit information reside (e.g., separate server)? Will it be stored - external to the organization (e.g., cloud service provider)?' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node24 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) - name: Implementation Specification (Required) - description: Implement procedures to regularly review records of information - system activity, such as audit logs, access reports, and security incident - tracking reports. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node25 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node24 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node26 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) - name: Develop Appropriate Standard Operating Procedures - description: Determine the types of audit trail data and monitoring procedures - that will be needed to derive exception reports. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node27 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node26 - name: Sample questions - description: 'How will exception reports or logs be reviewed? - - - Where will monitoring reports and their reviews be documented and maintained?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node28 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1) - name: Implement the Information System Activity Review and Audit Process - description: 'Activate the necessary review process. - - - Begin auditing and logging activity.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node29 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node28 - name: Sample questions - description: 'What mechanisms will be implemented to assess the effectiveness - of the review process (measures)? - - - What is the plan to revise the review process when needed?' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(2) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308 - ref_id: 164.308(a)(2) - description: 'Assigned Security Responsibility: - - HIPAA Standard: Identify the security official who is responsible for the - development and implementation of the policies and procedures required by - this subpart for the covered entity or business associate.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node31 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(2) - name: Select a Security Official to be Assigned Responsibility for HIPAA Security - description: 'Identify the individual who has final responsibility for security. - - - Select an individual who is able to assess effective security to serve as - the point of contact for security policy, implementation, and monitoring.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node32 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node31 - name: Sample questions - description: 'Who in the organization: - - - Does the security official have adequate access and communications with senior - officials in the organization, such as executives, chief information officers, - chief compliance officers, and in-house counsel? - - - Who in the organization is authorized to accept risks from systems on behalf - of the organization?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node33 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(2) - name: "Assign and Document the Individual\u2019s Responsibility" - description: "Document the assignment to one individual\u2019s responsibilities\ - \ in a job description.\n\nCommunicate this assigned role to the entire organization." 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node34 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node33 - name: Sample questions - description: 'Is there a complete job description that accurately reflects assigned - security duties and responsibilities? - - - Have the staff members in the organization been notified as to whom to call - in the event of a security problem?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308 - ref_id: 164.308(a)(3) - description: 'Workforce Security: - - HIPAA Standard: Implement policies and procedures to ensure that all members - of its workforce have appropriate access to electronic protected health information, - as provided under paragraph (a)(4) of this section, and to prevent those workforce - members who do not have access under paragraph (a)(4) of this section from - obtaining access to electronic protected health information.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node36 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3) - name: Implement Policies and Procedures for Authorization and/or Supervision - description: Implement procedures for the authorization and/or supervision of - workforce members who work with ePHI or in locations where it might be accessed. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node37 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node36 - name: Sample questions - description: 'Have chains of command and lines of authority been established? - - - Have staff members been made aware of the identity and roles of their supervisors?' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node38 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3) - name: Implementation Specification (Addressable) - description: Implement procedures for the authorization and/or supervision of - workforce members who work with ePHI or in locations where it might be accessed. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node39 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node38 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node40 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3) - name: Establish Clear Job Descriptions and Responsibilities - description: 'Define roles and responsibilities for all job functions. - - - Assign appropriate levels of security oversight, training, and access. - - - Identify in writing who has the business need and who has been granted permission - to view, alter, retrieve, and store ePHI and at what times, under what circumstances, - and for what purposes.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node41 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node40 - name: Sample questions - description: 'Are there written job descriptions that are correlated with appropriate - levels of access to ePHI? - - - Are these job descriptions reviewed and updated on a regular basis? 
- - - Have staff members been provided copies of their job descriptions and informed - of the access granted to them, as well as the conditions by which this access - can be used' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node42 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3) - name: Establish Criteria and Procedures for Hiring and Assigning Tasks - description: 'Ensure that staff members have the necessary knowledge, skills, - and abilities to fulfill particular roles (e.g., positions involving access - to and use of sensitive information). - - - Ensure that these requirements are included as part of the personnel hiring - process.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node43 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node42 - name: Sample questions - description: 'Have the qualifications of candidates for specific positions been - checked against the job description? - - - Have determinations been made that candidates for specific positions are able - to perform the tasks of those positions?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node44 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3) - name: Establish a Workforce Clearance Procedure - description: 'Implement procedures to determine that the access of a workforce - member to ePHI is appropriate. - - - Implement appropriate screening of persons who will have access to ePHI. - - - Implement a procedure for obtaining clearance from appropriate offices or - individuals where access is provided or terminated.' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node45 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node44 - name: Sample questions - description: "Is there an implementation strategy that supports the designated\ - \ access authorities?\n\nAre applicants\u2019 employment and educational references\ - \ checked, if reasonable and appropriate?\n\nHave background checks been completed,\ - \ if reasonable and appropriate?\n\nAre there procedures for determining that\ - \ the appropriate workforce members have access to the necessary information?\n\ - \nDo procedures exist for obtaining appropriate sign-offs to grant or terminate\ - \ access to ePHI?\n\nHave clearance and supervision procedures been developed\ - \ for non-US based workforce members that are applicable to their location?" - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node46 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3) - name: Implementation Specification (Addressable) - description: Implement procedures to determine that the access of a workforce - member to ePHI is appropriate. 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node47 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node46 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node48 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3) - name: Establish Termination Procedures - description: "Implement procedures for terminating access to ePHI when the employment\ - \ of or other arrangement with a workforce member ends or as required by determinations\ - \ made as specified in \xA7164.308(a)(3)(ii)(B).\n\nDevelop a standard set\ - \ of procedures that should be followed to recover access control devices\ - \ (e.g., identification badges, keys, access cards) when employment ends.\n\ - \nDeactivate computer access accounts (e.g., disable user IDs and passwords)\ - \ and facility access (e.g., change facility security codes/PINs)." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node49 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node48 - name: Sample questions - description: "Are there separate procedures for voluntary termination (e.g.,\ - \ retirement, promotion, transfer, change of employment) versus involuntary\ - \ termination (e.g., termination for cause, reduction in force, involuntary\ - \ transfer, criminal or disciplinary actions), if reasonable and appropriate?\n\ - \nIs there a standard checklist for all action items that should be completed\ - \ when a workforce member leaves (e.g., return of all access devices, deactivation\ - \ of logon accounts [including remote access], and delivery of any needed\ - \ data solely under the employee\u2019s control)?\n\nDo other organizations\ - \ need to be notified to deactivate accounts that the workforce member had\ - \ access to in the performance of their employment duties?" 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node50 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3) - name: Implementation Specification (Addressable) - description: "Implement procedures for terminating access to ePHI when the employment\ - \ of or other arrangement with a workforce member ends or as required by determinations\ - \ made as specified in \xA7164.308(a)(3)(ii)(B)." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node51 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node50 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308 - ref_id: 164.308(a)(4) - description: 'Information Access Management: - - HIPAA Standard: Implement policies and procedures for authorizing access to - electronic protected health information that are consistent with the applicable - requirements of subpart E of this part.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node53 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4) - name: Isolate Healthcare Clearinghouse Functions - description: 'If a healthcare clearinghouse is part of a larger organization, - the clearinghouse must implement policies and procedures that protect the - ePHI of the clearinghouse from unauthorized access by the larger organization. - - - Determine whether a component of the regulated entity constitutes a healthcare - clearinghouse under the HIPAA Security Rule. - - - If no clearinghouse functions exist, document this finding. If a clearinghouse - exists within the organization, implement procedures for access that are consistent - with the HIPAA Privacy Rule.' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node54 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node53 - name: Sample questions - description: 'If healthcare clearinghouse functions are performed, are policies - and procedures implemented to protect ePHI from the other functions of the - larger organization? - - - Does the healthcare clearinghouse share hardware or software with a larger - organization of which it is a part? - - - Does the healthcare clearinghouse share staff or physical space with staff - from a larger organization? - - - Has a separate network or subsystem been established for the healthcare clearinghouse, - if reasonable and appropriate? - - - Has staff of the healthcare clearinghouse been trained to safeguard ePHI from - disclosure to the larger organization, if required for compliance with the - HIPAA Privacy Rule?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node55 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4) - name: Implementation Specification (Required) - description: If a healthcare clearinghouse is part of a larger organization, - the clearinghouse must implement policies and procedures that protect the - ePHI of the clearinghouse from unauthorized access by the larger organization. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node56 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node55 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node57 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4) - name: Implement Policies and Procedures for Authorizing Access - description: 'Implement policies and procedures for granting access to ePHI, - such as through access to a workstation, transaction, program, process, or - other mechanism. 
- - - Decide and document procedures for how access to ePHI will be granted to workforce - members within the organization. - - - Select the basis for restricting access to ePHI. - - - Select an access control method (e.g., identity-based, role-based, or other - reasonable and appropriate means of access.) - - - Decide and document how access to ePHI will be granted for privileged functions. - - - Ensure that there is a list of personnel with authority to approve user requests - to access ePHI and systems with ePHI. - - - Identify authorized users with access to ePHI, including data owners and data - custodians. - - - Consider whether multiple access control methods are needed to protect ePHI - according to the results of the risk assessment. - - - Determine whether direct access to ePHI will ever be appropriate for individuals - external to the organization (e.g., business partners or patients seeking - access to their own ePHI).' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node58 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node57 - name: Sample questions - description: "Have appropriate authorization and clearance procedures, as specified\ - \ in Workforce Security (\xA7 164.308(a)(3)), been performed prior to granting\ - \ access?\n\nDo the organization\u2019s systems have the capacity to set access\ - \ controls?\n\nAre there documented job descriptions that accurately reflect\ - \ assigned duties and responsibilities and enforce segregation of duties?\n\ - \nHas the organization documented procedures that specify how authorized personnel\ - \ will be granted access to ePHI?\n\nDoes the organization grant remote access\ - \ to ePHI?\n\nWhat methods of access control are used (e.g., identity-based,\ - \ role-based, location-based, or a combination) to protect ePHI?\n\nAre there\ - \ additional access control requirements for users who will be accessing privileged\ - \ functions?\n\nHave organizational 
personnel been explicitly authorized to\ - \ approve user requests to access ePHI and/or systems with ePHI?" - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node59 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4) - name: Implementation Specification (Addressable) - description: Implement policies and procedures for granting access to ePHI, - such as through access to a workstation, transaction, program, process, or - other mechanism. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node60 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node59 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node61 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4) - name: Implement Policies and Procedures for Access Establishment and Modification - description: "Implement policies and procedures that \u2013 based on the covered\ - \ entity or business associate\u2019s access authorization policies \u2013\ - \ establish, document, review, and modify a user's right of access to a workstation,\ - \ transaction, program, or process.\n\nEstablish standards for granting access\ - \ to ePHI.\n\nProvide formal authorization from the appropriate authority\ - \ before granting access to ePHI.\n\nRegularly review personnel access to\ - \ ePHI to ensure that access is still authorized and needed.\n\nModify personnel\ - \ access to ePHI, as needed, based on review activities." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node62 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node61 - name: Sample questions - description: 'Are duties separated such that only the minimum necessary ePHI - is made available to each workforce member based on their job requirements? - - - Are access decisions justified, approved, logged, and retained? 
- - - Is personnel access to ePHI regularly reviewed to ensure that access is still - authorized and needed? - - - Are activities that review access to ePHI logged and retained, including decisions - that arise from review activities? - - - Are decisions related to the establishment and modification of workforce member - authorization to access ePHI documented?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node63 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4) - name: Implementation Specification (Addressable) - description: "Implement policies and procedures that \u2013 based on the covered\ - \ entity or business associate\u2019s access authorization policies \u2013\ - \ establish, document, review, and modify a user's right of access to a workstation,\ - \ transaction, program, or process." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node64 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node63 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node65 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4) - name: Evaluate Existing Security Measures Related to Access Controls - description: 'Evaluate the security features of access controls that are already - in place or those of any planned for implementation, as appropriate. - - - Determine whether these security features involve alignment with other existing - management, operational, and technical controls, such as policy standards, - personnel procedures, the maintenance and review of audit trails, the identification - and authentication of users, and physical access controls.' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node66 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node65 - name: Sample questions - description: 'Are there policies and procedures related to the security of access - controls? If so, are they updated regularly? - - - Are authentication mechanisms used to verify the identity of those accessing - systems protected from inappropriate manipulation? - - - Does management regularly review the list of access authorizations, including - remote access authorizations, to verify that the list is accurate and has - not been inappropriately altered?[1]' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308 - ref_id: 164.308(a)(5) - description: 'Security Awareness and Training: - - HIPAA Standard: Implement a security awareness and training program for all - members of its workforce (including management).' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node68 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5) - name: Conduct a Training Needs Assessment - description: 'Determine the training needs of the organization. - - - Interview and involve key personnel in assessing security training needs. - - - Use feedback and analysis of past events to help determine training needs - - - Review organizational behavior issues, past incidents, and/or breaches to - determine what training is missing or needs reinforcement, improvement, or - periodic reminders.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node69 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node68 - name: Sample questions - description: 'What awareness, training, and education programs are needed? Which - are required? 
- - - Is the organization monitoring current threats to determine possible areas - of training needs? - - - Are there current, relevant threats (e.g., phishing, ransomware) about which - personnel need training? - - - Do workforce members need training on any particular organization devices - (e.g., medical IoT) or technology that pose a risk to ePHI? - - - What is the current status regarding how these needs are being addressed (e.g., - how well are current efforts working)? - - - Where are the gaps between the needs and what is being done (e.g., what more - needs to be done)? - - - What are the training priorities in terms of content and audience?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node70 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5) - name: Develop and Approve a Training Strategy and a Plan - description: "Address the specific HIPAA policies that require security awareness\ - \ and training in the security awareness and training program.\n\nSet organizational\ - \ expectations for protecting ePHI.\n\nIn the security awareness and training\ - \ program, outline the program\u2019s scope, goals, target audiences, learning\ - \ objectives, deployment methods, and evaluation and measurement techniques,\ - \ as well as the frequency of training" - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node71 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node70 - name: Sample questions - description: 'Is there a procedure in place to ensure that everyone in the organization - receives security awareness training, including teleworkers and remote personnel? - - - What type of security training is needed to address specific technical topics - based on job responsibility? - - - When should training be scheduled to ensure that compliance deadlines are - met? 
- - - Has the organization considered the training needs of non-employees (e.g., - contractors, interns)? - - - Is there a need to implement information security training tailored to individual - roles?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node72 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5) - name: Protection from Malicious Software, Login Monitoring, and Password Management - description: "As reasonable and appropriate, train workforce members regarding\ - \ procedures for:\n\nIncorporate information concerning workforce members\u2019\ - \ roles and responsibilities in implementing these implementation specifications\ - \ into training and awareness efforts." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node73 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node72 - name: Sample questions - description: 'Do workforce members know the importance of the timely application - of system patches to protect against malicious software and the exploitation - of vulnerabilities? - - - Are workforce members aware that login attempts may be monitored? - - - Do workforce members who monitor login attempts know to whom to report discrepancies? - - - Do workforce members understand their roles and responsibilities in selecting - a password of appropriate strength, safeguarding their password, and changing - a password when it has been compromised or is suspected of being compromised? - - - Are there policies in place that prohibit workforce members from sharing passwords - with others?' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node74 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5) - name: Implementation Specification (Protection from Malicious Software) - description: 'As reasonable and appropriate, train workforce members regarding - procedures for:' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node75 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node74 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node76 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5) - name: Implementation Specification (Log-in Monitoring) - description: 'As reasonable and appropriate, train workforce members regarding - procedures for:' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node77 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node76 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node78 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5) - name: Implementation Specification (Password Management) - description: 'As reasonable and appropriate, train workforce members regarding - procedures for:' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node79 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node78 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node80 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5) - name: Develop Appropriate Awareness and Training Content, Materials, and Methods - description: 'Select topics to be included in the training materials, and consider - current and relevant topics (e.g., phishing, email security) for the protection - of ePHI. 
- - - Incorporate new information from email advisories, online IT security daily - news websites, and periodicals, as reasonable and appropriate. - - - Consider using a variety of media and avenues according to what is appropriate - for the organization based on workforce size, location, level of education, - and other factors. - - - Training should be an ongoing, evolving process in response to environmental - and operational changes that affect the security of ePHI.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node81 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node80 - name: Sample questions - description: "Are the topics selected for training and awareness the most relevant\ - \ to the threats, vulnerabilities, and risks identified during the risk assessment?\n\ - \nDoes the organization periodically review the topics covered in training\ - \ and awareness in light of updates to the risk assessment and current threats?\n\ - \nHave workforce members received a copy of and do they have ready access\ - \ to the organization\u2019s security procedures and policies?\n\nDo workforce\ - \ members know whom to contact and how to handle a security incident?\n\n\ - Do workforce members understand the consequences of noncompliance with the\ - \ stated security policies?\n\nDo workforce members who travel, telework,\ - \ or work remotely know how to handle physical laptop security issues and\ - \ information security issues?\n\nHas the regulated entity researched available\ - \ training resources?\n\nIs dedicated training staff available for the delivery\ - \ of security training? If not, who will deliver the training?\n\nWhat is\ - \ the security training budget?" 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node82 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5) - name: Implement the Training - description: 'Schedule and conduct the training outlined in the strategy and - plan. - - - Implement any reasonable technique to disseminate the security messages in - an organization, including newsletters, screensavers, video recordings, email - messages, teleconferencing sessions, staff meetings, and computer-based training.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node83 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node82 - name: Sample questions - description: 'Have all workforce members received adequate training to fulfill - their security responsibilities? - - - Are there sanctions if workforce members do not complete the required training?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node84 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5) - name: Implement Security Reminders - description: 'Implement periodic security updates. - - - Provide periodic security updates to staff, business associates, and contractors. - - - Consider the benefits of ongoing communication with staff (e.g., emails, newsletters) - on training topics to achieve HIPAA compliance and protect ePHI.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node85 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node84 - name: Sample questions - description: 'What methods are available or already in use to make or keep workforce - members aware of security (e.g., posters, booklets, anti-phishing training)? - - - Is the organization making use of existing resources (e.g., from the 405(d) - program or other resources listed in Appendix F) to remind staff of important - security topics? 
- - - Is security refresher training performed on a periodic basis (e.g., annually)? - - - Is security awareness discussed with all new hires? - - - Are security topics reinforced during routine staff meetings?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node86 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5) - name: Implementation Specification (Addressable) - description: Implement periodic security updates. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node87 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node86 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node88 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5) - name: Monitor and Evaluate the Training Plan - description: 'Keep the security awareness and training program current. - - - Solicit trainee feedback to determine whether the training and awareness are - successfully reaching the intended audience. - - - Conduct training whenever changes occur in the technology and practices as - appropriate. - - - Monitor the training program implementation to ensure that all workforce members - participate. - - - Implement corrective actions when problems arise.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node89 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node88 - name: Sample questions - description: 'Are the workforce members'' training and professional development - programs documented and monitored, if reasonable and appropriate? - - - How are new workforce members trained on security? - - - Are new non-employees (e.g., contractors, interns) trained on security?' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(6) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308 - ref_id: 164.308(a)(6) - description: 'Security Incident Procedures: - - HIPAA Standard: Implement policies and procedures to address security incidents.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node91 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(6) - name: Determine the Goals of Incident Response - description: "Gain an understanding as to what constitutes a true security incident.\ - \ Under the HIPAA Security Rule, a security incident is the attempted or successful\ - \ unauthorized access, use, disclosure, modification, or destruction of information\ - \ or interference with system operations in an information system (45 CFR\ - \ \xA7 164.304).\n\nEnsure that the incident response program covers all parts\ - \ of the organization in which ePHI is created, stored, processed, or transmitted.\n\ - \nDetermine how the organization will respond to a security incident.\n\n\ - Establish a reporting mechanism and a process to coordinate responses to the\ - \ security incident.\n\nProvide direct technical assistance, advise vendors\ - \ to address product-related problems, and provide liaisons to legal and criminal\ - \ investigative groups as needed." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node92 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node91 - name: Sample questions - description: 'Has the HIPAA-required security risk assessment resulted in a - list of potential physical or technological events that could lead to a breach - of security? - - - Is there a procedure in place for reporting and handling incidents? 
- - - Has an analysis been conducted that relates reasonably anticipated organizational - threats (that could result in a security incident) to the methods that would - be used for mitigation? - - - Have the key functions of the organization been prioritized to determine what - would need to be restored first in the event of a disruption?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node93 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(6) - name: Develop and Deploy an Incident Response Team or Other Reasonable and Appropriate - Response Mechanism - description: 'Determine whether the size, scope, mission, and other aspects - of the organization justify the reasonableness and appropriateness of maintaining - a standing incident response team. - - - Identify appropriate individuals to be part of a formal incident response - team if the organization has determined that implementing an incident response - team is reasonable and appropriate. - - - Consider assigning secondary personnel to be part of the incident response - team in the event that primary personnel are unavailable.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node94 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node93 - name: Sample questions - description: "Do members of the team have adequate knowledge of the organization\u2019\ - s hardware and software?\n\nDo members of the team have the authority to speak\ - \ for the organization to the media, law enforcement, and clients or business\ - \ partners?\n\nHas the incident response team received appropriate training\ - \ in incident response activities?" 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node95 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(6) - name: Develop and Implement Policy and Procedures to Respond to and Report Security - Incidents - description: 'Identify and respond to suspected or known security incidents; - mitigate, to the extent practicable, harmful effects of security incidents - that are known to the covered entity or business associate; and document security - incidents and their outcomes. - - - Ensure that an organizational incident response policy is in place that addresses - all parts of the organization in which ePHI is created, stored, processed, - or transmitted. - - - Document incident response procedures that can provide a single point of reference - to guide the day-to-day operations of the incident response team. - - - Review incident response procedures with staff who have roles and responsibilities - related to incident response; solicit suggestions for improvements; and make - changes to reflect input if reasonable and appropriate. - - - Consider conducting tests of the incident response plan. - - - Update the procedures as required based on changing organizational needs.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node96 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node95 - name: Sample questions - description: 'Has the organization determined that maintaining a staffed security - incident hotline would be reasonable and appropriate? - - - Has the organization developed processes for documenting and tracking incidents? - - - Has the organization determined reasonable and appropriate mitigation options - for security incidents? - - - Has the organization developed standardized incident report templates to record - necessary information related to incidents? 
- - - Has the organization determined that information captured in the reporting - templates is reasonable and appropriate to investigate an incident? - - - Has the organization determined the conditions under which information related - to a security breach will be disclosed to the media? - - - Have appropriate (internal and external) persons who should be informed of - a security breach been identified? Has a contact information list been prepared? - - - Has a written incident response plan been developed and provided to the incident - response team? - - - Has the incident response plan been tested?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node97 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(6) - name: Implementation Specification (Required) - description: Identify and respond to suspected or known security incidents; - mitigate, to the extent practicable, harmful effects of security incidents - that are known to the covered entity or business associate; and document security - incidents and their outcomes. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node98 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node97 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node99 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(6) - name: Incorporate Post-Incident Analysis into Updates and Revisions - description: 'Measure effectiveness and update security incident response procedures - to reflect lessons learned, and identify actions to take that will improve - security controls after a security incident. - - - Incidents caused by or influenced by known risks should feed back into the - risk assessment process for a reevaluation of impact and/or likelihood. 
- - - Remediation and corrective action plans that arise from incidents should serve - as input to the risk assessment/management process.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node100 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node99 - name: Sample questions - description: 'Has the organization analyzed records (e.g., log files, malware) - to understand the nature, extent, and scope of the incident? - - - Does the organization reassess risk to ePHI based on findings from this analysis? - - - Does the incident response team keep adequate documentation of security incidents - and their outcomes, which may include what weaknesses were exploited and how - access to the information was gained? - - - Do records reflect the new contacts and resources identified for responding - to an incident? - - - Does the organization consider whether current procedures were adequate for - responding to a particular security incident?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308 - ref_id: 164.308(a)(7) - description: 'Contingency Plan: - - HIPAA Standard: Establish (and implement as needed) policies and procedures - for responding to an emergency or other occurrence (for example, fire, vandalism, - system failure, and natural disaster) that damages systems that contain electronic - protected health information' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node102 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7) - name: Develop a Contingency Planning Policy - description: "Define the organization\u2019s overall contingency objectives.\n\ - \nEstablish the organizational framework, roles, and responsibilities for\ - \ this area.\n\nAddress scope, resource requirements, training, testing, plan\ - \ maintenance, and backup 
requirements." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node103 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node102 - name: Sample questions - description: 'What critical services must be provided within specified time - frames? - - - Have cross-functional dependencies been identified to determine how a failure - in one system may negatively impact another one?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node104 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7) - name: Conduct an Applications and Data Criticality Analysis - description: 'Assess the relative criticality of specific applications and data - in support of other Contingency Plan components. - - - Identify the activities and material involving ePHI that are critical to business - operations. - - - Identify the critical services or operations and the manual and automated - processes that support them involving ePHI. - - - Determine the amount of time that the organization can tolerate disruptions - to these operations, materials, or services (e.g., due to power outages). - - - Evaluate the current and available levels of redundancy and geographic distribution - of any storage service providers to identify risks to service availability - and determine restoration times. - - - Consider whether any vendor/service provider arrangements are critical to - operations and address them as appropriate to ensure availability and reliability. - - - Establish cost-effective strategies for recovering these critical services - or processes.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node105 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node104 - name: Sample questions - description: 'What hardware, software, and personnel are critical to daily operations? 
- - - What is the impact on desired service levels if these critical assets are - not available? - - - What, if any, support is provided by external providers (e.g., cloud service - providers, internet service providers, utilities, or contractors)? - - - What is the nature and degree of impact on the operation if any of the critical - resources or service providers are not available? - - - Has the organization identified vendors or service providers that are critical - to business operations? - - - Has the organization sufficiently addressed the availability and reliability - of these services (e.g., via service level agreements, contracts)?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node106 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7) - name: Implementation Specification (Addressable) - description: Assess the relative criticality of specific applications and data - in support of other Contingency Plan components. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node107 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node106 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node108 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7) - name: Identify Preventive Measures - description: 'Identify preventive measures for each defined scenario that could - result in the loss of a critical service operation involving the use of ePHI. - - - Ensure that identified preventive measures are practical and feasible in terms - of their applicability in a given environment.' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node109 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node108 - name: Sample questions - description: 'What alternatives for continuing operations of the organization - are available in case of the loss of any critical function or resource? - - - What is the cost associated with the preventive measures that may be considered? - - - Are the preventive measures feasible (i.e., affordable and practical for the - environment)? - - - What plans, procedures, or agreements need to be initiated to enable the implementation - of the preventive measures if they are necessary?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node110 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7) - name: Develop Recovery Strategy - description: 'Finalize the set of contingency procedures that should be invoked - for all identified impacts, including emergency mode operation. The strategy - must be adaptable to the existing operating environment and address allowable - outage times and the associated priorities identified in Key Activity 2. - - - If part of the strategy depends on external organizations for support, ensure - that formal agreements are in place with specific requirements stated.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node111 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node110 - name: Sample questions - description: 'Have procedures related to recovery from emergency or disastrous - events been documented? - - - Has a coordinator who manages, maintains, and updates the plan been designated? - - - Has an emergency call list been distributed to all workforce members? Have - recovery procedures been documented? 
- - - Has a determination been made regarding when the plan needs to be activated - (e.g., anticipated duration of outage, tolerances for outage or loss of capability, - impact on service delivery, etc.)?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node112 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7) - name: Data Backup Plan and Disaster Recovery Plan - description: 'Establish and implement procedures to create and maintain retrievable - exact copies of ePHI. - - - Establish (and implement as needed) procedures to restore any loss of data.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node113 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node112 - name: Sample questions - description: 'Is there a formal, written contingency plan? Does it address disaster - recovery and data backup? - - - Does the disaster recovery plan address what data is to be restored and in - what order? - - - Do data backup procedures exist that include all ePHI? - - - Is the frequency of backups appropriate for the environment? - - - Are responsibilities assigned to conduct backup activities? - - - Are data backup procedures documented and available to other staff? - - - Are backup logs reviewed and data restoration tests conducted to ensure the - integrity of data backups? - - - Is at least one copy of the data backup stored offline to protect against - corruption due to ransomware or other similar attacks? - - - Are backups or images of operating systems, devices, software, and configuration - files necessary to support the confidentiality, integrity, and availability - of ePHI included in the data backup plan?' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node114 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7) - name: Implementation Specification (Required) - description: Establish and implement procedures to create and maintain retrievable - exact copies of ePHI. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node115 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node114 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node116 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7) - name: Implementation Specification (Required) - description: Establish (and implement as needed) procedures to restore any loss - of data. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node117 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node116 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node118 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7) - name: Develop and Implement an Emergency Mode Operation Plan - description: "Establish (and implement as needed) procedures to enable the continuation\ - \ of critical business processes to protect the security of ePHI while operating\ - \ in emergency mode.\n\n\u201CEmergency mode\u201D operation involves only\ - \ those critical business processes that must occur to protect the security\ - \ of ePHI during and immediately after a crisis situation." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node119 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node118 - name: Sample questions - description: 'Have procedures been developed to continue the critical functions - identified in Key Activity 2? 
- - - If so, have those critical functions that also involve the use of ePHI been - identified? - - - Would different staff, facilities, or systems be needed to perform those functions? - - - Has the security of ePHI in that alternative mode of operation been assured?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node120 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7) - name: Implementation Specification (Required) - description: Establish (and implement as needed) procedures to enable the continuation - of critical business processes to protect the security of ePHI while operating - in emergency mode. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node121 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node120 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node122 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7) - name: Testing and Revision Procedure - description: 'Implement procedures for the periodic testing and revision of - contingency plans. - - - Test the contingency plan on a predefined cycle (stated in the policy developed - under Key Activity 1), if reasonable and appropriate. - - - Train those with defined plan responsibilities in their roles. - - - If possible, involve external entities (e.g., vendors, alternative site or - service providers) in testing exercises. - - - Make key decisions regarding how the testing is to occur (e.g., tabletop exercise - versus staging a real operational scenario, including actual loss of capability). - - - Decide how to segment the type of testing based on the assessment of business - impact and the acceptability of a sustained loss of service.' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node123 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node122 - name: Sample questions - description: 'How is the contingency plan to be tested? - - - Does testing lend itself to a phased approach? - - - Is it feasible to actually take down functions or services for the purposes - of testing? - - - Has the organization conducted backup recovery testing to ensure that critical - data can be recovered using existing data backups? - - - Does the backup recovery testing verify the ability to recover data and operations - based on identified testing scenarios using actual tests (i.e., not tabletop - exercises)? - - - Can testing be done during normal business hours or must it take place during - off hours? - - - Have the tests included personnel with contingency planning responsibilities? - - - Have the results of each test been documented and any problems with the test - reviewed and corrected? - - - If full testing is infeasible, has a tabletop scenario (e.g., a classroom-like - exercise) been considered? - - - How frequently will the plan be tested (e.g., annually)? - - - When should the plan be revised?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node124 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7) - name: Implementation Specification (Addressable) - description: Implement procedures for the periodic testing and revision of contingency - plans. 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node125 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node124 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(8) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308 - ref_id: 164.308(a)(8) - description: "Evaluation:\nHIPAA Standard: Perform a periodic technical and\ - \ nontechnical evaluation, based initially upon the standards implemented\ - \ under this rule and subsequently, in response to environmental or operational\ - \ changes affecting the security of electronic protected health information,\ - \ that establishes the extent to which a covered entity\u2019s or business\ - \ associate\u2019s security policies and procedures meet the requirements\ - \ of this subpart." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node127 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(8) - name: Determine Whether Internal or External Evaluation is Most Appropriate - description: 'Decide whether the evaluation will be conducted with internal - staff resources or external consultants. - - - Engage external expertise to assist the internal evaluation team where additional - skills and expertise are determined to be reasonable and appropriate. - - - Use internal resources to supplement an external source of help because these - internal resources can provide the best institutional knowledge and history - of internal policies and practices.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node128 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node127 - name: Sample questions - description: 'Which staff has the technical experience and expertise to evaluate - the systems? - - - Are the evaluators sufficiently independent to provide objective reporting? 
- - - How much training will staff need on security-related technical and non-technical - issues? - - - If an outside vendor is used, what factors should be considered when selecting - the vendor, such as credentials and experience? - - - What is the budget for internal resources to assist with an evaluation? - - - What is the budget for external services to assist with an evaluation?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node129 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(8) - name: Develop Standards and Measurements for Reviewing All Standards and Implementation - Specifications of the Security Rule - description: "Develop and document organizational policies and procedures for\ - \ conducting evaluation.\n\nOnce security controls have been implemented in\ - \ response to the organization\u2019s risk assessment and management processes,\ - \ periodically review these implemented security measures to ensure their\ - \ continued effectiveness in protecting ePHI.\n\nConsider determining any\ - \ specific evaluation metrics and/or measurements to be captured during evaluation.\ - \ Metrics and/or measurements can assist in tracking progress over time.\n\ - \nUse an evaluation strategy and tool that considers all elements of the HIPAA\ - \ Security Rule and can be tracked, such as a questionnaire or checklist.\n\ - \nImplement tools that can provide reports on the level of compliance, integration,\ - \ or maturity of a particular security safeguard deployed to protect ePHI.\n\ - \nIf available, consider engaging corporate, legal, or regulatory compliance\ - \ staff when conducting the analysis.\n\nLeverage any existing reports or\ - \ documentation that may already be prepared by the organization addressing\ - \ the compliance, integration, or maturity of a particular security safeguard\ - \ deployed to protect ePHI." 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node130 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node129 - name: Sample questions - description: 'Has the organization documented policies and procedures for conducting - the evaluation of security controls? - - - Have management, operational, and technical issues been considered? - - - Do the elements of each evaluation procedure (e.g., questions, statements, - or other components) address individual, measurable security safeguards for - ePHI? - - - Has the organization developed evaluation procedures that capture any desired - metrics or measurements? - - - Has the organization determined that the procedure must be tested in a few - areas or systems? - - - Does the evaluation tool consider all standards and implementation specifications - of the HIPAA Security Rule? - - - Does the evaluation tool address the protection of ePHI that is collected, - used, or disclosed?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node131 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(8) - name: Conduct Evaluation - description: 'Determine in advance what departments and/or staff will participate - in the evaluation. - - - Determine what constitutes an environmental or operational change that affects - the security of ePHI. - - - Determine when evaluations are conducted in response to an environmental or - operational change that affects the security of ePHI (e.g., prior to the change, - contemporaneous with the change, after the change). - - - Secure management support for the evaluation process to ensure participation. - - - Collect and document all needed information. Collection methods may include - the use of interviews, surveys, and the outputs of automated tools, such as - access control auditing tools, system logs, and the results of penetration - testing. 
- - - Conduct penetration testing (where testers attempt to compromise system security - for the sole purpose of testing the effectiveness of security controls), if - reasonable and appropriate. - - - Evaluation may include reviewing organizational policies and procedures, assessing - the implementation of security controls, collecting evidence of security control - implementation, and performing physical walk- throughs.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node132 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node131 - name: Sample questions - description: 'If available, have staff members with knowledge of IT security - been consulted and included in the evaluation team? - - - Are appropriate personnel notified of planned environmental or operational - changes that could affect the security of ePHI? - - - Is a change management process in place that includes identification and communication - of environmental and operational changes that could affect the security of - ePHI? - - - If penetration testing has been determined to be reasonable and appropriate, - has specifically worded, written approval from senior management been received - for any planned penetration testing? - - - Has the process been formally communicated to those who have been assigned - roles and responsibilities in the evaluation process? - - - Has the organization explored the use of automated tools to support the evaluation - process?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node133 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(8) - name: Document Results - description: 'Document each evaluation finding, as well as remediation options, - recommendations, and decisions. - - - Document known gaps between identified risks, mitigating security controls, - and any acceptance of risk, including justification. 
- - - Develop security program priorities, and establish targets for continuous - improvement. - - - Utilize the results of evaluations to inform impactful security changes to - protect ePHI. - - - Communicate evaluation results, metrics, and/or measurements to relevant organizational - personnel.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node134 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node133 - name: Sample questions - description: 'Does the process support the development of security recommendations? - - - When determining how best to display evaluation results, have written reports - that highlight key findings and recommendations been considered? - - - If a written final report is to be circulated among key staff, have steps - been taken to ensure that it is made available only to those persons designated - to receive it? - - - Does the organization use evaluation results to enhance the protection of - ePHI rather than for the sake of compliance?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node135 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(8) - name: Repeat Evaluations Periodically - description: 'Establish the frequency of evaluations, and consider the sensitivity - of the ePHI controlled by the organization as well as the organization''s - size, complexity, and environmental and/or operational changes (e.g., other - relevant laws or accreditation requirements). - - - In addition to periodic reevaluations, consider repeating evaluations when - environmental and operational changes that affect the security of ePHI are - made to the organization (e.g., if new technology is adopted or if there are - newly recognized risks to the security of ePHI).' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node136 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node135 - name: Sample questions - description: 'Do security policies specify that evaluations will be repeated - when environmental and operational changes are made that affect the security - of ePHI? - - - Do policies on the frequency of security evaluations reflect any and all relevant - federal or state laws that bear on environmental or operational changes affecting - the security of ePHI? - - - Has the organization explored the use of automated tools to support periodic - evaluations?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(b)(1) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308 - ref_id: 164.308(b)(1) - description: "Business Associate Contracts and Other Arrangements:\nHIPAA Standard:\ - \ A covered entity may permit a business associate to create, receive, maintain,\ - \ or transmit electronic protected health information on the covered entity\u2019\ - s behalf only if the covered entity obtains satisfactory assurances, in accordance\ - \ with \xA7 164.314(a), that the business associate will appropriately safeguard\ - \ the information. A covered entity is not required to obtain such satisfactory\ - \ assurances from a business associate that is a subcontractor." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node138 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(b)(1) - name: Identify Entities that are Business Associates Under the HIPAA Security - Rule - description: 'Identify the individual or department who will be responsible - for coordinating the execution of business associate agreements or other arrangements. - - - Reevaluate the list of business associates to determine who has access to - ePHI in order to assess whether the list is complete and current. 
- - - Identify systems covered by the contract/agreement. - - - Business associates must have a BAA in place with each of their subcontractor - business associates. Subcontractor business associates are also directly liable - for their own Security Rule violations.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node139 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node138 - name: Sample questions - description: 'Does each written and executed BAA contain sufficient language - to ensure that ePHI and any other required information types will be protected? - - - Have all organizations or vendors that provide a service or function on behalf - of the organization been identified? Such services may include: - - - Have outsourced functions that involve the use of ePHI been considered? Such - functions may include:' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node140 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(b)(1) - name: Establish a Process for Measuring Contract Performance and Terminating - the Contract if Security Requirements Are Not Being Met - description: 'Maintain clear lines of communication between covered entities - and business associates regarding the protection of ePHI as per the BAA or - contract. - - - Establish criteria for measuring contract performance.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node141 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node140 - name: Sample questions - description: 'What is the service being performed? - - - What is the expected outcome? - - - Is there a process for reporting security incidents related to the agreement? - - - Are additional assurances of protections for ePHI from the business associate - necessary? 
If so, where will such additional assurances be documented (e.g., - in the BAA, service-level agreement, or other documentation), and how will - they be met (e.g., providing documentation of implemented safeguards, audits, - certifications)?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node142 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(b)(1) - name: Written Contract or Other Arrangement - description: "Document the satisfactory assurances required by this standard\ - \ through a written contract or other arrangement with the business associate\ - \ that meets the applicable requirements of \xA7164.314(a). Readers may find\ - \ useful resources in Appendix F, including OCR BAA guidance and/or templates\ - \ that include applicable language.\n\nExecute new or update existing agreements\ - \ or arrangements as appropriate.\n\nIdentify roles and responsibilities.\n\ - \nInclude security requirements in business associate contracts and agreements\ - \ to address the confidentiality, integrity, and availability of ePHI.\n\n\ - Specify any training requirements associated with the contract/agreement or\ - \ arrangement, if reasonable and appropriate." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node143 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node142 - name: Sample questions - description: 'Who is responsible for coordinating and preparing the final agreement - or arrangement? - - - Does the agreement or arrangement specify how information is to be transmitted - to and from the business associate? - - - Have security controls been specified for the business associate? - - - Are clear responsibilities identified and established regarding potentially - overlapping HIPAA obligations (e.g., if hosting ePHI in the cloud, will the - CE, BA, or both address encryption)? 
- - - Have appropriate organizational personnel been trained in the process of initiating - and maintaining a business associate agreement (BAA)?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node144 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(b)(1) - name: Implementation Specification (Required) - description: "Document the satisfactory assurances required by this standard\ - \ through a written contract or other arrangement with the business associate\ - \ that meets the applicable requirements of \xA7164.314(a). Readers may find\ - \ useful resources in Appendix F, including OCR BAA guidance and/or templates\ - \ that include applicable language." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node145 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node144 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310 - assessable: false - depth: 1 - ref_id: '164.310' - description: "Physical Safeguards:\nDefined as the \u201Cphysical measures,\ - \ policies, and procedures to protect a covered entity\u2019s electronic information\ - \ systems and related buildings and equipment, from natural and environmental\ - \ hazards, and unauthorized intrusion.\u201D" - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310 - ref_id: 164.310(a) - description: 'Facility Access Controls: - - HIPAA Standard: Implement policies and procedures to limit physical access - to its electronic information systems and the facility or facilities in which - they are housed, while ensuring that properly authorized access is allowed.' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node148 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) - name: Conduct an Analysis of Existing Physical Security Vulnerabilities - description: 'Inventory facilities and identify shortfalls and/or vulnerabilities - in current physical security capabilities. - - - Assign degrees of significance to each vulnerability identified and ensure - that proper access is allowed. - - - Determine which types of facilities require access controls to safeguard ePHI, - such as:' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node149 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node148 - name: Sample questions - description: 'If reasonable and appropriate, do non-public areas have locks - and cameras? - - - Are computing devices protected from public access or viewing? - - - Are entrances and exits that lead to locations with ePHI secured? - - - Do policies and procedures already exist regarding access to and use of facilities - and equipment? - - - Are there possible natural or human-made disasters that could happen in the - environment? - - - Do normal physical protections exist (e.g., locks on doors, windows, and other - means of preventing unauthorized access)? - - - Are network wiring cables protected and not exposed to unauthorized personnel? - - - Is there a list of workforce members who can access the facility after hours - via the use of keys, badge access, and knowledge of the security or alarm - system?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node150 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) - name: Identify Corrective Measures - description: 'Identify and assign responsibility for the measures and activities - necessary to correct deficiencies, and ensure that proper physical access - is allowed. 
- - - Develop and deploy policies and procedures to ensure that repairs, upgrades, - and/or modifications are made to the appropriate physical areas of the facility - while ensuring that proper access is allowed.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node151 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node150 - name: Sample questions - description: 'Who is responsible for security? - - - Is a workforce member other than the security official responsible for facility/physical - security? - - - Are facility access control policies and procedures already in place? Do they - need to be revised? - - - What training will be needed for workforce members to understand the policies - and procedures? - - - How will decisions and actions be documented? - - - Is a property owner or external party (e.g., cloud service provider) required - to make physical changes to meet the requirements?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node152 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) - name: Develop a Facility Security Plan - description: "Implement policies and procedures to safeguard the facility and\ - \ the equipment therein from unauthorized physical access, tampering, and\ - \ theft.\n\nImplement appropriate measures to provide physical security protection\ - \ for ePHI in a regulated entity\u2019s possession.\n\nInclude documentation\ - \ of the facility inventory, physical maintenance records, and a history of\ - \ changes, upgrades, and other modifications.\n\nIdentify points of access\ - \ to the facility and existing security controls." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node153 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node152 - name: Sample questions - description: 'Is there an inventory of facilities and existing security practices? 
- - - What are the current procedures for securing the facilities (e.g., exterior, - interior, equipment, access controls, maintenance records)? - - - Is a workforce member other than the security official responsible for the - facility plan? - - - Is there a contingency plan already in place, under revision, or under development?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node154 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) - name: Implementation Specification (Addressable) - description: Implement policies and procedures to safeguard the facility and - the equipment therein from unauthorized physical access, tampering, and theft. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node155 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node154 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node156 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) - name: Develop Access Control and Validation Procedures - description: 'Implement procedures to control and validate a person''s access - to facilities based on their role or function, including visitor control and - control of access to software programs for testing and revision. - - - Implement procedures to provide facility access to authorized personnel and - visitors and exclude unauthorized persons.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node157 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node156 - name: Sample questions - description: 'What are the policies and procedures in place for controlling - access by staff, contractors, visitors, and probationary workforce members? - - - Do the procedures identify individuals, roles, or job functions that are authorized - to access software programs for testing and revision? 
- - - How many access points exist in each facility? Is there an inventory? - - - Is monitoring equipment necessary? - - - Is there a periodic review of personnel with physical access?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node158 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) - name: Implementation Specification (Addressable) - description: Implement procedures to control and validate a person's access - to facilities based on their role or function, including visitor control and - control of access to software programs for testing and revision. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node159 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node158 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node160 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) - name: Establish Contingency Operations Procedures - description: Establish (and implement as needed) procedures that allow facility - access in support of the restoration of lost data under the Disaster Recovery - Plan and Emergency Mode Operations Plan in the event of an emergency. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node161 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node160 - name: Sample questions - description: 'Are there procedures to allow facility access while restoring - lost data in the event of an emergency? - - - Who needs access to ePHI in the event of a disaster? - - - What is the backup plan for access to the facility and/or ePHI? - - - Who is responsible for the contingency plan for access to ePHI? - - - Who is responsible for implementing the contingency plan for access to ePHI - in each department or unit? 
- - - Will the contingency plan be appropriate in the event of all types of potential - disasters (e.g., fire, flood, earthquake, etc.)?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node162 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) - name: Implementation Specification (Addressable) - description: Establish (and implement as needed) procedures that allow facility - access in support of the restoration of lost data under the Disaster Recovery - Plan and Emergency Mode Operations Plan in the event of an emergency. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node163 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node162 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node164 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) - name: Maintain Maintenance Records - description: Implement policies and procedures to document repairs and modifications - to the physical components of a facility that are related to security (e.g., - hardware, walls, doors, and locks). - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node165 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node164 - name: Sample questions - description: 'Are policies and procedures developed and implemented that specify - how to document repairs and modifications to the physical components of a - facility that are related to security? - - - Are records of repairs to hardware, walls, doors, and locks maintained? - - - Has responsibility for maintaining these records been assigned?' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node166 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a) - name: Implementation Specification (Addressable) - description: Implement policies and procedures to document repairs and modifications - to the physical components of a facility that are related to security (e.g., - hardware, walls, doors, and locks). - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node167 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node166 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(b) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310 - ref_id: 164.310(b) - description: 'Workstation Use: - - HIPAA Standard: Implement policies and procedures that specify the proper - functions to be performed, the manner in which those functions are to be performed, - and the physical attributes of the surroundings of a specific workstation - or class of workstation that can access electronic protected health information.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node169 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(b) - name: Identify Workstation and Device Types and Functions or Uses - description: "Inventory workstations and devices that create, store, process\ - \ or transmit ePHI. 
Be sure to consider the multitude of computing devices\ - \ (e.g., medical equipment, medical IoT devices, tablets, smart phones, etc.).\n\ - \nDevelop policies and procedures for each type of device and identify and\ - \ accommodate their unique issues.\n\nClassify devices based on the capabilities,\ - \ connections, and allowable activities for each device used.\n\nDetermine\ - \ the proper function and manner by which specific workstations or classes\ - \ of workstations are permitted to access ePHI (e.g., applications permitting\ - \ access to ePHI that are allowed on workstations used by a hospital\u2019\ - s customer service call center or its radiology department)." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node170 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node169 - name: Sample questions - description: 'Do the policies and procedures identify devices that access ePHI - and those that do not? - - - Is there an inventory of device types and locations in the organization? - - - Who is responsible for this inventory and its maintenance? - - - What tasks are commonly performed on a given device or type of device? - - - Are all types of computing devices used as workstations identified along with - the use of these devices? - - - Are all devices that create, store, process, or transmit ePHI owned by the - regulated entity? - - - Are some devices personally owned or owned by another party? - - - Has the organization considered the use of automation to manage device inventory?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node171 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(b) - name: Identify the Expected Performance of Each Type of Workstation and Device - description: Develop and document policies and procedures related to the proper - use and performance of devices that create, store, process, or transmit ePHI. 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node172 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node171 - name: Sample questions - description: 'How are these devices used in day-to-day operations? - - - Which devices are involved in various work activities? - - - What are key operational risks that could result in a breach of security? - - - Do the policies and procedures address the use of these devices for any personal - use? - - - Has the organization updated training and awareness content to include the - proper use and performance of these devices?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node173 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(b) - name: Analyze Physical Surroundings for Physical Attributes - description: "Ensure that any risks associated with a device\u2019s surroundings\ - \ are known and analyzed for possible negative impacts.\n\nDevelop policies\ - \ and procedures that will prevent or preclude the unauthorized access of\ - \ unattended devices, limit the ability of unauthorized persons to view sensitive\ - \ information, and dispose of sensitive information as needed." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node174 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node173 - name: Sample questions - description: 'Do the policies and procedures specify where to place devices - to only allow viewing by authorized personnel? - - - Where are devices located? - - - Where does work on ePHI occur? - - - Are some devices stationary? - - - Are some devices mobile and leave the physical facility? - - - Is viewing by unauthorized individuals restricted or limited on these devices? - - - Do changes need to be made in the space configuration? - - - Do workforce members understand the security requirements for the data they - use in their day-to-day jobs? 
- - - Are any computing components (e.g., servers, workstations, medical devices) - kept in locations that put the confidentiality, integrity, and availability - of ePHI at risk?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(c) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310 - ref_id: 164.310(c) - description: 'Workstation Security: - - HIPAA Standard: Implement physical safeguards for all workstations that access - electronic protected health information, to restrict access to authorized - users.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node176 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(c) - name: Identify All Methods of Physical Access to Workstations and Devices - description: 'Document the different ways that users access workstations and - other devices that create, store, process, or transmit ePHI. Be sure to consider - the multitude of computing devices (e.g., medical equipment, medical IoT devices, - tablets, smart phones, etc.). - - - Consider any mobile devices that leave the physical facility as well as remote - workers who access devices that create, store, process, or transmit ePHI.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node177 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node176 - name: Sample questions - description: 'Is there an inventory of all current device locations? - - - Are any devices located in public areas? - - - Are laptops or other computing devices used as workstations to create, access, - store, process, or transmit ePHI?' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node178 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(c) - name: Analyze the Risks Associated with Each Type of Access - description: Determine which type of access identified in Key Activity 1 poses - the greatest threat to the security of ePHI. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node179 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node178 - name: Sample questions - description: 'Do any devices leave the facility? - - - Are any devices housed in areas that are more vulnerable to unauthorized use, - theft, or viewing of the data they contain? - - - What are the options for modifying the current access configuration to protect - ePHI?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node180 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(c) - name: Identify and Implement Physical Safeguards for Workstations and Devices - description: 'Implement physical safeguards and other security measures to minimize - the possibility of inappropriate access to ePHI through computing devices. - - - If there are impediments to physically securing devices and/or the facilities - where devices are located, additional safeguards should be considered, such - as:' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node181 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node180 - name: Sample questions - description: 'Are physical safeguards implemented for all devices that access - ePHI to restrict access to authorized users? - - - Are devices and other tools used in the provisioning of treatment, payment - and operations protected from unauthorized access, viewing, modification, - and/or theft within mobile healthcare environments? 
- - - What safeguards are in place,(e.g., locked doors, screen barriers, cameras, - guards)? - - - Are additional physical safeguards needed to protect devices with ePHI? - - - Do any devices need to be relocated to enhance physical security? - - - Are safeguards such as anti-theft devices, physical privacy screens, or other - procedures used to help prevent unauthorized audio and video recording - - - Have workforce members been trained on security? - - - Are some devices not owned by the organization? Do these ownership considerations - preclude the use of any physical security controls on the device? - - - Do the policies and procedures specify the use of additional security measures - to protect devices with ePHI, such as using privacy screens, enabling password-protected - screen savers, or logging off the device?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310 - ref_id: 164.310(d) - description: 'Device and Media Controls: - - HIPAA Standard: Implement policies and procedures that govern the receipt - and removal of hardware and electronic media that contain electronic protected - health information into and out of a facility, and the movement of these items - within the facility.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node183 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d) - name: Implement Methods for the Final Disposal of ePHI - description: 'Implement policies and procedures to address the final disposition - of ePHI and/or the hardware or electronic media on which it is stored. - - - Determine and document the appropriate methods to dispose of hardware, software, - and the data itself. - - - Ensure that ePHI is properly destroyed and cannot be recreated.' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node184 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node183 - name: Sample questions - description: 'What ePHI is created, stored, processed, and transmitted by the - organization? On what media is it located? - - - Is data stored on removable, reusable media (e.g., flash drives, Secure Digital - (SD) memory cards)? - - - Are policies and procedures developed and implemented that address the disposal - of ePHI and/or the hardware and media on which ePHI is stored? - - - Is there a process for destroying data on all media? - - - What are the options for disposing of data on hardware? What are the costs? - - - Prior to disposal, have media and devices containing ePHI been sanitized in - accordance with SP 800-88?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node185 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d) - name: Implementation Specification (Required) - description: Implement policies and procedures to address the final disposition - of ePHI and/or the hardware or electronic media on which it is stored. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node186 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node185 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node187 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d) - name: Develop and Implement Procedures for the Reuse of Electronic Media - description: 'Implement procedures for the removal of ePHI from electronic media - before the media become available for reuse. - - - Ensure that ePHI previously stored on any electronic media cannot be accessed - and reused. - - - Identify removable media and their uses. 
- - - Ensure that ePHI is removed from reusable media before they are used to record - new information.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node188 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node187 - name: Sample questions - description: 'Do policies and procedures already exist regarding the reuse of - electronic media (i.e., hardware and software)? - - - Have reused media been erased to the point where previous ePHI is neither - readily available nor recoverable? - - - Is one individual and/or department responsible for coordinating the disposal - of data and the reuse of the hardware and software? - - - Are workforce members appropriately trained on the security risks to ePHI - when reusing software and hardware?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node189 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d) - name: Implementation Specification (Required) - description: Implement procedures for the removal of ePHI from electronic media - before the media become available for reuse. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node190 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node189 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node191 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d) - name: Maintain Accountability for Hardware and Electronic Media - description: 'Maintain a record of the movements of hardware and electronic - media and any person responsible for them. - - - Ensure that ePHI is not inadvertently released or shared with any unauthorized - party. - - - Ensure that an individual is responsible for and records the receipt and removal - of hardware and software with ePHI.' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node192 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node191 - name: Sample questions - description: 'Have policies and procedures been implemented that govern the - receipt and removal of hardware and electronic media that contain ePHI into - and out of a facility, and the movement of these items within the facility? - - - Has a process been implemented to maintain a record of the movements of and - persons responsible for hardware and electronic media that contain ePHI? - - - Where is data stored (i.e., what type of media)? - - - What procedures already exist to track hardware and software within the organization - (e.g., an enterprise inventory management system)? - - - If workforce members are allowed to remove electronic media that contain or - may be used to access ePHI, do procedures exist to track the media externally? - - - Who is responsible for maintaining records of hardware and software?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node193 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d) - name: Implementation Specification (Addressable) - description: Maintain a record of the movements of hardware and electronic media - and any person responsible for them. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node194 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node193 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node195 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d) - name: Develop Data Backup and Storage Procedures - description: 'Create a retrievable exact copy of ePHI, when needed, before movement - of equipment. 
- - - Ensure that an exact retrievable copy of the data is retained and protected - to maintain the integrity of ePHI during equipment relocation.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node196 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node195 - name: Sample questions - description: 'Has a process been implemented to create a retrievable, exact - copy of ePHI when needed and before the movement of equipment? - - - Are backup files maintained offsite to ensure data availability in the event - that data is lost while transporting or moving electronic media that contain - ePHI? - - - If data were to be unavailable while media are transported or moved for a - period of time, what would the business impact be?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node197 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d) - name: Implementation Specification (Addressable) - description: Create a retrievable exact copy of ePHI, when needed, before movement - of equipment. 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node198 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node197 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312 - assessable: false - depth: 1 - ref_id: '164.312' - description: "Technical Safeguards:\nDefined as the \u201Cthe technology and\ - \ the policy and procedures for its use that protect electronic protected\ - \ health information and control access to it.\u201D" - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312 - ref_id: 164.312(a) - description: "Access Control:\nHIPAA Standard: Implement technical policies\ - \ and procedures for electronic information systems that maintain electronic\ - \ protected health information to allow access only to those persons or software\ - \ programs that have been granted access rights as specified in \xA7 164.308(a)(4)." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node201 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) - name: Analyze Workloads and Operations to Identify the Access Needs of All Users - description: 'Identify an approach for access control. - - - Consider all applications and systems containing ePHI that should only be - available to authorized users, processes, and services. - - - Integrate these activities into the access granting and management process.' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node202 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node201 - name: Sample questions - description: "Have all applications and systems with ePHI been identified?\n\ - \nWhat user roles are defined for those applications and systems?\n\nIs access\ - \ to systems containing ePHI only granted to authorized processes and services?\n\ - \nWhere is the ePHI supporting those applications and systems currently housed\ - \ (e.g., stand-alone computer, network storage, database)?\n\nAre data and/or\ - \ systems being accessed remotely?\n\nHave access decisions been based on\ - \ determinations from \xA7 164.308(a)(4) Information Access Management?" - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node203 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) - name: Identify Technical Access Control Capabilities - description: "Determine the access control capabilities of all systems with\ - \ ePHI.\n\nDetermine whether network infrastructure can limit access to systems\ - \ with ePHI (e.g., network segmentation).\n\nImplement technical access controls\ - \ to limit access to ePHI to only that which has been granted in accordance\ - \ with the regulated entity\u2019s information access management policies\ - \ and procedures (see 45 CFR 164.308(a)(4))." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node204 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node203 - name: Sample questions - description: "How are the systems accessed for viewing, modifying, or creating\ - \ data?\n\nCan identified technical access controls limit access to ePHI to\ - \ only what is authorized in accordance with the regulated entity\u2019s information\ - \ access management policies and procedures (see 45 CFR 164.308(a)(4))?" 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node205 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) - name: Ensure that All System Users Have Been Assigned a Unique Identifier - description: 'Assign a unique name and/or number for identifying and tracking - user identity. - - - Ensure that system activity can be traced to a specific user. - - - Ensure that the necessary data is available in the system logs to support - audit and other related business functions.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node206 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node205 - name: Sample questions - description: 'How should the identifier be established (e.g., length and content)? - - - Should the identifier be self-selected, organizationally selected, or randomly - generated? - - - Are logs associated with access events created? - - - Are these access logs regularly reviewed? - - - Can the unique user identifier be used to track user access to ePHI?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node207 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) - name: Implementation Specification (Required) - description: Assign a unique name and/or number for identifying and tracking - user identity. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node208 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node207 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node209 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) - name: Develop Access Control Policy and Procedures - description: 'Establish a formal policy for access control that will guide the - development of procedures. 
- - - Specify requirements for access control that are both feasible and cost-effective.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node210 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node209 - name: Sample questions - description: 'Have rules of behavior been established and communicated to system - users? - - - How will rules of behavior be enforced?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node211 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) - name: Implement Access Control Procedures Using Selected Hardware and Software - description: Implement the policy and procedures using existing or additional - hardware or software solutions. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node212 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node211 - name: Sample questions - description: 'Who will manage the access control procedures? - - - Are current users trained in access control management? - - - Will user training be needed to implement access control procedures? - - - Do the medical devices in use by the organization support user authentication? - Are there processes in place to manage this authentication?' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node213 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) - name: Review and Update Access for Users and Processes - description: "Enforce the policy and procedures as a matter of ongoing operations.\n\ - \nDetermine whether any changes are needed for access control mechanisms.\n\ - \nEnsure that the modification of technical controls that affect a user\u2019\ - s access to ePHI continue to limit access to ePHI to that which has been granted\ - \ in accordance with the regulated entity\u2019s information access management\ - \ policies and procedures (see 45 CFR 164.308(a)(4)).\n\nEstablish procedures\ - \ for updating access when users require the following:" - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node214 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node213 - name: Sample questions - description: 'Have new workforce members/users been given proper instructions - for protecting data and systems? - - - What are the procedures for new employee/user access to data and systems? - - - Are there procedures for reviewing and, if appropriate, modifying access authorizations - for existing users, services, and processes? - - - Do users and processes have the appropriate set of permissions to ePHI to - which they were granted access and to the appropriate systems that create, - store, process, or transmit ePHI? - - - Has the regulated entity considered the use of automation for reviewing the - access needs of users and processes?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node215 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) - name: Establish an Emergency Access Procedure - description: 'Establish (and implement as needed) procedures for obtaining necessary - electronic protected health information during an emergency. 
- - - Identify a method for supporting continuity of operations should the normal - access procedures be disabled or unavailable due to system problems.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node216 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node215 - name: Sample questions - description: 'Are there policies and procedures in place to provide appropriate - access to ePHI in emergency situations? - - - When should the emergency access procedure be activated? - - - Who is authorized to make the decision? - - - Who has assigned roles in the process? - - - Will systems automatically default to settings and functionalities that will - enable the emergency access procedure or will the mode be activated by the - system administrator or other authorized individual?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node217 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) - name: Implementation Specification (Required) - description: Establish (and implement as needed) procedures for obtaining necessary - electronic protected health information during an emergency. 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node218 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node217 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node219 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) - name: Automatic Logoff and Encryption and Decryption - description: 'Consider whether the addressable implementation specifications - of this standard are reasonable and appropriate:' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node220 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node219 - name: Sample questions - description: "Are automatic logoff features available for any of the regulated\ - \ entity\u2019s operating systems or other major applications?\n\nIf applications\ - \ have been created or developed in-house, is it reasonable and appropriate\ - \ to modify them to feature an automatic logoff capability?\n\nWhat period\ - \ of inactivity prior to automatic logoff is reasonable and appropriate for\ - \ the regulated entity?\n\nWhat encryption capabilities are available for\ - \ the regulated entity\u2019s ePHI?\n\nIs encryption appropriate for storing\ - \ and maintaining ePHI (i.e., at rest)?\n\nBased on the risk assessment, is\ - \ encryption needed to effectively protect ePHI at rest from unauthorized\ - \ access?\n\nIs email encryption necessary for the organization to protect\ - \ ePHI?\n\nAre automated confidentiality statements needed for email leaving\ - \ the organization?" 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node221 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) - name: Implementation Specification (Automatic Logoff) - description: 'Consider whether the addressable implementation specifications - of this standard are reasonable and appropriate:' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node222 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node221 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node223 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) - name: Implementation Specification (Encryption and Decryption) - description: 'Consider whether the addressable implementation specifications - of this standard are reasonable and appropriate:' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node224 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node223 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node225 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a) - name: Terminate Access if it is No Longer Required - description: 'Ensure that access to ePHI is terminated if the access is no longer - authorized. - - - Consider implementing a user recertification process to ensure that least - privilege is enforced.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node226 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node225 - name: Sample questions - description: 'Are rules being enforced to remove access by staff members who - no longer have a need to know because they have changed assignments or have - stopped working for the organization? 
- - - Does the organization revisit user access requirements regularly to ensure - least privilege?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(b) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312 - ref_id: 164.312(b) - description: 'Audit Controls: - - HIPAA Standard: Implement hardware, software, and/or procedural mechanisms - that record and examine activity in information systems that contain or use - electronic protected health information.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node228 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(b) - name: Determine the Activities that Will Be Tracked or Audited - description: "Determine the appropriate scope of audit controls that will be\ - \ necessary in information systems that contain or use ePHI based on the regulated\ - \ entity\u2019s risk assessment and other organizational factors.\n\nDetermine\ - \ what activities need to be captured using the results of the risk assessment\ - \ and risk management processes." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node229 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node228 - name: Sample questions - description: 'Where is ePHI at risk in the organization? - - - What systems, applications, or processes make ePHI vulnerable to unauthorized - or inappropriate tampering, uses, or disclosures? - - - What activities will be audited (e.g., creating ePHI, accessing ePHI, modifying - ePHI, transmitting ePHI, and/or deleting files or records that contain ePHI)? - - - What should the audit record include (e.g., user responsible for the activity; - event type, date, or time)? - - - Are audit records generated for all systems/devices that create, store, process, - or transmit ePHI?' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node230 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(b) - name: Select the Tools that Will Be Deployed for Auditing and System Activity - Reviews - description: Evaluate existing system capabilities and determine whether any - changes or upgrades are necessary. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node231 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node230 - name: Sample questions - description: 'What tools are in place? - - - What are the most appropriate monitoring tools for the organization (e.g., - third party, freeware, or operating system-provided)? - - - Are changes/upgrades to information systems reasonable and appropriate?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node232 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(b) - name: Develop and Deploy the Information System Activity Review/Audit Policy - description: "Document and communicate to the workforce the organization\u2019\ - s decisions on audits and reviews." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node233 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node232 - name: Sample questions - description: "Who is responsible for the overall audit process and results?\n\ - \nHow often will audits take place?\n\nHow often will audit results be analyzed?\n\ - \nWhat is the organization\u2019s sanction policy for employee violations?\n\ - \nWhere will audit information reside (e.g., separate server)?" 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node234 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(b) - name: Develop Appropriate Standard Operating Procedures - description: 'Determine the types of audit trail data and monitoring procedures - that will be needed to derive exception reports. - - - Determine the frequency of audit log reviews based on the risk assessment - and risk management processes.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node235 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node234 - name: Sample questions - description: "How will exception reports or logs be reviewed?\n\nHas the organization\ - \ considered the use of automation to assist in the monitoring and review\ - \ of system activity?\n\nAre the organization\u2019s monitoring system activity\ - \ and logs reviewed frequently enough to sufficiently protect ePHI?\n\nWhere\ - \ will monitoring reports be filed and maintained?\n\nIs there a formal process\ - \ in place to address system misuse, abuse, and fraudulent activity?\n\nHow\ - \ will managers and workforce members be notified, when appropriate, regarding\ - \ suspect activity?" - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node236 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(b) - name: Implement the Audit/System Activity Review Process - description: 'Activate the necessary audit system. - - Begin logging and auditing procedures.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node237 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node236 - name: Sample questions - description: 'What mechanisms (e.g., metrics) will be implemented to assess - the effectiveness of the audit process? - - - What is the plan to revise the audit process when needed?' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312 - ref_id: 164.312(c) - description: 'Integrity: - - HIPAA Standard: Implement policies and procedures to protect electronic protected - health information from improper alteration or destruction.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node239 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c) - name: Identify All Users Who Have Been Authorized to Access ePHI - description: 'Identify all approved users with the ability to alter or destroy - ePHI, if reasonable and appropriate. - - - Address this Key Activity in conjunction with the identification of unauthorized - sources in Key Activity 2.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node240 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node239 - name: Sample questions - description: 'How are users authorized to access the information? - - - Is there a sound basis for why they need the access? - - - Have they been trained on how to use the information? - - - Is there an audit trail established for all accesses to the information?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node241 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c) - name: Identify Any Possible Unauthorized Sources that May Be Able to Intercept - the Information and Modify It - description: 'Identify scenarios that may result in modification to the ePHI - by unauthorized sources (e.g., hackers, ransomware, insider threats, business - competitors, user errors). - - - Conduct this activity as part of a risk analysis. 
- - - Consider how the organization will detect unauthorized modification to ePHI' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node242 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node241 - name: Sample questions - description: 'What are likely sources that could jeopardize information integrity? - - - What can be done to protect the integrity of the information when it is residing - in a system (at rest)? - - - What procedures and policies can be established to decrease or prevent alteration - of the information during transmission? - - - What options exist to detect the unauthorized modification of ePHI?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node243 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c) - name: Develop the Integrity Policy and Requirements - description: Establish a formal written set of integrity requirements based - on the results of the analysis completed in Key Activities 1 and 2. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node244 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node243 - name: Sample questions - description: 'Have the requirements been discussed and agreed to by identified - key personnel involved in the processes that are affected? - - - Have the requirements been documented? - - - Has a written policy been developed and communicated to personnel?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node245 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c) - name: Implement Procedures to Address These Requirements - description: 'Identify and implement methods that will be used to protect ePHI - from unauthorized modification. - - - Identify and implement tools and techniques to be developed or procured that - support the assurance of integrity.' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node246 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node245 - name: Sample questions - description: 'Are current audit, logging, and access control techniques sufficient - to address the integrity of ePHI? - - - If not, what additional techniques (e.g., quality control process, transaction - and output reconstruction) can be utilized to check the integrity of ePHI? - - - Are technical solutions in place to prevent and detect the malicious alteration - or destruction of ePHI (e.g., anti-malware, anti-ransomware, file integrity - monitoring solutions)? - - - Can the additional training of users decrease instances attributable to human - errors?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node247 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c) - name: Implement a Mechanism to Authenticate ePHI - description: 'Implement electronic mechanisms to corroborate that ePHI has not - been altered or destroyed in an unauthorized manner. - - - Consider possible mechanisms for integrity verification, such as:' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node248 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node247 - name: Sample questions - description: 'Are the uses of both electronic and non-electronic mechanisms - necessary for the protection of ePHI? - - - Are appropriate electronic authentication tools available? - - - Are available electronic authentication tools interoperable with other applications - and system components? - - - If ePHI is detected as altered by unauthorized users or improperly altered - by authorized users, is a process in place to respond? - - - Is this response process tied to organizational incident management processes?' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node249 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c) - name: Implementation Specification (Addressable) - description: Implement electronic mechanisms to corroborate that ePHI has not - been altered or destroyed in an unauthorized manner. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node250 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node249 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node251 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c) - name: Establish a Monitoring Process to Assess How the Implemented Process is - Working - description: 'Review existing processes to determine whether objectives are - being addressed. - - - Continually reassess integrity processes as technology and operational environments - change to determine whether they need to be revised.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node252 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node251 - name: Sample questions - description: 'Are there reported instances of information integrity problems? - Have they decreased since integrity procedures were implemented? - - - Does the process, as implemented, provide a higher level of assurance that - information integrity is being maintained?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(d) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312 - ref_id: 164.312(d) - description: 'Person or Entity Authentication: - - HIPAA Standard: Implement procedures to verify that a person or entity seeking - access to electronic protected health information is the one claimed.' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node254 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(d) - name: Determine Authentication Applicability to Current Systems/Applications - description: "Identify the methods available for authentication. Under the HIPAA\ - \ Security Rule, authentication is the corroboration that a person is the\ - \ one claimed (45 CFR \xA7 164.304).\n\nIdentify points of electronic access\ - \ that require or should require authentication. Ensure that the regulated\ - \ entity\u2019s risk analysis properly assesses risks for such access points\ - \ (e.g., risks of unauthorized access from within the enterprise could be\ - \ different than those of remote unauthorized access).\n\nAuthentication requires\ - \ establishing the validity of a transmission source and/or verifying an individual\u2019\ - s claim that they have been authorized for specific access privileges to information\ - \ and information systems." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node255 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node254 - name: Sample questions - description: 'What authentication methods are available? - - - What are the advantages and disadvantages of each method? - - - Can risks of unauthorized access be sufficiently reduced for each point of - electronic access with available authentication methods? - - - What will it cost to implement the available methods in the environment? - - - Are there trained staff who can maintain the system or should outsourced support - be considered? - - - Are passwords being used? If so, are they unique to the individual? - - - Is MFA being used? If so, how and where is it implemented?' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node256 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(d) - name: Evaluate Available Authentication Options - description: 'Weigh the relative advantages and disadvantages of commonly used - authentication approaches. - - - There are three commonly used authentication approaches available: - - - MFA utilizes two or more authentication approaches to enforce stronger authentication. - - - Consider implementing MFA solutions when the risk to ePHI is sufficiently - high.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node257 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node256 - name: Sample questions - description: 'What are the strengths and weaknesses of each available option? - - - Which can be best supported with assigned resources (e.g., budget/staffing)? - - - What level of authentication is appropriate for each access to ePHI based - on the assessment of risk? - - - Has the organization identified all instances of access to ePHI (including - by services, vendors, or application programming interfaces [APIs]) and considered - appropriate authentication requirements based on the risk assessment? - - - Has the organization considered MFA for access to ePHI that poses high risk - (e.g., remote access, access to privileged functions)? - - - Has the organization researched available MFA options and made a selection - based on risk to ePHI? - - - Is outside vendor support required to implement the process? - - - Are there password-less authentication options (e.g., biometric authentication) - available that can sufficiently address the risk to ePHI?' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node258 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(d) - name: Select and Implement Authentication Options - description: 'Consider the results of the analysis conducted under Key Activity - 2, and select appropriate authentication methods based on the results of the - risk assessment and risk management processes. - - - Implement the methods selected in organizational operations and activities.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node259 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node258 - name: Sample questions - description: "Has the organization\u2019s selection of authentication methods\ - \ been made based on the results of the risk assessment?\n\nIf passwords are\ - \ being used as an authentication element, are they of sufficient length and\ - \ strength to protect ePHI? Is this enforced by technical policies?\n\nHas\ - \ necessary user and support staff training been completed?\n\nHave a formal\ - \ authentication policy and procedures been established and communicated?\n\ - \nHas necessary testing been completed to ensure that the authentication system\ - \ is working as prescribed?\n\nDo the procedures include ongoing system maintenance\ - \ and updates?\n\nIs the process implemented in such a way that it does not\ - \ compromise the authentication information (e.g., password file encryption,\ - \ etc.)?" - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(e)(1) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312 - ref_id: 164.312(e)(1) - description: 'Transmission Security: - - HIPAA Standard: Implement technical security measures to guard against unauthorized - access to electronic protected health information that is being transmitted - over an electronic communications network.' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node261 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(e)(1) - name: Identify Any Possible Unauthorized Sources that May Be Able to Intercept - and/or Modify the Information - description: 'Identify all pathways by which ePHI will be transmitted into, - within, and outside of the organization. - - - Identify scenarios (e.g., telehealth, claims processing) that may result in - access to or modification of the ePHI by unauthorized sources during transmission - (e.g., hackers, disgruntled workforce members, business competitors). - - - Identify scenarios and pathways that may put ePHI at a high level of risk.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node262 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node261 - name: Sample questions - description: 'Have all pathways by which ePHI will be transmitted (e.g., file - transfers, email, web portals, mobile apps, communications with servers or - databases containing ePHI, online tracking) been identified? - - - Has a risk assessment been used to determine transmission pathways and scenarios - that may pose high risk to ePHI? - - - What measures exist to protect ePHI in transmission? - - - Have appropriate protection mechanisms been identified for all scenarios and - pathways by which ePHI is transmitted? - - - Is there an auditing process in place to verify that ePHI has been protected - against unauthorized access during transmission? - - - Are there trained staff members to monitor transmissions?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node263 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(e)(1) - name: Develop and Implement Transmission Security Policy and Procedures - description: 'Establish a formal written set of requirements for transmitting - ePHI. 
- - - Identify methods of transmission that will be used to safeguard ePHI. - - - Identify tools and techniques that will be used to support the transmission - security policy. - - - Implement procedures for transmitting ePHI using hardware and/or software, - if needed.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node264 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node263 - name: Sample questions - description: 'Have the requirements been discussed and agreed to by identified - key personnel involved in transmitting ePHI? - - - Has a written policy been developed and communicated to system users?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node265 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(e)(1) - name: Implement Integrity Controls - description: Implement security measures to ensure that electronically transmitted - ePHI is not improperly modified without detection until disposed of. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node266 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node265 - name: Sample questions - description: 'What security measures are currently used to protect ePHI during - transmission? - - - What measures are planned to protect ePHI in transmission? - - - Is there assurance that information is not altered during transmission?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node267 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(e)(1) - name: Implementation Specification (Addressable) - description: Implement security measures to ensure that electronically transmitted - ePHI is not improperly modified without detection until disposed of. 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node268 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node267 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node269 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(e)(1) - name: Implement Encryption - description: Implement a mechanism to encrypt ePHI whenever appropriate. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node270 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node269 - name: Sample questions - description: 'Is encryption reasonable and appropriate to protect ePHI in transmission? - - - Based on the risk assessment, is encryption needed to effectively protect - the information from unauthorized access during transmission? - - - Has the organization considered the use of email encryption and automated - confidentiality statements when emailing outside of the organization? - - - Is encryption feasible and cost-effective in this environment? - - - What encryption algorithms and mechanisms are available? - - - Are available encryption algorithms and mechanisms of sufficient strength - to protect electronically transmitted ePHI? - - - Is electronic transmission hardware/software configured so that the strength - of encryption used in transmitting ePHI cannot be weakened? - - - Have all applications used on devices that support the provisioning of health - services been assessed to verify that strong transmission security is implemented? - - - Does the covered entity have the appropriate staff to maintain a process for - encrypting ePHI during transmission? - - - Are workforce members skilled in the use of encryption?' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node271 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(e)(1) - name: Implementation Specification (Addressable) - description: Implement a mechanism to encrypt ePHI whenever appropriate. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node272 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node271 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314 - assessable: false - depth: 1 - ref_id: '164.314' - description: 'Organizational Requirements: - - Includes standards for business associate contracts and other arrangements - between a covered entity and a business associate and between a business associate - and a subcontractor, as well as requirements for group health plans.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314 - ref_id: 164.314(a) - description: "Business Associate Contracts or Other Arrangements:\nHIPAA Standard:\ - \ (i) The contract or other arrangement between the covered entity and its\ - \ business associate required by \xA7 164.308(b)(3) must meet the requirements\ - \ of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.\ - \ (ii) A covered entity is in compliance with paragraph (a)(1) of this section\ - \ if it has another arrangement in place that meets the requirements of \xA7\ - \ 164.504(e)(3). (iii) The requirements of paragraphs (a)(2)(i) and (a)(2)(ii)\ - \ of this section apply to the contract or other arrangement between a business\ - \ associate and a subcontractor required by \xA7 164.308(b)(4) in the same\ - \ manner as such requirements apply to contracts or other arrangements between\ - \ a covered entity and business associate." 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node275 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a) - name: Contract Must Provide that Business Associates Will Comply with the Applicable - Requirements of the Security Rule - description: 'Contracts between covered entities and business associates must - provide that business associates will implement administrative, physical, - and technical safeguards that reasonably and appropriately protect the confidentiality, - integrity, and availability of the ePHI that the business associate creates, - receives, maintains, or transmits on behalf of the covered entity. - - - Readers may find useful resources in Appendix F, including OCR BAA guidance - and templates that include applicable language.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node276 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node275 - name: Sample questions - description: Does the written agreement between the covered entity and the business - associate address the applicable functions related to creating, receiving, - maintaining, and transmitting ePHI that the business associate is to perform - on behalf of the covered entity? - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node277 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a) - name: Implementation Specification (Required) - description: Contracts between covered entities and business associates must - provide that business associates will implement administrative, physical, - and technical safeguards that reasonably and appropriately protect the confidentiality, - integrity, and availability of the ePHI that the business associate creates, - receives, maintains, or transmits on behalf of the covered entity. 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node278 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node277 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node279 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a) - name: Contract Must Provide that the Business Associates Enter into Contracts - with Subcontractors to Ensure the Protection of ePHI - description: "In accordance with \xA7 164.308(b)(2), ensure that any subcontractors\ - \ that create, receive, maintain, or transmit ePHI on behalf of the business\ - \ associate agree to comply with the applicable requirements of this subpart\ - \ by entering into a contract or other arrangement that complies with this\ - \ section." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node280 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node279 - name: Sample questions - description: "Has the business associate identified all of its subcontractors\ - \ that will create, receive, maintain, or transmit ePHI?\n\nHas the business\ - \ associate ensured that contracts in accordance with \xA7 164.314 are in\ - \ place with its subcontractors identified in the previous question?" - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node281 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a) - name: Implementation Specification (Required) - description: "In accordance with \xA7 164.308(b)(2), ensure that any subcontractors\ - \ that create, receive, maintain, or transmit ePHI on behalf of the business\ - \ associate agree to comply with the applicable requirements of this subpart\ - \ by entering into a contract or other arrangement that complies with this\ - \ section." 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node282 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node281 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node283 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a) - name: Contract Must Provide that Business Associates will Report Security Incidents - description: "Report to the covered entity any security incident of which it\ - \ becomes aware, including breaches of unsecured PHI as required by \xA7 164.410.\n\ - \nMaintain clear lines of communication between covered entities and business\ - \ associates regarding the protection of ePHI as per the BAA or contract.\n\ - \nEstablish a reporting mechanism and a process for the business associate\ - \ to use in the event of a security incident or breach." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node284 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node283 - name: Sample questions - description: 'Is there a procedure in place for reporting security incidents, - including breaches of unsecured PHI by business associates? - - - Have key business associate staff been identified as points of contact in - the event of a security incident or breach? - - - Does the contract include clear time frames and responsibilities regarding - the investigation and reporting of security incidents and breaches?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node285 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a) - name: Implementation Specification (Required) - description: "Report to the covered entity any security incident of which it\ - \ becomes aware, including breaches of unsecured PHI as required by \xA7 164.410." 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node286 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node285 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node287 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a) - name: Other Arrangements - description: "The covered entity complies with paragraph (a)(1) of this section\ - \ if it has another arrangement in place that meets the requirements of \xA7\ - \ 164.504(e)(3)." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node288 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node287 - name: Sample questions - description: 'Has the covered entity made a good faith attempt to obtain satisfactory - assurances that the security standards required by this section are met? - - - Are attempts to obtain satisfactory assurances and the reasons that assurances - cannot be obtained documented?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node289 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a) - name: Implementation Specification (Required) - description: "The covered entity complies with paragraph (a)(1) of this section\ - \ if it has another arrangement in place that meets the requirements of \xA7\ - \ 164.504(e)(3)." 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node290 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node289 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node291 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a) - name: Business Associate Contracts with Subcontractors - description: The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this - section apply to the contract or other arrangement between a business associate - and a subcontractor in the same manner as such requirements apply to contracts - or other arrangements between a covered entity and business associate. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node292 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node291 - name: Sample questions - description: Do business associate contracts or other arrangements between the - business associate and its subcontractors include appropriate language to - comply with paragraphs (a)(2)(i) and (a)(2)(ii) of this section? - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node293 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a) - name: Implementation Specification (Required) - description: The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this - section apply to the contract or other arrangement between a business associate - and a subcontractor in the same manner as such requirements apply to contracts - or other arrangements between a covered entity and business associate. 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node294 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node293 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314 - ref_id: 164.314(b) - description: "Requirements for Group Health Plans:\nHIPAA Standard: Except when\ - \ the only electronic protected health information disclosed to a plan sponsor\ - \ is disclosed pursuant to \xA7 164.504(f)(1)(ii) or (iii), or as authorized\ - \ under \xA7 164.508, a group health plan must ensure that its plan documents\ - \ provide that the plan sponsor will reasonably and appropriately safeguard\ - \ electronic protected health information created, received, maintained, or\ - \ transmitted to or by the plan sponsor on behalf of the group health plan." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node296 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b) - name: "Amend Plan Documents of the Group Health Plan to Address the Plan Sponsor\u2019\ - s Security of ePHI" - description: Amend the plan documents to incorporate provisions to require the - plan sponsor to implement administrative, technical, and physical safeguards - that will reasonably and appropriately protect the confidentiality, integrity, - and availability of ePHI that it creates, receives, maintains, or transmits - on behalf of the group health plan. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node297 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node296 - name: Sample questions - description: 'Does the plan sponsor fall under the exception described in the - standard? - - - Do the plan documents require the plan sponsor to reasonably and appropriately - safeguard ePHI?' 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node298 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b) - name: Implementation Specification (Required) - description: Amend the plan documents to incorporate provisions to require the - plan sponsor to implement administrative, technical, and physical safeguards - that will reasonably and appropriately protect the confidentiality, integrity, - and availability of ePHI that it creates, receives, maintains, or transmits - on behalf of the group health plan. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node299 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node298 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node300 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b) - name: Amend Plan Documents of the Group Health Plan to Address Adequate Separation - description: "Amend the plan documents to incorporate provisions to require\ - \ the plan sponsor to ensure that the adequate separation between the group\ - \ health plan and plan sponsor required by \xA7164.504(f)(2)(iii) is supported\ - \ by reasonable and appropriate security measures." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node301 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node300 - name: Sample questions - description: "Do plan documents address the obligation to keep ePHI secure with\ - \ respect to the plan sponsor\u2019s workforce members, classes of workforce\ - \ members, or other persons who will be given access to ePHI?" 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node302 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b) - name: Implementation Specification (Required) - description: "Amend the plan documents to incorporate provisions to require\ - \ the plan sponsor to ensure that the adequate separation between the group\ - \ health plan and plan sponsor required by \xA7164.504(f)(2)(iii) is supported\ - \ by reasonable and appropriate security measures." - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node303 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node302 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node304 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b) - name: "Amend Plan Documents of the Group Health Plan to Address the Security\ - \ of ePHI Supplied to the Plan Sponsors\u2019 Agents and Subcontractors" - description: Amend plan documents to incorporate provisions to require the plan - sponsor to report any security incident of which it becomes aware to the group - health plan. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node305 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node304 - name: Sample questions - description: Do the plan documents of the group health plan address the issue - of subcontractors and other agents of the plan sponsor implementing reasonable - and appropriate security measures? 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node306 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b) - name: Implementation Specification (Required) - description: Amend plan documents to incorporate provisions to require the plan - sponsor to ensure that any agent to whom it provides ePHI agrees to implement - reasonable and appropriate security measures to protect the ePHI. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node307 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node306 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node308 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b) - name: Amend Plan Documents of Group Health Plans to Address the Reporting of - Security Incidents - description: 'Amend plan documents to incorporate provisions to require the - plan sponsor to report any security incident of which it becomes aware to - the group health plan. - - - Establish a specific policy for security incident reporting. - - - Establish a reporting mechanism and a process for the plan sponsor to use - in the event of a security incident.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node309 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node308 - name: Sample questions - description: 'Is there a procedure in place for security incident reporting? - - - Are procedures in place for responding to security incidents?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node310 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b) - name: Implementation Specification (Required) - description: Amend plan documents to incorporate provisions to require the plan - sponsor to report any security incident of which it becomes aware to the group - health plan. 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node311 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node310 - name: Sample questions - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316 - assessable: false - depth: 1 - ref_id: '164.316' - description: 'Policies and Procedures and Documentation Requirements: - - Requires the implementation of reasonable and appropriate policies and procedures - to comply with the standards, implementation specifications, and other requirements - of the Security Rule; the maintenance of written (may be electronic) documentation - and/or records that include the policies, procedures, actions, activities, - or assessments required by the Security Rule; and retention, availability, - and update requirements related to the documentation.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(a) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316 - ref_id: 164.316(a) - description: "Policies and Procedures:\nHIPAA Standard: Implement reasonable\ - \ and appropriate policies and procedures to comply with the standards, implementation\ - \ specifications, or other requirements of this subpart, taking into account\ - \ those factors specified in \xA7 164.306(b)(2)(i), (ii), (iii), and (iv).\ - \ This standard is not to be construed to permit or excuse an action that\ - \ violates any other standard, implementation specification, or other requirements\ - \ of this subpart. A covered entity or business associate may change its policies\ - \ and procedures at any time, provided that the changes are documented and\ - \ are implemented in accordance with this subpart." 
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node314 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(a) - name: Create and Deploy Policies and Procedures - description: 'Implement reasonable and appropriate policies and procedures to - comply with the standards, implementation specifications, and other requirements - of the HIPAA Security Rule. - - - Consider the importance of documenting processes and procedures for demonstrating - the adequate implementation of recognized security practices. - - - Periodically evaluate written policies and procedures to verify that:' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node315 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node314 - name: Sample questions - description: 'Are reasonable and appropriate policies and procedures to comply - with each of the standards, applicable implementation specifications, and - other requirements of the HIPAA Security Rule in place? - - - Are policies and procedures reasonable and appropriate given:' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node316 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(a) - name: Update the Documentation of the Policy and Procedures - description: Change policies and procedures as is reasonable and appropriate - at any time, provided that the changes are documented and implemented in accordance - with the requirements of the HIPAA Security Rule. - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node317 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node316 - name: Sample questions - description: 'Is a process in place for periodically reevaluating the policies - and procedures and updating them as necessary? 
- - - Should HIPAA documentation be updated in response to periodic evaluations, - following security incidents, and/or after acquisitions of new technology - or new procedures? - - - As policies and procedures are changed, are new versions made available and - are workforce members appropriately trained?' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b) - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316 - ref_id: 164.316(b) - description: 'Documentation: - - HIPAA Standard: (i) Maintain the policies and procedures implemented to comply - with this subpart in written (which may be electronic) form; and (ii) if an - action, activity or assessment is required by this subpart to be documented, - maintain a written (which may be electronic) record of the action, activity, - or assessment.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node319 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b) - name: Draft, Maintain, and Update Required Documentation - description: 'Document decisions concerning the management, operational, and - technical controls selected to mitigate identified risks. - - - Written documentation may be incorporated into existing manuals, policies, - and other documents or be created specifically for the purpose of demonstrating - compliance with the HIPAA Security Rule. - - - Consider the importance of documenting the processes and procedures for demonstrating - the adequate implementation of recognized security practices. - - - Use feedback from risk assessments and contingency plan tests to help determine - when to update documentation.' - - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node320 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node319 - name: Sample questions - description: 'Are all required policies and procedures documented? 
-
-
- Should HIPAA Security Rule documentation be maintained by the individual responsible
- for HIPAA Security Rule implementation?
-
-
- Should HIPAA Security Rule documentation be updated in response to periodic
- evaluations, following security incidents, and/or after acquisitions of new
- technology or new procedures?
-
-
- Have dates of creation and validity periods been included in all documentation?
-
-
- Has appropriate management reviewed and approved all documentation?
-
-
- Are actions, activities, and assessments required by the Security Rule documented
- as appropriate?'
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node321
- assessable: true
- depth: 3
- parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
- name: Retain Documentation for at Least Six Years
- description: Retain documentation required by paragraph (b)(1) of this section
- for six years from the date of its creation or the date when it last was in
- effect, whichever is later.
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node322
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node321
- name: Sample questions
- description: "Have documentation retention requirements under HIPAA been aligned\
- \ with the organization\u2019s other data retention policies?"
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node323
- assessable: true
- depth: 3
- parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
- name: Implementation Specification (Required)
- description: Retain documentation required by paragraph (b)(1) of this section
- for six years from the date of its creation or the date when it last was in
- effect, whichever is later.
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node324
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node323
- name: Sample questions
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node325
- assessable: true
- depth: 3
- parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
- name: Ensure that Documentation is Available to Those Responsible for Implementation
- description: Make documentation available to those persons responsible for implementing
- the procedures to which the documentation pertains.
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node326
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node325
- name: Sample questions
- description: 'Is the location of the documentation known to all staff who need
- to access it?
-
-
- Is availability of the documentation made known as part of education, training,
- and awareness activities?'
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node327
- assessable: true
- depth: 3
- parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
- name: Implementation Specification (Required)
- description: Make documentation available to those persons responsible for implementing
- the procedures to which the documentation pertains.
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node328
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node327
- name: Sample questions
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node329
- assessable: true
- depth: 3
- parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
- name: Update Documentation as Required
- description: Review documentation periodically and update as needed in response
- to environmental or operational changes that affect the security of the ePHI.
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node330
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node329
- name: Sample questions
- description: 'Is there a version control procedure that allows for the verification
- of the timeliness of policies and procedures, if reasonable and appropriate?
-
-
- Is there a process for soliciting input on updates of policies and procedures
- from staff, if reasonable and appropriate?
-
-
- Are policies and procedures updated in response to environmental or operational
- changes that affect the security of ePHI?
-
-
- When were the policies and procedures last updated or reviewed?'
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node331
- assessable: true
- depth: 3
- parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
- name: Implementation Specification (Required)
- description: Review documentation periodically and update as needed in response
- to environmental or operational changes that affect the security of the ePHI.
- - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node332
- assessable: false
- depth: 4
- parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node331
- name: Sample questions