1 Adopt - Assess
1. This spreadsheet has two worksheets. Use the Analysis worksheet to record your information. To annotate who compiled the information and
the date compiled, use the Page Setup feature in File to record this information in the document's footer. This tool should be completed by IT
staff and reviewed by the HIT steering committee or other organizational unit responsible for oversight of security compliance.
2. Applications. List all information systems applications present, and add, delete or update entries as applications are acquired or retired.
3. Application Criticality. Assess and record the application criticality for each application:
Mission Critical = your organization cannot survive without this application
Critical = this application is very important to your organization and would be difficult to manage without
Important = this application is necessary for key functions, but there are alternatives to achieve the functionality without the application
Deferrable = the application is useful but the organization could operate for some period of time without it
Unknown = the application's criticality to this organization needs to be determined
4. Store/Transmit PHI? Identify whether or not the application Stores and/or Transmits Protected Health Information (PHI), according to the
definition in HIPAA.
5. Data Sensitivity. Assess and record the application's data sensitivity:
Unrestricted = anyone can have access to the data processed by this application
Restricted = there are specific policies around who may have access to the data processed by this application. (For example, only a
physician who is treating a specific patient should have access to this data.)
Need to know = there are special sensitivities that would require extra security precautions. (For example, this application includes a
patient's real name for insurance purposes, even though a pseudonym has been given to the patient who is a VIP for all other applications.)
6. Unique User ID. Determine whether the application requires unique user identification for access. Distinguish between whether the control
is available in the application and whether it is actually used.
7. Access Control. Identify the type of access controls used in the application:
None
Role-based = access is driven by the role the individual has been authorized to perform in your organization. (For example, Paul Smith is a
physician and has access to all data in the application.)
Date Completed:
Completed by: