Subject: Fw: HIPAA Risk Assessment Results; Medtronic project

From: Michael Via/Fairfax/IBM


To: Claudia Corino/San Jose/IBM@IBMUS
Cc: Deepak S Nagpal/India/IBM@IBMIN, Swati Jain8/India/IBM@IBMIN
Date: 09/08/2016 11:16 AM
Subject: HIPAA Risk Assessment Results; Medtronic project

Hi Claudia,

As you know, the Medtronic project has been undergoing a HIPAA risk assessment to identify the applicable HIPAA security controls that still need to be implemented on the project. The assessment is now complete and the results are in. The results are presented in four categories: applicable controls, controls not applicable, controls implemented, and non-implemented controls. Importantly, there are 19 non-implemented controls that we must close within a 90-day Mitigation Period commencing yesterday. These non-implemented controls (a.k.a. gaps) are the ones that remain after a limited subset of HIPAA controls were initially implemented a few years ago as part of the project's DS&P Delivery Risk Assessment (DRA). The DRA attempts to achieve a limited level of HIPAA compliance early on, with full compliance expected once the IBM HIPAA Program Office fully engages the project later on.

The DS&P team will be driving this mostly 'behind the scenes' effort, though there may be some Executive approvals and team-wide directives required. There is significant re-use of existing DS&P security artifacts, so we are not starting from scratch; but, importantly, these controls apply to the entire project (all work numbers, systems, and personnel) and not just to those systems and personnel exposed to ePHI (e.g., Siebel, Oracle, etc.). We were hoping that a HIPAA "exception" could be granted for the rest of the team; however, project-wide implementation is required as a result of the client not providing identification of the locations of ePHI. Should the client respond in the coming days with those locations, then I recommend that we contact the HPO again and request a reduced scope. In fact, now would be a good time to check back with MDT's Mat Sturgill on whether he has any updates, if you think they might be agreeable. Otherwise, we'll get started closing the gaps, and I'll brief our progress at least monthly during the DS&P Management Reviews, or more frequently if desired. Please let me know if you have any questions. Thank you.
Medtronic Mitigation Spreadsheet.xlsx

Regards,

Mike

Michael Via, PMP®, CISSP, ITILv3
Senior Managing Consultant
DS&P SE/HIPAA Focal
Cyber & Biometric Services/Applications Development and Innovation
IBM Global Business Services | Public Sector (Federal)

Mobile: 1-703-401-9010
E-mail: mvia@us.ibm.com

2300 Dulles Station Boulevard
Herndon, VA 20171
United States
