Specifications include, but are not limited to:

3. Risk analysis solution/methodology must address all of the elements outlined in the HHS/OCR guidance on the risk analysis requirement under the HIPAA Security Rule.

4. Risk analysis solution/methodology must meet the requirements of the OCR audit protocol on risk analysis.

5. Risk analysis solution/methodology must calculate a risk rating for each risk to enable prioritization for risk remediation decisions, and must readily and visibly highlight security and control deficiencies and risk ratings by media and information assets.

6. Risk analysis solution/methodology must ensure that all relevant threat sources and agents that may exploit vulnerabilities are considered for each asset/media type, as required by NIST.

7. The HIPAA Risk Analysis must be conducted in accordance with the National Institute of Standards and Technology (NIST) and the International Standards Organization (ISO).

Proposer shall perform the following:

a. Penetration testing - internal/external networks
b. Vulnerability assessment
c. Physical assessment of technical infrastructure at all locations
d. A systematic and thorough identification and evaluation of UConn Health's information assets (data, information systems, and information processing facilities) which create, receive, maintain, or transmit ePHI
e. Identification of the potential risks to those identified information assets (to include potential costs of privacy or security breaches and other information security threats), and the risks associated with how the data is collected, used, managed, stored, maintained, disclosed, and disposed of
f. Evaluation of existing privacy and security measures and the effectiveness of those measures
g. Identification of potential gaps or deficiencies in the maintenance, protection, and utilization of the information assets

Assessment to include:

h. Internal/external networks (including penetration tests)
i. Internet/intranet vulnerability test
j. Internet, Extranet and Intranet applications
k. Wireless networks, including, but not limited to, secure and guest Wi-Fi access points
l. Servers and data storage
m. Workstations and peripheral endpoints
n. Firewall diagnostics
o. Virtual Private Network and remote access infrastructure
p. Mobile devices
q. Denial of service tests
r. Social engineering tests
s. Security architecture and configuration review
t. Other items identified by the Proposer as recommended or necessary for a Risk Analysis