
Page 1

8/16/2013

©Clearwater Compliance LLC | All Rights Reserved | 1


Copyright Notice


Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

For reprint permission and information, please direct your inquiry to [email protected]


Legal Disclaimer


Legal Disclaimer. While all information in this document and its presentation in a webinar is believed to be correct at the time of writing, this document and this webinar are for educational purposes only and do not purport to provide legal advice. If you require legal advice, you should consult with an attorney. The information provided here is for reference use only and does not constitute the rendering of legal, financial, or other professional advice or recommendations by Clearwater Compliance LLC. The listing of an organization does not imply any sort of endorsement and Clearwater Compliance LLC takes no responsibility for the publications of third parties.

The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

This document is for Education and Awareness Use Only.


The Critical Difference - HIPAA Security Compliance Evaluation vs. HIPAA Security Risk Analysis

August 16, 2013


Bob Chaput, MA, CISSP, CIPP/US, CHP, CHSS, MCSE
615-656-4299 or 800-704-3394
[email protected]
Clearwater Compliance LLC


About HIPAA-HITECH Compliance

1. We are not attorneys!

2. The Omnibus has arrived!

3. Lots of different interpretations!

So there!


Bob Chaput MA, CISSP, CIPP/US, CHP, CHSS


• President – Clearwater Compliance LLC
• 30+ years in Business, Operations and Technology
• 20+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Numerous Technical Certifications (MCSE, MCSA, etc.)
• Expertise and Focus: Healthcare, Financial Services, Retail, Legal

• Member: IAPP, ISC2, HIMSS, ISSA, HCCA, HCAA, CAHP, ACHE, AHIMA, NTC, ACP, SIM, Chambers, Boards

http://www.linkedin.com/in/BobChaput


Stages of Behavior Change [1]

Stages (figure): Pre-Contemplation, Contemplation, Preparation, Action, Maintenance. Figure labels: IGNORANCE, DENIAL.

Where is your organization on its HIPAA-HITECH compliance journey?

[1] Prochaska and DiClemente

The Transtheoretical Model (TTM) of Behavior Change assesses an individual's readiness to act on a new healthier behavior, and provides strategies, or processes of change to guide the individual through the stages of change to Action and Maintenance.


Poll #1 – Where is your organization on its HIPAA-HITECH compliance journey?


Poll #2 – What type of organization?


Our Passion


We’re excited about what we do because…

…we’re helping organizations safeguard the very personal and private healthcare information of millions of fellow Americans…

… And, keeping those same organizations off the Wall of Shame…!


Clearwater Executive Brief http://clearwatercompliance.com/about/our-firm-hipaa-compliance/

Here’s What We Do For a Living…

• Since 2010
• 350+ Customers
• Compliance Assessments | Risk Analyses | Technical Testing | Policies & Procedures | Training | Remediation | Executive Coaching | BootCamps
• ~16 Audits & Investigations currently
• >100 Audits in past
• Raving Fan customers!
• SaaS Platforms for Operationalizing Your Compliance Programs


Mega Session Objective

Help You Understand and Address Two Very Specific AND Different HIPAA-Security Assessment Requirements…


Both are Required!


Bottom Line Up Front: Security Evaluation vs. Risk Analysis


What’s similar:
• Both required by HIPAA Security Final Rule
• Both have been required since April 2005
• Both need “periodic” updates
• Both are somewhat complex
• Both help determine gaps
• Both robustly audited in OCR Audit Protocol
• Both are important and necessary
• Both help you become compliant with the HIPAA Security Rule

What’s Different:
• One is compliance-focused; one is exposure-focused
• One is an overall compliance assessment; one is a risk assessment
• One is Forest-level; one is Trees/Weeds-level
• One is “named” in Meaningful Use Stage I Objectives
• One has specific ‘Final Guidance’ from OCR on how to perform

NO CHANGES TO THESE ASSESSMENTS!


Other Helpful Resources

• HIPAA Audit Tips – Don’t Confuse HIPAA Security Evaluation and Risk Analysis (Blog Post)

Recorded Webinars at http://abouthipaa.com/webinars/on-demand-webinars/

• How To Conduct a Bona Fide HIPAA Security Risk Analysis

• How to Conduct the Periodic Security Evaluation Required by HIPAA Security Rule

• What Business Associates Need to Know about HIPAA


Session Objectives

1. Understand Compliance Assessment Essentials
2. Review specific HIPAA Security Assessment Regulations
3. Learn how to Assess Your Compliance


Three Pillars of HIPAA-HITECH Compliance…


Pillars (figure): Privacy | Security | Breach Notification, under HIPAA and HITECH

• Privacy Final Rule: 75 pages / 27K words, 56 Standards, ~54 “dense” Implementation Specs
• Security Final Rule: 18 pages / 4.5K words, 22 Standards, ~50 Implementation Specs
• Breach Notification IFR: 6 pages / 2K words, 4 Standards, 9 Implementation Specs

OMNIBUS FINAL RULE


Top 8 Reasons Executives Need HIPAA-HITECH Assessments: Omnibus Arrived!

1. Significant Breach Notification Rule changes: more incidents likely reportable; need to update Policies & Procedures (PnPs) and develop a “compromise assessment” process
2. Many Privacy & Security Rule changes: significant updates needed to PnPs
3. BAs (now including their subcontractors) are directly liable; Covered Entities are liable for the acts of their BAs that are “agents”, requiring greater monitoring by the CE; BA Agreements must be modified with focus on indemnification and the federal common law of agency
4. HIPAA enforcement dramatically moving to penalty-based: required HHS investigations and maximum penalties in certain situations; penalties put more emphasis on progress of compliance programs
5. Expanded patients’ rights: requests for eCopies of any PHI stored electronically (and fewer days to respond to requests); certain requests for restrictions must now be honored and documentation maintained; more flexibility regarding requests for decedents’ health information
6. New marketing rules around authorization for subsidized treatment communications: PnPs and forms need to be updated
7. Totality of HIPAA changes: all Notices of Privacy Practices must be revised
8. Compliance with new requirements is required without delay: lots of work to complete by September 23, 2013

NO CHANGES TO SECURITY ASSESSMENTS!


Assessments and Audits Are Central to Compliance

• Establishing good policy and procedures is not enough…

• Comprehensive business processes are not enough…

• Deploying leading technology solutions and systems controls is not enough…


Regular assessments are crucial in establishing and maintaining effective compliance


Systematic, Sustainable Programmatic Approach:

Reenergize and operationalize your HIPAA-HITECH Compliance Program

Think Program, Not Project!

Start: Oversight

Year 1: Inventory PHI & ePHI; Inventory BAs; Assessments; Remediation Plans; Policies & Procedures; Business Associate Management; Training

Year 2 and beyond (Ongoing Support and Guidance): Re-Inventory PHI & ePHI; Re-Inventory BAs; Re-Assessments; Remediation Plans; Policies & Procedures Review; Business Associate Management; Training Update

How to Do It Right


Types of Assessments

1. Compliance Assessments (Security Evaluation, at 45 CFR §164.308(a)(8))
   – Where do we stand?
   – How well are we achieving ongoing compliance?
2. Risk Assessment (Risk Analysis, at 45 CFR §164.308(a)(1)(ii)(A))
   – What is the exposure to information assets (e.g., PHI)?
   – What do we need to do to mitigate risks?
3. Risk-of-Harm Compromise Assessment (Breach-related, in HITECH parlance)
   – Have we caused legal, reputational, etc. harm?
   – Is there a low probability of compromise of PHI?
   – What notifications are required?

Each Assessment Has Its Role and Proper Time


7 Actions to Take Now

Demonstrate Good Faith Effort!

1. Set Privacy and Security Risk Management & Governance Program in place (45 CFR § 164.308(a)(1))
2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530 and 45 CFR §164.316)
3. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
4. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8))
5. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)
6. Implement a Strong, Proactive Business Associate / Subcontractor Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))
7. Document and act upon a remediation plan


Session Objectives

1. Understand Compliance Assessment Essentials
2. Review specific HIPAA Security Assessment Regulations
3. Learn how to Assess Your Compliance

Security Evaluation v. Risk Analysis

45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

NOT SUFFICIENT TO CALL THE ‘GEEK SQUAD’ TO RUN A VULNERABILITY SCAN OR PENETRATION TEST…


Three Dimensions of HIPAA Security Business Risk Management

1. Compliance: 45 CFR 164.308(a)(8)
2. Security: 45 CFR 164.308(a)(1)(ii)(A)
3. Test & Audit: 45 CFR 164.308(a)(8) & OCR Audit Program Protocol

OCR Audit Protocol [1]: 45 CFR 164.308(a)(8) Evaluation

OCR Audit Key Activities
1. Determine Whether Internal or External Evaluation Is Most Appropriate.
2. Develop Standards and Measurements for Reviewing All Standards and Implementation Specifications of the Security Rule.
3. Conduct Evaluation.
4. Document Results.
5. Repeat Evaluations Periodically.

[1] http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html


OCR Audit Protocol [1]: 45 CFR 164.308(a)(1)(ii)(A) Risk Analysis

OCR Audit Key Procedures
1. Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
2. Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI.
3. Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity's environment.
4. Determine if the covered entity risk assessment has been conducted on a periodic basis.
5. Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.

[1] http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

Session Objectives

1. Understand Compliance Assessment Essentials
2. Review specific HIPAA Security Assessment Regulations
3. Learn how to Assess Your Compliance

3 Dimensions of HIPAA Security Evaluation

1. Is it documented? • Policies, Procedures and Documentation
2. Are you doing it? • Using, Applying, Practicing, Enforcing
3. Is it Reasonable and Appropriate? • Comply with the implementation specification

Clearwater HIPAA Security Assessment™


Educate | Assess | Plan Remediate | Document


Why this Tool?

1. Serves as Assessment Wizard and Advisory Guide
2. Auto-creates Remediation Plan and Provides Management Tool
3. Dynamically Updates Executive Dashboard
4. Establishes Baseline Score for Progress Monitoring
5. Serves as “Living Compliance Manual”
6. Creates “Single Source of the Truth” and Document Repository
7. Establishes Step 1 in Roadmap to Compliance

https://www.hipaasecurityassessment.com

Poll #3 Security Evaluation?


CMS Meaningful Use Attestation Audits


Will CMS conduct audits? [1]

“Any provider attesting to receive an EHR incentive payment for either the Medicare EHR Incentive Program or the Medicaid EHR Incentive Program potentially may be subject to an audit.”

“…If you attest prior to actually meeting the meaningful use security requirement (HIPAA Security Risk Analysis), you could increase your business liability for federal law violations and making a false claim.”

[1] https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Attestation.html#10

Risk Analysis and Risk Management

1. What is our exposure of our information assets (e.g., ePHI)?
2. What do we need to do to treat or manage risks?

Both Are Required in MU and HIPAA


Thinking Like a Risk Analyst

Security Risk exists when… a Threat (Actor) CAN EXPLOIT a Vulnerability (Weakness) AND CAUSE an Impact (Cost) …in protecting an asset….

Risk Analysis is the identification and rank-ordering of risks through the assessment of Controls in place to detect and block the threat, to detect and fix a vulnerability, or to respond to incidents (impacts) when all else fails.

Controls Help Address Vulnerabilities


Information Asset: Laptop with ePHI
Threat Source: Burglar who may steal Laptop with ePHI
Threat Action: Steal Laptop
Vulnerabilities: Device is portable; Weak password; ePHI is not encrypted; ePHI is not backed up
Controls: Policies & Procedures; Training & Awareness; Cable lock down; Strong passwords; Encryption; Remote wipe; Data Backup


What A Risk Analysis Is Not

• A network vulnerability scan

• A penetration test

• A configuration audit

• A network diagram review

• A questionnaire

• Information system activity review


ALL IMPORTANT BUT NOT A RISK ANALYSIS


What A Risk Analysis Is…


A Risk Analysis IS the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, …, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place [1].

[1] NIST SP800-30


Regardless of the risk analysis methodology employed… (from HHS/OCR Final Guidance)

1. Scope of the Analysis: all ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a).)
2. Data Collection: the data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)
3. Identify and Document Potential Threats and Vulnerabilities: organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
4. Assess Current Security Measures: organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
5. Determine the Likelihood of Threat Occurrence: the Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
6. Determine the Potential Impact of Threat Occurrence: the Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
7. Determine the Level of Risk: the level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
8. Finalize Documentation: the Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).)
9. Periodic Review and Updates to the Risk Assessment: the risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)
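As an added worked example (not part of the original deck, and not Clearwater's software or its "Risk Algorithm"), here is a small Python risk register that walks the nine OCR steps above and the Threat / Vulnerability / Impact model and laptop example from the "Thinking Like a Risk Analyst" and "Controls Help Address Vulnerabilities" slides: inventory assets holding ePHI, pair each with a threat and a vulnerability, credit the controls in place, rate likelihood and impact, derive a risk level, rank-order the results and list the missing controls that feed the remediation plan. The 1-to-5 scales, the control-to-vulnerability mapping, the one-notch-per-control rule, the High/Medium/Low bands and the sample inventory are all constructed assumptions; the guidance requires the steps and the documentation, not any particular scale.

```python
"""Toy HIPAA risk register: the OCR risk-analysis steps as code.

Added illustration, not Clearwater's software or "Risk Algorithm". The 1-5
scales, the control-to-vulnerability mapping, the "one notch per control"
rule and the sample inventory below are all constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Step 4 (assess current security measures): which vulnerability each control
# addresses. Assumed mapping, seeded from the laptop example on the slide.
CONTROL_MITIGATES: Dict[str, str] = {
    "cable lock": "device is portable",
    "strong password": "weak password",
    "full-disk encryption": "ePHI is not encrypted",
    "remote wipe": "ePHI is not encrypted",
    "data backup": "ePHI is not backed up",
}


@dataclass
class Scenario:
    """One threat/vulnerability pair against one asset holding ePHI."""
    asset: str                  # Step 1: asset that creates/stores/transmits ePHI
    threat: str                 # Step 3: threat source and action
    vulnerability: str          # Step 3: weakness the threat can exploit
    likelihood: int             # Step 5: 1 (rare) .. 5 (expected), before controls
    impact: int                 # Step 6: 1 (negligible) .. 5 (severe) to C/I/A
    controls: List[str] = field(default_factory=list)  # Step 4: controls in place

    def residual_likelihood(self) -> int:
        """Each in-place control that addresses this vulnerability lowers the
        likelihood one notch, floor 1 (assumed rule for the example)."""
        effective = sum(1 for c in self.controls
                        if CONTROL_MITIGATES.get(c) == self.vulnerability)
        return max(1, self.likelihood - effective)

    def risk_score(self) -> int:
        """Step 7: level of risk as residual likelihood x impact (1..25)."""
        return self.residual_likelihood() * self.impact

    def risk_level(self) -> str:
        """Bands are an assumption; the guidance leaves the scale to the entity."""
        score = self.risk_score()
        return "High" if score >= 15 else "Medium" if score >= 8 else "Low"

    def missing_controls(self) -> List[str]:
        """Controls that would address this vulnerability but are not in place;
        this is what feeds a remediation plan."""
        return sorted(c for c, v in CONTROL_MITIGATES.items()
                      if v == self.vulnerability and c not in self.controls)


def rank_risks(register: List[Scenario]) -> List[Scenario]:
    """Rank-order: highest score first, then higher impact, then asset name."""
    return sorted(register, key=lambda s: (-s.risk_score(), -s.impact, s.asset))


def summarize(register: List[Scenario]) -> List[str]:
    """Step 8 (documentation): one line per scenario, in ranked order."""
    lines = []
    for s in rank_risks(register):
        gaps = ", ".join(s.missing_controls()) or "none"
        lines.append(f"{s.risk_level():6} {s.risk_score():2}  {s.asset} | "
                     f"{s.threat} | {s.vulnerability} | missing: {gaps}")
    return lines


# Constructed sample inventory (not real data, not from the slides).
SAMPLE_REGISTER = [
    Scenario("clinic laptop", "burglar steals laptop", "ePHI is not encrypted",
             likelihood=4, impact=5, controls=["strong password"]),
    Scenario("clinic laptop", "burglar steals laptop", "device is portable",
             likelihood=4, impact=5, controls=["cable lock"]),
    Scenario("EHR database server", "ransomware encrypts data", "ePHI is not backed up",
             likelihood=3, impact=5, controls=["data backup"]),
    Scenario("billing workstation", "former employee logs in", "weak password",
             likelihood=3, impact=3),
]

if __name__ == "__main__":
    for line in summarize(SAMPLE_REGISTER):
        print(line)
```

Running the file prints the ranked register. The point the deck makes about scans shows up in the data model: a vulnerability scan can help fill the `vulnerability` column for networked systems, but the asset inventory, the threat pairing, the likelihood and impact ratings, the control assessment and the documentation are the risk analysis itself, and a scan supplies none of them. Step 9 (periodic review) is the operational part: the register is re-run whenever an asset, threat or control changes, not filed once.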


Risk Management Guidance

• Guidance on Risk Analysis Requirements under the HIPAA Security Rule (Final)
• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments
• NIST SP800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39 (Final), Managing Information Security Risk
• NIST SP800-53 Revision 3 (Final), Recommended Security Controls for Federal Information Systems and Organizations
• NIST SP800-53A Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans


1. Inventory Information Assets that Store ePHI
2. Understand Significant Threats and Vulnerabilities
3. Determine if You Have the Right Controls in Place
4. Determine Your Likelihood of Harm and Risk Rating
5. Create Compliance Documentation and Management Reports

Clearwater HIPAA Security Risk Analysis™


Educate | Assess | Respond Monitor| Document

https://www.HIPAASecurityRiskAnalysis.com/


Clearwater HIPAA Risk Analysis™ - Features

• Mature methodology
• By-the-regulations/guidance
• Highlights security control deficiencies
• Permanently records / updates
• Perpetual Information Asset Inventory and Risk Analysis repository

The Unique Clearwater Risk Algorithm


Risk Rating Report


Poll #4 Risk Analysis?


Benefits of the Clearwater HIPAA Risk Analysis™ Software

• Provides a “by-the-book” approach
• Transforms risk management from “arts & crafts” to a mature, repeatable and sustainable process
• Facilitates informed risk management decision making
• Captures a baseline security risk profile and measures progress
• Becomes a “living, breathing tool” for ongoing risk management
• Empowers organizations to become self-sufficient in meeting the requirement for a periodic risk analysis as defined in the HIPAA Security Rule 45 CFR 164.308(a)(1)(ii)(A)

High Value - High Impact Assessment WorkShop™ Process

I. PREPARATION
   A. Plan / Gather / Schedule
   B. Read Ahead / Review Materials
   C. Provide SaaS Subscription / Train
   D. Administer Surveys
II. ONSITE ASSESSMENT
   A. Facilitate
   B. Educate & Equip
   C. Evaluate
   D. Populate SaaS
III. WRITTEN REPORT
   A. Findings
   B. Observations
   C. Recommendations
   D. Presentation and Sign Off


Three Dimensions of HIPAA Security Business Risk Management

1. Compliance: 45 CFR 164.308(a)(8)
2. Security: 45 CFR 164.308(a)(1)(ii)(A)
3. Test & Audit: 45 CFR 164.308(a)(8) & OCR Audit Protocol

Three Industry-Leading SaaS Solutions

… to address all regulatory requirements

& OPERATIONALIZE YOUR COMPLIANCE PROGRAM


Three Ways to Engage… to meet your budget and assurance requirements (chart axes: Investment vs. Assurance)

Summary: Security Evaluation vs. Risk Analysis


What’s similar:
• Both required by HIPAA Security Final Rule
• Both have been required since April 2005
• Both need “periodic” updates
• Both are somewhat complex
• Both help determine gaps
• Both help you become compliant with HIPAA Security
• Both are important and necessary

What’s Different:
• One is compliance-focused; one is exposure-focused
• One is “macro” level; the other more “micro”
• One is an overall compliance assessment; one is a risk assessment
• One is Forest-level; one is Trees/Weeds-level
• One is “named” in Meaningful Use Stage I Objectives
• One has specific ‘Final Guidance’ from OCR on how to perform


Summary and Next Steps
1. Assess the Forest First, Then Get Into the Trees/Weeds
2. Stay Business Risk Management-Focused
3. Large or Small: Get Help (Tools, Experts, etc.)
…Simply Makes Good Business Sense…

Two Helpful Resources
AboutHIPAA.com Risk Analysis Resources: http://abouthipaa.com/about-hipaa/hipaa-risk-analysis-resources/
Risk Analysis Buyer’s Guide: http://abouthipaa.com/about-hipaa/hipaa-risk-analysis-resources/hipaa-risk-analysis-buyers-guide-checklist/


Help Yourself …Get more info…
Register For Upcoming Live HIPAA-HITECH Webinars at: http://abouthipaa.com/webinars/upcoming-live-webinars/
View pre-recorded Webinars at: http://abouthipaa.com/webinars/on-demand-webinars/

Take Action Now!
http://clearwatercompliance.com/wp-content/uploads/2013/03/Clearwater-HIPAA-Security-Assessment-Software_Data-Sheet-FINAL-022013.pdf
http://clearwatercompliance.com/wp-content/uploads/2013/03/Clearwater-HIPAA-Risk-Analysis-Software_Data-Sheet-FINAL-022013.pdf
http://clearwatercompliance.com/contact-2/…
http://clearwatercompliance.com/2013/06/risk-analysis-information-asset-quick-inventory-video/


Clearwater HIPAA BootCamp™ Events
Take Your HIPAA Compliance Program to a Better Place, Faster
September 12 | Live HIPAA BootCamp™ | Philadelphia
November 6, 13, 20 | HIPAA Virtual BootCamp™
2014 Plans-Live: January 16 – Austin | March 17 – Detroit | April 24 – San Francisco | July 24 – Boston | October 16 – Los Angeles

Expert Instructors
Gregory J. Ehardt, JD, LL.M. | HIPAA/Assistant Compliance Officer - HCA Adjunct Professor, Office of General Counsel, Idaho State University
Bob Chaput, CISSP, CIPP/US, CHP, CHSS | CEO, Clearwater Compliance
James C. Pyles, Esq. | Principal, Powers Pyles Sutter & Verville PC
Mary Chaput, MBA, CIPP/US, CHP | CFO & Chief Compliance Officer, Clearwater Compliance
Meredith Phillips, MHSA, CHC, CHPC | Chief Information Privacy & Security Officer, Henry Ford Health System
David Finn, CISA, CISM, CRISC | Health IT Officer, Symantec Corporation


Contact
Bob Chaput, CISSP, CIPP/US
Clearwater Compliance LLC
http://www.ClearwaterCompliance.com | [email protected]
Phone: 800-704-3394 or 615-656-4299

Additional Information


Key WorkShop™ Deliverables
1. Preparation for Mandatory Audits
2. Objective, Independent 3rd Party Review
3. Solid Educational Foundation
4. Completion of Regulatory Requirements
5. Revitalize Security Compliance Program
6. Baseline/Benchmark Score
7. Preliminary Remediation Plan
8. Findings, Observation & Recommendations Report
Demonstrate Good Faith Effort

Systematic, Sustainable Programmatic Approach: Reenergize and operationalize your HIPAA-HITECH Compliance Program
Must Operationalize Compliance
• Evaluation: 45 CFR 164.308(a)(8)
• Risk Analysis: 45 CFR 164.308(a)(1)(ii)(A)
• Risk Treatment: 45 CFR 164.308(a)(1)(ii)(B)
• Test & Audit: 45 CFR 164.308(a)(8)
Security Rule Compliance a MUST for BAs


Why Now? – What We’re Hearing
“Our business partners (health plans) are demanding we become compliant…” – large national care management company (BA)
“We did work on Privacy, but have no idea where to begin with Security” – 6-Physician Pediatric Practice (CE)
“We want to proactively market our services by leveraging our HIPAA compliance status …” – large regional fulfillment house (BA)
“With all the recent changes and meaningful use requirements, we need to make sure we meet all The HITECH Act requirements …” – large family medicine group practice (CE)
“We need to have a way to quickly take stock of where we are and then put in place a dashboard to measure and assure our compliance progress…” – national research consortium (BA)
“We need to complete HIPAA-HITECH due diligence on a potential acquisition and need a gap analysis done quickly and efficiently…” – seniors care management company (BA)

What Our Customers Say…
“The WorkShop™ process made a very complicated process and subject matter simple. The ToolKit™ itself was excellent and precipitated exactly the right discussion we needed to have.” – outside Legal Counsel, national research consortium
“The HIPAA Security Assessment ToolKit™ and WorkShop™ are a comprehensive approach that effectively guided our organization’s performance against HIPAA-HITECH Security requirements.” – SVP and Chief Compliance, national hospice organization
“… The WorkShop™ process expedited assessment of gaps in our HIPAA Security Compliance program, began to address risk mitigation tasks within a matter of days and… the ‘ToolKit’ was a sound investment for the company, and I can't think of a better framework upon which to launch compliance efforts.” – VP & CIO, national care management organization
“…the process of going through the self-assessment WorkShop™ was a great shared learning experience and teambuilding exercise. In retrospect, I can't think of a better or more efficient way to get started than to use the HIPAA Security Assessment ToolKit.” – CIO, national kidney dialysis center firm
“…this HIPAA Security Assessment Toolkit is worth its weight in gold. If we had to spend our time and resources creating this spreadsheet, we would never complete our compliance program on time…” – Director, Quality Assurance & Regulatory Affairs


The Risk Analysis Dilemma

Assets and Media:
• Backup Media
• Desktop
• Disk Array
• Electronic Medical Device
• Laptop
• Pager
• Server
• Smartphone
• Storage Area Network
• Tablet
• Third-party service provider
• Etcetera…

Threat Sources:
• ADVERSARIAL: Individual; Groups
• ACCIDENTAL: Ordinary user; Privileged User
• STRUCTURAL: IT Equipment; Environmental; Software
• ENVIRONMENTAL: Natural or man-made; Unusual Natural Event; Infrastructure failure

Threat Actions:
• Burglary/Theft
• Corruption or destruction of important data
• Data Leakage
• Data Loss
• Denial of Service
• Destruction of important data
• Electrical damage to equipment
• Fire damage to equipment
• Information leakage
• Etcetera…

Vulnerabilities:
• Anti-malware Vulnerabilities
• Destruction/Disposal Vulnerabilities
• Dormant Accounts
• Endpoint Leakage Vulnerabilities
• Excessive User Permissions
• Insecure Network Configuration
• Insecure Software Development Processes
• Insufficient Application Capacity
• Insufficient data backup
• Insufficient data validation
• Insufficient equipment redundancy
• Insufficient equipment shielding
• Insufficient fire protection
• Insufficient HVAC capability
• Insufficient power capacity
• Insufficient power shielding
• Etcetera…

NIST SP 800-53 Controls:
• PS-6 a: The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
• PS-6 b: The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
• AC-19 a: The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices.
• AC-19 b: The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.
• AC-19 c: The organization monitors for unauthorized connections of mobile devices to organizational information systems.
• AC-19 d: The organization enforces requirements for the connection of mobile devices to organizational information systems.
• AC-19 e: The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
• Etcetera… 570

Over 174 million Permutations: Potential Risk-Controls

Risk Treatment
• Identify and evaluate options for the treatment of risks:
1. Avoid
2. Accept
3. Mitigate
4. Transfer
• Not all Risks need “mitigation”
• All Risks need “treatment”

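Added example (not part of Clearwater's deck or its SaaS tools): a small Python risk register that applies the four treatment options to constructed risks built from the asset, threat-action and vulnerability lists above; the likelihood/impact scale, the thresholds and the third-party transfer rule are assumptions.

```python
# Added example (not Clearwater's code): a toy HIPAA risk register that shows
# the Risk Treatment rule from the slide (every risk gets Avoid, Accept,
# Mitigate or Transfer; only some get mitigation). Scores, thresholds and the
# treatment rules are constructed assumptions, not a Clearwater methodology.
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # constructed 1 (rare) .. 5 (almost certain) scale
    impact: int      # constructed 1 (negligible) .. 5 (severe) scale

    @property
    def rating(self) -> int:
        return self.likelihood * self.impact

def treat(risk: Risk, appetite: int = 6, avoid_at: int = 20) -> str:
    """Assumed rules: within appetite -> Accept; extreme -> Avoid; a risk that
    sits with a third party -> Transfer via the BA agreement; else Mitigate."""
    if risk.rating <= appetite:
        return "Accept"
    if risk.rating >= avoid_at:
        return "Avoid"
    if risk.asset == "Third-party service provider":
        return "Transfer"
    return "Mitigate"

def treatment_plan(register: list) -> dict:
    """Every risk lands in exactly one bucket: none is left untreated."""
    plan = {"Avoid": [], "Accept": [], "Mitigate": [], "Transfer": []}
    for risk in register:
        plan[treat(risk)].append(risk)
    return plan

# Constructed register entries drawn from the slide's asset/threat/vulnerability lists.
REGISTER = [
    Risk("Laptop", "Burglary/Theft", "Endpoint Leakage Vulnerabilities", 4, 4),
    Risk("Server", "Denial of Service", "Insufficient data backup", 2, 5),
    Risk("Backup Media", "Fire damage to equipment", "Insufficient fire protection", 1, 3),
    Risk("Third-party service provider", "Data Leakage", "Excessive User Permissions", 3, 4),
    Risk("Smartphone", "Data Leakage", "Insecure Network Configuration", 5, 4),
    Risk("Pager", "Data Leakage", "Dormant Accounts", 1, 1),
]
```

Running `treatment_plan(REGISTER)` puts all six risks into a bucket, but only two of them into "Mitigate", which is the slide's point that treatment and mitigation are not the same thing.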


Risk Management (figure): Risk Identification → Risk Treatment: Avoid / Transfer Risks; Accept Risks; Mitigate / Transfer Risks. Risks of all types & sizes exist.

Dashboard


Preliminary Remediation Plan: HIPAA Compliance Tasks
Preliminary Remediation Plan: Task Completion To-Dos


Preliminary Remediation Plan: Add or Edit a To-Do
Assessment Wizard – Safeguard Level


Assessment Wizard – Standard Level

OCR Audit Protocols: Risk Analysis

OCR Audit Protocol Procedures:
1. Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
2. Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI.
3. Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity's environment.
4. Determine if the covered entity risk assessment has been conducted on a periodic basis.
5. Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.