TRANSCRIPT
8/16/2013
©Clearwater Compliance LLC | All Rights Reserved | 1
Copyright Notice
Copyright Notice. All materials contained within this document are
protected by United States copyright law and may not be
reproduced, distributed, transmitted, displayed, published, or
broadcast without the prior, express written permission of Clearwater
Compliance LLC. You may not alter or remove any copyright or
other notice from copies of this content.
For reprint permission and information, please direct your inquiry to
Legal Disclaimer
Legal Disclaimer. While all information in this document and its presentation in a webinar is believed to be correct at the time of writing, this document and this webinar are for educational purposes only and do not purport to provide legal advice. If you require legal advice, you should consult with an attorney. The information provided here is for reference use only and does not constitute the rendering of legal, financial, or other professional advice or recommendations by Clearwater Compliance LLC. The listing of an organization does not imply any sort of endorsement, and Clearwater Compliance LLC takes no responsibility for the publications of third parties.
The existence of a link or organizational reference in any of the following materials
should not be assumed as an endorsement by Clearwater Compliance LLC.
This document is for Education and Awareness Use Only.
The Critical Difference - HIPAA Security Compliance Evaluation vs.
HIPAA Security Risk Analysis
August 16, 2013
Bob Chaput, MA, CISSP, CIPP/US, CHP, CHSS, MCSE 615-656-4299 or 800-704-3394
[email protected] Clearwater Compliance LLC
About HIPAA-HITECH Compliance
1. We are not attorneys!
2. The Omnibus has arrived!
3. Lots of different interpretations!
So there!
Bob Chaput MA, CISSP, CIPP/US, CHP, CHSS
• President – Clearwater Compliance LLC
• 30+ years in Business, Operations and Technology
• 20+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Numerous Technical Certifications (MCSE, MCSA, etc.)
• Expertise and Focus: Healthcare, Financial Services, Retail, Legal
• Member: IAPP, ISC2, HIMSS, ISSA, HCCA, HCAA, CAHP, ACHE, AHIMA, NTC, ACP, SIM, Chambers, Boards
http://www.linkedin.com/in/BobChaput
Stages of Behavior Change1
Where is your organization on its HIPAA-HITECH compliance journey?
• Pre-Contemplation
• Contemplation
• Preparation
• Action
• Maintenance
(Slide annotations: IGNORANCE, DENIAL)
The Transtheoretical Model (TTM) of Behavior Change assesses an individual's readiness to act on a new healthier behavior, and provides strategies, or processes of change, to guide the individual through the stages of change to Action and Maintenance.
1Prochaska and DiClemente
Poll #1 – Where is your organization on its HIPAA-HITECH compliance journey?
Poll #2 – What type of organization?
Our Passion
We’re excited about what we do because… we’re helping organizations safeguard the very personal and private healthcare information of millions of fellow Americans… And, keeping those same organizations off the Wall of Shame…!
Here’s What We Do For a Living…
Clearwater Executive Brief http://clearwatercompliance.com/about/our-firm-hipaa-compliance/
• Since 2010
• 350+ Customers
• Compliance Assessments | Risk Analyses | Technical Testing | Policies & Procedures | Training | Remediation | Executive Coaching | BootCamps
• ~16 Audits & Investigations currently
• >100 Audits in past
• Raving Fan customers!
• SaaS Platforms for Operationalizing Your Compliance Programs
Mega Session Objective
Help You Understand and Address Two Very Specific AND Different HIPAA-Security Assessment Requirements…
Both are Required!
Bottom Line Up Front: Security Evaluation vs. Risk Analysis
What’s similar:
• Both required by HIPAA Security Final Rule
• Both have been required since April 2005
• Both need “periodic” updates
• Both are somewhat complex
• Both help determine gaps
• Both robustly audited in OCR Audit Protocol
• Both are important and necessary
• Both help you become compliant with the HIPAA Security Rule
What’s Different:
• One is compliance-focused; one is exposure-focused
• One is an overall compliance assessment; one is a risk assessment
• One is Forest-level; one is Trees/Weeds-level
• One is “named” in Meaningful Use Stage I Objectives
• One has specific ‘Final Guidance’ from OCR on how to perform
NO CHANGES TO THESE ASSESSMENTS!
Other Helpful Resources
• HIPAA Audit Tips – Don’t Confuse HIPAA Security Evaluation and Risk Analysis (Blog Post)
Recorded Webinars at http://abouthipaa.com/webinars/on-demand-webinars/
• How To Conduct a Bona Fide HIPAA Security Risk Analysis
• How to Conduct the Periodic Security Evaluation Required by HIPAA Security Rule
• What Business Associates Need to Know about HIPAA
Session Objectives
1. Understand Compliance Assessment Essentials
2. Review specific HIPAA Security Assessment Regulations
3. Learn how to Assess Your Compliance
Three Pillars of HIPAA-HITECH Compliance… Privacy | Security | Breach Notification
(HIPAA … HITECH … OMNIBUS FINAL RULE)
• Privacy Final Rule: 75 pages / 27K words • 56 Standards • ~54 “dense” Implementation Specs
• Security Final Rule: 18 pages / 4.5K words • 22 Standards • ~50 Implementation Specs
• Breach Notification IFR: 6 pages / 2K words • 4 Standards • 9 Implementation Specs
Top 8 Reasons Executives Need HIPAA-HITECH Assessments: Omnibus Arrived!
1. Significant Breach Notification Rule changes: more incidents likely reportable; need to update Policies & Procedures (PnPs) and develop a “compromise assessment” process
2. Many Privacy & Security Rule Changes: significant updates needed to PnPs
3. BAs (now includes their subcontractors) are directly liable: Covered Entities are liable for the acts of their BAs that are “agents,” requiring greater monitoring by the CE; BA Agreements must be modified with focus on indemnification and federal common law of agency
4. HIPAA enforcement dramatically moving to penalty-based: required HHS investigations and maximum penalties in certain situations; penalties put more emphasis on progress of compliance programs
5. Expanded Patients’ rights: requests for eCopies of any PHI stored electronically (and fewer days to respond to requests); certain requests for restrictions must now be honored & documentation maintained; more flexibility regarding requests for decedents’ health information
6. New marketing rules around authorization for subsidized treatment communications: PnPs and forms need to be updated
7. Totality of HIPAA Changes: all Notices of Privacy Practices must be revised
8. Compliance with new requirements is required without delay: lots of work to complete by September 23, 2013
NO CHANGES TO SECURITY ASSESSMENTS!
Assessments and Audits Are Central to Compliance
• Establishing good policy and procedures is not enough…
• Comprehensive business processes are not enough…
• Deploying leading technology solutions and systems controls is not enough…
Regular assessments are crucial in establishing and maintaining effective compliance
Systematic, Sustainable Programmatic Approach: Reenergize and operationalize your HIPAA-HITECH Compliance Program
Think Program, Not Project! – How to Do It Right
Start:
• Oversight
Year 1:
• Inventory PHI & ePHI
• Inventory BAs
• Assessments
• Remediation Plans
• Policies & Procedures
• Business Associate Management
• Training
Year 2:
• Re-Inventory PHI & ePHI
• Re-Inventory BAs
• Re-Assessments
• Remediation Plans
• Policies & Procedures Review
• Business Associate Management
• Training Update
Ongoing Support and Guidance
Types of Assessments
1. Compliance Assessments (Security Evaluation, at 45 CFR §164.308(a)(8))
– Where do we stand?
– How well are we achieving ongoing compliance?
2. Risk Assessment (Risk Analysis, at 45 CFR §164.308(a)(1)(ii)(A))
– What is the exposure to information assets (e.g., PHI)?
– What do we need to do to mitigate risks?
3. Risk-of-Harm Compromise Assessment (Breach-related, in HITECH parlance)
– Have we caused legal, reputational, etc. harm?
– Is there low probability of compromise of PHI?
– What notifications are required?
Each Assessment Has Its Role and Proper Time
7 Actions to Take Now – Demonstrate Good Faith Effort!
1. Set Privacy and Security Risk Management & Governance Program in place (45 CFR § 164.308(a)(1))
2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530 and 45 CFR §164.316)
3. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
4. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8))
5. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)
6. Implement a Strong, Proactive Business Associate / Subcontractor Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))
7. Document and act upon a remediation plan
Session Objectives
1. Understand Compliance Assessment Essentials
2. Review specific HIPAA Security Assessment Regulations
3. Learn how to Assess Your Compliance
Security Evaluation v. Risk Analysis
45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process
(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
NOT SUFFICIENT TO CALL THE ‘GEEK SQUAD’ TO RUN A VULNERABILITY SCAN OR PENETRATION TEST…
Three Dimensions of HIPAA Security Business Risk Management
1. Compliance – 45 CFR 164.308(a)(8)
2. Security – 45 CFR 164.308(a)(1)(ii)(A)
3. Test & Audit – 45 CFR 164.308(a)(8) & OCR Audit Program Protocol
OCR Audit Protocol1 – 45 CFR 164.308(a)(8) Evaluation
OCR Audit Key Activities:
1. Determine Whether Internal or External Evaluation Is Most Appropriate.
2. Develop Standards and Measurements for Reviewing All Standards and Implementation Specifications of the Security Rule.
3. Conduct Evaluation.
4. Document Results.
5. Repeat Evaluations Periodically.
1http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
OCR Audit Protocol1 – 45 CFR 164.308(a)(1)(ii)(A) Risk Analysis
OCR Audit Key Procedures:
1. Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
2. Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI.
3. Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity's environment.
4. Determine if the covered entity risk assessment has been conducted on a periodic basis.
5. Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.
1http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
Session Objectives
1. Understand Compliance Assessment Essentials
2. Review specific HIPAA Security Assessment Regulations
3. Learn how to Assess Your Compliance
3 Dimensions of HIPAA Security Evaluation
1. Is it documented? • Policies, Procedures and Documentation
2. Are you doing it? • Using, Applying, Practicing, Enforcing
3. Is it Reasonable and Appropriate? • Comply with the implementation specification
Clearwater HIPAA Security Assessment™
Educate | Assess | Plan Remediate | Document
Why this Tool?
1. Serves as Assessment Wizard and Advisory Guide
2. Auto-creates Remediation Plan and Provides Management Tool
3. Dynamically Updates Executive Dashboard
4. Establishes Baseline Score for Progress Monitoring
5. Serves as “Living Compliance Manual”
6. Creates “Single Source of the Truth” and Document Repository
7. Establishes Step 1 in Roadmap to Compliance
https://www.hipaasecurityassessment.com
Poll #3 – Security Evaluation?
CMS Meaningful Use Attestation Audits
Will CMS conduct audits?1
“Any provider attesting to receive an EHR incentive payment for either the Medicare EHR Incentive Program or the Medicaid EHR Incentive Program potentially may be subject to an audit.”
“…If you attest prior to actually meeting the meaningful use security requirement (HIPAA Security Risk Analysis), you could increase your business liability for federal law violations and making a false claim.”
1 https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Attestation.html#10
Risk Analysis and Risk Management – Both Are Required in MU and HIPAA
1. What is our exposure of our information assets (e.g., ePHI)?
2. What do we need to do to treat or manage risks?
Thinking Like a Risk Analyst
Security Risk exists when… a Threat (Actor) CAN EXPLOIT a Vulnerability (Weakness) AND CAUSE Impact (Cost) …in protecting an asset….
Risk Analysis is the identification and rank-ordering of risks through the assessment of Controls in place to detect and block the threat, to detect and fix a vulnerability, or to respond to incidents (impacts) when all else fails.
Controls Help Address Vulnerabilities
Information Asset
• Laptop with ePHI
Threat Source
• Burglar who may steal Laptop with ePHI
Threat Action
• Steal Laptop
Vulnerabilities
• Device is portable
• Weak password
• ePHI is not encrypted
• ePHI is not backed up
Controls
• Policies & Procedures
• Training & Awareness
• Cable lock down
• Strong passwords
• Encryption
• Remote wipe
• Data Backup
What A Risk Analysis Is Not
• A network vulnerability scan
• A penetration test
• A configuration audit
• A network diagram review
• A questionnaire
• Information system activity review
ALL IMPORTANT BUT NOT A RISK ANALYSIS
What A Risk Analysis Is…
A Risk Analysis IS the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, …, resulting from the operation of an information system. Part of risk management, it incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place1.
1NIST SP800-30
Regardless of the risk analysis methodology employed… from HHS/OCR Final Guidance:
1. Scope of the Analysis - All ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a).)
2. Data Collection - The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)
3. Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
4. Assess Current Security Measures - Organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
5. Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
6. Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
7. Determine the Level of Risk - The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
8. Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).)
9. Periodic Review and Updates to the Risk Assessment - The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)
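The guidance steps above (scope the assets, pair each with threats and vulnerabilities, record current controls, assign likelihood and impact, derive a level of risk, document and rank-order) carried through on a small register, as an added example that is not part of the original webinar and is not Clearwater's software or risk algorithm. The register entries are constructed from the deck's laptop slide and its asset/threat lists; the 1-5 likelihood and impact scales, the likelihood × impact product, the High/Medium/Low bands and the record format are all assumptions made for the example (the guidance leaves the formula and format to the entity).

```python
"""Rank-ordered ePHI risk register following the HHS/OCR guidance steps.
Added illustration; not Clearwater's tool. All data below is constructed."""
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    asset: str                    # step 1: information asset in scope (holds ePHI)
    threat_source: str            # step 3: reasonably anticipated threat source
    threat_action: str            # step 3: what the threat does
    vulnerability: str            # step 3: weakness the threat can exploit
    controls_in_place: List[str]  # step 4: current security measures
    likelihood: int               # step 5: 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                   # step 6: 1 (negligible) .. 5 (severe); assumed scale

    def level(self) -> int:
        """Step 7: level of risk as the product of likelihood and impact.
        The scale check matters because an out-of-range value silently
        distorts the rank order of the whole register."""
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")
        return self.likelihood * self.impact


def rate_band(level: int) -> str:
    """Assumed banding of the 1..25 product for management reporting."""
    if level >= 15:
        return "High"
    if level >= 8:
        return "Medium"
    return "Low"


def build_register() -> List[Risk]:
    """Constructed register: the deck's laptop example plus one backup-media risk."""
    return [
        Risk("Laptop with ePHI", "Burglar", "Steal Laptop", "ePHI is not encrypted",
             ["Cable lock down"], likelihood=3, impact=5),
        Risk("Laptop with ePHI", "Burglar", "Steal Laptop", "Weak password",
             ["Policies & Procedures", "Training & Awareness"], likelihood=3, impact=4),
        Risk("Laptop with ePHI", "Burglar", "Steal Laptop", "ePHI is not backed up",
             ["Data Backup"], likelihood=3, impact=2),
        Risk("Backup Media", "Environmental", "Fire damage to equipment",
             "Insufficient fire protection", [], likelihood=1, impact=5),
    ]


def rank_order(register: List[Risk]) -> List[Risk]:
    """Highest level first; ties broken by asset and vulnerability so the
    documented order is deterministic between runs."""
    return sorted(register, key=lambda r: (-r.level(), r.asset, r.vulnerability))


def document_register(register: List[Risk]) -> List[str]:
    """Step 8: one documented line per risk, in rank order (format is assumed)."""
    lines = []
    for r in rank_order(register):
        controls = ", ".join(r.controls_in_place) or "none"
        lines.append(
            f"{r.asset} | {r.threat_source}: {r.threat_action} | {r.vulnerability}"
            f" | controls: {controls} | L={r.likelihood} I={r.impact}"
            f" level={r.level()} ({rate_band(r.level())})"
        )
    return lines


if __name__ == "__main__":
    for line in document_register(build_register()):
        print(line)
```

Each asset/threat/vulnerability combination is one row, so the same laptop theft appears three times with a different rating for each weakness; that is what lets the register say "encrypt first, then fix passwords" rather than just "laptops are risky". Step 9 (periodic review) is simply re-running `document_register` after the likelihood, impact or controls change.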
Risk Management Guidance
• Guidance on Risk Analysis Requirements under the HIPAA Security Rule (HHS/OCR Final Guidance)
• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments
• NIST SP800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39, Managing Information Security Risk
• NIST SP800-53 Revision 3 Final, Recommended Security Controls for Federal Information Systems and Organizations
• NIST SP800-53A Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
1. Inventory Information Assets that Store ePHI
2. Understand Significant Threats and Vulnerabilities
3. Determine if You Have the Right Controls in Place
4. Determine Your Likelihood of Harm and Risk Rating
5. Create Compliance Documentation and Management Reports
Clearwater HIPAA Security Risk Analysis™
Educate | Assess | Respond Monitor| Document
https://www.HIPAASecurityRiskAnalysis.com/
Clearwater HIPAA Risk Analysis™ - Features
• Mature methodology
• By-the-regulations/guidance
• Highlights security control deficiencies
• Permanently records / updates
• Perpetual Information Asset Inventory and Risk Analysis repository
The Unique Clearwater Risk Algorithm
Risk Rating Report
Poll #4 – Risk Analysis?
Benefits of the Clearwater HIPAA Risk Analysis™ Software
• Provides a “by-the-book” approach
• Transforms risk management from “arts & crafts” to a mature, repeatable and sustainable process
• Facilitates informed risk management decision making
• Captures a baseline security risk profile and measures progress
• Becomes a “living, breathing tool” for ongoing risk management
• Empowers organizations to become self-sufficient in meeting the requirement for a periodic risk analysis as defined in the HIPAA Security Rule 45 CFR 164.308(a)(1)(ii)(A)
High Value - High Impact Assessment WorkShop™ Process
I. PREPARATION: A. Plan / Gather / Schedule; B. Read Ahead / Review Materials; C. Provide SaaS Subscription/Train; D. Administer Surveys
II. ONSITE ASSESSMENT: A. Facilitate; B. Educate & Equip; C. Evaluate; D. Populate SaaS
III. WRITTEN REPORT: A. Findings; B. Observations; C. Recommendations; D. Presentation and Sign Off
Three Dimensions of HIPAA Security Business Risk Management
1. Compliance – 45 CFR 164.308(a)(8)
2. Security – 45 CFR 164.308(a)(1)(ii)(A)
3. Test & Audit – 45 CFR 164.308(a)(8) & OCR Audit Protocol
Three Industry-Leading SaaS Solutions
… to address all regulatory requirements
& OPERATIONALIZE YOUR COMPLIANCE PROGRAM
Three Ways to Engage… to meet your budget and assurance requirements (chart axes: Investment vs. Assurance)
Summary: Security Evaluation vs. Risk Analysis
What’s similar:
• Both required by HIPAA Security Final Rule
• Both have been required since April 2005
• Both need “periodic” updates
• Both are somewhat complex
• Both help determine gaps
• Both help you become compliant with HIPAA Security
• Both are important and necessary
What’s Different:
• One is compliance-focused; one is exposure-focused
• One is “macro” level; the other more “micro”
• One is an overall compliance assessment; one is a risk assessment
• One is Forest-level; one is Trees/Weeds-level
• One is “named” in Meaningful Use Stage I Objectives
• One has specific ‘Final Guidance’ from OCR on how to perform
Summary and Next Steps
1. Assess the Forest First, Then Get Into the Trees/Weeds
2. Stay Business Risk Management-Focused
3. Large or Small: Get Help (Tools, Experts, etc.)
…Simply Makes Good Business Sense…
Two Helpful Resources
• AboutHIPAA.com Risk Analysis Resources: http://abouthipaa.com/about-hipaa/hipaa-risk-analysis-resources/
• Risk Analysis Buyer’s Guide: http://abouthipaa.com/about-hipaa/hipaa-risk-analysis-resources/hipaa-risk-analysis-buyers-guide-checklist/
Help Yourself …Get more info…
• Register For Upcoming Live HIPAA-HITECH Webinars at: http://abouthipaa.com/webinars/upcoming-live-webinars/
• View pre-recorded Webinars at: http://abouthipaa.com/webinars/on-demand-webinars/
Take Action Now!
http://clearwatercompliance.com/wp-content/uploads/2013/03/Clearwater-HIPAA-Security-Assessment-Software_Data-Sheet-FINAL-022013.pdf
http://clearwatercompliance.com/wp-content/uploads/2013/03/Clearwater-HIPAA-Risk-Analysis-Software_Data-Sheet-FINAL-022013.pdf
http://clearwatercompliance.com/contact-2/…
http://clearwatercompliance.com/2013/06/risk-analysis-information-asset-quick-inventory-video/
Clearwater HIPAA BootCamp™ Events – Take Your HIPAA Compliance Program to a Better Place, Faster
September 12 | Live HIPAA BootCamp™ | Philadelphia
November 6, 13, 20 | HIPAA Virtual BootCamp™
2014 Plans-Live: January 16 – Austin | March 17 – Detroit | April 24 - San Francisco | July 24 – Boston | October 16 - Los Angeles
Expert Instructors
• Bob Chaput, CISSP, CIPP/US, CHP, CHSS – CEO, Clearwater Compliance
• Mary Chaput, MBA, CIPP/US, CHP – CFO & Chief Compliance Officer, Clearwater Compliance
• Gregory J. Ehardt, JD, LL.M. – HIPAA/Assistant Compliance Officer - HCA; Adjunct Professor; Office of General Counsel, Idaho State University
• James C. Pyles, Esq. – Principal, Powers Pyles Sutter & Verville PC
• Meredith Phillips, MHSA, CHC, CHPC – Chief Information Privacy & Security Officer, Henry Ford Health System
• David Finn, CISA, CISM, CRISC – Health IT Officer, Symantec Corporation
Contact
Bob Chaput, CISSP, CIPP/US
Clearwater Compliance LLC
http://www.ClearwaterCompliance.com [email protected]
Phone: 800-704-3394 or 615-656-4299
Additional Information
Key WorkShop™ Deliverables – Demonstrate Good Faith Effort
1. Preparation for Mandatory Audits
2. Objective, Independent 3rd Party Review
3. Solid Educational Foundation
4. Completion of Regulatory Requirements
5. Revitalize Security Compliance Program
6. Baseline/Benchmark Score
7. Preliminary Remediation Plan
8. Findings, Observation & Recommendations Report
Systematic, Sustainable Programmatic Approach: Reenergize and operationalize your HIPAA-HITECH Compliance Program
Must Operationalize Compliance:
• Evaluation – 45 CFR 164.308(a)(8)
• Risk Analysis – 45 CFR 164.308(a)(1)(ii)(A)
• Risk Treatment – 45 CFR 164.308(a)(1)(ii)(B)
• Test & Audit – 45 CFR 164.308(a)(8)
Security Rule Compliance a MUST for BAs
Why Now? – What We’re Hearing
“Our business partners (health plans) are demanding we become compliant…” – large national care management company (BA)
“We did work on Privacy, but have no idea where to begin with Security” – 6-Physician Pediatric Practice (CE)
“We want to proactively market our services by leveraging our HIPAA compliance status …” – large regional fulfillment house (BA)
“With all the recent changes and meaningful use requirements, we need to make sure we meet all The HITECH Act requirements …” – large family medicine group practice (CE)
“We need to have a way to quickly take stock of where we are and then put in place a dashboard to measure and assure our compliance progress…” – national research consortium (BA)
“We need to complete HIPAA-HITECH due diligence on a potential acquisition and need a gap analysis done quickly and efficiently…” – seniors care management company (BA)
What Our Customers Say…
“The WorkShop™ process made a very complicated process and subject matter simple. The ToolKit™ itself was excellent and precipitated exactly the right discussion we needed to have.” – outside Legal Counsel, national research consortium
“The HIPAA Security Assessment ToolKit™ and WorkShop™ are a comprehensive approach that effectively guided our organization’s performance against HIPAA-HITECH Security requirements.” – SVP and Chief Compliance, national hospice organization
“… The WorkShop™ process expedited assessment of gaps in our HIPAA Security Compliance program, began to address risk mitigation tasks within a matter of days and… the ‘ToolKit’ was a sound investment for the company, and I can't think of a better framework upon which to launch compliance efforts.” – VP & CIO, national care management organization
“…the process of going through the self-assessment WorkShop™ was a great shared learning experience and teambuilding exercise. In retrospect, I can't think of a better or more efficient way to get started than to use the HIPAA Security Assessment ToolKit.” – CIO, national kidney dialysis center firm
“…this HIPAA Security Assessment Toolkit is worth its weight in gold. If we had to spend our time and resources creating this spreadsheet, we would never complete our compliance program on time…” – Director, Quality Assurance & Regulatory Affairs
The Risk Analysis Dilemma – Over 174 million Permutations of Potential Risk-Controls
Assets and Media: Backup Media, Desktop, Disk Array, Electronic Medical Device, Laptop, Pager, Server, Smartphone, Storage Area Network, Tablet, Third-party service provider, Etcetera…
Threat Sources:
• ADVERSARIAL – Individual; Groups
• ACCIDENTAL – Ordinary user; Privileged User
• STRUCTURAL – IT Equipment; Environmental; Software
• ENVIRONMENTAL – Natural or man-made; Unusual Natural Event; Infrastructure failure
Threat Actions: Burglary/Theft, Corruption or destruction of important data, Data Leakage, Data Loss, Denial of Service, Destruction of important data, Electrical damage to equipment, Fire damage to equipment, Information leakage, Etcetera…
Vulnerabilities: Anti-malware Vulnerabilities, Destruction/Disposal Vulnerabilities, Dormant Accounts, Endpoint Leakage Vulnerabilities, Excessive User Permissions, Insecure Network Configuration, Insecure Software Development Processes, Insufficient Application Capacity, Insufficient data backup, Insufficient data validation, Insufficient equipment redundancy, Insufficient equipment shielding, Insufficient fire protection, Insufficient HVAC capability, Insufficient power capacity, Insufficient power shielding, Etcetera…
NIST SP 800-53 Controls:
• PS-6 a: The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
• PS-6 b: The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
• AC-19 a: The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices.
• AC-19 b: The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.
• AC-19 c: The organization monitors for unauthorized connections of mobile devices to organizational information systems.
• AC-19 d: The organization enforces requirements for the connection of mobile devices to organizational information systems.
• AC-19 e: The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
• Etcetera… 570
Risk Treatment
• Identify and evaluate options for the treatment of risks:
1. Avoid
2. Accept
3. Mitigate
4. Transfer
• Not all Risks need “mitigation”
• All Risks need “treatment”
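The four treatment options above applied to a rated register, as an added example that is not part of the original presentation and is not Clearwater's software: every risk gets exactly one documented Avoid, Accept, Mitigate or Transfer decision, residual ratings are recomputed for mitigations, and a plan review flags the two things the "all risks need treatment" rule implies a reviewer should look for, a risk with no decision recorded and an acceptance above the risk appetite. The register, the plan, the 1-5 scales, the appetite threshold of 8 and the review rules are all assumptions constructed for the example; the risk descriptions reuse asset and vulnerability names from this deck.

```python
"""Risk treatment plan with residual-risk and completeness checks.
Added illustration; not Clearwater's tool. All data below is constructed."""
from typing import Dict, List, Tuple

OPTIONS = ("Avoid", "Accept", "Mitigate", "Transfer")
RISK_APPETITE = 8  # assumed: highest level management will accept without sign-off

# Constructed register: risk id -> (description, likelihood 1..5, impact 1..5)
RISKS: Dict[str, Tuple[str, int, int]] = {
    "R1": ("Laptop with ePHI stolen; ePHI is not encrypted", 3, 5),
    "R2": ("Laptop with ePHI stolen; weak password", 3, 4),
    "R3": ("Desktop with ePHI; dormant accounts", 3, 3),
    "R4": ("Backup media destroyed; insufficient fire protection", 2, 5),
    "R5": ("Pager carrying ePHI lost", 1, 5),
    "R6": ("Smartphone with ePHI; no remote wipe", 2, 2),
}

# Constructed treatment plan: risk id -> decision record. R6 deliberately has none.
PLAN: Dict[str, dict] = {
    "R1": {"option": "Mitigate", "control": "Encryption", "residual": (3, 1)},
    "R2": {"option": "Mitigate", "control": "Strong passwords", "residual": (3, 2)},
    "R3": {"option": "Accept", "rationale": "legacy system retiring next quarter"},
    "R4": {"option": "Transfer", "party": "Off-site backup service provider (BA)"},
    "R5": {"option": "Avoid", "rationale": "ePHI no longer sent to pagers"},
}


def inherent_level(rid: str) -> int:
    """Level before treatment: likelihood x impact (assumed formula)."""
    _, likelihood, impact = RISKS[rid]
    return likelihood * impact


def residual_level(rid: str, plan: Dict[str, dict]) -> int:
    """Level after the documented treatment. Avoid removes the activity, so
    the risk goes to 0; Mitigate uses the estimated residual pair; Accept and
    Transfer leave the rating unchanged (Transfer shifts liability, not exposure)."""
    record = plan.get(rid)
    if record is None:
        return inherent_level(rid)
    option = record["option"]
    if option not in OPTIONS:
        raise ValueError(f"{rid}: unknown treatment option {option!r}")
    if option == "Avoid":
        return 0
    if option == "Mitigate":
        likelihood, impact = record["residual"]
        return likelihood * impact
    return inherent_level(rid)


def untreated(risks: Dict[str, Tuple[str, int, int]], plan: Dict[str, dict]) -> List[str]:
    """Risks with no decision at all: 'all risks need treatment'."""
    return sorted(rid for rid in risks if rid not in plan)


def review_plan(risks: Dict[str, Tuple[str, int, int]], plan: Dict[str, dict],
                appetite: int = RISK_APPETITE) -> List[str]:
    """Findings a reviewer would raise before the plan is signed off."""
    findings = []
    for rid in sorted(risks):
        record = plan.get(rid)
        if record is None:
            findings.append(f"{rid}: no treatment documented")
            continue
        option = record["option"]
        level = residual_level(rid, plan)
        if option == "Accept" and level > appetite:
            findings.append(f"{rid}: accepted at level {level}, above appetite "
                            f"{appetite}; needs executive sign-off")
        elif option == "Mitigate" and level > appetite:
            findings.append(f"{rid}: residual level {level} still above appetite {appetite}")
        elif option == "Transfer" and not record.get("party"):
            findings.append(f"{rid}: transfer must name the receiving party")
    return findings


if __name__ == "__main__":
    for rid in sorted(RISKS):
        print(rid, inherent_level(rid), "->", residual_level(rid, PLAN))
    for finding in review_plan(RISKS, PLAN):
        print(finding)
```

The point of `review_plan` is that "treated" is a documentation state, not a control state: an accepted level-9 risk is a legitimate decision only if someone with authority signed it, and a missing entry is a gap regardless of how small the risk is.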
Risk Management
Risks of all types & sizes exist
Risk Identification, then Risk Treatment:
• Avoid / Transfer Risks
• Accept Risks
• Mitigate / Transfer Risks
Dashboard
Preliminary Remediation Plan HIPAA Compliance Tasks
Preliminary Remediation Plan Task Completion To-Dos
Preliminary Remediation Plan Add or Edit a To-Do
Assessment Wizard – Safeguard Level
Assessment Wizard – Standard Level
OCR Audit Protocols – Risk Analysis
OCR Audit Protocol Procedures:
1. Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
2. Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI.
3. Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity's environment.
4. Determine if the covered entity risk assessment has been conducted on a periodic basis.
5. Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.