copyright notice...2015/11/20  · 3. train all members of your workforce (45 cfr 164.530(b) and 45...


Page 1: Copyright Notice

Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

For reprint permission and information, please direct your inquiry to [email protected]

Page 2: Legal Disclaimer

Legal Disclaimer. This information does not constitute legal recommendations and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

Page 3: Welcome

Welcome to today’s Live Event… we will begin shortly…

Please feel free to use the “Question” area to pose any ‘burning’ questions you may have in advance…

“So you know your risks, now what?”

Page 4: ‘So you know your risks, now what?’ How to Conduct Bona Fide Security Risk Response

Page 5: Presenter

• VP of Product Innovation for Clearwater Compliance, LLC

• 30 + years in Healthcare in the provider, payer and healthcare quality improvement industries

• 20 + years of strategic leadership for compliance and Healthcare information technology projects involving the most sensitive ePHI for companies such as CIGNA, Healthways and Optum

• MPA - Healthcare Policy and Administration

Jon Stone, MPA, CRISC, HCISPP, PMP

Vice President of Product Innovation

[email protected]

615-210-9612

Page 6: Some Ground Rules

1. Slide materials… will be provided

2. Questions in “Question Area” on GTW Control Panel

3. In case of technical issues, check “Chat Area”

4. All Attendees are in Listen Only Mode

5. Please complete Exit Survey when you leave session

6. Recorded version and final slides within 48 hours

Page 7: How This Webinar Fits In

• Information Risk Management Essentials (survey course)

• Bona Fide Risk Analysis and Risk Management (survey course)

• How to Establish Your Risk Management Program (deeper dive)

• How to Conduct Bona Fide Security Risk Analysis (deeper dive)

• How to Conduct Bona Fide Security Risk Response (deeper dive) ← You are Here!

• How to Mature Your Risk Management Program (deeper dive)

Register For Upcoming Live Webinars at:

http://clearwatercompliance.com/live-educational-webinars/


Page 8: How This Webinar Fits In…

1. Set Privacy and Security Risk Management & Governance Program in place (45 CFR §164.308(a)(1))

2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530 and 45 CFR §164.316)

3. Train all Members of Your Workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))

4. Complete a HIPAA Security Risk Analysis & Risk Management (45 CFR §164.308(a)(1)(ii)(A) and (B)) ← You are Here!

5. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR §164.308(a)(8))

6. Complete Technical Testing of Your Environment (45 CFR §164.308(a)(8))

7. Implement a Strong, Proactive Business Associate / Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))

8. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)

9. Assess your current Insurance Coverage (e.g., Cyber Liability, D&O, P&C)

10. Document and act upon a remediation plan

Page 9: Top 8 Reasons To Undertake Risk Analysis And Risk Response

Bottom Line: You will know all your exposures and be able to make informed decisions about them…

1. Take better care of customers, patients, members, residents, etc.

2. Avoid Security Incidents and/or Breaches

3. Meet Specific Regulatory & Industry Requirements (HIPAA/HITECH, PCI DSS)

4. Completion of Foundational Security Program

5. Development of Remediation Plan

6. Tremendous Educational Experience

7. Basis for Continuous Process Improvement

8. Essential for realizing IT and Business Strategy

Page 10: Clearwater Information Risk Management Life Cycle

Page 11: Outline

• Regulations and Standards

• Risk Foundation

• Options for effective risk response

• Evaluating alternatives to reduce risks

• How to make sure risk responses get implemented

• Resources


Page 12: Must Do!

• Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. - 45 C.F.R. §164.308(a)(1)(i)(A)

• Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a). - 45 C.F.R. §164.308(a)(1)(i)(B)

• “The objective of Section 404 is to provide meaningful disclosure to investors about the effectiveness of a company’s internal controls systems, without creating unnecessary compliance burdens or wasting shareholder resources.” – SEC Press release, 2007

• “PCI DSS 12.1.2: Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP800-30.)” – PCI DSS 2.0

Page 13: Meaningful Use, Stage 2

...and implement security updates as necessary and correct identified security deficiencies as part of its risk management process

Page 14: Moving From Audit To Enforcement – Risk Analysis

“9. Please submit a copy of XXX most recent risk analysis, as well as a copy of all risk analyses performed for or by XXX within the past 6 years pursuant to 45 C.F.R. § 164.308(a)(1)(ii)(A). If no risk analysis has been performed, please state so.”

Page 15: Moving From Audit To Enforcement – Risk Response

“10. Please provide evidence of XXX security measures that are in place to reduce the risks to ePHI identified in the risk analysis (i.e. risk management plan and accompanying evidence).

Please be sure to submit a copy of a risk management plan(s) associated with each risk analysis requested above. These risk management plans should describe the security measures implemented by XXX to sufficiently reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level to comply with 164.308(a)(1)(ii).

Please ensure the risk management plan states the dates of implementation and/or estimated dates of completion for each security measure. Provide evidence of implementation where applicable (i.e. screenshots, business associate agreements, photographs, etc.)”

Page 16: Outline

• Regulations and Standards

• Risk Foundation

• Options for effective risk response

• Evaluating alternatives to reduce risks

• How to make sure risk responses get implemented

• Resources

Page 17: Risk Response Fundamentals

• All Risks Need a Response

• Not All Risks Must Be Mitigated

• Risk Response Requires Setting Your Risk Threshold

• Risk Response Requires Real Risk Analysis

• Risk Response is Informed Decision Making – What’s New?

Page 18: Risk Response Workflow

[Workflow diagram. Stage labels: Framing Risk Response, Risk Analysis, Identified Risks, Risk Threshold, Evaluate Alternatives, Risk Treatment, Approve, Risk Action Plan, Implementation Planning, Monitoring, Audit and Metrics, Reports, Risk Reconciliation, Documentation]

Page 19: Risk Tolerance

Risk tolerance is the level of risk or degree of uncertainty that is acceptable to the organization, and it is a key element of the organizational risk frame.

Determining risk tolerance is an important risk management activity and is also part of risk framing.

Page 20: Determining Your Risk Threshold

No two organizations are alike…

• For organizations that deal with critical and/or sensitive information, personally identifiable information, or classified information, the emphasis is often on preventing unauthorized disclosure.

• For organizations driven by a combination of culture and the nature of their missions and business functions, the emphasis is on maintaining the availability of information systems to drive growth or sales.

Defining: The values, beliefs, and norms of organizations are examined in order to understand how risk trade-offs are made.

Assessing: A risk assessment identifies the kinds and levels of risk to which organizations may be exposed. This assessment considers both the likelihood and impact of undesired events.

Culture: The cultural willingness to accept certain types of loss within organizations.

Leadership: Subjective risk-related actions of senior leaders/executives.

Page 21: Risk Threshold

Select your Risk Threshold based on the overall level of uncertainty that is acceptable to the organization.

Page 22: Risk Response Workflow (workflow diagram repeated from Page 18)

Page 23: HHS OCR Guidance On Risk Analysis

1. Scope of the Analysis - all ePHI must be included in risk analysis

2. Data Collection – it must be documented

3. Identify and Document Potential Threats and Vulnerabilities

4. Assess Current Security Measures

5. Determine the Likelihood of Threat Occurrence

6. Determine the Potential Impact of Threat Occurrence

7. Determine the Level of Risk

8. Finalize Documentation

9. Periodic Review and Updates


Page 24: Establishing A Risk Value

Think Likelihood * Impact

Likelihood

| Rank | Description | Example |
|------|-------------|---------|
| 0 | Not Applicable | Will never happen |
| 1 | Rare | May happen once every 10 years |
| 2 | Unlikely | May happen once every 3 years |
| 3 | Moderate | May happen once every 1 year |
| 4 | Likely | May happen once every month |
| 5 | Almost Certain | May happen once every week |

Impact

| Rank | Description | Example |
|------|-------------|---------|
| 0 | Not Applicable | Does not apply |
| 1 | Insignificant | Not reportable; Remediate within 1 hour |
| 2 | Minor | Not reportable; Remediate within 1 business day |
| 3 | Moderate | Not reportable; Remediate within 5 business days |
| 4 | Major | Reportable; Less than 500 records compromised |
| 5 | Disastrous | Reportable; Greater than 500 records compromised |

Rating (Likelihood * Impact)

• Critical = 25

• High = 15-24

• Medium = 8-14

• Low = 0-7

Page 25: Communicate Risk Analysis Results

• Quantify: Estimated most probable loss magnitude, high-end loss potential

• Map to Strategy: Tie risks to strategy and company objectives

• Think Broadly: Don’t forget significant reputational, legal or regulatory considerations

• Inform and Educate: Include the key components of risk (likelihood and impact)

Report the results of Risk Analysis in terms and formats useful to support business and risk management decisions

Page 26: NIST Risk Response Process

Begins with determining your Risk Threshold (NIST SP 800-39, pg. 2)

01 Risk Response Identification (NIST SP 800-39, pg. 42)

02 Evaluate Alternatives (NIST SP 800-39, pg. 43)

03 Risk Response Decision (NIST SP 800-39, pg. 43)

04 Risk Response Implementation (NIST SP 800-39, pg. 44)

Page 27: Outline

• Regulations and Standards

• Risk Foundation

• Options for effective risk response

• Evaluating alternatives to reduce risks

• How to make sure risk responses get implemented

• Resources

Page 28: Risk Response Identification (also known as Risk Treatment)

01 Risk Acceptance: Risk acceptance is the appropriate risk response when the identified risk is within the organizational risk tolerance. (NIST SP 800-39, pg. 42)

02 Risk Mitigation: Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred. [Adding or enhancing controls or safeguards] (NIST SP 800-39, pg. 42)

03 Risk Transfer: Risk transfer shifts the risk liability from one organization to another organization (e.g., using insurance to transfer risk from particular organizations to insurance companies). (NIST SP 800-39, pg. 43)

04 Risk Avoidance: Risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk or to revise or reposition these activities or technologies in the organizational mission/business processes to avoid the potential for unacceptable risk. (NIST SP 800-39, pg. 42)

Page 29: Controls Or Safeguards

• Controls or safeguards must be implemented to secure information from threats and ensure confidentiality, integrity & availability through:

• Deterrent controls

• Preventive controls

• Detective controls

• Corrective controls

• Compensating controls

• Compliance regulations/standards often require specific named controls


Page 30

[Diagram of how each control type acts on the threat chain. Nodes: Threat Source, Threat Action, Vulnerability, Impact, Deterrent Control, Preventive Control, Detective Control, Corrective Control, Compensating Control. Edge labels: Creates, Exploits, Results in, Reduces Likelihood of, Protects, Discovers, May Trigger, Decreases, Reduces]

Page 31

| Control Type | Everyday Example | Security Example |
|--------------|------------------|------------------|
| Preventative | Security Guard | Employee supervision |
| Preventative | Guard Dog | Physical access monitoring |
| Preventative | Lighting | On-site generator |
| Preventative | Locks | Two-factor authentication |
| Deterrent | Fence | Physically secured demarcation points |
| Deterrent | Alarms | Anti-virus software |
| Deterrent | Motion Sensors | Network disconnect of idle or malicious connections |
| Deterrent | Bank vault | Two-man rule |
| Detective | Video Monitoring | Snooping detective software |
| Detective | Meta Data | Central monitoring of anti-virus and personal firewall logs |
| Detective | Key Logger | Logging of information access |
| Detective | Identity | User permissions reviews |
| Corrective | Jail | Controls around user-installed software |
| Corrective | Fines | Accounts lock after too many failed logins |
| Corrective | Penalties | Network traffic throttling |
| Corrective | Access | Testing of password strengths |
| Compensating | Insurance | Tracking of backup media |
| Compensating | Extra Keys | Data backup |
| Compensating | Archives | Encryption of disks (full disk, file based, etc.) |
| Compensating | Auditors | Segregation of duties |

Page 32: Options for Control Choices

• FISMA Control Families

• NIST Control Families

• ISO 27002 Control Families

Page 33: Outline

• Regulations and Standards

• Risk Foundation

• Options for effective risk response

• Evaluating alternatives to reduce risks

• How to make sure risk responses get implemented

• Resources

Page 34: Risk Response Workflow (workflow diagram repeated from Page 18)

Page 35: Evaluate Alternatives

• Effectiveness - the expected effectiveness in achieving the desired risk response

  • Build in additional controls

  • Increase the strength of a control

• Feasibility - the anticipated feasibility of implementation

  • Don’t forget mission, legal, technical and operational considerations

• Cost

Page 36: Evaluate Alternatives - Risk Avoidance Example

Risk avoidance is the risk response technique that entails eliminating hazards, activities and exposures that place an organization's valuable assets at risk.

Page 37: Evaluate Alternatives – Mitigation Example

Evaluate a course of action to reduce a risk

Page 38: Risk Response Workflow (workflow diagram repeated from Page 18)

Page 39: Risk Response Decision

Decide on the appropriate course of action for responding to risk

• Approve: Select a course of action

• Document: Document the investment of resources

• Residual Risk Rating: Document residual risk

Page 40: Residual Risk and Approval

Residual risk is the projected portion of the risk that is left after risk treatment has been applied.

Page 41: Outline

• Regulations and Standards

• Risk Foundation

• Options for effective risk response

• Evaluating alternatives to reduce risks

• How to make sure risk responses get implemented

• Resources

Page 42: Risk Response Workflow (workflow diagram repeated from Page 18)

Page 43: Essential Implementation Elements

• Planning: Timeline for implementation of risk response measures

• Accountability: Individuals responsible for the selected risk response measures

• Monitoring: Plans for monitoring the effectiveness of risk response measures

• Evidence: Attachments, Notes, Design Documents, Testing Artifacts, Deployment Plans

Page 44: Implementation Planning

Initiate Risk Response Activities as projects

Page 45: Plan For Monitoring Effectiveness

• Specifications of effectiveness criteria

• Control Objectives

• Indicators and thresholds against which the effectiveness of the control can be measured

Page 46: Action Plan Fundamentals

• Description: Concise and well-described requirements that minimize confusion

• Responsibility: Ownership and accountability

• Dates: Due dates, interim dates, completion dates

• Notes: Documentation of accomplishments, next steps and risks/issues/barriers

• Search and Filtering: Views and sorting for Urgent, Past Due and On the Horizon activities
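A minimal risk action plan built on these fundamentals, as an added example (not Clearwater's product or code from the deck): each item carries a description, an owner, due/interim/completion dates, running notes and evidence attachments; the plan can be viewed as Past Due, Urgent, On the Horizon or Complete; and the report flags the two documentation gaps the OCR request quoted on Page 15 would surface, a measure with no implementation or estimated completion date, and a measure marked complete with no evidence of implementation. The 14-day "urgent" window, the fixed report date and the sample items are constructed assumptions.

```python
"""Risk action plan tracking: items with owner, dates, notes and evidence,
filtered into Past Due / Urgent / On the Horizon / Complete, plus the
documentation gaps an auditor asks about (missing dates, missing evidence).
Added example; the 14-day urgent window, the report date and the sample
plan are constructed assumptions, not data from the deck."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

URGENT_WINDOW = timedelta(days=14)   # assumption: due within 14 days counts as Urgent


@dataclass
class ActionItem:
    description: str                 # concise requirement that minimises confusion
    owner: str                       # ownership and accountability
    due: Optional[date]              # due date; None means no date has been set
    interim: List[date] = field(default_factory=list)    # interim milestone dates
    completed: Optional[date] = None                     # completion date once done
    notes: List[str] = field(default_factory=list)       # accomplishments, next steps, barriers
    evidence: List[str] = field(default_factory=list)    # screenshots, BAAs, test artifacts

    def log(self, note: str) -> None:
        """Append an accomplishment, next step or barrier to the item's notes."""
        self.notes.append(note)


def status(item: ActionItem, today: date) -> str:
    """Bucket an item the way the deck's search-and-filter view does."""
    if item.completed is not None:
        return "Complete"
    if item.due is None:
        return "Undated"
    if item.due < today:
        return "Past Due"
    if item.due - today <= URGENT_WINDOW:
        return "Urgent"
    return "On the Horizon"


def gaps(item: ActionItem) -> List[str]:
    """Documentation gaps that would show up in an OCR-style evidence request."""
    found = []
    if item.due is None and item.completed is None:
        found.append("no implementation or estimated completion date")
    if item.completed is not None and not item.evidence:
        found.append("completed without evidence of implementation")
    if not item.owner.strip():
        found.append("no accountable owner")
    return found


def plan_report(plan: List[ActionItem], today: date) -> List[dict]:
    """One row per item, Past Due first, then Urgent, then by due date."""
    order = {"Past Due": 0, "Urgent": 1, "Undated": 2, "On the Horizon": 3, "Complete": 4}
    rows = [{"description": i.description, "owner": i.owner, "status": status(i, today),
             "due": i.due, "gaps": gaps(i)} for i in plan]
    return sorted(rows, key=lambda r: (order[r["status"]], r["due"] or date.max))


# Constructed sample plan and a fixed report date so the output is reproducible.
REPORT_DATE = date(2015, 11, 20)
SAMPLE_PLAN = [
    ActionItem("Deploy full-disk encryption to all clinician laptops", "IT Director",
               due=date(2015, 12, 1), interim=[date(2015, 11, 10)]),
    ActionItem("Automate EHR account deprovisioning from HR terminations", "Identity Lead",
               due=date(2015, 10, 30)),
    ActionItem("Execute updated BAA with transcription vendor", "Privacy Officer",
               due=date(2015, 11, 1), completed=date(2015, 10, 28), evidence=["BAA_signed.pdf"]),
    ActionItem("Annual workforce security training", "Compliance Manager",
               due=date(2016, 2, 15)),
    ActionItem("Enable audit logging on imaging archive", "Systems Engineer",
               due=None, completed=date(2015, 11, 5)),
]
SAMPLE_PLAN[0].log("Pilot group of 25 laptops encrypted; barrier: two legacy devices lack a TPM")

if __name__ == "__main__":
    for row in plan_report(SAMPLE_PLAN, REPORT_DATE):
        flag = f"  ! {'; '.join(row['gaps'])}" if row["gaps"] else ""
        print(f"{row['status']:15} {str(row['due']):10} {row['owner']:18} {row['description']}{flag}")
```

Sorting Past Due ahead of Urgent is what makes the plan usable as a management tool rather than a list: the first rows of the report are the measures whose dates an auditor would question first.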

Page 47: Moving From Audit To Enforcement – Risk Response

“Please ensure the risk management plan states the dates of implementation and/or estimated dates of completion for each security measure. Provide evidence of implementation where applicable (i.e. screenshots, business associate agreements, photographs, etc.)”

Page 48: Risk Action Plan

Manage from a Risk Action Plan (Risk Management Plan)

Page 49: Risk Action Plan

Maintain documentation

Page 50: Risk Action Plan

Log Accomplishments, Next Steps and Barriers to drive progress

Page 51: What Comes After Risk Response?

Page 52: Monitor Operational Alignment With Risk Tolerance Threshold

• Key Goals:

  • Verify Compliance (compliance monitoring)

  • Determine the ongoing effectiveness of risk response

  • Identify risk-impacting changes to organizational information systems and environment of operation

• Monitoring is the “check” portion of the Plan/Do/Check/Act Deming Cycle

• Requires automated data collection and reporting, as well as thoughtful & deliberate manual reviews

• Monitoring should be architected into control & reporting solutions vs. “bolting on” after the fact.

• Vital that this be considered a continuous process – NIST SP 800-137

  • “Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions” – NIST SP 800-137, p. vi

Page 53

Risk Response Workflow

(Workflow diagram; node labels recovered from the slide, in the order extracted:) Framing Risk Response · Documentation · Risk Threshold · Risk Treatment · Approve · Alternatives · Implementation Planning · Reports · Risk Analysis · Identified Risks · Monitoring · Audit and Metrics · Evaluate Alternatives · Risk Action Plan · Risk Reconciliation

Page 54

Outline

• Regulations and Standards

• Risk Foundation

• Options for effective risk response

• Evaluating alternatives to reduce risks

• How to make sure risk responses get implemented

• Resources

Page 55

Supplemental Reading

• NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments

• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

• NIST SP800-39, Managing Information Security Risk

• NIST SP800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations

• NIST SP800-53A, Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans

• NIST SP800-115 Technical Guide to Information Security Testing and Assessment

• MU Stage 2 Hospital Core 7 Protect Electronic Health Info 2012-11-05

• CMS MU Stage1 vs Stage2 Comparison Tables for Hospitals

• CMS Security Risk Assessment Fact Sheet (Updated 20131122)

• NIST Risk Management Framework 2009

Remember! Security Rule is Based on NIST!

Page 56

Download Whitepaper

Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis

http://clearwatercompliance.com/hipaa-risk-analysis-essentials-lp/

Page 57

Risk Analysis and Risk Management Maturity (spectrum shown on the slide: Arts & Crafts … Science & Engineering)

Methodology and Software …
• Proactive
• Adaptable
• Consistent
• Predictable
• Measurable
• Standards-based

Page 58

Clearwater WorkShop™ Process

01 Preparation
• Plan / Gather / Schedule
• Read Ahead / Review Materials
• Provide SaaS Subscription / Train
• Administer Surveys

02 Onsite Discovery/Assessment
• Facilitate & Discover
• Educate & Equip
• Evaluate & Advise
• Gather & Populate SaaS

03 Written Report
• Analyze Findings
• Document Observations
• Develop Recommendations
• Present and Sign Off

Software Subscription Plus WorkShop™
• 2.5-hour training for as many staff as you wish
• Ongoing technical support
• IRM | Analysis™ - 2 or 3-year subscription, paid annually.
• Ongoing software updates.
• Ongoing Community engagement.
• Professional consulting services to complete the risk analysis process, end-to-end.
• Risk Analysis Report with Findings, Observations and Recommendations.
• Fully-populated IRM | Analysis™ software application.

Our goal at Clearwater is to help your organization become as self-sufficient as you would like to be, as quickly as you would like to be.

Page 59

What Differentiates Clearwater

Proven Model: Thought- and Methodology-Leadership | Full range of solutions to 500+ customers across US | Raving fan references

Deep Experience: Highly credentialed consultants | 30+ OCR/CMS/OIG audits and investigations | Millions of Lives Under Our Processes, Safeguards and Protection

Market Recognition: Invaluable Insights from Executives, Colleagues, Attorneys and Regulators | Critically Acclaimed Solutions | #11, March 2015

Prevention | Confidence | Assurance

Page 60

Get More Info…

Register For Upcoming Live HIPAA-HITECH Webinars at: http://clearwatercompliance.com/live-educational-webinars/

View pre-recorded Webinars like this one at: http://clearwatercompliance.com/on-demand-webinars/

Page 61

Other Upcoming Clearwater Events

Visit ClearwaterCompliance.com for more info!

• December 3, 2015, Complimentary Webinar: How to Calculate the Cost of a Data Breach and How to Get the Budget for Your HIPAA-HITECH Compliance Program

• December 8, 2015, Complimentary Webinar: How to Mature Your Information Risk Management Program

• December 10, 2015, Complimentary Webinar: How to Implement a Strong, Proactive HIPAA Business Associate Risk Management Plan

• December 17, 2015, Complimentary Webinar: How to Develop your HIPAA-HITECH Policies & Procedures

Page 63

WWW.CLEARWATERCOMPLIANCE.COM

106 WINDWARD PT, HENDERSONVILLE, TN 37075-5108

(800) 704-3394

http://www.linkedin.com/in/bobchaput/

@clearwaterhipaa

ClearwaterCompliance

Clearwater Compliance