TRANSCRIPT
© Clearwater Compliance LLC | All Rights Reserved
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
Clearwater HIPAA Risk Analysis™ Guided Tour
(800)704-3394 [email protected]
Jon Stone, MPA, PMP
• 25+ years in Healthcare in the provider, payer and healthcare quality improvement fields
• Innovator | Strategic Program Manager | Consultant | Executive
• 15+ years of strategic leadership for compliance and Healthcare information technology projects involving the most sensitive ePHI for companies such as CIGNA, Healthways and Ingenix
• PMP, MPA - Healthcare Policy and Administration
615-210-9612 [email protected]
Gary Ridner, MBA, CISSP, CISM
• 25+ years in Information Systems in a broad range of industries, including healthcare, financial services, education, and manufacturing
• 10+ years specific experience in Information Systems Security
• Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM)
• MBA from Vanderbilt University with a Management Information Systems Concentration
[email protected]
Mike Neal, Principal Consultant
• 15+ years experience in information technology and security in a variety of industries, including healthcare, financial services, education, government and manufacturing
• 10+ years in customer-facing consulting engagements, helping determine business needs and developing strategic technology solutions and services
• Recent experience as Services Architect and Assessment Practice Lead
• Significant expertise in performing HIPAA Risk Analysis, Meaningful Use Risk Analysis, Security Assessments, Compliance Assessments and Managed Care
[email protected]
Lee Painter, CISSP, C|EH
• 15+ years in Information Assurance and Computer Network Defense
• 15+ years training customers on the need to understand and adopt best practices
• Experience as an Information Systems Security Officer for the Department of Homeland Security
• Passionate Security Professional with a drive to provide not just knowledge but understanding
• Certified Information Systems Security Professional (CISSP)
• Certified Ethical Hacker (C|EH)
[email protected]
You will learn…
• Regulatory background
• Product features
• Software walkthrough
• Product benefits
Three Pillars of HIPAA-HITECH Compliance…
Privacy, Security and Breach Notification (HIPAA and HITECH)
• Privacy Final Rule: 75 pages / 27K words, 56 Standards, ~54 “dense” Implementation Specs
• Security Final Rule: 18 pages / 4.5K words, 22 Standards, ~50 Implementation Specs
• Breach Notification IFR: 6 pages / 2K words, 4 Standards, 9 Implementation Specs
OMNIBUS FINAL RULE
Stage 1 and Stage 2 Meaningful Use require completion of a HIPAA Security Risk Analysis
Completing a formal Security Risk Analysis is required by the HIPAA Security Rule and must follow HHS/OCR guidelines
Security violations can be devastating to an organization’s reputation and finances
You don’t know your risks…
Without the benefit of a HIPAA compliant Risk Analysis approach…
You are probably making privacy and security investments in a vacuum, without facts and data to facilitate informed decision making…
You are at high risk in the face of increasing enforcement actions
The threat landscape is constantly changing
Organizations are struggling to identify threats…
Organizations don’t know their vulnerabilities
Are critical systems encrypted?
Are passwords strong enough?
Are we prepared for disaster?
Are our employees trained?
All this uncertainty means we don’t know our risks…
Regulatory Risks
Financial risks
Legal risks
Risks to our reputations
Risks to operations and care
HIPAA Business Risk Management Life Cycle
Phases: Frame, Assess, Respond, Monitor
Activities: Privacy Assessment, Security Assessment, Risk Analysis, ePHI Discovery, Risk Response, Remediation, Risk Strategy, Governance, Auditing, Technical Testing, Workforce Training
What do the regulations require?
45 C.F.R. §164.308(a)(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. (ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information…
45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes…
The Health and Human Services Office for Civil Rights recommends that, regardless of the risk analysis methodology employed, you include the following key components:
1. Scope of the Analysis - all ePHI must be included in risk analysis
2. Data Collection – it must be documented
3. Identify and Document Potential Threats and Vulnerabilities
4. Assess Current Security Measures
5. Determine the Likelihood of Threat Occurrence
6. Determine the Potential Impact of Threat Occurrence
7. Determine the Level of Risk
8. Finalize Documentation
9. Periodic Review and Updates
Guidance on Risk Analysis Requirements under the HIPAA Security Rule (Final)
• NIST SP800-30 - Guide for Conducting Risk Assessments
• NIST SP800-53 - Recommended controls for Federal Information Systems and Organizations
There is a lot of confusion out there… What a Risk Analysis is not
• A network vulnerability scan
• A penetration test
• A configuration audit
• A network diagram review
• Information system activity review
• A questionnaire
Risk Analysis Is…
…the process of identifying, prioritizing, and estimating risks to organizational operations… resulting from the operation of an information system…
• Risk management incorporates threat and vulnerability analyses,
• Considers mitigations provided by security controls planned or in place [1].
[1] NIST SP800-30
The Risk Analysis Dilemma
Assets and Media: Backup Media, Desktop, Disk Array, Electronic Medical Device, Laptop, Pager, Server, Smartphone, Storage Area Network, Tablet, Third-party service provider, Etcetera…
NIST SP 800-53 Controls (hundreds and hundreds), for example:
• PS-6 a The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
• PS-6 b The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
• AC-19 a The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices.
• AC-19 b The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.
• AC-19 d The organization enforces requirements for the connection of mobile devices to organizational information systems.
• AC-19 e The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
Approximately 330,000,000 Permutations
Vulnerabilities: Anti-malware Vulnerabilities, Destruction/Disposal Vulnerabilities, Dormant Accounts, Endpoint Leakage Vulnerabilities, Excessive User Permissions, Insecure Network Configuration, Insecure Software Development Processes, Insufficient Application Capacity, Insufficient data backup, Insufficient data validation, Insufficient equipment redundancy, Insufficient equipment shielding, Insufficient fire protection, Insufficient HVAC capability, Insufficient power capacity, Insufficient power shielding, Etcetera…
Threat Actions: Burglary/Theft, Corruption or destruction of important data, Data Leakage, Data Loss, Denial of Service, Destruction of important data, Electrical damage to equipment, Fire damage to equipment, Information leakage, Etcetera…
Threat Agents: Burglar/Thief, Electrical Incident, Entropy, Fire, Flood, Inclement weather, Malware, Network Connectivity Outage, Power Outage/Interruption, Etcetera…
The Unique Clearwater Risk Algorithm™
HHS OCR Guidance on Risk Analysis says:
• Scope of the Analysis - all ePHI must be included in the Risk Analysis
• Data Collection – it must be documented
• Identify and Document Potential Threats and Vulnerabilities
• Assess Current Security Measures
• Determine the Likelihood of Threat Occurrence
• Determine the Potential Impact of Threat Occurrence
• Determine the Level of Risk
• Finalize Documentation
• Periodic Review and Update
• Compile your compliance documentation in one place
• Enable periodic reviews and updates unlike any other spreadsheet, word document or software available
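The following is an added example, not code from this presentation and not Clearwater's proprietary Risk Algorithm™. It shows, in Python, how the nine HHS OCR components listed above and the asset × threat × vulnerability "permutations" from the Risk Analysis Dilemma slide turn into a scored, documented risk register using a generic NIST SP 800-30-style qualitative likelihood × impact method. The five-level scales, the number of likelihood levels a control is assumed to remove, the Low/Medium/High thresholds, and every asset, threat, vulnerability and control row are constructed assumptions for this illustration.

```python
"""Minimal NIST SP 800-30-style risk register (illustrative; not Clearwater's algorithm)."""
from dataclasses import dataclass, field, replace
from itertools import product

# Five-level ordinal scale for likelihood and impact (assumed for this example).
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
# How many likelihood levels an existing control removes (assumption for this example).
CONTROL_EFFECT = {"none": 0, "partial": 1, "effective": 2}


@dataclass
class Asset:
    name: str
    holds_ephi: bool  # Component 1 (scope): only assets holding ePHI are analysed


@dataclass
class Scenario:
    asset: str
    threat_agent: str      # e.g. "Burglar/Thief"
    threat_action: str     # e.g. "Burglary/Theft"
    vulnerability: str     # e.g. "Endpoint Leakage Vulnerabilities"
    likelihood: str        # inherent likelihood, before current controls
    impact: str            # impact on confidentiality/integrity/availability of ePHI
    controls: dict = field(default_factory=dict)  # control -> "none" | "partial" | "effective"


def in_scope(assets):
    """Component 1: every asset that holds ePHI must be included in the analysis."""
    return [a.name for a in assets if a.holds_ephi]


def permutation_count(assets, threat_pairs, vulnerabilities):
    """The 'dilemma': each asset x threat x vulnerability combination is a candidate scenario."""
    return len(list(product(assets, threat_pairs, vulnerabilities)))


def residual_likelihood(scenario):
    """Components 4/5: current controls lower likelihood, never below level 1."""
    best = max((CONTROL_EFFECT[e] for e in scenario.controls.values()), default=0)
    return max(1, LEVELS[scenario.likelihood] - best)


def risk_score(scenario):
    """Component 7: risk = residual likelihood x impact, on a 1..25 scale."""
    return residual_likelihood(scenario) * LEVELS[scenario.impact]


def risk_rating(score):
    """Bands for the 1..25 scale (thresholds are an assumption of this example)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def build_register(scenarios):
    """Component 8: one documented row per scenario, highest risk first."""
    rows = []
    for s in scenarios:
        score = risk_score(s)
        rows.append({
            "asset": s.asset, "threat": f"{s.threat_agent}: {s.threat_action}",
            "vulnerability": s.vulnerability, "controls": dict(s.controls),
            "likelihood": residual_likelihood(s), "impact": LEVELS[s.impact],
            "score": score, "rating": risk_rating(score),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def reassess(scenario, control, effectiveness):
    """Component 9: periodic review; returns (score before, score after) a control change."""
    updated = replace(scenario, controls={**scenario.controls, control: effectiveness})
    return risk_score(scenario), risk_score(updated)


# Constructed sample inventory, using asset/threat/vulnerability names from the slides.
ASSETS = [Asset("Laptop", True), Asset("EHR Server", True), Asset("Lobby kiosk (no ePHI)", False)]
THREAT_PAIRS = [("Burglar/Thief", "Burglary/Theft"), ("Malware", "Data Leakage"),
                ("Power Outage/Interruption", "Denial of Service")]
VULNERABILITIES = ["Endpoint Leakage Vulnerabilities", "Anti-malware Vulnerabilities",
                   "Insufficient power capacity"]
SCENARIOS = [
    Scenario("Laptop", "Burglar/Thief", "Burglary/Theft", "Endpoint Leakage Vulnerabilities",
             likelihood="high", impact="very high", controls={"full-disk encryption": "none"}),
    Scenario("EHR Server", "Malware", "Data Leakage", "Anti-malware Vulnerabilities",
             likelihood="high", impact="very high", controls={"endpoint anti-malware": "effective"}),
    Scenario("EHR Server", "Power Outage/Interruption", "Denial of Service",
             "Insufficient power capacity", likelihood="moderate", impact="moderate",
             controls={"UPS": "partial"}),
]

if __name__ == "__main__":
    print("In scope:", in_scope(ASSETS))
    print("Candidate scenarios:", permutation_count(in_scope(ASSETS), THREAT_PAIRS, VULNERABILITIES))
    for row in build_register(SCENARIOS):
        print(f'{row["rating"]:6} {row["score"]:>2}  {row["asset"]} / {row["threat"]} / {row["vulnerability"]}')
    print("Laptop after encryption:", reassess(SCENARIOS[0], "full-disk encryption", "effective"))
```

Only three of the eighteen candidate combinations are scored here; a real analysis has to either score every combination or document why the rest were excluded, which is exactly the bookkeeping that grows into the "330,000,000 permutations" problem the slides describe.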
Software Demonstration
Support
• Unlimited support during normal business hours
• Phone and email support
Training
• 60-90 minutes of live web based training
• Extensive free self-service training
User Provisioning
• Easy self service capabilities to add unlimited numbers of users
• Add additional business entities and perform multiple concurrent assessments for an additional reasonable price
Ease of Access
• Available 7x24 from an internet connection
• No software download required
• Supports all common browsers
Business Continuity
• Customer data is backed up every 15 minutes
• Returned to operations in under two hours
Protection
• Strong firewalls
• All data sent or received uses TLS 1.1 encryption
• Passwords are stored using strong encryption
Clearwater HIPAA Risk Analysis™ - Benefits
• Be Confident Your Security Risk Analysis is by the Book
• One-of-a-Kind Cloud Based Proprietary Software
• Record Where Your Sensitive Data Lives
• Learn Recommended Controls
• Measure Your Progress Against a Baseline
• Operationalize Compliance Through a Mature, Repeatable and Sustainable Process
• Make Sound Decisions and Justify Investment Dollars
• De-Mystify a Complex Process
Need help with resources or expertise?
Clearwater Customer Community
• Where Clearwater customers go to get additional value and benefits
Customer Council Meetings
• Complimentary educational content
• A place for customers to interact and learn from each other
Customer Forum
• A place for software customers to privately post questions and chat with peers
Questions?
If you are interested in a Free Trial, please contact us:
(800) 704 - 3394 [email protected]
Register For Upcoming Live HIPAA-HITECH Webinars at:
http://clearwatercompliance.com/live-educational-webinars/
Get more info…
View pre-recorded Webinars like this one at:
http://clearwatercompliance.com/on-demand-webinars/