Legal Disclaimer - Cybersecurity and HIPAA Compliance
TRANSCRIPT
© Clearwater Compliance | All Rights Reserved
Legal Disclaimer
The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.
Copyright Notice
All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
October 13, 2016
Harnessing the Power of the NIST | Your Practical Guide to Effective Cyber Risk Management
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US
615-656-4299 or 800-704-3394
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US
• CEO & Founder – Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Healthcare Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates
• Member: ACAP, CHIME/AEHIS, CAHP, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA
• CHIME Foundation Member
• AEHIS Advisory Board Member
http://www.linkedin.com/in/BobChaput
Some Ground Rules
1. Slide materials
   A. Check “Download” area on GoToWebinar Control panel to copy/paste link and download materials
2. Questions in “Question Area” on GTW Control Panel
3. In case of technical issues, check “Chat Area”
4. All Attendees are in Listen Only Mode
5. Please complete Exit Survey, when you leave session
6. Recorded version and final slides within 48 hours
Our Passion
We’re excited about what we do because…
…we’re helping organizations improve patient safety and the quality of care by safeguarding the very personal and private healthcare information of millions of fellow Americans…
… And, keeping those same organizations off the Wall of Shame…!
Awards and Recognition
2015 & 2016
Exclusive
Industry Resource Provider
Software Used by NSA/CAEs
Sole Source Provider
#11 – 2015 & 2016
Three Cyber Risk Management Agenda Items About Which I Am Very Passionate…
• Tactically: Assisting in Establishing, Implementing and Maturing Cybersecurity Program
• Operationally: Assisting in Completing Bona Fide, Comprehensive Cybersecurity Risk Analysis and Risk Response
• Strategically: Assisting in Making Cybersecurity a Meaningful C-Suite / Board Agenda item
Many Organizations Struggle to Establish, Implement and Mature their Cyber Risk Management Programs …
The Single Biggest Decision Your Organization will Make Regarding Cyber Risk Management is…
… How Your Organization will Conduct Cyber Risk Management …
Learning Outcomes… Practical Actionable Steps To:
• Implement the NIST IRM Process: Framing, Assessing, Responding to and Monitoring Risk
• Mature your IRM program to proactively protect your organization’s sensitive information
• Ultimately, make higher quality decisions about information / cyber risks by adopting the NIST approach
• Leverage the NIST Cybersecurity Framework to better manage and reduce cybersecurity risk
Resources will be provided at the end of the session and all registrants will receive a copy of all slide materials & the recorded webinar
Pause and Quick Poll
Poll #1 – Is this the first Clearwater Compliance webinar you have attended?
Pause and Quick Poll
Poll #2 - What type of organization do you represent?
• Hospital / Health System
• BA
• Hybrid
• Don’t Know
• Other CE
Clearwater Supports the NIST Approach
Framework + Maturity Model + Process
NIST SP800-39
IRM|Maturity™ | IRM|Pro™ | IRM|Capability™
Benefits of NIST Approach: From Chaos to Order | Process | Discipline
Tactical | Technical | Spot-Welding
Strategic | Business | Architectural
Start the Conversation | Change the Conversation
Discussion Flow
1. NIST Cybersecurity Framework
   1. Problem We’re Trying to Solve
   2. NIST Cybersecurity Framework (NIST CSF)
   3. How to Adopt the NIST CSF
2. NIST Risk Management Process
   1. Framing Risk
   2. Assessing Risk
   3. Responding to Risk
   4. Monitoring Risk
3. Maturing Your Risk Management Program
   1. Maturity Models and IRMCAM™
   2. How to Access and Use IRMCAM™
Changing Landscape Driving Cybersecurity
• Data Aggregation & Amount of Valuable Data
• Number of Connected People
• Shadow IT
Cybersecurity risk management program must keep pace with the evolving threat landscape.
What is the Risk Problem We’re Trying to Solve?
• What if my Sensitive Information is not complete, up-to-date and accurate?
• What if my Sensitive Information is shared?
• What if my Sensitive Information is not there when it is needed? (AVAILABILITY)
Don’t Compromise C-I-A!
ePHI, PII, PCI Data, MNPI, Trade Secrets, Business Plans, Software Code, Etc.
Sidebar: Framework Versus Process
• Framework … Tends to set overall architecture; Provides structure and guidance; Think: WHAT
• Process … Tends to be specific and repeatable; Provides well defined set of steps; Think: HOW
• Framework: Clinical Research
• Process: Detailed Steps
Feb 12, 2013: Executive Order 13636
“Improving Critical Infrastructure Cybersecurity”
Critical Infrastructure Sectors¹
• Chemical Sector
• Commercial Facilities Sector ***
• Communications Sector
• Critical Manufacturing Sector
• Dams Sector
• Defense Industrial Base Sector
• Emergency Services Sector
• Energy Sector
• Financial Services Sector
• Food and Agriculture Sector
• Government Facilities Sector
• Healthcare and Public Health Sector
• Information Technology Sector
• Nuclear Reactors, Materials, and Waste Sector
• Sector-Specific Agencies
• Transportation Systems Sector
• Water and Wastewater Systems Sector
¹ http://www.dhs.gov/critical-infrastructure-sectors
NIST CSF Overview
• Provides standard measurement that organizations can use to measure risk and improve security
• Calls for senior management and Board understanding of cyber risk
• Currently voluntary, but likely the de-facto standard in event of a breach
• Common language, not “government speak”
• Maps to COBIT, ISO, NIST SP800-53, HIPAA Security Rule, etc.
• Includes steps for “Establishing or Improving a Cybersecurity Program”
• Framework, not a risk management Process
• Framework, not a Maturity Model
Creates a Common Language for Cybersecurity
5 Core Functions & 22 Categories & 98 Sub-Categories
• What assets need protection?
• What safeguards are available?
• What techniques can identify incidents?
• What techniques can contain impacts of incidents?
• What techniques can restore capabilities?
Harness Power of Five Internationally Recognized Standards
NIST CSF Core Functions: Identify | Protect | Detect | Respond | Recover
• COBIT 5¹: Five Key Processes of Enterprise IT Management, including RISK IT
• CCS CSC²: SANS Top 20 Critical Security Controls
• IEC 62443³: Concepts; IACS Security Program; Security Technologies; Secure Development
• ISO 27001⁴: Information security management system (ISMS); Clauses, Controls, Control Objectives
• NIST 800-53⁵: 18 Control Families; Security and Privacy; Managerial, Technical, Physical
¹ Control Objectives for Information and Related Technology (COBIT)
² Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC)
³ ANSI/ISA-62443-2-1 (99.02.01)-2009, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program and ANSI/ISA-62443-3-3 (99.03.03)-2013, Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels
⁴ ISO/IEC 27001, Information technology -- Security techniques -- Information security management systems -- Requirements
⁵ NIST SP 800-53 Rev. 4: NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013 (including updates as of January 15, 2014)
This Just In
1. Update security guidance for covered entities and business associates to ensure that the guidance addresses implementation of controls described in the NIST Cybersecurity Framework;
2. Update technical assistance that is provided to covered entities and business associates to address technical security concerns;
3. Revise the current enforcement program to include following up on the implementation of corrective actions;
4. Establish performance measures for the OCR audit program; and
5. Establish and implement policies and procedures for sharing the results of investigations and audits between OCR and CMS to help ensure that covered entities and business associates are in compliance with HIPAA and the HITECH Act.
NIST CSF Adoption
• DoD abandons DIACAP in favor of the NIST risk management framework, March 18, 2014 | By David Perera
• A Different Kind of “Virus”: FDA Follows NIST Framework in Cybersecurity Guidance for Medical Devices, October 8th, 2014 | By Cynthia Larose
• OCR Crosswalk Connects HIPAA Security Rule, NIST Framework, February 24, 2016 | By Elizabeth Snell
• Post-market Management of Cybersecurity in Medical Devices, January 22, 2016
• Analytic Report: Executive Order 13636 Cybersecurity Incentives Study, June 12, 2013
• Federal Agency Adoption = 82%
• HHS Cybersecurity Task Force – too early to call; how not?
HHS Action is Underway
HHS Moving Closer & Closer to NIST CSF
http://www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf
Seven Steps To Implementing the NIST CSF
Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze and Prioritize Gaps
Step 7: Implement Action Plan
Step 3: Create a Current Profile. The organization develops a Current Profile by indicating which Category and Subcategory outcomes from the Framework Core are currently being achieved.
Completing Current Profile May Serve As A Great Starting Point
Dashboards and Trends Facilitate CPI
Current Profile = 2.72 between Tier 2: Risk Informed - Tier 3: Repeatable
Why Should I Care if Not Mandated, Only Voluntary?
1. Leverage a key “free of charge” ingredient for a successful information / cyber risk management program (Framework + Process + Maturity Model)
2. Harness the power of NIST and five international open standards (not something closed, made up!)
3. Change the conversation on cybersecurity and information risk management using an understandable tool that helps in determining appropriate spending
4. Utilize “no prerequisites” / “not-one-size fits all” approach
5. Hedge possibility that NIST CSF becomes a legal standard of due care, if not mandated framework
6. Take the Gartner bet: “By 2020, more than 50% of organizations will use the NIST Cybersecurity Framework, up from the current 30% in 2015.”
7. Help safeguard our national digital assets!
Voluntary, So Not Really Enforceable… However!...
RICHARD RAYSMAN and JOHN ROGERS, The NIST Cybersecurity Framework, Practical Law The Journal | Transactions & Business | June 2015
• “In the event of a cybersecurity incident, an organization that has implemented the Framework can also:
  • Have concrete documentation that it implemented a recognized industry standard in assessing, designing and improving its cybersecurity program.
  • Argue that it followed NIST’s recommendations, perhaps avoiding a determination by regulators or courts that it was negligent in its cybersecurity efforts in the event of a breach or an investigation.”
Voluntary, So Not Really Enforceable… However!...
• Rodney Brown, Cyber-Security Standards for Major Infrastructure, InformationWeek::reports, Jan. 2014.
“The Cybersecurity Framework is likely to become the liability floor, much like Sarbanes-Oxley has become.”
• Jon W. Burd, Cybersecurity Developments: Does the NIST “Voluntary” Framework Portend New Requirements for Contractors? Fall 2013 | Government Contracts Issue Update, Wiley Rein, LLP.
“The framework is intended to complement existing business and cybersecurity operations for organizations with formal existing plans and policies, or to serve as a template for organizations that create new programs.”
“For government contractors, in particular, one “incentive” agencies could adopt—either through formal rulemaking or on an ad hoc basis—is a preference for framework participants in competitions for federal information technology (IT) or cyber-related contracts.”
Polling Question
Poll #3 - Has your organization selected an overall framework for managing cyber / information security risks?
To Solve the Cyber Risk Problem
1. What is the exposure of our information assets (e.g., ePHI)? (Risk Assessment)
2. What decisions do we need to make to treat or manage risks? (Risk Response)
Both Are Required in Federal Regulations AND Serve As the Basis for any Respectable Information Security Program in Any Industry!
And, then there were 41…10 so far in 2016
Information Risk Management Definition¹
“Risk management is a comprehensive process that requires organizations to:
(i) frame risk (i.e., establish the context for risk-based decisions);
(ii) assess risk;
(iii) respond to risk once determined; and
(iv) monitor risk on an ongoing basis using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations.
Risk management is carried out as a holistic, organization-wide activity that addresses risk from the strategic level to the tactical level, ensuring that risk-based decision making is integrated into every aspect of the organization.”¹
¹ http://clearwatercompliance.com/wp-content/uploads/SP800-39-final.pdf
NIST Risk Management Process¹
¹ http://clearwatercompliance.com/wp-content/uploads/SP800-39-final.pdf
Clearwater Information Risk Management Life Cycle¹
¹ Adopted from NIST SP800-39 - http://clearwatercompliance.com/wp-content/uploads/SP800-39-final.pdf
Polling Question
Poll #4 - Has your organization chosen an information risk management process such as that described in NIST SP800-39?
NIST Risk Framing Process
1. Set Forth Risk Assumptions
2. Document Risk Constraints
3. Establish Risk Appetite
4. Enumerate Priorities & Tradeoffs
Scope, Sequence, Rigor, Thoroughness, Outcomes | IRM Strategy
Risk Threshold (a.k.a., Risk Appetite)
Our Risk Appetite or Threshold is 12. We Will (Initially) Accept All Risks Below 12. We Will Avoid, Mitigate and/or Transfer All Risks 12 or Above.
[Chart: risk level scale from 0 to 25 in steps of 5, banded LOW, MEDIUM, HIGH, CRITICAL]
Risk Framing Fundamentals
• Executives and BOD Must Be Engaged
• Risk Framing Sets the Stage for Overall Risk Management Program
• Basic Assumptions Must Be Made: Scope, Information Assets, Threats, Vulnerabilities, Likelihood, Impact
• Business and Risk Management Constraints Must Be Defined
• Risk Tolerance or Appetite Must Be Set
• Must Consider Five Key Practice Areas
• Risk Framing Informs All Other Steps
• Critical Output: Risk Management Strategy and Framework
NIST Risk Assessment Process
1. Finalize Information Asset Inventory
2. Identify Threats & Vulnerabilities
3. Determine Likelihood & Impact
4. Determine Risk Level
What Are All the Possible Ways in Which We May Compromise Sensitive Information?
“Speaking Risk”
Threat Sources: • Adversarial • Accidental • Structural • Environmental
[Diagram of risk relationships among Owners, Assets, Controls & Safeguards, Threat Sources, Threats, Vulnerabilities and Risks (Loss or Harm); connector labels: value, wish to minimize, implement, to reduce, that exist in protecting, may be reduced by, that may possess, may be aware of, wish to or may abuse, harm and / or damage, give rise to, that exploit, leading to, that increase]
HIPAA and OCR Require Tier 3 “Information Systems” Risk Management¹
¹ NIST SP800-39-final, Managing Information Security Risk
Determine Level of Risk
Asset | Threat Source / Action | Vulnerability | Likelihood | Impact | Risk Level
Laptop | Burglar steals laptop | No encryption | High (5) | High (5) | 25
Laptop | Burglar steals laptop | Weak passwords | High (5) | High (5) | 25
Laptop | Burglar steals laptop | No tracking | High (5) | High (5) | 25
Laptop | Shoulder Surfer views | No privacy screen | Low (1) | Medium (3) | 3
Laptop | Careless User Drops | No data backup | Medium (3) | High (5) | 15
Laptop | Lightning Strike | No surge protection | Low (1) | High (5) | 5
etc.
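The scoring behind this table, together with the risk appetite of 12 set on the Risk Threshold slide, as an added example (this is not Clearwater's or NIST's code): each row is scored as Likelihood x Impact on the slide's Low/Medium/High = 1/3/5 scale, the threshold decides accept versus avoid/mitigate/transfer, and unknown rating labels are rejected rather than silently scored. The register rows are the slide's own; the function and field names are this example's.

```python
"""Risk register scoring for the 'Determine Level of Risk' table.

Added example, not the deck's code.  Risk Level is the derived value
Likelihood x Impact with Low = 1, Medium = 3, High = 5 (so 1..25), and the
deck's risk appetite of 12 decides the treatment: below 12 accept
(initially), 12 or above avoid, mitigate and/or transfer.
"""
from dataclasses import dataclass

# Rating vocabulary used on the slide; anything else is a data-entry error.
RATING = {"Low": 1, "Medium": 3, "High": 5}

# Risk appetite / threshold stated on the Risk Threshold slide.
RISK_THRESHOLD = 12


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str          # threat source / action
    vulnerability: str
    likelihood: str      # "Low" | "Medium" | "High"
    impact: str          # "Low" | "Medium" | "High"


def rating_value(label: str) -> int:
    """Map a Low/Medium/High label to its numeric value; reject anything else."""
    try:
        return RATING[label]
    except KeyError:
        raise ValueError(f"unknown rating {label!r}; expected one of {sorted(RATING)}") from None


def risk_level(likelihood: str, impact: str) -> int:
    """Risk is a derived value: likelihood x impact (1..25 on this scale)."""
    return rating_value(likelihood) * rating_value(impact)


def treatment(level: int, threshold: int = RISK_THRESHOLD) -> str:
    """Apply the risk appetite: below threshold accept, otherwise treat."""
    return "Accept" if level < threshold else "Avoid / Mitigate / Transfer"


def build_register(entries, threshold: int = RISK_THRESHOLD) -> list:
    """Score every entry and return the register sorted highest risk first.

    Python's sort is stable, so rows with equal scores keep entry order.
    """
    rows = []
    for e in entries:
        level = risk_level(e.likelihood, e.impact)
        rows.append({
            "asset": e.asset,
            "threat": e.threat,
            "vulnerability": e.vulnerability,
            "likelihood": f"{e.likelihood} ({rating_value(e.likelihood)})",
            "impact": f"{e.impact} ({rating_value(e.impact)})",
            "risk_level": level,
            "treatment": treatment(level, threshold),
        })
    return sorted(rows, key=lambda r: r["risk_level"], reverse=True)


def summarize(register) -> dict:
    """Count how many risks fall on each side of the threshold."""
    counts = {"Accept": 0, "Avoid / Mitigate / Transfer": 0}
    for r in register:
        counts[r["treatment"]] += 1
    return counts


# The six rows from the slide's table.
SLIDE_ROWS = [
    RiskEntry("Laptop", "Burglar steals laptop", "No encryption", "High", "High"),
    RiskEntry("Laptop", "Burglar steals laptop", "Weak passwords", "High", "High"),
    RiskEntry("Laptop", "Burglar steals laptop", "No tracking", "High", "High"),
    RiskEntry("Laptop", "Shoulder Surfer views", "No privacy screen", "Low", "Medium"),
    RiskEntry("Laptop", "Careless User Drops", "No data backup", "Medium", "High"),
    RiskEntry("Laptop", "Lightning Strike", "No surge protection", "Low", "High"),
]


if __name__ == "__main__":
    register = build_register(SLIDE_ROWS)
    for r in register:
        print(f"{r['asset']:<8} {r['threat']:<24} {r['vulnerability']:<20} "
              f"{r['likelihood']:<12} {r['impact']:<12} {r['risk_level']:>3}  {r['treatment']}")
    print(summarize(register))
```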
Risk Assessment Fundamentals
• Must be possible to have loss or harm
• Must have asset-threat-vulnerability to have risk
• Risk is a likelihood issue
• Risk is an impact issue
• Risk is a derived value (like speed is a derived value = distance / time)
• Fundamental nature of Risk is universal
• Risk assessment informs all other steps
• Not “once and done”
• Critical Output: Risk Register
What A Risk Analysis Report Looks Like…
Show you’ve identified all risks!
[Chart: risks at or above the threshold: Generally, Avoid, Mitigate or Transfer; risks below the threshold: Generally, Accept]
Polling Question
Poll #5 - Has your organization completed a comprehensive “risk assessment” and produced a documented Information Risk Register that will meet OCR requirements?
NIST Risk Response Process
1. Identify Risk Responses
2. Evaluate Alternatives
3. Make Risk Response Decision
4. Implement Risk Response
What decisions do we need to make to treat or manage risks?
Decide on Response or Treatment
Risk Response Plan
Must show that identified risks will be treated!
Risk Response Fundamentals
• Real Risk Response Requires Real Risk Analysis
• All Risks Need a Response
• Not All Risks Must Be Mitigated
• Risk Response Requires Setting Your Risk Appetite
• Risk Response Requires Real Risk Framing
• Risk Management is Informed Decision Making – What’s New?
• Risk Response Informs All Other Steps
• Critical Output: Risk Management Plan
NIST Risk Monitoring Process
1. Set Risk Monitoring Strategy
2. Monitor Organizational Environment and Systems
How Do I Ensure I am Doing the Right Things and That They’re Working?
Risk Monitoring Fundamentals
• Three Key Considerations: Compliance, Effectiveness & Change
• Informs All Other Process Steps: Frame, Assess, Respond
• Need to Balance Investment With Value Derived… Of Course
• Needs to Occur At All Tiers: Board, Executive Team, Systems Owners
• Think Plan-Do-Check-Act
• Risk Monitoring Informs All Other Steps
• Critical Output: Risk Monitoring Plan
Risk Management and Baseball
• Is Little League good enough?
• How good does your team have to play?
• How mature does your Information Risk Management Process need to be?
• Are you making conscious, informed decisions about your required level of maturity?
INFORMATION RISK MANAGEMENT MATURITY LEVEL
Levels (columns): Incomplete-0 | Performed-1 | Managed-2 | Established-3 | Predictable-4 | Mature-5
KEY RISK MANAGEMENT CAPABILITIES (rows), with the descriptor for each level from 0 to 5:

Governance, Awareness of Benefits and Value:
0 Unsure of benefits; no executive focus | 1 Aware of risk, but not clear on benefits | 2 Aware of some benefits | 3 Incorporated into business planning and strategic thinking | 4 Aware of benefits and deployed across the organization | 5 Aware of most benefits; value realized

People, Skills, Knowledge & Culture:
0 Little knowledge | 1 Some risk skills training in parts of organization | 2 Good understanding across parts of organization | 3 Knowledge across most of organization | 4 Sound knowledge of discipline and value | 5 High degree of knowledge; refinement

Process, Discipline, & Repeatability:
0 No PnPs, formal practices | 1 Some execution, no records or docs. | 2 Some PnPs, docs; not consistently followed | 3 Formal PnPs and doc, widely followed | 4 Robust, widely adopted PnPs | 5 Formal, continuous process improvement

Use of Standards, Technology Tools / Scalability:
0 Not Using | 1 Aware but Not Formalized Use | 2 Using selectively | 3 Using, repeatable results | 4 Regular use, outcomes consistent | 5 Sound understanding, consistent use of tools

Engagement, Delivery & Operations:
0 None | 1 Some (ad hoc), Insufficient resources | 2 Have framework & active when time permits | 3 Becoming a Formal program | 4 Formal program | 5 Embedded in decision making, CPI
Information Risk Management Capability Advancement Model™ (IRMCAM™)?
• Like baseball teams, mature risk-aware organizations are different from immature risk-aware organizations
• IRMCAM™ strives to capture and describe these differences
• IRMCAM™ strives to create organizations that are “mature”, or more mature than before applying IRMCAM™
• Describes six levels of Risk Management process maturity
• Includes lots of detail about each level – we will look at some of it
Not One Size Fits All
Assessing Practices
In each capability area, we present a series of practices that, if implemented, would serve as evidence of progress in establishing and improving that capability. Consideration of these practices may also translate into an action plan for improvement. We rate each practice on a six-point rating scale using the Deming "plan-do-check-act" cycle:
• Not started, adopted, implemented or achieved (0% or maturity 0)
• Planning to adopt, implement or achieve (20% or maturity 1)
• Planning and doing (40% or maturity 2)
• Planning, doing and checking (60% or maturity 3)
• Planning, doing, checking, acting (80% or maturity 4)
• Planning, doing, checking, acting & optimizing (100% or maturity 5)
Please Use It / Provide Feedback
http://www.surveygizmo.com/s3/2162655/Clearwater-IRMCAM-Assessment-V5-3
Polling Question
Poll #6 - Has your organization chosen a maturity model to help your information risk management process continuously improve?
Getting Started – Cyber Risk Management
I. Strategically Complete an IRM Program Maturity Assessment
II. Tactically Complete NIST CSF Current Profile
III. Operationally Complete Risk Assessment
Download Whitepaper
Harnessing the Power of NIST
Your Practical Guide to Effective Information Risk
Management
https://clearwatercompliance.com/thought-leadership/white-papers/harnessing-the-power-of-the-nist-framework/
NIST CSF and Related Resources
• Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework)
• Cybersecurity Framework Industry Resources
• Cybersecurity Framework Frequently Asked Questions
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39-final_Managing Information Security Risk
• Harnessing the Power of NIST | Your Practical Guide to Effective Information Risk Management (Clearwater White Paper)
• Information Risk Management Capability Advancement Model™ (IRMCAM™) (Clearwater White Paper)
• GAO Report to the Committee on Health, Education, Labor and Pensions | Electronic Health Information | HHS Needs to Strengthen Security and Privacy Guidance and Oversight
IRM|Capability™: Determine Current Profile and Address NIST CSF Gaps
All inclusive, best in breed software for completing a NIST CSF Current Profile: All 5 Functions, 22 Categories, 98 Sub Categories are assessed
• Current Profile
• Upload Documentation: Upload and store all cyber security documentation
• Dashboards: Readily available for progress and management reporting
• Reports: Display period to period Current State | Future State progress against all NIST CSF Core Functions, Categories and Sub Categories
• Recommendations: Automated expert remediation Plan
• Assign Work: Managed accountability and due dates
Exclusively Endorsed by AHA
Industry-leading HIPAA compliance software:
• Gap Assessment: Against all HIPAA Security Standards
• Audit Simulation: Against HHS Audit protocols
• Recommendations: Automated expert remediation plan
• Assign Work: Managed accountability and due dates
• Dashboards & Reports: Display period-to-period compliance progress

• Insight: Understand significant threats and vulnerabilities
• Controls: Determine if you have the right controls in place
• Risk Rating: View critical risks on intuitive dashboards and reports
• Manage Complexity: Automate the management of risk information across complex enterprises
• Plan and Evaluate: Plan a course of action to reduce critical risks

• Gap Assessment: Against all HIPAA Privacy standards
• Breach Preparation: Compliance w/Breach Notification under HITECH
• Audit Simulation: Against HHS Audit protocols
• Recommendations: Automated expert remediation plan
• Dashboards & Reports: Display period-to-period compliance progress
All Exclusively Endorsed by AHA
Clearwater HIPAA and Cybersecurity BootCamp™
Take Your HIPAA Privacy and Security Program to a Better Place, Faster …
Earn up to 10.8 CPE Credits!
http://clearwatercompliance.com/bootcamps/
Designed for busy professionals, the Clearwater HIPAA and Cybersecurity BootCamp™ distills into one action-packed day, the critical information you need to know about the HIPAA Privacy and Security Final Rules and the HITECH Breach Notification Rule.
Join us for our next virtual, web-based events…Three, 3hr sessions:
• August 4th, 11th, 18th - 2016
• November 3rd, 10th, 17th - 2016
• February 9th, 16th, 23rd - 2017
• May 4th, 11th, 18th - 2017
Other Upcoming Clearwater Events
Visit ClearwaterCompliance.com for more info!
• October 13, 2016, Complimentary Webinar: How to Adopt the NIST Cybersecurity Framework (CSF)
• October 27, 2016, Complimentary Webinar: HIPAA 101
• November 2, 2016, Complimentary Webinar: OCR’s Phase 2 Audits and How Best to Prepare
• November 9, 2016, Complimentary Webinar: How to Implement a Strong Proactive Business Risk Management Program
Key Points to Remember
1. You Cannot Check-List Your Way to Cyber Risk Management Success
2. Adopt a Framework + Process + Maturity Model; We Recommend NIST
3. Embrace a Maturity Model Approach
4. Must Establish, Operationalize and Mature an Information Risk Management Program
5. Take Advantage of Resources Provided
Contact
Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US
[email protected]
Phone: 800-704-3394 or 615-656-4299
Clearwater Compliance LLC
Exit Survey, Please
What About HITRUST versus NIST?
References / Articles for Your Own Due Diligence
• HITRUST or High Risk? The Health Information Trust Alliance’s Common Security
• An Open Letter to the HITRUST Alliance (Part I) (Part II) (Part III)
• HITRUST Breaches Lay the Welcome Mat for Hackers and Paydirt
• Should Business Associates Be HiTrust Certified?
• HITRUST, CSF and Mandatory Certification
• A Simpler and Better Alternative to the HITRUST Mandate For Third Party Risk Management In Healthcare
• 20+ Due Diligence Questions about the HITRUST Certification
• Research HITRUST Board companies on: HHS Wall of Shame; ProPublica’s HIPAAHelper Privacy Violations, Breaches and Complaints page
We have never seen the OCR ever ask for Security Opinions (e.g., SSAE SOC2) or “HITRUST Certifications”
As of mid-May 2016, HITRUST Alliance Board Members’ ten (10) organizations have 26 listings on the HHS Wall of Shame, with responsibility for 122MM of 156MM records (79%) and 852 mentions on ProPublica’s HIPAAHelper web site for complaints / breaches. Three organizations are in the HIPAAHelper "Top 10”.
HHS FAQ on 3rd Party Certifications
Are we required to “certify” our organization’s compliance with the standards of the Security Rule?
http://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-required-to-certify-our-organizations-compliance-with-the-standards/index.html
Answer: No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services.
“It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”