Assessing Your Hosting Environment for HIPAA Compliance
#HOSTINGHIPAA
SUMMARY
• Confusion Surrounding HIPAA Audits
• What are the different assessments
• How to truly understand your provider’s capabilities
• Strong tools for comparing providers’ control environments
• Q&A
OMNIBUS RULE
In January 2013, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights announced a final omnibus rule that implements a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/
HIPAA RISK ASSESSMENT SCHIZOPHRENIA
HIPAA ASSESSMENTS TODAY

| Standard | What Is It? |
|---|---|
| Proprietary | Unique risk assessment standard created by the auditing company |
| HITRUST Common Security Framework | Framework of frameworks – a bunch of security standards merged into one umbrella standard |
| HIPAA OCR Audit Protocol | Official HHS audit process for HIPAA compliance |
HIPAA RISK ASSESSMENT BREAKDOWN

| Standard | Prescriptive | Addresses IT Controls | Designed for MSPs | Assessed by 3rd Party | Recognized by HHS | Provides Safe Harbor |
|---|---|---|---|---|---|---|
| Proprietary | Sometimes | Sometimes | No | Yes | No | No |
| HITRUST | Yes | Yes | No | Sometimes | No | No |
| HIPAA OCR | Yes | No | No | Sometimes | Yes | No |
PROVIDER ASSESSMENT CHECKLIST
• Scope of managed security services (what does the provider do and what do I have to do)
• Explicit demarcation of responsibilities
• Committing to obligations in a BAA
• Consistency of managed security services across compute platforms
• 3rd party assessment of platform and managed services against accepted prescriptive security framework
• HIPAA assessment guarantee
COMPLIANCE CONTROLS FOR HIPAA

| Compliance Controls | HOSTING | Customer |
|---|---|---|
| Physical Security | X | |
| Network Security | X | |
| Platform Security | X | |
| Storage Security | X | |
| Threat Monitoring | X | |
| Policy and Governance | X | X |
| Application Security | X | X |
| Change Control | X | X |
| Incident Response | X | X |
| Transit Security | X | X |
| Risk Assessment | X | X |
| Custom App Security | | X |
BAA CHECKLIST
• Will the cloud service provider sign a Business Associate Agreement (BAA) with us?
• Is the cloud service provider even aware of its obligation to sign a BAA?
• Is the BAA more than three pages?
• If the BAA is more than three pages, is the cloud service provider willing to pay the legal fees necessary for excessive review?
• Does the BAA closely track the sample provisions published by the U.S. Dept. of Health & Human Services?
HIPAA OCR AUDIT PROTOCOL
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
• Official HIPAA audit checklist from HHS
• 3rd parties are starting to build assessment services around it
• Assessments are non-binding, not regulated and provide absolutely no Safe Harbor from a breach
• No audit program in place – impossible to be certified HIPAA compliant
“HHS does not endorse or otherwise recognize private organizations’ ‘certifications’ regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a ‘certification’ by an external organization does not preclude HHS from subsequently finding a security violation.”
http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2003.html
HIPAA regulations (chart; values per term as shown on the slide)

| Term | 45 CFR 160 | 45 CFR 164 |
|---|---|---|
| Firewall | 0 | 0 |
| Antivirus | 0 | 0 |
| VPN | 0 | 0 |
| IDS | 0 | 0 |
| Patching | 0 | 0 |
| Cloud | 0 | 0 |
| Encryption | 0 | 5 |
FRAMEWORK COMPARISON

| Standard | Prescriptive | Addresses IT Controls | Designed for MSPs | Assessed by 3rd Party | Recognized by HHS | Provides Safe Harbor |
|---|---|---|---|---|---|---|
| Proprietary | Sometimes | Sometimes | No | Yes | No | No |
| HITRUST | Yes | Yes | No | Sometimes | No | No |
| HIPAA OCR | Yes | No | No | Sometimes | Yes | No |
| SOC 1 | No | Sometimes | No | Yes | No | No |
| SOC 2 | Yes | Yes | Yes | Yes | No | No |
| PCI DSS | Yes | Yes | Yes | Yes | No | Yes (CC only) |
COMMON PROVIDER ASSESSMENTS
• SOC 1
  • Formerly SAS-70, aka SSAE-16
  • Focused on financial report accuracy, not technical, no standard or minimum control set
• SOC 2
  • Often confused with SSAE-16
  • Officially recognized AICPA review of MSP control environment
  • Mapped to the Trust Service Principles – prescriptive standard for IT service provider security and privacy controls
COMMON PROVIDER ASSESSMENTS
• PCI DSS
  • Explicitly prescriptive
  • Over 220 unique IT controls
  • Same purpose as HIPAA Security Rule: protect against unauthorized access to sensitive data
  • Explicitly addresses service providers and cloud environments
  • The most widely utilized security framework
  • A decade of evolution
PCI/SOC to HIPAA MAPPING
READ THE REPORT!
• Providers can choose which portions of infrastructure, data center locations, services and even which controls from the standard they will assess
• Get a responsibilities matrix written by the 3rd party
PCI DSS REPORTS

| Document | What is it? | 3rd Party Assessment | Expect to Sign NDA |
|---|---|---|---|
| SAQ | Self assessment questionnaire | No | Yes |
| AOC | Attestation of Compliance | Maybe – look at party that signed | No |
| ROC | Report on Compliance | Yes | Absolutely |
| Control Mapping | Explicit mapping of responsibilities | Maybe – look at issuing party | No |
SOC REPORTS

| Document | What is it? | 3rd Party Assessment | Expect to Sign NDA |
|---|---|---|---|
| SOC 1 Type I | Financial accuracy assessment – policy review only, no evidence | Yes | Yes |
| SOC 1 Type II | Financial accuracy assessment – >=6mo effectiveness review | Yes | Yes |
| SOC 2 Type I | IT service provider controls – policy review only, no evidence | Yes | Yes |
| SOC 2 Type II | IT service provider controls – >=6mo effectiveness review | Yes | Yes |
| SOC 3 | Stamp used to publicly assert that provider successfully completed SOC 2 Type II, no details | Yes | No |
View the on-demand webinar here!

Q&A
Sean Bruton | Vice President of Product Management

For more information about compliant solution packages by HOSTING, please contact Mark Click at 302.444.6511 or [email protected].