Clearwater Compliance IRM | Analysis Guided Tour...2016/12/13  · #11 –2015 & 2016 6 Clearwater...

Page 1:

Clearwater Compliance IRM | Analysis™ Guided Tour

Page 2:

Jon Stone, MPA, CRISC, HCISPP, PMP
Vice President of Product Innovation
[email protected]

• VP of Product Innovation for Clearwater Compliance, LLC
• 30+ years in Healthcare in the provider, payer and healthcare quality improvement industries
• 20+ years of strategic leadership for compliance and Healthcare information technology projects involving the most sensitive ePHI for companies such as CIGNA, Healthways and Optum
• MPA - Healthcare Policy and Administration

Page 3:

Some Ground Rules

1. Slide materials

A. Check GoToWebinar Control panel to copy/paste link and download materials

2. Questions in “Question Area” on GTW Control Panel

3. In case of technical issues, check “Chat Area”

4. All Attendees are in Listen Only Mode

5. Please complete Exit Survey, when you leave session

6. Recorded version and final slides within 48 hours

Page 4:

Our Passion

We’re excited about what we do because… we’re helping organizations improve patient safety and the quality of care by safeguarding the very personal and private healthcare information of millions of fellow Americans… And, keeping those same organizations off the Wall of Shame…!

Page 5:

Awards and Recognition

[Award logos: 2015 & 2016; Exclusive Industry Resource Provider; Software Used by NSA/CAEs; Sole Source Provider; #11 – 2015 & 2016]

Page 6:

Clearwater Information Risk Management Life Cycle

Page 7:

What do the regulations require?

45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information…

45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes…

Page 8:

The nine elements of a risk analysis from OCR’s Guidance on Risk Analysis Requirements under the HIPAA Security Rule:

1. Scope of the Analysis – all ePHI must be included in the risk analysis
2. Data Collection – it must be documented
3. Identify and Document Potential Threats and Vulnerabilities
4. Assess Current Security Measures
5. Determine the Likelihood of Threat Occurrence
6. Determine the Potential Impact of Threat Occurrence
7. Determine the Level of Risk
8. Finalize Documentation
9. Periodic Review and Updates

Page 9:

The Risk Analysis Dilemma

Assets and Media
Backup Media
Desktop
Disk Array
Electronic Medical Device
Laptop
Pager
Server
Smartphone
Storage Area Network
Tablet
Third-party service provider
Etcetera…

NIST SP 800-53 Controls (hundreds and hundreds)
PS-6 a The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
PS-6 b The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
AC-19 a The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices.
AC-19 b The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.
AC-19 d The organization enforces requirements for the connection of mobile devices to organizational information systems.
AC-19 e The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.
AC-19 f The organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.

Vulnerabilities
Anti-malware Vulnerabilities
Destruction/Disposal Vulnerabilities
Dormant Accounts
Endpoint Leakage Vulnerabilities
Excessive User Permissions
Insecure Network Configuration
Insecure Software Development Processes
Insufficient Application Capacity
Insufficient data backup
Insufficient data validation
Insufficient equipment redundancy
Insufficient equipment shielding
Insufficient fire protection
Insufficient HVAC capability
Insufficient power capacity
Insufficient power shielding
Etcetera…

Threat Actions
Burglary/Theft
Corruption or destruction of important data
Data Leakage
Data Loss
Denial of Service
Destruction of important data
Electrical damage to equipment
Fire damage to equipment
Information leakage
Etcetera…

Threat Agent
Burglar/Thief
Electrical Incident
Entropy
Fire
Flood
Inclement weather
Malware
Network Connectivity Outage
Power Outage/Interruption
Etcetera…

Hundreds of Millions of Permutations
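The nine-step procedure on the previous slide and the permutation problem on this one are easier to see in working form. The following is an added example, not Clearwater’s software and not its Risk Algorithm: it takes a constructed subset of the assets, vulnerabilities and threat agents listed above, enumerates only the scenarios in which an agent can actually exploit a vulnerability (step 3), records the safeguards already in place (step 4), rates likelihood and impact (steps 5 and 6) and derives a risk level (step 7). The 1–5 scales, the likelihood-reduction values for controls, the agent/vulnerability pairings and the level thresholds are all assumptions modelled on the qualitative likelihood × impact approach of NIST SP 800-30.

```python
"""Added example: a minimal risk-analysis register that walks OCR's
steps 3-7 (identify threats and vulnerabilities, assess current
controls, rate likelihood and impact, derive the level of risk) over
a subset of the assets, vulnerabilities and threat agents on the slide.
This is illustrative code, not Clearwater's software or its Risk
Algorithm; the scoring scale is an assumption modelled on the
qualitative likelihood x impact approach of NIST SP 800-30."""
from collections import Counter
from itertools import product

# Steps 1-2 inventory: constructed subset of the slide's lists.
# asset -> impact (1 negligible .. 5 severe) if its ePHI is compromised
ASSETS = {
    "Laptop": 3, "Server": 5, "Backup Media": 4,
    "Smartphone": 3, "Third-party service provider": 4,
}
# threat agent -> inherent likelihood (1 rare .. 5 almost certain)
THREAT_AGENTS = {
    "Burglar/Thief": 3, "Malware": 4, "Fire": 1,
    "Power Outage/Interruption": 3,
}
VULNERABILITIES = [
    "Anti-malware Vulnerabilities", "Dormant Accounts",
    "Endpoint Leakage Vulnerabilities", "Excessive User Permissions",
    "Insufficient data backup", "Insufficient fire protection",
    "Insufficient power capacity",
]
# Step 3: which vulnerabilities each agent can actually exploit.
# Assumed pairings; a real analysis records the reasoning per scenario.
EXPLOITS = {
    "Burglar/Thief": {"Endpoint Leakage Vulnerabilities"},
    "Malware": {"Anti-malware Vulnerabilities", "Dormant Accounts",
                "Excessive User Permissions"},
    "Fire": {"Insufficient fire protection", "Insufficient data backup"},
    "Power Outage/Interruption": {"Insufficient power capacity"},
}
# Step 4: safeguards already in place per (asset, vulnerability) and the
# number of likelihood points each is judged to remove (assumed values).
CONTROLS = {
    ("Laptop", "Endpoint Leakage Vulnerabilities"): [("Full-disk encryption", 2)],
    ("Smartphone", "Endpoint Leakage Vulnerabilities"): [("MDM with remote wipe", 1)],
    ("Server", "Anti-malware Vulnerabilities"): [("Anti-malware, daily signatures", 1)],
    ("Server", "Insufficient data backup"): [("Off-site backup rotation", 2)],
    ("Server", "Insufficient power capacity"): [("UPS and generator", 2)],
}


def raw_permutations():
    """Every asset x agent x vulnerability triple: the number behind the 'dilemma'."""
    return len(list(product(ASSETS, THREAT_AGENTS, VULNERABILITIES)))


def enumerate_scenarios():
    """Only the triples in which the agent can exploit the vulnerability."""
    return [(asset, agent, vuln)
            for asset in ASSETS
            for agent, exploitable in EXPLOITS.items()
            for vuln in VULNERABILITIES if vuln in exploitable]


def risk_level(score):
    """Step 7: map a likelihood x impact product (1..25) onto a qualitative level."""
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Medium"
    if score <= 15:
        return "High"
    return "Critical"


def rate(asset, agent, vuln):
    """Steps 4-7 for one scenario; returns one documented register row."""
    controls = CONTROLS.get((asset, vuln), [])
    # Residual likelihood never drops below 1: a control reduces a threat, it does not remove it.
    residual = max(1, THREAT_AGENTS[agent] - sum(strength for _, strength in controls))
    score = residual * ASSETS[asset]
    return {"asset": asset, "agent": agent, "vulnerability": vuln,
            "controls": [name for name, _ in controls],
            "likelihood": residual, "impact": ASSETS[asset],
            "score": score, "level": risk_level(score)}


def build_register():
    """Step 8: the full, sortable register, highest residual risk first."""
    rows = [rate(*scenario) for scenario in enumerate_scenarios()]
    return sorted(rows, key=lambda r: (-r["score"], r["asset"], r["agent"], r["vulnerability"]))


def find(register, asset, agent, vuln):
    return next(r for r in register
                if (r["asset"], r["agent"], r["vulnerability"]) == (asset, agent, vuln))


def summarize(register):
    """Counts per level, the figure a dashboard would show."""
    return Counter(r["level"] for r in register)


if __name__ == "__main__":
    register = build_register()
    print(f"{raw_permutations()} raw permutations, "
          f"{len(register)} plausible scenarios rated")
    for r in register[:5]:
        print(f'{r["level"]:8} {r["score"]:2}  {r["asset"]} / {r["agent"]} / '
              f'{r["vulnerability"]}  controls={r["controls"]}')
    print(dict(summarize(register)))
```

Even this toy inventory of 5 assets, 4 agents and 7 vulnerabilities yields 140 raw permutations, of which only 35 are plausible scenarios; the pruning in step 3 and the control credit in step 4 are where most of the analyst’s judgement goes, and both are what an auditor will ask to see documented.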

Page 10:

The Unique Clearwater Risk Algorithm™

Page 11:

Software Demonstration

Page 12:

How do I perform Risk Analysis for a complex enterprise?

Page 13:

Entity Hierarchy capability provides major benefits for organizations struggling with multiple distributed assets

• Accelerates and Facilitates the Enterprise Risk Management Program
• Analyze Once / Report Many
• Distribute and Contain Compliance Risk

Page 14:

Entity Hierarchy – Business Value

• Provide only the information requested
• Gain 10- to 20-fold risk analysis productivity
• Ensure visibility into all facilities
• Save risk response and reporting effort
• Methodology, process and IRM|Pro™ meet OCR requirements

Page 15:

Management of Complex Entity Relationships

[Diagram: an Enterprise node with Enterprise Summary Reporting at the top; Cascade Risk Components (Assets, Controls, Ratings) flowing down to entities including Teaching Hospital, Community Hospital, Surgery Center, Medical Clinic, Sleep Center, Insurance Plan, Technology Company, Acquired Entity, Western Data Center and Eastern Data Center, plus state-level entities (Tennessee, California); Administrative Controls; each entity carries its own • Assets • Scenarios • Ratings • Responses]
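The cascade shown in the diagram is, underneath, a tree in which each entity inherits the risk components of its ancestors and may override or extend them locally. The following is an added example, not Clearwater’s code: it builds such a hierarchy from the entity names on the slide, cascades (asset, vulnerability) ratings down the tree with nearest-entry-wins override, produces one complete component set per entity (“Analyze Once / Report Many”), and counts how many components were typed in versus how many appear in reports. The tree shape, the sample ratings and the override rule are assumptions for illustration.

```python
"""Added example (not Clearwater's code): an entity hierarchy in which
risk components entered at one entity cascade to every entity beneath
it, the mechanism behind 'Analyze Once / Report Many'. Entity names come
from the slide; the tree shape, sample ratings and override rule are
assumptions."""
from dataclasses import dataclass, field


@dataclass
class Entity:
    name: str
    children: list = field(default_factory=list)
    parent: "Entity | None" = None
    # Components entered locally: (asset, vulnerability) -> risk level.
    # A local entry overrides whatever cascades down from ancestors.
    local: dict = field(default_factory=dict)

    def add(self, *children):
        for child in children:
            child.parent = self
            self.children.append(child)
        return self


def build_enterprise():
    """Assumed hierarchy using the entity names on the slide."""
    root = Entity("Enterprise", local={
        ("Laptop", "Endpoint Leakage Vulnerabilities"): "High",
        ("Server", "Dormant Accounts"): "Critical",
    })
    tennessee = Entity("Tennessee", local={
        # state-wide laptop encryption rollout lowers the inherited rating
        ("Laptop", "Endpoint Leakage Vulnerabilities"): "Medium",
    }).add(Entity("Teaching Hospital"), Entity("Community Hospital"),
           Entity("Surgery Center"), Entity("Sleep Center"))
    california = Entity("California").add(Entity("Medical Clinic"),
                                          Entity("Acquired Entity"))
    technology = Entity("Technology Company").add(
        Entity("Western Data Center", local={
            # a component that exists only at this site
            ("Disk Array", "Insufficient fire protection"): "Low"}),
        Entity("Eastern Data Center"))
    return root.add(tennessee, california, Entity("Insurance Plan"), technology)


def walk(entity):
    """Pre-order traversal of the whole hierarchy."""
    yield entity
    for child in entity.children:
        yield from walk(child)


def find(root, name):
    return next(e for e in walk(root) if e.name == name)


def effective(entity):
    """Merge components root-to-leaf so the nearest entry wins (cascade with override)."""
    chain = []
    node = entity
    while node is not None:
        chain.append(node)
        node = node.parent
    merged = {}
    for node in reversed(chain):        # root first, the entity itself last
        merged.update(node.local)
    return merged


def report(root):
    """'Report Many': one complete component set per entity."""
    return {e.name: effective(e) for e in walk(root)}


def entry_counts(root):
    """How many components were typed in versus how many appear in reports."""
    entered = sum(len(e.local) for e in walk(root))
    reported = sum(len(components) for components in report(root).values())
    return entered, reported


if __name__ == "__main__":
    enterprise = build_enterprise()
    for name, components in report(enterprise).items():
        print(f"{name}: {components}")
    entered, reported = entry_counts(enterprise)
    print(f"{entered} entered, {reported} reported "
          f"({100 * entered / reported:.0f}% entered by hand)")
```

The override at the Tennessee level is the part worth auditing in a real deployment: every Tennessee facility reports the laptop rating as Medium because of a control applied at the state entity, so the evidence for that control has to be kept at the state entity, not at each hospital.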

Page 16:

© Clearwater Compliance LLC | All Rights Reserved

Productivity Gains – Case Study

Together, we analyzed 63 Assets and media for their hospitals, health plan, clinics, etc… Data was entered for 6 locations and replicated to 139 locations.

Page 17:

Productivity Gains – Results

We were able to produce 145 separate Risk Analyses for Meaningful Use across their enterprise.

Only 4% of the data was actually entered by the users of the software. 96% of the risk analysis documentation as required by NIST was populated by automation features in IRM|Analysis™.

Page 18:

Productivity Gains – Automated Ongoing Maintenance

We watch the horizon: Customers receive alerts to updated threats and vulnerabilities so you can maintain your risk profile.

You don’t start over: A risk analysis can be performed in a fraction of the time using your baseline.

Automatic Snapshots: Automated version history makes sure you have a fully-documented annual risk analysis.

Populate data rapidly: Updated Risk Registry information, both analysis and response data, can be instantly cascaded to distributed entities.

Page 20:

IRM | Analysis™ Software

Insight: Understand significant threats and vulnerabilities

Controls: Determine if you have the right controls in place

Risk Rating: View critical risks on intuitive dashboards and reports

Manage Complexity: Automate the management of risk information across complex enterprises

Plan and Evaluate: Plan a course of action to reduce critical risks

Implementation: Manage the implementation of effective safeguards

Free Trial!

Page 21:

WWW.CLEARWATERCOMPLIANCE.COM

106 WINDWARD PT, HENDERSONVILLE, TN 37075-5108

(800) 704-3394

http://www.linkedin.com/in/bobchaput/

@clearwaterhipaa

ClearwaterCompliance

Clearwater Compliance
