Clearwater Compliance IRM | Analysis Guided Tour...2016/12/13 · #11 –2015 & 2016 6 Clearwater...
Clearwater Compliance IRM | Analysis™Guided Tour
Jon Stone, MPA, CRISC, HCISPP, PMP
Vice President of Product Innovation
• VP of Product Innovation for Clearwater Compliance, LLC
• 30+ years in Healthcare in the provider, payer and healthcare quality improvement industries
• 20+ years of strategic leadership for compliance and Healthcare information technology projects involving the most sensitive ePHI for companies such as CIGNA, Healthways and Optum
• MPA - Healthcare Policy and Administration
Some Ground Rules
1. Slide materials
A. Check GoToWebinar Control panel to copy/paste link and download materials
2. Questions in “Question Area” on GTW Control Panel
3. In case of technical issues, check “Chat Area”
4. All Attendees are in Listen Only Mode
5. Please complete Exit Survey, when you leave session
6. Recorded version and final slides within 48 hours
Our Passion
We’re excited about what we do because… we’re helping organizations improve patient safety and the quality of care by safeguarding the very personal and private healthcare information of millions of fellow Americans… and keeping those same organizations off the Wall of Shame!
Awards and Recognition
2015 & 2016
Exclusive
Industry Resource Provider
Software Used by NSA/CAEs
Sole Source Provider
#11 – 2015 & 2016
Clearwater Information Risk Management Life Cycle
45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process
(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information…
45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes…
What do the regulations require?
1. Scope of the Analysis – all ePHI must be included in risk analysis
2. Data Collection – it must be documented
3. Identify and Document Potential Threats and Vulnerabilities
4. Assess Current Security Measures
5. Determine the Likelihood of Threat Occurrence
6. Determine the Potential Impact of Threat Occurrence
7. Determine the Level of Risk
8. Finalize Documentation
9. Periodic Review and Updates
Assets and Media
Backup Media
Desktop
Disk Array
Electronic Medical Device
Laptop
Pager
Server
Smartphone
Storage Area Network
Tablet
Third-party service provider
Etcetera…
NIST SP 800-53 Controls
PS-6 a The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
PS-6 b The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
AC-19 a The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices.
AC-19 b The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.
AC-19 d The organization enforces requirements for the connection of mobile devices to organizational information systems.
AC-19 e The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
Hundreds and hundreds of controls
Hundreds of Millions of Permutations
Vulnerabilities
Anti-malware Vulnerabilities
Destruction/Disposal Vulnerabilities
Dormant Accounts
Endpoint Leakage Vulnerabilities
Excessive User Permissions
Insecure Network Configuration
Insecure Software Development Processes
Insufficient Application Capacity
Insufficient data backup
Insufficient data validation
Insufficient equipment redundancy
Insufficient equipment shielding
Insufficient fire protection
Insufficient HVAC capability
Insufficient power capacity
Insufficient power shielding
Etcetera…
Threat Actions
Burglary/Theft
Corruption or destruction of important data
Data Leakage
Data Loss
Denial of Service
Destruction of important data
Electrical damage to equipment
Fire damage to equipment
Information leakage
Etcetera…
Threat Agent
Burglar/ Thief
Electrical Incident
Entropy
Fire
Flood
Inclement weather
Malware
Network Connectivity Outage
Power Outage/Interruption
Etcetera…
The Risk Analysis Dilemma
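As an added example (not Clearwater’s own code or its Risk Algorithm™), the block below applies steps 3 through 7 of the nine-step OCR list above to a small constructed subset of the asset, vulnerability and threat lists on this slide: it enumerates the asset × threat × vulnerability permutations, keeps the plausible ones, discounts likelihood by current control strength, and ranks by likelihood × impact. All ratings, control strengths and threat-to-vulnerability pairings are constructed for illustration.

```python
"""Added example, not Clearwater's IRM|Analysis code or its Risk Algorithm: a toy
ePHI risk register that walks OCR steps 3-7 over subsets of the slide's lists."""
from dataclasses import dataclass
from itertools import product

ASSETS = ["Laptop", "Server", "Backup Media"]
THREATS = {  # threat agent -> threat action, both from the slide lists
    "Burglar/Thief": "Burglary/Theft",
    "Malware": "Corruption or destruction of important data",
    "Power Outage/Interruption": "Denial of Service",
}
VULNS = ["Endpoint Leakage Vulnerabilities", "Anti-malware Vulnerabilities",
         "Insufficient data backup"]
# Step 3: which vulnerability each threat action can exploit (constructed pairing).
EXPLOITS = {
    "Burglary/Theft": {"Endpoint Leakage Vulnerabilities"},
    "Corruption or destruction of important data":
        {"Anti-malware Vulnerabilities", "Insufficient data backup"},
    "Denial of Service": {"Insufficient data backup"},
}
# Step 4: strength of current controls per (asset, vulnerability), 0..1 (constructed).
CONTROLS = {("Laptop", "Endpoint Leakage Vulnerabilities"): 0.75,
            ("Server", "Anti-malware Vulnerabilities"): 0.8,
            ("Server", "Insufficient data backup"): 0.6}
# Steps 5 and 6 inputs on a 1..5 scale (constructed ratings).
BASE_LIKELIHOOD = {"Burglary/Theft": 4,
                   "Corruption or destruction of important data": 5,
                   "Denial of Service": 3}
IMPACT = {"Laptop": 3, "Server": 5, "Backup Media": 4}

@dataclass(frozen=True)
class Scenario:
    asset: str; agent: str; action: str; vuln: str; likelihood: int; impact: int
    @property
    def risk(self) -> int:  # Step 7: level of risk = likelihood x impact (1..25)
        return self.likelihood * self.impact

def risk_level(score: int) -> str:  # bucket a 1..25 score into rating bands
    return ("Critical" if score >= 15 else "High" if score >= 10
            else "Medium" if score >= 5 else "Low")

def build_register(assets=ASSETS, threats=THREATS, vulns=VULNS):
    """Enumerate asset x threat x vulnerability (the permutation problem), keep the
    plausible triples, discount likelihood by control strength, and rank by risk."""
    register = []
    for asset, (agent, action), vuln in product(assets, threats.items(), vulns):
        if vuln not in EXPLOITS[action]:
            continue  # implausible pairing, drop it
        residual = 1.0 - CONTROLS.get((asset, vuln), 0.0)
        likelihood = max(1, round(BASE_LIKELIHOOD[action] * residual))
        register.append(Scenario(asset, agent, action, vuln, likelihood, IMPACT[asset]))
    return sorted(register, key=lambda s: s.risk, reverse=True)
```

With three assets, three threats and three vulnerabilities the raw enumeration is 27 triples; the pairing filter leaves 12 scenarios, and the server-theft scenario with no control recorded tops the register.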
The Unique Clearwater Risk Algorithm™
How do I perform Risk Analysis for a complex enterprise?
Entity Hierarchy capability provides major benefits for organizations struggling with multiple distributed assets
• Accelerates and Facilitates the Enterprise Risk Management Program
• Analyze Once / Report Many
• Distribute and Contain Compliance Risk
Entity Hierarchy – Business Value
• Provide only the information requested
• Gain 10 and 20-fold risk analysis productivity
• Ensure visibility into all facilities
• Saves risk response and reporting effort
• Methodology, process and IRM|Pro™ meet OCR requirements
[Diagram: Management of Complex Entity Relationships. An Enterprise node with Summary Reporting cascades Risk Components (Asset, Controls, Ratings) and Administrative Controls (Assets, Scenarios, Ratings, Responses) to entities such as Surgery Center, Community Hospital, Medical Clinic, Teaching Hospital, Technology Company, Acquired Entity, Insurance Plan, Western Data Center, Eastern Data Center, Sleep Center, Tennessee and California.]
© Clearwater Compliance LLC | All Rights Reserved
Productivity Gains – Case Study
Together, we analyzed 63 Assets and media for their hospitals, health plan, clinics, etc… Data was entered for 6 locations and replicated to 139 locations.
Productivity Gains – Results
We were able to produce 145 separate Risk Analyses for Meaningful Use across their enterprise. Only 4% of the data was actually entered by the users of the software; 96% of the risk analysis documentation as required by NIST was populated by automation features in IRM|Analysis™.
Productivity Gains – Automated Ongoing Maintenance
We watch the horizon: Customers receive alerts to updated threats and vulnerabilities so you can maintain your risk profile.
You don’t start over: A risk analysis can be performed in a fraction of the time using your baseline.
Automatic Snapshots: Automated version history makes sure you have a fully-documented annual risk analysis.
Populate data rapidly: Updated Risk Registry Information. Both analysis and response data can be instantly cascaded to distributed entities.
IRM | Analysis™ Software
Insight: Understand significant threats and vulnerabilities
Controls: Determine if you have the right controls in place
Risk Rating: View critical risks on intuitive dashboards and reports
Manage Complexity: Automate the management of risk information across complex enterprises
Plan and Evaluate: Plan a course of action to reduce critical risks
Implementation: Manage the implementation of effective safeguards
Free Trial!
WWW.CLEARWATERCOMPLIANCE.COM
106 WINDWARD PT
HENDERSONVILLE,
TN 37075-5108
(800) 704-3394
http://www.linkedin.com/in/bobchaput/
@clearwaterhipaa
ClearwaterCompliance
Clearwater Compliance