Copyright Noticeclearwatercompliance.com/wp-content/uploads/2014/05/... · 2020-03-16 · Legal...


Transcript of Copyright Noticeclearwatercompliance.com/wp-content/uploads/2014/05/... · 2020-03-16 · Legal...

Page 1:

© Clearwater Compliance LLC | All Rights Reserved

Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]

Page 2:

Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

Page 3:

Clearwater HIPAA Risk Analysis™ Guided Tour

(800)704-3394 [email protected]

Page 4:

Jon Stone, MPA, PMP

• 25+ years in Healthcare in the provider, payer and healthcare quality improvement fields

• Innovator | Strategic Program Manager | Consultant | Executive

• 15+ years of strategic leadership for compliance and Healthcare information technology projects involving the most sensitive ePHI for companies such as CIGNA, Healthways and Ingenix.

• PMP, MPA - Healthcare Policy and Administration

615-210-9612 [email protected]

Page 5:

Gary Ridner, MBA, CISSP, CISM

• 25+ years in Information Systems in a broad range of industries, including healthcare, financial services, education, and manufacturing

• 10+ years specific experience in Information Systems Security

• Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM)

• MBA from Vanderbilt University with a Management Information Systems Concentration

[email protected]

Page 6:

Mike Neal, Principal Consultant

• 15+ years experience in information technology and security in a variety of industries, including healthcare, financial services, education, government and manufacturing

• 10+ years in customer-facing consulting engagements, helping determine business needs and developing strategic technology solutions and services

• Recent experience as Services Architect and Assessment Practice Lead

• Significant expertise in performing HIPAA Risk Analysis, Meaningful Use Risk Analysis, Security Assessments, Compliance Assessments and Managed Care

[email protected]

Page 7:

Lee Painter, CISSP, C|EH

• 15+ years in Information Assurance and Computer Network Defense

• 15+ years training customers on the need to understand and adopt best practices

• Experience as an Information Systems Security Officer for the Department of Homeland Security

• Passionate Security Professional with a drive to provide not just knowledge but understanding

• Certified Information Systems Security Professional (CISSP)

• Certified Ethical Hacker (C|EH)

[email protected]

Page 8:

You will learn…

• Regulatory background
• Product features
• Software walkthrough
• Product benefits

Page 9:

Three Pillars of HIPAA-HITECH Compliance…

Privacy | Security | Breach Notification

HIPAA | HITECH | OMNIBUS FINAL RULE

Privacy Final Rule • 75 pages / 27K words • 56 Standards • ~54 “dense” Implementation Specs

Security Final Rule • 18 pages / 4.5K words • 22 Standards • ~50 Implementation Specs

Breach Notification IFR • 6 pages / 2K words • 4 Standards • 9 Implementation Specs

Page 10:

Stage 1 and Stage 2 Meaningful Use require completion of a HIPAA Security Risk Analysis

Completing a formal Security Risk Analysis is required by the HIPAA Security Rule and must follow HHS/OCR guidelines

Page 11:

Security violations can be devastating to an organization’s reputation and finances

Page 12:

You don’t know your risks…

Without the benefit of a HIPAA compliant Risk Analysis approach…

You are probably making privacy and security investments in a vacuum, without facts and data to facilitate informed decision making…

You are at high risk in the face of increasing enforcement actions

Page 13:

The threat landscape is constantly changing

Organizations are struggling to identify threats…

Page 14:

Organizations don’t know their vulnerabilities

Are critical systems encrypted?

Are passwords strong enough?

Are we prepared for disaster?

Are our employees trained?

Page 15:

All this uncertainty means we don’t know our risks…

Regulatory Risks

Financial risks

Legal risks

Risks to our reputations

Risks to operations and care

Page 16:

HIPAA Business Risk Management Life Cycle

Phases: Frame • Assess • Respond • Monitor

Activities: Privacy Assessment • Security Assessment • Risk Analysis • ePHI Discovery • Risk Response • Remediation • Risk Strategy • Governance • Auditing • Technical Testing • Workforce Training

Page 17:

What do the regulations require?

45 C.F.R. §164.308(a)(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. (ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information…

45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes…

Page 18:

The Health and Human Services Office for Civil Rights recommends that, regardless of the Risk Analysis methodology employed, you include the following key components:

Page 19:

1. Scope of the Analysis - all ePHI must be included in risk analysis
2. Data Collection - it must be documented
3. Identify and Document Potential Threats and Vulnerabilities
4. Assess Current Security Measures
5. Determine the Likelihood of Threat Occurrence
6. Determine the Potential Impact of Threat Occurrence
7. Determine the Level of Risk
8. Finalize Documentation
9. Periodic Review and Updates

Page 20:

Guidance on Risk Analysis Requirements under the HIPAA Security Rule Final

• NIST SP800-30 - Guide for Conducting Risk Assessments

• NIST SP800-53 - Recommended controls for Federal Information Systems and Organizations

Page 21:

There is a lot of confusion out there… What a Risk Analysis is not

Page 22:

There is a lot of confusion out there… What a Risk Analysis is not

• A network vulnerability scan
• A penetration test
• A configuration audit
• A network diagram review
• Information system activity review
• A questionnaire

Page 23:

Risk Analysis Is…

Page 24:

Risk Analysis Is…

…the process of identifying, prioritizing, and estimating risks to organizational operations… resulting from the operation of an information system…

• Risk management incorporates threat and vulnerability analyses,
• Considers mitigations provided by security controls planned or in place¹.

¹ NIST SP800-30

Page 25:

The Risk Analysis Dilemma

Assets and Media: Backup Media • Desktop • Disk Array • Electronic Medical Device • Laptop • Pager • Server • Smartphone • Storage Area Network • Tablet • Third-party service provider • Etcetera…

NIST SP 800-53 Controls (hundreds and hundreds):
• PS-6 a The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
• PS-6 b The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
• AC-19 a The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices.
• AC-19 b The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.
• AC-19 d The organization enforces requirements for the connection of mobile devices to organizational information systems.
• AC-19 e The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.

Vulnerabilities: Anti-malware Vulnerabilities • Destruction/Disposal Vulnerabilities • Dormant Accounts • Endpoint Leakage Vulnerabilities • Excessive User Permissions • Insecure Network Configuration • Insecure Software Development Processes • Insufficient Application Capacity • Insufficient data backup • Insufficient data validation • Insufficient equipment redundancy • Insufficient equipment shielding • Insufficient fire protection • Insufficient HVAC capability • Insufficient power capacity • Insufficient power shielding • Etcetera…

Threat Actions: Burglary/Theft • Corruption or destruction of important data • Data Leakage • Data Loss • Denial of Service • Destruction of important data • Electrical damage to equipment • Fire damage to equipment • Information leakage • Etcetera…

Threat Agent: Burglar/Thief • Electrical Incident • Entropy • Fire • Flood • Inclement weather • Malware • Network Connectivity Outage • Power Outage/Interruption • Etcetera…

Approximately 330,000,000 Permutations
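As an added worked example (not Clearwater's algorithm, nor OCR's text), the OCR components listed on the earlier slide are run over a handful of the asset, vulnerability and threat-agent entries from this slide; the three-level rating scales, the control-to-vulnerability mapping and the sample inventory are constructed for the illustration.

```python
"""Risk register walking the HHS/OCR risk-analysis components (steps 1-8).

Added illustration, not Clearwater's algorithm: the 3-level scales, the
control-to-vulnerability mapping and the sample inventory are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from itertools import product

LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    holds_ephi: bool      # step 1: scope is every asset that stores or moves ePHI
    controls: frozenset   # step 4: security measures currently in place


# Step 3: threat agent / vulnerability pairs with a base likelihood, an impact
# rating and the controls that mitigate the pair (constructed mapping).
THREAT_VULNS = [
    ("Burglar/Thief", "Unencrypted storage", "high", "high", {"disk encryption"}),
    ("Malware", "Anti-malware vulnerabilities", "high", "medium", {"anti-malware"}),
    ("Fire", "Insufficient data backup", "low", "high", {"offsite backup"}),
    ("Entropy", "Dormant accounts", "medium", "medium", {"account review"}),
]


def adjusted_likelihood(base: str, mitigations: set, controls: frozenset) -> int:
    """Step 5: a control in place that covers the pair lowers likelihood one notch."""
    level = LIKELIHOOD[base]
    if mitigations & controls:
        level = max(1, level - 1)
    return level


def risk_level(likelihood: int, impact: int) -> str:
    """Step 7: likelihood x impact bucketed on a 3x3 matrix (constructed cut-offs)."""
    score = likelihood * impact
    if score >= 6:
        return "high"
    return "medium" if score >= 3 else "low"


def analyze(assets):
    """Steps 1-7: pair every in-scope asset with every threat/vulnerability."""
    register = []
    for asset, (agent, vuln, base, impact, mitig) in product(assets, THREAT_VULNS):
        if not asset.holds_ephi:
            continue  # out of scope: no ePHI on this asset
        lik = adjusted_likelihood(base, mitig, asset.controls)
        imp = IMPACT[impact]  # step 6: impact is rated independently of controls here
        register.append({"asset": asset.name, "threat": agent, "vulnerability": vuln,
                         "likelihood": lik, "impact": imp, "score": lik * imp,
                         "risk": risk_level(lik, imp)})
    # Highest score first, so risk response can be planned top-down (stable sort).
    return sorted(register, key=lambda row: row["score"], reverse=True)


def summarize(register) -> dict:
    """Step 8: the documented result, counted by risk level."""
    return dict(Counter(row["risk"] for row in register))


# Constructed sample inventory for the demonstration.
SAMPLE_ASSETS = [
    Asset("EHR server", True, frozenset({"disk encryption", "anti-malware",
                                         "offsite backup", "account review"})),
    Asset("Clinic laptop", True, frozenset({"anti-malware"})),
    Asset("Lobby kiosk", False, frozenset()),  # no ePHI: out of scope
]
```

Calling `analyze(SAMPLE_ASSETS)` yields eight register rows (the kiosk is excluded by scope), with the unencrypted laptop against theft scoring highest; step 9, periodic review, is simply re-running the analysis when the inventory or controls change.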

Page 26:

The Unique Clearwater Risk Algorithm™

Page 27:

The Unique Clearwater Risk Algorithm™

HHS OCR Guidance on Risk Analysis says:
• Scope of the Analysis - all ePHI must be included in the Risk Analysis
• Data Collection - it must be documented

Page 28:

The Unique Clearwater Risk Algorithm™

HHS OCR Guidance on Risk Analysis says:
• Identify and Document Potential Threats and Vulnerabilities

Page 29:

The Unique Clearwater Risk Algorithm™

HHS OCR Guidance on Risk Analysis says:
• Assess Current Security Measures

Page 30:

The Unique Clearwater Risk Algorithm™

HHS OCR Guidance on Risk Analysis says:
• Determine the Likelihood of Threat Occurrence

Page 31:

The Unique Clearwater Risk Algorithm™

HHS OCR Guidance on Risk Analysis says:
• Determine the Potential Impact of Threat Occurrence

Page 32:

The Unique Clearwater Risk Algorithm™

HHS OCR Guidance on Risk Analysis says:
• Determine the Level of Risk

Page 33:

The Unique Clearwater Risk Algorithm™

HHS OCR Guidance on Risk Analysis says:
• Finalize Documentation
• Periodic Review and Update

• Compile your compliance documentation in one place

• Enable periodic reviews and updates unlike any other spreadsheet, word document or software available

Page 34:

Software Demonstration

Page 35:

Support
• Unlimited support during normal business hours
• Phone and email support

Training
• 60-90 minutes of live web based training
• Extensive free self-service training

User Provisioning
• Easy self service capabilities to add unlimited numbers of users
• Add additional business entities and perform multiple concurrent assessments for an additional reasonable price

Page 36:

Ease of Access
• Available 7x24 from an internet connection
• No software download required
• Supports all common browsers

Business Continuity
• Customer data is backed up every 15 minutes
• Returned to operations in under two hours

Protection
• Strong firewalls
• All data sent or received uses TLS 1.1 encryption
• Passwords are stored using strong encryption

Page 37:

Clearwater HIPAA Risk Analysis™- Benefits

Page 38:

Clearwater HIPAA Risk Analysis™- Benefits

• Be Confident Your Security Risk Analysis is by the Book
• One-of-a-Kind Cloud Based Proprietary Software
• Record Where Your Sensitive Data Lives
• Learn Recommended Controls
• Measure Your Progress Against a Baseline
• Operationalize Compliance Through a Mature, Repeatable and Sustainable process
• Make Sound Decisions and Justify Investment Dollars
• De-Mystify a Complex Process

Page 39:

Need help with resources or expertise?

Page 40:

Clearwater Customer Community
• Where Clearwater customers go to get additional value and benefits

Customer Council Meetings
• Complimentary educational content
• A place for customers to interact and learn from each other

Customer Forum
• A place for software customers to privately post questions and chat with peers

Page 41:

Questions?

Page 42:

If you are interested in a Free Trial please contact us:

(800) 704 - 3394 [email protected]