How to Conduct a Bona Fide HIPAA Security Risk Analysis


Transcript of How to Conduct a Bona Fide HIPAA Security Risk Analysis

Page 1: How to Conduct a Bona Fide HIPAA Security Risk Analysis

© 2010-12 Clearwater Compliance LLC | All Rights Reserved 1

How to Conduct a Bona Fide HIPAA Security Risk Analysis

Welcome to today’s Live Event… we will begin shortly… Please feel free to use “Chat” or “Q&A” to tell us any ‘burning’ questions you may have in advance…

Page 2: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Bob Chaput, MA, CISSP, CIPP/US, CHP, CHSS, MCSE 615-656-4299 or 800-704-3394

[email protected] Clearwater Compliance LLC

How to Conduct a Bona Fide HIPAA Security Risk Analysis

December 18, 2012

Page 3: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Bob Chaput MA, CISSP, CIPP/US, CHP, CHSS


• CEO & Founder – Clearwater Compliance LLC

• 30+ years in Business, Operations and Technology

• 20+ years in Healthcare

• Executive | Educator | Entrepreneur

• Global Executive: GE, JNJ, HWAY

• Responsible for largest healthcare datasets in world

• Numerous Technical Certifications (MCSE, MCSA, etc)

• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates, Financial Services, Retail, Legal

• Member: IAPP, ISC2, HIMSS, ISSA, HCCA, ACHE, AHIMA, NTC, ACP, SIM Chambers, Boards

http://www.linkedin.com/in/BobChaput

Page 4: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Our Passion


We’re excited about what we do because… we’re helping organizations safeguard the very personal and private healthcare information of millions of fellow Americans… And, keeping those same organizations off the Wall of Shame…!

Page 5: How to Conduct a Bona Fide HIPAA Security Risk Analysis


HIPAA-HITECH Credentials


• Since 2010

• ~250 Customers; across US

• Compliance Assessments | Risk Analyses | Technical Testing | Policies & Procedures | Training | Remediation | Executive Coaching | BootCamps

• ~10 Audits & Investigations currently

• >100 Audits in past

• Raving Fan customers!

Page 6: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Mega Session Objective

Help You Understand and Address This Very Specific HIPAA / Security Foundational Requirement … Separate Fact from Fiction

Page 7: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Poll #1 – How Many Webinars?


Page 8: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Session Objectives


1. Understand & Review Regulatory Requirements, Potential Liabilities and HHS/OCR Final Guidance

2. Understand Risk Analysis & Management Essentials

3. Learn how to Complete a Risk Analysis

Page 9: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Three Dimensions of HIPAA Security Business Risk Management

1. Compliance – 45 CFR 164.308(a)(8)

2. Security – 45 CFR 164.308(a)(1)(ii)(A)

3. Test & Audit – 45 CFR 164.308(a)(8) & OCR Audit Protocol

Page 11: How to Conduct a Bona Fide HIPAA Security Risk Analysis


HITECH meets HIPAA … at Meaningful Use


Risk Analysis – 45 CFR 164.308(a)(1)(ii)(A)

HIPAA Security Final Rule | Meaningful Use Final Rule

Page 12: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Risk Analysis Implementation Spec


45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Page 13: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Risk Analysis is Not Going Away

Page 14: How to Conduct a Bona Fide HIPAA Security Risk Analysis


HHS/OCR Final Guidance


Regardless of the risk analysis methodology employed…

1. Scope of the Analysis - All ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a).)

2. Data Collection - The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)

3. Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)

4. Assess Current Security Measures - Organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

5. Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)

6. Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)

7. Determine the Level of Risk - The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

8. Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).)

9. Periodic Review and Updates to the Risk Assessment - The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)

Page 15: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Risk Management Guidance


• HHS/OCR Guidance on Risk Analysis Requirements under the HIPAA Security Rule (Final)

• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments

• NIST SP800-34, Contingency Planning Guide for Federal Information Systems

• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

• NIST SP800-39 (Final), Managing Information Security Risk

• NIST SP800-53 Revision 3 (Final), Recommended Security Controls for Federal Information Systems and Organizations

• NIST SP800-53A Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans

Page 16: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Failure to Comply: Key Concerns

• OCR Investigations

• CMS Audits / FCA

• OCR Audits

Page 17: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Poll #2 (OCR Audit)


Page 18: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Risk Analysis Audit Protocols



Established Performance Criteria: §164.308(a)(1) Security Management Process

§164.308(a)(1)(ii)(A) - Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Key Activity: Conduct Risk Assessment

Audit Procedures:

1. Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

2. Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI.

3. Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity's environment.

4. Determine if the covered entity risk assessment has been conducted on a periodic basis.

5. Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.

Page 19: How to Conduct a Bona Fide HIPAA Security Risk Analysis


OCR Corrective Action Plans

CAP Requirement, marked "x" for each entity where it applies (entities: MEEI, CVS, Rite-Aid, BCBS TN, Mass General Hospital, Phoenix Cardiac Surgery, UCLA, AK DHSS):

• Establish a Comprehensive Information Security Program: x

• Designate an accountable Security Owner: x x

• Develop and maintain privacy and security policies and procedures to comply with Federal standards: x x x x x x x

• Distribute and update policies and procedures: x x x x x x x

• Procedures to include responding to security incidents: x x x x x x x

• Implement training with certifications and sanctions for non-compliance: x x x x x x x

• Conduct a Risk Analysis and a Risk Management Process: x x x x x x x x

• Design and Implement Reasonable Administrative, Physical and Technical Safeguards to control risks: x x x x x x x x

• Develop and use reasonable steps to select and retain service providers: x

• Evaluate and adjust Security Program in light of testing and monitoring and material changes to the environment: x x x x x x x x

• Obtain assessments from qualified objective independent 3rd party: x x x x x x x x

• Retain required documentation: x x x x x x x x

Page 20: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Session Objectives


1. Understand & Review Regulatory Requirements, Potential Liabilities and HHS/OCR Final Guidance

2. Understand Risk Analysis & Management Essentials

3. Learn how to Complete a Risk Analysis

Page 22: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Risk Analysis Myths [1]

HIPAA Security Risk Analysis Myths and Facts

Myth: The security risk analysis is optional for small providers.

Fact: False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

Myth: Simply installing a certified EHR fulfills the security risk analysis MU requirement.

Fact: False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

Myth: My EHR vendor took care of everything I need to do about privacy and security.

Fact: False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

Myth: I have to outsource the security risk analysis.

Fact: False. It is possible for small practices to do risk analysis themselves using self-help tools such as the U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology’s (ONC) risk analysis tool. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.

[1] ONC Guide to Privacy and Security of Health Information

Page 23: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Risk Analysis Myths [1]

HIPAA Security Risk Analysis Myths and Facts

Myth: A checklist will suffice for the risk analysis requirement.

Fact: False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.

Myth: There is a specific risk analysis method that I must follow.

Fact: False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.

Myth: My security risk analysis only needs to look at my EHR.

Fact: False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data. Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.

Myth: I only need to do a risk analysis once.

Fact: False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. For more on reassessing your security practices, please see http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__privacy___security_frame-work/1173

[1] ONC Guide to Privacy and Security of Health Information

Page 24: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Risk Analysis Myths [1]

HIPAA Security Risk Analysis Myths and Facts

Myth: Before I attest for an EHR incentive program, I must fully mitigate all risks.

Fact: False. The EHR incentive program requires addressing any deficiencies identified during the risk analysis during the reporting period.

Myth: Each year, I’ll have to completely redo my security risk analysis.

Fact: False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks.

[1] ONC Guide to Privacy and Security of Health Information

Page 25: How to Conduct a Bona Fide HIPAA Security Risk Analysis


CMS Meaningful Use Attestation Audits

https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Attestation.html#10

Will CMS conduct audits?

“Any provider attesting to receive an EHR incentive payment for either the Medicare EHR Incentive Program or the Medicaid EHR Incentive Program potentially may be subject to an audit.”

“…If you attest prior to actually meeting the meaningful use security requirement, you could increase your business liability for federal law violations and making a FALSE CLAIM.” (emphasis added)

Page 26: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Thinking Like a Risk Analyst

Security Risk exists when… a Threat (Actor) CAN EXPLOIT a Vulnerability (Weakness) AND CAUSE an Impact (Cost) …in protecting an asset….

Risk Analysis is the identification and rank-ordering of risks through the assessment of Controls in place to detect and block the threat, to detect and fix a vulnerability, or to respond to incidents (impacts) when all else fails.

Page 27: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Thinking Like a Risk Manager

Risks of all types & sizes exist

Risk Identification

Risk Treatment: Avoid / Transfer Risks | Accept Risks | Mitigate / Transfer Risks

Risk Management is making informed decisions on how to treat risks.

Page 28: How to Conduct a Bona Fide HIPAA Security Risk Analysis


What A Risk Analysis Is Not

• A network vulnerability scan

• A penetration test

• A configuration audit

• A network diagram review

• A questionnaire

• Information system activity review

ALL IMPORTANT BUT DO NOT COMPRISE A RISK ANALYSIS

Page 29: How to Conduct a Bona Fide HIPAA Security Risk Analysis


What A Risk Analysis Is…

A Risk Analysis IS the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, …, resulting from the operation of an information system. Part of risk management, it incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. [1]

[1] NIST SP800-30

Page 30: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Poll #3 – Bona Fide Risk Analysis?

Page 31: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Risk Analysis and Risk Management

1. What is our exposure of our information assets (e.g., ePHI)?

2. What do we need to do to treat or manage risks?

Both Are Required in MU and HIPAA

Page 32: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Controls Help Address Vulnerabilities


Information Asset: Laptop with ePHI

Threat Source: Burglar who may steal Laptop with ePHI

Threat Action: Steal Laptop

Vulnerabilities:

• Device is portable

• Weak password

• ePHI is not encrypted

• ePHI is not backed up

Controls:

• Policies & Procedures

• Training & Awareness

• Cable lock down

• Strong passwords

• Encryption

• Remote wipe

• Data Backup

Page 33: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Risk = f([Assets+Threats+Vulnerabilities+Controls] * [Likelihood * Impact])

Risks: Financial | Political | Clinical | Legal | Regulatory | Operational | Reputational

Likelihood (based on threat, vulnerabilities and current controls in place): Not Applicable | Rare | Unlikely | Moderate | Likely | Almost Certain

Impact (based on size, sensitivity and effort or cost of remediation): Not Applicable | Insignificant | Minor | Moderate | Major | Disastrous

Page 34: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Establishing a Risk Value


Risk = Likelihood * Impact

Likelihood

Rank | Description | Example

0 | Not Applicable | Will never happen

1 | Rare | May happen once every 10 years

2 | Unlikely | May happen once every 3 years

3 | Moderate | May happen once every 1 year

4 | Likely | May happen once every month

5 | Almost Certain | May happen once every week

Impact

Rank | Description | Example

0 | Not Applicable | Does not apply

1 | Insignificant | Not reportable; Remediate within 1 hour

2 | Minor | Not reportable; Remediate within 1 business day

3 | Moderate | Not reportable; Remediate within 5 business days

4 | Major | Reportable; Less than 500 records compromised

5 | Disastrous | Reportable; Greater than 500 records compromised

Risk Rating (Likelihood * Impact):

• Critical = 25

• High = 15-24

• Medium = 8-14

• Low = 0-7
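As an added worked example (not code from the slides or from Clearwater's tool), the Python below scores a small risk register with the 5x5 Likelihood * Impact model and rating thresholds above, rank-orders the risks as the risk-analysis definition calls for, and produces the documentation rows the HHS/OCR guidance steps 3 to 8 require. The register entries are constructed from the laptop example on the earlier slide; the likelihood and impact ranks assigned to them are illustrative assumptions.

```python
"""Added example (not code from the slides or the Clearwater tool): a small
risk register scored with the slide's 5x5 model, Risk = Likelihood * Impact.
Entries are constructed from the laptop example; ranks are illustrative."""
from dataclasses import dataclass
from typing import Dict, List

# Rank scales exactly as given on the slide (0-5 each).
LIKELIHOOD = {0: "Not Applicable", 1: "Rare", 2: "Unlikely",
              3: "Moderate", 4: "Likely", 5: "Almost Certain"}
IMPACT = {0: "Not Applicable", 1: "Insignificant", 2: "Minor",
          3: "Moderate", 4: "Major", 5: "Disastrous"}


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood * Impact; both ranks must be on the 0-5 scale."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be integer ranks 0-5")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Slide thresholds: Critical = 25, High = 15-24, Medium = 8-14, Low = 0-7."""
    if score == 25:
        return "Critical"
    if score >= 15:
        return "High"
    return "Medium" if score >= 8 else "Low"


@dataclass
class RiskEntry:
    """One asset / threat / vulnerability combination and its controls in place."""
    asset: str
    threat_source: str
    threat_action: str
    vulnerability: str
    controls_in_place: List[str]
    likelihood: int  # based on threat, vulnerabilities and current controls
    impact: int      # based on size, sensitivity and cost of remediation

    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)


def rank_register(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Rank-order risks, highest score first; ties broken by vulnerability name."""
    return sorted(entries, key=lambda e: (-e.score(), e.vulnerability))


def documentation_rows(entries: List[RiskEntry]) -> List[Dict[str, str]]:
    """Rows for the written record the Security Rule requires (format is free)."""
    return [{
        "asset": e.asset,
        "threat": f"{e.threat_source}: {e.threat_action}",
        "vulnerability": e.vulnerability,
        "controls": ", ".join(e.controls_in_place) or "(none)",
        "likelihood": f"{e.likelihood} {LIKELIHOOD[e.likelihood]}",
        "impact": f"{e.impact} {IMPACT[e.impact]}",
        "risk": f"{e.score()} {risk_level(e.score())}",
    } for e in rank_register(entries)]


def sample_register() -> List[RiskEntry]:
    """Constructed from the slide's laptop example; ranks are assumptions."""
    laptop = ("Laptop with ePHI", "Burglar", "Steal laptop")
    return [
        RiskEntry(*laptop, "ePHI is not encrypted", ["Strong passwords"], 4, 5),
        RiskEntry(*laptop, "Device is portable",
                  ["Policies & Procedures", "Training & Awareness"], 4, 4),
        RiskEntry(*laptop, "Weak password", [], 3, 3),
        RiskEntry(*laptop, "ePHI is not backed up", ["Data Backup"], 2, 3),
    ]


if __name__ == "__main__":
    for row in documentation_rows(sample_register()):
        print(row)
```

Re-running the scorer after a control such as encryption is put in place, with the analyst lowering the affected ranks, is the "periodic review and update" step of the guidance applied to the same register.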

Page 35: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Session Objectives


1. Understand & Review Regulatory Requirements, Potential Liabilities and HHS/OCR Final Guidance

2. Understand Risk Analysis & Management Essentials

3. Learn how to Complete a Risk Analysis

Page 36: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Risk Analysis


Inventory Information Assets that Store ePHI

Understand Significant Threats and Vulnerabilities

Determine if You Have the Right Controls in Place

Determine Your Likelihood of Harm and Risk Rating

Create Compliance Documentation and Management Reports

Page 37: How to Conduct a Bona Fide HIPAA Security Risk Analysis


NIST SP800-30, Rev 3


Page 38: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Clearwater HIPAA Security Risk Analysis™


Educate | Assess | Respond | Monitor | Document

https://HIPAASecurityRiskAnalysis.com/

Page 39: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Asset Inventory List

Page 40: How to Conduct a Bona Fide HIPAA Security Risk Analysis


What A Risk Analysis Process Looks Like…

Page 41: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Risk Rating Report

Page 42: How to Conduct a Bona Fide HIPAA Security Risk Analysis


High Value - High Impact Risk Analysis WorkShop™ Process

I. PREPARATION

A. Plan / Gather / Schedule

B. Read Ahead / Review Materials

C. Provide SaaS Subscription / Train

D. Complete Asset Inventory

II. ONSITE ASSESSMENT

A. Discover

B. Educate & Equip

C. Identify Threats

D. Review Controls

III. WRITTEN REPORT

A. Populate SaaS

B. Follow Up

C. Analyze & Report

D. Presentation and Sign Off

Page 43: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Key WorkShop™ Deliverables

1. Preparation for Mandatory Audits

2. Objective, Independent 3rd Party Analysis

3. Solid Educational Foundation

4. Completion of 45 CFR 164.308(a)(1)(ii)(A) - Risk Analysis

5. Complete Foundational Security Program Step

6. Preliminary Remediation Plan

7. Risk Analysis / Remediation Report

8. Fully Populated SaaS tool (Ongoing Management)

Demonstrate Good Faith Effort

Page 44: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Three Ways to Work Together

I. Software Subscription Only

– Subscribe to our Software-as-a-Service (SaaS) Applications and use your internal staff members to complete the work.

Fishing Equipment

Page 45: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Three Ways to Work Together

II. Software Subscription + N Days of Consulting

– Subscribe to our Software-as-a-Service (SaaS) Applications and engage Clearwater experts to advise, guide and review work.

+ Fishing Lessons

Page 46: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Three Ways to Work Together

III. Software Subscription + WorkShop to Complete Risk Analysis

– Subscribe to our Software-as-a-Service (SaaS) Applications and engage Clearwater to drive completion of work.

+ Fishing Charter

Page 47: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Summary and Next Steps


Risk Analysis is a Critical, Foundational Step

Consider Assessing the Forest as Well

Completing a Risk Analysis is key to HIPAA compliance

But, is not your only requirement…

Stay Business Risk Management-Focused

Don’t Call The Geek Squad

Large or Small: Get Help (Tools, Experts, etc)

Consider tools and templates

Page 48: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Register For Upcoming Live HIPAA-HITECH Webinars at:

http://abouthipaa.com/webinars/upcoming-live-webinars/


Get more info…

View pre-recorded Webinars like this one at:

http://abouthipaa.com/webinars/on-demand-webinars/

Page 50: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Expert Instructors

Mary Chaput, MBA, CIPP/US – CFO & Chief Compliance Officer, Clearwater Compliance

Bob Chaput, CISSP, CIPP/US, CHP, CHSS – CEO, Clearwater Compliance

James C. Pyles – Principal, Powers Pyles Sutter & Verville PC

Jacquelyn Starnes – Director, Internal Audit, Hospice Compassus

Page 51: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Poll #4 – Best Medium for You?


Page 53: How to Conduct a Bona Fide HIPAA Security Risk Analysis


Additional Information
