Welcome to today’s Live Event… we will begin shortly… Please feel free to use “Chat” or...
Slide 1

© 2010-12 Clearwater Compliance LLC | All Rights Reserved
"Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not to be noised abroad, I will keep silence thereon, counting such things to be as sacred as secrets." - Hippocratic Oath, 4th Century, B.C.E.
Welcome to today’s Live Event… we will begin shortly… Please feel free to use “Chat” or “Q&A” to tell us any ‘burning’ questions you may have in advance
First HIPAA Security Risk Analyst
Slide 2: How to Conduct a Meaningful Use / HIPAA Security Risk Analysis

April 17, 2012

Bob Chaput, MA, CISSP, CHP, CHSS, MCSE
615-656-4299 or [email protected]
Clearwater Compliance LLC
Slide 3: Bob Chaput, CISSP, MA, CHP, CHSS, MCSE

• President – Clearwater Compliance LLC
• 30+ years in Business, Operations and Technology
• 20+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Numerous Technical Certifications (MCSE, MCSA, etc)
• Expertise and Focus: Healthcare, Financial Services, Legal
• Member: NMGMA, HIMSS, ISSA, HCCA, ACHE, AHIMA, NTC, ACP, Chambers, Boards

http://www.linkedin.com/in/BobChaput
Slide 4: About HIPAA-HITECH Compliance

1. We are not attorneys!
2. HIPAA and HITECH are dynamic!
3. Lots of different interpretations!

So there!
Slide 5: 5 Actions to Take Now

1. Formally establish and charter a Privacy and Security Risk Management Council and establish a Security Management Process per 45 CFR §164.308(a)(1).
2. Complete an Evaluation per 45 CFR §164.308(a)(8) to assess Security Rule “black letter” compliance and to understand the complete regulation; the Security Rule is the ultimate checklist.
3. Complete a Risk Analysis per 45 CFR §164.308(a)(1)(ii)(A) to assess risk and determine the CE’s security posture and initiate a corrective action plan.
4. Complete an assessment of compliance with the Privacy Rule using 45 CFR §164.530 Administrative Requirements as a guide.
5. Document and act upon a corrective action plan for Security Rule compliance, Privacy Rule compliance, and overall Risk Management per 45 CFR §164.308(a)(1)(ii)(B).

Demonstrate Good Faith Effort
Slide 6: Session Objectives

1. Review Regulatory Requirements and HHS/OCR Final Guidance
2. Understand Risk Analysis Essentials
3. Learn how to Complete a Risk Analysis
Slide 7: HITECH meets HIPAA …at Meaningful Use

Diagram: the HIPAA Security Final Rule and the Meaningful Use Final Rule overlap at the Risk Analysis requirement, 45 CFR 164.308(a)(1)(ii)(A).
Slide 8: Two Dimensions of HIPAA Security Business Risk Management

• Security: 45 CFR 164.308(a)(1)(ii)(A)
• Compliance: 45 CFR 164.308(a)(8)

Overall Business Risk Management Program; not “an IT project”
Slide 9: Security Evaluation v. Risk Analysis

45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process. (1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. (ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Slide 10: EP Meaningful Use - Core

Eligible Professionals: 15 Core Objectives
1. Computerized provider order entry (CPOE)
2. E-Prescribing (eRx)
3. Report ambulatory clinical quality measures to CMS/States
4. Implement one clinical decision support rule
5. Provide patients with an electronic copy of their health information, upon request
6. Provide clinical summaries for patients for each office visit
7. Drug-drug and drug-allergy interaction checks
8. Record demographics
9. Maintain an up-to-date problem list of current and active diagnoses
10. Maintain active medication list
11. Maintain active medication allergy list
12. Record and chart changes in vital signs
13. Record smoking status for patients 13 years or older
14. Capability to exchange key clinical information among providers of care and patient-authorized entities electronically
15. Protect electronic health information
Slide 11: EH & CAH Meaningful Use

EHs and CAHs: 14 Core Objectives
1. Use CPOE for medication orders directly entered by any licensed healthcare professional who can enter orders into the medical record per State, local, and professional guidelines.
2. Implement drug-drug and drug-allergy interaction checks.
3. Maintain an up-to-date problem list of current and active diagnoses.
4. Maintain active medication list.
5. Maintain active medication allergy list.
6. Record specific set of demographics.
7. Record and chart specific changes in certain vital signs.
8. Record smoking status for patients 13 years old or older.
9. Report hospital clinical quality measures to CMS or, in the case of Medicaid eligible hospitals, the States.
10. Implement one clinical decision support rule related to a high priority hospital condition along with the ability to track compliance with that rule.
11. Provide patients with an electronic copy of their health information (including diagnostic test results, problem list, medication lists, medication allergies, discharge summary, procedures), upon request.
12. Provide patients with an electronic copy of their discharge instructions at time of discharge, upon request.
13. Capability to exchange key clinical information (for example, problem list, medication list, medication allergies, and diagnostic test results), among providers of care and patient authorized entities electronically.
14. Protect electronic health information.
Slide 12: Regardless of the risk analysis methodology employed… (from HHS/OCR Final Guidance)

1. Scope of the Analysis - all ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a).)
2. Data Collection - The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)
3. Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
4. Assess Current Security Measures - Organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
5. Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
6. Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
7. Determine the Level of Risk - The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
8. Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).)
9. Periodic Review and Updates to the Risk Assessment - The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)
Slide 13: Risk Management Guidance

• HHS/OCR Guidance on Risk Analysis Requirements under the HIPAA Security Rule (Final)
• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments – DRAFT
• NIST SP800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39 (Final), Managing Information Security Risk
• NIST SP800-53 Revision 3 (Final), Recommended Security Controls for Federal Information Systems and Organizations
• NIST SP800-53A Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
Slide 14: Session Objectives

1. Review Regulatory Requirements and HHS/OCR Final Guidance
2. Understand Risk Analysis Essentials
3. Learn how to Complete a Risk Analysis
Slide 15: Risk Analysis is Not Easy
Slide 16: What A Risk Analysis Is Not

• A network vulnerability scan
• A penetration test
• A configuration audit
• A network diagram review
• A questionnaire
• Information system activity review

A Risk Analysis IS the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, …, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.
Slide 17: NOT Risk Management
Slide 18: Risk Analysis and Risk Management

1. What is the exposure of our information assets (e.g., ePHI)?
2. What do we need to do to treat or manage risks?

Both Are Required in MU and HIPAA
Slide 19: Security Risk Management Process

Risk Management Approach → Asset Inventory → Risk Analysis → Risk Treatment → Documentation
Slide 20: What is Risk?

Risk = Impact * Likelihood

Goal = Understand What Risks Exist and Into What Category They Fall

Overall Risk Value:

| Impact \ Likelihood | LOW | MEDIUM | HIGH |
|---|---|---|---|
| HIGH | Medium | High | Critical |
| MEDIUM | Low | Medium | High |
| LOW | Low | Low | Medium |
Slide 21: Risk Analysis “Algebra”
Slide 22: Threat Sources

1. Adversarial
   • Individual: Outsider, Insider
   • Group: Ad hoc, Established…
2. Accidental
   • Ordinary User, Privileged User
3. Structural
   • IT Equipment, Environmental Controls, Software
4. Environmental
   • Natural or man-made disaster (fire, flood, hurricane), Unusual natural event, Infrastructure failure/outage (telecomm, power)

An adapted definition of threat source, from NIST SP 800-30, is “The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally exploit a vulnerability...”
Slide 23: Vulnerabilities

NIST Special Publication (SP) 800-30 defines a vulnerability as a “Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.”

1. Lack of strong password
2. Lack of personal firewall
3. Lack of data backup
4. Lack of policies
5. Failure to follow policies
6. Lack of training
7. Lack of encryption on laptops with ePHI…
8. …and on and on …
Slide 24: Controls Help Address Vulnerabilities

Information Asset
• Laptop with ePHI

Threat Source
• Burglar who may steal Laptop with ePHI

Vulnerabilities
• Device is portable
• Weak password
• ePHI is not encrypted
• ePHI is not backed up

Controls
• Policies & Procedures
• Training & Awareness
• Cable lock down
• Strong passwords
• Encryption
• Remote wipe
• Data Backup
Slide 25: Risk = f([Assets+Threats+Vulnerabilities+Controls] * [Likelihood * Impact])

Risks
• Financial
• Political
• Legal
• Regulatory
• Operational impact
• Reputational

Likelihood (based on threat, vulnerabilities and current controls in place)
• Not Applicable
• Rare
• Unlikely
• Moderate
• Likely
• Almost Certain

Impact (based on size, sensitivity and effort or cost of remediation)
• Not Applicable
• Insignificant
• Minor
• Moderate
• Major
• Disastrous
Slide 26: Establishing a Risk Value

Risk = Likelihood * Impact

Likelihood

| Rank | Description | Example |
|---|---|---|
| 0 | Not Applicable | Will never happen |
| 1 | Rare | May happen once every 10 years |
| 2 | Unlikely | May happen once every 3 years |
| 3 | Moderate | May happen once every 1 year |
| 4 | Likely | May happen once every month |
| 5 | Almost Certain | May happen once every week |

Impact

| Rank | Description | Example |
|---|---|---|
| 0 | Not Applicable | Does not apply |
| 1 | Insignificant | Not reportable; Remediate within 1 hour |
| 2 | Minor | Not reportable; Remediate within 1 business day |
| 3 | Moderate | Not reportable; Remediate within 5 business days |
| 4 | Major | Reportable; Less than 1,000 records compromised |
| 5 | Disastrous | Reportable; Greater than 1,000 records compromised |

Risk value bands:
• Critical = 25
• High = 15-24
• Medium = 8-14
• Low = 0-7
Slide 27: Simplified Risk Analysis Example

| Asset | Threat | Vulnerability | Likelihood (1-5) | Impact (1-5) | Risk (L * I) |
|---|---|---|---|---|---|
| Laptop | Theft | Device is portable | 4 | 3 | 12 |
| Laptop | Theft | Weak password | 2 | 4 | 8 |
| Laptop | Theft | ePHI is not encrypted | 3 | 5 | 15 |
| Laptop | Theft | ePHI is not backed up | 1 | 2 | 2 |
Slide 28: The Process

Risk Approach → Asset Inventory → Risk Analysis → Risk Treatment → Documentation
Slide 29: Criteria For Accepting Risks

Score Range: 0-25. Risk Values: Critical = 25, High = 15-24, Medium = 8-14, Low = 0-7

Example:
• Acceptable level of risk: 14
• Value of risk A: 9 – no treatment is needed
• Value of risk B: 17 – risk treatment is needed
Slide 30: Risk Treatment

• Risk Management = making informed decisions about treating risks
  1. Avoid
  2. Accept
  3. Mitigate
  4. Transfer
  5. Share
• Not all Risks need “mitigation”
• All Risks need “treatment”
Slide 31: Risk Management

Risks of all types & sizes exist

Risk Identification → Risk Treatment:
• Avoid / Transfer Risks
• Accept Risks
• Mitigate / Transfer Risks
Slide 32: Risk Mitigation Example

Before

| Asset | Threat | Vulnerability | Likelihood (1-5) | Impact (1-5) | Risk (L * I) |
|---|---|---|---|---|---|
| Laptop | Theft | Device is portable | 4 | 3 | 12 |
| Laptop | Theft | ePHI is not encrypted | 3 | 5 | 15 |

After

| Asset | Threat | Vulnerability | New Control | Likelihood (1-5) | Impact (1-5) | Residual Risk (L * I) |
|---|---|---|---|---|---|---|
| Laptop | Theft | Device is portable | Cable lock down | 1 | 3 | 3 |
| Laptop | Theft | ePHI is not encrypted | Full Disk Encryption | 1 | 5 | 5 |
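The scoring used across the "Establishing a Risk Value", "Simplified Risk Analysis Example", "Criteria For Accepting Risks" and "Risk Mitigation Example" slides, worked through in Python as an added example (this is not the deck's or Clearwater's software; the 0-5 scales, bands, acceptable level of 14 and laptop rows come from the slides, while the class and function names are this example's own):

```python
"""Semi-quantitative HIPAA risk scoring as laid out in the deck.

Added example, not the deck's or Clearwater's software. The 0-5 scales, the
Critical/High/Medium/Low bands, the acceptable-risk level of 14 and the laptop
rows come from the slides; class and function names are this example's own.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

# "Establishing a Risk Value" slide: ordinal ranks 0-5 for each factor.
LIKELIHOOD = {0: "Not Applicable", 1: "Rare", 2: "Unlikely",
              3: "Moderate", 4: "Likely", 5: "Almost Certain"}
IMPACT = {0: "Not Applicable", 1: "Insignificant", 2: "Minor",
          3: "Moderate", 4: "Major", 5: "Disastrous"}

# Bands from the same slide: Critical = 25, High = 15-24, Medium = 8-14, Low = 0-7.
BANDS = (("Critical", 25), ("High", 15), ("Medium", 8), ("Low", 0))


def risk_band(score: int) -> str:
    """Map a 0-25 risk value onto the deck's four bands."""
    if not 0 <= score <= 25:
        raise ValueError(f"risk value out of range: {score}")
    return next(name for name, floor in BANDS if score >= floor)


@dataclass(frozen=True)
class RiskItem:
    """One register row: asset/threat/vulnerability, the two ordinal
    ratings, and the control (if any) being credited for those ratings."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    control: Optional[str] = None

    def __post_init__(self) -> None:
        # Reject ratings outside the 0-5 scales instead of silently scoring them.
        for name, value, scale in (("likelihood", self.likelihood, LIKELIHOOD),
                                   ("impact", self.impact, IMPACT)):
            if value not in scale:
                raise ValueError(f"{name} must be 0-5, got {value!r}")

    @property
    def risk(self) -> int:
        """Risk = Likelihood * Impact, the deck's formula."""
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        return risk_band(self.risk)


def needs_treatment(score: int, acceptable_level: int = 14) -> bool:
    """'Criteria For Accepting Risks' slide: anything scoring above the
    organisation's acceptable level must be treated (9 passes, 17 does not)."""
    return score > acceptable_level


def apply_control(item: RiskItem, control: str,
                  likelihood: Optional[int] = None,
                  impact: Optional[int] = None) -> RiskItem:
    """Residual-risk row after crediting a new control. A control may lower
    likelihood, impact, or both; the deck's example lowers likelihood only.
    Ratings not supplied carry over unchanged; the new row is re-validated."""
    return replace(item, control=control,
                   likelihood=item.likelihood if likelihood is None else likelihood,
                   impact=item.impact if impact is None else impact)


def rank_register(items: List[RiskItem], acceptable_level: int = 14) -> List[dict]:
    """Dynamic risk ranking: highest risk first, each row flagged for treatment."""
    rows = [{"vulnerability": i.vulnerability, "control": i.control,
             "likelihood": i.likelihood, "impact": i.impact, "risk": i.risk,
             "band": i.band, "treat": needs_treatment(i.risk, acceptable_level)}
            for i in items]
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


# "Simplified Risk Analysis Example" slide, one row per vulnerability.
LAPTOP_BEFORE = [
    RiskItem("Laptop", "Theft", "Device is portable", likelihood=4, impact=3),
    RiskItem("Laptop", "Theft", "Weak password", likelihood=2, impact=4),
    RiskItem("Laptop", "Theft", "ePHI is not encrypted", likelihood=3, impact=5),
    RiskItem("Laptop", "Theft", "ePHI is not backed up", likelihood=1, impact=2),
]

# "Risk Mitigation Example" slide: both new controls drop likelihood to 1.
LAPTOP_AFTER = [
    apply_control(LAPTOP_BEFORE[0], "Cable lock down", likelihood=1),
    apply_control(LAPTOP_BEFORE[2], "Full Disk Encryption", likelihood=1),
]

if __name__ == "__main__":
    for label, register in (("Before", LAPTOP_BEFORE), ("After", LAPTOP_AFTER)):
        print(f"--- {label} ---")
        for r in rank_register(register):
            verdict = "treat" if r["treat"] else "accept"
            print(f"{r['vulnerability']:<22} {r['control'] or '-':<21} "
                  f"L={r['likelihood']} I={r['impact']} risk={r['risk']:>2} "
                  f"{r['band']:<8} {verdict}")
```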
Slide 33: Session Objectives

1. Review Regulatory Requirements and HHS/OCR Final Guidance
2. Understand Risk Analysis Essentials
3. Learn how to Complete a Risk Analysis
Slide 34: The Process

Risk Approach → Asset Inventory → Risk Analysis → Risk Treatment → Documentation
Slide 35: The Risk Analysis Dilemma

Assets and Media: Backup Media, Desktop, Disk Array, Electronic Medical Device, Laptop, Pager, Server, Smartphone, Storage Area Network, Tablet, Third-party service provider, Etcetera…

Threat Sources:
• ADVERSARIAL: Individual, Groups
• ACCIDENTAL: Ordinary user, Privileged User
• STRUCTURAL: IT Equipment, Environmental, Software
• ENVIRONMENTAL: Natural or man-made, Unusual Natural Event, Infrastructure failure

Threat Actions: Burglary/Theft, Corruption or destruction of important data, Data Leakage, Data Loss, Denial of Service, Destruction of important data, Electrical damage to equipment, Fire damage to equipment, Information leakage, Etcetera…

Vulnerabilities: Anti-malware Vulnerabilities, Destruction/Disposal Vulnerabilities, Dormant Accounts, Endpoint Leakage Vulnerabilities, Excessive User Permissions, Insecure Network Configuration, Insecure Software Development Processes, Insufficient Application Capacity, Insufficient data backup, Insufficient data validation, Insufficient equipment redundancy, Insufficient equipment shielding, Insufficient fire protection, Insufficient HVAC capability, Insufficient power capacity, Insufficient power shielding, Etcetera…

NIST SP 800-53 Controls:
• PS-6 a: The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
• PS-6 b: The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
• AC-19 a: The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices.
• AC-19 b: The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.
• AC-19 c: The organization monitors for unauthorized connections of mobile devices to organizational information systems.
• AC-19 d: The organization enforces requirements for the connection of mobile devices to organizational information systems.
• AC-19 e: The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.
• AC-19 f: The organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
• Etcetera… (570)

Over 10 million potential risk-control permutations
Slide 36: Software Design Basis

• HHS / OCR Final Guidance on Risk Analysis
• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments – DRAFT
• NIST SP800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39 (Final), Managing Information Security Risk
• NIST SP800-53 Revision 3 (Final), Recommended Security Controls for Federal Information Systems and Organizations
• NIST SP800-53A Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
Slide 37: Clearwater HIPAA Security Risk Analysis™

Educate | Assess | Respond | Monitor | Document

https://HIPAASecurityRiskAnalysis.com/
Slide 38: How Risk Analysis Software Helps You

Risk Approach → Asset Inventory → Risk Analysis → Risk Treatment → Documentation

• Produces and houses all essential documentation
• Provides “living, breathing risk management repository”
• Enables easier, future incremental analyses
• Approach rigorously based on OCR & NIST Guidance
• Semi-quantitative
• Comprehensive
• Flexible for Setting Risk Appetite
• Comprehensive documentation
• Captures essential documentation
• Identifies underlying media
• Creates database for deletes / adds / changes
• Includes 9 essential elements
• Serves as ‘wizard’ to guide detailed process
• Assures consistency, repeatability
• Ratings facilitate dynamic risk ranking
• Reporting facilitates informed decision making
• “Notes” facilitate critical documentation re: Risk treatment decisions
![Page 39: Welcome to today’s Live Event… we will begin shortly… Please feel free to use “Chat” or “Q&A” to tell us any ‘burning’ questions you may have in advance](https://reader036.fdocuments.in/reader036/viewer/2022070501/5681695c550346895de10dc7/html5/thumbnails/39.jpg)
© 2010-12 Clearwater Compliance LLC | All Rights Reserved39
Asset Inventory List
![Page 40: Welcome to today’s Live Event… we will begin shortly… Please feel free to use “Chat” or “Q&A” to tell us any ‘burning’ questions you may have in advance](https://reader036.fdocuments.in/reader036/viewer/2022070501/5681695c550346895de10dc7/html5/thumbnails/40.jpg)
© 2010-12 Clearwater Compliance LLC | All Rights Reserved40
Risk Questionnaire Form
Risk Rating Report
Sample Export – Asset Inventory
High Value – High Impact Risk Analysis WorkShop™ Process
I. PREPARATION: A. Plan / Gather; B. Read Ahead; C. Complete QuickScreen™
II. ONSITE SESSION: A. Facilitate; B. Educate; C. Evaluate
III. CONSULTATION: A. E-mail; B. Telephone; C. Web Meetings
Summary and Next Steps
• Risk Analysis is a Critical, Foundational Step
• Consider Assessing the Forest as Well
• Completing a Risk Analysis is key to HIPAA compliance
• But, is not your only requirement…
• Stay Business Risk Management-Focused
• Don’t Call The Geek Squad
• Large or Small: Get Help (Tools, Experts, etc)
• Consider tools and templates
Clearwater HIPAA Audit Prep BootCamp™
June 25, 2012 | Chicago, IL
Take Your HIPAA Compliance Program to a Better Place, Faster
Expert Instructors
• Jim Mathis, JD, CHC, CHP – Healthcare Industry Attorney, HIPAA Consultant
• Bob Chaput, CISSP, CHP, CHSS, MCSE – CEO, Clearwater Compliance
• James C. Pyles – Principal, Powers Pyles Sutter & Verville PC
Get Smart!
“On Demand” HIPAA HITECH RESOURCES, IF NEEDED:
1. http://AboutHIPAA.com/about-hipaa/resources/
2. http://AboutHIPAA.com/webinars/
Contact
Bob Chaput, CISSP
Clearwater Compliance LLC
http://www.ClearwaterCompliance.com
[email protected]
Phone: 800-704-3394 or 615-656-4299
Additional Information
Why Now? – What We’re Hearing
“Our business partners (health plans) are demanding we become compliant…” – large national care management company (BA)
“We did work on Privacy, but have no idea where to begin with Security” – 6-Physician Pediatric Practice (CE)
“We want to proactively market our services by leveraging our HIPAA compliance status …” -- large regional fulfillment house (BA)
“With all the recent changes and meaningful use requirements, we need to make sure we meet all The HITECH Act requirements …” – large family medicine group practice (CE)
“We need to have a way to quickly take stock of where we are and then put in place a dashboard to measure and assure our compliance progress…” – national research consortium (BA)
“We need to complete HIPAA-HITECH due diligence on a potential acquisition and need a gap analysis done quickly and efficiently…” – seniors care management company (BA)
What Our Customers Say…
“The WorkShop™ process made a very complicated process and subject matter simple. The ToolKit™ itself was excellent and precipitated exactly the right discussion we needed to have.” – outside Legal Counsel, national research consortium
“The HIPAA Security Assessment ToolKit™ and WorkShop™ are a comprehensive approach that effectively guided our organization’s performance against HIPAA-HITECH Security requirements.” – SVP and Chief Compliance, national hospice organization
“… The WorkShop™ process expedited assessment of gaps in our HIPAA Security Compliance program, began to address risk mitigation tasks within a matter of days and… the ‘ToolKit’ was a sound investment for the company, and I can't think of a better framework upon which to launch compliance efforts.” – VP & CIO, national care management organization
“…the process of going through the self-assessment WorkShop™ was a great shared learning experience and teambuilding exercise. In retrospect, I can't think of a better or more efficient way to get started than to use the HIPAA Security Assessment ToolKit.” – CIO, national kidney dialysis center firm
“…this HIPAA Security Assessment Toolkit is worth its weight in gold. If we had to spend our time and resources creating this spreadsheet, we would never complete our compliance program on time…” — Director, Quality Assurance & Regulatory Affairs