Transcript: How to Conduct a Meaningful Use / HIPAA Security Risk Analysis (Clearwater Compliance LLC, PowerPoint presentation, 51 slides)

Page 1: Welcome  to  today’s Live Event… we will begin shortly… Please feel free to use “Chat” or “Q&A” to tell us any ‘burning’ questions you may have in advance

© 2010-12 Clearwater Compliance LLC | All Rights Reserved

"Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not to be noised abroad, I will keep silence thereon, counting such things to be as sacred as secrets." - Hippocratic Oath, 4th Century, B.C.E.


First HIPAA Security Risk Analyst

Page 2

How to Conduct a Meaningful Use / HIPAA Security Risk Analysis

April 17, 2012

Bob Chaput, MA, CISSP, CHP, CHSS, MCSE | 615-656-4299 or [email protected] | Clearwater Compliance LLC

Page 3

Bob Chaput, CISSP, MA, CHP, CHSS, MCSE

• President – Clearwater Compliance LLC
• 30+ years in Business, Operations and Technology
• 20+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Numerous Technical Certifications (MCSE, MCSA, etc.)
• Expertise and Focus: Healthcare, Financial Services, Legal
• Member: NMGMA, HIMSS, ISSA, HCCA, ACHE, AHIMA, NTC, ACP, Chambers, Boards

http://www.linkedin.com/in/BobChaput

Page 4

About HIPAA-HITECH Compliance

1. We are not attorneys!
2. HIPAA and HITECH are dynamic!
3. Lots of different interpretations!

So there!

Page 5

5 Actions to Take Now

1. Formally establish and charter a Privacy and Security Risk Management Council and establish a Security Management Process per 45 CFR §164.308(a)(1).
2. Complete an Evaluation per 45 CFR §164.308(a)(8) to assess Security Rule “black letter” compliance and to understand the complete regulation; the Security Rule is the ultimate checklist.
3. Complete a Risk Analysis per 45 CFR §164.308(a)(1)(ii)(A) to assess risk and determine the CE’s security posture and initiate a corrective action plan.
4. Complete an assessment of compliance with the Privacy Rule using 45 CFR §164.530 Administrative Requirements as a guide.
5. Document and act upon a corrective action plan for Security Rule compliance, Privacy Rule compliance, and overall Risk Management per 45 CFR §164.308(a)(1)(ii)(B).

Demonstrate Good Faith Effort

Page 6

Session Objectives

1. Review Regulatory Requirements and HHS/OCR Final Guidance
2. Understand Risk Analysis Essentials
3. Learn how to Complete a Risk Analysis

Page 7

HITECH meets HIPAA …at Meaningful Use

HIPAA Security Final Rule + Meaningful Use Final Rule → Risk Analysis, 45 CFR 164.308(a)(1)(ii)(A)

Page 8

Two Dimensions of HIPAA Security Business Risk Management

• Security – 45 CFR 164.308(a)(1)(ii)(A) (Risk Analysis)
• Compliance – 45 CFR 164.308(a)(8) (Evaluation)

Overall Business Risk Management Program; Not “an IT project”

Page 9

Security Evaluation v. Risk Analysis

45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

45 C.F.R. §164.308(a)(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Page 10

EP Meaningful Use – Core: Eligible Professionals, 15 Core Objectives

1. Computerized provider order entry (CPOE)
2. E-Prescribing (eRx)
3. Report ambulatory clinical quality measures to CMS/States
4. Implement one clinical decision support rule
5. Provide patients with an electronic copy of their health information, upon request
6. Provide clinical summaries for patients for each office visit
7. Drug-drug and drug-allergy interaction checks
8. Record demographics
9. Maintain an up-to-date problem list of current and active diagnoses
10. Maintain active medication list
11. Maintain active medication allergy list
12. Record and chart changes in vital signs
13. Record smoking status for patients 13 years or older
14. Capability to exchange key clinical information among providers of care and patient-authorized entities electronically
15. Protect electronic health information

Page 11

EH & CAH Meaningful Use: EHs and CAHs, 14 Core Objectives

1. Use CPOE for medication orders directly entered by any licensed healthcare professional who can enter orders into the medical record per State, local, and professional guidelines.
2. Implement drug-drug and drug-allergy interaction checks.
3. Maintain an up-to-date problem list of current and active diagnoses.
4. Maintain active medication list.
5. Maintain active medication allergy list.
6. Record specific set of demographics.
7. Record and chart changes in vital signs.
8. Record smoking status for patients 13 years old or older.
9. Report hospital clinical quality measures to CMS or, in the case of Medicaid eligible hospitals, the States.
10. Implement one clinical decision support rule related to a high priority hospital condition along with the ability to track compliance with that rule.
11. Provide patients with an electronic copy of their health information (including diagnostic test results, problem list, medication lists, medication allergies, discharge summary, procedures), upon request.
12. Provide patients with an electronic copy of their discharge instructions at time of discharge, upon request.
13. Capability to exchange key clinical information (for example, problem list, medication list, medication allergies, and diagnostic test results) among providers of care and patient authorized entities electronically.
14. Protect electronic health information.

Page 12

Regardless of the risk analysis methodology employed… (from HHS/OCR Final Guidance)

1. Scope of the Analysis – all ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a).)
2. Data Collection – The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)
3. Identify and Document Potential Threats and Vulnerabilities – Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
4. Assess Current Security Measures – Organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
5. Determine the Likelihood of Threat Occurrence – The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
6. Determine the Potential Impact of Threat Occurrence – The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
7. Determine the Level of Risk – The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
8. Finalize Documentation – The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).)
9. Periodic Review and Updates to the Risk Assessment – The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)

Page 13

Risk Management Guidance

• HHS/OCR: Guidance on Risk Analysis Requirements under the HIPAA Security Rule (Final)
• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments – DRAFT
• NIST SP800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39 (Final), Managing Information Security Risk
• NIST SP800-53 Revision 3 (Final), Recommended Security Controls for Federal Information Systems and Organizations
• NIST SP800-53A Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans

Page 14

Session Objectives

1. Review Regulatory Requirements and HHS/OCR Final Guidance
2. Understand Risk Analysis Essentials
3. Learn how to Complete a Risk Analysis

Page 15

Risk Analysis is Not Easy

Page 16

What A Risk Analysis Is Not

• A network vulnerability scan
• A penetration test
• A configuration audit
• A network diagram review
• A questionnaire
• Information system activity review

A Risk Analysis IS the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, …, resulting from the operation of an information system. Part of risk management, it incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.

Page 17

NOT Risk Management

Page 18

Risk Analysis and Risk Management

1. What is the exposure of our information assets (e.g., ePHI)?
2. What do we need to do to treat or manage risks?

Both Are Required in MU and HIPAA

Page 19

Security Risk Management Process

Risk Management Approach → Asset Inventory → Risk Analysis → Risk Treatment → Documentation

Page 20

What is Risk?

Risk = Impact * Likelihood

Goal = Understand What Risks Exist and Into What Category They Fall

Overall Risk Value (Impact rows × Likelihood columns)

                    Likelihood
Impact      LOW       MEDIUM    HIGH
HIGH        Medium    High      Critical
MEDIUM      Low       Medium    High
LOW         Low       Low       Medium

Page 21

Risk Analysis “Algebra”

Page 22

Threat Sources

1. Adversarial: Individual (Outsider, Insider); Group (Ad hoc, Established) …
2. Accidental: Ordinary User, Privileged User
3. Structural: IT Equipment, Environmental Controls, Software
4. Environmental: Natural or man-made disaster (fire, flood, hurricane), Unusual natural event, Infrastructure failure/outage (telecomm, power)

… An adapted definition of threat source, from NIST SP 800-30, is “The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally exploit a vulnerability...”

Page 23

Vulnerabilities

Vulnerability is defined in NIST Special Publication (SP) 800-30 as “Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.”

1. Lack of strong password
2. Lack of personal firewall
3. Lack of data backup
4. Lack of policies
5. Failure to follow policies
6. Lack of training
7. Lack of encryption on laptops with ePHI…
8. …and on and on …

Page 24

Controls Help Address Vulnerabilities

Information Asset: Laptop with ePHI

Threat Source: Burglar who may steal laptop with ePHI

Vulnerabilities:
• Device is portable
• Weak password
• ePHI is not encrypted
• ePHI is not backed up

Controls:
• Policies & Procedures
• Training & Awareness
• Cable lock down
• Strong passwords
• Encryption
• Remote wipe
• Data Backup

Page 25

Risk = f([Assets + Threats + Vulnerabilities + Controls] * [Likelihood * Impact])

Risks: Financial • Political • Legal • Regulatory • Operational impact • Reputational

Likelihood (based on threat, vulnerabilities and current controls in place): Not Applicable • Rare • Unlikely • Moderate • Likely • Almost Certain

Impact (based on size, sensitivity and effort or cost of remediation): Not Applicable • Insignificant • Minor • Moderate • Major • Disastrous

Page 26

Establishing a Risk Value

Risk = Likelihood * Impact

Likelihood
Rank  Description      Example
0     Not Applicable   Will never happen
1     Rare             May happen once every 10 years
2     Unlikely         May happen once every 3 years
3     Moderate         May happen once every 1 year
4     Likely           May happen once every month
5     Almost Certain   May happen once every week

Impact
Rank  Description      Example
0     Not Applicable   Does not apply
1     Insignificant    Not reportable; remediate within 1 hour
2     Minor            Not reportable; remediate within 1 business day
3     Moderate         Not reportable; remediate within 5 business days
4     Major            Reportable; fewer than 1,000 records compromised
5     Disastrous       Reportable; more than 1,000 records compromised

Risk value bands: Critical = 25 • High = 15-24 • Medium = 8-14 • Low = 0-7

Page 27

Simplified Risk Analysis Example

Asset   Threat  Vulnerability          Likelihood (1-5)  Impact (1-5)  Risk (L * I)
Laptop  Theft   Device is portable     4                 3             12
Laptop  Theft   Weak password          2                 4             8
Laptop  Theft   ePHI is not encrypted  3                 5             15
Laptop  Theft   ePHI is not backed up  1                 2             2

Page 28

The Process

Risk Approach → Asset Inventory → Risk Analysis → Risk Treatment → Documentation

Page 29

Criteria For Accepting Risks

Score Range: 0-25 Risk Values: Critical = 25 • High = 15-24 • Medium = 8-14 • Low = 0-7

Example:
• Acceptable level of risk: 14
• Value of risk A: 9 – no treatment is needed
• Value of risk B: 17 – risk treatment is needed

Page 30

Risk Treatment

• Risk Management = making informed decisions about treating risks:
  1. Avoid
  2. Accept
  3. Mitigate
  4. Transfer
  5. Share
• Not all Risks need “mitigation”
• All Risks need “treatment”

Page 31

Risk Management

Risks of all types & sizes exist

Risk Identification → Risk Treatment:
• Avoid / Transfer Risks
• Accept Risks
• Mitigate / Transfer Risks

Page 32

Risk Mitigation Example

Before
Asset   Threat  Vulnerability          Likelihood (1-5)  Impact (1-5)  Risk (L * I)
Laptop  Theft   Device is portable     4                 3             12
Laptop  Theft   ePHI is not encrypted  3                 5             15

After
Asset   Threat  Vulnerability          New Control           Likelihood (1-5)  Impact (1-5)  Residual Risk (L * I)
Laptop  Theft   Device is portable     Cable lock down       1                 3             3
Laptop  Theft   ePHI is not encrypted  Full Disk Encryption  1                 5             5
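The risk “algebra” of Pages 20, 26, 27, 29 and 32 carried through in working code, as an added example that is not part of the deck and not the Clearwater software it describes. The 0-5 scales, the score bands (Critical = 25, High = 15-24, Medium = 8-14, Low = 0-7), the 3x3 qualitative matrix, the acceptable-risk level of 14 and the laptop rows are taken from the slides; the function names, the RiskItem record layout and the “treat if score is above the acceptable level” rule are this example’s own assumptions.

```python
"""Semi-quantitative HIPAA risk scoring (Risk = Likelihood * Impact).

Added example. Scales, bands, matrix and sample rows follow the slides;
names and the register layout are assumptions made here, not the deck's.
"""
from dataclasses import dataclass, replace
from typing import Optional

# Ordinal scales from Page 26 (rank -> description)
LIKELIHOOD = {0: "Not Applicable", 1: "Rare", 2: "Unlikely",
              3: "Moderate", 4: "Likely", 5: "Almost Certain"}
IMPACT = {0: "Not Applicable", 1: "Insignificant", 2: "Minor",
          3: "Moderate", 4: "Major", 5: "Disastrous"}

# Risk bands from Pages 26/29: (name, low, high), score range 0-25
BANDS = (("Critical", 25, 25), ("High", 15, 24), ("Medium", 8, 14), ("Low", 0, 7))

# Qualitative 3x3 matrix from Page 20: MATRIX[impact][likelihood]
MATRIX = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Low",    "MEDIUM": "Low",    "HIGH": "Medium"},
}


@dataclass(frozen=True)
class RiskItem:
    """One asset/threat/vulnerability row of the register (layout assumed here)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    control: Optional[str] = None  # control applied; None = before treatment


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood * Impact on the 0-5 ordinal scales (Page 26)."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if value not in range(0, 6):
            raise ValueError(f"{name} must be 0..5, got {value}")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a 0-25 score to Critical / High / Medium / Low (Page 26)."""
    for name, lo, hi in BANDS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"score out of range 0-25: {score}")


def qualitative_risk(impact: str, likelihood: str) -> str:
    """Look up the 3x3 matrix of Page 20 (case-insensitive labels)."""
    return MATRIX[impact.upper()][likelihood.upper()]


def needs_treatment(score: int, acceptable: int = 14) -> bool:
    """Page 29: a risk above the acceptable level must be treated; at or
    below it may be accepted. Default 14 means any High/Critical is treated."""
    return score > acceptable


def evaluate(register, acceptable: int = 14):
    """Score each item, flag treatment, and rank highest risk first."""
    rows = []
    for item in register:
        score = risk_score(item.likelihood, item.impact)
        rows.append({"item": item, "score": score, "band": risk_band(score),
                     "treat": needs_treatment(score, acceptable)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def apply_control(item: RiskItem, control: str,
                  likelihood: Optional[int] = None,
                  impact: Optional[int] = None) -> RiskItem:
    """Re-rate an item after a control (Page 32). A control usually lowers
    likelihood; impact is unchanged unless the control reduces what is exposed."""
    return replace(item, control=control,
                   likelihood=item.likelihood if likelihood is None else likelihood,
                   impact=item.impact if impact is None else impact)


# Constructed register: the laptop rows of Page 27
REGISTER = [
    RiskItem("Laptop", "Theft", "Device is portable", 4, 3),
    RiskItem("Laptop", "Theft", "Weak password", 2, 4),
    RiskItem("Laptop", "Theft", "ePHI is not encrypted", 3, 5),
    RiskItem("Laptop", "Theft", "ePHI is not backed up", 1, 2),
]


def residual_register(register):
    """Apply the Page 32 treatments: cable lock for portability, full-disk
    encryption for unencrypted ePHI; other rows are left untreated."""
    treatments = {"Device is portable": ("Cable lock down", 1, None),
                  "ePHI is not encrypted": ("Full Disk Encryption", 1, None)}
    out = []
    for item in register:
        if item.vulnerability in treatments:
            ctl, new_l, new_i = treatments[item.vulnerability]
            out.append(apply_control(item, ctl, new_l, new_i))
        else:
            out.append(item)
    return out


if __name__ == "__main__":
    for label, reg in (("Before", REGISTER), ("After", residual_register(REGISTER))):
        print(label)
        for r in evaluate(reg):
            it = r["item"]
            print(f"  {it.vulnerability:24} L={it.likelihood} I={it.impact} "
                  f"risk={r['score']:2} {r['band']:8} treat={r['treat']}"
                  + (f" [{it.control}]" if it.control else ""))
```

Run as a script it prints the Before register ranked 15, 12, 8, 2 (only the unencrypted-ePHI row is above the acceptable level of 14) and the After register ranked 8, 5, 3, 2 with nothing left needing treatment. Two practitioner caveats the product hides: the score is ordinal, so 15 is “High” and 12 is “Medium” but 15 is not 25% worse than 12, which is why the bands and the acceptance threshold, not the raw numbers, drive decisions; and full-disk encryption lowers the likelihood that a theft exposes ePHI while leaving impact at 5, so the residual 5 is an accepted risk that still needs a documented treatment decision, not a closed item.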

Page 33

Session Objectives

1. Review Regulatory Requirements and HHS/OCR Final Guidance
2. Understand Risk Analysis Essentials
3. Learn how to Complete a Risk Analysis

Page 34

The Process

Risk Approach → Asset Inventory → Risk Analysis → Risk Treatment → Documentation

Page 35

The Risk Analysis Dilemma

Assets and Media: Backup Media • Desktop • Disk Array • Electronic Medical Device • Laptop • Pager • Server • Smartphone • Storage Area Network • Tablet • Third-party service provider • Etcetera…

Threat Sources:
• ADVERSARIAL – Individual, Groups
• ACCIDENTAL – Ordinary user, Privileged User
• STRUCTURAL – IT Equipment, Environmental, Software
• ENVIRONMENTAL – Natural or man-made, Unusual Natural Event, Infrastructure failure

Threat Actions: Burglary/Theft • Corruption or destruction of important data • Data Leakage • Data Loss • Denial of Service • Destruction of important data • Electrical damage to equipment • Fire damage to equipment • Information leakage • Etcetera…

Vulnerabilities: Anti-malware Vulnerabilities • Destruction/Disposal Vulnerabilities • Dormant Accounts • Endpoint Leakage Vulnerabilities • Excessive User Permissions • Insecure Network Configuration • Insecure Software Development Processes • Insufficient Application Capacity • Insufficient data backup • Insufficient data validation • Insufficient equipment redundancy • Insufficient equipment shielding • Insufficient fire protection • Insufficient HVAC capability • Insufficient power capacity • Insufficient power shielding • Etcetera…

NIST SP 800-53 Controls:
• PS-6 a – The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
• PS-6 b – The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
• AC-19 a – The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices.
• AC-19 b – The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.
• AC-19 c – The organization monitors for unauthorized connections of mobile devices to organizational information systems.
• AC-19 d – The organization enforces requirements for the connection of mobile devices to organizational information systems.
• AC-19 e – The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
• Etcetera… (570)

Over 10 million potential risk–control permutations

Page 36

Software Design Basis

• HHS / OCR Final Guidance on Risk Analysis
• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments – DRAFT
• NIST SP800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39 (Final), Managing Information Security Risk
• NIST SP800-53 Revision 3 (Final), Recommended Security Controls for Federal Information Systems and Organizations
• NIST SP800-53A Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans

Page 37

Clearwater HIPAA Security Risk Analysis™

Educate | Assess | Respond | Monitor | Document

https://HIPAASecurityRiskAnalysis.com/

Page 38

How Risk Analysis Software Helps You

Risk Approach → Asset Inventory → Risk Analysis → Risk Treatment → Documentation

• Produces and houses all essential documentation
• Provides “living, breathing risk management repository”
• Enables easier, future incremental analyses
• Approach rigorously based on OCR & NIST Guidance
• Semi-quantitative
• Comprehensive
• Flexible for Setting Risk Appetite
• Comprehensive documentation
• Captures essential documentation
• Identifies underlying media
• Creates database for deletes / adds / changes
• Includes 9 essential elements
• Serves as ‘wizard’ to guide detailed process
• Assures consistency, repeatability
• Ratings facilitate dynamic risk ranking
• Reporting facilitates informed decision making
• “Notes” facilitate critical documentation re: Risk treatment decisions

Page 39

Asset Inventory List

Page 40

Risk Questionnaire Form

Page 41

Risk Rating Report

Page 42

Sample Export – Asset Inventory

Page 43

High Value – High Impact Risk Analysis WorkShop™ Process

I. PREPARATION
  A. Plan / Gather
  B. Read Ahead
  C. Complete QuickScreen™

II. ONSITE SESSION
  A. Facilitate
  B. Educate
  C. Evaluate

III. CONSULTATION
  A. E-mail
  B. Telephone
  C. Web Meetings

Page 44

Summary and Next Steps

• Risk Analysis is a Critical, Foundational Step
• Consider Assessing the Forest as Well
• Completing a Risk Analysis is key to HIPAA compliance, but is not your only requirement…
• Stay Business Risk Management-Focused
• Don’t Call The Geek Squad
• Large or Small: Get Help (Tools, Experts, etc.)
• Consider tools and templates

Page 45

Clearwater HIPAA Audit Prep BootCamp™ – June 25, 2012 | Chicago, IL

Take Your HIPAA Compliance Program to a Better Place, Faster

Page 46

Expert Instructors

• Jim Mathis, JD, CHC, CHP – Healthcare Industry Attorney, HIPAA Consultant
• Bob Chaput, CISSP, CHP, CHSS, MCSE – CEO, Clearwater Compliance
• James C. Pyles – Principal, Powers Pyles Sutter & Verville PC

Page 47

Get Smart!

“On Demand” HIPAA HITECH RESOURCES, IF NEEDED:
1. http://AboutHIPAA.com/about-hipaa/resources/
2. http://AboutHIPAA.com/webinars/

Page 49

Additional Information

Page 50

Why Now? – What We’re Hearing

“Our business partners (health plans) are demanding we become compliant…” – large national care management company (BA)

“We did work on Privacy, but have no idea where to begin with Security” – 6-Physician Pediatric Practice (CE)

“We want to proactively market our services by leveraging our HIPAA compliance status …” -- large regional fulfillment house (BA)

“With all the recent changes and meaningful use requirements, we need to make sure we meet all The HITECH Act requirements …” – large family medicine group practice (CE)

“We need to have a way to quickly take stock of where we are and then put in place a dashboard to measure and assure our compliance progress…” – national research consortium (BA)

“We need to complete HIPAA-HITECH due diligence on a potential acquisition and need a gap analysis done quickly and efficiently…” – seniors care management company (BA)


Page 51

What Our Customers Say…

“The WorkShop™ process made a very complicated process and subject matter simple. The ToolKit™ itself was excellent and precipitated exactly the right discussion we needed to have.” – outside Legal Counsel, national research consortium

“The HIPAA Security Assessment ToolKit™ and WorkShop™ are a comprehensive approach that effectively guided our organization’s performance against HIPAA-HITECH Security requirements.” – SVP and Chief Compliance, national hospice organization

“… The WorkShop™ process expedited assessment of gaps in our HIPAA Security Compliance program, began to address risk mitigation tasks within a matter of days and… the ‘ToolKit’ was a sound investment for the company, and I can't think of a better framework upon which to launch compliance efforts.” – VP & CIO, national care management organization

“…the process of going through the self-assessment WorkShop™ was a great shared learning experience and teambuilding exercise. In retrospect, I can't think of a better or more efficient way to get started than to use the HIPAA Security Assessment ToolKit.“ – CIO, national kidney dialysis center firm

“…this HIPAA Security Assessment Toolkit is worth its weight in gold. If we had to spend our time and resources creating this spreadsheet, we would never complete our compliance program on time…” — Director, Quality Assurance & Regulatory Affairs