2012 10 19 risk analysis training deck


Transcript of 2012 10 19 risk analysis training deck

Page 1: 2012 10 19 risk analysis training deck

© 2010-12 Clearwater Compliance LLC | All Rights Reserved

Clearwater HIPAA Risk Analysis™


Jon Stone, MPA, PMP | 615-210-9612 | [email protected]

Page 2: 2012 10 19 risk analysis training deck

Jon Stone, MPA, PMP

• 25+ years in Healthcare in the provider, payer and healthcare quality improvement fields
• Innovator | Strategic Program Manager | Consultant | Executive
• 15+ years of strategic leadership for compliance and Healthcare information technology projects involving the most sensitive ePHI for companies such as CIGNA, Healthways and Ingenix.
• PMP, MPA - Healthcare Policy and Administration

Page 3: 2012 10 19 risk analysis training deck

Security Evaluation v. Risk Analysis

45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

45 C.F.R. §164.308(a)(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. (ii) Implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Page 4: 2012 10 19 risk analysis training deck

Two Dimensions of HIPAA

Security: 45 CFR 164.308(a)(1)(ii)(A)

Compliance: 45 CFR 164.308(a)(8)

Business Risk Management

Overall Business Risk Management Program; not "an IT project"

Page 5: 2012 10 19 risk analysis training deck

Regardless of the risk analysis methodology employed… (from HHS/OCR Final Guidance)

1. Scope of the Analysis - all ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a).)

2. Data Collection - The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)

3. Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)

4. Assess Current Security Measures - Organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

5. Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)

6. Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)

7. Determine the Level of Risk - The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

8. Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).)

9. Periodic Review and Updates to the Risk Assessment - The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)
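The nine steps above carried through on a toy risk register, as an added illustration that is not part of the deck and not the Clearwater HIPAA Risk Analysis tool or the Clearwater Risk Algorithm. The 1-5 likelihood and impact scales, the likelihood x impact formula and the High/Medium/Low bands are assumptions in the style of NIST SP 800-30, and every asset, control and rating is constructed sample data.

```python
"""Toy HIPAA risk register that carries the nine HHS/OCR steps through in code.
Added illustration, not Clearwater's tool or the Clearwater Risk Algorithm. Assumed:
1-5 likelihood/impact scales, risk = likelihood x impact, High/Medium/Low bands at
15 and 8 (NIST SP 800-30 style). All assets, controls and ratings are constructed."""
from dataclasses import dataclass

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class Scenario:
    asset: str            # step 1: in-scope system that stores or transmits ePHI
    threat: str           # step 3: threat agent and threat action
    vulnerability: str    # step 3: weakness the threat could exploit
    controls: dict        # step 4: expected safeguard -> currently in place?
    likelihood: str       # step 5
    impact: str           # step 6

def risk_score(s: Scenario) -> int:
    """Step 7: combine the likelihood and impact ratings (assumed formula)."""
    return LIKELIHOOD[s.likelihood] * IMPACT[s.impact]

def risk_level(score: int) -> str:
    """Assumed bands; a real program documents its own thresholds."""
    if score >= 15:
        return "High"
    return "Medium" if score >= 8 else "Low"

def control_gaps(s: Scenario) -> list:
    """Step 4: safeguards expected for this scenario that are not in place."""
    return sorted(c for c, ok in s.controls.items() if not ok)

def build_register(scenarios: list) -> list:
    """Step 8: one documented record per scenario, highest risk first."""
    rows = [{"asset": s.asset, "threat": s.threat, "vulnerability": s.vulnerability,
             "score": risk_score(s), "level": risk_level(risk_score(s)),
             "control_gaps": control_gaps(s)} for s in scenarios]
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed scenarios using items from the "dilemma" slide's asset, threat and vulnerability lists.
SAMPLE = [
    Scenario("Laptop (clinic)", "Burglar/Thief: Burglary/Theft", "Endpoint Leakage Vulnerabilities",
             {"AC-19 mobile device restrictions": True, "Device encryption": False}, "likely", "major"),
    Scenario("EHR server", "Malware: Corruption of important data", "Anti-malware Vulnerabilities",
             {"Anti-malware": True, "Tested backups": True}, "possible", "severe"),
    Scenario("Backup media", "Fire: Fire damage to equipment", "Insufficient fire protection",
             {"Offsite copy": False}, "rare", "major"),
]
```

Re-running `build_register` on the updated scenarios at each periodic review (step 9) is what keeps the documented register current.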

Page 6: 2012 10 19 risk analysis training deck

Risk Management Guidance

• Guidance on Risk Analysis Requirements under the HIPAA Security Rule (Final)
• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments – DRAFT
• NIST SP800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39 (final), Managing Information Security Risk
• NIST SP800-53 Revision 3 (final), Recommended controls for Federal Information Systems and Organizations
• NIST SP800-53A Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans

Page 7: 2012 10 19 risk analysis training deck

What A Risk Analysis Is Not

• A network vulnerability scan
• A penetration test
• A configuration audit
• A network diagram review
• A questionnaire
• Information system activity review

Page 8: 2012 10 19 risk analysis training deck

What A Risk Analysis Is…

A Risk Analysis IS the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, …, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.[1]

[1] NIST SP800-30

Page 9: 2012 10 19 risk analysis training deck

1. Inventory Information Assets that Store ePHI
2. Understand Significant Threats and Vulnerabilities
3. Determine if You Have the Right Controls in Place
4. Determine Your Likelihood of Harm and Risk Rating
5. Create Compliance Documentation and Management Reports

Page 10: 2012 10 19 risk analysis training deck

Clearwater HIPAA Risk Analysis™ - Features

• Delivers mature methodology with the unique Clearwater Risk Algorithm™ for healthcare.
• Records a complete repository about information assets and the associated threats, vulnerabilities and risk rating
• Strictly follows HHS/OCR guidance and NIST risk assessment processes
• Highlights security control deficiencies
• Permanently records and updates your current security risk profile
• Perpetual Information Asset Inventory and Risk Analysis repository

Page 11: 2012 10 19 risk analysis training deck

The Risk Analysis Dilemma

Assets and Media
• Backup Media
• Desktop
• Disk Array
• Electronic Medical Device
• Laptop
• Pager
• Server
• Smartphone
• Storage Area Network
• Tablet
• Third-party service provider
• Etcetera…

NIST SP 800-53 Controls
• PS-6 a The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
• PS-6 b The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
• AC-19 a The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices.
• AC-19 b The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.
• AC-19 d The organization enforces requirements for the connection of mobile devices to organizational information systems.
• AC-19 e The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
• Etcetera…
569

Vulnerabilities
• Anti-malware Vulnerabilities
• Destruction/Disposal Vulnerabilities
• Dormant Accounts
• Endpoint Leakage Vulnerabilities
• Excessive User Permissions
• Insecure Network Configuration
• Insecure Software Development Processes
• Insufficient Application Capacity
• Insufficient data backup
• Insufficient data validation
• Insufficient equipment redundancy
• Insufficient equipment shielding
• Insufficient fire protection
• Insufficient HVAC capability
• Insufficient power capacity
• Insufficient power shielding
• Etcetera…

Threat Actions
• Burglary/Theft
• Corruption or destruction of important data
• Data Leakage
• Data Loss
• Denial of Service
• Destruction of important data
• Electrical damage to equipment
• Fire damage to equipment
• Information leakage
• Etcetera…

Threat Agent
• Burglar/Thief
• Electrical Incident
• Entropy
• Fire
• Flood
• Inclement weather
• Malware
• Network Connectivity Outage
• Power Outage/Interruption
• Etcetera…

Approximately 170,000,000 Permutations

Page 12: 2012 10 19 risk analysis training deck


The Unique Clearwater Risk Algorithm

Page 14: 2012 10 19 risk analysis training deck


Risk Rating Report

Page 15: 2012 10 19 risk analysis training deck

For more assistance

Call 1-800-704-3394 for support. Don’t forget the FAQs. For release notes and video FAQs go to

http://clearwatercompliance.com/hipaa/blog/

Email [email protected]

Page 16: 2012 10 19 risk analysis training deck


Questions?

Page 17: 2012 10 19 risk analysis training deck


Need help with resources or expertise?