© Clearwater Compliance LLC | All Rights Reserved
Copyright Notice
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]
Legal Disclaimer
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
Bona Fide Information Risk Analysis and Risk Management
September 17, 2014
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US
615-656-4299 or 800-704-3394
[email protected]
Clearwater Compliance LLC
Bob Chaput MA, CISSP, HCISPP, CRISC, CIPP/US
• CEO & Founder – Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates, Financial Services, Retail, Legal
• Member: ACAP, AEHIS Foundation, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA, HCAA, ACHE, AHIMA, NTC, ACP, SIM Chambers, Boards
http://www.linkedin.com/in/BobChaput
First, My Lessons Learned
1. Too many BOD / C-Suites are far too disengaged from information risk management
2. Too many organizations are faking information risk management
3. Too few organizations are working to “mature” information risk management
4. Too many people “check-listing” their way to security with “Top Challenges Facing CISOs…” lists
5. Security professionals are not necessarily information risk managers
6. Too few people are trained / skilled in information risk management
7. Too few people understand risk, not to mention information risk analysis and risk management
Agenda
• Problem
• Actions
• Results
• Resources
How Much Risk is There?
Big Points about Risk Management
• Right Way and Many Wrong Ways
• First Time – Lots of Work
• Not Once and Done
• One of Single Biggest Audit & Investigation Findings
• Top Focus Area in Regulatory Enforcement Actions
• Risk Analysis ≠ Risk Treatment
• Ongoing Effort that Requires Process Maturity
Healthcare – Why Bother?
Big Surprise!
“9. Please submit a copy of XYZ Hospital’s most recent risk analysis, as well as a copy of all risk analyses performed for or by XYZ Hospital within the past 6 years pursuant to 45 C.F.R. § 164.308(a)(1)(ii)(A). If no risk analysis has been performed, please state so.”
Industry Risk Management Requirements
Industry | Guidance or Requirement? | Citation / Documents | NIST Methodology Meets Guidance or Requirement?
Healthcare | Requirement | 45 CFR §164.308(a)(1)(ii)(A) and (B); “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”; NIST SPs | YES
Retail | Requirement | PCI/DSS Requirements and Security Assessment Procedures Version 3.0; PCI/DSS Information Supplement: PCI DSS Risk Assessment Guidelines | YES
Financial Services | Requirement | Section 501(b) of GLBA; Safeguards Rule at 16 C.F.R. § 314; 12 C.F.R. Part 570, Appendix A: Interagency Guidelines Establishing Standards for Safety and Soundness | YES
Federal Agencies | Requirement | 44 USC 3544(b)(1) – Federal Information Security Management Act of 2002 | YES
Education | Guidance | Family Educational Rights and Privacy Act (FERPA); FERPA contains non-binding recommendations to safeguard education records that include conducting a risk assessment | YES
Public Companies (SOX) | Requirement | Section 404 of the Sarbanes-Oxley Act of 2002; financial RA known as SOX 404 top-down risk assessment (TDRA) | Under Review
FedRAMP | Requirement | 44 USC 3544(b)(1) – Federal Information Security Management Act of 2002 | YES, but must be 3PAO assessors
Energy | Requirement | NERC’s Reliability Standards, including the Critical Infrastructure Protection (CIP); NERC Reliability Standard CIP-002-3, Section R1 | YES (still under review)
Problem We’re Trying to Solve
Sensitive information: PHI, PII, Credit Card, Intel. Prop.
• What if my sensitive information is not complete, up-to-date and accurate? (Integrity)
• What if my sensitive information is shared? With whom? How? (Confidentiality)
• What if my sensitive information is not there when it is needed? (Availability)
Don’t Compromise C-I-A!
Top Reasons to Undertake Bona Fide Risk Analysis and Risk Management
1. Take better care of customers, patients, members, residents, employees, etc.
2. Avoid Security Incidents and/or Breaches
3. Meet Specific Regulatory & industry requirements (HIPAA/HITECH, PCI DSS)
4. Completion of Foundational Security Program Step
5. Development of Remediation Plan
6. Tremendous Educational Experience
7. Basis for Continuous Process Improvement
8. Essential for realizing IT and Business Strategy
Recent FBI Healthcare Alerts: April / August 2014
“Because the healthcare industry is not as resilient to cyber intrusions [as] the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely”
“…observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII).”
Agenda
• Problem
• Actions
• Results
• Resources
Actions
1. Think Ongoing Program, Not Project!!
2. Become familiar with the exact requirements in all the regulatory domains (HIPAA/HITECH, PCI DSS, Financial Services, SOX, etc.)
3. Learn the terminology of risk and risk analysis; read supplemental material
4. Be absolutely clear on what is NOT a risk analysis
5. Select the methodology you will follow and make sure it meets all requirements
6. Complete your risk analysis
7. Build and execute your risk management plan
8. Update your risk analysis at least once a year
HHS/OCR Risk Analysis Guidance
Regardless of the risk analysis methodology employed…
1. Scope of the Analysis - all ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a)).
2. Data Collection - The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316 (b)(1).)
3. Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
4. Assess Current Security Measures - Organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
5. Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
6. Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
7. Determine the Level of Risk - The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
8. Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).)
9. Periodic Review and Updates to the Risk Assessment - The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)
Problem: Few People Understand Risk
[Diagram: the relationships that make up risk] Owners value Assets and wish to minimize Risks (Loss or Harm); they implement Controls & Safeguards to reduce Risks, and must be aware of Vulnerabilities that exist in protecting Assets (Controls & Safeguards themselves may possess Vulnerabilities). Threat Sources (Adversarial, Accidental, Structural, Environmental) wish to or may abuse and/or damage Assets; they give rise to Threats that exploit Vulnerabilities, leading to Risks. Vulnerabilities increase Risks; Risks may be reduced by Controls & Safeguards.
Information Risk Depends on Impact
Sensitive information: PHI, PII, Credit Card, Intel. Prop.
• What if my sensitive information is not complete, up-to-date and accurate? (Integrity)
• What if my sensitive information is shared? With whom? How? (Confidentiality)
• What if my sensitive information is not there when it is needed? (Availability)
IMPACT = LOSS or HARM … compromise of C or I or A!
Risk Equation... were it this simple…
Risk = f( [Assets × Threats × Vulnerabilities] / Controls × [Likelihood × Impact] )
Note: the equation above is shown for illustrative purposes only; there is no simple, closed-form equation for risk.
Critical Point: Since all these variables change, risk analysis and risk management must become an ongoing, mature business process. Your Risk Profile or Risk Posture is constantly changing.
Risk Analysis Methodologies
• NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments
• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), developed at Carnegie Mellon University
• ISACA's RISK IT (now part of COBIT 5)
• ISO 27005:2011 Information technology -- Security techniques -- Information security risk management
• Factor Analysis of Information Risk (FAIR)
Clearwater Information Risk Management Life Cycle (adopted from NIST SP800-39)
[Diagram] Phases: Frame → Assess → Respond → Monitor
Practice areas: ePHI Discovery, Risk Analysis, Risk Response, Remediation, Privacy Assessment, Security Assessment, Auditing, Technical Testing, Workforce Training, Risk Strategy, Governance
Today’s Topics: Risk Analysis and Risk Response
NIST SP800-30, Rev 1: Risk Analysis
1. & 2. Scope and Collect Data
Think: Information Asset Inventory
Asset Inventory List
Where is all the ePHI?
Asset Inventory List
Seriously! …Where? How Much? What for? Who owns? Etc.
3. Identify Threats & Vulnerabilities
Think: Threat Sources, Threat Actions, Weaknesses
Identify Threat Sources, Threat Actions and Vulnerabilities
Identify Threats and Vulnerabilities: Threat Sources, Threat Actions, Vulnerabilities – Much to Consider
4. Assess Current Security Measures
Think: Safeguards, Countermeasures Already in Place
HIPAA & HITECH Aside… FISMA Control Families, NIST Control Families, ISO 27002 Control Families
[Diagram: how control types relate to threats and vulnerabilities] A Threat Source creates a Threat Action; the Threat Action exploits a Vulnerability, which results in Impact. Deterrent Controls reduce the likelihood of the Threat Action; Preventive Controls protect the Vulnerability and reduce the likelihood of its exploitation; Detective Controls discover the Threat Action and may trigger Corrective Controls, which reduce the Impact; Compensating Controls decrease the Impact.
Controls Help Address Vulnerabilities
Information Asset: Laptop with ePHI
Threat Source: Burglar who may steal Laptop with ePHI
Threat Action: Steal Laptop
Vulnerabilities: Device is portable; Weak password; ePHI is not encrypted; ePHI is not backed up
Controls: Policies & Procedures; Training & Awareness; Cable lock down; Strong passwords; Encryption; Remote wipe; Data Backup
What A Risk Analysis Process Looks Like…
5. & 6. Determine Likelihood & Impact
Think: Probability of Bad Thing Happening and, were it to happen, Impact
Likelihood: Chance that bad thing will happen?
Do We Really Understand Likelihood?
WHO SAW IT COMING?
• 1987 Stock Market Crash?
• Rise Of The Internet?
• The Dot Bombs Coming?
• The Housing Market Collapse?
• The Fall Of The Berlin Wall?
• 9/11 Attack?
• The Rise of ISIS?
Impact: Harm or loss if bad thing happens?
Determine Likelihood and Impact
Asset | Threat Source / Action | Vulnerability | Likelihood | Impact
Laptop | Burglar steals laptop | No encryption | High (5) | High (5)
Laptop | Burglar steals laptop | Weak passwords | High (5) | High (5)
Laptop | Burglar steals laptop | No tracking | High (5) | High (5)
Laptop | Shoulder Surfer views | No privacy screen | Low (1) | Medium (3)
Laptop | Careless User Drops | No data backup | Medium (3) | High (5)
Laptop | Lightning Strike hits home | No surge protection | Low (1) | High (5)
etc.
7. Determine Level of Risk
Think: Probability of Bad Thing Happening and, were it to happen, Impact
Establishing a Risk Value
Think Likelihood * Impact
Likelihood
Rank | Description | Example
0 | Not Applicable | Will never happen
1 | Rare | May happen once every 10 years
2 | Unlikely | May happen once every 3 years
3 | Moderate | May happen once every 1 year
4 | Likely | May happen once every month
5 | Almost Certain | May happen once every week
Impact
Rank | Description | Example
0 | Not Applicable | Does not apply
1 | Insignificant | Not reportable; Remediate within 1 hour
2 | Minor | Not reportable; Remediate within 1 business day
3 | Moderate | Not reportable; Remediate within 5 business days
4 | Major | Reportable; Less than 500 records compromised
5 | Disastrous | Reportable; Greater than 500 records compromised
Risk Level (Likelihood * Impact): Critical = 25; High = 15-24; Medium = 8-14; Low = 0-7
Determine Level of Risk
Asset | Threat Source / Action | Vulnerability | Likelihood | Impact | Risk Level
Laptop | Burglar steals laptop | No encryption | High (5) | High (5) | 25
Laptop | Burglar steals laptop | Weak passwords | High (5) | High (5) | 25
Laptop | Burglar steals laptop | No tracking | High (5) | High (5) | 25
Laptop | Shoulder Surfer views | No privacy screen | Low (1) | Medium (3) | 3
Laptop | Careless User Drops | No data backup | Medium (3) | High (5) | 15
Laptop | Lightning Strike | No surge protection | Low (1) | High (5) | 5
etc.
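The Likelihood × Impact scoring from the two slides above, together with the rating-distribution, riskiest-asset and risk-threshold views that the later report slides ask you to show, worked through as an added Python example (not Clearwater's tool or the presentation's own code). The six register rows are the laptop examples from the slide; the threshold value of 15 and all function and field names are assumptions.

```python
"""Risk register scoring in the Likelihood x Impact style of the slides.

Added example, not Clearwater's software: the rank scales, the Critical/
High/Medium/Low bands and the sample laptop rows come from the slides;
the threshold value (15) and the names used here are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Likelihood ranks: 0 Not Applicable, 1 Rare, 2 Unlikely, 3 Moderate,
# 4 Likely, 5 Almost Certain. Impact ranks: 0 Not Applicable,
# 1 Insignificant, 2 Minor, 3 Moderate, 4 Major, 5 Disastrous.
MIN_RANK, MAX_RANK = 0, 5


def risk_score(likelihood: int, impact: int) -> int:
    """Risk value = Likelihood * Impact; rejects ranks outside 0..5."""
    for name, rank in (("likelihood", likelihood), ("impact", impact)):
        if not MIN_RANK <= rank <= MAX_RANK:
            raise ValueError(f"{name} rank {rank} is outside 0..5")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Band a 0..25 score: Critical=25, High=15-24, Medium=8-14, Low=0-7."""
    if score == 25:
        return "Critical"
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str          # threat source / action
    vulnerability: str
    likelihood: int      # rank 0..5
    impact: int          # rank 0..5

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)


# Constructed register: the six laptop rows from the "Determine Level of
# Risk" slide (High=5, Medium=3, Low=1).
REGISTER = [
    RiskItem("Laptop", "Burglar steals laptop", "No encryption", 5, 5),
    RiskItem("Laptop", "Burglar steals laptop", "Weak passwords", 5, 5),
    RiskItem("Laptop", "Burglar steals laptop", "No tracking", 5, 5),
    RiskItem("Laptop", "Shoulder surfer views", "No privacy screen", 1, 3),
    RiskItem("Laptop", "Careless user drops", "No data backup", 3, 5),
    RiskItem("Laptop", "Lightning strike", "No surge protection", 1, 5),
]


def rating_distribution(items):
    """Count of items per level: the 'Risk Rating Distribution' dashboard."""
    return dict(Counter(item.level for item in items))


def above_threshold(items, threshold=15):
    """Items at or above the risk threshold, riskiest first (ties keep
    register order). 15, the bottom of the High band, is an assumed value."""
    return sorted((i for i in items if i.score >= threshold),
                  key=lambda i: i.score, reverse=True)


def riskiest_assets(items):
    """Highest score seen per asset, highest first."""
    worst = {}
    for item in items:
        worst[item.asset] = max(worst.get(item.asset, 0), item.score)
    return dict(sorted(worst.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for item in REGISTER:
        print(f"{item.vulnerability:<20} {item.score:>2}  {item.level}")
    print(rating_distribution(REGISTER))
    print([i.vulnerability for i in above_threshold(REGISTER)])
```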
The Risk Analysis Dilemma: Millions of Permutations of Potential Risk-Controls
Assets and Media: Backup Media; Desktop; Disk Array; Electronic Medical Device; Laptop; Pager; Server; Smartphone; Storage Area Network; Tablet; Third-party service provider; Etcetera…
Threat Sources: ADVERSARIAL - Individual, Groups; ACCIDENTAL - Ordinary user, Privileged User; STRUCTURAL - IT Equipment, Environmental, Software; ENVIRONMENTAL - Natural or man-made, Unusual Natural Event, Infrastructure failure
Threat Actions: Burglary/Theft; Corruption or destruction of important data; Data Leakage; Data Loss; Denial of Service; Destruction of important data; Electrical damage to equipment; Fire damage to equipment; Information leakage; Etcetera…
Vulnerabilities: Anti-malware Vulnerabilities; Destruction/Disposal Vulnerabilities; Dormant Accounts; Endpoint Leakage Vulnerabilities; Excessive User Permissions; Insecure Network Configuration; Insecure Software Development Processes; Insufficient Application Capacity; Insufficient data backup; Insufficient data validation; Insufficient equipment redundancy; Insufficient equipment shielding; Insufficient fire protection; Insufficient HVAC capability; Insufficient power capacity; Insufficient power shielding; Etcetera…
NIST SP 800-53 Controls:
• PS-6 a The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
• PS-6 b The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
• AC-19 a The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices.
• AC-19 b The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.
• AC-19 c The organization monitors for unauthorized connections of mobile devices to organizational information systems.
• AC-19 d The organization enforces requirements for the connection of mobile devices to organizational information systems.
• AC-19 e The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
• Etcetera…
8. Finalize Documentation
Think: Best Basis for Decision Making & Report Package for Auditors & BOD
Asset Inventory Report
Show that you know where all the ePHI lives!
Risk Analysis Method – HHS OCR Guidance on Risk Analysis
• Scope of the Analysis - all ePHI must be included in risk analysis
• Data Collection – it must be documented
• Identify and Document Potential Threats and Vulnerabilities
• Assess Current Security Measures
• Determine the Likelihood of Threat Occurrence
• Determine the Impact of Threat Occurrence
• Determine the Level of Risk
The System Enables:
• Finalize Documentation
• Periodic Review and Updates
Show your work!
What A Risk Analysis Report Looks Like…
Show you’ve identified all risks!
Dashboard - Risk Rating Distribution
Show that you know how risks are distributed!
What A Risk Analysis Report Looks Like…
Show You Know Your Riskiest Assets!
Risk Response – Risk Threshold
Show you’ve set a Risk Threshold!
Risk Response – Evaluate Alternatives
Show you’re making informed decisions!
Risk Management Plan
Show your plan!
9. Periodic Review & Updates to RA
Think: Journey, Not Destination … Not a Once and Done!
Risk Management and Baseball
• A professional baseball team is more "mature" than a Little League team
• A professional team has self-perpetuating quality. They
  – Make good plays
  – Develop new players like themselves
  – Find ways to make better plays
  – Use latest “technology”
Attributes of a Mature Process or Practice Area
Where Does Your Organization Need to Be? Little League → Major League
Risk Management Maturity
• Governed • Measurable • Controlled • CPI-based • Standards-based
• Proactive • Adaptable • Consistent • Predictable • Automated
RISK MANAGEMENT IMPLEMENTATION MATURITY
Levels: Incomplete-0 | Performed-1 | Managed-2 | Established-3 | Predictable-4 | Mature-5
Key Risk Management Practice Areas (each row lists the descriptor for levels 0 through 5):
Engagement, Delivery & Operations: None | Some (ad hoc), insufficient resources | Have framework & active when time permits | Becoming a formal program | Formal program | Embedded in decision making, CPI
Use of Standards, Technology Tools / Scalability: Not using | Aware but not formalized use | Using selectively | Using, repeatable results | Sound understanding, consistent use of tools | Regular use, outcomes consistent
Process, Discipline & Repeatability: No PnPs, formal practices | Some execution, no records or docs | Some PnPs, docs; not consistently followed | Formal PnPs and doc, widely followed | Robust, widely adopted PnPs | Formal, continuous process improvement
People, Skills, Knowledge & Culture: Little knowledge | Some risk skills training in parts of organization | Good understanding across parts of organization | Knowledge across most of organization | Sound knowledge of discipline and value | High degree of knowledge; refinement
Governance, Awareness of Benefits and Value: Unsure of benefits; no executive focus | Aware of risk, but not clear on benefits | Aware of some benefits | Aware of benefits and deployed across the organization | Aware of most benefits; value realized | Incorporated into business planning and strategic thinking
Agenda
• Problem
• Actions
• Results
• Resources
Results… if done properly…
Bottom Line: You will know all your exposures and be able to make informed decisions about them…
Big Points about Risk Management
• Right Way and Many Wrong Ways
• First Time – Lots of Work
• Not Once and Done
• One of Single Biggest Audit & Investigation Findings
• Top Focus Area in Regulatory Enforcement Actions
• Risk Analysis ≠ Risk Treatment
• Ongoing Effort that Requires Process Maturity
Agenda
• Problem
• Actions
• Results
• Resources
What is Your Vision for Privacy, Security and Information Risk Management?
Vision: Necessary Evil → Operational Baseline → Competitive Advantage
Program framing: HIPAA-HITECH Compliance Project → Patient/Member Privacy & Security Program → Marketing, Customer Service & Patient Safety Strategy
Supplemental Reading
ONC Guide to Privacy and Security of Health Information
“As with any new program or regulation, there may be misinformation making the rounds. The following table distinguishes fact from fiction...”
Supplemental Reading
• NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments
• NIST SP800-34 Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39 Managing Information Security Risk
• NIST SP800-53 Rev 4 Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP800-53A, Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
• NIST SP800-115 Technical Guide to Information Security Testing and Assessment
• MU Stage 2 Hospital Core 7 Protect Electronic Health Info 2012-11-05
• CMS MU Stage1 vs Stage2 Comparison Tables for Hospitals
• CMS Security Risk Assessment Fact Sheet (Updated 20131122)
• NIST Risk Management Framework 2009
Remember! Security Rule is Based on NIST!
Download Whitepaper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
http://clearwatercompliance.com/hipaa-risk-analysis-essentials-lp/
Contact
Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US
http://www.ClearwaterCompliance.com
[email protected]
Phone: 800-704-3394 or 615-656-4299
Clearwater Compliance LLC