Transcript of HIPAA risk analysis webinar
Page 1
About SISA:
SISA is a California based information security governance, risk and compliance
company. With over 500 customers in 22 countries, SISA offers holistic security with
its specialized security team, world class training and products. Our competency centers
include services, training and products. SMART is an on-demand GRC solution from
SISA. SISA operates as SISA Information Security WLL in EMEA and SISA
Information Security Pvt. Ltd in Asia. For more details visit www.sisainfosec.com
Webinar Topic: HIPAA Risk Analysis
(or Risk Assessment)
Starts at 9 am PDT (or 12pm EDT)
Page 2
SISA – Info Security GRC
Consulting
• HIPAA Compliance
• Risk Assessment (IS-RA)
• P2PE Validation Services (P2PE)
• PCI QSA Validation Services (PCI-DSS)
• PCI ASV Scanning Services (PCI-DSS)
• PA QSA Validation Services (PA-DSS)
• PCI Assurance Services (SAQ)
• Privacy and Standards Compliance (ISO 27001, GLBA, DPA, COBIT, FISMA, BS 25999)
• Application Pen Test and Code Review
• Network VA and Pen Test
• Forensics
Training
• Certified Information Security Risk Assessor Workshop
• Certified Payment Card Industry Security Implementer
Products
• SMART Risk Assessment
• SMART Compliance Management
• SMART Data Discovery
• SMART Action Management
• SMART Document Management
Page 3
Dharshan Shanthamurthy, CISA, CISSP, GWAPT, PCI QSA, OCTAVE Authorized
Trainer/Advisor, FCA, ISA, CEH, P2PE QSA, PA QSA
• CEO of SISA Information Security Inc
• Two decades of information security experience; specialist in formal
risk assessment methodologies (over 20 methodologies).
• Conducted around 125 workshops in over 13 countries on topics
including Risk Assessment, HIPAA, PCI and ISO.
• Author of the Certified Information Security Risk Assessor Program
(training dedicated towards formal methodologies)
• PCI DSS Special Interest Group Proposer and Lead for Risk
Assessment.
• Principal architect of SISA flagship product SMART.
LinkedIn: http://www.linkedin.com/in/dharshanshanthamurthy
Page 4
Agenda
• Background
• Definition
• Formal Risk Analysis Process
• Questions
• Summary
Page 5
Background
• Formal risk analysis (or risk assessment)
- Essential component of HIPAA compliance
- Can help organizations identify their most critical exposures and
vulnerabilities and, more importantly, safeguard overall privacy and security
- Forms a basis for determining how risks should be managed
• Adds value by ensuring that resources are directed at the
areas that are most important to management and governance.
Page 6
Background
• Risk exposure decreases significantly when an
organization knows exactly where PHI resides and
how it is handled.
• A formal Risk Analysis examines the risks and
controls related to three critical areas: People,
Process and Technology.
• Recent OCR pilot audits found that two-thirds of the audited
organizations did not have accurate and complete risk assessments.
Page 7
What is Risk Analysis?
• Risk Analysis is the cornerstone of any information
security program, and it is the fastest way to gain a
complete understanding of an organization's security
profile – its strengths and weaknesses, its vulnerabilities
and exposures.
“IF YOU CAN’T MEASURE IT
…YOU CAN’T MANAGE IT!”
Page 8
Common Misconceptions
• Vulnerability Assessment = Risk Analysis
• Risk Analysis = Audit
• Risk Analysis does not require any specific skill
• Risk Analysis is black or white
• We already know the risk, so why conduct a formal Risk Analysis?
• Risk Analysis has no business value and is required only for
compliance purposes, just before the audit
• Risk Analysis does not require a formal approach; let me devise my own.
Page 9
Common Risk Analysis Flow (general description of ISRA)
Phases: Risk Analysis: Risk Identification → Risk Analysis: Risk Estimation and Evaluation → Risk Treatment
Steps: Scope → Asset → Threat → Vulnerabilities → Risk Profiling → Risk Treatment Plan → Results Documentation
Page 10
Scope (examples)
• Physical Location – building, room, etc.
• Data Center
• Business Process
• Business Division
Page 11
Asset Review (examples)
• Admin Processes
• Clinical Processes
• Electronic Health Records System
Page 12
Threat Review (examples)
• Hacker exploits insecure communication channels
• Theft/destruction of media or documents
• Corruption of data
• CSRF Attack
Page 13
Vulnerability Review (examples)
• Employee Disclosure
• EPHI is stored unencrypted
• No quarterly review of firewall rules
• XSS Vulnerability
Page 14
Risk Profiling
• Risk Score = f(Asset Value, LHOT, LOV)
• Calculated after taking Risk Evaluation and Risk Acceptance Criteria into account
• Revised Risk Score = Risk Score after evaluating existing controls and applying new controls
Page 15
Risk Treatment Plan
• Treat / Tolerate / Terminate / Transfer
• Take action if Treat or Transfer
• Take approval if Tolerate or Terminate
Page 16
Results Documentation
• Document each A-T-V (Asset-Threat-Vulnerability) combination with the associated risk
• Calculation of risk
• RTP (Risk Treatment Plan)
• Action taken
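The flow from Scope through Results Documentation, carried through as an added worked example (this is not code from the webinar or from SISA's SMART product): one A-T-V combination is scored, revised after existing and new controls, assigned a treatment option, and written up as a results entry. Assumed, because the deck defines none of them: LHOT and LOV stand for likelihood of threat and likelihood of vulnerability on a 1..5 scale, f is the product Asset Value × LHOT × LOV, and a score of 20 or less meets the Risk Acceptance Criteria.

```python
from dataclasses import dataclass, field

# Assumed scoring model: the deck states only Risk Score = f(Asset Value, LHOT, LOV). LHOT/LOV are
# read here as likelihood of threat/vulnerability on a 1..5 scale (as is asset value) and f is
# their product (1..125); the acceptance threshold is an assumed Risk Acceptance Criterion.
ACCEPTANCE_THRESHOLD = 20
NEEDS_ACTION = {"Treat", "Transfer"}        # deck: take action if Treat/Transfer
NEEDS_APPROVAL = {"Tolerate", "Terminate"}  # deck: take approval if Tolerate/Terminate
@dataclass
class Control:
    name: str
    lov_reduction: int  # points by which the control lowers LOV
    status: str         # "existing" (evaluated) or "new" (applied)
@dataclass
class RiskItem:        # one Asset-Threat-Vulnerability (A-T-V) combination
    asset: str
    threat: str
    vulnerability: str
    asset_value: int
    lhot: int
    lov: int
    controls: list = field(default_factory=list)
def risk_score(asset_value: int, lhot: int, lov: int) -> int:
    return asset_value * lhot * lov
def revised_score(item: RiskItem) -> int:
    """Risk Score after evaluating existing controls and applying new controls."""
    lov = item.lov
    for c in item.controls:
        lov = max(1, lov - c.lov_reduction)  # LOV never drops below the scale minimum
    return risk_score(item.asset_value, item.lhot, lov)

def choose_treatment(score: int, preferred: str = "Treat") -> str:
    """Tolerate once the revised score meets the acceptance criterion, else the chosen option."""
    if preferred not in NEEDS_ACTION | NEEDS_APPROVAL:
        raise ValueError(f"unknown treatment option: {preferred}")
    return "Tolerate" if score <= ACCEPTANCE_THRESHOLD else preferred

def document_result(item: RiskItem, preferred: str = "Treat") -> dict:
    """Results Documentation entry: A-T-V combination, risk calculation, RTP, action taken."""
    revised = revised_score(item)
    rtp = choose_treatment(revised, preferred)
    return {"atv": (item.asset, item.threat, item.vulnerability),
            "risk_score": risk_score(item.asset_value, item.lhot, item.lov),
            "revised_risk_score": revised, "rtp": rtp,
            "action": "take action" if rtp in NEEDS_ACTION else "obtain approval"}
SAMPLE = RiskItem(  # constructed sample entry built from the deck's own A-T-V examples
    "Electronic Health Records System", "Hacker exploits insecure communication channels",
    "EPHI is stored unencrypted", asset_value=5, lhot=4, lov=4,
    controls=[Control("TLS on EHR interfaces", 1, "existing"), Control("Encrypt EPHI at rest", 2, "new")])
```

Running `document_result(SAMPLE)` shows the raw score of 80 falling to 20 once both controls are counted, so the entry is tolerated and routed for approval rather than further action.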
Page 17
Certified Information Security Risk Assessor Program
• Two-day hands-on workshop on formal risk assessment methodologies,
particularly NIST, OCTAVE and ISO 27005.
• Especially relevant for HIPAA, FFIEC and PCI DSS compliance.
• July 11-12, 2013 @ Santa Clara, California. Further details are
available on www.sisainfosec.com.
Page 18
Questions
Email: [email protected]