BOS HIPAA Bootcamp - Module 9 - How to Complete the HIPAA Security Rule Risk Analysis and Technical Testing Requirements
TRANSCRIPT
7/29/2014
©Clearwater Compliance LLC 1
© Clearwater Compliance LLC | All Rights Reserved
Copyright Notice
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
For reprint permission and information, please direct your inquiry to [email protected]
Legal Disclaimer
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
• “… what we’re seeing over and over again is the failure to do a thorough risk analysis…”
• “… risk analysis will be one of the areas of focus… [in the 2014 OCR audits]”
‐‐ September 23, 2013 | HIMSS Media Health Privacy & Security Forum
Instructional Module 9: How to Complete the HIPAA Security Rule Risk Analysis and Technical Testing Requirements
Module 9. Overview
1. “How to Complete the HIPAA Security Rule Risk Analysis and Technical Testing Requirements”
2. Instructional Module Duration = 45 minutes
3. Learning Objectives Addressed In This Module
– Understand the explicit HIPAA Security Rule requirements for Ongoing Assessments
– Explain the difference between compliance and security
– Cite the specific HIPAA regulatory requirements and HHS/OCR Guidance for “technical evaluation”, “non‐technical evaluation” and risk analysis
– Define fundamental risk terminology
– Explain why risk analysis is a core foundational step
– Describe the fundamentals of a Risk Analysis
Balanced Compliance Program: Four Critical Dimensions (Clearwater Compliance Compass™)
• Policy defines an organization’s values & expected behaviors; establishes “good faith” intent.
• People must include talented privacy & security & technical staff, engaged and supportive management and trained/aware colleagues following PnPs.
• Procedures or processes (documented) provide the actions required to deliver on the organization’s values.
• Safeguards include the various families of administrative, physical or technical security controls (including “guards, guns, and gates”, encryption, firewalls, anti‐malware, intrusion detection, incident management tools, etc.).
9 Actions to Take Now
1. Set Privacy and Security Risk Management & Governance Program in place (45 CFR § 164.308(a)(1))
2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530 and 45 CFR §164.316)
3. Train all Members of Your Workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))
4. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
5. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8))
6. Complete Technical Testing of Your Environment (45 CFR § 164.308(a)(8))
7. Implement a Strong, Proactive Business Associate / Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))
8. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)
9. Document and act upon a remediation plan
Demonstrate Good Faith Effort!
Some OCR Corrective Action Plans
Organizations and settlement amounts shown (total $13.5+M): AP Derm $150K; AHP $1.2M; WLP $1.7M; ISU $400K; HONI $50K; MEEI $1.5M; CVS $2.3M; Rite‐Aid $1.0M; BCBS TN $1.5M; MGH $1.0M; PHX $100K; UCLA $865K; AK DHSS $1.7M.
Corrective Action Plan (CAP) Requirements (each imposed on one or more of the organizations above in the original matrix):
• Establish a Comprehensive Information Security Program
• Designate an accountable Security Owner
• Develop Privacy and Security policies and procedures
• Document authorized access to ePHI
• Distribute and update policies and procedures
• Document Process for responding to security incidents
• Implement training and sanctions for non‐compliance
• Conduct Risk Analysis / Establish Risk Management Process
• Implement Reasonable Safeguards to control risks
• Regularly review records of information system activity
• Implement reasonable steps to select service providers
• Test and monitor security controls following changes
• Obtain assessments from qualified independent 3rd party
• Retain required documentation
Mega Session Objective
Help You Understand and Address TWO Very Specific AND Different HIPAA Security Rule Assessment Requirements…
All Three (3) are Required!
Other Helpful Resources
• Blog Post: HIPAA Audit Tips – Don’t Confuse HIPAA Security Evaluation and Risk Analysis
• Recorded Webinars at http://abouthipaa.com/webinars/on-demand-webinars/
 – How To Conduct a Bona Fide HIPAA Security Risk Analysis
 – How to Conduct the Periodic Security Evaluation Required by HIPAA Security Rule
 – What Business Associates Need to Know about HIPAA
Session Objectives
1. Understand Compliance Assessment Essentials
2. Review specific HIPAA Security Assessment Regulations
3. Learn how to Complete HIPAA Security Assessments
Assessments and Audits Are Central to Compliance
• Establishing great policies and procedures is not enough…
• Training the Workforce is not enough…
• Deploying leading reasonable and appropriate safeguards is not enough…
Regular assessments are crucial in establishing and maintaining effective compliance
Systematic, Sustainable Programmatic Approach: Reenergize and operationalize your HIPAA-HITECH Compliance Program
Think Program, Not Project! Assessments NOT Once and Done.
• Start / Year 1: Oversight; Inventory PHI & ePHI; Inventory BAs; Assessments; Remediation Plans; Policies & Procedures; Business Associate Management; Training
• Year 2 and each year after (with ongoing support and guidance): Re-Inventory PHI & ePHI; Re-Inventory BAs; Redo Assessments; Remediation Plans; Policies & Procedures Review; Business Associate Management; Training Update
Types of Assessments
1. Compliance Assessments (Security Evaluation ‐ Non‐Technical, at 45 CFR §164.308(a)(8))
 – Where do we stand?
 – How well are we achieving ongoing compliance?
2. Risk Assessment (Risk Analysis, at 45 CFR §164.308(a)(1)(ii)(A))
 – What is the exposure to information assets (e.g., ePHI)?
 – What do we need to do to mitigate risks?
3. Technical Assessments (Security Evaluation ‐ Technical, at 45 CFR §164.308(a)(8))
 – How effective are the safeguards we have implemented?
 – Are the safeguards working?
4. Risk‐of‐Harm Breach Risk Assessment (Breach‐related, in HITECH parlance)
 – Have we caused legal, reputational, etc. harm?
 – Is there low probability of compromise of PHI?
Each Assessment Has Its Role and Proper Time
Session Objectives
1. Understand Compliance Assessment Essentials
2. Review specific HIPAA Security Assessment Regulations
3. Learn how to Complete HIPAA Security Assessments
Security Evaluation v. Risk Analysis
45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
45 C.F.R. §164.308(a)(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. (ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
NOT SUFFICIENT TO CALL THE ‘GEEK SQUAD’ TO RUN A VULNERABILITY SCAN OR PENETRATION TEST…
Three Dimensions of HIPAA Security Business Risk Management
1. Compliance (45 CFR 164.308(a)(8))
2. Security (45 CFR 164.308(a)(1)(ii)(A))
3. Test & Audit (45 CFR 164.308(a)(8) & OCR Audit Protocol)
Session Objectives
1. Understand Compliance Assessment Essentials
2. Review specific HIPAA Security Assessment Regulations
3. Learn how to Complete HIPAA Security Assessments
Three Dimensions of HIPAA Security Business Risk Management
1. Compliance (45 CFR 164.308(a)(8))
2. Security (45 CFR 164.308(a)(1)(ii)(A))
3. Test & Audit (45 CFR 164.308(a)(8) & OCR Audit Protocol)
Risk Analysis: Identify, Rate and Prioritize All Risks
1. What is our exposure of our information assets (e.g., ePHI)?
2. What are all the ways in which the confidentiality, integrity or availability of ePHI might be compromised?
Problem We’re Trying to Solve: Don’t Compromise C‐I‐A!
My PHI / ePHI: Confidentiality, Integrity, Availability
• Confidentiality: What if my Protected Health Information is shared? With whom? How?
• Integrity: What if my Protected Health Information is not complete, up-to-date and accurate?
• Availability: What if my Protected Health Information is not there when it is needed?
Thinking Like a Risk Analyst
Security Risk exists when a Threat (Actor) CAN EXPLOIT a Vulnerability (Weakness) in controls protecting an asset AND CAUSE an Impact (Cost).
Risk Analysis IS the process of identifying, prioritizing, and estimating risks … considers mitigations provided by security controls planned or in place.¹
¹ NIST SP800-30
Number of Vulnerabilities Increases Radically With Emergence of Wireless, Mobile, Cloud, BYOD
Exploding and Interconnected Digital Universe:
• 33% of all new business software spending will be Software as a Service
• 1 billion workers will be remote or mobile
• 1 trillion connected objects (cars, appliances, cameras)
• 1B Mobile Internet users; 30% growth of 3G devices
• 30 billion RFID tags (products, passports, buildings, animals)
Embracing New Technologies, Adopting New Business Models:
• Mobility
• Cloud / Virtualization
• Social Business
• Bring Your Own IT (employees, customers, contractors, outsourcers)
Controls or Safeguards
Once one understands Risks (each Asset‐Threat‐Vulnerability triple) to Information…
• Controls or safeguards must be in place to secure information from threats and ensure confidentiality, integrity & availability through:
 – Deterrent controls
 – Preventive controls
 – Detective controls
 – Corrective controls
 – Compensating controls
• Compliance regulations/standards often require specific named controls
Warning: RA is not just checking controls!
HIPAA & HITECH Aside…
• FISMA Control Families
• NIST Control Families
• ISO 27002 Control Families
Controls Help Address Vulnerabilities
• Information Asset: Laptop with ePHI
• Threat Source: Burglar who may steal Laptop with ePHI
• Threat Action: Steal Laptop
• Vulnerabilities: Device is portable; Weak password; ePHI is not encrypted; ePHI is not backed up
• Controls: Policies & Procedures; Training & Awareness; Cable lock down; Strong passwords; Encryption; Remote wipe; Data Backup
What A Risk Analysis Is…
A Risk Analysis IS the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, …, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.¹
¹ NIST SP800-30
…from HHS/OCR Final Guidance
• HHS / OCR Required by HITECH Act to provide guidance
• July 14, 2010 “Guidance on Risk Analysis Requirements”
• Not a news flash
• Required since April 2005
• Nine (9) Essential Elements
…from HHS/OCR Final Guidance
Regardless of the risk analysis methodology employed…
1. Scope of the Analysis ‐ all ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a).)
2. Data Collection ‐ The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)
3. Identify and Document Potential Threats and Vulnerabilities ‐ Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
4. Assess Current Security Measures ‐ Organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
5. Determine the Likelihood of Threat Occurrence ‐ The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
6. Determine the Potential Impact of Threat Occurrence ‐ The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
7. Determine the Level of Risk ‐ The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
8. Finalize Documentation ‐ The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).)
9. Periodic Review and Updates to the Risk Assessment ‐ The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)
Determine Likelihood and Impact

Asset  | Threat Source / Action     | Vulnerability       | Likelihood | Impact
Laptop | Burglar steals laptop      | No encryption       | High (5)   | High (5)
Laptop | Burglar steals laptop      | Weak passwords      | High (5)   | High (5)
Laptop | Burglar steals laptop      | No tracking         | High (5)   | High (5)
Laptop | “Shoulder Surfer” views    | No privacy screen   | Low (1)    | Medium (3)
Laptop | Careless User drops        | No data backup      | Medium (3) | High (5)
Laptop | Lightning Strike hits home | No surge protection | Low (1)    | High (5)
etc.
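Element 7 of the OCR guidance says the level of risk can be derived from the likelihood and impact values, and the laptop table above supplies those values. The Python below is an added example, not Clearwater's or OCR's tooling: it carries each Asset‐Threat‐Vulnerability triple through to a prioritized rating report on the slide's 1/3/5 scale and flags inventoried ePHI assets that have no triple at all (element 1, scope). The rating bands, the `EHR server` inventory entry and the register rows are assumptions constructed for the example.

```python
"""Rate Asset / Threat / Vulnerability triples (example code, not a vendor tool)."""
from dataclasses import dataclass

# Ordinal scale used in the slide table: Low = 1, Medium = 3, High = 5.
SCALE = {"Low": 1, "Medium": 3, "High": 5}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str          # threat source and action, e.g. "Burglar steals laptop"
    vulnerability: str   # the weakness in controls the threat can exploit
    likelihood: str      # "Low" | "Medium" | "High"
    impact: str          # "Low" | "Medium" | "High"

    def __post_init__(self):
        # An unrated or misspelled rating is a hard error, not a silent zero
        # that would sink the triple to the bottom of the report unnoticed.
        for name in (self.likelihood, self.impact):
            if name not in SCALE:
                raise ValueError(f"rating {name!r} not in {sorted(SCALE)}")

    def level(self) -> int:
        """Risk level = likelihood x impact, giving a 1..25 scale."""
        return SCALE[self.likelihood] * SCALE[self.impact]


def band(level: int) -> str:
    """Map a 1..25 level to a reporting band (thresholds are an assumption)."""
    if level >= 15:
        return "High"
    if level >= 5:
        return "Medium"
    return "Low"


def rating_report(risks):
    """Rows ordered highest level first; equal levels keep register order."""
    rows = []
    for r in sorted(risks, key=lambda r: r.level(), reverse=True):
        rows.append({"asset": r.asset, "threat": r.threat,
                     "vulnerability": r.vulnerability,
                     "level": r.level(), "band": band(r.level())})
    return rows


def unscoped_assets(ephi_inventory, risks):
    """Element 1: every inventoried ePHI asset needs at least one triple."""
    covered = {r.asset for r in risks}
    return sorted(a for a in ephi_inventory if a not in covered)


# Constructed register mirroring the slide's laptop example.
REGISTER = [
    Risk("Laptop", "Burglar steals laptop", "No encryption", "High", "High"),
    Risk("Laptop", "Burglar steals laptop", "Weak passwords", "High", "High"),
    Risk("Laptop", "Burglar steals laptop", "No tracking", "High", "High"),
    Risk("Laptop", "Shoulder surfer views screen", "No privacy screen", "Low", "Medium"),
    Risk("Laptop", "Careless user drops laptop", "No data backup", "Medium", "High"),
    Risk("Laptop", "Lightning strike hits home", "No surge protection", "Low", "High"),
]

if __name__ == "__main__":
    for row in rating_report(REGISTER):
        print(f"{row['level']:>2} {row['band']:<6} {row['asset']} / "
              f"{row['threat']} / {row['vulnerability']}")
    # Constructed inventory: the EHR server has no triples yet, so it is reported.
    print("Assets missing from the analysis:",
          unscoped_assets(["Laptop", "EHR server"], REGISTER))
```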
Actions to Conduct Bona Fide Risk Analysis & Risk Management
1. Become familiar with what the exact requirements are in the Security Rule and the HHS OCR Final Guidance on Risk Analysis
2. Learn the terminology of risk and risk analysis; read supplemental material
3. Be absolutely clear on what is NOT a risk analysis
4. Select the methodology you will follow and study it carefully
5. Complete your risk analysis
6. Build and execute your risk management plan
7. Update your risk analysis at least once a year
Clearwater HIPAA Business Risk Management Life Cycle: Frame, Assess, Respond, Monitor
Activities in the life cycle (today’s topics, risk analysis and technical testing, are among them): ePHI Discovery; Risk Analysis; Risk Response / Remediation; Risk Strategy / Governance; Privacy Assessment; Security Assessment; Auditing / Technical Testing; Workforce Training
Understand Risk
• Owners value Assets and wish to minimize Risks.
• Owners implement Controls & Safeguards to reduce Risks; Risks may be reduced by Controls & Safeguards.
• Assets may possess Vulnerabilities that exist in Controls & Safeguards.
• Threat Sources (Adversarial, Accidental, Structural, Environmental) wish to abuse and/or damage Assets, may be aware of Vulnerabilities, and give rise to Threats.
• Threats exploit Vulnerabilities, leading to Risks; Threats increase Risks to Assets.
Choose Risk Analysis Methodology
• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), developed at Carnegie Mellon University
• ISACA's RISK IT (now part of COBIT 5)
• ISO 27005:2011 Information technology ‐ Security techniques ‐ Information security risk management
• Factor Analysis of Information Risk (FAIR)
• NIST SP800‐30 Revision 1 Guide for Conducting Risk Assessments
Risk Management Guidance
• Guidance on Risk Analysis Requirements under the HIPAA Security Rule (Final)
• NIST SP800‐30 Revision 1 Guide for Conducting Risk Assessments
• NIST SP800‐34 Contingency Planning Guide for Federal Information Systems
• NIST SP800‐37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800‐39 Managing Information Security Risk
• NIST SP800‐53 Revision 3 Final, Recommended controls for Federal Information Systems and Organizations
• NIST SP800‐53A, Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
What a Real Risk Analysis Looks Like
Risk Rating Report
Pause & Quick Poll: Bona Fide Risk Analysis?
• Has Your Organization Completed a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))?
YES / NO / DON’T KNOW
Three Dimensions of HIPAA Security Business Risk Management
1. Compliance (45 CFR 164.308(a)(8))
2. Security (45 CFR 164.308(a)(1)(ii)(A))
3. Test & Audit (45 CFR 164.308(a)(8) & OCR Audit Protocol)
HIPAA Security Technical Evaluation
• External Network Vulnerability Assessment & Penetration Testing
• Internal Network Vulnerability Assessment & Penetration Testing
• Web Application Assessment
• Wireless Security Assessment
• Security Awareness Assessment
• Sensitive Data Discovery Scans
ALL IMPORTANT – AIMED AT DETERMINING EFFICACY AND EFFECTIVENESS OF CONTROLS
Reference NIST SP 800‐53A
http://clearwatercompliance.com/wp-content/uploads/2014/01/NIST-SP800-53A-rev1-final_Guide_for_Assessing_the_Security_Controls_in_Federal_Information_Systems_and_Organizations-Building_Effective_SAPs.pdf
“Security control assessments are not about checklists, simple pass‐fail results, or generating paperwork to pass inspections or audits—rather, security controls assessments are the principal vehicle used to verify that the implementers and operators of information systems are meeting their stated security goals and objectives. Special Publication 800‐53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, is written to facilitate security control assessments conducted within an effective risk management framework.”
Resource
“The Federal Risk Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for Cloud Service Providers (CSP). Testing security controls is an integral part of the FedRAMP security authorization requirements and enables Federal Agencies to use the findings that result from the tests to make risk-based decisions. Providing a plan for security control ensures that the process runs smoothly.”
Reference NIST SP 800‐115
http://clearwatercompliance.com/wp-content/uploads/2013/12/SP800-115-Technical-Guide-to-Information-Security-Testing-and-Assessment.pdf
• Basis of Technical Evaluations
– Pen Testing
– Vulnerability Scans
– Post Testing Activities
Pause & Quick Poll: Technical Evaluation?
• Has Your Organization Completed the Technical Evaluation (= Testing) of Your Environment (45 CFR §164.308(a)(8))?
YES / NO / DON’T KNOW
Three Dimensions of HIPAA Security Business Risk Management
1. Compliance (45 CFR 164.308(a)(8))
2. Security (45 CFR 164.308(a)(1)(ii)(A))
3. Test & Audit (45 CFR 164.308(a)(8) & OCR Audit Protocol)
Supplemental Materials
9‐1. NIST SP800‐66
9‐2. NIST SP800‐115
9‐3. NIST SP800‐53A
9‐4. Federal Risk Authorization Management Program (FedRAMP) Security Assessment Plan template (Word)
9‐5. ONC Guide to Privacy and Security of Health Information
9‐6. Clearwater HIPAA Risk Analysis Report Example with examples (PDF)
9‐7. HIPAA Risk Analysis Buyer's Guide Checklist ‐ What to Look for in a HIPAA Risk Analysis Firm V3.0 (PDF)
Questions?