
BOS HIPAA BootCamp - Module 9 - How to Complete the HIPAA Security Rule Risk Analysis and Technical Testing Requirements

7/29/2014

©Clearwater Compliance LLC 1

© Clearwater Compliance LLC | All Rights Reserved

Copyright Notice

Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

For reprint permission and information, please direct your inquiry to [email protected]

© Clearwater Compliance LLC | All Rights Reserved

Legal Disclaimer

Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.


• “… what we’re seeing over and over again is the failure to do a thorough risk analysis…”

• “… risk analysis will be one of the areas of focus… [in the 2014 OCR audits]”

‐‐ September 23, 2013 | HIMSS Media Health Privacy & Security Forum

Instructional Module 9: How to Complete the HIPAA Security Rule Risk Analysis and Technical Testing Requirements


Module 9. Overview

1. “How to Complete the HIPAA Security Rule Risk Analysis and Technical Testing Requirements”

2. Instructional Module Duration = 45 minutes

3. Learning Objectives Addressed In This Module

– Understand the explicit HIPAA Security Rule requirements for Ongoing Assessments

– Explain the difference between compliance and security

– Cite the specific HIPAA regulatory requirements and HHS/OCR Guidance for “technical evaluation”, “non-technical evaluation” and risk analysis

– Define fundamental risk terminology

– Explain why risk analysis is a core foundational step

– Describe the fundamentals of a Risk Analysis

Balanced Compliance Program: Four Critical Dimensions (Clearwater Compliance Compass™)

Policy defines an organization’s values & expected behaviors; establishes “good faith” intent.

People must include talented privacy & security & technical staff, engaged and supportive management and trained/aware colleagues following PnPs.

Procedures or processes, documented, provide the actions required to deliver on the organization’s values.

Safeguards include the various families of administrative, physical or technical security controls (including “guards, guns, and gates”, encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.).


9 Actions to Take Now

1. Set Privacy and Security Risk Management & Governance Program in place (45 CFR § 164.308(a)(1))

2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530 and 45 CFR §164.316)

3. Train all Members of Your Workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))

4. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))

5. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8))

6. Complete Technical Testing of Your Environment (45 CFR § 164.308(a)(8))

7. Implement a Strong, Proactive Business Associate / Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))

8. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)

9. Document and act upon a remediation plan

Demonstrate Good Faith Effort!

Some OCR Corrective Action Plans

Thirteen settlements with Corrective Action Plans (CAPs), $13.5+M in total: AP DERM $150K; AHP $1.2M; WLP $1.7M; ISU $400K; HONI $50K; MEEI $1.5M; CVS $2.3M; Rite-Aid $1.0M; BCBS TN $1.5M; MGH $1.0M; PHX $100K; UCLA $865K; AK DHSS $1.7M.

Corrective Action Plan (CAP) Requirement                    Number of the 13 CAPs that include it
Establish a Comprehensive Information Security Program       3
Designate an accountable Security Owner                      2
Develop Privacy and Security policies and procedures         8
Document authorized access to ePHI                           1
Distribute and update policies and procedures                7
Document Process for responding to security incidents        10
Implement training and sanctions for non-compliance          7
Conduct Risk Analysis / Establish Risk Management Process    13
Implement Reasonable Safeguards to control risks             10
Regularly review records of information system activity      1
Implement reasonable steps to select service providers       1
Test and monitor security controls following changes         8
Obtain assessments from qualified independent 3rd party      8
Retain required documentation                                10


Mega Session Objective

Help You Understand and Address TWO Very Specific AND Different HIPAA Security Rule Assessment Requirements…

All Three (3) are Required!


Other Helpful Resources

• HIPAA Audit Tips – Don’t Confuse HIPAA Security Evaluation and Risk Analysis (Blog Post)

Recorded Webinars at http://abouthipaa.com/webinars/on-demand-webinars/

• How To Conduct a Bona Fide HIPAA Security Risk Analysis

• How to Conduct the Periodic Security Evaluation Required by HIPAA Security Rule

• What Business Associates Need to Know about HIPAA

Session Objectives

1. Understand Compliance Assessment Essentials

2. Review specific HIPAA Security Assessment Regulations

3. Learn how to Complete HIPAA Security Assessments


Assessments and Audits Are Central to Compliance

• Establishing great policies and procedures is not enough…

• Training the Workforce is not enough…

• Deploying leading reasonable and appropriate safeguards is not enough…

Regular assessments are crucial in establishing and maintaining effective compliance

Systematic, Sustainable Programmatic Approach: Reenergize and operationalize your HIPAA-HITECH Compliance Program

Think Program, Not Project! Assessments are NOT Once and Done.

Start / Year 1: Oversight • Inventory PHI & ePHI • Inventory BAs • Assessments • Remediation Plans • Policies & Procedures • Business Associate Management • Training

Year 2: Re-Inventory PHI & ePHI • Re-Inventory BAs • Redo Assessments • Remediation Plans • Policies & Procedures Review • Business Associate Management • Training Update

Ongoing Support and Guidance throughout.


Types of Assessments

1. Compliance Assessments (Security Evaluation - Non-Technical, at 45 CFR §164.308(a)(8))

– Where do we stand?

– How well are we achieving ongoing compliance?

2. Risk Assessment (Risk Analysis, at 45 CFR §164.308(a)(1)(ii)(A))

– What is the exposure to information assets (e.g., ePHI)?

– What do we need to do to mitigate risks?

3. Technical Assessments (Security Evaluation – Technical, at 45 CFR §164.308(a)(8))

– How effective are the safeguards we have implemented?

– Are the safeguards working?

4. Risk-of-Harm Breach Risk Assessment (Breach-related, in HITECH parlance)

– Have we caused legal, reputational, etc. harm?

– Is there a low probability of compromise of PHI?

Each Assessment Has Its Role and Proper Time



Security Evaluation v. Risk Analysis

45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

45 C.F.R. §164.308(a)(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

NOT SUFFICIENT TO CALL THE ‘GEEK SQUAD’ TO RUN A VULNERABILITY SCAN OR PENETRATION TEST…

Three Dimensions of HIPAA Security Business Risk Management

1. Compliance (45 CFR 164.308(a)(8))

2. Security (45 CFR 164.308(a)(1)(ii)(A))

3. Test & Audit (45 CFR 164.308(a)(8) & OCR Audit Protocol)



Risk Analysis: Identify, Rate and Prioritize All Risks

1. What is our exposure of our information assets (e.g., ePHI)?

2. What are all the ways in which the confidentiality, integrity or availability of ePHI might be compromised?

Problem We’re Trying to Solve

My PHI / ePHI: CONFIDENTIALITY, INTEGRITY, AVAILABILITY. Don’t Compromise C-I-A!

• Confidentiality: What if my Protected Health Information is shared? With whom? How?

• Integrity: What if my Protected Health Information is not complete, up-to-date and accurate?

• Availability: What if my Protected Health Information is not there when it is needed?

Thinking Like a Risk Analyst

Security Risk exists when… a Threat (Actor) CAN EXPLOIT a Vulnerability (Weakness) …in controls, protecting an asset… AND CAUSE Impact (Cost).

Risk Analysis IS the process of identifying, prioritizing, and estimating risks … considers mitigations provided by security controls planned or in place (NIST SP 800-30).


Number Of Vulnerabilities Increases Radically With Emergence Of Wireless, Mobile, Cloud, BYOD

Exploding and Interconnected Digital Universe:

• 33% of all new business software spending will be Software as a Service

• 1 billion workers will be remote or mobile

• 1 trillion connected objects (cars, appliances, cameras)

• 1B Mobile Internet users; 30% growth of 3G devices

• 30 billion RFID tags (products, passports, buildings, animals)

Embracing New Technologies, Adopting New Business Models: Mobility • Cloud / Virtualization • Social Business • Bring Your Own IT • Employees, customers, contractors, outsourcers

Controls or Safeguards

Once one understands Risks (each Asset-Threat-Vulnerability triple) to Information…

• Controls or safeguards must be in place to secure information from threats and ensure confidentiality, integrity & availability through:

– Deterrent controls

– Preventive controls

– Detective controls

– Corrective controls

– Compensating controls

• Compliance regulations/standards often require specific named controls

Warning: RA is not just checking controls!


HIPAA & HITECH Aside… (figure): FISMA Control Families, NIST Control Families, ISO 27002 Control Families

Controls Help Address Vulnerabilities

Information Asset: Laptop with ePHI

Threat Source: Burglar who may steal Laptop with ePHI

Threat Action: Steal Laptop

Vulnerabilities: Device is portable • Weak password • ePHI is not encrypted • ePHI is not backed up

Controls: Policies & Procedures • Training & Awareness • Cable lock down • Strong passwords • Encryption • Remote wipe • Data Backup


What A Risk Analysis Is…

A Risk Analysis IS the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, …, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place (NIST SP 800-30).

…from HHS/OCR Final Guidance

• HHS / OCR Required by HITECH Act to provide guidance

• July 14, 2010 “Guidance on Risk Analysis Requirements”

• Not a news flash

• Required since April 2005

• Nine (9) Essential Elements


Regardless of the risk analysis methodology employed…

1. Scope of the Analysis - all ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a).)

2. Data Collection - The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)

3. Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)

4. Assess Current Security Measures - Organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

5. Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)

6. Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)

7. Determine the Level of Risk - The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

8. Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).)

9. Periodic Review and Updates to the Risk Assessment - The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)

Determine Likelihood and Impact

Asset    Threat Source / Action        Vulnerability         Likelihood   Impact
Laptop   Burglar steals laptop         No encryption         High (5)     High (5)
Laptop   Burglar steals laptop         Weak passwords        High (5)     High (5)
Laptop   Burglar steals laptop         No tracking           High (5)     High (5)
Laptop   “Shoulder Surfer” views       No privacy screen     Low (1)      Medium (3)
Laptop   Careless User drops           No data backup        Medium (3)   High (5)
Laptop   Lightning Strike hits home    No surge protection   Low (1)      High (5)
etc.
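The scoring in the table above (Likelihood 1/3/5 times Impact 1/3/5) and elements 5 through 7 of the OCR guidance, carried through as a small risk register that ranks the Asset / Threat / Vulnerability triples and records the residual rating once a control is planned or in place. This is an added example, not code from the module or a Clearwater tool: the 1/3/5 scale and the laptop rows come from the table, while the Low/Medium/High bands for the product, the “Full-disk encryption” control and its residual rating, and every function name are assumptions made for the example.

```python
"""Risk-register scoring for Asset / Threat / Vulnerability triples.

Added example (not the module's own code or Clearwater's tool). Scores each
triple as Likelihood (1/3/5) x Impact (1/3/5) like the slide's table, ranks
the register, and records the residual rating after a control is applied.
The 1/3/5 scale comes from the table; the risk-level bands and the sample
control effect are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, replace

# Rating scale used in the module's table: Low = 1, Medium = 3, High = 5.
RATING = {"Low": 1, "Medium": 3, "High": 5}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str                       # threat source / action
    vulnerability: str
    likelihood: str                   # "Low" | "Medium" | "High"
    impact: str                       # "Low" | "Medium" | "High"
    controls: tuple[str, ...] = ()    # controls planned or in place

    def score(self) -> int:
        """Likelihood x Impact on the 1/3/5 scale, so a value from 1 to 25."""
        return RATING[self.likelihood] * RATING[self.impact]


def risk_level(score: int) -> str:
    """Bucket a 1..25 score into Low / Medium / High.
    The thresholds are an assumption for the example, not OCR guidance."""
    if score >= 15:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by asset and vulnerability so the
    documented report is stable from one run to the next."""
    return sorted(register, key=lambda r: (-r.score(), r.asset, r.vulnerability))


def summarize(register: list[Risk]) -> dict[str, int]:
    """Count of risks per level, e.g. {'High': 4, 'Medium': 1, 'Low': 1}."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for r in register:
        counts[risk_level(r.score())] += 1
    return counts


def apply_control(risk: Risk, control: str,
                  new_likelihood: str | None = None,
                  new_impact: str | None = None) -> Risk:
    """Return the residual risk after a control is planned or in place.
    The analyst supplies the residual ratings; the function records them
    together with the control so the decision is documented (element 8)."""
    return replace(
        risk,
        likelihood=new_likelihood or risk.likelihood,
        impact=new_impact or risk.impact,
        controls=risk.controls + (control,),
    )


def render(register: list[Risk]) -> str:
    """Plain-text register, one line per risk, for the documented report."""
    lines = [f"{'Score':>5}  {'Level':<6} {'Asset':<8} {'Threat':<28} "
             f"{'Vulnerability':<20} Controls"]
    for r in register:
        ctl = ", ".join(r.controls) or "-"
        lines.append(f"{r.score():>5}  {risk_level(r.score()):<6} {r.asset:<8} "
                     f"{r.threat:<28} {r.vulnerability:<20} {ctl}")
    return "\n".join(lines)


# Constructed sample register, transcribed from the module's laptop table.
SAMPLE_REGISTER = [
    Risk("Laptop", "Burglar steals laptop", "No encryption", "High", "High"),
    Risk("Laptop", "Burglar steals laptop", "Weak passwords", "High", "High"),
    Risk("Laptop", "Burglar steals laptop", "No tracking", "High", "High"),
    Risk("Laptop", "Shoulder surfer views screen", "No privacy screen", "Low", "Medium"),
    Risk("Laptop", "Careless user drops laptop", "No data backup", "Medium", "High"),
    Risk("Laptop", "Lightning strike hits home", "No surge protection", "Low", "High"),
]

if __name__ == "__main__":
    print(render(prioritize(SAMPLE_REGISTER)))
    # Assumed control effect: full-disk encryption leaves theft just as likely
    # but removes the disclosure impact, so the analyst re-rates impact as Low.
    residual = apply_control(SAMPLE_REGISTER[0], "Full-disk encryption", new_impact="Low")
    print("\nResidual after control:\n" + render([residual]))
```

Run stand-alone it prints the ranked register (three 25s, then 15, 5, 3) and the residual row for the encrypted laptop, which drops from 25 (High) to 5 (Medium). Note what the control does and does not change: encryption does nothing for the likelihood of theft, and nothing at all for the “No data backup” row, which is why each triple is scored on its own rather than per asset.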


Actions to Conduct Bona Fide Risk Analysis & Risk Management

1. Become familiar with what the exact requirements are in the Security Rule and the HHS OCR Final Guidance on Risk Analysis

2. Learn the terminology of risk and risk analysis; read supplemental material

3. Be absolutely clear on what is NOT a risk analysis

4. Select the methodology you will follow and study it carefully

5. Complete your risk analysis

6. Build and execute your risk management plan

7. Update your risk analysis at least once a year

Clearwater HIPAA Business Risk Management Life Cycle (figure): Frame, Assess, Respond, Monitor. Stages shown: Risk Strategy / Governance; ePHI Discovery; Privacy Assessment; Security Assessment; Risk Analysis; Risk Response; Remediation; Auditing / Technical Testing; Workforce Training. (Today’s Topics are marked in the figure.)

Understand Risk (figure)

Owners value Assets, wish to minimize Risks, and implement Controls & Safeguards to reduce them. Risks may be reduced by Controls & Safeguards and are increased by Vulnerabilities, which exist in Assets and in the Controls & Safeguards that may possess them. Threat Sources (Adversarial, Accidental, Structural, Environmental) may be aware of Vulnerabilities and wish to abuse and/or damage Assets; they give rise to Threats that exploit Vulnerabilities, leading to Risks.


Choose Risk Analysis Methodology

• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), developed at Carnegie Mellon University

• ISACA's RISK IT (now part of COBIT 5)

• ISO 27005:2011 Information technology ‐‐Security techniques ‐‐ Information security risk management 

• Factor Analysis of Information Risk (FAIR) 

• NIST SP800‐30 Revision 1 Guide for Conducting Risk Assessments


Risk Management Guidance

Guidance on Risk Analysis Requirements under the HIPAA Security Rule (Final)

• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments

• NIST SP800-34, Contingency Planning Guide for Federal Information Systems

• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

• NIST SP800-39 (Final), Managing Information Security Risk

• NIST SP800-53 Revision 3 (Final), Recommended Security Controls for Federal Information Systems and Organizations

• NIST SP800-53A Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans

What a Real Risk Analysis Looks Like (figure)

Risk Rating Report (figure)


Pause & Quick Poll

• Has Your Organization Completed a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))? A Bona Fide Risk Analysis? YES / NO / DON’T KNOW


HIPAA Security Technical Evaluation

• External Network Vulnerability Assessment & Penetration Testing

• Internal Network Vulnerability Assessment & Penetration Testing

• Web Application Assessment

• Wireless Security Assessment

• Security Awareness Assessment

• Sensitive Data Discovery Scans

ALL IMPORTANT – AIMED AT DETERMINING EFFICACY AND EFFECTIVENESS OF CONTROLS

Reference NIST SP 800-53A

http://clearwatercompliance.com/wp-content/uploads/2014/01/NIST-SP800-53A-rev1-final_Guide_for_Assessing_the_Security_Controls_in_Federal_Information_Systems_and_Organizations-Building_Effective_SAPs.pdf

“Security control assessments are not about checklists, simple pass‐fail results, or generating paperwork to pass inspections or audits—rather, security controls assessments are the principal vehicle used to verify that the implementers and operators of information systems are meeting their stated security goals and objectives. Special Publication 800‐53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, is written to facilitate security control assessments conducted within an effective risk management framework.”

Resource

“The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for Cloud Service Providers (CSP). Testing security controls is an integral part of the FedRAMP security authorization requirements and enables Federal Agencies to use the findings that result from the tests to make risk-based decisions. Providing a plan for security control ensures that the process runs smoothly.”

Reference NIST SP 800-115

http://clearwatercompliance.com/wp-content/uploads/2013/12/SP800-115-Technical-Guide-to-Information-Security-Testing-and-Assessment.pdf

• Basis of Technical Evaluations

– Pen Testing

– Vulnerability Scans

– Post Testing Activities


Pause & Quick Poll

• Has Your Organization Completed the Technical Evaluation (= Testing) of Your Environment (45 CFR §164.308(a)(8))? YES / NO / DON’T KNOW


Supplemental Materials

9-1. NIST SP800-66

9-2. NIST SP800-115

9-3. NIST SP800-53A

9-4. Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Plan template (Word)

9-5. ONC Guide to Privacy and Security of Health Information

9-6. Clearwater HIPAA Risk Analysis Report Example w/ examples (PDF)

9-7. HIPAA Risk Analysis Buyer’s Guide Checklist - What to Look for in a HIPAA Risk Analysis Firm_V3.0 (PDF)

Questions?