TRANSCRIPT
© Clearwater Compliance | All Rights Reserved
Coming to Terms with New Privacy Regulations
A Clearwater Web Event
September 19, 2019
Webinar Logistics
1. Slide materials – link in Chat Box (should also have been received in the reminder email earlier today)
2. All attendees are in “Listen Only Mode”
3. Please ask content-related questions in “Q&A”
4. In case of technical issues, check “Chat”
5. Please complete the Exit Survey when you leave the session
6. Recorded version, final slides and Certificate of Attendance will be shared with you within 48 hours
Founded in Nashville in 2009, colleagues in 20+ states, growing rapidly
Portfolio company of Altaris Capital Partners, a healthcare PE firm with $3B under management
Leading provider of cyber risk management and HIPAA compliance software and solutions for healthcare
Approximately 400 customers, including 60 IDNs, many with enterprise programs
100% success rate when deliverables submitted to the Office For Civil Rights (OCR)
Introduction to Clearwater
• 30 years’ experience in Information Systems.
• 20+ years’ experience in Information Security.
• 10+ years’ experience in Healthcare IT Project Management.
• Former VP Information Systems, Alpha-Omega Chemical Company.
• Certified Information Systems Security Professional (CISSP), Healthcare Information Security and Privacy Professional (HCISPP), Project Management Professional (PMP).
• BS Information Technology Management, MBA Information Technology Management, Doctor of Philosophy in Information Technology with a specialization in Information Assurance and Cybersecurity. Focus: Medical Device Cybersecurity.
George W. Jackson, Jr. | MBA, Ph.D., CRISC, HCISPP, CISSP, PMP
Senior Principal Consultant, Clearwater
Today’s Presenter
https://www.linkedin.com/in/georgewjacksonjr/
The Changing Landscape of Privacy Laws in the U.S.
More States, Higher Stakes, More Complexity
State Data Security Laws have DOUBLED since 2016
Source: http://www.ncsl.org/research/telecommunications-and-information-technology/data-security-laws.aspx
The State of the Union in U.S. Privacy Laws
Per the IAPP State Comprehensive Privacy Law Comparison, three states have signed statutes:
• California
• Nevada
• Maine
Source: https://iapp.org/news/a/us-state-comprehensive-privacy-law-comparison/
An Outcry for U.S. Federal Privacy Legislation
A Plea for U.S. Federal Privacy Legislation
FIFTY-ONE CHIEF EXECUTIVES belonging to an association of CEOs known as the Business Roundtable, sent a letter to congressional leaders seeking “a comprehensive consumer data privacy law” to provide “strong, consistent protections for American consumers.”
The NIST Privacy Framework
A Privacy Risk Management Solution
Why is the NIST Privacy Framework Needed?
• To enable innovation and increase the ability to create trustworthy systems
• The Privacy Framework is designed to be an Enterprise Risk Management Tool
• Integrates privacy practices into the organizational processes that result in effective solutions
• Tailored to the needs of the organization
Why is the NIST Privacy Framework Needed?
Improves privacy risk management for organizations delivering:
• Products or services
• In any sector of the economy
• Regardless of their focus or size.
Provides a common taxonomy that is neither country nor region specific. Promotes international cooperation and collaboration on privacy.
The NIST Privacy Framework
Development and Implementation
The Privacy Framework Development Process
Source: NIST Presentation-NIST Privacy Framework Ready, Set, Comment on the Preliminary Draft September 17, 2019
Accountability is the Key to Implementation
The Privacy Framework supports accountability throughout the Enterprise
Source: Preliminary Draft NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management. September 6, 2019
Carry Privacy Beyond the Organization
The NIST Privacy Framework is designed to be extensible. Given the complex and interconnected nature of third-party relationships, supply chain risk management (SCRM) is critical. The Privacy Framework addresses privacy risks related to external parties.
Source: Preliminary Draft NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management. September 6, 2019
Source: NIST Presentation-NIST Privacy Framework Ready, Set, Comment on the Preliminary Draft September 17, 2019
Implementing the Privacy Framework: The Core
The Core provides a set of activities to achieve specific privacy outcomes. The Core presents outcomes helpful in managing privacy risk. The Core has three components:
• Functions
• Categories and
• Subcategories
Source: Preliminary Draft NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management. September 6, 2019
Implementing the Privacy Framework – Subcategories
Subcategories further divide a category into specific outcomes of technical and/or management activities.
Privacy Framework Implementation Tier 1: Partial
Privacy Risk Management Process – Organizational privacy risk management practices are not formalized.
Integrated Privacy Risk Management Program – There is limited awareness of privacy risk at the organizational level.
Ecosystem Relationships – There is limited understanding of an organization’s role in the larger ecosystem.
Workforce – Some personnel may have a limited understanding of privacy risks.
Privacy Framework Implementation Tier 2: Risk Informed
Privacy Risk Management Process – Risk management practices are approved by management but may not be established as organizational-wide policy.
Integrated Privacy Risk Management Program – There is an awareness of privacy risk at the organizational level, but an organization-wide approach to managing privacy risk has not been established.
Ecosystem Relationships – There is some understanding of an organization’s role in the larger ecosystem.
Workforce – There are personnel with specific privacy responsibilities, but they may have non-privacy responsibilities as well.
Privacy Framework Implementation Tier 3: Repeatable
Privacy Risk Management Process – The organization’s risk management practices are formally approved and expressed as policy.
Integrated Privacy Risk Management Program – There is an organization-wide approach to manage privacy risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed.
Ecosystem Relationships – Understands its role in the larger ecosystem and actively contributes to the broader community.
Workforce – Dedicated privacy personnel possess the knowledge and skills to perform their appointed roles and responsibilities.
Privacy Framework Implementation Tier 4: Adaptive
Privacy Risk Management Process – The organization adapts its privacy practices based on lessons learned from privacy breaches and events, and identification of new privacy risks.
Integrated Privacy Risk Management Program – There is an organization-wide approach to managing privacy risk that uses risk-informed policies, processes, and procedures.
Ecosystem Relationships – Understands its role in the larger ecosystem and proactively contributes to the broader community.
Workforce – The organization has specialized privacy skillsets throughout the organizational structure.
Key Privacy Risk Management Practices
Source: NIST Presentation-NIST Privacy Framework Ready, Set, Comment on the Preliminary Draft September 17, 2019
The Road Ahead
NIST Privacy Framework Future Directions
NIST Privacy Framework: Potential Future Directions
Mechanisms to Provide Confidence: Mechanisms (e.g., conformity assessment activities, assessments, or audits) to enhance an organization’s implementation of the Privacy Framework.
Emerging Technologies: Understanding how emerging technologies (such as the internet of things [IoT] and artificial intelligence [AI]) impact the development of tools, standards and practices related to managing privacy.
NIST Privacy Framework: Potential Future Directions
Privacy Risk Assessment: Methods for conducting effective privacy risk assessments, uniform concepts of privacy risk factors and more in-depth guidance for assessing privacy risks.
Privacy Workforce: Further development of a knowledgeable and skilled privacy workforce.
NIST Privacy Framework: Potential Future Directions
Re-identification Risk: Effective data de-identification and managing residual re-identification risks.
Technical Standards: While there are emerging privacy standards in a variety of standards development organizations, there are fewer technical and testing methodology standards in privacy.
Next Steps
Adopt the Framework
The NIST Privacy Framework is a voluntary tool:
• Designed for organizations to better identify, assess, manage, and communicate about privacy risks
• To enjoy the benefits of innovative technologies with greater confidence and trust.
Privacy Framework Resources
https://www.nist.gov/privacy-framework
Visit the NIST Privacy Framework Website:
• Download the Preliminary Draft
• Review past Workshops
• Review Other Resources and Related Programs
Upcoming Educational Events
Learn More & Register at: https://clearwatercompliance.com/upcoming-educational-events/
Thank You & Questions
George Jackson [email protected]
Thank you for taking the time to complete the exit survey. We look forward to your input as we appreciate and utilize the feedback received.
Legal Disclaimer
Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.
Copyright Notice
All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
www.ClearwaterCompliance.com
800.704.3394
LinkedIn | linkedin.com/company/clearwater-compliance-llc/
Twitter | @clearwaterhipaa