TRANSCRIPT
© Clearwater Compliance | All Rights Reserved
Copyright Notice
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]
Legal Disclaimer
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
January 26, 2016
Demystifying HIPAA and the Cloud
Your Presenters

Bob Chaput, CEO | Clearwater Compliance
MA, CISSP, HCISPP, CRISC, CIPP/US
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• MA, BA - Mathematics
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Numerous Technical Certifications (MCSE, MCSA, etc.)
• Expertise and Focus: Healthcare, Financial Services, Retail, Legal
• Member: HCCA, AHA, IAPP, ISC2, CHIME/AEHIS, HIMSS, ISSA, ISACA

Kris Kelso, CEO & Founder | Atlas Health Technologies
• 16+ Years Healthcare Technology Experience, including infrastructure and software design
• Advisor to hospitals, physician groups, and healthcare investors
Some Ground Rules
1. Slide materials
   A. Check “Handouts” area on GoToWebinar Control to download materials now
2. Questions in “Question Area” on GTW Control Panel
3. In case of technical issues, check “Chat Area”
4. All Attendees are in Listen Only Mode
5. Please complete Exit Survey, when you leave session
6. Recorded version and final slides within 48 hours
We are not attorneys! Ensure Competent Counsel
The Omnibus has arrived! Welcome Aboard, BAs!
Lots of different interpretations! Please, Ask Lots of Questions!
But FIRST!
Our Goal Is To Help You Become As Self-Sufficient As You Wish To Be
This empowering philosophy underpins everything we do.
• Commitment to educational resources for our audiences
• Ongoing support and training for our customers
• Thought-, service-, methodology- and software-leadership to better serve you
Our Passion
We’re excited about what we do because…
…we’re helping organizations improve patient safety and the quality of care by safeguarding the very personal and private healthcare information of millions of fellow Americans…
… And, keeping those same organizations off the Wall of Shame…!
Clearwater Awards and Recognition
#11 – 2015 & 2016
Exclusive
Industry Resource Provider
Software Used by NSA/CAEs
Sole Source Provider
About Atlas Health
Provider of application hosting to help organizations become HIPAA-compliant. Our platform automates many of the required technical safeguards mandated by HIPAA:
• Disk and Network Encryption
• Access Control Logging and Monitoring
• Intrusion Detection & Prevention
• Data Replication / Failover
• Security Patching
• Scheduled Backups
How many Clearwater Compliance webinars have you attended before?
Pause and Quick Poll
Do you believe "the cloud" is inherently more risky than managing one's own IT infrastructure & application portfolio?
Pause and Quick Poll
Do you believe that the HIPAA regulations preclude use of "the cloud"?
Pause and Quick Poll
Learning Outcomes… Attendees Will Be Able To:
• Understand the difference between three types of Cloud Computing
• Evaluate which solution is right for the technology being implemented
• Identify the hidden costs in technology deployment, and how to properly cost-compare the options
• Evaluate software and cloud vendors’ adherence to HIPAA regulations
• Explain two critical requirements for managing cloud service providers
Agenda
• Cloud Computing Explained
• Which Solution is Right
• Hidden Costs to Identify
• HIPAA and Cloud Computing
Cloud Computing Explained
“Cloud Computing” simply refers to computing resources that you use or consume, but that you do not own, and which are not physically located in your building / facility.
Examples from Other Industries
Pause and Quick Poll
Is your organization using cloud services / software today?
Three “Flavors” of Cloud Computing
• Infrastructure-as-a-Service (IaaS)
• Software-as-a-Service (SaaS)
• Platform-as-a-Service (PaaS)
Cloud Service Providers
• Infrastructure (IaaS)
• Software (SaaS)
• Platform (PaaS)
The Cloud Computing “Stack”

Software
• End-user Application
• Business Logic
• Integrations / Interfaces

Platform
• Operating System (Windows, Linux, Unix)
• Database Engine (MySQL, Oracle, Postgres)
• Security (Firewalls, Intrusion Detection, Backup Systems)

Infrastructure
• Secure Data Center
• Physical Resources - Computers, Disks, Network Equipment
• Power, Cooling, Fire Suppression
Agenda
• Cloud Computing Explained
• Which Solution is Correct
• Hidden Costs to Identify
• HIPAA and Cloud Computing
Pros and Cons

SaaS
Pros:
• Full stack support from one vendor
• All security patching and updates are done for you
• Little to no IT staff required
Cons:
• No control over software updates / changes
• Limited customization options

PaaS
Pros:
• Minimal IT staff required
• You can focus on the software, rather than the underlying compute environment
• Only software-level management is required by the customer
Cons:
• Software must be supported by platform
• Operating System and Database choices may be limited
• Some technical expertise required to deploy software

IaaS
Pros:
• Complete control over the computing environment, with exception of the physical hardware
• Ultimate flexibility
Cons:
• Full responsibility for most aspects of security, stability, and maintenance
• Wide range of expertise required
Pause and Quick Poll
Does your organization have dedicated IT staff?
Which Type is Right for Me?
| If You… | SaaS | PaaS | IaaS |
|---|---|---|---|
| Want complete control of the system architecture | | | X |
| Have security and technology experts on staff | | | X |
| Write your own software | | X | X |
| Purchased an application, but need a place to host / run it | | X | X |
| Need Control over Customizations | | X | X |
| Run multiple versions of the same application / system | | X | X |
| Have developers, but not system administrators | | X | |
| Have no IT Staff | X | X | |
| Want all upgrades / enhancements / fixes done for you | X | | |
| Want to consume software, but not build or manage it | X | | |
Agenda
• Cloud Computing Explained
• Which Solution is Right
• Hidden Costs to Identify
• HIPAA and Cloud Computing
Cost Comparisons
Infrastructure:
• Facility
• Power / Cooling
• Hardware
• Maintenance Staff

Platform:
• Infrastructure
• OS / DB Licenses
• Automation Tools
• System Administration Staff

Software:
• Platform
• Software Development
• Patching / Bug Fix
• Support Staff
Agenda
• Cloud Computing Explained
• Which Solution is Right
• Hidden Costs to Identify
• HIPAA and Cloud Computing
HIPAA and The Cloud
What does HIPAA have to say about these options?
Service Responsibilities versus HIPAA Accountability
| Responsibility | SaaS | PaaS | IaaS |
|---|---|---|---|
| Physical Security (Data Center, Hardware) | Vendor | Vendor | Vendor |
| Hardware Maintenance (Availability) | Vendor | Vendor | Vendor |
| Network Security (Firewalls, Intrusion Detection) | Vendor | Vendor | Customer |
| System Monitoring / Uptime | Vendor | Vendor | Customer |
| Data Encryption at Rest | Vendor | Vendor | Customer |
| Data Replication | Vendor | Vendor | Customer |
| Data Backups | Vendor | Vendor | Customer |
| Security Patching (Operating System, Database) | Vendor | Vendor | Customer |
| Software-level Security (bug fixes, enforcing strong passwords) | Vendor | Customer | Customer |
| User Account Administration | Customer | Customer | Customer |
Not an exhaustive list of responsibilities
Industry-leading HIPAA / Cyber Security SaaS Suite

• Gap Assessment: Against all HIPAA Security Standards
• Audit Simulation: Against HHS Audit protocols
• Recommendations: Automated expert remediation plan
• Assign Work: Managed accountability and due dates
• Dashboards & Reports: Display period-to-period compliance progress
• Insight: Understand significant threats and vulnerabilities
• Controls: Determine if you have the right controls in place
• Risk Rating: View critical risks on intuitive dashboards and reports
• Manage Complexity: Automate the management of risk information across complex enterprises
• Plan and Evaluate: Plan a course of action to reduce critical risks
• Gap Assessment: Against all HIPAA Privacy standards
• Breach Preparation: Compliance w/Breach Notification under HITECH
• Audit Simulation: Against HHS Audit protocols
• Recommendations: Automated expert remediation plan
• Dashboards & Reports: Display period-to-period compliance progress
Two Key Recommendations for Managing Cloud Services
1. Implement a strong, proactive business associate management program that includes all cloud service providers. (45 CFR §164.502(e) and 45 CFR §164.308(b))
2. Ensure that all cloud-based services are included in a rigorous, bona fide risk assessment and risk response program. (45 CFR §164.308(a)(1)(ii)(A) and (B))
HIPAA Responsibilities of Cloud Providers

§ 164.302 Applicability. A covered entity and business associate must comply with the applicable standards, implementation specifications, and requirements of this subpart with respect to electronic protected health information.

§ 164.306 Security standards: General rules. (a) General requirements. Covered entities and business associates must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
Chain of Trust…It Never Ends

(Figure: chain-of-trust diagram with tiers CE → BA → Sub BA → Sub BA of the Sub BA)

CE: Utopia Regional Hospital
Entities shown downstream in the diagram: H. Itech Law Firm; L. E. Gall, Esq. (Contracted Attorney); Atlas Health; AWS; Secure Backup Pros; Billing-R-Us; CollectPay.com
HIPAA Responsibilities

§ 164.308 Administrative safeguards. (b)(1) Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.
(2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with §164.314(a), that the subcontractor will appropriately safeguard the information.
(3) Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a).
Implement a Strong, Proactive BA Management Program
• Inventory all Vendors or Business Associates
• Determine the Business Owners of Vendor Relationships
• Document the Services Being Provided, Information Shared & Data Flows
• Verify the Minimum Necessary Information is being Shared
• Identify and Communicate with Vendor Security (and Privacy) Officers
• Rank Order Vendors According to Risk
• Centralize the Contracting of Legal Requirements
• Review current BA Agreements to ensure Omnibus Compliance
• Share Notice of Privacy Practices and Confirm BA Uses and Disclosures
How to Implement a Strong, Proactive HIPAA Business Associate Risk Management Plan
The Security Rule: 22 Standards and 50+ Implementation Specifications
Not all requirements are created equal.
Get Risk Analysis done; then do Risk Management.
SaaS, IaaS, PaaS Must Be Included in Your Risk Analysis
SaaS, IaaS & PaaS should be treated as another “media type”… another “home” of sensitive information.
Still: Asset – Threat – Vulnerabilities “triples” to Consider
HIPAA / Cloud Bottom Line
• Nothing In HIPAA Precludes Use Of The Cloud
• Using The Cloud Is A Business Decision, Taking Into Account Risk Management Costs
• Include Cloud-based Information Assets (SaaS, IaaS, PaaS) In Risk Management Program, Like All Other Assets
• Include SaaS, IaaS, PaaS In Your Strong, Proactive Business Associate Management Program
Evaluating Cloud Vendors / Services
1. Will they sign a BAA?
2. Do they have strong governance and management in place?
3. Do they have HIPAA Privacy, Security and Breach Notification policies and procedures in place?
4. Have they provided appropriate training?
5. Have they completed all three (3) HIPAA Security Rule assessment requirements?
6. Do they have cyber liability insurance?
7. Do they have a plan of action and milestones to become and remain compliant?
Summary
• Three types of cloud computing – each layer building on the previous
• Which you choose depends on the technology you are deploying, and how much flexibility and responsibility you want (it’s a tradeoff)
• When comparing costs, be sure to factor in the hidden costs at each level
• HIPAA Compliance applies at every level in the stack – all vendors need to sign a BAA
Resources - Readings
1. AWS Enterprise Accelerator – Compliance Standardized Architecture for NIST 800-53 on the AWS Cloud (PDF)
2. HHS / OCR SAMPLE BUSINESS ASSOCIATE AGREEMENT PROVISIONS (Word)
3. Business Associates References in HIPAA-HITECH (PDF)
4. Clearwater Whitepaper: HIPAA Privacy Rule for Business Associates (PDF)
5. Clearwater Whitepaper: HIPAA Security Rule for Business Associates (PDF)
6. Clearwater Whitepaper: HIPAA Primer for Business Associates (PDF)
Download Whitepaper
Harnessing the Power of NIST
Your Practical Guide to Effective Information Risk Management
https://clearwatercompliance.com/thought-leadership/white-papers/harnessing-the-power-of-the-nist-framework/
Clearwater HIPAA Compliance and Information Risk Management BootCamp™
Take Your HIPAA Privacy and Security Program to a Better Place, Faster …
Earn up to 10.8 CPE Credits!
http://clearwatercompliance.com/bootcamps/
Designed for busy professionals, the Clearwater Information Risk Management BootCamp™ distills into one action-packed day, the critical information you need to know about the HIPAA Privacy and Security Final Rules and the HITECH Breach Notification Rule.
Join us for our next virtual, web-based events… Three 3-hour sessions:
• February 11th, 18th, 25th 2016
• May 5th, 12th, 19th 2016
Other Upcoming Clearwater Events
Visit ClearwaterCompliance.com for more info!
• February 11, 18, 25, 2016: Virtual HIPAA Compliance Program BootCamp™
• February 17, 2016: Complimentary Web Series, Clearwater Peer Academy feat. Ferris State University
• February 3, 2016: Complimentary Webinar, HIPAA-HITECH 101
• February 10, 2016: Complimentary Webinar, How to Conduct a NIST-based Risk Assessment to Comply with HIPAA and Other Regulations
Your Presenters

Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US
Clearwater Compliance LLC
http://www.ClearwaterCompliance.com
[email protected]
Phone: 800-704-3394 or 615-656-4299

Kris Kelso | Atlas Health
http://www.atlashealth.com
[email protected]
Phone: 615-854-7001

Exit Survey, Please
Questions?