TRANSCRIPT · 2020-03-16
© Clearwater Compliance LLC | All Rights Reserved
Copyright Notice. All materials contained within this document are
protected by United States copyright law and may not be
reproduced, distributed, transmitted, displayed, published, or
broadcast without the prior, express written permission of Clearwater
Compliance LLC. You may not alter or remove any copyright or
other notice from copies of this content.
For reprint permission and information, please direct your inquiry to
Legal Disclaimer. This information does not constitute legal advice and is for
educational purposes only. This information is based on current federal law and
subject to change based on changes in federal law or subsequent interpretative
guidance. Since this information is based on federal law, it must be modified to
reflect state law where that state law is more stringent than the federal law or other
state law exceptions apply. This information is intended to be a general information
resource regarding the matters covered, and may not be tailored to your specific
circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND
ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR
OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational
reference in any of the following materials should not be assumed as an
endorsement by Clearwater Compliance LLC.
Clearwater HIPAA Risk Analysis™ Guided Tour
(800) 704-3394 · [email protected]
Jon Stone, MPA, CRISC, HCISPP, PMP
Vice President of Product Innovation, Clearwater Compliance LLC · [email protected] · 615-210-9612
• 30+ years in healthcare in the provider, payer and healthcare quality improvement industries
• 20+ years of strategic leadership for compliance and healthcare information technology projects involving the most sensitive ePHI, for companies such as CIGNA, Healthways and Optum
• MPA - Healthcare Policy and Administration
© 2013-14 Clearwater Compliance LLC | All Rights Reserved
Meeting Logistics
Instructions for asking a question:
• All attendees on mute
• Type in questions or comments in the GoToMeeting Question Control Panel
You will learn…
• Regulatory background
• Product features
• Software walkthrough
• Product benefits
Three Pillars of HIPAA-HITECH Compliance: Privacy, Security, Breach Notification (HIPAA / HITECH)
• Privacy Final Rule: 75 pages / 27K words, 56 Standards, ~54 "dense" Implementation Specs
• Security Final Rule: 18 pages / 4.5K words, 22 Standards, ~50 Implementation Specs
• Breach Notification IFR: 6 pages / 2K words, 4 Standards, 9 Implementation Specs
Omnibus Final Rule
Stage 1 and Stage 2 Meaningful Use require completion of a HIPAA Security Risk Analysis.
Completing a formal Security Risk Analysis is required by the HIPAA Security Rule and must follow HHS/OCR guidelines.
Security violations can be devastating to an
organization’s reputation and finances
You don’t know your risks…
Without the benefit of a HIPAA compliant Risk Analysis approach, you are probably making privacy and security investments in a vacuum, without facts and data to facilitate informed decision making.
You are at high risk in the face of increasing enforcement actions.
The threat landscape is constantly changing.
Organizations are struggling to identify threats…
Organizations don’t know their vulnerabilities:
Are critical systems encrypted?
Are passwords strong enough?
Are we prepared for disaster?
Are our employees trained?
All this uncertainty means we don’t know our risks:
Regulatory risks
Financial risks
Legal risks
Risks to our reputations
Risks to operations and care
HIPAA Business Risk Management Life Cycle: Frame, Assess, Respond, Monitor
Activities: Privacy Assessment, Security Assessment, Risk Analysis, ePHI Discovery, Risk Response, Remediation, Risk Strategy, Governance, Auditing, Technical Testing, Workforce Training
What do the regulations require?
45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process
(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information…
45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes…
The HHS Office for Civil Rights recommends that, regardless of the risk analysis methodology employed, you include the following key components:
1. Scope of the Analysis - all ePHI must be included in the risk analysis
2. Data Collection - it must be documented
3. Identify and Document Potential Threats and Vulnerabilities
4. Assess Current Security Measures
5. Determine the Likelihood of Threat Occurrence
6. Determine the Potential Impact of Threat Occurrence
7. Determine the Level of Risk
8. Finalize Documentation
9. Periodic Review and Updates
Guidance on Risk Analysis Requirements under the HIPAA Security Rule (Final)
• NIST SP 800-30 - Guide for Conducting Risk Assessments
• NIST SP 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations
There is a lot of confusion out there…
What a Risk Analysis is not
• A network vulnerability scan
• A penetration test
• A configuration audit
• A network diagram review
• Information system activity review
• A questionnaire
Risk Analysis Is…
…the process of identifying, prioritizing, and estimating risks to organizational operations… resulting from the operation of an information system…¹
• Risk management incorporates threat and vulnerability analyses
• Considers mitigations provided by security controls planned or in place¹
¹ NIST SP 800-30
The Risk Analysis Dilemma
Assets and Media
• Backup Media
• Desktop
• Disk Array
• Electronic Medical Device
• Laptop
• Pager
• Server
• Smartphone
• Storage Area Network
• Tablet
• Third-party service provider
• Etcetera…
NIST SP 800-53 Controls (hundreds and hundreds)
• PS-6 a The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
• PS-6 b The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
• AC-19 a The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices.
• AC-19 b The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.
• AC-19 d The organization enforces requirements for the connection of mobile devices to organizational information systems.
• AC-19 e The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.
• AC-19 f The organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
Vulnerabilities
• Anti-malware Vulnerabilities
• Destruction/Disposal Vulnerabilities
• Dormant Accounts
• Endpoint Leakage Vulnerabilities
• Excessive User Permissions
• Insecure Network Configuration
• Insecure Software Development Processes
• Insufficient Application Capacity
• Insufficient data backup
• Insufficient data validation
• Insufficient equipment redundancy
• Insufficient equipment shielding
• Insufficient fire protection
• Insufficient HVAC capability
• Insufficient power capacity
• Insufficient power shielding
• Etcetera…
Threat Actions
• Burglary/Theft
• Corruption or destruction of important data
• Data Leakage
• Data Loss
• Denial of Service
• Destruction of important data
• Electrical damage to equipment
• Fire damage to equipment
• Information leakage
• Etcetera…
Threat Agents
• Burglar/Thief
• Electrical Incident
• Entropy
• Fire
• Flood
• Inclement weather
• Malware
• Network Connectivity Outage
• Power Outage/Interruption
• Etcetera…
Approximately 330,000,000 permutations
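Added example, not part of the webinar and not Clearwater's software or its proprietary algorithm: a small Python risk register that walks the OCR key components listed earlier (identify threats and vulnerabilities, assess current security measures, determine likelihood, impact and level of risk) over the asset, threat and vulnerability lists from the dilemma slide above. The asset, threat agent, threat action and vulnerability names are taken from those lists; everything else is a constructed assumption for illustration: which threat/vulnerability pairs apply to which assets, the inherent likelihood and impact values, the 1-5 scales and score thresholds, and the mapping of SP 800-53 control IDs (AC-19 from the slide, plus SI-3, CP-9, PE-13 and PE-11) to the vulnerability each one mitigates and by how much.

```python
"""Risk register skeleton for a HIPAA Security Rule risk analysis.

Added example; not Clearwater's software or its proprietary algorithm.
Names come from the webinar lists; the applicability map, control
effectiveness values and the 5x5 scoring scheme are constructed assumptions.
"""
from dataclasses import dataclass, field
from itertools import product

# Qualitative 1..5 bands in the style of NIST SP 800-30 (Very Low .. Very High).
VERY_LOW, LOW, MODERATE, HIGH, VERY_HIGH = 1, 2, 3, 4, 5

ASSETS = ["Backup Media", "Laptop", "Server", "Smartphone", "Storage Area Network"]

# Threat agent -> threat action it produces (pairs drawn from the slide lists).
THREATS = [
    ("Burglar/Thief", "Burglary/Theft"),
    ("Fire", "Fire damage to equipment"),
    ("Malware", "Corruption or destruction of important data"),
    ("Power Outage/Interruption", "Denial of Service"),
]

VULNERABILITIES = [
    "Endpoint Leakage Vulnerabilities",
    "Anti-malware Vulnerabilities",
    "Insufficient data backup",
    "Insufficient fire protection",
    "Insufficient power capacity",
]

# Assumption: which (threat action, vulnerability) pairs are meaningful, and on
# which assets. Anything not listed is pruned as not applicable; this explicit
# model is what keeps a register far below the raw permutation count.
APPLICABLE = {
    ("Burglary/Theft", "Endpoint Leakage Vulnerabilities"): {"Laptop", "Smartphone", "Backup Media"},
    ("Corruption or destruction of important data", "Anti-malware Vulnerabilities"): {"Laptop", "Server"},
    ("Corruption or destruction of important data", "Insufficient data backup"): {"Server", "Storage Area Network"},
    ("Fire damage to equipment", "Insufficient fire protection"): {"Server", "Storage Area Network", "Backup Media"},
    ("Denial of Service", "Insufficient power capacity"): {"Server", "Storage Area Network"},
}

# Assumed inherent (likelihood, impact) per pair, before any controls.
INHERENT = {
    ("Burglary/Theft", "Endpoint Leakage Vulnerabilities"): (HIGH, VERY_HIGH),
    ("Corruption or destruction of important data", "Anti-malware Vulnerabilities"): (HIGH, HIGH),
    ("Corruption or destruction of important data", "Insufficient data backup"): (MODERATE, VERY_HIGH),
    ("Fire damage to equipment", "Insufficient fire protection"): (LOW, VERY_HIGH),
    ("Denial of Service", "Insufficient power capacity"): (MODERATE, MODERATE),
}

# Assumed mapping: SP 800-53 control ID -> (vulnerability it mitigates,
# number of likelihood bands it removes). IDs other than AC-19 are illustrative.
CONTROLS = {
    "AC-19": ("Endpoint Leakage Vulnerabilities", 2),  # mobile device restrictions
    "SI-3": ("Anti-malware Vulnerabilities", 2),        # malicious code protection
    "CP-9": ("Insufficient data backup", 2),            # information system backup
    "PE-13": ("Insufficient fire protection", 1),       # fire protection
    "PE-11": ("Insufficient power capacity", 2),        # emergency power
}

# Assumed "current security measures": controls in place per asset.
IN_PLACE = {
    "Laptop": {"AC-19", "SI-3"},
    "Smartphone": set(),  # gap: no mobile device control in place yet
    "Server": {"SI-3", "CP-9", "PE-13", "PE-11"},
    "Storage Area Network": {"CP-9", "PE-11"},
    "Backup Media": {"PE-13"},
}


@dataclass
class RiskItem:
    asset: str
    agent: str
    action: str
    vulnerability: str
    likelihood: int   # residual likelihood after controls in place
    impact: int
    controls: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


def risk_level(likelihood: int, impact: int) -> str:
    """Bucket likelihood x impact (1..25) into a rating. Thresholds are assumed."""
    score = likelihood * impact
    if score >= 15:
        return "Critical"
    if score >= 9:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def permutation_count() -> int:
    """Raw asset x threat x vulnerability combinations before any pruning."""
    return len(ASSETS) * len(THREATS) * len(VULNERABILITIES)


def build_register() -> list:
    """Enumerate applicable triples, apply controls in place, rank by residual score."""
    register = []
    for asset, (agent, action), vuln in product(ASSETS, THREATS, VULNERABILITIES):
        key = (action, vuln)
        if asset not in APPLICABLE.get(key, set()):
            continue
        likelihood, impact = INHERENT[key]
        applied = sorted(cid for cid in IN_PLACE[asset] if CONTROLS[cid][0] == vuln)
        for cid in applied:
            likelihood = max(VERY_LOW, likelihood - CONTROLS[cid][1])
        register.append(RiskItem(asset, agent, action, vuln, likelihood, impact, applied))
    return sorted(register, key=lambda r: (-r.score, r.asset))


if __name__ == "__main__":
    items = build_register()
    print(f"raw permutations: {permutation_count()}, applicable register items: {len(items)}")
    for r in items:
        print(f"{r.level:8} {r.score:2}  {r.asset:22} {r.action:45} {r.vulnerability:34} controls={r.controls}")
```

Running it prints the raw permutation count for this toy inventory (100, against the 330,000,000 the slide cites for a full one) next to the number of register items that survive the applicability model, then the ranked register. The items with no matching control in place (smartphone and backup-media theft) come out on top; the same asset and threat with a control recorded (laptop theft with AC-19) drops a band, which is the "assess current security measures" step made visible in the numbers.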
The Unique Clearwater Risk Algorithm™
HHS OCR Guidance on Risk Analysis says:
• Scope of the Analysis - all ePHI must be included in the Risk Analysis
• Data Collection - it must be documented
• Identify and Document Potential Threats and Vulnerabilities
• Assess Current Security Measures
• Determine the Likelihood of Threat Occurrence
• Determine the Potential Impact of Threat Occurrence
• Determine the Level of Risk
• Finalize Documentation
• Periodic Review and Update
Compile your compliance documentation in one place, and enable periodic reviews and updates unlike any other spreadsheet, Word document or software available.
Software Demonstration
Support: Unlimited support during normal business hours; phone and email support
Training: 60-90 minutes of live web-based training; extensive free self-service training
User Provisioning: Easy self-service capabilities to add unlimited numbers of users; add additional business entities and perform multiple concurrent assessments for an additional reasonable price
Ease of Access: Available 7x24 from an internet connection; no software download required; supports all common browsers
Business Continuity: Customer data is backed up every 15 minutes; returned to operations in under two hours
Protection: Strong firewalls; all data sent or received uses TLS 1.1 encryption; passwords are stored using strong encryption
Clearwater HIPAA Risk Analysis™- Benefits
• Be Confident Your Security Risk Analysis is by the Book
• One-of-a-Kind Cloud Based Proprietary Software
• Record Where Your Sensitive Data Lives
• Learn Recommended Controls
• Measure Your Progress Against a Baseline
• Operationalize Compliance Through a Mature, Repeatable and Sustainable process
• Make Sound Decisions and Justify Investment Dollars
• De-Mystify a Complex Process
Need help with resources or expertise?
Clearwater Customer Community
• Where Clearwater customers go to get additional value and benefits
Customer Council Meetings
• Complimentary educational content
• A place for customers to interact and learn from each other
Customer Forum
• A place for software customers to privately post questions and chat with peers
Questions?
Healthcare Information Privacy, Security, Compliance and Risk Management Solutions from Clearwater Compliance LLC have earned the exclusive endorsement of the American Hospital Association.
For more than 100 years, the American Hospital Association (AHA) has been a powerful symbol of quality. By consistently applying a formal due diligence process, AHA Solutions, Inc., an AHA member service, identifies products and services that foster operational excellence in our nation’s hospitals.
Legal Disclaimer
AHA Solutions, Inc., a subsidiary of the American Hospital Association (AHA), is compensated for the use of the AHA marks and for its assistance in marketing endorsed products and services. By agreement, pricing of endorsed products and services may not be increased by the providers to reflect fees paid to the AHA.
If you are interested in a Free Trial please contact us:
(800) 704-3394
Get more info…
Register for upcoming live HIPAA-HITECH webinars at: http://clearwatercompliance.com/live-educational-webinars/
View pre-recorded webinars like this one at: http://clearwatercompliance.com/on-demand-webinars/