Clearwater HIPAA Risk Analysis™ Guided Tour (slide transcript, 2020-03-16)


Post on 24-Jul-2020


Page 1

© Clearwater Compliance LLC | All Rights Reserved

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]

Page 2

Legal Disclaimer

This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

Page 3

Clearwater HIPAA Risk Analysis™ Guided Tour

(800) 704 - 3394 · [email protected]

Page 4

Jon Stone, MPA, CRISC, HCISPP, PMP
Vice President of Product Innovation
[email protected] · 615-210-9612

• VP of Product Innovation for Clearwater Compliance, LLC
• +30 years in Healthcare in the provider, payer and healthcare quality improvement industries
• +20 years of strategic leadership for compliance and Healthcare information technology projects involving the most sensitive ePHI for companies such as CIGNA, Healthways and Optum
• MPA - Healthcare Policy and Administration

Page 5

© 2013-14 Clearwater Compliance LLC | All Rights Reserved

Meeting Logistics

Control Panel – Instructions for asking a question:

• All attendees on mute
• Type in questions or comments in the GoToMeeting Question Control Panel

Page 6

You will learn…

• Regulatory background

• Product features

• Software walkthrough

• Product benefits

Page 7

Three Pillars of HIPAA-HITECH Compliance…

Privacy · Security · Breach Notification

HIPAA · HITECH · OMNIBUS FINAL RULE

• Privacy Final Rule: 75 pages / 27K words, 56 Standards, ~54 “dense” Implementation Specs
• Security Final Rule: 18 pages / 4.5K words, 22 Standards, ~50 Implementation Specs
• Breach Notification IFR: 6 pages / 2K words, 4 Standards, 9 Implementation Specs

Page 8

Stage 1 and Stage 2 Meaningful Use require completion of a HIPAA Security Risk Analysis.

Completing a formal Security Risk Analysis is required by the HIPAA Security Rule and must follow HHS/OCR guidelines.

Page 9

Security violations can be devastating to an organization’s reputation and finances.

Page 10

You don’t know your risks…

Without the benefit of a HIPAA compliant Risk Analysis approach…

You are probably making privacy and security investments in a vacuum, without facts and data to facilitate informed decision making…

You are at high risk in the face of increasing enforcement actions.

Page 11

The threat landscape is constantly changing.

Organizations are struggling to identify threats…

Page 12

Organizations don’t know their vulnerabilities

Are critical systems encrypted?

Are passwords strong enough?

Are we prepared for disaster?

Are our employees trained?

Page 13

All this uncertainty means we don’t know our risks…

Regulatory Risks

Financial risks

Legal risks

Risks to our reputations

Risks to operations and care

Page 14

HIPAA Business Risk Management Life Cycle

Frame, Assess, Respond, Monitor

• Privacy Assessment
• Security Assessment
• Risk Analysis
• ePHI Discovery
• Risk Response
• Remediation
• Risk Strategy
• Governance
• Auditing
• Technical Testing
• Workforce Training

Page 15

What do the regulations require?

45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information…

45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes…

Page 16

The Health and Human Services Office for Civil Rights recommends that, regardless of the risk analysis methodology employed, you include the following key components:

Page 17

1. Scope of the Analysis - all ePHI must be included in risk analysis
2. Data Collection – it must be documented
3. Identify and Document Potential Threats and Vulnerabilities
4. Assess Current Security Measures
5. Determine the Likelihood of Threat Occurrence
6. Determine the Potential Impact of Threat Occurrence
7. Determine the Level of Risk
8. Finalize Documentation
9. Periodic Review and Updates

Page 18

Guidance on Risk Analysis Requirements under the HIPAA Security Rule Final

• NIST SP800-30 - Guide for Conducting Risk Assessments

• NIST SP800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Pages 19–20

There is a lot of confusion out there…

What a Risk Analysis is not

• A network vulnerability scan

• A penetration test

• A configuration audit

• A network diagram review

• Information system activity review

• A questionnaire

Pages 21–22

Risk Analysis Is…

…the process of identifying, prioritizing, and estimating risks to organizational operations… resulting from the operation of an information system…

• Risk management incorporates threat and vulnerability analyses,
• Considers mitigations provided by security controls planned or in place¹.

¹ NIST SP800-30

Page 23

The Risk Analysis Dilemma

Assets and Media

Backup Media

Desktop

Disk Array

Electronic Medical Device

Laptop

Pager

Server

Smartphone

Storage Area Network

Tablet

Third-party service provider

Etcetera…

NIST SP 800-53 Controls

PS-6 a The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.

PS-6 b The organization reviews/updates the access agreements [Assignment: organization-defined frequency].

AC-19 a The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices.

AC-19 b The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.

AC-19 d The organization enforces requirements for the connection of mobile devices to organizational information systems.

AC-19 e The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.

Hundreds and hundreds

Approximately 330,000,000 Permutations

Vulnerabilities

Anti-malware Vulnerabilities

Destruction/Disposal Vulnerabilities

Dormant Accounts

Endpoint Leakage Vulnerabilities

Excessive User Permissions

Insecure Network Configuration

Insecure Software Development Processes

Insufficient Application Capacity

Insufficient data backup

Insufficient data validation

Insufficient equipment redundancy

Insufficient equipment shielding

Insufficient fire protection

Insufficient HVAC capability

Insufficient power capacity

Insufficient power shielding

Etcetera…

Threat Actions

Burglary/Theft

Corruption or destruction of important data

Data Leakage

Data Loss

Denial of Service

Destruction of important data

Electrical damage to equipment

Fire damage to equipment

Information leakage

Etcetera…

Threat Agent

Burglar/ Thief

Electrical Incident

Entropy

Fire

Flood

Inclement weather

Malware

Network Connectivity Outage

Power Outage/Interruption

Etcetera…
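The dilemma on this slide and OCR components 3 to 7 from the list above can be worked through in code. The following Python is an added example, not the Clearwater Risk Algorithm™ (the slides do not describe it): it counts the raw asset × vulnerability × agent × action permutations for a constructed subset of this slide's lists, prunes them to scenarios where the threat agent can actually perform an action the vulnerability exposes, and scores each on assumed 1-5 likelihood and impact scales after crediting controls in place. Every pairing, scale, threshold and control value is an assumption made for illustration.

```python
"""Risk scenario enumeration and scoring in the OCR / NIST SP 800-30 style.
Added example: every pairing, scale and threshold is an assumption made for
illustration, not the Clearwater Risk Algorithm (which the slides do not show)."""
from collections import namedtuple
from itertools import product

# Constructed inventory: a subset of the slide's "Assets and Media" column.
ASSETS = ["Laptop", "Server", "Backup Media"]

# Constructed catalog: vulnerability -> threat actions it exposes an asset to.
# This pairing is the assumption that prunes the raw permutation space.
VULNERABILITIES = {
    "Endpoint Leakage Vulnerabilities": {"Burglary/Theft", "Information leakage"},
    "Anti-malware Vulnerabilities": {"Corruption or destruction of important data",
                                     "Data Leakage"},
    "Insufficient data backup": {"Corruption or destruction of important data"},
    "Insufficient fire protection": {"Fire damage to equipment"},
    "Insufficient power capacity": {"Denial of Service"},
}
# Constructed catalog: threat agent -> threat actions that agent can carry out.
THREAT_AGENTS = {
    "Burglar/ Thief": {"Burglary/Theft", "Information leakage"},
    "Malware": {"Corruption or destruction of important data", "Data Leakage"},
    "Fire": {"Fire damage to equipment"},
    "Power Outage/Interruption": {"Denial of Service"},
}
# Assumed 1-5 ordinal scales (SP 800-30 uses qualitative scales; the numbers
# here are illustrative only).
BASE_LIKELIHOOD = {"Burglar/ Thief": 3, "Malware": 4, "Fire": 1,
                   "Power Outage/Interruption": 3}
IMPACT = {"Laptop": 3, "Server": 5, "Backup Media": 4}

Scenario = namedtuple("Scenario", "asset vulnerability agent action")

def raw_permutations():
    """The slide's dilemma: every asset x vulnerability x agent x action."""
    actions = {a for acts in THREAT_AGENTS.values() for a in acts}
    return len(ASSETS) * len(VULNERABILITIES) * len(THREAT_AGENTS) * len(actions)

def enumerate_scenarios():
    """OCR step 3: keep only combinations where the agent can perform an
    action that the vulnerability actually exposes on that asset."""
    out = []
    for asset, (vuln, exposed), (agent, acts) in product(
            ASSETS, VULNERABILITIES.items(), THREAT_AGENTS.items()):
        for action in sorted(exposed & acts):
            out.append(Scenario(asset, vuln, agent, action))
    return out

def score(s, controls):
    """OCR steps 4-7: a control in place for (asset, vulnerability) lowers the
    agent's base likelihood by its assumed strength (0-2), never below 1;
    risk = likelihood x impact."""
    reduction = controls.get((s.asset, s.vulnerability), 0)
    return max(1, BASE_LIKELIHOOD[s.agent] - reduction) * IMPACT[s.asset]

def risk_level(risk):
    """Assumed thresholds on the 1-25 product scale."""
    return "High" if risk >= 15 else "Medium" if risk >= 8 else "Low"

def build_register(controls):
    """Prioritised register as (level, risk, scenario), highest risk first;
    ties are ordered by asset, vulnerability, agent and action."""
    rows = [(score(s, controls), s) for s in enumerate_scenarios()]
    rows.sort(key=lambda r: (-r[0], r[1]))
    return [(risk_level(r), r, s) for r, s in rows]

if __name__ == "__main__":
    # Constructed control: full-disk encryption on laptops (strength 2).
    for level, risk, s in build_register({("Laptop", "Endpoint Leakage Vulnerabilities"): 2}):
        print(f"{level:6} {risk:2}  {s.asset:12} {s.vulnerability:32} {s.agent} / {s.action}")
```

Running it shows 360 raw permutations collapsing to 21 applicable scenarios, and the single laptop control moving laptop theft from Medium to Low while server exposures stay High, which is the prioritisation the register exists to document.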

Page 24

The Unique Clearwater Risk Algorithm™

Pages 25–31

The Unique Clearwater Risk Algorithm™

HHS OCR Guidance on Risk Analysis says:

• Scope of the Analysis - all ePHI must be included in the Risk Analysis
• Data Collection – it must be documented
• Identify and Document Potential Threats and Vulnerabilities
• Assess Current Security Measures
• Determine the Likelihood of Threat Occurrence
• Determine the Potential Impact of Threat Occurrence
• Determine the Level of Risk
• Finalize Documentation
• Periodic Review and Update
• Compile your compliance documentation in one place
• Enable periodic reviews and updates unlike any other spreadsheet, word document or software available

Page 32

Software Demonstration

Page 33

Support
• Unlimited support during normal business hours
• Phone and email support

Training
• 60-90 minutes of live web based training
• Extensive free self-service training

User Provisioning
• Easy self service capabilities to add unlimited numbers of users
• Add additional business entities and perform multiple concurrent assessments for an additional reasonable price

Page 34

Ease of Access
• Available 7x24 from an internet connection
• No software download required
• Supports all common browsers

Business Continuity
• Customer data is backed up every 15 minutes
• Returned to operations in under two hours

Protection
• Strong firewalls
• All data sent or received uses TLS 1.1 encryption
• Passwords are stored using strong encryption

Pages 35–36

Clearwater HIPAA Risk Analysis™ - Benefits

• Be Confident Your Security Risk Analysis is by the Book

• One-of-a-Kind Cloud Based Proprietary Software

• Record Where Your Sensitive Data Lives

• Learn Recommended Controls

• Measure Your Progress Against a Baseline

• Operationalize Compliance Through a Mature, Repeatable and Sustainable process

• Make Sound Decisions and Justify Investment Dollars

• De-Mystify a Complex Process

Page 37

Need help with resources or expertise?

Page 38

Clearwater Customer Community
• Where Clearwater customers go to get additional value and benefits

Customer Council Meetings
• Complimentary educational content
• A place for customers to interact and learn from each other

Customer Forum
• A place for software customers to privately post questions and chat with peers

Page 39

Questions?

Page 40

Healthcare Information Privacy, Security, Compliance and Risk Management Solutions from Clearwater Compliance LLC have earned the exclusive endorsement of the American Hospital Association.

For more than 100 years, the American Hospital Association (AHA) has been a powerful symbol of quality. By consistently applying a formal due diligence process, AHA Solutions, Inc., an AHA member service, identifies products and services that foster operational excellence in our nation’s hospitals.

Legal Disclaimer

AHA Solutions, Inc., a subsidiary of the American Hospital Association (AHA), is compensated for the use of the AHA marks and for its assistance in marketing endorsed products and services. By agreement, pricing of endorsed products and services may not be increased by the providers to reflect fees paid to the AHA.

Page 41

If you are interested in a Free Trial please contact us:

(800) 704 - 3394

[email protected]

Page 42

Register For Upcoming Live HIPAA-HITECH Webinars at:

http://clearwatercompliance.com/live-educational-webinars/

Get more info…

View pre-recorded Webinars like this one at:

http://clearwatercompliance.com/on-demand-webinars/