
Page 1: Legal Disclaimer - Clearwater · 5/26/2016  · The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that

© Clearwater Compliance | All Rights Reserved


Legal Disclaimer

The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

Page 2

The Critical Difference - HIPAA Security Compliance Evaluation vs. HIPAA Security Risk Analysis

May 26, 2016

Page 3

Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US

• CEO & Founder – Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Healthcare Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates
• Member: ACAP, CHIME/AEHIS, CAHP, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA

http://www.linkedin.com/in/BobChaput

Page 4

Some Ground Rules

1. Slide materials
   A. Check your Inbox and / or “Handouts” area on GoToWebinar Control to download materials now
2. Questions in “Question Area” on GTW Control Panel
3. In case of technical issues, check “Chat Area”
4. All Attendees are in Listen Only Mode
5. Please complete Exit Survey, when you leave session
6. Recorded version and final slides within 48 hours

Page 5

Pause and Quick Poll

What type of organization do you represent?

• Hospital or Health System
• Other Covered Entity
• Business Associate
• Hybrid
• Don’t Know

Page 6

Our Passion

We’re excited about what we do because…

…we’re helping organizations improve patient safety and the quality of care by safeguarding the very personal and private healthcare information of millions of fellow Americans…

… And, keeping those same organizations off the Wall of Shame…!

Page 7

Connect the Dots! Cyber Risk Management & Patient Safety

Timely Care | Access to Care | Quality and Safe Care

Availability | Integrity | Confidentiality

https://clearwatercompliance.com/industry-insights/white-papers/

Page 8

Awards and Recognition

• 2015 & 2016
• Exclusive Industry Resource Provider
• Software Used by NSA/CAEs
• Sole Source Provider
• #11 – 2015 & 2016

Page 9

We are not attorneys! Ensure Competent Counsel

The Omnibus has arrived! Welcome Aboard, BAs!

Lots of different interpretations! Please, Ask Lots of Questions!

But FIRST!

Page 10

How many Clearwater Compliance webinars have you attended before?

Pause and Quick Poll

Page 11

We Treat Compliance and Cyber Risks as Business Risks

Cyber and Compliance Risk Management is Not ”an IT Problem”

Cyber | Compliance

• Damage to Brand
• Financial
• Third Party Liability
• Business Interruption
• Patient Safety
• Competition
• Talent Acquisition

Page 12

Mega Session Objective 1:

Help you understand and address three very specific AND different HIPAA Security Rule assessment requirements…

Page 13

Mega Session Objective 2:

Explain Why Security Opinions (e.g., SSAE SOC 2) or “Certifications” (e.g., HITRUST) Have ABSOLUTELY NOTHING to do with HIPAA Compliance

Page 14

OCR FAQ on 3rd Party Certifications

Are we required to “certify” our organization’s compliance with the standards of the Security Rule?

http://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-required-to-certify-our-organizations-compliance-with-the-standards/index.html

Answer: No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services.

It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.

Page 15

Discussion Flow

01 Understand HIPAA Security Rule Assessment Essentials
02 Review specific HIPAA Security Assessment Regulations
03 Learn how to Complete These Assessments

Page 16

Three Pillars of HIPAA-HITECH Compliance…

HIPAA | HITECH | OMNIBUS FINAL RULE

Privacy Final Rule
• 75 pages / 27K words
• 56 Standards
• 54 Implementation Specs

Security Final Rule
• 18 pages / 4.5K words
• 22 Standards
• 50 Implementation Specs

Breach Notification IFR
• 6 pages / 2K words
• 4 Standards
• 9 Implementation Specs

View HIPAA 101 On Demand | View HIPAA Security Rule

Page 17

Assessments and Audits Are Central to Compliance & Security

• Establishing good policy and procedures is not enough…

• Comprehensive business processes are not enough…

• Deploying leading technology solutions and systems controls is not enough…

Regular assessments are crucial in establishing and maintaining effective compliance | Regular assessments are controls

Page 18

Types of Assessments

1. Compliance Assessments (Security Evaluation – Non-Technical, at 45 CFR §164.308(a)(8))
• Where do we stand?
• How well are we achieving ongoing compliance?

2. Technical Assessments (Security Evaluation – Technical, at 45 CFR §164.308(a)(8))
• How effective are the safeguards we have implemented?
• Are the safeguards working?

3. Risk Assessment (Risk Analysis, at 45 CFR §164.308(a)(1)(ii)(A))
• What is the exposure to information assets (e.g., ePHI)?
• What do we need to do to mitigate risks?

4. Risk-of-Harm Breach Risk Assessment (Breach-related, in HITECH parlance)
• Have we caused legal, reputational, etc. harm?
• Is there low probability of compromise of PHI?

Each Assessment Has Its Role and Proper Time

Page 19

All Three Are Required!

Page 20

“9. Please submit a copy of XYZ Hospital’s most recent risk analysis, as well as a copy of all risk analyses performed for or by XYZ Hospital within the past 6 years pursuant to 45 C.F.R. §164.308(a)(1)(ii)(A). If no risk analysis has been performed, please state so.”

Evidence of Risk Analysis is Always Requested

Page 21

“B) Risk Assessment
1) Please provide complete copies of any security risk analyses that were performed to comply with 45 C.F.R. §164.308(a)(1)(ii)(A) prior to the security breach incident.”

Evidence of Risk Analysis is Always Requested

Page 22

Discussion Flow

02 Review specific HIPAA Security Assessment Regulations

Page 23

Security Evaluation v. Risk Analysis

45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process
(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Page 24

New Audit Protocol is Here

May 18, 2016 Interview: http://www.healthcareinfosecurity.com/interviews/ocrs-deven-mcgraw-on-hipaa-audit-preparation-i-3178

• “Still validating contact information”
• “Definitely this summer”
• “A total of between 200 and 250 organizations - including both covered entities and business associates 10-25 ‘full scale’ onsite audits”
• "We've done a lot of work to try to make it much more comprehensive”
• "For example, time and again we see that entities are not doing a security risk assessment that are enterprise-wide ... that take into account all the electronic protected health information that is in their environments.”

Page 25

Phase 2 OCR Audits
• Only documentation submitted on time is reviewed
• All documentation must be current as of the date of the request
• Auditors will not be able to contact the entity for clarifications or ask for additional information
• Critical that documentation accurately reflects the program
• OCR wants a diverse pool of CEs and BAs to audit – varying size, geographical location, what they do etc…

2016 Covered Entity Desk Audit Scope
• Security—Risk Analysis and risk management
• Breach—Content and timeliness of breach notifications
• Privacy—Notice of Privacy Practices and Access

2016 Business Associate Desk Audit Scope
• Security—Risk Analysis and risk management
• Breach—Breach reporting to covered entities

One Shot! | Fast Turn-Around | Best Be Super Ready

Page 26

Discussion Flow

03 Learn how to Complete These Assessments

Page 27

Three Dimensions of HIPAA Security Rule Business Risk Management

• 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
• 45 CFR §164.308(a)(8) – Non-Technical Compliance Assessment
• 45 CFR §164.308(a)(8) – Technical Testing & Audits (TEST & AUDIT)

Page 28

Security Evaluation | 2016 Audit Protocol | 1

Audit Type: Security
Section: §164.308(a)(8)
Key Activity: Evaluation
Established Performance Criteria: §164.308(a)(8): Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which a covered entity's or business associate’s security policies and procedures meet the requirements of this subpart.
Audit Inquiry:
Does the entity have policies and procedures in place to perform periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes or newly recognized risk affecting the security of ePHI?
Does the entity perform periodic technical and nontechnical evaluation in response to environmental or operational changes or newly recognized risk affecting the security of ePHI?

Page 29

Security Evaluation | 2016 Audit Protocol | 2

Audit Type: Security
Section: §164.308(a)(8)
Key Activity: Evaluation
Established Performance Criteria: §164.308(a)(8): Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which a covered entity's or business associate’s security policies and procedures meet the requirements of this subpart.
Audit Inquiry:
Determine if such policies and procedures identify how the evaluation of findings, remediation options and recommendations, and remediation decisions are documented; specify that evaluations will be repeated on a periodic basis and/or when environmental and operations changes are made and/or newly recognized risk affects the security of ePHI; and identify the frequency of when to evaluate and update the current policy and procedures.

Page 30

Security Evaluation | 2016 Audit Protocol | 3

Audit Type: Security
Section: §164.308(a)(8)
Key Activity: Evaluation
Established Performance Criteria: §164.308(a)(8): Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which a covered entity's or business associate’s security policies and procedures meet the requirements of this subpart.
Audit Inquiry:
Elements to review may include but are not limited to:
• Workforce members’ roles and responsibilities in the technical and nontechnical evaluation
• Management involvement in the process and approval of technical and nontechnical evaluation
• Coordination of technical and nontechnical evaluation among departments
• Specification of how technical and nontechnical evaluation will be conducted
• How technical and nontechnical evaluation findings will be addressed

Page 31

Security Evaluation | 2016 Audit Protocol | 4

Audit Type: Security
Section: §164.308(a)(8)
Key Activity: Evaluation
Established Performance Criteria: §164.308(a)(8): Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which a covered entity's or business associate’s security policies and procedures meet the requirements of this subpart.
Audit Inquiry:
Evaluate and determine if such evaluation appropriately evaluates ePHI security measures; addresses evaluation findings associated with noncompliant security measures; identifies and measures risks associated with noncompliant security measures; and that evaluation findings are reviewed and certified by appropriate management.

Obtain and review documentation of plans related to risk management or mitigation efforts in response to evaluations conducted due to a major technology change which affected the security of ePHI. Evaluate and determine if the identified risks associated with noncompliant security measures are addressed in a plan related to risk management or mitigation efforts.

Page 32

Thinking Like a Compliance Analyst

Clearwater’s Methodology is Based on OCR Investigation Process and Audit Protocol

Compliance Risk exists when….
• Policies & Procedures (PNPs) DO NOT EXIST or ARE INCOMPLETE or OUT OF DATE
• People Are Not Trained and / or Not Following PnPs
• Reasonable & Appropriate Actions Are Not Taken and / or Safeguards Are Not Implemented

Page 33

3 Dimensions of HIPAA Non-Technical Security Evaluation (a.k.a. Compliance Gap Assessment, a.k.a. Mock Audit)

1. Is it documented? Policies, Procedures and Documentation
2. Are you doing it? Using, Applying, Practicing, Enforcing
3. Is it Reasonable and Appropriate? Comply with the implementation specification

Think: Performance Audit ≠ Risk Analysis

Page 34

Use 2012 OCR Audit Document Request List

Are you prepared to quickly assemble and submit all necessary policies, procedures and documentation?

Page 35

For Example, Self-Audit of Sanction Standards

Administrative Requirements §164.530(e)
(1) Standard. A covered entity or business associate must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart.
(2) Implementation specification: Documentation. As required by paragraph (j) of this section, a covered entity or business associate must document the sanctions that are applied, if any.

Administrative safeguards § 164.308(a)(1)(ii)
(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.

Page 36

Demonstrate Complete Coverage

Must rigorously cover every
• Area
• Standard
• Implementation Spec or Requirement

Page 37

Examine Three Critical Self-Audit Questions

• Policies/Procedures?
• Enforcing them?
• Reasonable and Appropriate?

Page 38

Pause and Quick Poll

Has Your Organization Completed a HIPAA “Non-technical” Security Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8))?

Page 39

Three Dimensions of HIPAA Security Rule Business Risk Management

• 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
• 45 CFR §164.308(a)(8) – Non-Technical Compliance Assessment
• 45 CFR §164.308(a)(8) – Technical Testing & Audits (TEST & AUDIT)

Page 40

HIPAA Security Technical Evaluation

• External Vulnerability Assessment & Pen Testing
• Internal Vulnerability Assessment & Pen Testing
• Web Application Assessment
• Wireless Security Assessment
• Security Awareness Assessment
• Sensitive Data Discovery Scans

Think: Test of Efficacy and Effectiveness of Controls ≠ Risk Analysis

Page 42

Pause and Quick Poll

Has Your Organization Completed the Technical Evaluation (=Testing) of Your Environment (45 CFR § 164.308(a)(8))?

Page 43

Three Dimensions of HIPAA Security Rule Business Risk Management

• 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
• 45 CFR §164.308(a)(8) – Non-Technical Compliance Assessment
• 45 CFR §164.308(a)(8) – Technical Testing & Audits (TEST & AUDIT)

Page 44

Risk Analysis | 2016 Audit Protocol | 1

Audit Type: Security
Section: §164.308(a)(1)(ii)(A)
Key Activity: Security Management Process -- Risk Analysis
Established Performance Criteria: §164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
Audit Inquiry:
Does the entity have policies and procedures in place to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the electronic protected health information (ePHI) it creates, receives, maintains, or transmits?
Has the entity conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ePHI it creates, receives, maintains, or transmits?

Page 45

Risk Analysis | 2016 Audit Protocol | 2

Audit Type: Security
Section: §164.308(a)(1)(ii)(A)
Key Activity: Security Management Process -- Risk Analysis
Established Performance Criteria: §164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
Audit Inquiry:
Determine how the entity has implemented the requirements.
Obtain and review risk analysis policies and procedures. Evaluate and determine if written policies and procedures were developed to address the purpose and scope of the risk analysis, workforce member roles and responsibilities, management involvement in risk analysis and how frequently the risk analysis will be reviewed and updated.

Page 46

Risk Analysis | 2016 Audit Protocol | 3

Audit Type: Security
Section: §164.308(a)(1)(ii)(A)
Key Activity: Security Management Process -- Risk Analysis
Established Performance Criteria: §164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
Audit Inquiry:
Obtain and review the written risk analysis or other record(s) that documents that an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI has been conducted.

Evaluate and determine whether the risk analysis or other documentation contains:
• A defined scope that identifies all of its systems that create, receive, maintain, or transmit ePHI
• Details of identified threats and vulnerabilities
• Assessment of current security measures
• Impact and likelihood analysis
• Risk rating

Page 47

Risk Analysis | 2016 Audit Protocol | 4

Audit Type: Security
Section: §164.308(a)(1)(ii)(A)
Key Activity: Security Management Process -- Risk Analysis
Established Performance Criteria: §164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
Audit Inquiry: Obtain and review documentation regarding the written risk analysis or other documentation that immediately preceded the current risk analysis or other record, if any.

Evaluate and determine if the risk analysis has been reviewed and updated on a periodic basis, in response to changes in the environment and/or operations, security incidents, or the occurrence of a significant event.

Page 48

Risk Analysis | 2016 Audit Protocol | 5

Audit Type: Security
Section: §164.308(a)(1)(ii)(A)
Key Activity: Security Management Process -- Risk Analysis
Established Performance Criteria: §164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
Audit Inquiry: If there is no prior risk analysis or other record, obtain and review the two (2) most recent written updates to the risk analysis or other record, if any.

If the original written risk analysis or other records have not been updated since they were originally conducted and/or drafted, obtain and review an explanation as to the reason why.

Page 49

Risk Analysis

Identify, Rate and Prioritize All Risks

1. What is the exposure of our information assets (e.g. ePHI)?

2. What are all the ways in which the confidentiality, integrity or availability of ePHI might be compromised?

Page 50

Thinking Like a Risk Analyst

Security Risk exists when and only when….

THREAT (Actor) → VULNERABILITY IN PROTECTING AN ASSET → IMPACT (LOSS OF OR HARM to ASSETS)

MUST HAVE A “TRIPLE” TO HAVE RISK = ASSET – THREAT – VULNERABILITY!

Clearwater’s Methodology is Based on HHS/OCR Guidance and NIST SP800-30

Page 51

Risk Analysis IS:

…the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, …, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.[1]

1 NIST SP800-30

Page 52

Controls Help Address Vulnerabilities

Information Asset: Laptop with ePHI

Threat Source: Burglar who may steal laptop with ePHI

Threat Action: Steal laptop

Vulnerabilities:
• Device is portable
• Weak password
• ePHI is not encrypted
• ePHI is not backed up

Controls:
• Policies & Procedures
• Training & Awareness
• Cable lock down
• Strong passwords
• Encryption
• Remote wipe
• Data Backup

Page 53

HHS / OCR Guidance on Risk Analysis Requirements under the HIPAA Security Rule[1]

1. Include all Sensitive Information in Scope of the Analysis
2. Collect and Document Data About All Information Assets
3. Identify and Document Potential Threats and Vulnerabilities
4. Assess Current Security Measures
5. Determine the Likelihood of Threat Occurrence
6. Determine the Potential Impact of Threat Occurrence
7. Determine the Level of Risk
8. Finalize Documentation
9. Periodically Review and Update the Risk Assessment

1 http://clearwatercompliance.com/wp-content/uploads/OCR_Risk-Analysis_Final_guidance.pdf

Page 54

Consider Asset-Threat-Vulnerability Triples; Determine Level of Risk for Each

Each row is one triple, rated on the slide's Low (1) / Medium (3) / High (5) scale; Risk Level is Likelihood × Impact.

Asset    Threat Source / Action   Vulnerability         Likelihood   Impact       Risk Level
Laptop   Burglar steals laptop    No encryption         High (5)     High (5)     25
Laptop   Burglar steals laptop    Weak passwords        High (5)     High (5)     25
Laptop   Burglar steals laptop    No tracking           High (5)     High (5)     25
Laptop   Shoulder Surfer views    No privacy screen     Low (1)      Medium (3)   3
Laptop   Careless User Drops      No data backup        Medium (3)   High (5)     15
Laptop   Lightning Strike         No surge protection   Low (1)      High (5)     5
etc.

Page 55

Risk Management Guidance

• Guidance on Risk Analysis Requirements under the HIPAA Security Rule (Final)
• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments
• NIST SP800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39 (Final), Managing Information Security Risk
• NIST SP800-53 Revision 3 (Final), Recommended Controls for Federal Information Systems and Organizations
• NIST SP800-53A Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans

Page 56

Risk Analysis Method - HHS OCR Guidance on Risk Analysis

• Scope of the Analysis - all ePHI must be included in risk analysis
• Data Collection – it must be documented
• Identify and Document Potential Threats and Vulnerabilities
• Assess Current Security Measures
• Determine the Likelihood of Threat Occurrence
• Determine the Impact of Threat Occurrence
• Determine the Level of Risk

The System Enables:
• Finalize Documentation
• Periodic Review and Updates

Show your work!

Page 57

Risk Register

Publish Your Risk Register

Generally, Avoid, Mitigate or Transfer

Generally, Accept
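The triple table on page 54 and the risk register on this page describe one workflow: rate each asset-threat-vulnerability triple, multiply likelihood by impact, rank the results, and decide which ones to accept and which to avoid, mitigate or transfer. The following Python is an added example that carries that workflow through on the slide's own six laptop rows; it is not Clearwater's code or software. It uses the slide's Low (1) / Medium (3) / High (5) scale, and the cutoff `RISK_ACCEPT_MAX` (risk level 5 or below is "generally accept") is an assumption, since the deck gives no numeric threshold.

```python
"""Risk register from asset-threat-vulnerability triples.

Added example, not Clearwater's or OCR's code. Scoring follows the slide:
Low=1, Medium=3, High=5 and Risk Level = Likelihood x Impact.
RISK_ACCEPT_MAX is an assumed cutoff; the slides only say "generally
accept" versus "generally avoid, mitigate or transfer" without a number.
"""
from dataclasses import dataclass

RATING = {"Low": 1, "Medium": 3, "High": 5}   # scale used on the slide
RISK_ACCEPT_MAX = 5                           # assumption: risk <= 5 is "generally accept"


@dataclass(frozen=True)
class Triple:
    """One asset-threat-vulnerability triple with its two ratings."""
    asset: str
    threat: str          # threat source / action, e.g. "Burglar steals laptop"
    vulnerability: str
    likelihood: str      # "Low", "Medium" or "High"
    impact: str

    def risk_level(self) -> int:
        return RATING[self.likelihood] * RATING[self.impact]

    def disposition(self) -> str:
        if self.risk_level() <= RISK_ACCEPT_MAX:
            return "Accept"
        return "Avoid/Mitigate/Transfer"


def validate(triples):
    """Reject unknown ratings and duplicate triples before scoring.

    A duplicate triple would count the same risk twice in the register;
    an unknown rating would otherwise surface as a KeyError mid-report.
    """
    seen = set()
    for t in triples:
        for field, value in (("likelihood", t.likelihood), ("impact", t.impact)):
            if value not in RATING:
                raise ValueError(f"{field} {value!r} not in {sorted(RATING)}")
        key = (t.asset, t.threat, t.vulnerability)
        if key in seen:
            raise ValueError(f"duplicate triple {key}")
        seen.add(key)


def build_register(triples):
    """Return (triple, risk_level, disposition) rows, highest risk first."""
    validate(triples)
    rows = [(t, t.risk_level(), t.disposition()) for t in triples]
    # Highest risk first; sort() is stable, so ties keep the analyst's order.
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


def format_register(rows) -> str:
    """Render the register as the aligned text table an auditor would read."""
    header = (f"{'Asset':<8}{'Threat':<24}{'Vulnerability':<22}"
              f"{'L':>3}{'I':>3}{'Risk':>6}  Disposition")
    lines = [header]
    for t, risk, disp in rows:
        lines.append(f"{t.asset:<8}{t.threat:<24}{t.vulnerability:<22}"
                     f"{RATING[t.likelihood]:>3}{RATING[t.impact]:>3}{risk:>6}  {disp}")
    return "\n".join(lines)


# Constructed input: the six laptop triples from the slide's table.
SAMPLE_TRIPLES = [
    Triple("Laptop", "Burglar steals laptop", "No encryption", "High", "High"),
    Triple("Laptop", "Burglar steals laptop", "Weak passwords", "High", "High"),
    Triple("Laptop", "Burglar steals laptop", "No tracking", "High", "High"),
    Triple("Laptop", "Shoulder surfer views", "No privacy screen", "Low", "Medium"),
    Triple("Laptop", "Careless user drops", "No data backup", "Medium", "High"),
    Triple("Laptop", "Lightning strike", "No surge protection", "Low", "High"),
]

if __name__ == "__main__":
    print(format_register(build_register(SAMPLE_TRIPLES)))
```

Running it prints the six rows ordered 25, 25, 25, 15, 5, 3, with the three burglary triples and the dropped-laptop triple marked for treatment and the two low-scoring triples marked Accept. The duplicate check is the "show your work" discipline from page 56 applied mechanically: a register that lists the same triple twice either inflates the count of open risks or hides that two analysts rated the same exposure differently.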

Page 58

Not a Once & Done

“9. Please submit a copy of XYZ Hospital’s most recent risk analysis, as well as a copy of all risk analyses performed for or by XYZ Hospital within the past 6 years pursuant to 45 C.F.R. §164.308(a)(1)(ii)(A). If no risk analysis has been performed, please state so.”

Page 59

Really?

You Must Get Specific on Media, Threat Sources, Threat Actions, Vulnerabilities, etc.

Page 60

Recent OCR Follow Up We’ve Seen

"OCR has determined that the risk analysis submitted by your organization as part of its October xx, 2015 response does not meet the requirement set forth at 45 CFR § 164.308(a)(1)(ii)(A). Please review OCR’s guidance on the Security Rule’s risk analysis requirement located at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalintro.html. For additional information, you may also wish to consult the National Institute of Standards and Technology’s SP 800-30 Rev. 1 “Guide for Conducting Risk Assessments,” located at http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf”

Recommendation: You Must Follow OCR Guidance and NIST SP800-30

Page 61

Pause and Quick Poll

Has Your Organization Completed a bona fide, comprehensive HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))?

Page 62

Three Dimensions of HIPAA Security Rule Business Risk Management

TEST & AUDIT

• Risk Analysis: 45 CFR §164.308(a)(1)(ii)(A)
• Non-Technical Compliance Assessment: 45 CFR §164.308(a)(8)
• Technical Testing & Audits: 45 CFR §164.308(a)(8)

Page 63

Download Whitepaper

Harnessing the Power of NIST: Your Practical Guide to Effective Information Risk Management

https://clearwatercompliance.com/thought-leadership/white-papers/harnessing-the-power-of-the-nist-framework/

Page 64

Other Helpful Resources:

Recorded Webinars at https://clearwatercompliance.com/on-demand-webinars/
o How To Conduct a Bona Fide HIPAA Security Risk Analysis
o How to Conduct the Periodic Security Evaluation Required by HIPAA Security Rule
o What Business Associates Need to Know about HIPAA

Blog Post
o HIPAA Audit Tips – Don’t Confuse HIPAA Security Evaluation and Risk Analysis

Page 65

Industry-leading HIPAA compliance software: Suite

HIPAA Security:
• Gap Assessment: Against all HIPAA Security Standards
• Audit Simulation: Against HHS Audit protocols
• Recommendations: Automated expert remediation plan
• Assign Work: Managed accountability and due dates
• Dashboards & Reports: Display period-to-period compliance progress

Risk Analysis:
• Insight: Understand significant threats and vulnerabilities
• Controls: Determine if you have the right controls in place
• Risk Rating: View critical risks on intuitive dashboards and reports
• Manage Complexity: Automate the management of risk information across complex enterprises
• Plan and Evaluate: Plan a course of action to reduce critical risks

HIPAA Privacy:
• Gap Assessment: Against all HIPAA Privacy standards
• Breach Preparation: Compliance w/Breach Notification under HITECH
• Audit Simulation: Against HHS Audit protocols
• Recommendations: Automated expert remediation plan
• Dashboards & Reports: Display period-to-period compliance progress

Page 66

Clearwater’s Customer Engagement Model (Clearwater’s Role vs. Customer Role)

“We do it for you”: Clearwater provides content, strategy, leadership, tools, software and resources to complete program evaluations, policies, procedures, gap assessments, risk analyses, risk response plans, etc. Customer reviews recommendations.

“We do it with you”: Clearwater and Customer teams perform gap assessments and risk analyses, validate findings, observations and recommendations, prioritize remediation items and develop recommendations.

“We train you to do it”: Clearwater teaches Customer how to perform gap assessments and risk analyses AND to measure information risk management maturity levels to establish continuous process improvement.

Our goal at Clearwater is to help Your Organization become as self-sufficient as you would like to be, as quickly as you would like to be.

Page 67

Clearwater HIPAA and Cybersecurity BootCamp™

Take Your HIPAA Privacy and Security Program to a Better Place, Faster …

Earn up to 10.8 CPE Credits!

http://clearwatercompliance.com/bootcamps/

Designed for busy professionals, the Clearwater HIPAA and Cybersecurity BootCamp™ distills into one action-packed day the critical information you need to know about the HIPAA Privacy and Security Final Rules and the HITECH Breach Notification Rule.

Join us for our next virtual, web-based events… Three 3-hour sessions:
• August 4th, 11th, 18th - 2016
• November 3rd, 10th, 17th – 2016
• February 9th, 16th, 23rd - 2017
• May 4th, 11th, 18th - 2017

Page 68

Other Upcoming Clearwater Events

Visit https://clearwatercompliance.com/webinars/ for more info!

• June 2, 2016 – Complimentary Webinar: How to Develop your HIPAA Policies and Procedures
• June 7, 2016 – Complimentary Software Guided Tour: IRM|Analysis™: Risk Response Module
• June 9, 2016 – Complimentary Webinar: How to Conduct a HIPAA Security Compliance Self Audit
• June 14, 2016 – Complimentary Software Guided Tour: IRM|Analysis™

Page 69

Why Our Customers Say They Choose Us

01 Our Credibility: American Hospital Association exclusive endorsement and numerous other industry recognitions

02 Our Capability: Unique, risk-based business approach to compliance and cyber risks; not “an IT problem”

03 Our Customers: Case studies, testimonials and references from 100s of hospitals and health systems across the USA

04 Our Commitment: Dedication to the healthcare industry and education to support organizations building their own competencies

Page 70

Clearwater’s Net Promoter Score[1]

Strong Customer Satisfaction Drives Strong and Lasting Relationships

• Net Promoter Scores are a quick topline view of how businesses are performing[2]
• Strong Customer Satisfaction creates partnership opportunities and a win-win relationship

1 Net Promoter Industry Benchmarks
2 Industry Leaders Net Promoter Scores

Page 71

Summary and Next Steps

1. There are two kinds of risk to assess:
   1. Compliance Risk
   2. Security Risk
2. Both can trigger huge Financial Risk
3. Stay Business Risk Management and Patient/Member/Customer-Focused
4. Not ‘once and done’!
5. Large or Small: Get Help (Tools, Experts, etc)
6. Don’t Fall For SOC2 or HITRUST “Checklists”: They Don’t Help with Compliance / They Don’t Help With Security

…Simply Makes Good Business Sense…

Page 72

Contact

Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US
http://[email protected]
Phone: 800-704-3394 or 615-656-4299
Clearwater Compliance LLC

Exit Survey, Please

Page 73

As Seen In…

Page 74

Learning Outcomes… Attendees Will Be Able To:

• Explain what OCR looks for in an audit or investigation regarding Security Evaluation and Risk Analysis
• Take practical steps to complete Security Evaluations and Risk Analyses
• Explain how Security Evaluations and Risk Analyses fit into an overall HIPAA Compliance Program
• Articulate and cite explicit HIPAA Security Rule requirements
• Explain Why Security Evaluation is Not a Risk Analysis and vice versa

Resources will be provided at the end of the session and all registrants will receive a copy of all slide materials & the recorded webinar

Page 75

References / Articles for Your Own HITRUST Due Diligence

• HITRUST or High Risk? The Health Information Trust Alliance’s Common Security
• An Open Letter to the HITRUST Alliance
• HITRUST Breaches Lay the Welcome Mat for Hackers and Paydirt
• Should Business Associates Be HiTrust Certified?
• HITRUST, CSF and Mandatory Certification
• 20+ Due Diligence Questions about the HITRUST Certification
• Research HITRUST Board companies on: HHS Wall of Shame; ProPublica’s HIPAAHelper Privacy Violations, Breaches and Complaints page

We have never seen the OCR ever ask for Security Opinions (e.g., SSAE SOC2) or “HITRUST Certifications”

As of mid-May 2016, HITRUST Alliance Board Members’ ten (10) organizations have 26 listings on the HHS Wall of Shame, with responsibility for 122MM of 156MM records (79%), and 852 mentions on ProPublica’s HIPAAHelper web site for complaints / breaches. Three organizations are in the HIPAAHelper "Top 10”.

Page 76

WWW.CLEARWATERCOMPLIANCE.COM

(800) 704-3394
http://www.linkedin.com/in/bobchaput/
Twitter: @clearwaterhipaa
ClearwaterCompliance
Clearwater Compliance