© Clearwater Compliance | All Rights Reserved
Legal Disclaimer
The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.
Copyright Notice
All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
July 7, 2016
How to Conduct NIST-based Risk Assessment to Comply with HIPAA & Other Regulations
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US
615-656-4299 or [email protected]
Clearwater Compliance LLC
Bob Chaput
MA, CISSP, HCISPP, CRISC, CIPP/US
• CEO & Founder – Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates, Financial Services, Retail, Legal
• Member: ACAP, CHIME/AEHIS, CAHP, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA
http://www.linkedin.com/in/BobChaput
Three IRM Agenda Items I Feel Deeply Inspired By…
1. Tactically: Assist in Establishing, Implementing and Maturing IRM Program
2. Operationally: Assist in Completing Bona Fide, Comprehensive Risk Analysis and Risk Response
3. Strategically: Assist in Making IRM a Meaningful C-Suite / Board Agenda Item
Our Passion
We’re excited about what we do because…
…we’re helping organizations improve patient safety and the quality of care by safeguarding the very personal and private healthcare information of millions of fellow Americans…
…and keeping those same organizations off the Wall of Shame…!
Awards and Recognition
[Slide of award logos with the captions: 2015 & 2016 Exclusive Industry Resource Provider; Software Used by NSA/CAEs; Sole Source Provider; #11 – 2015 & 2016]
But FIRST!
We are not attorneys! Ensure Competent Counsel
The Omnibus has arrived! Welcome Aboard, BAs!
Lots of different interpretations! Please, Ask Lots of Questions!
Questions Provided in Advance
1. I’ve heard you say “bona fide risk analysis” many times in the past. Why?
2. Can you explain the difference between risk analysis and risk assessment, which I often hear?
3. If my organization needs to meet PCI DSS and HIPAA risk assessment requirements, can I approach this using the same method?
4. What are my chances of being audited by OCR? I really believe that’s low risk?
5. If I am audited by OCR, what will they request as proof that I am doing bona fide risk assessments?
6. Do our business associates have to do risk assessments with the same level of rigor?
7. We completed technical testing (pen testing, vulnerability scans, etc.); can you tell me one more time why this is not acceptable as a risk assessment?
8. Why can’t we just load up on cyber liability insurance and not worry about this stuff? We’re trying to serve patients not become IT security gurus!
9. If we become HITRUST Certified, will that meet all our HIPAA and security requirements?
Pause and Quick Poll
What type of organization do you represent? (Hospital / Health System; Other CE; BA; Hybrid; Don’t Know)
Clearwater Supports the NIST Approach
Framework + Maturity Model + Process
NIST SP800-39
IRM|Maturity™, IRM|Pro™, IRM|Capability™
Clearwater Information Risk Management Life Cycle1
1 Adopted from NIST SP800-39-final_Managing Information Security Risk
Learning Outcomes… Attendees Will Be Able To:
• Describe the fundamentals of Information Risk Management
• Define fundamental risk terminology – assets, threats, vulnerabilities, controls, etc.
• Explain why risk analysis is a core foundational step and describe the key steps
• Cite general regulatory requirements for ongoing risk assessments
• Describe how/when the new Civil Money Penalty System may be applied if risk assessments are not performed
• Explain the difference between compliance and security
Resources will be provided at the end of the session and all registrants will receive a copy of all slide materials & the recorded webinar
Discussion Flow
1. Problem
2. NIST-Based Risk Assessment
3. Resources
Clearwater Information Risk Management Life Cycle
The Challenge At Hand, Then…
1. Few organizations are doing it properly
   1. 68% of 2012 OCR Phase I Audits Failed Risk Analysis (80% of Providers)
   2. 68% of 37 OCR Resolution Agreements / CAPs Cite Failed Risk Analyses
2. There’s a general lack of executive engagement
   1. Current state: Tactical – Technical – Spot-Welding
   2. Future state: Strategic – Business – Architectural
3. It’s not just a HIPAA or SOX or PCI or GLBA or FERPA enforceable compliance requirement…with big penalties…
   1. It’s a Patient Safety / Quality of Care / customer experience issue
   2. Cyber / Privacy risks “bleeding into” medical malpractice
4. There’s a Failure to Appreciate that Risk Assessments are a Basic Foundational Step
   1. Few people understand risk; even many of the CISSPs
   2. SecOps : Risk Analysts :: Accountants : Financial Analysts
Governance | People | Process | Technology | Maturity
And, then there were 37…
The Risk Problem We’re Trying to Solve
What if my Sensitive Information is not complete, up-to-date and accurate?
What if my Sensitive Information is shared? With whom? How?
What if my Sensitive Information is not there when it is needed? (AVAILABILITY)
Don’t Compromise C-I-A!
ePHI, PII, PCI Data, MNPI, Trade Secrets, Business Plans, Software Code, Etc.
To Solve the Problem
1. What is our exposure of our information assets (e.g., ePHI)?
2. What decisions do we need to make to treat or manage risks?
Both Are Required in Federal Regulations AND As the Basis for any Respectable Information Security Program in Any Industry!
Risk Response
Risk Assessment
Pause and Quick Poll
At this time in our webinar, do you believe your organization has completed a comprehensive “risk assessment” and produced a documented Information Risk Register that will meet OCR requirements?
Discussion Flow (2. NIST-Based Risk Assessment)
Lots of Good Assessments, Only One Bona Fide Risk Analysis!
• External Security Assessment
• Architecture Assessment
• Internal Security Assessment
• Security Rule Compliance Assessment
• Wireless LAN Security Validation
• Information Security Program Assessment
• Meaningful Use EHR Technical Controls Assessment
• Social Engineering Assessment
• OWASP Web Application Assessments
• NIST CSF Current Profile Assessment
• 10-Point Tactical HIPAA and Cyber Risk Management Assessment
• Strategic Enterprise IRM Program Maturity Assessment
• ETC…
Bona Fide, Comprehensive Risk Analysis Required at 45 CFR §164.308(a)(1)(ii)(A) MEANS OCR Guidance and NIST SP800-30!
Today’s Focus
Recent OCR Follow Up We’ve Seen
"OCR has determined that the risk analysis submitted by your organization as part of its recent response does not meet the requirement set forth at 45 CFR §164.308(a)(1)(ii)(A). Please review OCR’s guidance on the Security Rule’s risk analysis requirement located at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalintro.html. For additional information, you may also wish to consult the National Institute of Standards and Technology’s SP 800-30 Rev. 1 “Guide for Conducting Risk Assessments,” located at http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf”
Recommend You Follow OCR Guidance and NIST SP800-30
HIPAA and OCR Require Tier 3 “Information Systems” Risk Management1
1 NIST SP800-39-final_Managing Information Security Risk
“Parlez-vous Risk?”
[Diagram of risk terminology relationships, reconstructed from its labels: Owners value Assets and wish to minimize Risks; Owners implement Controls & Safeguards to reduce Risks; Controls & Safeguards exist in protecting Assets and may possess Vulnerabilities; Risks may be reduced by Controls & Safeguards; Threat Sources (Adversarial, Accidental, Structural, Environmental) may be aware of Vulnerabilities, wish to or may abuse, harm and/or damage Assets, and give rise to Threats; Threats exploit Vulnerabilities, leading to Risks; Vulnerabilities increase Risks to Assets.]
Key Steps in NIST SP800-30-Based Risk Assessment1
1. Include all Sensitive Information in Scope of the Analysis
2. Collect and Document Data About All Information Assets
3. Identify and Document Potential Threats and Vulnerabilities
4. Assess Current Security Measures
5. Determine the Likelihood of Threat Occurrence
6. Determine the Potential Impact of Threat Occurrence
7. Determine the Level of Risk
8. Finalize Documentation
9. Periodically Review and Update the Risk Assessment
1 http://clearwatercompliance.com/wp-content/uploads/SP800-30-Rev1_Guide_for_Conducting_Risk_Assessments_09-2012.pdf
1. & 2. Scope and Collect Data
Think: Information Asset Inventory
Asset Inventory List
Where is all the ePHI?
Asset Inventory List
Seriously! …Where? How Much? What for? Who owns? Etc.
3. Identify Threats & Vulnerabilities
Think: Threat Sources, Threat Actions, Weaknesses
Identify Threat Sources, Threat Actions and Vulnerabilities
Threat Sources
Threat Actions
Vulnerabilities
Much to Consider
4. Assess Current Security Measures
Think: Safeguards, Countermeasures Already in Place
Controls Help Address Vulnerabilities
Information Asset: Laptop with ePHI
Threat Source: Burglar who may steal Laptop with ePHI
Threat Action: Steal Laptop
Vulnerabilities: Device is portable; Weak password; ePHI is not encrypted; ePHI is not backed up
Controls: Policies & Procedures; Training & Awareness; Cable lock down; Strong passwords; Encryption; Remote wipe; Data Backup
Assess Security Controls In Place
Detailed Analysis and Cross Walk
What controls do you have in place?
What A Risk Analysis Process Looks Like…
5. & 6. Determine Likelihood & Impact
Think: Probability of Bad Thing Happening and, were it to happen, Impact
Likelihood
Chance that bad thing will happen?
Impact
Harm or loss if bad thing happens?
Determine Likelihood and Impact
Asset  | Threat Source / Action      | Vulnerability       | Likelihood | Impact
Laptop | Burglar steals laptop       | No encryption       | High (5)   | High (5)
Laptop | Burglar steals laptop       | Weak passwords      | High (5)   | High (5)
Laptop | Burglar steals laptop       | No tracking         | High (5)   | High (5)
Laptop | Shoulder Surfer views       | No privacy screen   | Low (1)    | Medium (3)
Laptop | Careless User Drops         | No data backup      | Medium (3) | High (5)
Laptop | Lightning Strike hits home  | No surge protection | Low (1)    | High (5)
etc.
7. Determine Level of Risk
Think: Probability of Bad Thing Happening and, were it to happen, Impact
Determine Level of Risk
Asset  | Threat Source / Action | Vulnerability       | Likelihood | Impact     | Risk Level
Laptop | Burglar steals laptop  | No encryption       | High (5)   | High (5)   | 25
Laptop | Burglar steals laptop  | Weak passwords      | High (5)   | High (5)   | 25
Laptop | Burglar steals laptop  | No tracking         | High (5)   | High (5)   | 25
Laptop | Shoulder Surfer views  | No privacy screen   | Low (1)    | Medium (3) | 3
Laptop | Careless User Drops    | No data backup      | Medium (3) | High (5)   | 15
Laptop | Lightning Strike       | No surge protection | Low (1)    | High (5)   | 5
etc.
Really?
You Must Get Specific on Media, Threat Sources, Threat Actions, Vulnerabilities, etc.
Establishing a Risk Value
Considering asset/media, threat, vulnerability & controls…
Establishing a Risk Value
Think Likelihood * Impact

Likelihood
Rank | Description    | Example
0    | Not Applicable | Will never happen
1    | Rare           | May happen once every 10 years
2    | Unlikely       | May happen once every 3 years
3    | Moderate       | May happen once every 1 year
4    | Likely         | May happen once every month
5    | Almost Certain | May happen once every week

Impact
Rank | Description    | Example
0    | Not Applicable | Does not apply
1    | Insignificant  | Not reportable; Remediate within 1 hour
2    | Minor          | Not reportable; Remediate within 1 business day
3    | Moderate       | Not reportable; Remediate within 5 business days
4    | Major          | Reportable; Less than 500 records compromised
5    | Disastrous     | Reportable; Greater than 500 records compromised

Risk level bands:
• Critical = 25
• High = 15-24
• Medium = 8-14
• Low = 0-7
Risk Appetite a.k.a. Risk Threshold
“Risk appetite is the level of risk that organizations are willing to accept in pursuit of strategic goals and objectives.”1
[Figure: risk scale from 0 to 25 in steps of 5, banded LOW, MEDIUM, HIGH, CRITICAL, with the threshold line drawn at 10]
Our Risk Appetite or Threshold is 10. We Will (Initially) Accept All Risks Below 10. We Will Avoid, Mitigate and/or Transfer All Risks 10 or Above.
Example: Risk Threshold Set at 10
Generally, Avoid, Mitigate or Transfer
Generally, Accept
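The scoring the last few slides describe, carried through in code as an added worked example (this is not Clearwater's code or software): the 0-5 rank scales, Risk = Likelihood * Impact, the Critical/High/Medium/Low bands, and the threshold of 10 that decides accept versus avoid/mitigate/transfer, applied to the laptop register rows from the slides. The residual_risk helper, and the choice of which rank a given control lowers, are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Optional

# Rank scales from the slides (0-5 for both likelihood and impact).
LIKELIHOOD_RANKS = {0: "Not Applicable", 1: "Rare", 2: "Unlikely",
                    3: "Moderate", 4: "Likely", 5: "Almost Certain"}
IMPACT_RANKS = {0: "Not Applicable", 1: "Insignificant", 2: "Minor",
                3: "Moderate", 4: "Major", 5: "Disastrous"}
# Risk bands from the slides: Critical = 25, High = 15-24, Medium = 8-14, Low = 0-7.
RISK_BANDS = (("Critical", 25), ("High", 15), ("Medium", 8), ("Low", 0))
# Risk appetite / threshold used in the slides' example.
RISK_THRESHOLD = 10


def _check_rank(name: str, value: int, scale: Dict[int, str]) -> None:
    """Reject anything outside the 0-5 scale so a typo cannot silently
    produce an out-of-range score (a likelihood of 11 would give 55)."""
    if isinstance(value, bool) or not isinstance(value, int) or value not in scale:
        raise ValueError(f"{name} must be an integer rank 0-5, got {value!r}")


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str          # threat source / threat action
    vulnerability: str
    likelihood: int      # 0-5 on the likelihood scale
    impact: int          # 0-5 on the impact scale

    def __post_init__(self) -> None:
        _check_rank("likelihood", self.likelihood, LIKELIHOOD_RANKS)
        _check_rank("impact", self.impact, IMPACT_RANKS)

    def risk_level(self) -> int:
        """Risk is a derived value: Likelihood * Impact, 0-25."""
        return self.likelihood * self.impact


def risk_band(score: int) -> str:
    """Map a 0-25 score onto the Critical / High / Medium / Low bands."""
    if not 0 <= score <= 25:
        raise ValueError(f"risk score must be 0-25, got {score}")
    for band, floor in RISK_BANDS:
        if score >= floor:
            return band
    return "Low"  # not reached: the Low band starts at 0


def risk_response(score: int, threshold: int = RISK_THRESHOLD) -> str:
    """Apply the risk appetite: below the threshold is (initially) accepted,
    at or above it the risk must be avoided, mitigated or transferred."""
    return "Accept" if score < threshold else "Avoid / Mitigate / Transfer"


def build_register(items: Iterable[RiskItem],
                   threshold: int = RISK_THRESHOLD) -> List[Dict[str, object]]:
    """Produce the risk register rows, highest risk level first."""
    rows = []
    for item in items:
        score = item.risk_level()
        rows.append({"asset": item.asset, "threat": item.threat,
                     "vulnerability": item.vulnerability,
                     "likelihood": item.likelihood, "impact": item.impact,
                     "risk_level": score, "band": risk_band(score),
                     "response": risk_response(score, threshold)})
    return sorted(rows, key=lambda r: r["risk_level"], reverse=True)


def residual_risk(item: RiskItem, likelihood: Optional[int] = None,
                  impact: Optional[int] = None) -> RiskItem:
    """Model a control being applied by re-ranking the item. Which rank a
    control lowers is an assumption made for this illustration (encryption
    does not stop the theft, so here it lowers impact, not likelihood)."""
    return replace(item,
                   likelihood=item.likelihood if likelihood is None else likelihood,
                   impact=item.impact if impact is None else impact)


# Sample register: the laptop rows from the slides (constructed input).
SAMPLE_REGISTER = [
    RiskItem("Laptop", "Burglar steals laptop", "No encryption", 5, 5),
    RiskItem("Laptop", "Burglar steals laptop", "Weak passwords", 5, 5),
    RiskItem("Laptop", "Burglar steals laptop", "No tracking", 5, 5),
    RiskItem("Laptop", "Shoulder surfer views", "No privacy screen", 1, 3),
    RiskItem("Laptop", "Careless user drops", "No data backup", 3, 5),
    RiskItem("Laptop", "Lightning strike", "No surge protection", 1, 5),
]

if __name__ == "__main__":
    for r in build_register(SAMPLE_REGISTER):
        print(f'{r["asset"]:6} {r["vulnerability"]:20} risk={r["risk_level"]:2} '
              f'{r["band"]:8} {r["response"]}')
    encrypted = residual_risk(SAMPLE_REGISTER[0], impact=1)
    print("after encryption:", encrypted.risk_level(), risk_response(encrypted.risk_level()))
```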
8. Finalize Documentation
Think: Best Basis for Decision Making & Report Package for Auditors
Asset Inventory Report
Show that you know where all the ePHI lives!
Risk Analysis Method - HHS OCR Guidance on Risk Analysis
• Scope of the Analysis - all ePHI must be included in risk analysis
• Data Collection – it must be documented
• Identify and Document Potential Threats and Vulnerabilities
• Assess Current Security Measures
• Determine the Likelihood of Threat Occurrence
• Determine the Impact of Threat Occurrence
• Determine the Level of Risk
The System Enables:
• Finalize Documentation
• Periodic Review and Updates
Show your work!
What A Risk Analysis Report Looks Like… Show you’ve identified all risks!
[Figure: risk register report view with the threshold labels “Generally, Avoid, Mitigate or Transfer” and “Generally, Accept”]
Risk Assessment Fundamentals
• Must be possible to have loss or harm in order to have risk
• Must have asset-threat-vulnerability to have risk
• Risk is a likelihood issue
• Risk is an impact issue
• Risk is a derived value (like speed is a derived value = distance / time)
• Fundamental nature of Risk is universal
• Critical Output: Risk Register
9. Periodic Review & Updates to RA
Think: Journey, Not Destination… Not a Once and Done!
Ongoing, Mature Business Process
Show your Ongoing Effort!
Pause and Quick Poll
On second thought, has your organization completed a comprehensive “risk assessment” and produced a documented Information Risk Register that will meet OCR requirements?
Discussion Flow (3. Resources)
Complimentary HIPAA Risk Analysis Review
https://clearwatercompliance.com/hipaa-risk-analysis-review/
IRM | Analysis™ Software
Our unique risk analysis software1 solution facilitates the WorkShop™ and allows your organization to be as self-sufficient as you choose… and to operationalize your Information Risk Management Program:
• Insight: Understand significant threats and vulnerabilities
• Controls: Determine if you have the right controls in place
• Risk Rating: View critical risks on intuitive dashboards and reports
• Manage Complexity: Automate the management of risk information across complex enterprises
• Plan and Evaluate: Plan a course of action to reduce critical risks
• Implementation: Manage the implementation of effective safeguards
1 Guided Tour of IRM|Analysis™ – the Clearwater Risk Analysis Software
30-Day Free Trial!
Clearwater WorkShop™ Process
Proven Methodology, Continuously Improved Over Years
• Overall Program Management
• Used for Both Risk Analyses and Compliance Gap Assessments (Security, Privacy & Breach Notification)
• Leverages Basecamp Project Management tool for secure collaboration and communication
• Methodology ensures consistency of approach across all work streams in the engagement
• Leverages IRM|Pro™ Software Suite
• Major deliverables from each WorkShop™:
  • Fully-Provisioned Software with analysis / assessment results
  • Trained Team in methodology and software
  • Findings, Observations & Recommendations
01 Preparation (t-4): Plan / Gather / Schedule; Gather / Review Documentation; Provide SaaS Subscription / Train; Administer Surveys
02 Onsite Discovery/Assessment (t=0): Facilitate & Discover; Educate & Equip; Interview & Document; Gather & Populate SaaS
03 Written Report (t+2): Analyze Findings; Document Observations; Develop Recommendations; Present and Sign Off
Key Resources
• Sample - HIPAA Security Risk Analysis FOR Report
• Guidance on Risk Analysis Requirements under the HIPAA Security Rule
• NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments
• NIST SP800-39-final_Managing Information Security Risk
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
Additional Resources
• NIST SP800_53_r4_Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP800-53A, Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
• NIST SP800-115 Technical Guide to Information Security Testing and Assessment
• NIST SP800-34 Contingency Planning Guide for Federal Information Systems
• MU Stage 2 Hospital Core 7 Protect Electronic Health Info 2012-11-05
• NIST Risk Management Framework 2009
Download Whitepaper
30-Minute Guide to Hiring The Best Risk Analysis
Company | What to Look for in a HIPAA Risk Analysis Company & Solution
https://clearwatercompliance.com/industry-insights/white-papers/
Download Whitepaper
Harnessing the Power of NIST
Your Practical Guide to Effective Information Risk Management
https://clearwatercompliance.com/thought-leadership/white-papers/harnessing-the-power-of-the-nist-framework/
Educational Resources
Other Upcoming Clearwater Events
Visit ClearwaterCompliance.com for more info!
• July 14, 2016 (Complimentary Webinar): OCR’s Phase 2 Audits and How Best to Prepare
• July 21, 2016 (Complimentary Webinar): The Critical Difference: HIPAA Security Evaluation v HIPAA Security Risk Analysis
• July 28, 2016 (Complimentary Webinar): HIPAA 101
• August 3, 2016 (Complimentary Webinar): How to Adopt the NIST Cybersecurity Framework
AHA Solutions Signature Learning Series™
Register Now: http://ow.ly/b0cX301LkDb
+
OCR’s Phase 2 HIPAA Security Audits and How Best to Prepare
Learn how to prepare for Phase 2 OCR audits — direct from experts on OCR audit preparedness and a former OCR HIPAA investigator.
This webinar is only available to AHA members.
Virtual Web Based Training Wednesday, July 27th, 2016
12:00-1:00 CDT
Clearwater HIPAA and Cybersecurity BootCamp™
Take Your HIPAA Privacy and Security Program to a Better
Place, Faster …
Earn up to 10.8 CPE Credits!
http://clearwatercompliance.com/bootcamps/
Designed for busy professionals, the Clearwater HIPAA and Cybersecurity BootCamp™ distills into one action-packed day, the critical information you need to know about the HIPAA Privacy and Security Final Rules and the HITECH Breach Notification Rule.
Join us for our next virtual, web-based events… Three, 3hr sessions:
• August 4th, 11th, 18th - 2016
• November 3rd, 10th, 17th - 2016
• February 9th, 16th, 23rd - 2017
• May 4th, 11th, 18th - 2017
Key Points to Remember: the four challenges listed under “The Challenge At Hand, Then…” above.
Start By Getting Risk Analysis Right!
Questions Provided in Advance (the nine questions listed at the start of the session)
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US
https://www.clearwatercompliance.com
Phone: 800-704-3394 or 615-656-4299
linkedin.com/in/BobChaput
Exit Survey, Please
What About HITRUST versus NIST?
References / Articles for Your Own Due Diligence
• HITRUST or High Risk? The Health Information Trust Alliance’s Common Security
• An Open Letter to the HITRUST Alliance (Part I) (Part II) (Part III)
• HITRUST Breaches Lay the Welcome Mat for Hackers and Paydirt
• Should Business Associates Be HiTrust Certified?
• HITRUST, CSF and Mandatory Certification
• A Simpler and Better Alternative to the HITRUST Mandate For Third Party Risk Management In Healthcare
• 20+ Due Diligence Questions about the HITRUST Certification
• Research HITRUST Board companies on: HHS Wall of Shame; ProPublica’s HIPAAHelper Privacy Violations, Breaches and Complaints page
We have never seen OCR ask for Security Opinions (e.g., SSAE SOC2) or “HITRUST Certifications”.
As of mid-May 2016, HITRUST Alliance Board Members’ ten (10) organizations have 26 listings on the HHS Wall of Shame, with responsibility for 122MM of 156MM records (79%), and 852 mentions on ProPublica’s HIPAAHelper web site for complaints / breaches. Three organizations are in the HIPAAHelper "Top 10”.
“It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”
HHS FAQ on 3rd Party Certifications
Are we required to “certify” our organization’s compliance with the standards of the Security Rule?
http://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-required-to-certify-our-organizations-compliance-with-the-standards/index.html
Answer: No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services.
Regulatory Requirements
1 http://www.ecfr.gov/cgi-bin/text-idx?SID=547a457f5304d286d3e9e0b241b76848&mc=true&node=se45.1.164_1308&rgn=div8
2 https://clearwatercompliance.com/wp-content/uploads/2014/11/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf
3 http://ithandbook.ffiec.gov/it-booklets/information-security/introduction/coordination-with-glba-section-501%28b%29.aspx#cite-ref-0-0
Risk Analysis §164.308(a)(1)(ii)(A): (Required) Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information
2012:
• Inquire of management if formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
• Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI.
• Evidence of risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity's environment.
• Determine if the covered entity risk assessment has been conducted on a periodic basis. Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.
2016:
• Does the entity have policies and procedures in place regarding a risk management process sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level?
• Has the entity implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level?
• Obtain and review policies and procedure related to risk management. Evaluate and determine if the documents identify how risk will be managed, what is considered an acceptable level of risk based on management approval, the frequency of reviewing ongoing risks, and identify workforce members’ roles in the risk management process.
• Obtain and review documentation demonstrating the security measures implemented and/or in the process of being implemented as a result of the risk analysis or assessment.
• Evaluate and determine whether the implemented security measures appropriately respond to the threats and vulnerabilities identified in the risk analysis according to the risk rating and that such security measures are sufficient to mitigate or remediate identified risks to an acceptable level.
Security Management Process - Risk Management
§164.308(a)(1)(ii)(B): (Required) Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with General Requirements
• Does the entity have policies and procedures in place regarding a risk management process sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level?
• Has the entity implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level?
• Obtain and review policies and procedure related to risk management. Evaluate and determine if the documents identify how risk will be managed, what is considered an acceptable level of risk based on management approval, the frequency of reviewing ongoing risks, and identify workforce members’ roles in the risk management process.
• Obtain and review documentation demonstrating the security measures implemented and/or in the process of being implemented as a result of the risk analysis or assessment.
• Evaluate and determine whether the implemented security measures appropriately respond to the threats and vulnerabilities identified in the risk analysis according to the risk rating and that such security measures are sufficient to mitigate or remediate identified risks to an acceptable level.
WWW.CLEARWATERCOMPLIANCE.COM
(800) 704-3394 http://www.linkedin.com/in/bobchaput/
@clearwaterhipaa
ClearwaterCompliance
Clearwater Compliance