Copyright Notice...2015/11/20 · 3. Train all Members of Your Workforce (45 CFR 164.530(b) and 45...
© Clearwater Compliance | All Rights Reserved
1
Copyright Notice
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
For reprint permission and information, please direct your inquiry to [email protected]
Legal Disclaimer
Legal Disclaimer. This information does not constitute legal recommendations and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
Welcome
Welcome to today’s Live Event… we will begin shortly…
Please feel free to use the “Question” area to pose any ‘burning’ questions you may have in advance…
“So you know your risks, now what?”
‘So you know your risks, now what?’
How to Conduct Bona Fide Security Risk Response
Jon Stone, MPA, CRISC, HCISPP, PMP
Vice President of Product Innovation
615-210-9612
• VP of Product Innovation for Clearwater Compliance, LLC
• 30+ years in Healthcare in the provider, payer and healthcare quality improvement industries
• 20+ years of strategic leadership for compliance and Healthcare information technology projects involving the most sensitive ePHI for companies such as CIGNA, Healthways and Optum
• MPA - Healthcare Policy and Administration
Some Ground Rules
1. Slide materials… will be provided
2. Questions in “Question Area” on GTW Control Panel
3. In case of technical issues, check “Chat Area”
4. All Attendees are in Listen Only Mode
5. Please complete Exit Survey when you leave session
6. Recorded version and final slides within 48 hours
How This Webinar Fits In
• Information Risk Management Essentials (survey course)
• Bona Fide Risk Analysis and Risk Management (survey course)
• How to Establish Your Risk Management Program (deeper dive)
• How to Conduct Bona Fide Security Risk Analysis (deeper dive)
• How to Conduct Bona Fide Security Risk Response (deeper dive)
• How to Mature Your Risk Management Program (deeper dive)
Register For Upcoming Live Webinars at:
http://clearwatercompliance.com/live-educational-webinars/
You are Here!
How This Webinar Fits In…
1. Set Privacy and Security Risk Management & Governance Program in place (45 CFR §164.308(a)(1))
2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530 and 45 CFR §164.316)
3. Train all Members of Your Workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))
4. Complete a HIPAA Security Risk Analysis & Risk Management (45 CFR §164.308(a)(1)(ii)(A) and (B))
5. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8))
6. Complete Technical Testing of Your Environment (45 CFR § 164.308(a)(8))
7. Implement a Strong, Proactive Business Associate / Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))
8. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)
9. Assess your current Insurance Coverage (e.g., Cyber Liability, D&O, P&C)
10. Document and act upon a remediation plan
You are Here!
Top 8 Reasons To Undertake Risk Analysis And Risk Response
Bottom Line: You will know all your exposures and be able to make informed decisions about them…
1. Take better care of customers, patients, members, residents, etc.
2. Avoid Security Incidents and/or Breaches
3. Meet Specific Regulatory & Industry Requirements (HIPAA/HITECH, PCI DSS)
4. Completion of Foundational Security Program
5. Development of Remediation Plan
6. Tremendous Educational Experience
7. Basis for Continuous Process Improvement
8. Essential for realizing IT and Business Strategy
Clearwater Information Risk Management Life Cycle
Outline
• Regulations and Standards
• Risk Foundation
• Options for effective risk response
• Evaluating alternatives to reduce risks
• How to make sure risk responses get implemented
• Resources
Must Do!
• Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. - 45 C.F.R. §164.308(a)(1)(i)(A)
• Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a). - 45 C.F.R. §164.308(a)(1)(i)(B)
• “The objective of Section 404 is to provide meaningful disclosure to investors about the effectiveness of a company’s internal controls systems, without creating unnecessary compliance burdens or wasting shareholder resources.” – SEC Press release, 2007
• “PCI DSS 12.1.2 Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP800-30)” – PCI DSS 2.0
Meaningful Use Stage 2
...and implement security updates as necessary and correct identified security deficiencies as part of its risk management process
Moving From Audit To Enforcement – Risk Analysis
“9. Please submit a copy of XXX most recent risk analysis, as well as a copy of all risk analyses performed for or by copy XXX within the past 6 years pursuant to 45 C.F.R. § 164.308(a)(1)(ii)(A). If no risk analysis has been performed, please state so.”
Moving From Audit To Enforcement – Risk Response
“10. Please provide evidence of XXX security measures that are in place to reduce the risks to ePHI identified in the risk analysis (i.e. risk management plan and accompanying evidence).
Please be sure to submit a copy of a risk management plan(s) associated with each risk analysis requested above. These risk management plans should describe the security measures implemented by XXX to sufficiently reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level to comply with 164.308(a)(1)(ii).
Please ensure the risk management plan states the dates of implementation and/or estimated dates of completion for each security measure. Provide evidence of implementation where applicable (i.e. screenshots, business associate agreements, photographs, etc.)”
Risk Response Fundamentals
• All Risks Need a Response
• Not All Risks Must Be Mitigated
• Risk Response Requires Setting Your Risk Threshold
• Risk Response Requires Real Risk Analysis
• Risk Response is Informed Decision Making – What’s New?
Risk Response Workflow
[Diagram: the workflow cycle followed by the rest of this deck, with the stages Risk Analysis, Identified Risks, Framing Risk Response, Risk Threshold, Evaluate Alternatives, Approve Alternatives, Risk Treatment, Implementation Planning, Risk Action Plan, Monitoring, Audit and Metrics, Reports, Documentation and Risk Reconciliation.]
Risk Tolerance
Risk tolerance is the level of risk, or degree of uncertainty, that is acceptable to the organization, and it is a key element of the organizational risk frame.
Determining risk tolerance is an important risk management activity and is also part of risk framing.
Determining Your Risk Threshold
No two organizations are alike…
• For organizations that deal with critical and/or sensitive information, personally identifiable information, or classified information, the emphasis is often on preventing unauthorized disclosure.
• For organizations driven by a combination of culture and the nature of their missions and business functions, the emphasis is on maintaining the availability of information systems to drive growth or sales.
• Defining: The values, beliefs, and norms of organizations are examined in order to understand how risk trade-offs are made.
• Assessing: A risk assessment identifies the kinds and levels of risk to which organizations may be exposed. This assessment considers both the likelihood and impact of undesired events.
• Culture: The cultural willingness to accept certain types of loss within organizations.
• Leadership: Subjective risk-related actions of senior leaders/executives.
Risk Threshold
Select your Risk Threshold based on the organization’s overall tolerance for uncertainty, i.e. the level of risk that is acceptable to the organization.
HHS OCR Guidance On Risk Analysis
1. Scope of the Analysis - all ePHI must be included in risk analysis
2. Data Collection – it must be documented
3. Identify and Document Potential Threats and Vulnerabilities
4. Assess Current Security Measures
5. Determine the Likelihood of Threat Occurrence
6. Determine the Potential Impact of Threat Occurrence
7. Determine the Level of Risk
8. Finalize Documentation
9. Periodic Review and Updates
Establishing A Risk Value
Think Likelihood * Impact

Likelihood
Rank | Description | Example
0 | Not Applicable | Will never happen
1 | Rare | May happen once every 10 years
2 | Unlikely | May happen once every 3 years
3 | Moderate | May happen once every 1 year
4 | Likely | May happen once every month
5 | Almost Certain | May happen once every week

Impact
Rank | Description | Example
0 | Not Applicable | Does not apply
1 | Insignificant | Not reportable; Remediate within 1 hour
2 | Minor | Not reportable; Remediate within 1 business day
3 | Moderate | Not reportable; Remediate within 5 business days
4 | Major | Reportable; Less than 500 records compromised
5 | Disastrous | Reportable; Greater than 500 records compromised

Rating (Likelihood * Impact)
• Critical = 25
• High = 15-24
• Medium = 8-14
• Low = 0-7
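As an added worked example (not part of the original deck or Clearwater's software), the following Python scores risks on the 0-5 Likelihood and Impact ranks above, maps the product onto the Critical/High/Medium/Low bands, and compares each value against a risk threshold; it goes one step further than this slide by re-scoring a risk after a treatment to show residual risk. The sample risk register and the numeric threshold of 7 are constructed assumptions, not values from the slides.

```python
from dataclasses import dataclass

# Rank scales from the Likelihood and Impact tables on this slide (0-5).
LIKELIHOOD = {0: "Not Applicable", 1: "Rare", 2: "Unlikely",
              3: "Moderate", 4: "Likely", 5: "Almost Certain"}
IMPACT = {0: "Not Applicable", 1: "Insignificant", 2: "Minor",
          3: "Moderate", 4: "Major", 5: "Disastrous"}


def risk_value(likelihood: int, impact: int) -> int:
    """Risk value = Likelihood * Impact, each a rank from 0 to 5."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be ranks 0-5")
    return likelihood * impact


def rating(value: int) -> str:
    """Map a 0-25 risk value onto the slide's rating bands."""
    if value == 25:
        return "Critical"
    if 15 <= value <= 24:
        return "High"
    if 8 <= value <= 14:
        return "Medium"
    if 0 <= value <= 7:
        return "Low"
    raise ValueError("risk value must be 0-25")


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int

    @property
    def value(self) -> int:
        return risk_value(self.likelihood, self.impact)


def response(risk: Risk, threshold: int) -> str:
    """A risk at or below the threshold is within tolerance and may be
    accepted; anything above it needs treatment (avoid, transfer or
    mitigate). Expressing the threshold as one number on the 0-25 scale
    is an assumption made for this example."""
    return "Accept" if risk.value <= threshold else "Treat"


def residual(risk: Risk, new_likelihood: int, new_impact: int) -> Risk:
    """Residual risk: the same asset/threat re-ranked after a treatment."""
    return Risk(risk.asset, risk.threat, new_likelihood, new_impact)


def risk_register_report(risks, threshold):
    """One (asset, threat, value, rating, response) row per risk, highest
    value first, as the starting point for a Risk Action Plan."""
    rows = [(r.asset, r.threat, r.value, rating(r.value),
             response(r, threshold)) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register; threshold 7 (top of the "Low" band) is
# likewise a constructed choice, not a value from the slides.
SAMPLE_RISKS = [
    Risk("EHR database server", "Ransomware on unpatched host", 4, 5),
    Risk("Laptop holding ePHI exports", "Theft of unencrypted laptop", 3, 5),
    Risk("Backup tapes", "Tape misplaced in transit", 2, 3),
]
SAMPLE_THRESHOLD = 7

if __name__ == "__main__":
    for row in risk_register_report(SAMPLE_RISKS, SAMPLE_THRESHOLD):
        print(row)
    # Treatment: full-disk encryption on the laptop. Theft is still as
    # likely (3), but a lost encrypted device is no longer a reportable
    # breach, so impact is re-ranked from Disastrous (5) to Minor (2).
    after = residual(SAMPLE_RISKS[1], 3, 2)
    print(after.value, rating(after.value), response(after, SAMPLE_THRESHOLD))
```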
Communicate Risk Analysis Results
Report the results of Risk Analysis in terms and formats useful to support business and risk management decisions:
• Quantify: Estimated most probable loss magnitude, high-end loss potential
• Map to Strategy: Tie risks to strategy and company objectives
• Think Broadly: Don’t forget significant reputational, legal or regulatory considerations
• Inform and Educate: Include the key components of risk (likelihood and impact)
NIST Risk Response Process
Begins with determining your Risk Threshold (NIST SP 800-39, pg. 2)
01 Risk Response Identification (NIST SP 800-39, pg. 42)
02 Evaluate Alternatives (NIST SP 800-39, pg. 43)
03 Risk Response Decision (NIST SP 800-39, pg. 43)
04 Risk Response Implementation (NIST SP 800-39, pg. 44)
Risk Response Identification (also known as Risk Treatment)
01 Risk Acceptance: Risk acceptance is the appropriate risk response when the identified risk is within the organizational risk tolerance. NIST SP 800-39, pg. 42
02 Risk Mitigation: Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred. [Adding or enhancing controls or safeguards] NIST SP 800-39, pg. 42
03 Risk Transfer: Risk transfer shifts the risk liability from one organization to another organization (e.g., using insurance to transfer risk from particular organizations to insurance companies). NIST SP 800-39, pg. 43
04 Risk Avoidance: Risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk or to revise or reposition these activities or technologies in the organizational mission/business processes to avoid the potential for unacceptable risk. NIST SP 800-39, pg. 42
Controls Or Safeguards
• Controls or safeguards must be implemented to secure information from threats and ensure confidentiality, integrity & availability through:
  • Deterrent controls
  • Preventive controls
  • Detective controls
  • Corrective controls
  • Compensating controls
• Compliance regulations/standards often require specific named controls
[Diagram: relationships among Threat Source, Threat Action, Vulnerability, Impact and the five control types (Deterrent, Preventive, Detective, Corrective, Compensating), with edge labels “creates”, “exploits”, “results in”, “reduces likelihood of”, “decreases”, “reduces”, “discovers”, “may trigger” and “protects”.]
Control Type | Everyday Example | Security Example
Preventive | Security Guard | Employee supervision
Preventive | Guard Dog | Physical access monitoring
Preventive | Lighting | On-site generator
Preventive | Locks | Two-factor authentication
Deterrent | Fence | Physically secured demarcation points
Deterrent | Alarms | Anti-virus software
Deterrent | Motion Sensors | Network disconnect of idle or malicious connections
Deterrent | Bank vault | Two-man rule
Detective | Video Monitoring | Snooping detective software
Detective | Meta Data | Central monitoring of anti-virus and personal firewall logs
Detective | Key Logger | Logging of information access
Detective | Identity | User permissions reviews
Corrective | Jail | Controls around user-installed software
Corrective | Fines | Accounts lock after too many failed logins
Corrective | Penalties | Network traffic throttling
Corrective | Access | Testing of password strengths
Compensating | Insurance | Tracking of backup media
Compensating | Extra Keys | Data backup
Compensating | Archives | Encryption of disks (full disk, file based, etc.)
Compensating | Auditors | Segregation of duties
Options for Control Choices
• FISMA Control Families
• NIST Control Families
• ISO 27002 Control Families
Evaluate Alternatives
• Effectiveness - the expected effectiveness in achieving the desired risk response
  • Build in additional controls
  • Increase the strength of a control
• Feasibility - the anticipated feasibility of implementation
  • Don’t forget mission, legal, technical and operational considerations
• Cost
Evaluate Alternatives - Risk Avoidance Example
Risk avoidance is the risk response technique that entails eliminating hazards, activities and exposures that place an organization's valuable assets at risk.
Evaluate Alternatives – Mitigation Example
Evaluate a course of action to reduce a risk
Risk Response Decision
Decide on the appropriate course of action for responding to risk:
• Approve: Select a course of action
• Document: Document the investment of resources
• Residual Risk Rating: Document residual risk
Residual Risk and Approval
Residual risk is the projected portion of the risk that is left after risk treatment has been applied.
Essential Implementation Elements
• Planning: Timeline for implementation of risk response measures
• Accountability: Individuals responsible for the selected risk response measures
• Monitoring: Plans for monitoring the effectiveness of risk response measures
• Evidence: Attachments, Notes, Design Documents, Testing Artifacts, Deployment Plans
Implementation Planning
Initiate Risk Response Activities as projects
Plan For Monitoring Effectiveness
• Specifications of effectiveness criteria
• Control Objectives
• Indicators and thresholds against which the effectiveness of the control can be measured
Action Plan Fundamentals
• Description: Concise and well-described requirements that minimize confusion
• Responsibility: Ownership and Accountability
• Dates: Due Dates, Interim Dates, Completion Dates
• Notes: Documentation of accomplishments, next steps and risks/issues/barriers
• Search and Filtering: View and sorting for Urgent, Past Due, On the Horizon activities
Moving From Audit To Enforcement – Risk Response
Please ensure the risk management plan states the dates of implementation and/or estimated dates of completion for each security measure. Provide evidence of implementation where applicable (i.e. screenshots, business associate agreements, photographs, etc.)”
Risk Action Plan
Manage from a Risk Action Plan (Risk Management Plan)
Risk Action Plan
Maintain documentation
Risk Action Plan
Log Accomplishments, Next Steps and Barriers to drive progress
What Comes After Risk Response?
Monitor Operational Alignment With Risk Tolerance Threshold
• Key Goals:
  • Verify Compliance (compliance monitoring)
  • Determine the ongoing effectiveness of risk response
  • Identify risk-impacting changes to organizational information systems and environment of operation
• Monitoring is the “check” portion of the Plan/Do/Check/Act Deming Cycle
• Requires automated data collection and reporting, as well as thoughtful & deliberate manual reviews
• Monitoring should be architected into control & reporting solutions vs. “bolting on” after the fact
• Vital that this be considered a continuous process – NIST SP 800-137
• “Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions” – NIST SP 800-137, p. vi
Supplemental Reading
• NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments
• NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP 800-39, Managing Information Security Risk
• NIST SP 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP 800-53A Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
• NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
• MU Stage 2 Hospital Core 7 Protect Electronic Health Info 2012-11-05
• CMS MU Stage 1 vs Stage 2 Comparison Tables for Hospitals
• CMS Security Risk Assessment Fact Sheet (Updated 20131122)
• NIST Risk Management Framework 2009
Remember! The Security Rule is based on NIST!
Download Whitepaper
Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
http://clearwatercompliance.com/hipaa-risk-analysis-essentials-lp/
Risk Analysis and Risk Management Maturity
From “Arts & Crafts” to “Science & Engineering”: Methodology and Software that are…
• Proactive
• Adaptable
• Consistent
• Predictable
• Measurable
• Standards-based
Clearwater WorkShop™ Process
01 Preparation
• Plan / Gather / Schedule
• Read Ahead / Review Materials
• Provide SaaS Subscription/Train
• Administer Surveys
02 Onsite Discovery/Assessment
• Facilitate & Discover
• Educate & Equip
• Evaluate & Advise
• Gather & Populate SaaS
03 Written Report
• Analyze Findings
• Document Observations
• Develop Recommendations
• Present and Sign Off
Software Subscription Plus WorkShop™
• 2.5-hours training for as many staff as you wish
• Ongoing technical support
• IRM | Analysis™ - 2 or 3-year subscription, paid annually
• Ongoing software updates
• Ongoing Community engagement
• Professional consulting services to complete the risk analysis process, end-to-end
• Risk Analysis Report with Findings, Observations and Recommendations
• Fully-populated IRM | Analysis™ software application
Our goal at Clearwater is to help your organization become as self-sufficient as you would like to be, as quickly as you would like to be.
What Differentiates Clearwater
• Proven Model: Thought- and Methodology-Leadership | Full range of solutions to 500+ customers across US | Raving fan references
• Deep Experience: Highly credentialed consultants | 30+ OCR/CMS/OIG audits and investigations | Millions of Lives Under Our Processes, Safeguards and Protection
• Market Recognition: Invaluable Insights from Executives, Colleagues, Attorneys and Regulators | Critically Acclaimed Solutions | #11, March 2015
Prevention | Confidence | Assurance
Get More Info…
Register For Upcoming Live HIPAA-HITECH Webinars at:
http://clearwatercompliance.com/live-educational-webinars/
View pre-recorded Webinars like this one at:
http://clearwatercompliance.com/on-demand-webinars/
Other Upcoming Clearwater Events
Visit ClearwaterCompliance.com for more info!
• December 3, 2015 – Complimentary Webinar: How to Calculate the Cost of a Data Breach and How to Get the Budget for Your HIPAA-HITECH Compliance Program
• December 8, 2015 – Complimentary Webinar: How to Mature Your Information Risk Management Program
• December 10, 2015 – Complimentary Webinar: How to Implement a Strong, Proactive HIPAA Business Associate Risk Management Plan
• December 17, 2015 – Complimentary Webinar: How to Develop your HIPAA-HITECH Policies & Procedures
WWW.CLEARWATERCOMPLIANCE.COM
106 WINDWARD PT, HENDERSONVILLE, TN 37075-5108
(800) 704-3394
LinkedIn: http://www.linkedin.com/in/bobchaput/
Twitter: @clearwaterhipaa
ClearwaterCompliance
Clearwater Compliance