2013 01-18 demonstration of the risk analysis software
  • Moving quickly, raise hand anytime
  • Completing a formal Security Risk Analysis is required by the HIPAA Security Rule and must follow HHS/OCR guidelines
  • You don’t know your risks…
  • You are at high risk of non-compliance…
  • Organizations are struggling to identify threats…
  • Organizations don’t know their vulnerabilities: Are critical systems encrypted? Are passwords strong enough? Are we prepared in the event of disaster?
  • All this uncertainty means we don’t know our risk: unknown financial risks, unidentified legal risks, unclear regulatory risks, and little understanding of the risks to our day-to-day operations.
  • Facilitates informed decision making; enables prioritization and justification of security investments based on quantifiable deficiencies. Transforms risk management from “arts & crafts” to science & engineering with a mature, repeatable and sustainable process. Provides ready access to your Information Asset Inventory and your Risk Profile for informed risk management decisions or presentation to auditors or potential clients. Captures a baseline for your current security risk profile and enables quantitative measurement of your progress in implementing needed controls. Empowers your organization to become self-sufficient in meeting the requirement for a periodic risk analysis as defined in the HIPAA Security Rule 45 CFR 164.308(a)(1)(ii)(A). Becomes a “living, breathing tool” for ongoing data security risk management.
  • Transcript

    • 1. Clearwater HIPAA Risk Analysis™ Software Demonstration. Jon Stone, MPA, PMP, 615-210-9612, Jon.Stone@ClearwaterCompliance.com
    • 2. Your Presenter. © 2012-13 Clearwater Compliance LLC | All Rights Reserved
    • 3. Jon Stone, MPA, PMP • 25+ years in Healthcare in the provider, payer and healthcare quality improvement fields • Innovator | Strategic Program Manager | Consultant | Executive • 15+ years of strategic leadership for compliance and Healthcare information technology projects involving the most sensitive ePHI for companies such as CIGNA, Healthways and Ingenix • PMP, MPA - Healthcare Policy and Administration • Passion: Driving business, compliance and technology solutions for improving healthcare operations and outcomes
    • 4. Session Objectives • Regulatory background • Product features • Software walkthrough • Product benefits
    • 5. Completing a formal Security Risk Analysis is required by the HIPAA Security Rule and must follow HHS/OCR guidelines. Stage 1 and Stage 2 Meaningful Use require completion of a HIPAA Security Risk Analysis.
    • 6. Security violations can be devastating to an organization’s reputation and finances.
    • 7. Without the benefit of a HIPAA compliant Risk Analysis approach… You don’t know your risks… You are probably making privacy and security investments in a vacuum, without facts and data to facilitate informed decision making…
    • 8. Without the benefit of a HIPAA compliant Risk Analysis approach… You are at high risk in the face of increasing enforcement actions: State AG Investigations • OCR Investigations • CMS Audits for MU
    • 9. The threat landscape is constantly changing. Organizations are struggling to identify threats…
    • 10. Organizations don’t know their vulnerabilities. Are critical systems encrypted? Are passwords strong enough? Are we prepared for disaster? Are our employees trained?
    • 11. All this uncertainty means we don’t know our risks… Regulatory risks • Financial risks • Legal risks • Risks to our reputations • Risks to operations and care
    • 12. What do the regulations require? 45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process. (1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. (ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. 45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.
    • 13. Three Dimensions of HIPAA Security Business Risk Management:
        • 1. Compliance: Complete a Security Assessment to Determine Compliance (45 CFR 164.308(a)(8) & OCR Audit Protocol)
        • 2. Security: Complete a Risk Analysis to Protect Sensitive Info (45 CFR 164.308(a)(1)(ii)(A))
        • 3. Test: Perform Network and Penetration Testing (45 CFR 164.308(a)(8))
        • …for a full Risk Program
    • 14. Regardless of the risk analysis methodology employed… The Health and Human Services Office of Civil Rights recommends you include the following key components
    • 15. 1. Scope of the Analysis - all ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a)). 2. Data Collection - The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).) 3. Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
    • 16. 4. Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).) 5. Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).) 6. Determine the Level of Risk - The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
    • 17. 7. Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).) 8. Periodic Review and Updates to the Risk Assessment - The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)
    • 18. Guidance on Risk Analysis Requirements under the HIPAA Security Rule (Final)
    • 19. • NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments (DRAFT) • NIST SP800-53 Revision 3 (Final), Recommended controls for Federal Information Systems and Organizations • NIST SP800-34, Contingency Planning Guide for Federal Information Systems • NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach • NIST SP800-39 (Final), Managing Information Security Risk • NIST SP800-53A Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
    • 20. Risk Analysis Myths¹ - HIPAA Security Risk Analysis Myths and Facts
        • Myth: The security risk analysis is optional for small providers. Fact: False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.
        • Myth: Simply installing a certified EHR fulfills the security risk analysis MU requirement. Fact: False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.
        • Myth: My EHR vendor took care of everything I need to do about privacy and security. Fact: False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.
        • Myth: I have to outsource the security risk analysis. Fact: False. It is possible for small practices to do risk analysis themselves using self-help tools such as the U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology’s (ONC) risk analysis tool. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.
        • ¹ ONC Guide to Privacy and Security of Health Information
    • 21. Risk Analysis Myths - HIPAA Security Risk Analysis Myths and Facts
        • Myth: A checklist will suffice for the risk analysis requirement. Fact: False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.
        • Myth: There is a specific risk analysis method that I must follow. Fact: False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.
        • Myth: My security risk analysis only needs to look at my EHR. Fact: False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data. Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.
        • Myth: I only need to do a risk analysis once. Fact: False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. For more on reassessing your security practices, please see http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__privacy___security_frame-work/1173
    • 22. Risk Analysis Myths - HIPAA Security Risk Analysis Myths and Facts
        • Myth: Before I attest for an EHR incentive program, I must fully mitigate all risks. Fact: False. The EHR incentive program requires addressing any deficiencies identified during the risk analysis during the reporting period.
        • Myth: Each year, I’ll have to completely redo my security risk analysis. Fact: False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks.
    • 23. What A Risk Analysis Is Not • A network vulnerability scan • A penetration test • A configuration audit • A network diagram review • Information system activity review • A questionnaire
    • 24. Risk Analysis Is… …the process of identifying, prioritizing, and estimating risks to organizational operations… resulting from the operation of an information system… • Risk management incorporates threat and vulnerability analyses, • Considers mitigations provided by security controls planned or in place.¹ (¹ NIST SP800-30)
    • 25. Clearwater HIPAA Risk Analysis™ Capabilities
    • 26.
    • 27. The Risk Analysis Dilemma
        • Assets and Media: Backup Media, Desktop, Disk Array, Electronic Medical Device, Laptop, Pager, Server, Smartphone, Storage Area Network, Tablet, Third-party service provider, Etcetera…
        • Threat Agent: Burglar/Thief, Electrical Incident, Entropy, Fire, Flood, Inclement weather, Malware, Network Connectivity Outage, Power Outage/Interruption, Etcetera…
        • Threat Actions: Burglary/Theft, Corruption or destruction of important data, Data Leakage, Data Loss, Denial of Service, Destruction of important data, Electrical damage to equipment, Fire damage to equipment, Information leakage, Etcetera…
        • Vulnerabilities: Anti-malware Vulnerabilities, Destruction/Disposal Vulnerabilities, Dormant Accounts, Endpoint Leakage Vulnerabilities, Excessive User Permissions, Insecure Network Configuration, Insecure Software Development Processes, Insufficient Application Capacity, Insufficient data backup, Insufficient data validation, Insufficient equipment redundancy, Insufficient equipment shielding, Insufficient fire protection, Insufficient HVAC capability, Insufficient power capacity, Insufficient power shielding, Etcetera…
        • NIST SP 800-53 Controls: PS-6 a The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access. PS-6 b The organization reviews/updates the access agreements [Assignment: organization-defined frequency]. AC-19 a The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices. AC-19 b The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems. AC-19 d The organization enforces requirements for the connection of mobile devices to organizational information systems. AC-19 e The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. Etcetera… 569
        • Approximately 170,000,000 Permutations
    • 28. The Unique Clearwater Risk Algorithm™
    • 29. The Unique Clearwater Risk Algorithm™
    • 30. Software Demonstration. Click Here to Go To Website
    • 31. Clearwater HIPAA Risk Analysis™ - Benefits
    • 32. Clearwater HIPAA Risk Analysis™ - Benefits • Provides a “by-the-book” approach to meet HIPAA and Meaningful Use requirements • Transforms risk management from “arts & crafts” to a mature, repeatable and sustainable process • Facilitates informed risk management decision making by enabling prioritization and justification of security investments
    • 33. Clearwater HIPAA Risk Analysis™ - Benefits • Captures a baseline for your current security risk profile and measures progress in treating identified risks • Becomes a “living, breathing tool” for ongoing HIPAA security risk management • Empowers your organization to become self-sufficient in meeting the requirement for a periodic risk analysis as defined in the HIPAA Security Rule 45 CFR 164.308(a)(1)(ii)(A)
    • 34. Need help with resources or expertise?
    • 35. Need help with resources or expertise?
    • 36. Questions?
    • 37. Get more info… Register For Upcoming Live HIPAA-HITECH Webinars at: http://abouthipaa.com/webinars/upcoming-live-webinars/ View pre-recorded Webinars like this one at: http://abouthipaa.com/webinars/on-demand-webinars/
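Slides 15 to 17 list the OCR components (scope, threats and vulnerabilities, likelihood, impact, level of risk, periodic update) and slide 27 shows the asset, threat and vulnerability enumeration that makes the register large. The following Python sketch is an added example of that process, not Clearwater's software or its Risk Algorithm™; the 1/3/5 scale, the likelihood times impact formula, the asset-to-threat pairings and every rating are constructed assumptions.

```python
"""Toy risk register following the OCR components on slides 15-17 and the
asset x threat x vulnerability enumeration on slide 27. Added example, not
Clearwater's software; scales, pairings and ratings are constructed."""
from dataclasses import dataclass, replace
from itertools import product

RATING = {"low": 1, "medium": 3, "high": 5}  # assumed 1/3/5 ordinal scale
ASSETS = ["Laptop", "Server", "Smartphone"]  # steps 1-2: constructed scope
THREAT_VULN = [  # step 3: reasonably anticipated pairs (constructed subset)
    ("Burglar/Thief", "Endpoint Leakage Vulnerabilities"),
    ("Malware", "Anti-malware Vulnerabilities"),
    ("Power Outage/Interruption", "Insufficient equipment redundancy"),
]

def applies(asset, threat):
    """Prune pairings that make no sense, so the register stays reviewable."""
    if threat == "Burglar/Thief":
        return asset in ("Laptop", "Smartphone")  # portable media only
    if threat == "Power Outage/Interruption":
        return asset == "Server"                  # battery-backed devices ignored
    return True

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # step 4
    impact: int      # step 5
    @property
    def level(self):  # step 6: assumed formula, likelihood x impact
        return self.likelihood * self.impact

def build_register(ratings):
    """Enumerate asset x (threat, vulnerability); unrated rows default to medium."""
    rows = []
    for asset, (threat, vuln) in product(ASSETS, THREAT_VULN):
        if applies(asset, threat):
            like, imp = ratings.get((asset, threat), ("medium", "medium"))
            rows.append(Risk(asset, threat, vuln, RATING[like], RATING[imp]))
    return sorted(rows, key=lambda r: r.level, reverse=True)  # prioritised

def treat(register, vulnerability, new_likelihood):
    """Step 8: re-score every row whose weakness a new control addresses."""
    return [replace(r, likelihood=RATING[new_likelihood])
            if r.vulnerability == vulnerability else r for r in register]

def total(register):
    """Aggregate level, used as the baseline-versus-progress measure."""
    return sum(r.level for r in register)

BASELINE = build_register({  # constructed ratings for the walkthrough
    ("Laptop", "Burglar/Thief"): ("high", "high"),
    ("Smartphone", "Burglar/Thief"): ("high", "medium"),
    ("Server", "Power Outage/Interruption"): ("low", "high"),
})
# Full-disk encryption leaves theft possible but makes leakage unlikely
AFTER = treat(BASELINE, "Endpoint Leakage Vulnerabilities", "low")
```

Printing `BASELINE` gives the prioritised list; comparing `total(BASELINE)` with `total(AFTER)` is the kind of baseline-versus-progress figure the benefits slides describe.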
