Redspin Webinar - Prepare for a HIPAA Security Risk Analysis

Learn how to prepare your organization for a HIPAA Risk Analysis. In this webinar, we'll cover a few easy pro-active steps that you can do to speed the process, improve the outcome and lower the potential mitigation costs of performing a HIPAA Security Risk Analysis and achieving the meaningful use core objectives around safeguarding electronic protected health information.

Published in: Health & Medicine, Technology
Transcript

  • 1. How to Prepare Your Organization for a HIPAA Security Risk Analysis. Presented by: John Abraham, Founder & Chief Security Evangelist, Redspin
  • 2. About Redspin. Penetration Testing: External Infrastructure, Internal Infrastructure, Web Applications. IT Security Controls: HIPAA, FFIEC/GLBA, PCI, NERC. Social Engineering.
  • 3. About The Speaker: John Abraham, Founder & Chief Security Evangelist. As Redspin's founder and Chief Security Evangelist, John is passionate about the importance of a structured information security program that enables management to focus IT resources on the most pressing security risk. John's belief is that addressing subtle issues within an organization's IT environment can yield significant business impact, so an ounce of prevention is the key operative behavior of successful risk management programs. John is one of Redspin's health IT security specialists, is a regular speaker on topics of security and healthcare ePHI risk management, and enjoys working with IT teams, compliance officers and executives on practical approaches to data security mitigation strategies.
  • 4. Preparing Your Organization for a HIPAA Security Risk Analysis. What we'll cover today: What is it? How does it fit into my security program? What are the preparation steps? How can I avoid pitfalls & maximize value?
  • 5. Why now? Meaningful use core objective (protecting ePHI); HIPAA compliance; risk management.
  • 6. Part 1. HIPAA Security Risk Analysis: 1. What is it? 2. How does it fit into my security program? 3. What are the preparation steps? 4. How can I avoid pitfalls & maximize value?
  • 7. HIPAA Security Rule, § 164.308(a)(1)(ii)(A): "Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."
  • 8. What is a Risk Analysis? (Also called: Risk Assessment.) An assessment of risk. CIA: confidentiality, availability and integrity. ePHI: created, received, maintained, transmitted.
  • 9. How is it performed? It's an evaluation: 1. Where is ePHI, and what are the critical apps? 2. Threats. 3. Vulnerabilities. 4. Existing controls (are they effective?). 5. Determine risk (= probability * impact).
  • 10. Flexibility on RA Approach. "Security Rule does not prescribe a specific risk analysis methodology." "Methods will vary dependent on the size, complexity, and capabilities of the organization." "There are numerous methods of performing risk analysis." "There is no single method or best practice that guarantees compliance with the Security Rule." Source: Guidance on Risk Analysis Requirements under the HIPAA Security Rule, July 14, 2010 - http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
  • 11. Goals and Objectives: Identify (and prioritize) risk; ensure controls are working; recommend improvements; foundation for a robust security program; achieve compliance (HIPAA Security Rule & Meaningful Use).
  • 12. Expected Outcomes: IT transparency; executive understanding of the current state of security; prioritized view of risk; the data needed to create an IT action plan.
  • 13. Part 2. HIPAA Security Risk Analysis: 1. What is it? 2. How does it fit into my security program? 3. What are the preparation steps? 4. How can I avoid pitfalls & maximize value?
  • 14. Source: ISO 27001, NIST SP 800-39, PCI DSS, FFIEC, COBIT, HIPAA - Administrative Safeguards (§164.308), ...
  • 15. Risk Analysis. "Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule." "A risk analysis is foundational." "The Security Rule requires entities to evaluate risks and vulnerabilities... and to implement reasonable and appropriate security measures... Risk analysis is the first step in that process." Source: Guidance on Risk Analysis Requirements under the HIPAA Security Rule, July 14, 2010 - http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
  • 16. Part 3. HIPAA Security Risk Analysis: 1. What is it? 2. How does it fit into my security program? 3. What are the preparation steps? 4. How can I avoid pitfalls & maximize value?
  • 17. Organizational Resources. Time: vendor selection (2-8 weeks); Risk Analysis timeline (1-4 weeks). People: vendor selection (IT, compliance, executive); during the RA (1 liaison). Budget: varies depending on size/complexity.
  • 18. What about cost? Variables: depends on complexity, satellite locations, ...; web application and network penetration testing; social engineering; business associate risk.
  • 19. What is needed for a proposal? What is the size & complexity of the IT environment? Key criteria... RFP template.
  • 20. What is needed for analysis? Liaison; ePHI inventory; critical business associates; ISO (the person responsible for security); security policy; documentation (whatever is available): network diagrams, audit results, system docs.
  • 21. Part 4. HIPAA Security Risk Analysis: 1. What is it? 2. How does it fit into my security program? 3. What are the preparation steps? 4. How can I avoid pitfalls & maximize value?
  • 22. Pitfall 1: Waiting for the network to stabilize. It never does!
  • 23. Pitfall 2: Assuming a control addresses risk. Existence does not equal effective.
  • 24. Pitfall 3: Thinking compliance is security. Compliance does not equal security.
  • 25. Pitfall 4: Waiting until you implement ____. It may not be a high priority.
  • 26. Pitfall 5: Using a check-box approach to RA. False positives make you look bad; it creates focus on less important issues while missing critical risk; expensive mitigation; lack of context.
  • 27. HIPAA Security Rule: Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
  • 28. HIPAA Security Rule: In deciding which security measures to use, a covered entity must take into account the following factors: (i) The size, complexity, and capabilities of the covered entity. (ii) The covered entity's technical infrastructure, hardware, and software security capabilities. (iii) The costs of security measures. (iv) The probability and criticality of potential risks to electronic protected health information.
  • 29. Summary. HIPAA Security Risk Analysis: What is it? How does it fit into my security program? What are the preparation steps? How can I avoid pitfalls & maximize value?
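As an added example (not part of the webinar or Redspin's material), the five evaluation steps from slide 9 and the "existence does not equal effective" pitfall from slide 23 carried through as a small ePHI risk register in Python; every asset, threat, score and control below is constructed for illustration.

```python
# Added example: a minimal ePHI risk register following the slide 9 steps
# (where is ePHI, threats, vulnerabilities, existing controls, risk = probability * impact).
# All assets, threats, scores and controls are constructed, not from the webinar.
from dataclasses import dataclass, field
from typing import List


@dataclass
class Control:
    name: str
    effective: bool  # slide 23: a control that merely exists does not reduce risk


@dataclass
class Scenario:
    asset: str            # step 1: where ePHI lives / critical application
    threat: str           # step 2
    vulnerability: str    # step 3
    probability: int      # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (minor) .. 5 (severe) loss of confidentiality, integrity or availability
    controls: List[Control] = field(default_factory=list)  # step 4: existing controls


def inherent_risk(s: Scenario) -> int:
    """Step 5 with no credit for controls: probability * impact."""
    return s.probability * s.impact


def residual_risk(s: Scenario) -> int:
    """Step 5 after controls: each *effective* control lowers probability one step (floor 1).
    Ineffective controls are counted as absent, which makes the slide 23 pitfall explicit."""
    effective = sum(1 for c in s.controls if c.effective)
    return max(1, s.probability - effective) * s.impact


def prioritize(scenarios: List[Scenario]) -> List[Scenario]:
    """Prioritized view of risk (slide 12): highest residual risk first, ties by asset name."""
    return sorted(scenarios, key=lambda s: (-residual_risk(s), s.asset))


# Constructed sample register.
REGISTER = [
    Scenario("EHR database server", "ransomware", "unpatched OS", 4, 5,
             [Control("desktop antivirus only", effective=False),
              Control("tested offline backups", effective=True)]),
    Scenario("clinician laptop with ePHI exports", "device theft", "no full-disk encryption", 3, 4),
    Scenario("billing file share", "insider misuse", "everyone has write access", 2, 3,
             [Control("quarterly access review", effective=True)]),
]

if __name__ == "__main__":
    for s in prioritize(REGISTER):
        print(f"{residual_risk(s):>2} (inherent {inherent_risk(s):>2})  {s.asset}: {s.threat} via {s.vulnerability}")
```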
