1. Clearwater HIPAA Risk Analysis™ Software Demonstration
Jon Stone, MPA, PMP
615-210-9612
Jon.Stone@ClearwaterCompliance.com
3. Jon Stone, MPA, PMP
• 25+ years in Healthcare in the provider, payer and healthcare quality improvement fields
• Innovator | Strategic Program Manager | Consultant | Executive
• 15+ years of strategic leadership for compliance and Healthcare information technology projects involving the most sensitive ePHI for companies such as CIGNA, Healthways and Ingenix.
• PMP, MPA - Healthcare Policy and Administration
Passion: Driving business, compliance and technology solutions for improving healthcare operations and outcomes
© 2012-13 Clearwater Compliance LLC | All Rights Reserved
4. Session Objectives
• Regulatory background
• Product features
• Software walkthrough
• Product benefits
5. Completing a formal Security Risk Analysis is required by the HIPAA Security Rule and must follow HHS/OCR guidelines.
Stage 1 and Stage 2 Meaningful Use require completion of a HIPAA Security Risk Analysis.
6. Security violations can be devastating to an organization’s reputation and finances.
7. Without the benefit of a HIPAA compliant Risk Analysis approach…
You don’t know your risks…
You are probably making privacy and security investments in a vacuum, without facts and data to facilitate informed decision making…
8. Without the benefit of a HIPAA compliant Risk Analysis approach…
You are at high risk in the face of increasing enforcement actions:
State AG Investigations
OCR Investigations
CMS Audits for MU
9. The threat landscape is constantly changing
Organizations are struggling to identify threats…
10. Organizations don’t know their vulnerabilities
Are critical systems encrypted?
Are passwords strong enough?
Are we prepared for disaster?
Are our employees trained?
11. All this uncertainty means we don’t know our risks…
Regulatory risks
Financial risks
Legal risks
Risks to our reputations
Risks to operations and care
12. What do the regulations require?
45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process
(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
45 C.F.R. §164.308(a)(8)
Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
13. Three Dimensions of HIPAA Security Business Risk Management
1. Compliance: Complete a Compliance Assessment to 45 CFR 164.308(a)(8) to Determine Compliance & Audit
2. Security: Complete a Security Risk Analysis 45 CFR 164.308(a)(1)(ii)(A) to Protect Sensitive Info
3. Test: Perform Network and Penetration Testing for a full Risk Program (45 CFR 164.308(a)(8) & OCR Audit Protocol)
14. Regardless of the Risk analysis methodology employed…
The Health and Human Services Office of Civil Rights recommends you include the following key components:
15. 1. Scope of the Analysis - All ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a).)
2. Data Collection - The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)
3. Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
16. 4. Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
5. Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
6. Determine the Level of Risk - The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
17. 7. Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).)
8. Periodic Review and Updates to the Risk Assessment - The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)
18. Guidance on Risk Analysis Requirements under the HIPAA Security Rule (Final)
19. • NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments – DRAFT
• NIST SP800-53 Revision 3 Final, Recommended Security Controls for Federal Information Systems and Organizations
• NIST SP800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39 Final, Managing Information Security Risk
• NIST SP800-53A, Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
20. Risk Analysis Myths¹
HIPAA Security Risk Analysis Myths and Facts
Myth: The security risk analysis is optional for small providers.
Fact: False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.
Myth: Simply installing a certified EHR fulfills the security risk analysis MU requirement.
Fact: False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.
Myth: My EHR vendor took care of everything I need to do about privacy and security.
Fact: False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.
Myth: I have to outsource the security risk analysis.
Fact: False. It is possible for small practices to do risk analysis themselves using self-help tools such as the U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology’s (ONC) risk analysis tool. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.
¹ ONC Guide to Privacy and Security of Health Information
21. Risk Analysis Myths
HIPAA Security Risk Analysis Myths and Facts
Myth: A checklist will suffice for the risk analysis requirement.
Fact: False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.
Myth: There is a specific risk analysis method that I must follow.
Fact: False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.
Myth: My security risk analysis only needs to look at my EHR.
Fact: False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data. Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.
Myth: I only need to do a risk analysis once.
Fact: False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. For more on reassessing your security practices, please see http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__privacy___security_frame-work/1173
22. Risk Analysis Myths
HIPAA Security Risk Analysis Myths and Facts
Myth: Before I attest for an EHR incentive program, I must fully mitigate all risks.
Fact: False. The EHR incentive program requires addressing any deficiencies identified during the risk analysis during the reporting period.
Myth: Each year, I’ll have to completely redo my security risk analysis.
Fact: False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks.
23. What A Risk Analysis Is Not
• A network vulnerability scan
• A penetration test
• A configuration audit
• A network diagram review
• Information system activity review
• A questionnaire
24. Risk Analysis Is…
…the process of identifying, prioritizing, and estimating risks to organizational operations… resulting from the operation of an information system…
• Risk management incorporates threat and vulnerability analyses,
• Considers mitigations provided by security controls planned or in place¹.
¹ NIST SP800-30
27. The Risk Analysis Dilemma
Assets and Media: Backup Media, Desktop, Disk Array, Electronic Medical Device, Laptop, Pager, Server, Smartphone, Storage Area Network, Tablet, Third-party service provider, Etcetera…
Threat Agents: Burglar/Thief, Electrical Incident, Entropy, Fire, Flood, Inclement weather, Malware, Network Connectivity Outage, Power Outage/Interruption, Etcetera…
Threat Actions: Burglary/Theft, Corruption or destruction of important data, Data Leakage, Data Loss, Denial of Service, Destruction of important data, Electrical damage to equipment, Fire damage to equipment, Information leakage, Etcetera…
Vulnerabilities: Anti-malware Vulnerabilities, Destruction/Disposal Vulnerabilities, Dormant Accounts, Endpoint Leakage Vulnerabilities, Excessive User Permissions, Insecure Network Configuration, Insecure Software Development Processes, Insufficient Application Capacity, Insufficient data backup, Insufficient data validation, Insufficient equipment redundancy, Insufficient equipment shielding, Insufficient fire protection, Insufficient HVAC capability, Insufficient power capacity, Insufficient power shielding, Etcetera…
NIST SP 800-53 Controls:
PS-6 a: The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
PS-6 b: The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
AC-19 a: The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices.
AC-19 b: The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.
AC-19 d: The organization enforces requirements for the connection of mobile devices to organizational information systems.
AC-19 e: The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
Etcetera… 569
Approximately 170,000,000 Permutations
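As an added example (not Clearwater's software and not code from the OCR guidance), the Python below walks the key components from slides 15-17 over a small constructed inventory taken from the dilemma table above: it enumerates asset/threat/vulnerability combinations (component 3), applies analyst likelihood and impact ratings (components 4-5) on an assumed 1-3 scale whose product gives the risk level (component 6), keeps unrated combinations visible as Pending so the record is complete (component 7), and orders the rated risks for treatment. The ratings are made up, the High/Medium thresholds are assumptions, and SI-3 and AC-19 are SP 800-53 control identifiers used only as illustrative "controls in place".

```python
from dataclasses import dataclass, field
from itertools import product

# Constructed sample inventory from the slide's columns (a real analysis lists every in-scope item).
ASSETS = ["Laptop", "Server", "Backup Media"]
THREATS = {"Burglar/Thief": "Burglary/Theft",  # threat agent -> threat action
           "Malware": "Corruption or destruction of important data",
           "Power Outage/Interruption": "Denial of Service"}
VULNERABILITIES = ["Endpoint Leakage Vulnerabilities",
                   "Anti-malware Vulnerabilities", "Insufficient power shielding"]
SCALE = {"Low": 1, "Medium": 2, "High": 3}  # assumed scale, used for both likelihood and impact

@dataclass
class RiskItem:
    asset: str
    agent: str
    action: str
    vulnerability: str
    likelihood: str = ""  # empty until an analyst rates the item (components 4-5)
    impact: str = ""
    controls: list = field(default_factory=list)  # SP 800-53 ids already in place

    def score(self) -> int:  # component 6: risk value from likelihood x impact
        return SCALE[self.likelihood] * SCALE[self.impact]

    def level(self) -> str:
        s = self.score() if self.likelihood else 0
        return "Pending" if not s else "High" if s >= 6 else "Medium" if s >= 3 else "Low"

def enumerate_triples():
    """Component 3: every asset/threat/vulnerability combination is a candidate risk."""
    return [(a, agent, action, v) for a, (agent, action), v
            in product(ASSETS, THREATS.items(), VULNERABILITIES)]

def build_register(ratings):
    """Components 4-7: apply ratings keyed by (asset, agent, vulnerability); unrated
    combinations stay in the register as Pending so the record shows they were considered."""
    register = []
    for asset, agent, action, vuln in enumerate_triples():
        item = RiskItem(asset, agent, action, vuln)
        if (asset, agent, vuln) in ratings:
            item.likelihood, item.impact, item.controls = ratings[(asset, agent, vuln)]
        register.append(item)
    return register

def prioritize(register):
    """Rated risks ordered for treatment decisions, highest score first."""
    return sorted((r for r in register if r.likelihood), key=lambda r: -r.score())

SAMPLE_RATINGS = {  # constructed ratings: (likelihood, impact, controls in place)
    ("Laptop", "Burglar/Thief", "Endpoint Leakage Vulnerabilities"): ("High", "High", []),
    ("Server", "Malware", "Anti-malware Vulnerabilities"): ("Medium", "High", ["SI-3"]),
    ("Server", "Power Outage/Interruption", "Insufficient power shielding"): ("Medium", "Medium", []),
    ("Backup Media", "Burglar/Thief", "Endpoint Leakage Vulnerabilities"): ("Low", "High", ["AC-19"]),
}
```

With three entries per column the register already holds 27 combinations and only four ratings; the 23 Pending rows are what the "170,000,000 permutations" slide is warning about at real-world scale.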
30. Software Demonstration
Click Here to Go To Website
31. Clearwater HIPAA Risk Analysis™- Benefits
32. Clearwater HIPAA Risk Analysis™ - Benefits
Provides a “by-the-book” approach to meet HIPAA and Meaningful Use requirements
Transforms risk management from “arts & crafts” to a mature, repeatable and sustainable process
Facilitates informed risk management decision making by enabling prioritization and justification of security investments
33. Clearwater HIPAA Risk Analysis™ - Benefits
Captures a baseline for your current security risk profile and measures progress in treating identified risks
Becomes a “living, breathing tool” for ongoing HIPAA security risk management
Empowers your organization to become self-sufficient in meeting the requirement for a periodic risk analysis as defined in the HIPAA Security Rule 45 CFR 164.308(a)(1)(ii)(A)
34. Need help with resources or expertise?
35. Need help with resources or expertise?
37. Get more info…
Register For Upcoming Live HIPAA-HITECH Webinars at: http://abouthipaa.com/webinars/upcoming-live-webinars/
View pre-recorded Webinars like this one at: http://abouthipaa.com/webinars/on-demand-webinars/
Editor's Notes
Moving quickly, raise hand anytime.
Completing a formal Security Risk Analysis is required by the HIPAA Security Rule and must follow HHS/OCR guidelines.
You don’t know your risks… You are at high risk of non-compliance…
Organizations are struggling to identify threats…
Organizations don’t know their vulnerabilities: Are critical systems encrypted? Are passwords strong enough? Are we prepared in the event of disaster?
All this uncertainty means we don’t know our risk: unknown financial risks, unidentified legal risks, unclear regulatory risks, little understanding of the risks to our day to day operations.
Facilitates informed decision making; enables prioritization and justification of security investments based on quantifiable deficiencies.
Transforms risk management from “arts & crafts” to science & engineering with a mature, repeatable and sustainable process.
Equips ready access to your Information Asset Inventory and your Risk Profile for informed risk management decisions or presentation to auditors or potential clients.
Captures a baseline for your current security risk profile and enables quantitative measurement of your progress in implementing needed controls.
Empowers your organization to become self-sufficient in meeting the requirement for a periodic risk analysis as defined in the HIPAA Security Rule 45 CFR 164.308(a)(1)(ii)(A).
Becomes a “living, breathing tool” for ongoing security risk management.