© 2013 SISA Information Security Inc.
About SISA:
SISA Information Security was founded in 2003 and has over 300 customers
ranging from healthcare, insurance, banks, hospitality and information technology.
SISA is a leader in Risk Analysis and its tool SISA Assistant is widely used for
HIPAA compliance.
HIPAA Risk Analysis
www.sisainfosec.com
Dharshan Shanthamurthy,
CISA, CISSP, GWAPT, PCI QSA, OCTAVE Authorized
Trainer/Advisor, FCA, ISA, CEH, P2PE QSA, PA QSA
• CEO of SISA Information Security Inc
• Two decades of information security experience and a specialist in formal
risk assessment methodologies.
• Conducted around 120 workshops in over 13 countries on topics
ranging from Risk Assessment, HIPAA, PCI and ISO.
• Trained at CERT Coordination Center on Risk Assessment and
recognized as authorized trainer/advisor for SEI in 2003.
• Author of the Certified Information Security Risk Assessor Program
(training dedicated towards formal methodologies)
• PCI DSS Special Interest Group Proposer and Lead for Risk
Assessment.
LinkedIn: http://www.linkedin.com/in/dharshanshanthamurthy
Agenda
• Definition
• Background
• Current environment
• Common Risk Analysis Process
• Questions
Objective: Step-by-step approach to HIPAA Risk Analysis
Risk Assessment
Risk assessment is the cornerstone of any
information security program, and it is the fastest
way to gain a complete understanding of an
organization's security profile – its strengths and
weaknesses, its vulnerabilities and exposures.
“IF YOU CAN’T MEASURE IT
…YOU CAN’T MANAGE IT!”
Background
• Formal risk analysis (or risk assessment)
- Essential component of HIPAA compliance
- Can help organizations identify their most critical exposures and vulnerabilities and, more importantly, safeguard overall privacy and security
- Forms a basis for determining how risks should be managed
• Adds value by ensuring that resources are directed at the areas that are most important to management and governance.
HIPAA and Risk Analysis
Administrative Safeguards: Security Management Process
• “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the covered entity.”
• “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”
Risk Analysis: Why is it so critical?
• Control optimization: protect everything, or do Risk Analysis to know what needs to be protected
• Treat helps to prioritize the mitigation process
• Be secure, not just compliant: effective and efficient control deployment
• Was secure yesterday, but is it true today? Analyze the effectiveness of existing controls on an ongoing basis
• Helps the organization take the right decision at the right time
Current Environment
• 80% of organizations don’t have a consistent manner of assessing risk.
• 4/5 of organizations have no formal risk appetite defined.
• 47/49 providers, 20/35 health plans and 2/7 clearinghouses did not have a basic formal risk assessment
Source: NIST-OCR 2013
Source: 2013 KPMG Survey
Common misconceptions
• Vulnerability Assessment = Risk Analysis
• Risk Analysis = Audit
• Risk Analysis does not require any specific skill
• Risk Analysis is black or white.
• We already know the risk, so why conduct a formal Risk Analysis?
• Risk Analysis has no business value and is required only for compliance purposes just before the audit
• Risk Analysis does not require a formal approach. Let me devise my own.
Common Risk Analysis Flow
ISRA flow:
• General Description of ISRA
• Risk Analysis: Risk Identification
• Risk Analysis: Risk Estimation and Evaluation
• Risk Treatment
SISA Assistant flow:
• Scope
• Asset
• Threat
• Vulnerabilities
• Risk Profiling
• Risk Treatment Plan
• Results Documentation
1. General Description of ISRA
Input:
• Basic Criteria
• Scope and Boundaries
• Organization for ISRM
Action: Identify, describe (quantitatively or qualitatively) and prioritize risks.
Output: Assessed risks prioritized according to Risk Evaluation Criteria.
2. Risk Analysis: Risk Identification
Identification of Assets
Input:
• Scope and Boundaries
• Asset owners
• Asset Location
• Asset function
Action: Assets are defined.
Output:
• List of Assets.
• List of associated business processes.
2. Risk Analysis: Risk Identification
Identification of Threats
Input: Threat information from
• Review of Incidents
• Asset Owners
• Asset Users, etc.
Action: Threats are defined.
Output:
• Threats
• Threat source
• Threat type
2. Risk Analysis: Risk Identification
Identification of Existing Controls
Input:
• Documentation of controls
• RTP
Action: Existing and planned controls are defined.
Output:
• Existing and planned controls
• Implementation status
• Usage status
2. Risk Analysis: Risk Identification
Identification of Vulnerabilities
Input:
• Identified Assets
• Identified Threats
• Identified Existing Controls
Action: Vulnerabilities are identified.
Output:
• Vulnerabilities related to assets, threats, controls.
• Vulnerabilities not related to any threat.
2. Risk Analysis: Risk Identification
Identification of Consequences
Input:
• Assets and business processes
• Threats and vulnerabilities
Action: The impact of the loss of CIA is identified.
Output:
• Incident scenarios with their consequences related to assets and business processes
3. Risk Analysis: Risk Estimation
Risk Estimation Methodologies
(a) Qualitative Estimation: High, Medium, Low
(b) Quantitative Estimation: $, hours, etc.
3. Risk Analysis: Risk Estimation
Assessment of consequences
Input:
• Assets and business processes
• Threats and vulnerabilities
• Incident scenarios
Action: The business impact from information security incidents is assessed.
Output: Assessed consequences of an incident scenario expressed in terms of assets and impact criteria.
3. Risk Analysis: Risk Estimation
Level of Risk Estimation
Input:
• Incident scenarios with their consequences
• Their likelihood (quantitative or qualitative).
Action: Level of risk is estimated for all relevant incident scenarios.
Output: List of risks with value levels assigned.
4. Risk Evaluation
Input:
• Risks with value levels assigned and risk evaluation criteria.
Action: Level of risk is compared against risk evaluation criteria and risk acceptance criteria.
Output: Risks prioritized according to risk evaluation criteria in relation to the incident scenarios.
Scope
• Physical Location – building, room, etc.
• Data Center
• Business Process
• Business Division
Asset Review
• Admin Processes
• Clinical Processes
• Electronic Health Records System
Threat Review
• Hacker exploits insecure communication channels
• Theft / destruction of media or documents
• Corruption of data
• CSRF Attack
Vulnerability Review
• Employee Disclosure
• EPHI is stored unencrypted
• No quarterly review of firewall rules
• XSS Vulnerability
Risk Profiling
Risk Score = f(Asset Value, LHOT, LOV)
• Calculated after taking Risk Evaluation and Risk Acceptance Criteria into account
Revised Risk Score = Risk Score after
• Evaluating Existing Controls
• Applying New Controls
Risk Treatment Plan
• Treat / Tolerate / Terminate / Transfer
• Take Action if Treat/Transfer
• Take Approval if Tolerate/Terminate
Results Documentation
• Document A-T-V Combination with the associated Risk
• Calculation of Risk
• RTP
• Action Taken
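A worked risk-profiling pass for one A-T-V combination, added here as an illustration (not SISA Assistant's code) that ties together the Risk Profiling formula, the Treat/Tolerate/Terminate/Transfer rule and the results-documentation items above. The deck leaves f, the expansions of LHOT and LOV, and the evaluation and acceptance thresholds unspecified, so the product-based score, the three-level scale and the thresholds used here are assumptions, and the sample A-T-V is constructed from the deck's staff-transfer scenario.

```python
from dataclasses import dataclass, field

# Ordinal values for the qualitative scale the deck uses (High / Medium / Low).
RATING = {"Low": 1, "Medium": 2, "High": 3}
LEVEL = {v: k for k, v in RATING.items()}

@dataclass
class Control:
    name: str
    reduces: str              # "LHOT" or "LOV": which factor the control lowers
    by: int = 1               # qualitative levels it lowers that factor (assumed)
    status: str = "existing"  # "existing" or "planned" (new control)

@dataclass
class ATV:
    """One Asset-Threat-Vulnerability combination to document."""
    asset: str
    threat: str
    vulnerability: str
    asset_value: str   # Low / Medium / High
    lhot: str          # assumed expansion: likelihood of threat occurrence
    lov: str           # assumed expansion: level of vulnerability
    controls: list = field(default_factory=list)

def risk_score(asset_value, lhot, lov):
    """Risk Score = f(Asset Value, LHOT, LOV); f is assumed to be the product."""
    return RATING[asset_value] * RATING[lhot] * RATING[lov]

def evaluate(score):
    """Assumed risk evaluation criteria: >12 High, 5..12 Medium, <=4 Low."""
    if score > 12:
        return "High"
    return "Medium" if score > 4 else "Low"

def apply_controls(lhot, lov, controls):
    """Lower LHOT / LOV by the levels each control is credited with (floor: Low)."""
    factor = {"LHOT": RATING[lhot], "LOV": RATING[lov]}
    for c in controls:
        factor[c.reduces] = max(1, factor[c.reduces] - c.by)
    return LEVEL[factor["LHOT"]], LEVEL[factor["LOV"]]

def recommend_option(level):
    """Assumed risk acceptance criteria: only Low is tolerable; the rest is treated."""
    return "Tolerate" if level == "Low" else "Treat"

def next_step(option):
    """Deck rule: Treat/Transfer need action, Tolerate/Terminate need approval."""
    return "Take Action" if option in ("Treat", "Transfer") else "Take Approval"

def profile(atv):
    """Build the results-documentation record for one A-T-V combination."""
    score = risk_score(atv.asset_value, atv.lhot, atv.lov)
    existing = [c for c in atv.controls if c.status == "existing"]
    after_existing = risk_score(atv.asset_value, *apply_controls(atv.lhot, atv.lov, existing))
    revised = risk_score(atv.asset_value, *apply_controls(atv.lhot, atv.lov, atv.controls))
    option = recommend_option(evaluate(revised))
    return {"atv": (atv.asset, atv.threat, atv.vulnerability),
            "risk_score": score, "risk_level": evaluate(score),
            "after_existing_controls": after_existing,
            "revised_risk_score": revised, "revised_level": evaluate(revised),
            "rtp_option": option, "action": next_step(option)}

# Constructed sample built from the deck's threat-profiling scenario (not real data).
SCENARIO = ATV(
    asset="Lab-area network segment holding PHI",
    threat="Transferred staff use access rights retained from the old department",
    vulnerability="Access rights are not revoked on department change",
    asset_value="High", lhot="High", lov="High",
    controls=[Control("Quarterly user-access review", "LOV"),
              Control("Revoke access in the HR transfer workflow", "LOV", status="planned"),
              Control("Badge access tied to current department", "LHOT", status="planned")])
```

Running `profile(SCENARIO)` walks the scenario from a raw score of 27 (High) to 18 after the existing quarterly review and 6 (Medium) once the planned controls are credited, which under the assumed acceptance criteria still lands on Treat and therefore "Take Action".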
Scenario – Threat Profiling
We have had people moving from one department to another and it seems like some of them continue to have their previous access rights both to the network and to the lab area. Consequently, PHI is accessible to more people than required.
Questions
Email: dbs@sisainfosec.com

Editor's Notes

  • #2 Good morning. It’s great to be here and talk about a subject that is highly discussed and is at center stage following the omnibus rule. For the next 50 minutes or so, we are going to be discussing HIPAA Risk Analysis or HIPAA Risk Assessment. Technically speaking, and going by ISO, risk analysis is one of the components of risk assessment, but since the HIPAA Security Rule uses the words “risk analysis” we will be a little liberal in using the words “Risk Analysis” but for all purposes refer to risk assessment. My central objective in this presentation is a step-by-step approach to doing a formal Risk Analysis which meets HIPAA and other compliance requirements. As we have less than an hour, I will have succeeded in my presentation if I am able to drive home the necessity of doing it correctly.
  • #3 My experience with risk assessments started way back in the 90s when I had an information security project to do while working for a Big 4 audit firm in India. It was pretty good, but that was because we did it quite well following an already designed template. Of course, later I went on to study formal risk assessments in depth at the CERT Coordination Center in Pittsburgh, and there was an ocean of difference between doing a formal risk assessment and a risk assessment done without following any methodology or process. When my company went on to become a PCI QSA when the PCI SSC was founded, I understood that PCI DSS did not have much on formal risk assessment except one small requirement under the 6th milestone (1-6 Priority), and found that my entire team was checking the box because they did not understand it, and our customers did not understand it. I later found out that it’s not just me but the entire community that was doing the same. So I proposed a special interest group under the PCI Council to examine this requirement and give it more teeth. After working for more than one year on the document, we released a guidance document in November 2012, where I was to present on the same. Later I went on to create a course on formal information security risk assessment as I wanted to fix the gap, and also developed a product called SISA Assistant which has Risk Assessment as one of its modules.
  • #4 OCTAVE Overview
  • #6 Risk exposure decreases significantly when an organization knows exactly where PHI resides and how it is handled. A formal Risk Analysis examines the risks and controls related to three critical areas: People, Process and Technology.
  • #11 Vulnerability: Vulnerability is defined in NIST Special Publication (SP) 800-30 as “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.” Threat: An adapted definition of threat, from NIST SP 800-30, is “[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.” Risk: The net mission impact considering (1) the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular [vulnerability] and (2) the resulting impact if this should occur . . . . [R]isks arise from legal liability or mission loss due to: 1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information; 2. Unintentional errors and omissions; 3. IT disruptions due to natural or man-made disasters; 4. Failure to exercise due care and diligence in the implementation and operation of the IT system.