SlideShare a Scribd company logo

Hipaa risk analysis_1.4

Download as PPTX, PDF
SISA Information Security Pvt.Ltd
SISA Information Security Pvt.Ltd

Step by Step Guide for HIPAA RIsk Analysis, Find out your strengthes, Weaknesses, Vulnerabilities and exposures.

Healthcare
1 of 29
© 2013 SISA Information Security Inc. About SISA: SISA Information Security was founded in 2003 and has over 300 customers ranging from healthcare, insurance, banks, hospitality and information technology. SISA is a leader in Risk Analysis and its tool SISA Assistant is widely used for HIPAA compliance. HIPAA Risk Analysis www.sisainfosec.com © 2013 SISA Information Security Inc.
© 2013 SISA Information Security Inc.© 2013 SISA Information Security Inc. Dharshan Shanthamurthy, CISA, CISSP, GWAPT, PCI QSA, OCTAVE Authorized Trainer/Advisor, FCA, ISA, CEH, P2PE QSA, PA QSA • CEO of SISA Information Security Inc • Two decades of information security experience and specialist on formal risk assessment methodologies. • Conducted around 120 workshops in over 13 countries on topics ranging from Risk Assessment, HIPAA, PCI and ISO. • Trained at CERT Coordination Center on Risk Assessment and recognized as authorized trainer/advisor for SEI in 2003. • Author of the Certified Information Security Risk Assessor Program (training dedicated towards formal methodologies) • PCI DSS Special Interest Group Proposer and Lead for Risk Assessment. LinkedIn: http://www.linkedin.com/in/dharshanshanthamurthy
© 2013 SISA Information Security Inc. Agenda • Definition • Background • Current environment • Common Risk Analysis Process • Questions Objective: Step-by-step approach to HIPAA Risk Analysis
© 2013 SISA Information Security Inc. Risk Assessment Risk assessment is the cornerstone of any information security program, and it is the fastest way to gain a complete understanding of an organization's security profile – its strengths and weaknesses, its vulnerabilities and exposures. “IF YOU CAN’T MEASURE IT …YOU CAN’T MANAGE IT!”
© 2013 SISA Information Security Inc. • Formal risk analysis (or risk assessment) - Essential component of HIPAA compliance - Can help organizations identify their most critical exposures vulnerabilities and — more importantly — safeguard overall privacy and security - Forms a basis for determining how risks should be managed • Add value by ensuring that resources are directed at the areas that are most important to management and governance. Background
© 2013 SISA Information Security Inc. HIPAA and Risk Analysis Administrative Safeguard Security Management Process • “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the covered entity.” • “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a). “
© 2013 SISA Information Security Inc. Risk Analysis: Why is it so critical? • Control optimization: Protect everything or do RISK Analysis to know what need to be protected • Treat helps to prioritize the mitigation process • Be secure, not just compliant: Effective and Efficient control deployment • Was secure yesterday but is it true today? Analyze the effectiveness of existing control on ongoing basis • Helps organization to take right decision at the right time
© 2013 SISA Information Security Inc. Current Environment • 80% of the organizations don’t have a consistent manner in assessing risk. • 4/5 of the organizations have no formal risk appetite defined. • 47/49 providers, 20/35 health plans and 2/7 of clearing houses did not have basic formal risk assessment Source: NIST-OCR 2013 Source: 2013 KPMG Survey
© 2013 SISA Information Security Inc. Common misconceptions • Vulnerability Assessment = Risk Analysis • Risk Analysis = Audit • Risk Analysis does not require any specific skill • Risk Analysis is black or white. • We already know the risk so why conduct formal Risk Analysis? • Risk Analysis has no business value and is required only for compliance purposes just before the audit • Risk Analysis does not require formal approach. Let me devise my own.
© 2013 SISA Information Security Inc. Common Risk Analysis Flow Risk Treatment Risk Analysis: Risk Identification Risk Analysis: Risk Estimation and Evaluation General Description of ISRA SISA Assistant Risk Profiling Threat Vulnerabilities Scope Asset Results Documentation Risk Treatment Plan
© 2013 SISA Information Security Inc. 1. General Description of ISRA • Basic Criteria • Scope and Boundaries • Organization for ISRM Identify, Describe (quantitatively or qualitatively) and Prioritize Risks Assessed risks prioritized according to Risk Evaluation Criteria. Risk Evaluation Risk Analysis: Risk Identification Risk Analysis: Risk Estimation General Description of ISRA
© 2013 SISA Information Security Inc. 2. Risk Analysis: Risk Identification Identification of Assets Scope and Boundaries Asset owners Asset Location Asset function Assets are defined List of Assets. List of associated business processes. Risk Evaluation Risk Analysis: Risk Estimation Risk Analysis: Risk Identification General Description of ISRA
© 2013 SISA Information Security Inc. 2. Risk Analysis: Risk Identification Identification of Threats Threat Information from • Review of Incidents • Asset Owners • Asset Users, etc. Threats are defined • Threats • Threat source • Threat type Risk Evaluation Risk Analysis: Risk Estimation Risk Analysis: Risk Identification General Description of ISRA
© 2013 SISA Information Security Inc. 2. Risk Analysis: Risk Identification Identification of Existing Controls • Documentation of controls • RTP Existing and planned controls are defined • Existing and planned controls • Implementation status • Usage status Risk Evaluation Risk Analysis: Risk Estimation Risk Analysis: Risk Identification General Description of ISRA
© 2013 SISA Information Security Inc. 2. Risk Analysis: Risk Identification Identification of Vulnerabilities • Identified Assets • Identified Threats • Identified Existing Controls Vulnerabilities are identified • Vulnerabilities related to assets, threats, controls. • Vulnerabilities not related to any threat. Risk Evaluation Risk Analysis: Risk Estimation Risk Analysis: Risk Identification General Description of ISRA
© 2013 SISA Information Security Inc. 2. Risk Analysis: Risk Identification Identification of Consequences • Assets and business processes • Threats and vulnerabilities The impact of the loss of CIA is identified • Incident scenarios with their consequences related to assets and business processes Risk Evaluation Risk Analysis: Risk Estimation Risk Analysis: Risk Identification General Description of ISRA
© 2013 SISA Information Security Inc. 3. Risk Analysis: Risk Estimation Risk Estimation Methodologies (a) Qualitative Estimation: High, Medium, Low (b) Quantitative Estimation: $, hours, etc. Risk Evaluation Risk Analysis: Risk Estimation General Description of ISRA Risk Analysis: Risk Identification
© 2013 SISA Information Security Inc. 3. Risk Analysis: Risk Estimation Assessment of consequences Risk Evaluation Risk Analysis: Risk Estimation General Description of ISRA Risk Analysis: Risk Identification • Assets and business processes • Threats and vulnerabilities • Incident scenarios The business impact from information security incidents is assessed. Assessed consequences of an incident scenario expressed in terms of assets and impact criteria.
© 2013 SISA Information Security Inc. 3. Risk Analysis: Risk Estimation Level of Risk Estimation Risk Evaluation Risk Analysis: Risk Estimation General Description of ISRA Risk Analysis: Risk Identification • Incident scenarios with their consequences • Their likelihood (quantitative or qualitative). Level of risk is estimated for all relevant incident scenarios List of risks with value levels assigned.
© 2013 SISA Information Security Inc. 4. Risk Analysis: Risk Estimation Level of Risk Estimation General Description of ISRA Risk Analysis: Risk Identification • Risks with value levels assigned and risk evaluation criteria. Level of risk is compared against risk evaluation criteria and risk acceptance criteria Risks prioritized according to risk evaluation criteria in relation to the incident scenarios. Risk Evaluation Risk Analysis: Risk Estimation
© 2013 SISA Information Security Inc. Scope Physical Location – building, room, etc. Data Center Business Process Business Division Risk Profiling Threat Vulnerabilities Scope Asset Results Documentation Risk Treatment Plan
© 2013 SISA Information Security Inc. Asset Review  Admin Processes  Clinical Processes  Electronic Health Records System Risk Profiling Vulnerabilities Scope Results Documentation Risk Treatment Plan Threat Asset
© 2013 SISA Information Security Inc. Threat Review smart-ra.com Hacker exploits insecure communication channels Theft /destruction of media or documents Corruption of data CSRF Attack Risk Profiling Vulnerabilities Scope Results Documentation Risk Treatment Plan Asset Threat
© 2013 SISA Information Security Inc. Vulnerability Review Employee Disclosure EPHI is stored unencrypted No quarterly review of firewall rules XSS Vulnerability Risk Profiling Threat Scope Results Documentation Risk Treatment Plan Asset Vulnerabilities
© 2013 SISA Information Security Inc. Risk Profiling Risk Score = f( Asset Value, LHOT, LOV) •Calculated after taking Risk Evaluation and Risk Acceptance Criteria into account Revised Risk Score = Risk Score after •Evaluating Existing Controls •Applying New Controls Vulnerabilities Threat Scope Results Documentation Risk Treatment Plan Asset Risk Profiling
© 2013 SISA Information Security Inc. Risk Treatment Plan Vulnerabilities Threat Scope Results Documentation Risk Profiling Asset Risk Treatment Plan Treat/Tolerate/Terminate/Transfer Take Action if Treat/Transfer  Take Approval if Tolerate/Terminate
© 2013 SISA Information Security Inc. Results Documentation smart-ra.com  Vulnerabilities Threat Scope Risk Profiling Risk Treatment Plan Asset Results Documentation  Document A-T-V Combination with the associated Risk  Calculation of Risk  RTP  Action Taken
© 2013 SISA Information Security Inc. Scenario – Threat Profiling We have had people moving from one department to another and it seems like some of them continue to have their previous access rights both to the network and to the lab area. Consequently PHI is accessible to more people than required.
© 2013 SISA Information Security Inc. Questions Email: dbs@sisainfosec.com About SISA: SISA Information Security was founded in 2003 and has over 300 customers ranging from healthcare, insurance, banks, hospitality and information technology. SISA is a leader in Risk Analysis and its tool SISA Assistant is widely used for HIPAA compliance. Sign up on our website to get a FREE 30 day trial. www.sisainfosec.com LinkedIn: http://www.linkedin.com/in/dharshanshanthamurthy

Recommended

Security-Brochure
Security-BrochureSecurity-Brochure
Security-Brochure
Tyler Carlson
 
Security-Brochure
Security-BrochureSecurity-Brochure
Security-Brochure
Prahlad Reddy
 
Technology leadership driving business innovation
Technology leadership driving business innovationTechnology leadership driving business innovation
Technology leadership driving business innovation
JoAnna Cheshire
 
The Value of Crowd-Sourced Threat Intelligence
The Value of Crowd-Sourced Threat IntelligenceThe Value of Crowd-Sourced Threat Intelligence
The Value of Crowd-Sourced Threat Intelligence
Imperva
 
Connection can help keep your business secure!
Connection can help keep your business secure!Connection can help keep your business secure!
Connection can help keep your business secure!
Heather Salmons Newswanger
 
Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security
Ernest Staats
 
Cloud Storage and Security: Solving Compliance Challenges
Cloud Storage and Security: Solving Compliance ChallengesCloud Storage and Security: Solving Compliance Challenges
Cloud Storage and Security: Solving Compliance Challenges
Eric Vanderburg
 
The Prescription for Protection - Avoid Treatment Errors To The Malware Problem
The Prescription for Protection - Avoid Treatment Errors To The Malware ProblemThe Prescription for Protection - Avoid Treatment Errors To The Malware Problem
The Prescription for Protection - Avoid Treatment Errors To The Malware Problem
Eric Vanderburg
 

Recommended

Security-Brochure
Security-BrochureSecurity-Brochure
Security-Brochure
Tyler Carlson
 
Security-Brochure
Security-BrochureSecurity-Brochure
Security-Brochure
Prahlad Reddy
 
Technology leadership driving business innovation
Technology leadership driving business innovationTechnology leadership driving business innovation
Technology leadership driving business innovation
JoAnna Cheshire
 
The Value of Crowd-Sourced Threat Intelligence
The Value of Crowd-Sourced Threat IntelligenceThe Value of Crowd-Sourced Threat Intelligence
The Value of Crowd-Sourced Threat Intelligence
Imperva
 
Connection can help keep your business secure!
Connection can help keep your business secure!Connection can help keep your business secure!
Connection can help keep your business secure!
Heather Salmons Newswanger
 
Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security
Ernest Staats
 
Cloud Storage and Security: Solving Compliance Challenges
Cloud Storage and Security: Solving Compliance ChallengesCloud Storage and Security: Solving Compliance Challenges
Cloud Storage and Security: Solving Compliance Challenges
Eric Vanderburg
 
The Prescription for Protection - Avoid Treatment Errors To The Malware Problem
The Prescription for Protection - Avoid Treatment Errors To The Malware ProblemThe Prescription for Protection - Avoid Treatment Errors To The Malware Problem
The Prescription for Protection - Avoid Treatment Errors To The Malware Problem
Eric Vanderburg
 
Supplement To Student Guide Seminar 03 A 3 Nov09
Supplement To Student Guide Seminar 03 A 3 Nov09Supplement To Student Guide Seminar 03 A 3 Nov09
Supplement To Student Guide Seminar 03 A 3 Nov09
Tammy Clark
 
DSP-MSSMDR-DataSheet_Final (1)
DSP-MSSMDR-DataSheet_Final (1)DSP-MSSMDR-DataSheet_Final (1)
DSP-MSSMDR-DataSheet_Final (1)
Jonathan Holman
 
DSP-MSSMDR-DataSheet_Final (1)
DSP-MSSMDR-DataSheet_Final (1)DSP-MSSMDR-DataSheet_Final (1)
DSP-MSSMDR-DataSheet_Final (1)
Spencer Henderson
 
Vendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskVendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the risk
Sarah Clarke
 
Mitigating Risk from Cyber Security Attacks
Mitigating Risk from Cyber Security AttacksMitigating Risk from Cyber Security Attacks
Mitigating Risk from Cyber Security Attacks
Tripwire
 
HIPAA compliance
HIPAA complianceHIPAA compliance
HIPAA compliance
JoAnna Cheshire
 
Information Security Strategic Management
Information Security Strategic ManagementInformation Security Strategic Management
Information Security Strategic Management
Marcelo Martins
 
Ch3 cism 2014
Ch3 cism 2014Ch3 cism 2014
Ch3 cism 2014
Aladdin Dandis
 
Developing a 360° view of risk and compliance
Developing a 360° view of risk and complianceDeveloping a 360° view of risk and compliance
Developing a 360° view of risk and compliance
Inuit AB
 
HITRUST CSF in the Cloud
HITRUST CSF in the CloudHITRUST CSF in the Cloud
HITRUST CSF in the Cloud
OnRamp
 
Ch2 cism 2014
Ch2 cism 2014Ch2 cism 2014
Ch2 cism 2014
Aladdin Dandis
 
Cyber-Risk-Management-Assessment (1)
Cyber-Risk-Management-Assessment (1)Cyber-Risk-Management-Assessment (1)
Cyber-Risk-Management-Assessment (1)
OCTF Industry Engagement
 
Business case for information security program
Business case for information security programBusiness case for information security program
Business case for information security program
William Godwin
 
Cisa 2013 ch0
Cisa 2013 ch0Cisa 2013 ch0
Cisa 2013 ch0
Aladdin Dandis
 
Cisa 2013 ch5
Cisa 2013 ch5Cisa 2013 ch5
Cisa 2013 ch5
Aladdin Dandis
 
HITRUST 101: All the basics you need to know
HITRUST 101: All the basics you need to knowHITRUST 101: All the basics you need to know
HITRUST 101: All the basics you need to know
➲ Stella Bridges
 
Risk assessment
Risk assessmentRisk assessment
Risk assessment
kajal kumari
 
Super CISO 2020: How to Keep Your Job
Super CISO 2020: How to Keep Your JobSuper CISO 2020: How to Keep Your Job
Super CISO 2020: How to Keep Your Job
Priyanka Aash
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk Management
Priyanka Aash
 
Understanding HIPAA
Understanding HIPAAUnderstanding HIPAA
Understanding HIPAA
Manas Deep
 
New trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & MobileNew trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & Mobile
SISA Information Security Pvt.Ltd
 
HIPAA HiTech Security Assessment
HIPAA HiTech Security AssessmentHIPAA HiTech Security Assessment
HIPAA HiTech Security Assessment
data brackets
 

More Related Content

What's hot

Supplement To Student Guide Seminar 03 A 3 Nov09
Supplement To Student Guide Seminar 03 A 3 Nov09Supplement To Student Guide Seminar 03 A 3 Nov09
Supplement To Student Guide Seminar 03 A 3 Nov09
Tammy Clark
 
DSP-MSSMDR-DataSheet_Final (1)
DSP-MSSMDR-DataSheet_Final (1)DSP-MSSMDR-DataSheet_Final (1)
DSP-MSSMDR-DataSheet_Final (1)
Jonathan Holman
 
DSP-MSSMDR-DataSheet_Final (1)
DSP-MSSMDR-DataSheet_Final (1)DSP-MSSMDR-DataSheet_Final (1)
DSP-MSSMDR-DataSheet_Final (1)
Spencer Henderson
 
Vendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskVendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the risk
Sarah Clarke
 
Mitigating Risk from Cyber Security Attacks
Mitigating Risk from Cyber Security AttacksMitigating Risk from Cyber Security Attacks
Mitigating Risk from Cyber Security Attacks
Tripwire
 
HIPAA compliance
HIPAA complianceHIPAA compliance
HIPAA compliance
JoAnna Cheshire
 
Information Security Strategic Management
Information Security Strategic ManagementInformation Security Strategic Management
Information Security Strategic Management
Marcelo Martins
 
Ch3 cism 2014
Ch3 cism 2014Ch3 cism 2014
Ch3 cism 2014
Aladdin Dandis
 
Developing a 360° view of risk and compliance
Developing a 360° view of risk and complianceDeveloping a 360° view of risk and compliance
Developing a 360° view of risk and compliance
Inuit AB
 
HITRUST CSF in the Cloud
HITRUST CSF in the CloudHITRUST CSF in the Cloud
HITRUST CSF in the Cloud
OnRamp
 
Ch2 cism 2014
Ch2 cism 2014Ch2 cism 2014
Ch2 cism 2014
Aladdin Dandis
 
Cyber-Risk-Management-Assessment (1)
Cyber-Risk-Management-Assessment (1)Cyber-Risk-Management-Assessment (1)
Cyber-Risk-Management-Assessment (1)
OCTF Industry Engagement
 
Business case for information security program
Business case for information security programBusiness case for information security program
Business case for information security program
William Godwin
 
Cisa 2013 ch0
Cisa 2013 ch0Cisa 2013 ch0
Cisa 2013 ch0
Aladdin Dandis
 
Cisa 2013 ch5
Cisa 2013 ch5Cisa 2013 ch5
Cisa 2013 ch5
Aladdin Dandis
 
HITRUST 101: All the basics you need to know
HITRUST 101: All the basics you need to knowHITRUST 101: All the basics you need to know
HITRUST 101: All the basics you need to know
➲ Stella Bridges
 
Risk assessment
Risk assessmentRisk assessment
Risk assessment
kajal kumari
 
Super CISO 2020: How to Keep Your Job
Super CISO 2020: How to Keep Your JobSuper CISO 2020: How to Keep Your Job
Super CISO 2020: How to Keep Your Job
Priyanka Aash
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk Management
Priyanka Aash
 

What's hot (19)

Supplement To Student Guide Seminar 03 A 3 Nov09
Supplement To Student Guide Seminar 03 A 3 Nov09Supplement To Student Guide Seminar 03 A 3 Nov09
Supplement To Student Guide Seminar 03 A 3 Nov09
 
DSP-MSSMDR-DataSheet_Final (1)
DSP-MSSMDR-DataSheet_Final (1)DSP-MSSMDR-DataSheet_Final (1)
DSP-MSSMDR-DataSheet_Final (1)
 
DSP-MSSMDR-DataSheet_Final (1)
DSP-MSSMDR-DataSheet_Final (1)DSP-MSSMDR-DataSheet_Final (1)
DSP-MSSMDR-DataSheet_Final (1)
 
Vendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskVendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the risk
 
Mitigating Risk from Cyber Security Attacks
Mitigating Risk from Cyber Security AttacksMitigating Risk from Cyber Security Attacks
Mitigating Risk from Cyber Security Attacks
 
HIPAA compliance
HIPAA complianceHIPAA compliance
HIPAA compliance
 
Information Security Strategic Management
Information Security Strategic ManagementInformation Security Strategic Management
Information Security Strategic Management
 
Ch3 cism 2014
Ch3 cism 2014Ch3 cism 2014
Ch3 cism 2014
 
Developing a 360° view of risk and compliance
Developing a 360° view of risk and complianceDeveloping a 360° view of risk and compliance
Developing a 360° view of risk and compliance
 
HITRUST CSF in the Cloud
HITRUST CSF in the CloudHITRUST CSF in the Cloud
HITRUST CSF in the Cloud
 
Ch2 cism 2014
Ch2 cism 2014Ch2 cism 2014
Ch2 cism 2014
 
Cyber-Risk-Management-Assessment (1)
Cyber-Risk-Management-Assessment (1)Cyber-Risk-Management-Assessment (1)
Cyber-Risk-Management-Assessment (1)
 
Business case for information security program
Business case for information security programBusiness case for information security program
Business case for information security program
 
Cisa 2013 ch0
Cisa 2013 ch0Cisa 2013 ch0
Cisa 2013 ch0
 
Cisa 2013 ch5
Cisa 2013 ch5Cisa 2013 ch5
Cisa 2013 ch5
 
HITRUST 101: All the basics you need to know
HITRUST 101: All the basics you need to knowHITRUST 101: All the basics you need to know
HITRUST 101: All the basics you need to know
 
Risk assessment
Risk assessmentRisk assessment
Risk assessment
 
Super CISO 2020: How to Keep Your Job
Super CISO 2020: How to Keep Your JobSuper CISO 2020: How to Keep Your Job
Super CISO 2020: How to Keep Your Job
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk Management
 

Viewers also liked

Understanding HIPAA
Understanding HIPAAUnderstanding HIPAA
Understanding HIPAA
Manas Deep
 
New trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & MobileNew trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & Mobile
SISA Information Security Pvt.Ltd
 
HIPAA HiTech Security Assessment
HIPAA HiTech Security AssessmentHIPAA HiTech Security Assessment
HIPAA HiTech Security Assessment
data brackets
 
Sujobinterview 090508185333 Phpapp01
Sujobinterview 090508185333 Phpapp01Sujobinterview 090508185333 Phpapp01
Sujobinterview 090508185333 Phpapp01
Wlovelady
 
Hipaa and him security brunelle
Hipaa and him security brunelleHipaa and him security brunelle
Hipaa and him security brunelle
sjbusnpa
 
Skapa värden med kundmötet
Skapa värden med kundmötetSkapa värden med kundmötet
Skapa värden med kundmötet
Martin Moström
 
SISA Collaboration without boundaries
SISA Collaboration without boundariesSISA Collaboration without boundaries
SISA Collaboration without boundaries
Sitra / Hyvinvointi
 
HIPAA security risk assessments
HIPAA security risk assessmentsHIPAA security risk assessments
HIPAA security risk assessments
Jose Ivan Delgado, Ph.D.
 

Viewers also liked (8)

Understanding HIPAA
Understanding HIPAAUnderstanding HIPAA
Understanding HIPAA
 
New trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & MobileNew trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & Mobile
 
HIPAA HiTech Security Assessment
HIPAA HiTech Security AssessmentHIPAA HiTech Security Assessment
HIPAA HiTech Security Assessment
 
Sujobinterview 090508185333 Phpapp01
Sujobinterview 090508185333 Phpapp01Sujobinterview 090508185333 Phpapp01
Sujobinterview 090508185333 Phpapp01
 
Hipaa and him security brunelle
Hipaa and him security brunelleHipaa and him security brunelle
Hipaa and him security brunelle
 
Skapa värden med kundmötet
Skapa värden med kundmötetSkapa värden med kundmötet
Skapa värden med kundmötet
 
SISA Collaboration without boundaries
SISA Collaboration without boundariesSISA Collaboration without boundaries
SISA Collaboration without boundaries
 
HIPAA security risk assessments
HIPAA security risk assessmentsHIPAA security risk assessments
HIPAA security risk assessments
 

Similar to Hipaa risk analysis_1.4

Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessment
.AIR UNIVERSITY ISLAMABAD
 
CISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk ManagementCISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk Management
Karthikeyan Dhayalan
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
Stephen Cobb
 
Information Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptxInformation Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptx
Abraraw Zerfu
 
Risk Management (1) (1).ppt
Risk Management (1) (1).pptRisk Management (1) (1).ppt
Risk Management (1) (1).ppt
AjjuSingh2
 
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksC-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
Aronson LLC
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
Yaser Alrefai
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
yaseraljohani
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect Match
McKonly & Asbury, LLP
 
Why Your Organization Should Leverage Data Science for Risk Intelligence and ...
Why Your Organization Should Leverage Data Science for Risk Intelligence and ...Why Your Organization Should Leverage Data Science for Risk Intelligence and ...
Why Your Organization Should Leverage Data Science for Risk Intelligence and ...
Resolver Inc.
 
Safeguarding Health Information through HIPA.pptx
Safeguarding Health Information through HIPA.pptxSafeguarding Health Information through HIPA.pptx
Safeguarding Health Information through HIPA.pptx
ibrahimsukari2
 
Seccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
Seccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyySeccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
Seccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
chaudhryzunair4
 
Cyber Security # Lec 3
Cyber Security # Lec 3 Cyber Security # Lec 3
Cyber Security # Lec 3
Kabul Education University
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
360 BSI
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
Sam Bowne
 
Elements of security risk assessment and risk management
Elements of security risk assessment and risk managementElements of security risk assessment and risk management
Elements of security risk assessment and risk management
healthpoint
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
Sam Bowne
 
crisc_wk_3.pptx
crisc_wk_3.pptxcrisc_wk_3.pptx
crisc_wk_3.pptx
dotco
 
Isms
IsmsIsms
Isms
penetration Tester
 
isms-presentation.ppt
isms-presentation.pptisms-presentation.ppt
isms-presentation.ppt
HasnolAhmad2
 

Similar to Hipaa risk analysis_1.4 (20)

Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessment
 
CISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk ManagementCISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk Management
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
 
Information Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptxInformation Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptx
 
Risk Management (1) (1).ppt
Risk Management (1) (1).pptRisk Management (1) (1).ppt
Risk Management (1) (1).ppt
 
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksC-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect Match
 
Why Your Organization Should Leverage Data Science for Risk Intelligence and ...
Why Your Organization Should Leverage Data Science for Risk Intelligence and ...Why Your Organization Should Leverage Data Science for Risk Intelligence and ...
Why Your Organization Should Leverage Data Science for Risk Intelligence and ...
 
Safeguarding Health Information through HIPA.pptx
Safeguarding Health Information through HIPA.pptxSafeguarding Health Information through HIPA.pptx
Safeguarding Health Information through HIPA.pptx
 
Seccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
Seccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyySeccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
Seccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
 
Cyber Security # Lec 3
Cyber Security # Lec 3 Cyber Security # Lec 3
Cyber Security # Lec 3
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
 
Elements of security risk assessment and risk management
Elements of security risk assessment and risk managementElements of security risk assessment and risk management
Elements of security risk assessment and risk management
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
 
crisc_wk_3.pptx
crisc_wk_3.pptxcrisc_wk_3.pptx
crisc_wk_3.pptx
 
Isms
IsmsIsms
Isms
 
isms-presentation.ppt
isms-presentation.pptisms-presentation.ppt
isms-presentation.ppt
 

Recently uploaded

PPT on Embryological and fetal development
PPT on Embryological and fetal developmentPPT on Embryological and fetal development
PPT on Embryological and fetal development
smileysharma63
 
Bathinda ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 7742996321 ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 Bathinda
Bathinda ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 7742996321 ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 BathindaBathinda ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 7742996321 ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 Bathinda
Bathinda ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 7742996321 ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 Bathinda
varun0kumar00
 
Discover the Perfect Way to Relax - Malayali Kerala Spa Ajman
Discover the Perfect Way to Relax - Malayali Kerala Spa AjmanDiscover the Perfect Way to Relax - Malayali Kerala Spa Ajman
Discover the Perfect Way to Relax - Malayali Kerala Spa Ajman
Malayali Kerala Spa Ajman
 
Luxury Massage Experience at Affordable Rate - Malayali Kerala Spa Ajman
Luxury Massage Experience at Affordable Rate - Malayali Kerala Spa AjmanLuxury Massage Experience at Affordable Rate - Malayali Kerala Spa Ajman
Luxury Massage Experience at Affordable Rate - Malayali Kerala Spa Ajman
Malayali Kerala Spa Ajman
 
𝔹hopal Call Girls 7023059433 High Profile Independent Escorts 𝔹hopal
𝔹hopal Call Girls 7023059433 High Profile Independent Escorts 𝔹hopal𝔹hopal Call Girls 7023059433 High Profile Independent Escorts 𝔹hopal
𝔹hopal Call Girls 7023059433 High Profile Independent Escorts 𝔹hopal
garge6804
 
2024 Media Preferences of Older Adults: Consumer Survey and Marketing Implica...
2024 Media Preferences of Older Adults: Consumer Survey and Marketing Implica...2024 Media Preferences of Older Adults: Consumer Survey and Marketing Implica...
2024 Media Preferences of Older Adults: Consumer Survey and Marketing Implica...
Media Logic
 
Digital Health in India_Health Informatics Trained Manpower _DrDevTaneja_15.0...
Digital Health in India_Health Informatics Trained Manpower _DrDevTaneja_15.0...Digital Health in India_Health Informatics Trained Manpower _DrDevTaneja_15.0...
Digital Health in India_Health Informatics Trained Manpower _DrDevTaneja_15.0...
DrDevTaneja1
 
GORDON'S 11 FUNCTIONAL PATTERN-Health Assessment.pptx
GORDON'S 11 FUNCTIONAL PATTERN-Health Assessment.pptxGORDON'S 11 FUNCTIONAL PATTERN-Health Assessment.pptx
GORDON'S 11 FUNCTIONAL PATTERN-Health Assessment.pptx
Rommel Luis III Israel
 
Simple Steps to Make Her Choose You Every Day
Simple Steps to Make Her Choose You Every DaySimple Steps to Make Her Choose You Every Day
Simple Steps to Make Her Choose You Every Day
Lucas Smith
 
Test bank advanced health assessment and differential diagnosis essentials fo...
Test bank advanced health assessment and differential diagnosis essentials fo...Test bank advanced health assessment and differential diagnosis essentials fo...
Test bank advanced health assessment and differential diagnosis essentials fo...
rightmanforbloodline
 
Health Tech Market Intelligence Prelim Questions -
Health Tech Market Intelligence Prelim Questions -Health Tech Market Intelligence Prelim Questions -
Health Tech Market Intelligence Prelim Questions -
Gokul Rangarajan
 
COLD CREAM AND VANISHING CREAM, IP-I, PCI
COLD CREAM AND VANISHING CREAM, IP-I, PCICOLD CREAM AND VANISHING CREAM, IP-I, PCI
COLD CREAM AND VANISHING CREAM, IP-I, PCI
ssuser555edf
 
ASSESSMENT OF THE EYE (2)-Health Assessment.pptx
ASSESSMENT OF THE EYE (2)-Health Assessment.pptxASSESSMENT OF THE EYE (2)-Health Assessment.pptx
ASSESSMENT OF THE EYE (2)-Health Assessment.pptx
Rommel Luis III Israel
 
PRESSURE INJURY CARE AND MANAGEMENT FOR HCW
PRESSURE INJURY CARE AND MANAGEMENT FOR HCWPRESSURE INJURY CARE AND MANAGEMENT FOR HCW
PRESSURE INJURY CARE AND MANAGEMENT FOR HCW
dnee1
 
Linga Mudra(Mark of Siva) generates excessive heat within the body
Linga Mudra(Mark of Siva) generates excessive heat within the bodyLinga Mudra(Mark of Siva) generates excessive heat within the body
Linga Mudra(Mark of Siva) generates excessive heat within the body
Karuna Yoga Vidya Peetham
 
Test bank calculating drug dosages a patient safe approach to nursing and mat...
Test bank calculating drug dosages a patient safe approach to nursing and mat...Test bank calculating drug dosages a patient safe approach to nursing and mat...
Test bank calculating drug dosages a patient safe approach to nursing and mat...
rightmanforbloodline
 
Call Girls Goa 7023059433 Celebrity Escorts Service in Goa
Call Girls Goa 7023059433 Celebrity Escorts Service in GoaCall Girls Goa 7023059433 Celebrity Escorts Service in Goa
Call Girls Goa 7023059433 Celebrity Escorts Service in Goa
rajni kaurn06
 
Exosome Therapy’s Regenerative Effects on Skin and Hair Rejuvenation
Exosome Therapy’s Regenerative Effects on Skin and Hair RejuvenationExosome Therapy’s Regenerative Effects on Skin and Hair Rejuvenation
Exosome Therapy’s Regenerative Effects on Skin and Hair Rejuvenation
Advancexo
 
Unlimited Short Call Girls Thane ✅ 9833325238 FULL CASH PAYMENT
Unlimited Short Call Girls Thane ✅ 9833325238 FULL CASH PAYMENTUnlimited Short Call Girls Thane ✅ 9833325238 FULL CASH PAYMENT
Unlimited Short Call Girls Thane ✅ 9833325238 FULL CASH PAYMENT
rajesh344555
 
Call Girls Kolkata 8824825030 Top Class Kolkata Escorts Available
Call Girls Kolkata 8824825030 Top Class Kolkata Escorts AvailableCall Girls Kolkata 8824825030 Top Class Kolkata Escorts Available
Call Girls Kolkata 8824825030 Top Class Kolkata Escorts Available
kmiss 1062#v08
 

Recently uploaded (20)

PPT on Embryological and fetal development
PPT on Embryological and fetal developmentPPT on Embryological and fetal development
PPT on Embryological and fetal development
 
Bathinda ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 7742996321 ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 Bathinda
Bathinda ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 7742996321 ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 BathindaBathinda ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 7742996321 ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 Bathinda
Bathinda ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 7742996321 ℂ𝕒𝕝𝕝 𝔾𝕚𝕣𝕝𝕤 Bathinda
 
Discover the Perfect Way to Relax - Malayali Kerala Spa Ajman
Discover the Perfect Way to Relax - Malayali Kerala Spa AjmanDiscover the Perfect Way to Relax - Malayali Kerala Spa Ajman
Discover the Perfect Way to Relax - Malayali Kerala Spa Ajman
 
Luxury Massage Experience at Affordable Rate - Malayali Kerala Spa Ajman
Luxury Massage Experience at Affordable Rate - Malayali Kerala Spa AjmanLuxury Massage Experience at Affordable Rate - Malayali Kerala Spa Ajman
Luxury Massage Experience at Affordable Rate - Malayali Kerala Spa Ajman
 
𝔹hopal Call Girls 7023059433 High Profile Independent Escorts 𝔹hopal
𝔹hopal Call Girls 7023059433 High Profile Independent Escorts 𝔹hopal𝔹hopal Call Girls 7023059433 High Profile Independent Escorts 𝔹hopal
𝔹hopal Call Girls 7023059433 High Profile Independent Escorts 𝔹hopal
 
2024 Media Preferences of Older Adults: Consumer Survey and Marketing Implica...
2024 Media Preferences of Older Adults: Consumer Survey and Marketing Implica...2024 Media Preferences of Older Adults: Consumer Survey and Marketing Implica...
2024 Media Preferences of Older Adults: Consumer Survey and Marketing Implica...
 
Digital Health in India_Health Informatics Trained Manpower _DrDevTaneja_15.0...
Digital Health in India_Health Informatics Trained Manpower _DrDevTaneja_15.0...Digital Health in India_Health Informatics Trained Manpower _DrDevTaneja_15.0...
Digital Health in India_Health Informatics Trained Manpower _DrDevTaneja_15.0...
 
GORDON'S 11 FUNCTIONAL PATTERN-Health Assessment.pptx
GORDON'S 11 FUNCTIONAL PATTERN-Health Assessment.pptxGORDON'S 11 FUNCTIONAL PATTERN-Health Assessment.pptx
GORDON'S 11 FUNCTIONAL PATTERN-Health Assessment.pptx
 
Simple Steps to Make Her Choose You Every Day
Simple Steps to Make Her Choose You Every DaySimple Steps to Make Her Choose You Every Day
Simple Steps to Make Her Choose You Every Day
 
Test bank advanced health assessment and differential diagnosis essentials fo...
Test bank advanced health assessment and differential diagnosis essentials fo...Test bank advanced health assessment and differential diagnosis essentials fo...
Test bank advanced health assessment and differential diagnosis essentials fo...
 
Health Tech Market Intelligence Prelim Questions -
Health Tech Market Intelligence Prelim Questions -Health Tech Market Intelligence Prelim Questions -
Health Tech Market Intelligence Prelim Questions -
 
COLD CREAM AND VANISHING CREAM, IP-I, PCI
COLD CREAM AND VANISHING CREAM, IP-I, PCICOLD CREAM AND VANISHING CREAM, IP-I, PCI
COLD CREAM AND VANISHING CREAM, IP-I, PCI
 
ASSESSMENT OF THE EYE (2)-Health Assessment.pptx
ASSESSMENT OF THE EYE (2)-Health Assessment.pptxASSESSMENT OF THE EYE (2)-Health Assessment.pptx
ASSESSMENT OF THE EYE (2)-Health Assessment.pptx
 
PRESSURE INJURY CARE AND MANAGEMENT FOR HCW
PRESSURE INJURY CARE AND MANAGEMENT FOR HCWPRESSURE INJURY CARE AND MANAGEMENT FOR HCW
PRESSURE INJURY CARE AND MANAGEMENT FOR HCW
 
Linga Mudra(Mark of Siva) generates excessive heat within the body
Linga Mudra(Mark of Siva) generates excessive heat within the bodyLinga Mudra(Mark of Siva) generates excessive heat within the body
Linga Mudra(Mark of Siva) generates excessive heat within the body
 
Test bank calculating drug dosages a patient safe approach to nursing and mat...
Test bank calculating drug dosages a patient safe approach to nursing and mat...Test bank calculating drug dosages a patient safe approach to nursing and mat...
Test bank calculating drug dosages a patient safe approach to nursing and mat...
 
Call Girls Goa 7023059433 Celebrity Escorts Service in Goa
Call Girls Goa 7023059433 Celebrity Escorts Service in GoaCall Girls Goa 7023059433 Celebrity Escorts Service in Goa
Call Girls Goa 7023059433 Celebrity Escorts Service in Goa
 
Exosome Therapy’s Regenerative Effects on Skin and Hair Rejuvenation
Exosome Therapy’s Regenerative Effects on Skin and Hair RejuvenationExosome Therapy’s Regenerative Effects on Skin and Hair Rejuvenation
Exosome Therapy’s Regenerative Effects on Skin and Hair Rejuvenation
 
Unlimited Short Call Girls Thane ✅ 9833325238 FULL CASH PAYMENT
Unlimited Short Call Girls Thane ✅ 9833325238 FULL CASH PAYMENTUnlimited Short Call Girls Thane ✅ 9833325238 FULL CASH PAYMENT
Unlimited Short Call Girls Thane ✅ 9833325238 FULL CASH PAYMENT
 
Call Girls Kolkata 8824825030 Top Class Kolkata Escorts Available
Call Girls Kolkata 8824825030 Top Class Kolkata Escorts AvailableCall Girls Kolkata 8824825030 Top Class Kolkata Escorts Available
Call Girls Kolkata 8824825030 Top Class Kolkata Escorts Available
 

Hipaa risk analysis_1.4

  • 1. © 2013 SISA Information Security Inc. About SISA: SISA Information Security was founded in 2003 and has over 300 customers ranging from healthcare, insurance, banks, hospitality and information technology. SISA is a leader in Risk Analysis and its tool SISA Assistant is widely used for HIPAA compliance. HIPAA Risk Analysis www.sisainfosec.com © 2013 SISA Information Security Inc.
  • 2. © 2013 SISA Information Security Inc.© 2013 SISA Information Security Inc. Dharshan Shanthamurthy, CISA, CISSP, GWAPT, PCI QSA, OCTAVE Authorized Trainer/Advisor, FCA, ISA, CEH, P2PE QSA, PA QSA • CEO of SISA Information Security Inc • Two decades of information security experience and specialist on formal risk assessment methodologies. • Conducted around 120 workshops in over 13 countries on topics ranging from Risk Assessment, HIPAA, PCI and ISO. • Trained at CERT Coordination Center on Risk Assessment and recognized as authorized trainer/advisor for SEI in 2003. • Author of the Certified Information Security Risk Assessor Program (training dedicated towards formal methodologies) • PCI DSS Special Interest Group Proposer and Lead for Risk Assessment. LinkedIn: http://www.linkedin.com/in/dharshanshanthamurthy
  • 3. © 2013 SISA Information Security Inc. Agenda • Definition • Background • Current environment • Common Risk Analysis Process • Questions Objective: Step-by-step approach to HIPAA Risk Analysis
  • 4. © 2013 SISA Information Security Inc. Risk Assessment Risk assessment is the cornerstone of any information security program, and it is the fastest way to gain a complete understanding of an organization's security profile – its strengths and weaknesses, its vulnerabilities and exposures. “IF YOU CAN’T MEASURE IT …YOU CAN’T MANAGE IT!”
  • 5. © 2013 SISA Information Security Inc. • Formal risk analysis (or risk assessment) - Essential component of HIPAA compliance - Can help organizations identify their most critical exposures vulnerabilities and — more importantly — safeguard overall privacy and security - Forms a basis for determining how risks should be managed • Add value by ensuring that resources are directed at the areas that are most important to management and governance. Background
  • 6. © 2013 SISA Information Security Inc. HIPAA and Risk Analysis Administrative Safeguard Security Management Process • “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the covered entity.” • “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a). “
  • 7. © 2013 SISA Information Security Inc. Risk Analysis: Why is it so critical? • Control optimization: Protect everything or do RISK Analysis to know what need to be protected • Treat helps to prioritize the mitigation process • Be secure, not just compliant: Effective and Efficient control deployment • Was secure yesterday but is it true today? Analyze the effectiveness of existing control on ongoing basis • Helps organization to take right decision at the right time
  • 8. © 2013 SISA Information Security Inc. Current Environment • 80% of the organizations don’t have a consistent manner in assessing risk. • 4/5 of the organizations have no formal risk appetite defined. • 47/49 providers, 20/35 health plans and 2/7 of clearing houses did not have basic formal risk assessment Source: NIST-OCR 2013 Source: 2013 KPMG Survey
  • 9. © 2013 SISA Information Security Inc. Common misconceptions • Vulnerability Assessment = Risk Analysis • Risk Analysis = Audit • Risk Analysis does not require any specific skill • Risk Analysis is black or white. • We already know the risk so why conduct formal Risk Analysis? • Risk Analysis has no business value and is required only for compliance purposes just before the audit • Risk Analysis does not require formal approach. Let me devise my own.
  • 10. © 2013 SISA Information Security Inc. Common Risk Analysis Flow Risk Treatment Risk Analysis: Risk Identification Risk Analysis: Risk Estimation and Evaluation General Description of ISRA SISA Assistant Risk Profiling Threat Vulnerabilities Scope Asset Results Documentation Risk Treatment Plan
  • 11. © 2013 SISA Information Security Inc. 1. General Description of ISRA • Basic Criteria • Scope and Boundaries • Organization for ISRM Identify, Describe (quantitatively or qualitatively) and Prioritize Risks Assessed risks prioritized according to Risk Evaluation Criteria. Risk Evaluation Risk Analysis: Risk Identification Risk Analysis: Risk Estimation General Description of ISRA
  • 12. © 2013 SISA Information Security Inc. 2. Risk Analysis: Risk Identification Identification of Assets Scope and Boundaries Asset owners Asset Location Asset function Assets are defined List of Assets. List of associated business processes. Risk Evaluation Risk Analysis: Risk Estimation Risk Analysis: Risk Identification General Description of ISRA
  • 13. © 2013 SISA Information Security Inc. 2. Risk Analysis: Risk Identification Identification of Threats Threat Information from • Review of Incidents • Asset Owners • Asset Users, etc. Threats are defined • Threats • Threat source • Threat type Risk Evaluation Risk Analysis: Risk Estimation Risk Analysis: Risk Identification General Description of ISRA
  • 14. © 2013 SISA Information Security Inc. 2. Risk Analysis: Risk Identification Identification of Existing Controls • Documentation of controls • RTP Existing and planned controls are defined • Existing and planned controls • Implementation status • Usage status Risk Evaluation Risk Analysis: Risk Estimation Risk Analysis: Risk Identification General Description of ISRA
  • 15. © 2013 SISA Information Security Inc. 2. Risk Analysis: Risk Identification Identification of Vulnerabilities • Identified Assets • Identified Threats • Identified Existing Controls Vulnerabilities are identified • Vulnerabilities related to assets, threats, controls. • Vulnerabilities not related to any threat. Risk Evaluation Risk Analysis: Risk Estimation Risk Analysis: Risk Identification General Description of ISRA
  • 16. © 2013 SISA Information Security Inc. 2. Risk Analysis: Risk Identification Identification of Consequences • Assets and business processes • Threats and vulnerabilities The impact of the loss of CIA is identified • Incident scenarios with their consequences related to assets and business processes Risk Evaluation Risk Analysis: Risk Estimation Risk Analysis: Risk Identification General Description of ISRA
  • 17. © 2013 SISA Information Security Inc. 3. Risk Analysis: Risk Estimation Risk Estimation Methodologies (a) Qualitative Estimation: High, Medium, Low (b) Quantitative Estimation: $, hours, etc. Risk Evaluation Risk Analysis: Risk Estimation General Description of ISRA Risk Analysis: Risk Identification
  • 18. © 2013 SISA Information Security Inc. 3. Risk Analysis: Risk Estimation Assessment of consequences Risk Evaluation Risk Analysis: Risk Estimation General Description of ISRA Risk Analysis: Risk Identification • Assets and business processes • Threats and vulnerabilities • Incident scenarios The business impact from information security incidents is assessed. Assessed consequences of an incident scenario expressed in terms of assets and impact criteria.
  • 19. © 2013 SISA Information Security Inc. 3. Risk Analysis: Risk Estimation Level of Risk Estimation Risk Evaluation Risk Analysis: Risk Estimation General Description of ISRA Risk Analysis: Risk Identification • Incident scenarios with their consequences • Their likelihood (quantitative or qualitative). Level of risk is estimated for all relevant incident scenarios List of risks with value levels assigned.
  • 20. © 2013 SISA Information Security Inc. 4. Risk Analysis: Risk Estimation Level of Risk Estimation General Description of ISRA Risk Analysis: Risk Identification • Risks with value levels assigned and risk evaluation criteria. Level of risk is compared against risk evaluation criteria and risk acceptance criteria Risks prioritized according to risk evaluation criteria in relation to the incident scenarios. Risk Evaluation Risk Analysis: Risk Estimation
  • 21. © 2013 SISA Information Security Inc. Scope Physical Location – building, room, etc. Data Center Business Process Business Division Risk Profiling Threat Vulnerabilities Scope Asset Results Documentation Risk Treatment Plan
  • 22. © 2013 SISA Information Security Inc. Asset Review  Admin Processes  Clinical Processes  Electronic Health Records System Risk Profiling Vulnerabilities Scope Results Documentation Risk Treatment Plan Threat Asset
  • 23. © 2013 SISA Information Security Inc. Threat Review smart-ra.com Hacker exploits insecure communication channels Theft /destruction of media or documents Corruption of data CSRF Attack Risk Profiling Vulnerabilities Scope Results Documentation Risk Treatment Plan Asset Threat
  • 24. © 2013 SISA Information Security Inc. Vulnerability Review Employee Disclosure EPHI is stored unencrypted No quarterly review of firewall rules XSS Vulnerability Risk Profiling Threat Scope Results Documentation Risk Treatment Plan Asset Vulnerabilities
  • 25. © 2013 SISA Information Security Inc. Risk Profiling Risk Score = f( Asset Value, LHOT, LOV) •Calculated after taking Risk Evaluation and Risk Acceptance Criteria into account Revised Risk Score = Risk Score after •Evaluating Existing Controls •Applying New Controls Vulnerabilities Threat Scope Results Documentation Risk Treatment Plan Asset Risk Profiling
  • 26. © 2013 SISA Information Security Inc. Risk Treatment Plan Vulnerabilities Threat Scope Results Documentation Risk Profiling Asset Risk Treatment Plan Treat/Tolerate/Terminate/Transfer Take Action if Treat/Transfer  Take Approval if Tolerate/Terminate
  • 27. © 2013 SISA Information Security Inc. Results Documentation smart-ra.com  Vulnerabilities Threat Scope Risk Profiling Risk Treatment Plan Asset Results Documentation  Document A-T-V Combination with the associated Risk  Calculation of Risk  RTP  Action Taken
  • 28. © 2013 SISA Information Security Inc. Scenario – Threat Profiling We have had people moving from one department to another and it seems like some of them continue to have their previous access rights both to the network and to the lab area. Consequently PHI is accessible to more people than required.
  • 29. © 2013 SISA Information Security Inc. Questions Email: dbs@sisainfosec.com About SISA: SISA Information Security was founded in 2003 and has over 300 customers ranging from healthcare, insurance, banks, hospitality and information technology. SISA is a leader in Risk Analysis and its tool SISA Assistant is widely used for HIPAA compliance. Sign up on our website to get a FREE 30 day trial. www.sisainfosec.com LinkedIn: http://www.linkedin.com/in/dharshanshanthamurthy

Editor's Notes

  1. Good morning. Its great to be here and talk about a subject that is highly discussed and is at the center stage of discussion following the omnibus rule. For the new 50 minutes or so, we are going to be discussing on HIPAA Risk Analysis or HIPAA Risk Assessment. Technically speaking and going by ISO risk analysis is one of the components of Risk Assessment but since HIPAA Security Rule uses the word risk analysis we be a little liberal in using the word Risk Analysis but for all purposes refer to risk assessment. My central objective of this presentation is a step by step approach to doing a formal Risk Analysis which meets HIPAA and other compliance requirements. As we have less then a hour I would have succeeded in my presentation if I am able to drive home the necessity of doing it correctly.
  2. My experience with risk assessments started way back in 90’s when I had an information security project to be done when I was working for a Big 4 audit firms in India. It was pretty good but because we did that quite well following a already designed template. Off course later I went onto study formal risk assessments in depth in CERT Coordination Center in Pittsburgh and there was ocean of a difference when we do a formal risk assessment and a risk assessment which is done not following any methodology or process. When my company went on to become a PCI QSA when PCI SSC was founded, I understood that PCI DSS did not have much on formal risk assessment except that they had one small requirement under 6th milestone (1-6 Priority) and found that my entire team was checking the box because they did not understand it, our customers did not understand it. I later found out that its just not me but the entire community that was doing the same. So I proposed a special interest group under the PCI Council to examine this requirement and give it more teeth. So after working for more than one year on the document, we released a guidance document in November 2012 where I was to present on the same. Later I went to create a course on formal information security risk assessment as I wanted to fix the gap and also developed a product called SISA Assistant which has one of the modules as Risk Assessment as well.
  3. OCTAVE Overview
  4. Risk exposure decreases significantly when an organization knows exactly where PHI resides and how it is handled. A formal Risk Analysis examines the risks and controls related to three critical areas: People, Process and Technology.
  5. Vulnerability: Vulnerability is defined in NIST Special Publication (SP) 800-30 as “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.” Threat: An adapted definition of threat, from NIST SP 800-30, is “[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.” Risk: The net mission impact considering (1) the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular [vulnerability] and (2) the resulting impact if this should occur . . . . [R]isks arise from legal liability or mission loss due to— Unauthorized (malicious or accidental) disclosure, modification, or destruction of information 2. Unintentional errors and omissions 3. IT disruptions due to natural or man- made disasters 4. Failure to exercise due care and diligence in the implementation and operation of the IT system.