Date posted: 03-Nov-2014 | Category: Technology
Clearwater HIPAA Risk Analysis™
Software Demonstration
Jon Stone, MPA, PMP | 615-210-9612
© 2012-13 Clearwater Compliance LLC | All Rights Reserved
Your Presenter: Jon Stone, MPA, PMP
• 25+ years in Healthcare in the provider, payer and healthcare quality improvement fields
• Innovator | Strategic Program Manager | Consultant | Executive
• 15+ years of strategic leadership for compliance and Healthcare information technology projects involving the most sensitive ePHI for companies such as CIGNA, Healthways and Ingenix.
• PMP, MPA - Healthcare Policy and Administration
Passion: Driving business, compliance and technology solutions for improving healthcare operations and outcomes
Session Objectives
• Regulatory background
• Product features
• Software walkthrough
• Product benefits
Stage 1 and Stage 2 Meaningful Use require completion of a HIPAA Security Risk Analysis
Completing a formal Security Risk Analysis is required by the HIPAA Security Rule and must follow HHS/OCR guidelines
Security violations can be devastating to an organization’s reputation and finances
You don’t know your risks…
Without the benefit of a HIPAA compliant Risk Analysis approach…
You are probably making privacy and security investments in a vacuum, without facts and data to facilitate informed decision making…
You are at high risk in the face of increasing enforcement actions
State AG Investigations
OCR Investigations
CMS Audits for MU
Without the benefit of a HIPAA compliant Risk Analysis approach…
The threat landscape is constantly changing
Organizations are struggling to identify threats…
Organizations don’t know their vulnerabilities
Are critical systems encrypted?
Are passwords strong enough?
Are we prepared for disaster?
Are our employees trained?
All this uncertainty means we don’t know our risks…
Regulatory Risks
Financial risks
Legal risks
Risks to our reputations
Risks to operations and care
What do the regulations require?
45 C.F.R. §164.308(a)(8)
Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
45 C.F.R. §164.308(a)(1)
(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Three Dimensions of HIPAA Security Business Risk Management
1. Compliance (45 CFR 164.308(a)(8)): Complete a Security Assessment to Determine Compliance
2. Security (45 CFR 164.308(a)(1)(ii)(A)): Complete a Risk Analysis to Protect Sensitive Info
3. Test & Audit (45 CFR 164.308(a)(8) & OCR Audit Protocol): Perform Network and Penetration Testing for a full Risk Program
The Health and Human Services Office for Civil Rights recommends that, regardless of the risk analysis methodology employed, you include the following key components:
1. Scope of the Analysis - all ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a).)
2. Data Collection - The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)
3. Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
4. Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
5. Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
6. Determine the Level of Risk - The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
7. Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).)
8. Periodic Review and Updates to the Risk Assessment - The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)
Guidance on Risk Analysis Requirements under the HIPAA Security Rule (Final)
• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments (draft)
• NIST SP800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39, Managing Information Security Risk
• NIST SP800-53A, Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
• NIST SP800-53 Revision 3 (Final), Recommended Security Controls for Federal Information Systems and Organizations
Risk Analysis Myths¹
HIPAA Security Risk Analysis Myths and Facts

Myth: The security risk analysis is optional for small providers.
Fact: False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

Myth: Simply installing a certified EHR fulfills the security risk analysis MU requirement.
Fact: False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

Myth: My EHR vendor took care of everything I need to do about privacy and security.
Fact: False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

Myth: I have to outsource the security risk analysis.
Fact: False. It is possible for small practices to do risk analysis themselves using self-help tools such as the U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology’s (ONC) risk analysis tool. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.

¹ ONC Guide to Privacy and Security of Health Information
Risk Analysis Myths
HIPAA Security Risk Analysis Myths and Facts

Myth: A checklist will suffice for the risk analysis requirement.
Fact: False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.

Myth: There is a specific risk analysis method that I must follow.
Fact: False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.

Myth: My security risk analysis only needs to look at my EHR.
Fact: False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data. Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.

Myth: I only need to do a risk analysis once.
Fact: False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. For more on reassessing your security practices, please see http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__privacy___security_frame-work/1173
Risk Analysis Myths
HIPAA Security Risk Analysis Myths and Facts

Myth: Before I attest for an EHR incentive program, I must fully mitigate all risks.
Fact: False. The EHR incentive program requires addressing any deficiencies identified during the risk analysis during the reporting period.

Myth: Each year, I’ll have to completely redo my security risk analysis.
Fact: False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks.
What A Risk Analysis Is Not
• A network vulnerability scan
• A penetration test
• A configuration audit
• A network diagram review
• An information system activity review
• A questionnaire
Risk Analysis Is…
…the process of identifying, prioritizing, and estimating risks to organizational operations… resulting from the operation of an information system…
• Part of risk management; incorporates threat and vulnerability analyses,
• Considers mitigations provided by security controls planned or in place.¹
¹ NIST SP800-30

Clearwater HIPAA Risk Analysis™ Capabilities
The Risk Analysis Dilemma

Assets and Media: Backup Media, Desktop, Disk Array, Electronic Medical Device, Laptop, Pager, Server, Smartphone, Storage Area Network, Tablet, Third-party service provider, Etcetera…

NIST SP 800-53 Controls:
PS-6 a The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
PS-6 b The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
AC-19 a The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices.
AC-19 b The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.
AC-19 d The organization enforces requirements for the connection of mobile devices to organizational information systems.
AC-19 e The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.
AC-19 f The organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
Etcetera… (569)

Vulnerabilities: Anti-malware Vulnerabilities, Destruction/Disposal Vulnerabilities, Dormant Accounts, Endpoint Leakage Vulnerabilities, Excessive User Permissions, Insecure Network Configuration, Insecure Software Development Processes, Insufficient Application Capacity, Insufficient data backup, Insufficient data validation, Insufficient equipment redundancy, Insufficient equipment shielding, Insufficient fire protection, Insufficient HVAC capability, Insufficient power capacity, Insufficient power shielding, Etcetera…

Threat Actions: Burglary/Theft, Corruption or destruction of important data, Data Leakage, Data Loss, Denial of Service, Destruction of important data, Electrical damage to equipment, Fire damage to equipment, Information leakage, Etcetera…

Threat Agents: Burglar/Thief, Electrical Incident, Entropy, Fire, Flood, Inclement weather, Malware, Network Connectivity Outage, Power Outage/Interruption, Etcetera…

Approximately 170,000,000 Permutations
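The OCR steps earlier in the deck (likelihood, impact, risk level, documentation) and the asset, control, vulnerability and threat enumeration on the slide above are easier to see as a small risk register. The block below is an added example written for this page; it is not Clearwater's Risk Algorithm™ and not an HHS, OCR or NIST tool. Its 1-5 scale, the product-based High/Medium/Low banding, the `control_credit` reduction for safeguards already in place, and every asset and scenario listed are constructed assumptions for illustration only.

```python
"""Illustrative HIPAA risk-analysis register (example added for this page).

Walks the OCR guidance steps in order: scope, threat/vulnerability
identification, likelihood, impact, risk level, documentation. The 1-5
scale, the product-based banding, the control credit and the sample data
are assumptions; this is not Clearwater's Risk Algorithm nor an HHS, OCR
or NIST tool.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str               # "Laptop", "Server", ... as in the slide's asset/media list
    holds_ephi: bool        # step 1: only assets holding ePHI are in scope (45 CFR 164.306(a))
    controls: frozenset     # identifiers of safeguards already in place


@dataclass(frozen=True)
class Scenario:
    agent: str              # threat agent, e.g. "Burglar/Thief"
    action: str             # threat action, e.g. "Burglary/Theft"
    vulnerability: str      # weakness the action exploits
    applies_to: frozenset   # asset kinds on which the vulnerability can exist
    mitigating_control: str # control that, when present, lowers likelihood
    likelihood: int         # 1-5 with no mitigating control in place
    impact: int             # 1-5 on confidentiality/integrity/availability


def risk_level(likelihood: int, impact: int) -> tuple[int, str]:
    """Step 6: combine likelihood and impact into a score and a band.
    Assumed scheme: product of two 1-5 values (1..25), thresholds at 6 and 15;
    NIST SP 800-30 uses a qualitative matrix, which this approximates."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    score = likelihood * impact
    band = "High" if score >= 15 else "Medium" if score >= 6 else "Low"
    return score, band


def analyze(assets, scenarios, control_credit: int = 2) -> list[dict]:
    """Steps 1-6: rate every in-scope asset x applicable scenario pair.
    A mitigating control already in place lowers likelihood by control_credit
    (floored at 1): the 'mitigations provided by security controls planned or
    in place' of the SP 800-30 definition."""
    findings = []
    for asset in assets:
        if not asset.holds_ephi:
            continue                      # outside the analysis scope
        for sc in scenarios:
            if asset.kind not in sc.applies_to:
                continue                  # vulnerability cannot exist on this asset kind
            likelihood = sc.likelihood
            if sc.mitigating_control in asset.controls:
                likelihood = max(1, likelihood - control_credit)
            score, band = risk_level(likelihood, sc.impact)
            findings.append({
                "asset": asset.name, "agent": sc.agent, "action": sc.action,
                "vulnerability": sc.vulnerability, "likelihood": likelihood,
                "impact": sc.impact, "score": score, "band": band,
            })
    # highest risk first; the sort is stable, so ties keep asset/scenario order
    return sorted(findings, key=lambda f: -f["score"])


def coverage(assets, scenarios) -> tuple[int, int]:
    """Raw asset x scenario combinations versus the ones that survive scoping
    and applicability: the point of the 'permutations' slide."""
    return len(assets) * len(scenarios), len(analyze(assets, scenarios))


def to_register(findings) -> str:
    """Step 7: one tab-separated line per finding, ready to file and review."""
    header = "asset\tthreat\tvulnerability\tL\tI\tscore\tband"
    rows = [
        f"{f['asset']}\t{f['agent']} / {f['action']}\t{f['vulnerability']}"
        f"\t{f['likelihood']}\t{f['impact']}\t{f['score']}\t{f['band']}"
        for f in findings
    ]
    return "\n".join([header, *rows])


# Constructed sample data for this example; not real assets or findings.
ASSETS = [
    Asset("Clinic laptop 1", "Laptop", True, frozenset({"full-disk-encryption"})),
    Asset("Front-desk laptop", "Laptop", True, frozenset()),
    Asset("EHR database server", "Server", True, frozenset({"nightly-backup"})),
    Asset("Marketing web server", "Server", False, frozenset()),  # no ePHI: out of scope
]
SCENARIOS = [
    Scenario("Burglar/Thief", "Burglary/Theft", "Unencrypted storage on portable device",
             frozenset({"Laptop", "Tablet", "Smartphone"}), "full-disk-encryption", 4, 5),
    Scenario("Malware", "Corruption or destruction of important data",
             "Insufficient data backup", frozenset({"Server", "Disk Array"}),
             "nightly-backup", 4, 5),
    Scenario("Power Outage/Interruption", "Denial of Service",
             "Insufficient power capacity", frozenset({"Server"}), "ups", 3, 3),
]

if __name__ == "__main__":
    print(to_register(analyze(ASSETS, SCENARIOS)))
    print("combinations considered / rated:", coverage(ASSETS, SCENARIOS))
```

With the sample data, the unencrypted front-desk laptop tops the register (likelihood 4, impact 5, High) while the encrypted laptop and the backed-up server drop to Medium; the marketing server never appears because it holds no ePHI. Of the 12 raw asset-scenario combinations only 4 are rated, which is the pruning that scoping and applicability rules do for the much larger real lists on the slide. Step 8 (periodic review) is re-running `analyze` after any change to `ASSETS`, `SCENARIOS` or the controls in place and diffing the registers.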
A Mature Methodology for Risk Management
The Unique Clearwater Risk Algorithm™
Scroll Down To Determine Your Risk Rating
Software Demonstration
Clearwater HIPAA Risk Analysis™ - Benefits
• Provides a “by-the-book” approach to meet HIPAA and Meaningful Use requirements
• Transforms risk management from “arts & crafts” to a mature, repeatable and sustainable process
• Facilitates informed risk management decision making by enabling prioritization and justification of security investments
• Captures a baseline for your current security risk profile and measures progress in treating identified risks
• Becomes a “living, breathing tool” for ongoing HIPAA security risk management
• Empowers your organization to become self-sufficient in meeting the requirement for a periodic risk analysis as defined in the HIPAA Security Rule 45 CFR 164.308(a)(1)(ii)(A)
Need help with resources or expertise?
Questions?
Get more info…
Register For Upcoming Live HIPAA-HITECH Webinars at:
http://abouthipaa.com/webinars/upcoming-live-webinars/
View pre-recorded Webinars like this one at:
http://abouthipaa.com/webinars/on-demand-webinars/