2016 Mega Healthcare Conference
"Navigating the World of Healthcare"
January 20-22, 2016
Kalahari Resort and Convention Center
Page 1 © Wipfli LLP www.wipfli.com/healthcare
HIPAA Risk Management: Leveraging the Benefits of Health Information Trust Alliance (HITRUST)
10:30 a.m. – Noon
Rick Ensenbach, Manager
Healthcare Risk Advisory
Forensics Services Practice
Objectives
• Understand and communicate:
− The difference between risk management, risk
assessment, and risk analysis
− Why risk management is needed
− Who is responsible for risk management
− The different phases of risk management
− How HITRUST Common Security Framework
can be used in risk management
Why Risk Management?
• Regulatory compliance (e.g., HIPAA)
• Reinforcement of organizational security program
and culture
• Insurability (e.g., cyber insurance)
• Reduce/limit the scope and cost of a breach
• Reduce costs and prevent unnecessary spending
• Market differentiator
• Support efforts to attract and retain top talent
Key Business Drivers
• Regulatory compliance
− HIPAA Security Rule
− Meaningful Use - specific to EMR/EHR environment
• Federal audits (e.g., Office for Civil Rights)
• Breach notification
− To determine what is a reportable breach to HHS
− Breach investigations by Fed, State, AG, etc.
Audits/Compliance Reviews
• Office for Civil Rights (OCR) is planning to begin its formal audit
program soon.
− Starting with desktop/remote audits, with on-site audits as needed, usually
prompted by "a need" for further evaluation.
• OCR breach investigations
• CMS Meaningful Use audits (already underway)
• State Attorneys General
OCR Director Samuels:
"We are committed to implementing a 'robust' audit program!"
Regulatory Risk Management Requirements
Actual language from an OCR Initial Data Request – the first step
of a formal audit:
"Please submit a copy of <insert your organization's
name>'s most recent risk analysis, as well as a copy
of all risk analyses performed for or by <insert your
organization's name> within the past 6 years
pursuant to 45 C.F.R. § 164.308(a)(1)(ii)(A). If no risk
analysis has been performed, please state so."
Regulatory Risk Management Requirements
• HIPAA Security Rule
Regular assessments of the potential risks and vulnerabilities to
the confidentiality, availability, and integrity of all ePHI that an
organization creates, receives, maintains, or transmits.
• HITECH/Meaningful Use
Annually conduct/review a security risk analysis to assess
whether the technical, administrative, and physical safeguards
and risk management strategies are sufficient to reduce the
potential risks and vulnerabilities to the confidentiality,
availability, and integrity of ePHI created by or maintained in
the Electronic Health Record system.
OCR Director Samuels: "We expect to see 'comprehensive' risk assessments."
What Is Risk Management?
• Risk Management - The process of managing risks to organizational operations
(including business mission, functions, image, reputation), organizational assets,
individuals, etc. Activities include:
− Risk Assessment
− Risk Analysis
− Risk Mitigation
− Risk Decision (i.e. avoidance, reduction, transference, acceptance)
− Continuous Monitoring
• Compliance Assessment: any activity to determine, directly or indirectly, that
a process, product, or service meets (complies with) a defined requirement (e.g.,
statutory, regulatory, or internal policy).
• Internal Audit: an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations.
*Compliance and Internal Audit are catalysts for improving an organization's risk
management by providing insight and recommendations based on analyses and
assessments of data and business processes.
What Is Risk Management?
Proper risk management can help senior leadership address
the following concerns:
• How do we know we are doing enough?
• How do we know we are not doing/spending more than we
need to?
• Are we any better off than we were before?
• Are we adapting to meet evolving threats?
What Is Risk Management?
• Not a one-time event or an annual
checklist - ongoing
• Not an audit or compliance
• Not IT’s responsibility
• Inclusive of all regulatory and
statutory requirements
• Inclusive of people,
processes, and technology
• Inclusive of industry security
standards (e.g., PCI, JCAHO,
NCQA, CMS, ISO27001, etc.)
• Inclusive of Federal and statutory
requirements
Risk Assessment
What Is Risk Assessment?
Risk Assessment - Process of identifying and
prioritizing risks to the confidentiality, integrity, and
availability of PHI.
• Identification without analysis
• Annual organizational assessment
• Always followed by a risk analysis
Risk Analysis
What Is Risk Analysis?
Risk Analysis - Process of analyzing risks identified to
determine the likelihood of occurrence and impact, then
deciding what controls will be implemented to reduce the risk to
an acceptable level.
• In-depth analysis that takes the following into consideration
to determine mitigation activity and acceptance:
– Criticality
– Impact
– Likelihood/Probability
• Always followed by risk mitigation
Risk Assessment/Analysis
• Types of assessments
− Program assessments (e.g., HITRUST)
− Physical security walk-throughs
− Testing of security controls and processes
− Table top exercises
− Technical assessments
  ◦ Application, network, and wireless security assessments
  ◦ Vulnerability assessment/penetration test
− Social engineering exercises
− Independent assessments or audits
− Business Associate risk assessments
When to Conduct a Risk Assessment/Analysis
• Risk assessments need to be performed for the following
events:
– After a disaster or disruption
– Policy exception process
– To determine whether a security incident is a reportable breach
– Post security incident/breach
– Post audit/assessment
– During the system/application development and acquisition process
– Pre-production rollout
– Pre/Post system/application upgrades or modifications
– Prior to doing business with vendors, business associates, etc.
– When addressing how to mitigate the risk of newly discovered threats and vulnerabilities
– Post merger and acquisition
– Annual security/privacy program assessment (compliance/risk assessment)
Risk Mitigation
What Is Risk Mitigation?
Risk Mitigation – Process of taking steps to reduce the adverse effects of risk
to a level deemed acceptable by senior leadership or a designated representative.
Factors considered:
– Criticality
– Impact/Recovery Time Objectives (i.e. BIA)
– Likelihood/Probability
– Control Selection
– Cost-Benefit Analysis
• Always followed by a risk decision; avoidance, reduction, transference or
acceptance.
Risk Decision
Risk Decisions
Avoidance - This approach eliminates the risk by avoiding the activity
that creates the risk. For example, the risk associated with the use of
wireless technologies can be mitigated by deciding not to use wireless
technologies at all.
Reduction - Risk can be reduced by way of controls that lower the
likelihood or impact of a risk. An example would be encryption of network
traffic to minimize risks that threaten the confidentiality of data.
Transference - Risk can be reduced by shifting it to an outside entity. An
example would be the purchase of insurance.
Acceptance - Choosing to accept the risk by not selecting any of the
recommended approaches.
All decisions must be documented and accepted by the appropriate level of
management or a designated representative who has the proper authority
and responsibility, and can defend the decision.
Continuous Monitoring
What Is Continuous Monitoring?
Continuous Monitoring - process and technology used to
detect and monitor compliance and risk issues associated with
an organization's environment.
• Regardless of the risk decision, there will always be residual
risk.
• Ongoing process utilizing a variety of methods
• Utilization of the risk register
• Adjust risk decisions as needed – obtain approval from
appropriate decision maker
Risk Management – Where to Start
• Create a policy and procedure that describes your program and processes
associated with risk management:
− Purpose
− Roles/Responsibilities
− Identification of standard(s) to be used
− Establishment of Risk Management Council??
− Definition of what risk assessments/analyses are and when they are required
− Documentation and retention requirements
− Definition of risk mitigation, acceptance, and continuous monitoring requirements
• Educate everyone who needs to be involved in the risk management
process
Risk Management - Challenges
• Selecting a process
• Understanding that there will be multiple approaches
• Separating risk management from compliance
• Remaining unbiased
• Understanding who should be accepting risk
• Acceptance of final decision, even if you don’t like it
• Realizing this is a full-time/ongoing process
Risk Management – Ongoing
• Document, document, document . . .
• Revisit decisions and adjust (e.g. Risk Register)
• Continuously monitor implemented controls and adjust when
needed
• Risk Mitigation – presenting recommendations
− Present risks and recommendations to the business in terms and conditions
that they will understand.
− Present more than one option and include initial/ongoing costs, corrective
measures, efforts to implement, etc.
− Be ready to provide details as to how you came up with your
recommendations.
HITRUST
Who Is HITRUST?
• The Health Information Trust Alliance (HITRUST):
− Was founded in 2007, became a nonprofit in 2011
− Is led by a full-time management and development team
− Is governed by an Executive Council comprised of founders and leaders from across
the health care industry
− Maintains the Common Security Framework (CSF)
− Performs education, advocacy, and other outreach activities
− Maintains, educates, and certifies a community of practitioners/assessors
− Provides clarification and interpretation of the CSF to practitioners, assessors, and clients
− Is responsible for reviewing and providing feedback on all assessment reports
− Provides validated reports for all types of assessments
− Is the certification authority
MyCSF Authoritative References
• ISO/IEC 27001:2013
• ISO/IEC 27002:2013
• ISO/IEC 27799:2008
• COBIT 5
• HIPAA
• Omnibus Rule
• NIST SP 800-53
• NIST SP 800-66
• PCI DSS
• 16 CFR Part 681
• FTC Red Flags Rule
• Federal Tax Information
• MARS-E
• FISMA
• 21 CFR Part 11
• JCAHO IM
• CMS ARS
• CAQH CORE
• Texas Medical Records Act 181
• CSA Cloud Controls Matrix
• Texas Admin. Code 390.2
• NRS 603A (State of Nevada)
• NIST Cybersecurity Framework
• 201 CMR 17.00 (State of Mass.)
MyCSF
• Scales according to type, size, and complexity of an implementing
organization
• Provides prescriptive requirements to ensure clarity
• Follows a risk-based approach offering multiple levels of implementation
requirements determined by risks and thresholds (like the HIPAA
regulation, it is not meant to be a yes or no checklist)
• Allows for the adoption of alternate controls when necessary
• While not a substitute, it can be used to help with other security audits or
reviews
• A methodology organizations can use as a common baseline/mechanism
for managing business associates’ compliance with HIPAA
• Can serve a dual role as compliance tool and risk assessment
MyCSF
• Three levels of requirements – Level 1 is
considered baseline level
− Organizational Factors – Defined by size
and complexity of organization (e.g.,
number of covered lives, licensed beds,
visits per year, number of employees)
− System Factors – Defined by system
attributes (e.g., storage, process, or
transmission of PHI, accessibility from
Internet by third party or public)
− Regulatory/Statutory Factors
• Each additional level encompasses the
lower levels and additional requirements
commensurate with increasing levels of risk
MyCSF
• Is updated annually based on:
− New security standards and regulations
− Changes to existing authoritative sources
− Breach data
− Industry feedback, best practices, and lessons learned
• MyCSF is comprised of:
− 14 control categories (13 security and 1 privacy)
− 45 control objectives
− 149 implementation requirements
Assessments can include over 1,000 baseline requirement statements.
MyCSF
Assessment domains:
• Information Protection Program
• Endpoint Protection
• Portable Media Security
• Mobile Device Security
• Wireless Security
• Configuration Management
• Vulnerability Management
• Network Protection
• Transmission Protection
• Password Management
• Access Control
• Audit Logging & Monitoring
• Education, Training & Awareness
• Third-Party Assurance
• Incident Management
• Risk Management
• Physical & Environmental Security
• Data Protection & Privacy
• Business Continuity & Disaster Recovery
Assessment Types
• Self-Assessment (lowest level of assurance)
− Affordable
− Quickly completed
− Stepping stone to validated assessment
− Includes formal report and other related assessment documentation
• Validated Assessment (higher level of assurance)
− Medium or high level of effort, requires on-site testing
− Requires third-party assessor
− Stepping stone to certification
− More costly due to assessor requirement
− Includes formal report and other related assessment documentation
Assessment Types
• Certification (highest level of assurance)
− Requires a validated assessment
− Requires HITRUST approval
− Includes formal report that is good for 2 years
− Includes interim assessment performed at 1-year mark
− Most expensive, requires assessor and an annual subscription to MyCSF
− Includes formal report and other related assessment documentation
Baseline Assessment
• Each baseline assessment question addresses the
following:
− Policy, Process, Implementation, Measured, and Managed
(the last two pertain to metrics)
− Five maturity levels:
  ◦ Non-Compliant (0%)
  ◦ Somewhat Compliant (25%)
  ◦ Partially Compliant (50%)
  ◦ Mostly Compliant (75%)
  ◦ Fully Compliant (100%)
Scope Overview
• The CSF applies to all covered information regardless of type (words,
numbers, pictures, etc.) and transmission method (networks, fax,
post)
• CSF controls are designed to apply to all information systems
regardless of classification or function. This includes:
− All patient care (medical) systems, applications, and devices that store and
process ePHI whether they are standalone systems or connected to the network
− All business systems and applications that store, process, or transmit ePHI to
support billing, customer service, and general administrative operations
− Supporting systems and applications including application software components,
databases, operating systems, interfaces, tools, and servers
− All infrastructure components, such as routers and firewalls, that are connected
to or facilitate the transmission of ePHI to/from the types of systems described
above
Who Can Use the Tool
• Covered Entities
− Biotech Company
− Health Plan/PBM/Insurance
− IT Service Provider/Vendor
− Medical Facility/Hospital
− Pharmacy Company
− Physician Practice
− Third Party Processor
• Business Associates
• HITRUST Assessors
Business Associates Under Pressure
7,500 BAs will be required to obtain HITRUST Certification
within the next 24 months.
A growing number of health care organizations, including
Anthem, Health Care Services Corp., Highmark, Humana, and
UnitedHealth Group, are requiring their business associates to
obtain CSF Certification as a means of demonstrating effective
security and privacy practices aligned with the requirements of
the health industry.
In Closing . . .
• Successful activities that lead to an effective, reliable risk management
program include:
− Identification of assets that create, store, and transmit covered information,
including business machines, personally owned devices, and medical
devices/equipment
− Staying abreast of the threat environment
− Identification of business associates and their exposure to covered information
− Periodic third-party assessments
− Continuous monitoring
− Workforce education and awareness
− Assigned responsibility
− Formal documentation
− Implementation of realistic governance and technical controls
− Senior leadership support
− Recognition that risk management is an ongoing effort, not a one-time task
Contact Information
Rick Ensenbach, CISSP, CISA, CISM, ISSMP, CCSFP
Manager, Health Care Practice
3703 Oakwood Hills Parkway, Eau Claire, WI 54701
952.548.6708
www.wipfli.com/healthcare