2016 Mega Healthcare Conference "Navigating the World of Healthcare" January 20-22, 2016 Kalahari Resort and Convention Center

Page 1 © Wipfli LLP www.wipfli.com/healthcare

HIPAA Risk Management: Leveraging the Benefits of Health Information Trust Alliance (HITRUST)

10:30 a.m. – Noon

Rick Ensenbach, Manager
Healthcare Risk Advisory
Forensics Services Practice

Objectives

• Understand and communicate:
− The difference between risk management, risk assessment, and risk analysis
− Why risk management is needed
− Who is responsible for risk management
− The different phases of risk management
− How the HITRUST Common Security Framework can be used in risk management

Why Risk Management?

• Regulatory compliance (e.g., HIPAA)
• Reinforcement of the organizational security program and culture
• Insurability (e.g., cyber insurance)
• Reduce/limit the scope and cost of a breach
• Reduce costs and prevent unnecessary spending
• Market differentiator
• Support efforts to attract and retain top talent

Key Business Drivers

• Regulatory compliance
− HIPAA Security Rule
− Meaningful Use - specific to the EMR/EHR environment
• Federal audits (e.g., Office for Civil Rights)
• Breach notification
− To determine what is a reportable breach to HHS
− Breach investigations by Federal agencies, States, Attorneys General, etc.

Audits/Compliance Reviews

• The Office for Civil Rights (OCR) is planning to begin its formal audit program soon.
− Starting with desktop/remote audits, with on-site audits as needed, usually prompted by “a need” for further evaluation.
• OCR breach investigations
• CMS Meaningful Use audits (already underway)
• State Attorneys General

OCR Director Samuels: “We are committed to implementing a ‘robust’ audit program!”

Regulatory Risk Management Requirements

Actual language from an OCR Initial Data Request, the first step of a formal audit:

“Please submit a copy of <insert your organization’s name>’s most recent risk analysis, as well as a copy of all risk analyses performed for or by <insert your organization’s name> within the past 6 years pursuant to 45 C.F.R. § 164.308(a)(1)(ii)(A). If no risk analysis has been performed, please state so.”

• HIPAA Security Rule
Regular assessments of the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization creates, receives, maintains, or transmits.

• HITECH/Meaningful Use
Annually conduct/review a security risk analysis to assess whether the technical, administrative, and physical safeguards and risk management strategies are sufficient to reduce the potential risks and vulnerabilities to the confidentiality, availability, and integrity of ePHI created by or maintained in the Electronic Health Record system.

OCR Director Samuels: “We expect to see ‘comprehensive’ risk assessments.”

Risk Management

What Is Risk Management?

• Risk Management - The process of managing risks to organizational operations (including business mission, functions, image, reputation), organizational assets, individuals, etc. Activities include:
− Risk Assessment
− Risk Analysis
− Risk Mitigation
− Risk Decision (i.e., avoidance, reduction, transference, acceptance)
− Continuous Monitoring
• Compliance Assessment: Any activity to determine, directly or indirectly, that a process, product, or service meets (complies with) a defined requirement (i.e., statutory, regulatory, or internal policy).
• Internal Audit: An independent, objective assurance and consulting activity designed to add value and improve an organization's operations.

*Compliance and Internal Audit are catalysts for improving an organization's risk management by providing insight and recommendations based on analyses and assessments of data and business processes.

Proper risk management can help senior leadership address the following concerns:
• How do we know we are doing enough?
• How do we know we are not doing/spending more than we need to?
• Are we any better off than we were before?
• Are we adapting to meet evolving threats?

Risk management is:
• Not a one-time event or an annual checklist - it is ongoing
• Not an audit or compliance exercise
• Not IT’s responsibility
• Inclusive of all regulatory and statutory requirements
• Inclusive of people, processes, and technology
• Inclusive of industry security standards (e.g., PCI, JCAHO, NCQA, CMS, ISO 27001, etc.)
• Inclusive of Federal and statutory requirements

What Is Risk Assessment?

Risk Assessment - Process of identifying and prioritizing risks to the confidentiality, integrity, and availability of PHI.
• Identification without analysis
• Annual organizational assessment
• Always followed by a risk analysis

What Is Risk Analysis?

Risk Analysis - Process of analyzing the risks identified to determine the likelihood of occurrence and impact, then deciding what controls will be implemented to reduce the risk to an acceptable level.
• In-depth analysis that takes the following into consideration to determine mitigation activity and acceptance:
− Criticality
− Impact
− Likelihood/Probability
• Always followed by risk mitigation

Risk Assessment/Analysis

• Types of assessments
− Program assessments (e.g., HITRUST)
− Physical security walk-throughs
− Testing of security controls and processes
− Tabletop exercises
− Technical assessments
    Application, network, and wireless security assessment
    Vulnerability assessment/penetration test
− Social engineering exercises
− Independent assessments or audits
− Business Associate risk assessments

When to Conduct a Risk Assessment/Analysis

• Risk assessments need to be performed for the following events:
− After a disaster or disruption
− Policy exception process
− To determine whether a security incident is a reportable breach
− Post security incident/breach
− Post audit/assessment
− During the system/application development and acquisition process
− Pre-production rollout
− Pre/post system/application upgrades or modifications
− Prior to doing business with vendors, business associates, etc.
− When addressing how to mitigate the risk of newly discovered threats and vulnerabilities
− Post merger and acquisition
− Annual security/privacy program assessment (compliance/risk assessment)

What Is Risk Mitigation?

Risk Mitigation – Process of taking steps to reduce the adverse effects of risk to a level deemed acceptable by senior leadership or a designated representative.
− Criticality
− Impact/Recovery Time Objectives (i.e., BIA)
− Likelihood/Probability
− Control Selection
− Cost-Benefit Analysis
• Always followed by a risk decision: avoidance, reduction, transference, or acceptance.

Risk Decisions

Avoidance - This approach eliminates the risk by avoiding the activity that gives rise to the risk. For example, the risk associated with the use of wireless technologies can be mitigated by deciding not to use wireless technologies at all.

Reduction - Risk can be reduced by way of controls that lower the likelihood or impact of a risk. An example would be encryption of network traffic to minimize risks that threaten the confidentiality of data.

Transference - Risk can be reduced by shifting it to an outside entity. An example would be the purchase of insurance.

Acceptance - Choosing to accept the risk by not selecting any of the recommended approaches.

All decisions must be documented and accepted by the appropriate level of management or a designated representative who has the proper authority and responsibility, and can defend the decision.

What Is Continuous Monitoring?

Continuous Monitoring - Process and technology used to detect and monitor compliance and risk issues associated with an organization's environment.
• Regardless of the risk decision, there will always be residual risk.
• Ongoing process utilizing a variety of methods
• Utilization of the risk register
• Adjust risk decisions as needed – obtain approval from the appropriate decision maker

Risk Management – Where to Start

• Create a policy and procedure that describes your program and the processes associated with risk management:
− Purpose
− Roles/Responsibilities
− Identification of standard(s) to be used
− Establishment of a Risk Management Council?
− Definition of what risk assessments/analyses are and when they are required
− Documentation and retention requirements
− Definition of risk mitigation, acceptance, and continuous monitoring requirements
• Educate everyone who needs to be involved in the risk management process

Risk Management - Challenges

• Selecting a process
• Understanding that there will be multiple approaches
• Separating risk management from compliance
• Remaining unbiased
• Understanding who should be accepting risk
• Acceptance of the final decision, even if you don’t like it
• Realizing this is a full-time/ongoing process

Risk Management – Ongoing

• Document, document, document . . .
• Revisit decisions and adjust (e.g., Risk Register)
• Continuously monitor implemented controls and adjust when needed
• Risk Mitigation – presenting recommendations
− Present risks and recommendations to the business in terms and conditions that they will understand.
− Present more than one option and include initial/ongoing costs, corrective measures, efforts to implement, etc.
− Be ready to provide details as to how you came up with your recommendations.

Who Is HITRUST?

• The Health Information Trust Alliance (HITRUST):
− Was founded in 2007, became a nonprofit in 2011
− Is led by a full-time management and development team
− Is governed by an Executive Council comprised of founders and leaders from across the health care industry
− Maintains the Common Security Framework (CSF)
− Performs education, advocacy, and other outreach activities
− Maintains, educates, and certifies a community of practitioners/assessors
− Provides clarification and interpretation of the CSF to practitioners, assessors, and clients
− Is responsible for reviewing and providing feedback on all assessment reports
− Provides validated reports for all types of assessments
− Is the certification authority

MyCSF Authoritative References

• ISO/IEC 27001:2013
• ISO/IEC 27002:2013
• ISO/IEC 27799:2008
• COBIT 5
• HIPAA
• Omnibus Rule
• NIST SP 800-53
• NIST SP 800-66
• PCI DSS
• 16 CFR Part 681
• FTC Red Flags Rule
• Federal Tax Information
• MARS-E
• FISMA
• 21 CFR Part 11
• JCAHO IM
• CMS ARS
• CAQH CORE
• Texas Medical Records Act 181
• CSA Cloud Controls Matrix
• Texas Admin. Code 390.2
• NRS 603A (State of Nevada)
• NIST Cybersecurity Framework
• 201 CMR 17.00 (State of Mass.)

MyCSF

• Scales according to the type, size, and complexity of the implementing organization
• Provides prescriptive requirements to ensure clarity
• Follows a risk-based approach offering multiple levels of implementation requirements determined by risks and thresholds (like the HIPAA regulation, it is not meant to be a yes or no checklist)
• Allows for the adoption of alternate controls when necessary
• While not a substitute, it can be used to help with other security audits or reviews
• A methodology organizations can use as a common baseline/mechanism for managing business associates’ compliance with HIPAA
• Can serve a dual role as a compliance tool and a risk assessment

• Three levels of requirements – Level 1 is considered the baseline level
− Organizational Factors – Defined by the size and complexity of the organization (e.g., number of covered lives, licensed beds, visits per year, number of employees)
− System Factors – Defined by system attributes (e.g., storage, processing, or transmission of PHI; accessibility from the Internet by a third party or the public)
− Regulatory/Statutory Factors
• Each additional level encompasses the lower levels plus additional requirements commensurate with increasing levels of risk

• Is updated annually based on:
− New security standards and regulations
− Changes to existing authoritative sources
− Breach data
− Industry feedback, best practices, and lessons learned
• MyCSF comprises:
− 14 control categories (13 security and 1 privacy)
− 45 control objectives
− 149 implementation requirements
Assessments can be over 1,000 baseline requirement statements

Assessment domains
• Information Protection Program
• Endpoint Protection
• Portable Media Security
• Mobile Device Security
• Wireless Security
• Configuration Management
• Vulnerability Management
• Network Protection
• Transmission Protection
• Password Management
• Access Control
• Audit Logging & Monitoring
• Education, Training & Awareness
• Third-Party Assurance
• Incident Management
• Risk Management
• Physical & Environmental Security
• Data Protection & Privacy
• Business Continuity & Disaster Recovery

HITRUST Assessment Scope

Assessment Types

• Self-Assessment (lowest level of assurance)
− Affordable
− Quickly completed
− Stepping stone to a validated assessment
− Includes a formal report and other related assessment documentation
• Validated Assessment (higher level of assurance)
− Medium or high level of effort, requires on-site testing
− Requires a third-party assessor
− Stepping stone to certification
− More costly due to the assessor requirement
− Includes a formal report and other related assessment documentation
• Certification (highest level of assurance)
− Requires a validated assessment
− Requires HITRUST approval
− Includes a formal report that is good for 2 years
− Includes an interim assessment performed at the 1-year mark
− Most expensive, requires an assessor and an annual subscription to MyCSF
− Includes a formal report and other related assessment documentation

Baseline Assessment

• Each baseline assessment question addresses the following:
− Policy, Process, Implementation, Measured, and Managed (the last two pertain to metrics)
− Five maturity levels
    Non-Compliant (0%)
    Somewhat Compliant (25%)
    Partially Compliant (50%)
    Mostly Compliant (75%)
    Fully Compliant (100%)

Scope Overview

• The CSF applies to all covered information regardless of type (words, numbers, pictures, etc.) and transmission method (networks, fax, post)
• CSF controls are designed to apply to all information systems irrespective of classification or function. This includes:
− All patient care (medical) systems, applications, and devices that store and process ePHI, whether they are standalone systems or connected to the network
− All business systems and applications that store, process, or transmit ePHI to support billing, customer service, and general administrative operations
− Supporting systems and applications, including application software components, databases, operating systems, interfaces, tools, and servers
− All infrastructure components, such as routers and firewalls, that are connected to or facilitate the transmission of ePHI to/from the types of systems described above

Who Can Use the Tool

• Covered Entities
− Biotech Company
− Health Plan/PBM/Insurance
− IT Service Provider/Vendor
− Medical Facility/Hospital
− Pharmacy Company
− Physician Practice
− Third Party Processor
• Business Associates
• HITRUST Assessors

Business Associates Under Pressure

7,500 BAs will be required to obtain HITRUST Certification within the next 24 months.

A growing number of health care organizations, including Anthem, Health Care Services Corp., Highmark, Humana, and UnitedHealth Group, are requiring their business associates to obtain CSF Certification as a means of demonstrating effective security and privacy practices aligned with the requirements of the health industry.

In Closing . . .

• Successful activities that lead to an effective, reliable risk management program include:
− Identification of assets that create, store, and transmit covered information, including business machines, personally owned devices, and medical devices/equipment
− Staying abreast of the threat environment
− Identification of business associates and their exposure to covered information
− Periodic third-party assessments
− Continuous monitoring
− Workforce education and awareness
− Assigned responsibility
− Formal documentation
− Implementation of realistic governance and technical controls
− Senior leadership support
− Recognition that risk management is an ongoing effort, not a one-time task


Contact Information

Rick Ensenbach, CISSP, CISA, CISM, ISSMP, CCSFP
Manager, Health Care Practice
3703 Oakwood Hills Parkway, Eau Claire, WI 54701
952.548.6708
[email protected]
www.wipfli.com/healthcare
