© Clearwater Compliance | All Rights Reserved
1
Copyright Notice
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]
Legal Disclaimer
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
December 8, 2015
How to Mature Your Information Risk Management Program
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US 615-656-4299 or 800-704-3394 [email protected] Clearwater Compliance LLC
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US
• CEO & Founder – Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates, Financial Services, Retail, Legal
• Member: ACAP, AEHIS, CAHP, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA, HCAA, ACHE, AHIMA, NTC, ACP, SIM Chambers, Boards
http://www.linkedin.com/in/BobChaput
We are not attorneys! Ensure Competent Counsel
The Omnibus has arrived! Welcome Aboard, BAs!
Lots of different interpretations! Please, Ask Lots of Questions!
But FIRST!
Our Goal Is To Help You Become As Self-Sufficient As You Wish To Be
This empowering philosophy underpins everything we do:
• Commitment to educational resources for our audiences
• Ongoing support and training for our customers
• Thought-, service-, methodology- and software-leadership to better serve you
Our Passion
We’re excited about what we do because…
…we’re helping organizations improve patient safety and the quality of care by safeguarding the very personal and private healthcare information of millions of fellow Americans…
… And, keeping those same organizations off the Wall of Shame…!
Awards and Recognition
Exclusive Endorsement
Ranked #11 – 2015 & 2016 Software Used by NSA/CAEs
Sole Source Provider
Some Ground Rules
1. Slide materials
   A. Check “Handouts” area on GoToWebinar Control to download materials now
2. Questions in “Question Area” on GTW Control Panel
3. In case of technical issues, check “Chat Area”
4. All Attendees are in Listen Only Mode
5. Please complete Exit Survey, when you leave session
6. Recorded version and final slides within 48 hours
How This Webinar Fits In to Our IRM Educational Track
Register For Our NEW Educational Tracks: https://clearwatercompliance.com/hipaa-education/educational-tracks/
1. “NIST-based Information Risk Management Essentials”
2. “How to Establish Your NIST-based Risk Management Program to Comply with HIPAA & Other Regulations”
3. “The Critical Difference - HIPAA Security Compliance Evaluation vs. HIPAA Security Risk Analysis”
4. “How to Conduct NIST-based Risk Assessment to Comply with Federal Regulations & Industry Standards”
5. “How to Conduct NIST-based Risk Response to Comply with Federal Regulations & Industry Standards”
6. “How to Monitor Your NIST-based Risk Management Program to Comply with Federal Regulations & Industry Standards”
7. “How to Mature Your Information Risk Management Program” (You are Here!)
Learning Outcomes… Attendees Will Be Able To:
Describe the Information Risk Management Capability Advancement Model™ (IRMCAM™)
Determine their organization’s current level of IRM maturity
Explain the importance of a mature information risk management program and framework
Explain the purpose and value of maturity models, in general, and specifically as they relate to IRM
Resources will be provided at the end of the session and all registrants will receive a copy of all slide materials & the recorded webinar
Pause and Quick Poll
What type of organization do you represent?
Hospital / Health System | Other CE | BA | Hybrid | Don’t Know
How many Clearwater Compliance webinars have you attended before?
Pause and Quick Poll
Reminder: Problem We’re Trying to Solve
Don’t Compromise C-I-A! (PHI, PII, Payment Card, Intel. Prop., Etc.)
• What if my Sensitive Information is shared? With whom? How? (CONFIDENTIALITY)
• What if my Sensitive Information is not complete, up-to-date and accurate? (INTEGRITY)
• What if my Sensitive Information is not there when it is needed? (AVAILABILITY)
Clearwater Information Risk Management Life Cycle¹
¹Adopted from NIST SP 800-39 (final), Managing Information Security Risk
Agenda
• Problem • Actions • Results • Resources
The Information Risk Management (IRM) Problem
1. 68% of 2012 OCR Phase I Auditees Failed Risk Analysis (80% of Providers)
2. 74% of 27 OCR Resolution Agreements / CAPs Cite Failed Risk Analyses
3. Healthcare IS the Next Cybersecurity Battleground
4. Too many BOD / C-Suites are not educated and, therefore, far too disengaged from information risk management
5. Too few organizations are working to do bona fide risk management AND “mature” their information risk management processes
6. Widespread Failure to Realize It’s a Patient Safety / Quality of Care / Customer Experience issue … not a “HIPAA or SOX or PCI or GLBA or FERPA compliance” issue …
7. Failure to Appreciate that Risk Assessments are a Basic Foundational Step AND Required by Regulation
8. Few People Truly Understand Risk Governance | People | Process | Technology | Maturity
Healthcare Under Attack
“The health-care industry is being hunted and hacked by the elite financial criminal syndicates that had been targeting large financial institutions until they realized health-care databases are more valuable”
-- Tom Kellermann, chief cyber security officer at Trend Micro Inc., May 2015
http://www.bloomberg.com/news/articles/2015-05-07/rising-cyber-attacks-costing-health-system-6-billion-annually
Healthcare Under Attack
“Now healthcare is considered a top target. The speed of these attacks and the volume with which they're occurring is increasing significantly. It just requires a much more robust response across the U.S. government and private sector.” Major intrusions into healthcare providers' computer systems now are happening at the pace of two or three a day.
-- Jim Trainor, deputy assistant director, FBI Cyber Division, April 2015
http://searchhealthit.techtarget.com/news/4500246657/Federal-authorities-on-to-healthcare-cybercrime
Problem with THE Problem We’re All Trying to Solve
1. The Problem is the “Problem We’re Trying to Solve” is a dynamic, never-ending Problem!
2. Healthcare Industry, especially, is Immature When it Comes to Information Risk Management
Some Recent Events
• March 2014 - compromised by Chinese hackers targeting the information of 10s of 100s of thousands of employees | the U.S. Gov Personnel Network
• June 2014 - the New York Times reported how cybercriminals are getting better at circumventing firewalls and antivirus programs, and more of them are resorting to ransomware, which encrypts computer data and holds it hostage until a fee is paid
• August 2014 - 4.5 million patients’ personal information was disclosed in alleged Chinese hacker attack | Community Health Systems
• August 2014 - “significant and egregious” data breach | JP Morgan
• September 2014 – “no evidence that debit card PINs were compromised” | Home Depot
• February 2015 - “80 million … target of a ‘very sophisticated external cyber attack’” | Anthem
• March 2015 – “11 million … Insurance Commissioner Mike Kreidler announced the launch of a multi-state market conduct examination” | Premera Blue Cross
• May 2015 – “about 1.1 million names, usernames, birth dates, email addresses and subscriber ID numbers of current and former members and people who did business with CareFirst” | CareFirst Blue Cross Blue Shield
• June 2015 - OPM …
• September 2015 – “10.5 million … one of a series of major digital intrusions into Blue Cross affiliates and other health insurers nationwide over the last two years” | Excellus BlueCross BlueShield
• December 2015 – YOUR ORGANIZATION?…
Breach Fatigue, Anyone?
And, then there were 27… Lahey Clinic Hospital, Inc.
Case for Action or Cause for Shock?
• All Industries, Especially Healthcare, Under Attack
• Harm or Loss to Companies and Individuals
• Regulatory Compliance and Security Risks = Significant Financial Risks
PHI, The Next Patient Safety Issue!
Challenge: Balance and Move to Future State of IRM
From: Tactical | Technical | Spot-Welding
To: Strategic | Business | Architectural
Start the Conversation … Change the Conversation
Pause and Quick Poll
If “Tactical-Technical-Spot-Welding” is a “1” and “Strategic-Business-Architectural” is a “5”, where would you place your organization?
Agenda
• Problem • Actions • Results • Resources
Three IRM Agenda Items I Feel Deeply Inspired By…
01 Tactical: Establish, Implement and Mature IRM Program
02 Operational: Complete Bona Fide, Comprehensive Risk Analysis and Risk Response
03 Strategic: Make IRM a C-Suite / Board Agenda item
NIST Approach Framework + Process + Maturity Model
Approach
Clearwater Information Risk Management Life Cycle¹
¹Adopted from NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
• Need to Adopt a Framework
• Need to Adopt a Process
• Need to Develop Maturity Model
Risk Management and Baseball
• A Major League Baseball team is more "mature" than a Little League team
• A Major League Baseball team has self-perpetuating qualities. They:
  • Have strong management (Governance)
  • Develop new players like themselves (People)
  • Find ways to make better plays (Process)
  • Use latest balls, bats, equipment (Technology)
  • Are consistent and make good plays (Implementation)
Risk Management and Baseball
• Is Little League good enough?
• How good does your team have to play?
• How mature does your Information Risk Management Process need to be?
• Are you making conscious, informed decisions about your required level of maturity?
Keep It Simple
1. Embrace the Fundamentals of Maturity Models
2. Understand critical “Capabilities” and “Best Practices” in Information Risk Management
3. Embrace Information Risk Management Capability Advancement Model™ (IRMCAM™)
4. Consciously decide what is best for your organization
5. Take actions to establish, operationalize and mature your program
Pause and Quick Poll
Are you familiar with the principles / concepts of maturity models?
Capability maturity models, in general
• Rate your organization – from the least mature level to the most mature level
• Identify descriptions of your organization’s current and possible future states
• Don’t make it a competition with other organizations
• Purpose is to:
  • Identify where organizations are in relation to certain capabilities, activities and practices
  • Suggest how to set priorities for improvements
Reference: ISO/IEC 15504 Process Assessment Standard
Attributes of a Mature Process or Practice Area
Risk Management Maturity runs from Little League to Major League. Where Does Your Organization Need to Be?
• Governed
• Measurable
• Controlled
• CPI-based
• Standards-based
• Proactive
• Adaptable
• Consistent
• Predictable
• Automated
Maturity in EMR Adoption
Electronic Medical Record Adoption Model (EMRAM)SM
http://www.himssanalytics.org/emram/emram.aspx
HIMSS Analytics has devised the EMR Adoption Model, an 8-step process that allows you to track your progress against healthcare organizations across the country and view all scores in the HIMSS Analytics® Database.
On a Scale of 0 (least mature) to 5 (most mature), how mature is your information risk management program?
Pause and Quick Poll
What is the Information Risk Management Capability Advancement Model™ (IRMCAM™)?
• Like baseball teams, mature risk-aware organizations are different from immature risk-aware organizations
• IRMCAM™ strives to capture and describe these differences
• IRMCAM™ strives to create organizations that are “mature”, or more mature than before applying IRMCAM™
• Describes six levels of Risk Management process maturity
• Includes lots of detail about each level – we will look at some of it
Not One Size Fits All
IRMCAM Index (IRMCAMi™) and Levels
Key Information Risk Management Capabilities:
1. Governance, Awareness of Benefits and Value
2. People, Skills, Knowledge & Culture
3. Process, Discipline & Repeatability
4. Standards, Technology Tools / Scalability
5. Engagement, Delivery & Operations
Maturity levels: Incomplete - 0 | Performed - 1 | Managed - 2 | Established - 3 | Predictable - 4 | Mature - 5
As measured by the extent of adoption, implementation and / or achievement … Plan-Do-Check-Act
INFORMATION RISK MANAGEMENT MATURITY LEVEL by KEY RISK MANAGEMENT CAPABILITY
Levels: Incomplete-0 | Performed-1 | Managed-2 | Established-3 | Predictable-4 | Mature-5

Governance, Awareness of Benefits and Value
  0: Unsure of benefits; no executive focus
  1: Aware of risk, but not clear on benefits
  2: Aware of some benefits
  3: Aware of most benefits; value realized
  4: Aware of benefits and deployed across the organization
  5: Incorporated into business planning and strategic thinking

People, Skills, Knowledge & Culture
  0: Little knowledge
  1: Some risk skills training in parts of organization
  2: Good understanding across parts of organization
  3: Knowledge across most of organization
  4: Sound knowledge of discipline and value
  5: High degree of knowledge; refinement

Process, Discipline, & Repeatability
  0: No PnPs, formal practices
  1: Some execution, no records or docs.
  2: Some PnPs, docs; not consistently followed
  3: Formal PnPs and doc, widely followed
  4: Robust, widely adopted PnPs
  5: Formal, continuous process improvement

Use of Standards, Technology Tools / Scalability
  0: Not Using
  1: Aware but Not Formalized Use
  2: Using selectively
  3: Using, repeatable results
  4: Regular use, outcomes consistent
  5: Sound understanding, consistent use of tools

Engagement, Delivery & Operations
  0: None
  1: Some (ad hoc), Insufficient resources
  2: Have framework & active when time permits
  3: Becoming a Formal program
  4: Formal program
  5: Embedded in decision making, CPI
Key IRM Capabilities
1. Governance, Awareness of Benefits and Value
2. People, Skills, Knowledge & Culture
3. Process, Discipline, & Repeatability
4. Standards, Technology Tools and Scalability
5. Engagement, Delivery & Operations
Capabilities Are Evidenced by Practices
IRM Capabilities Are Evidenced by Best Practices
1. Governance, Awareness of Benefits and Business Value
A. The board or governance body has developed a working knowledge of the information risk management framework and workflow concepts …
B. The board or governance body has developed a working knowledge of the information risk of compromise of confidentiality, integrity and/or availability of sensitive information.
C. The board or governance body has issued formal, written guidance for IRM.
D. There is awareness of all external requirements (e.g., regulatory, customer, business partners, etc.) for IRM in the organization.
E. Board or governance body views IRM as a business enabler…
F. Etc…
IRM Capabilities Are Evidenced by Best Practices
2. People, Skills, Knowledge & Culture
A. There has been an emergence and designation of a formal IRM function within the organization.
B. A senior risk manager has been designated as the leader of the information risk management function.
C. A cross-functional executive oversight committee is chartered to guide and support the information risk manager.
D. A cross-functional working group, led by the information risk manager, is chartered to support the IRM function (so that each functional area can understand where it fits into the entire organizational IRM strategy and how it affects other areas).
E. The IRM function has a designated capital and operating expense budget.
F. Etc…
IRM Capabilities Are Evidenced by Best Practices
3. Process, Discipline, & Repeatability
A. Formal, up-to-date and documented IRM policies and procedures (PnPs) are used and are defensible.
B. The organization’s risk assessment process including the characterization of threat sources, sources of threat information, representative threat actions, when to consider and how to evaluate threats, sources of vulnerability information, risk assessment methodologies to be used, and risk assumptions is formally documented.
C. The IRM program provides a complete, end-to-end process for inventorying and including all information assets used to create, receive, maintain or transmit sensitive data (e.g., PHI, PII, payment card data, company proprietary information and other sensitive data).
D. The IRM program’s risk assessment solution ensures that all relevant threat sources and threat actions that may exploit vulnerabilities are considered.
E. Etc.
IRM Capabilities Are Evidenced by Best Practices
4. Standards, Technology Tools and Scalability
A. The organization is aware of the general category of governance, risk and compliance (GRC) software tools that are available in the marketplace.
B. There is recognition in the organization of value of the use of consistent, automated IRM workflow tools (e.g., demonstrated compliance, optimizing cost of IRM, single source of the truth, scalability, etc.).
C. The organization is using an automation solution to manage, maintain and communicate its policies and procedures for all regulations with which it must comply.
D. The organization is using an automation solution for information security continuous monitoring.
E. Etc.
IRM Capabilities Are Evidenced by Best Practices
5. Engagement, Delivery & Operations
A. The organization has documented the implementation plan for the scope of the organizational IRM process (e.g., organizational entities covered; mission/business functions affected; information assets to be included, etc.) and its rollout plan.
B. The organization has documented how its IRM process steps will be implemented (e.g., sequence, degree of rigor, formality, and thoroughness of application) and how the results of each step are captured and shared, both internally and externally, if necessary.
C. There is strong alignment of the organization's IRM strategy with the overall organizational business strategy.
D. Strategic objectives are based on an executive-level understanding of business threats and information risk scenarios.
E. Etc.
How to Use IRMCAM™
• Train your own team in IRMCAM™, then conduct internal assessments.
  • For a large organization with many exposures, could have a big payoff
  • Use IRMCAM™ as a set of recommendations; apply as you see fit
• Hire a 3rd Party IRMCAM™ Assessor to conduct a formal evaluation
  • To win management attention
  • To ensure an independent, objective review
  • To demonstrate good intent to customers and regulators
• Determine Where You Are
• Decide Where You Need to Be
• Set Plan of Action to Get There!
Agenda
• Problem • Actions • Results • Resources
Benefits of Using IRMCAM™ to Mature Your IRM Program
Improved Information Risk Management Performance: FEWER BREACHES, COMPLAINTS, FAILED AUDITS, ETC.
• Executive Engagement And Support
• Information Risk Management Consistency And Predictability
• Cost Effectiveness And Efficiency
• Continuous Process Improvement
• Market Differentiation And Competitive Advantage
• Higher quality IRM investment decisions
Pause and Quick Poll
Is your organization ready for a maturity model approach to information risk management?
Agenda
• Problem • Actions • Results • Resources
IRMCAM™ Model
Assessing Practices
In each capability area, we present a series of practices that, if implemented, would serve as evidence of progress in establishing and improving that capability. Consideration of these practices may also translate into an action plan for improvement. We rate each practice on a six-point rating scale using the Deming "plan-do-check-act" cycle:
• Not started (not adopted, implemented or achieved) (0% or maturity 0)
• Planning to adopt, implement or achieve (20% or maturity 1)
• Planning and doing (40% or maturity 2)
• Planning, doing and checking (60% or maturity 3)
• Planning, doing, checking, acting (80% or maturity 4)
• Planning, doing, checking, acting & optimizing (100% or maturity 5)
Please Use It / Provide Feedback
IRMCAM™ – V5
1. Prepare to use the Clearwater Information Risk Management Capability Maturity Model™.
2. Set the desired information risk management maturity level for the organization.
3. Complete the Clearwater Information Risk Management Capability Maturity Model Index™ tool.
4. Identify any gaps that may exist between the desired state of maturity and the current state.
5. Assess all identified gaps that may exist between the desired and the current state.
6. Rank order identified gaps and remediate the highest priority gaps.
7. Document results and repeat the assessment periodically.
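The following Python script is an added illustration of how the six-point plan-do-check-act practice scale and steps 2 through 6 above fit together as a computation; it is not Clearwater's IRMCAMi™ tool and not code from the deck. The practice labels are paraphrased from the best-practice slides and the ratings are invented. Two rules are assumptions made for this example: a capability is only credited with a level once every one of its practices is rated at that level (weakest link), and gaps are ranked by their size, with ties broken by capability order.

```python
"""Practice-rating and gap-ranking helper in the style of the IRMCAM scale.

Constructed example, not Clearwater's IRMCAMi tool. The weakest-link level
rule and the gap ranking order are assumptions made for this illustration.
"""
from dataclasses import dataclass

# Six maturity levels named on the IRMCAMi slide
LEVEL_NAMES = {0: "Incomplete", 1: "Performed", 2: "Managed",
               3: "Established", 4: "Predictable", 5: "Mature"}

# Plan-do-check-act stage reached by one practice; each step is worth 20%
PDCA_STAGES = {0: "not started", 1: "planning", 2: "planning, doing",
               3: "planning, doing, checking",
               4: "planning, doing, checking, acting",
               5: "planning, doing, checking, acting, optimizing"}


def rating_percent(rating: int) -> int:
    """Map a 0-5 practice rating to its percentage; reject anything else."""
    if not isinstance(rating, int) or rating not in PDCA_STAGES:
        raise ValueError(f"practice rating must be an integer 0-5, got {rating!r}")
    return rating * 20


@dataclass(frozen=True)
class Gap:
    capability: str
    practice: str
    current: int
    desired: int

    @property
    def size(self) -> int:
        return self.desired - self.current


def capability_level(ratings: list[int]) -> int:
    """Level a capability can claim (assumption: the weakest practice sets it)."""
    if not ratings:
        raise ValueError("a capability needs at least one rated practice")
    for r in ratings:
        rating_percent(r)  # validates each rating
    return min(ratings)


def irmcam_index(assessment: dict[str, dict[str, int]]) -> float:
    """Overall index: average percentage across every rated practice."""
    percents = [rating_percent(r)
                for practices in assessment.values()
                for r in practices.values()]
    if not percents:
        raise ValueError("assessment contains no rated practices")
    return round(sum(percents) / len(percents), 1)


def find_gaps(assessment: dict[str, dict[str, int]], desired_level: int) -> list[Gap]:
    """Practices below the desired level, biggest gap first (steps 4-6).

    Ties are broken by the capability's order in the assessment, then by
    practice name, so the remediation order is deterministic.
    """
    rating_percent(desired_level)  # the target must be on the 0-5 scale too
    order = {cap: i for i, cap in enumerate(assessment)}
    gaps = [Gap(cap, prac, rating, desired_level)
            for cap, practices in assessment.items()
            for prac, rating in practices.items()
            if rating_percent(rating) < rating_percent(desired_level)]
    gaps.sort(key=lambda g: (-g.size, order[g.capability], g.practice))
    return gaps


# Constructed sample assessment: labels paraphrase the slides' best-practice
# lists; the ratings are invented for illustration.
SAMPLE_ASSESSMENT = {
    "Governance, Awareness of Benefits and Value": {
        "A. Board has working knowledge of the IRM framework": 3,
        "B. Board understands C-I-A risk to sensitive information": 2,
        "C. Board has issued formal written IRM guidance": 1,
    },
    "People, Skills, Knowledge & Culture": {
        "A. Formal IRM function designated": 4,
        "B. Senior risk manager leads the IRM function": 4,
        "E. IRM function has a designated budget": 2,
    },
    "Process, Discipline & Repeatability": {
        "A. Formal, documented, defensible IRM PnPs in use": 3,
        "C. End-to-end inventory of assets holding sensitive data": 0,
    },
}

if __name__ == "__main__":
    target = 3  # step 2: desired level "Established"
    print(f"IRMCAM index: {irmcam_index(SAMPLE_ASSESSMENT)}%")
    for cap, practices in SAMPLE_ASSESSMENT.items():
        lvl = capability_level(list(practices.values()))
        print(f"{cap}: level {lvl} ({LEVEL_NAMES[lvl]})")
    for g in find_gaps(SAMPLE_ASSESSMENT, target):
        print(f"gap {g.size}: [{g.capability}] {g.practice} "
              f"({PDCA_STAGES[g.current]} -> {PDCA_STAGES[g.desired]})")
```

Run as a script it prints the index, the level each capability can claim and the ranked gap list; the asset-inventory practice comes out first because it has the largest distance to the target, which is the kind of ordering step 6 asks for before remediation begins.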
IRMCAM™ From “Performed” to “Established”
Clearwater Vision
Clearwater Information Risk Management Capability Advancement Model™ (IRMCAM™) Metrics
“…Facilitating Your Progress Towards Better Quality of Care and Increased Patient Safety Through Mature Information Risk Management…”
Download Whitepaper
Harnessing the Power of NIST
Your Practical Guide to Effective Information Risk Management
https://clearwatercompliance.com/thought-leadership/white-papers/harnessing-the-power-of-the-nist-framework/
Clearwater HIPAA Compliance and Information Risk Management BootCamp™
Take Your HIPAA Privacy and Security Program to a Better Place, Faster …
Earn up to 10.8 CPE Credits!
http://clearwatercompliance.com/bootcamps/
Designed for busy professionals, the Clearwater Information Risk Management BootCamp™ distills into one action-packed day the critical information you need to know about the HIPAA Privacy and Security Final Rules and the HITECH Breach Notification Rule.
Join us for our next virtual, web-based events … three 3-hour sessions:
• February 11th, 18th, 25th 2016
• May 5th, 12th, 19th 2016
Join us for our next Live Event: April 21, 2016 - Orlando
Other Upcoming Clearwater Events
Visit ClearwaterCompliance.com for more info!
• December 17, 2015 – Complimentary Webinar: How to Develop your HIPAA-HITECH Policies & Procedures
• January 7, 2016 – Complimentary Webinar: How to Conduct NIST-based Risk Response to Comply with HIPAA & Other Regulations
• January 14, 2016 – Complimentary Webinar: How to Prepare for a Privacy/Breach Notification OCR Audit or Investigation
• January 26, 2016 – Complimentary Webinar, co-presented with Atlas Health: Demystifying HIPAA and the Cloud
Resources
Register For Upcoming Live HIPAA-HITECH Webinars at:
https://clearwatercompliance.com/webinars/
Final Thoughts
• Privacy, Security and Compliance Risk Management is a Business/Board Issue
• It Needs to Be Addressed Both Bottom Up and Top Down
• Alignment Between Business Strategy and Information Risk Management Must Be Achieved
• An IRMCAM™ Assessment Is a Great Place to Start the Discussion – Little League? Minor League? Major League?
Contact
Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US
Clearwater Compliance LLC
http://www.ClearwaterCompliance.com
[email protected]
Phone: 800-704-3394 or 615-656-4299
Exit Survey, Please
Why Clearwater
Clearwater Compliance – A Better, Brighter Idea!
• Highly Reference-able Hospital / Health System Customer Base, with Exclusive AHA Endorsement
• Commercially Competitive Professional Services Fees
• Proven Experience in Large Complex Healthcare Environments
• Independent, Objective Advisory Services with No Vendor Ties
• Deep Experience with 35+ Organizations Audited by OCR, CMS & OIG
• Business Risk Management Focus While Achieving Regulatory Compliance
• Seasoned, Credentialed Professionals in Healthcare Privacy, Security, Compliance & Information Risk Management
• Significant Post Breach Experience and Partner Network
As Seen In…
What About HITRUST?
• HITRUST or High Risk? The Health Information Trust Alliance’s Common Security
• An Open Letter to the HITRUST Alliance
WWW.CLEARWATERCOMPLIANCE.COM
(800) 704-3394
http://www.linkedin.com/in/bobchaput/ @clearwaterhipaa
ClearwaterCompliance
Clearwater Compliance