Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
• CEO & Founder – Clearwater Compliance LLC • 35+ years in Business, Operations and Technology • 25+ years in Healthcare • Executive | Educator |Entrepreneur • Global Executive: GE, JNJ, HWAY • Responsible for largest healthcare datasets in world • Industry Expertise and Focus: Healthcare Covered Entities
and Business Associates, Financial Services, Retail, Legal • Member: ACAP, AEHIS, CAHP, IAPP, ISC2, HIMSS, ISSA,
…we’re helping organizations improve patient safety and the quality of care by safeguarding the very personal and private healthcare information of millions of fellow Americans…
… And, keeping those same organizations off the Wall of
3. Healthcare IS the Next Cybersecurity Battleground
4. Too many BOD / C-Suites are not educated and, therefore, far too disengaged from information risk management
5. Too few organizations are working to do bona fide risk management AND “mature” their information risk management processes
6. Widespread Failure to Realize It’s a Patient Safety / Quality of Care / Customer Experience issue … not a “HIPAA or SOX or PCI or GLBA or FERPA compliance” issue …
7. Failure to Appreciate that Risk Assessments are a Basic Foundational Step AND Required by Regulation
8. Few People Truly Understand Risk Governance | People | Process |
“The health-care industry is being hunted and hacked by the elite financial criminal syndicates that had been targeting large financial institutions until they realized health-care databases are more valuable”
-- Tom Kellermann, chief cyber security officer at
“Now healthcare is a considered a top target. The speed of these attacks and the volume with which they're occurring is increasing significantly. It just requires a much more robust response across the U.S. government and private sector.” Major intrusions into healthcare providers' computer systems now are happening at the pace of two or three a day.”
Some Recent Events • March 2014 - compromised by Chinese hackers targeting the information of 10s of 100s of
thousands of employees | the U.S. Gov Personnel Network • June 2014 - the New York Times reported how cybercriminals are getting better at circumventing
firewalls and antivirus programs, and more of them are resorting to ransom ware, which encrypts computer data and holds it hostage until a fee is paid;
• August 2014 - 4.5 million patients’ personal information was disclosed in alleged Chinese hacker attack| Community Health Systems
• August 2014 - “significant and egregious” data breach | JP Morgan • September 2014 – “no evidence that debit card PINs were compromised”
| Home Depot • February 2015 - “80 million … target of a “very sophisticated external cyber attack” | Anthem • March 2015 – “11 million … Insurance Commissioner Mike Kreidler announced the launch of a
multi-state market conduct examination” | Premera Blue Cross • May 2015 – “about 1.1 million names, usernames, birth dates, email addresses and subscriber ID
numbers of current and former members and people who did business with CareFirst” | CareFirst Blue Cross Blue Shield
• June 2015 - OPM … • September 2015 – “10.5 million … one of a series of major digital intrusions into Blue Cross
affiliates and other health insurers nationwide over the last two years” | Excellus BlueCross BlueShield
• A Major League Baseball team is more "mature" than a Little League team
• A Major League Baseball team has self-perpetuating qualities. They: • Have strong management (Governance) • Develop new players like themselves (People) • Find ways to make better plays (Process) • Use latest balls, bats, equipment (Technology) • Are consistent and make good plays
IRM Capabilities Are Evidenced by Best Practices 1. Governance, Awareness of Benefits
and Business Value A. The board or governance body has developed a working
knowledge of the information risk management framework and workflow concepts …
B. The board or governance body has developed a working knowledge of the information risk of compromise of confidentiality, integrity and/or availability of sensitive information.
C. The board or governance body has issued formal, written guidance for IRM.
D. There is awareness of all external requirements (e.g., regulatory, customer, business partners, etc.) for IRM in the organization.
E. Board or governance body views IRM as a business enabler…
IRM Capabilities Are Evidenced by Best Practices 2. People, Skills, Knowledge & Culture
A. There has been an emergence and designation of a formal IRM function within the organization.
B. A senior risk manager has been designated as the leader of the information risk management function.
C. A cross-functional executive oversight committee is chartered to guide and support the information risk manager.
D. A cross-functional working group, led by the information risk manager, is chartered to support the IRM function (so that each functional area can understand where it fits into the entire organizational IRM strategy and how it affects other areas).
E. The IRM function has a designated capital and operating expense budget.
IRM Capabilities Are Evidenced by Best Practices 3. Process, Discipline, & Repeatability
A. Formal, up-to-date and documented IRM policies and procedures (PnPs) are used and are defensible.
B. The organization’s risk assessment process including the characterization of threat sources, sources of threat information, representative threat actions, when to consider and how to evaluate threats, sources of vulnerability information, risk assessment methodologies to be used, and risk assumptions is formally documented.
C. The IRM program provides a complete, end-to-end process for inventorying and including all information assets used to create, receive, maintain or transmit sensitive data (e.g., PHI, PII, payment card data, company proprietary information and other sensitive data).
D. The IRM program’s risk assessment solution ensures that all relevant threat sources and threat actions that may exploit vulnerabilities are considered.
IRM Capabilities Are Evidenced by Best Practices 4. Standards, Technology Tools and
Scalability A. The organization is aware of the general category of
governance, risk and compliance (GRC) software tools that are available in the marketplace.
B. There is recognition in the organization of value of the use of consistent, automated IRM workflow tools (e.g., demonstrated compliance, optimizing cost of IRM, single source of the truth, scalability, etc.).
C. The organization is using an automation solution to manage, maintain and communicate its policies and procedures for all regulations with which it must comply.
D. The organization is using an automation solution for information security continuous monitoring.
IRM Capabilities Are Evidenced by Best Practices 5. Engagement, Delivery & Operations
A. The organization has documented the implementation plan for the scope of the organizational IRM process (e.g., organizational entities covered; mission/business functions affected; information assets to be included, etc.) and its rollout plan.
B. The organization has documented how its IRM process steps will be implemented. (e.g., sequence, degree of rigor, formality, and thoroughness of application) and in how the results of each step are captured and shared—both internally and externally, if necessary.
C. There is strong alignment of the organization's IRM strategy with the overall organizational business strategy.
D. Strategic objectives are based on an executive-level understanding of business threats and information risk scenarios.
In each capability area, we present a series of practices that, if implemented, would serve as evidence of progress in establishing and improving that capability. Consideration of these practices may also translate into an action plan for improvement. We rate each practice on a six-point rating scale using the Deming "plan-do-check-act" cycle: • Not started adopted, implemented or achieved (0% or
maturity 0) • Planning to adopt, implement or achieve (20% or
maturity 1) • Planning and doing (40% or maturity 2) • Planning, doing and checking (60% or maturity 3) • Planning, doing, checking, acting (80% or maturity 4) • Planning, doing, checking, acting & optimizing (100% or
Clearwater HIPAA Compliance and Information Risk Management BootCamp™
Take Your HIPAA Privacy and Security Program to a Better
Place, Faster …
Earn up to 10.8 CPE Credits!
http://clearwatercompliance.com/bootcamps/
Designed for busy professionals, the Clearwater Information Risk Management BootCamp™ distills into one action-packed day, the critical information you need to know about the HIPAA Privacy and Security Final Rules and the HITECH Breach Notification Rule.
Join us for our next virtual, web-based events…Three, 3hr sessions:
• February 11th, 18th, 25th 2016 • May 5th, 12th, 19th 2016
Join us for our next Live Event: April 21, 2016 - Orlando
