Copyright Notice. All materials contained within this document are protected by United Statescopyright law and may not be reproduced, distributed, transmitted, displayed, published, orbroadcast without the prior, express written permission of Clearwater Compliance LLC. You may notalter or remove any copyright or other notice from copies of this content.
For reprint permission and information, please direct your inquiry to [email protected]
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. Thisinformation is based on current federal law and subject to change based on changes in federal law orsubsequent interpretative guidance. Since this information is based on federal law, it must be modified toreflect state law where that state law is more stringent than the federal law or other state law exceptionsapply. This information is intended to be a general information resource regarding the matters covered, andmay not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONSAND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.The existence of a link or organizational reference in any of the following materials should not be assumed asan endorsement by Clearwater Compliance LLC.
November 6, 2015
How to Conduct NIST-based Risk Assessment to Comply with HIPAA & Other Regulations
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US615-656-4299 or [email protected] Compliance LLC
…we’re helping organizations improve patient safety and the quality of care by safeguarding the very personal and private healthcare information of millions of fellow Americans…
… And, keeping those same organizations off the Wall of
• CEO & Founder – Clearwater Compliance LLC• 35+ years in Business, Operations and Technology• 25+ years in Healthcare• Executive | Educator |Entrepreneur• Global Executive: GE, JNJ, HWAY• Responsible for largest healthcare datasets in world• Industry Expertise and Focus: Healthcare Covered Entities
and Business Associates, Financial Services, Retail, Legal• Member: ACAP, AEHIS, CAHP, IAPP, ISC2, HIMSS, ISSA,
3. Healthcare IS the Next Cybersecurity Battleground
4. Too many BOD / C-Suites are not educated and, therefore, far too disengaged from information risk management
5. Too few organizations are working to do bona fide risk management AND “mature” their information risk management processes
6. Widespread Failure to Realize It’s a Patient Safety / Quality of Care / customer experience issue … not a “HIPAA or SOX or PCI or GLBA or FERPA compliance” issue …
7. Failure to Appreciate that Risk Assessments are a Basic Foundational Step AND Required by Regulation
Governance | People | Process | Technology | Maturity
“Risk management is a comprehensive process that requires organizations to: (i) frame risk (i.e., establish the context for risk-based decisions); (ii) assess risk; (iii) respond to risk once determined; and (iv) monitor risk on an ongoing basis using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations. Risk management is carried out as a holistic, organization-wide activity that addresses risk from the strategic level to the tactical level, ensuring that risk-based decision making is integrated into every aspect of the organization.1”
(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:(A) Risk analysis (Required). Conduct an accurate and
thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
1. Include all Sensitive Information in Scope of the Analysis 2. Collect and Document Data About All Information Assets3. Identify and Document Potential Threats and Vulnerabilities4. Assess Current Security Measures5. Determine the Likelihood of Threat Occurrence6. Determine the Potential Impact of Threat Occurrence7. Determine the Level of Risk8. Finalize Documentation 9. Periodically Review and Update the Risk Assessment
What Are All the Possible Ways in Which We May Compromise Sensitive Information?1http://clearwatercompliance.com/wp-content/uploads/SP800-30-Rev1_Guide_for_Conducting_Risk_Assessments_09-2012.pdf
Rank Description Example0 Not Applicable Will never happen1 Rare May happen once every 10 years2 Unlikely May happen once every 3 years3 Moderate May happen once every 1 year4 Likely May happen once every month5 Almost Certain May happen once every week
Impact
Likelihood
Rank Description Example0 Not Applicable Does not apply1 Insignificant Not reportable; Remediate within 1 hour2 Minor Not reportable; Remediate within 1 business day3 Moderate Not reportable; Remediate within 5 business days4 Major Reportable; Less than 500 records compromised5 Disastrous Reportable; Greater than 500 records compromised
• Critical = 25• High = 15-24• Medium = 8-14• Low = 0-7
Risk Analysis Method - HHS OCR Guidance on Risk Analysis• Scope of the Analysis - all ePHI must be included in risk analysis• Data Collection – it must be documented
Identify and Document Potential Threats and Vulnerabilities
Assess Current Security Measures
Determine the Likelihood of Threat Occurrence
Determine the Impact of Threat Occurrence
Determine the Level of Risk
The System Enables-• Finalize Documentation• Periodic Review and Updates
• NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments• NIST SP800-34 Contingency Planning Guide for Federal Information Systems• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information
Systems: A Security Life Cycle Approach• NIST SP800-39-final_Managing Information Security Risk• NIST SP800_53_r4_Security and Privacy Controls for Federal Information Systems and
Organizations • NIST SP800-53A, Rev 1, Guide for Assessing the Security Controls in Federal Information
Systems and Organizations: Building Effective Security Assessment Plans• NIST SP800-115 Technical Guide to Information Security Testing and Assessment• MU Stage 2 Hospital Core 7 Protect Electronic Health Info 2012-11-05• CMS MU Stage1 vs Stage2 Comparison Tables for Hospitals• CMS Security Risk Assessment Fact Sheet (Updated 20131122)• NIST Risk Management Framework 2009
Clearwater HIPAA Compliance and Information Risk Management BootCamp™
Take Your HIPAA Privacy and Security Program to a Better
Place, Faster …
Earn up to 10.8 CPE Credits!
http://clearwatercompliance.com/bootcamps/
Designed for busy professionals, the Clearwater Information Risk Management BootCamp™ distills into one action-packed day, the critical information you need to know about the HIPAA Privacy and Security Final Rules and the HITECH Breach Notification Rule.
Join us for our next virtual, web-based events…Three, 3hr sessions:
• February 11th, 18th, 25th 2016 • May 5th, 12th, 19th 2016
Join us for our next Live Event: April 21, 2015 - Orlando
Clearwater teaches Customer how to perform gap assessments and risk analyses AND to measure information risk management maturity levels to establish continuous process improvement.
“We do it with you” “We train you to do it”
Proven, Flexible Engagement Model - 100s of Successes | We Want Our Customers to Become Self-Sufficient
“We do it for you”
Clearwater provides content, strategy, leadership, tools, software and resources to complete gap assessments and risk analyses. Customer reviews recommendations.
Clearwater and Customer teams perform gap assessments and risk analyses, validate findings, observations and recommendations, prioritize remediation items and develop recommendations.
