© Clearwater Compliance | All Rights Reserved
Copyright Notice
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
For reprint permission and information, please direct your inquiry to [email protected]
Legal Disclaimer
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
November 6, 2015
How to Conduct NIST-based Risk Assessment to Comply with HIPAA & Other Regulations
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US
615-656-4299 or [email protected]
Clearwater Compliance LLC
Our Passion
We’re excited about what we do because…
…we’re helping organizations improve patient safety and the quality of care by safeguarding the very personal and private healthcare information of millions of fellow Americans…
… And, keeping those same organizations off the Wall of Shame…!
Awards and Recognition
#11 - 2015
Exclusive Sole Source Provider
Software Used by NSA/CAEs
Bob Chaput
MA, CISSP, HCISPP, CRISC, CIPP/US
• CEO & Founder – Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates, Financial Services, Retail, Legal
• Member: ACAP, AEHIS, CAHP, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA, HCAA, ACHE, AHIMA, NTC, ACP, SIM Chambers, Boards
http://www.linkedin.com/in/BobChaput
Our Goal Is To Help You Become As Self-Sufficient As You Wish To Be
This empowering philosophy underpins everything we do.
• Commitment to educational resources for our audiences
• Ongoing support and training for our customers
• Thought-, service-, methodology- and software-leadership
Some Ground Rules
1. Slide materials
   A. Check “Download” area on GoToWebinar Control panel to copy/paste link and download materials
2. Questions in “Question Area” on GTW Control Panel
3. In case of technical issues, check “Chat Area”
4. All Attendees are in Listen Only Mode
5. Please complete Exit Survey, when you leave session
6. Recorded version and final slides within 48 hours
We are not attorneys! Ensure Competent Counsel
The Omnibus has arrived! Welcome Aboard, BAs!
Lots of different interpretations! Please, Ask Lots of Questions!
But FIRST!
Three IRM Agenda Items I Feel Deeply Inspired By…
Tactically: Assist in Establishing, Implementing and Maturing IRM Program
Operationally: Assist in Completing Bona Fide, Comprehensive Risk Analysis and Risk Response
Strategically: Assist in Making IRM a Meaningful C-Suite / Board Agenda item
How This Webinar Fits In to Our IRM Educational Track
Register For Our NEW Educational Tracks: https://clearwatercompliance.com/hipaa-education/educational-tracks/
You are Here!
1. “NIST-based Information Risk Management Essentials”
2. “How to Establish Your NIST-based Risk Management Program to Comply with HIPAA & Other Regulations”
3. “The Critical Difference - HIPAA Security Compliance Evaluation vs. HIPAA Security Risk Analysis”
4. “How to Conduct NIST-based Risk Assessment to Comply with Federal Regulations & Industry Standards”
5. “How to Conduct NIST-based Risk Response to Comply with Federal Regulations & Industry Standards”
6. “How to Monitor Your NIST-based Risk Management Program to Comply with Federal Regulations & Industry Standards”
7. “How to Mature Your Information Risk Management Program”
Where This Webinar Fits Into Your HIPAA / IRM Program
Derived from OCR Enforcement Actions | Demonstrate Reasonable Diligence
1. Set Privacy and Security Risk Management & Governance Program in place (45 CFR § 164.308(a)(1))
2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530, 45 CFR §164.316 and 45 CFR §164.414)
3. Train all Members of Your Workforce (45 CFR §164.530(b), 45 CFR §164.308(a)(5) and 45 CFR §164.414)
4. Complete a HIPAA Security Risk Analysis and Risk Management (45 CFR §164.308(a)(1)(ii)(A) and (B)) – You are Here!
5. Complete a HIPAA Security Non-Technical Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8))
6. Complete Technical Testing of Your Environment (45 CFR § 164.308(a)(8))
7. Complete Privacy Rule and Breach Notification Rule compliance assessments (45 CFR §164.500 and 45 CFR §164.400)
8. Implement a Strong, Proactive Business Associate / Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))
9. Assess your current Insurance Coverage (e.g., Cyber Liability, General Liability, D&O, E&O, P&C)
10. Document and act upon a remediation plan (45 CFR §164.530(c) and 45 CFR §164.306(a))
Learning Outcomes… Attendees Will Be Able To:
Describe the fundamentals of Information Risk Management
Define fundamental risk terminology – assets, threats, vulnerabilities, controls, etc
Explain why risk analysis is a core foundational step and describe the key steps
Cite general regulatory requirements for ongoing risk assessments
Describe how/when the new Civil Money Penalty System may be applied if risk assessments are not performed
Explain the difference between compliance and security
Resources will be provided at the end of the session and all registrants will receive a copy of all slide materials & the recorded webinar
Pause and Quick Poll
What type of organization do you represent?
• Hospital / Health System
• Other CE
• BA
• HYBRID
• Don’t Know
Discussion Flow
1. Problem
2. NIST-Based Risk Assessment
3. Resources
Clearwater Information Risk Management Life Cycle
Pause and Quick Poll
What is the greatest amount of risk that you observed in any image?
Key Points of Exercise
• Must be possible to have loss or harm in order to have risk
• Must have asset-threat-vulnerability “triple” to have risk
• Risk is a likelihood issue
• Risk is an impact issue
• Risk is a derived value (like speed is a derived value = distance / time)
YOU CANNOT DO RISK ANALYSIS WITH A CHECKLIST!
The Problem At Hand, Then…
1. 68% of 2012 OCR Phase I Audits Failed Risk Analysis (80% of Providers)
2. 73% of 26 OCR Resolution Agreements / CAPs Cite Failed Risk Analyses
3. Healthcare IS the Next Cybersecurity Battleground
4. Too many BOD / C-Suites are not educated and, therefore, far too disengaged from information risk management
5. Too few organizations are working to do bona fide risk management AND “mature” their information risk management processes
6. Widespread Failure to Realize It’s a Patient Safety / Quality of Care / customer experience issue … not a “HIPAA or SOX or PCI or GLBA or FERPA compliance” issue …
7. Failure to Appreciate that Risk Assessments are a Basic Foundational Step AND Required by Regulation
Governance | People | Process | Technology | Maturity
And, then there were 26… Cancer Care Group P.C.
• BLUF: $750,000 | 18 Docs ~$42K / doc | CAP
• July 19, 2012 event, Indianapolis: Employee Laptop Bag with Laptop and Server Backup Media
• 55,000 individuals’ ePHI
• From April 21, 2005…
• No Risk Analyses
• No PnPs on Device & Media Controls
The Risk Problem We’re Trying to Solve
INTEGRITY: What if my Sensitive Information is not complete, up-to-date and accurate?
CONFIDENTIALITY: What if my Sensitive Information is shared? With whom? How?
AVAILABILITY: What if my Sensitive Information is not there when it is needed?
Don’t Compromise C-I-A!
PHI, PII, Payment Card, Intel. Prop., Etc.
To Solve the Problem
1. What is our exposure of our information assets (e.g., ePHI)? (Risk Assessment)
2. What decisions do we need to make to treat or manage risks? (Risk Response)
Both Are Required in Federal Regulations AND As the Basis for any Respectable Information Security Program in Any Industry!
Pause and Quick Poll
At this time in our webinar, do you feel your organization completed a comprehensive “risk assessment” and produced a documented Risk Register?
Discussion Flow
1. Problem
2. NIST-Based Risk Assessment
3. Resources
Clearwater Information Risk Management Life Cycle
Information Risk Management Definition1
“Risk management is a comprehensive process that requires organizations to: (i) frame risk (i.e., establish the context for risk-based decisions); (ii) assess risk; (iii) respond to risk once determined; and (iv) monitor risk on an ongoing basis using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations. Risk management is carried out as a holistic, organization-wide activity that addresses risk from the strategic level to the tactical level, ensuring that risk-based decision making is integrated into every aspect of the organization.1”
1 http://clearwatercompliance.com/wp-content/uploads/SP800-39-final.pdf
Clearwater Information Risk Management Life Cycle1
1 Adopted from NIST SP800-39 - http://clearwatercompliance.com/wp-content/uploads/SP800-39-final.pdf
Pause and Quick Poll
What are the four stages of the NIST Risk Management Process?
Actions
1. Think Ongoing Program, Not Project!!
2. Become familiar with your exact requirements for Risk Assessment (e.g., HIPAA, PCI, SOX, etc.)
3. Learn the terminology of risk and risk analysis; Read supplemental material
4. Be absolutely clear on what is NOT a risk analysis
5. Select the methodology you will follow and make sure it meets requirements
6. Complete your risk analysis
7. Build and execute your risk response plan
8. Update your risk analysis at least once a year
Sample Regulatory Requirement
(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
Think “Risk Assessment”
1 http://www.ecfr.gov/cgi-bin/text-idx?SID=547a457f5304d286d3e9e0b241b76848&mc=true&node=se45.1.164_1308&rgn=div8
Sample Industry Requirement
1 https://clearwatercompliance.com/wp-content/uploads/2014/11/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf
FFIEC/GLBA Risk Assessment Requirement
1 http://ithandbook.ffiec.gov/it-booklets/information-security/introduction/coordination-with-glba-section-501%28b%29.aspx#cite-ref-0-0
“Speaking Risk”
(Figure: relationships among the risk terms, reconstructed from the diagram’s box and arrow labels.)
• Owners value Assets, wish to minimize Risks, and implement Controls & Safeguards to reduce Risks
• Controls & Safeguards may possess Vulnerabilities; Vulnerabilities may be reduced by Controls & Safeguards
• Threat Sources (Adversarial, Accidental, Structural, Environmental) give rise to Threats; Threat Sources may be aware of Vulnerabilities and wish to or may abuse, harm and/or damage Assets
• Threats exploit Vulnerabilities that exist in protecting Assets, leading to Risks to Assets; Vulnerabilities increase Risks
Key Steps in NIST SP800-30-Based Risk Assessment1
1. Include all Sensitive Information in Scope of the Analysis
2. Collect and Document Data About All Information Assets
3. Identify and Document Potential Threats and Vulnerabilities
4. Assess Current Security Measures
5. Determine the Likelihood of Threat Occurrence
6. Determine the Potential Impact of Threat Occurrence
7. Determine the Level of Risk
8. Finalize Documentation
9. Periodically Review and Update the Risk Assessment
1 http://clearwatercompliance.com/wp-content/uploads/SP800-30-Rev1_Guide_for_Conducting_Risk_Assessments_09-2012.pdf
NIST Risk Assessment Process1
01 Finalize Information Asset Inventory
02 Identify Threats & Vulnerabilities
03 Determine Likelihood & Impact
04 Determine Risk Level
What Are All the Possible Ways in Which We May Compromise Sensitive Information?
1 http://clearwatercompliance.com/wp-content/uploads/SP800-30-Rev1_Guide_for_Conducting_Risk_Assessments_09-2012.pdf
1. & 2. Scope and Collect Data
Think: Information Asset Inventory
Asset Inventory List
Seriously! …Where? How Much? What for? Who owns? Etc.
3. Identify Threats & Vulnerabilities
Think: Threat Sources, Threat Actions, Weaknesses
Identify Threat Sources, Threat Actions and Vulnerabilities
Identify Threat Sources, Threat Actions and Vulnerabilities
Threat Sources
Threat Actions
Vulnerabilities
Much to Consider
4. Assess Current Security Measures
Think: Safeguards, Countermeasures Already in Place
Mitigate = Controls
(Figure: how control types act on the threat chain; only the diagram’s labels are recoverable here.)
• Chain: Threat Source creates Threat Action; Threat Action exploits Vulnerability; the exploit results in Impact
• Control types shown: Deterrent Control, Preventive Control, Detective Control, Corrective Control, Compensating Control
• Arrow labels on the controls: Reduces Likelihood of, Protects, Discovers, May Trigger, Reduces, Decreases
Controls Help Address Vulnerabilities
Information Asset
• Laptop with ePHI
Threat Source
• Burglar who may steal Laptop with ePHI
Threat Action
• Steal Laptop
Vulnerabilities
• Device is portable
• Weak password
• ePHI is not encrypted
• ePHI is not backed up
Controls
• Policies & Procedures
• Training & Awareness
• Cable lock down
• Strong passwords
• Encryption
• Remote wipe
• Data Backup
Assess Security Controls In Place
Detailed Analysis and Cross Walk
What controls do you have in place?
5. & 6. Determine Likelihood & Impact
Think: Probability of Bad Thing Happening and, were it to happen, Impact
Determine Likelihood and Impact
Asset  | Threat Source / Action     | Vulnerability       | Likelihood | Impact
Laptop | Burglar steals laptop      | No encryption       | High (5)   | High (5)
Laptop | Burglar steals laptop      | Weak passwords      | High (5)   | High (5)
Laptop | Burglar steals laptop      | No tracking         | High (5)   | High (5)
Laptop | Shoulder Surfer views      | No privacy screen   | Low (1)    | Medium (3)
Laptop | Careless User Drops        | No data backup      | Medium (3) | High (5)
Laptop | Lightning Strike hits home | No surge protection | Low (1)    | High (5)
etc.
7. Determine Level of Risk
Think: Probability of Bad Thing Happening and, were it to happen, Impact
Determine Level of Risk
Asset  | Threat Source / Action | Vulnerability       | Likelihood | Impact     | Risk Level
Laptop | Burglar steals laptop  | No encryption       | High (5)   | High (5)   | 25
Laptop | Burglar steals laptop  | Weak passwords      | High (5)   | High (5)   | 25
Laptop | Burglar steals laptop  | No tracking         | High (5)   | High (5)   | 25
Laptop | Shoulder Surfer views  | No privacy screen   | Low (1)    | Medium (3) | 3
Laptop | Careless User Drops    | No data backup      | Medium (3) | High (5)   | 15
Laptop | Lightning Strike       | No surge protection | Low (1)    | High (5)   | 5
etc.
Establishing a Risk Value
Think Likelihood * Impact
Likelihood
Rank | Description    | Example
0    | Not Applicable | Will never happen
1    | Rare           | May happen once every 10 years
2    | Unlikely       | May happen once every 3 years
3    | Moderate       | May happen once every 1 year
4    | Likely         | May happen once every month
5    | Almost Certain | May happen once every week
Impact
Rank | Description    | Example
0    | Not Applicable | Does not apply
1    | Insignificant  | Not reportable; Remediate within 1 hour
2    | Minor          | Not reportable; Remediate within 1 business day
3    | Moderate       | Not reportable; Remediate within 5 business days
4    | Major          | Reportable; Less than 500 records compromised
5    | Disastrous     | Reportable; Greater than 500 records compromised
Risk Level (Likelihood * Impact)
• Critical = 25
• High = 15-24
• Medium = 8-14
• Low = 0-7
Risk Tolerance & Risk Appetite & Risk Threshold
“Risk tolerance is the level of risk that organizations are willing to accept in pursuit of strategic goals and objectives.”1
Our Risk Tolerance is Between 8 and 14: We May Accept Risks as High as 14; We May Avoid, Mitigate or Transfer Risks as Low as 8
Our Risk Appetite or Threshold is 12: We Will (Initially) Accept All Risks Below 12. We Will Avoid, Mitigate and/or Transfer All Risks 12 or Above.
(Figure: a 0 to 25 risk scale marked LOW, MEDIUM, HIGH and CRITICAL, with the tolerance band and the threshold drawn on it.)
1 http://clearwatercompliance.com/wp-content/uploads/SP800-39-final.pdf
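As an added example (not Clearwater’s IRM|Analysis™ software or any code from the deck), the scoring rule above in Python: Likelihood × Impact on the 0-5 ranks, the Critical/High/Medium/Low bands, and the tolerance band and accept-below-12 threshold applied to the laptop rows from the risk-level table. The threat and vulnerability strings are re-typed from the slides as constructed input; the class and function names are my own.

```python
"""Risk register scoring with the deck's 0-5 Likelihood / Impact ranks.
Added example, not Clearwater code: the ranks, the Likelihood * Impact
product, the bands and the threshold of 12 come from the slides."""
from dataclasses import dataclass

# Rank -> description, from the deck's Likelihood and Impact tables.
LIKELIHOOD = {0: "Not Applicable", 1: "Rare", 2: "Unlikely",
              3: "Moderate", 4: "Likely", 5: "Almost Certain"}
IMPACT = {0: "Not Applicable", 1: "Insignificant", 2: "Minor",
          3: "Moderate", 4: "Major", 5: "Disastrous"}

# Risk bands from the deck: Critical = 25, High = 15-24, Medium = 8-14, Low = 0-7.
BANDS = [(25, "Critical"), (15, "High"), (8, "Medium"), (0, "Low")]
# Risk appetite / threshold from the deck: accept below 12, treat 12 or above.
RISK_THRESHOLD = 12
# Risk tolerance band from the deck: scores 8..14 may be accepted or treated.
RISK_TOLERANCE = (8, 14)


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str          # threat source / action
    vulnerability: str
    likelihood: int      # rank 0-5
    impact: int          # rank 0-5

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError("likelihood and impact must be ranks 0-5")

    @property
    def risk(self) -> int:
        # Risk is a derived value, like speed: Likelihood * Impact (0..25).
        return self.likelihood * self.impact


def risk_band(score: int) -> str:
    """Map a 0-25 risk score to the deck's Critical/High/Medium/Low band."""
    if not 0 <= score <= 25:
        raise ValueError("risk score must be 0..25")
    for floor, name in BANDS:
        if score >= floor:
            return name
    raise AssertionError("unreachable: the Low band starts at 0")


def response(score: int, threshold: int = RISK_THRESHOLD) -> str:
    """Accept below the threshold; avoid, mitigate or transfer at or above it."""
    if score >= threshold:
        return "treat"
    # Scores inside the tolerance band but below the threshold are accepted
    # initially; label them so the acceptance is a recorded decision.
    low, high = RISK_TOLERANCE
    return "accept (within tolerance)" if low <= score <= high else "accept"


def build_register(entries):
    """Return register rows sorted riskiest-first (the 'riskiest assets' view)."""
    rows = []
    for e in entries:
        rows.append({"asset": e.asset, "threat": e.threat,
                     "vulnerability": e.vulnerability,
                     "likelihood": f"{LIKELIHOOD[e.likelihood]} ({e.likelihood})",
                     "impact": f"{IMPACT[e.impact]} ({e.impact})",
                     "risk": e.risk, "band": risk_band(e.risk),
                     "response": response(e.risk)})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


# Constructed sample input: the laptop rows from the deck's risk-level table.
SAMPLE = [
    RiskEntry("Laptop", "Burglar steals laptop", "No encryption", 5, 5),
    RiskEntry("Laptop", "Burglar steals laptop", "Weak passwords", 5, 5),
    RiskEntry("Laptop", "Shoulder Surfer views", "No privacy screen", 1, 3),
    RiskEntry("Laptop", "Careless User Drops", "No data backup", 3, 5),
    RiskEntry("Laptop", "Lightning Strike", "No surge protection", 1, 5),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE):
        print(f"{row['risk']:>2} {row['band']:<8} {row['response']:<26} "
              f"{row['threat']} / {row['vulnerability']}")
```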
8. Finalize Documentation
Think: Best Basis for Decision Making & Report Package for Auditors
Asset Inventory Report
Show that you know where all the ePHI lives!
Risk Analysis Method - HHS OCR Guidance on Risk Analysis
• Scope of the Analysis - all ePHI must be included in risk analysis
• Data Collection – it must be documented
• Identify and Document Potential Threats and Vulnerabilities
• Assess Current Security Measures
• Determine the Likelihood of Threat Occurrence
• Determine the Impact of Threat Occurrence
• Determine the Level of Risk
The System Enables:
• Finalize Documentation
• Periodic Review and Updates
Show your work!
What A Risk Analysis Report Looks Like…
Show you’ve identified all risks!
Dashboard - Risk Rating Distribution
Show that you know how risks are distributed!
What A Risk Analysis Report Looks Like…
Show You Know Your Riskiest Assets!
Risk Assessment Fundamentals
• Must be possible to have loss or harm in order to have risk
• Must have asset-threat-vulnerability to have risk
• Risk is a likelihood issue
• Risk is an impact issue
• Risk is a derived value (like speed is a derived value = distance / time)
• Fundamental nature of Risk is universal
• Critical Output: Risk Register
9. Periodic Review & Updates to RA
Think: Journey, Not Destination… Not a Once and Done!
Ongoing, Mature Business Process
Show your Ongoing Effort!
Pause and Quick Poll
On second thought, has your organization completed a comprehensive “risk assessment” and produced a documented Information Risk Register?
Discussion Flow
1. Problem
2. NIST-Based Risk Assessment
3. Resources
Clearwater Information Risk Management Life Cycle
IRM | Analysis™ Software
Our unique risk analysis software1 solution facilitates the WorkShop™ and allows your organization to be as self-sufficient as you choose! … And, to operationalize your Information Risk Management Program:
• Insight: Understand significant threats and vulnerabilities
• Controls: Determine if you have the right controls in place
• Risk Rating: View critical risks on intuitive dashboards and reports
• Manage Complexity: Automate the management of risk information across complex enterprises
• Plan and Evaluate: Plan a course of action to reduce critical risks
• Implementation: Manage the implementation of effective safeguards
1 Guided Tour of IRM|Analysis™ – the Clearwater Risk Analysis Software
30-Day Free Trial! Call Tracy at: 800-704-3394 x3010
30-Day Free Trial of IRM|Analysis™ - First Time Ever
Get a Jump on 2016 Risk Analysis
Strictly follows the NIST and HHS/OCR guidance
Award-winning HIPAA Risk Analysis Software!
http://clearwatercompliance.com/risk-analysis-free-trial
Contact Us Today for this Limited Time Offer
[email protected] x 2002
Please Call Back If Our Lines Are Busy
Exclusive
Clearwater WorkShop™ Process
Proven Methodology, Continuously Improved Over Years
• Overall Program Management
• Used for Both Risk Analyses and Compliance Gap Assessments (Security, Privacy & Breach Notification)
• Leverages Basecamp Project Management tool for secure collaboration and communication
• Methodology ensures consistency of approach across all work streams in the engagement
• Leverages IRM|Pro™ Software Suite
• Major deliverables from each WorkShop™
  • Fully-Provisioned Software with analysis / assessment results
  • Trained Team in methodology and software
  • Findings, Observations & Recommendations
01 Preparation (t-4)
• Plan / Gather / Schedule
• Read Ahead / Review Materials
• Provide SaaS Subscription / Train
• Administer Surveys
02 Onsite Discovery/Assessment (t=0)
• Facilitate & Discover
• Educate & Equip
• Evaluate & Advise
• Gather & Populate SaaS
03 Written Report (t+2)
• Analyze Findings
• Document Observations
• Develop Recommendations
• Present and Sign Off
Supplemental Reading
• NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments
• NIST SP800-34 Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39 Managing Information Security Risk
• NIST SP800-53 Rev 4 Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP800-53A, Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
• NIST SP800-115 Technical Guide to Information Security Testing and Assessment
• MU Stage 2 Hospital Core 7 Protect Electronic Health Info 2012-11-05
• CMS MU Stage1 vs Stage2 Comparison Tables for Hospitals
• CMS Security Risk Assessment Fact Sheet (Updated 20131122)
• NIST Risk Management Framework 2009
Remember! Security Rule is Based on NIST!
Clearwater HIPAA Compliance and Information Risk Management BootCamp™
Take Your HIPAA Privacy and Security Program to a Better Place, Faster …
Earn up to 10.8 CPE Credits!
http://clearwatercompliance.com/bootcamps/
Designed for busy professionals, the Clearwater Information Risk Management BootCamp™ distills into one action-packed day, the critical information you need to know about the HIPAA Privacy and Security Final Rules and the HITECH Breach Notification Rule.
Join us for our next virtual, web-based events… Three, 3hr sessions:
• February 11th, 18th, 25th 2016
• May 5th, 12th, 19th 2016
Join us for our next Live Event: April 21, 2015 - Orlando
Other Upcoming Clearwater Events
Visit ClearwaterCompliance.com for more info!
• November 13, 2015 – Complimentary Webinar: How to Prepare for a Privacy/Breach OCR Audit or Investigation
• November 20, 2015 – Complimentary Webinar: How to Conduct NIST-based Risk Response to Comply with HIPAA & Other Regulations
• December 3, 2015 – Complimentary Webinar: How to Calculate the Cost of a Data Breach and How to Get the Budget for Your HIPAA-HITECH Compliance Program
• December 8, 2015 – Complimentary Webinar: How to Mature Your Information Risk Management Program
Resources
Register For Upcoming Live HIPAA-HITECH Webinars at:
https://clearwatercompliance.com/webinars/
NEW – Education Tracks
Register For Our NEW Educational Tracks: https://clearwatercompliance.com/hipaa-education/educational-tracks/
Key Points to Remember
1. Healthcare is the Next Cyber Security Battleground & the Case for Action is Compelling – Much to Lose and Lots of Potential Harm
2. You Cannot Check-List Your Way to Information Risk Management Success
3. Adopt a Framework; Consider NIST
4. Must Establish, Operationalize and Mature an Information Risk Management Program
5. Take advantage of Resources Provided
Business Risk Management Issue NOT an “IT Problem”
Contact
Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US
http://[email protected]
Phone: 800-704-3394 or 615-656-4299
Clearwater Compliance LLC
Exit Survey, Please
WWW.CLEARWATERCOMPLIANCE.COM
(800) 704-3394
http://www.linkedin.com/in/bobchaput/
@clearwaterhipaa
ClearwaterCompliance
Clearwater Compliance
The Clearwater Engagement Model
Proven, Flexible Engagement Model - 100s of Successes | We Want Our Customers to Become Self-Sufficient
“We do it for you”: Clearwater provides content, strategy, leadership, tools, software and resources to complete gap assessments and risk analyses. Customer reviews recommendations.
“We do it with you”: Clearwater and Customer teams perform gap assessments and risk analyses, validate findings, observations and recommendations, prioritize remediation items and develop recommendations.
“We train you to do it”: Clearwater teaches Customer how to perform gap assessments and risk analyses AND to measure information risk management maturity levels to establish continuous process improvement.
(Figure: Clearwater’s Role decreases and Customer’s Role increases across the three models.)
Why Clearwater
Clearwater Compliance – A Better, Brighter Idea!
• Highly Reference-able Hospital / Health System Customer Base, with Exclusive AHA Endorsement
• Commercially Competitive Professional Services Fees
• Proven Experience in Large Complex Healthcare Environments
• Independent, Objective Advisory Services with No Vendor Ties
• Deep Experience with 35+ Organizations Audited by OCR, CMS & OIG
• Business Risk Management Focus While Achieving Regulatory Compliance
• Seasoned, Credentialed Professionals in Healthcare Privacy, Security, Compliance & Information Risk Management
• Significant Post Breach Experience and Partner Network