Redspin Webinar - Prepare for a HIPAA Security Risk Analysis

Date posted: 18-Dec-2014

Description:
Learn how to prepare your organization for a HIPAA Risk Analysis. In this webinar, we'll cover a few easy proactive steps you can take to speed up the process, improve the outcome and lower the potential mitigation costs of performing a HIPAA Security Risk Analysis and achieving the meaningful use core objectives around safeguarding electronic protected health information.
Transcript
Page 1: Redspin Webinar - Prepare for a HIPAA Security Risk Analysis

How to Prepare Your Organization for a HIPAA Security Risk Analysis

Presented by:

John Abraham

Founder & Chief Security Evangelist

Redspin

Page 2

About Redspin

• Penetration Testing

– External Infrastructure

– Internal Infrastructure

– Web Applications

• IT Security Controls

– HIPAA

– FFIEC/GLBA

– PCI

– NERC

• Social Engineering

Page 3

About The Speaker

John Abraham, Founder & Chief Security Evangelist

As Redspin's founder and Chief Security Evangelist, John is passionate about the importance of a structured information security program that enables management to focus IT resources on the most pressing security risk. John's belief is that addressing subtle issues within an organization's IT environment can yield significant business impact, so an ounce of prevention is the key operative behavior of successful risk management programs. John is one of Redspin's health IT security specialists, is a regular speaker on topics of security and healthcare ePHI risk management, and enjoys working with IT teams, compliance officers and executives on practical approaches to data security mitigation strategies.

Page 4

Preparing Your Organization for a HIPAA Security Risk Analysis

What we’ll cover today:

What is it?

How does it fit into my security program?

What are the preparation steps?

How can I avoid pitfalls & maximize value?

Page 5

Why now?

Meaningful use core objective (protecting ePHI)

HIPAA Compliance

Risk management

Page 6

Part 1: HIPAA Security Risk Analysis

1. What is it?

2. How does it fit into my security program?

3. What are the preparation steps?

4. How can I avoid pitfalls & maximize value?

Page 8

HIPAA Security Rule § 164.308(a)(1)(ii)(A)

“Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”

Page 9

What is a Risk Analysis? (Also called: Risk Assessment)

Assessment of risk

CIA: confidentiality, integrity and availability

EPHI: created, received, maintained, transmitted

Page 10

How is it performed? It’s an evaluation

1. Where is the ePHI, and what are the critical applications?

2. Threats

3. Vulnerabilities

4. Existing controls (effective?)

5. Determine risk (= probability * impact)
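The five steps above, carried through on a small constructed risk register, as an added example that is not part of the webinar or of Redspin's material. The assets, threats, scores and the rule that an effective control lowers probability by two points are constructed assumptions; the slide itself states only that risk = probability * impact. The example also makes step 4's "effective?" question concrete: a control that merely exists leaves the residual risk unchanged.

```python
"""Worked risk register for the five risk-analysis steps.

Added illustration, not Redspin's code.  Asset names, threats, scores
and the control-effectiveness adjustment are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class RiskItem:
    asset: str                       # step 1: where ePHI lives / critical app
    threat: str                      # step 2
    vulnerability: str               # step 3
    probability: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                      # 1 (negligible) .. 5 (severe) for C/I/A of ePHI
    control: str = "none"            # step 4: existing control, if any
    control_effective: bool = False  # True only if the control was tested, not just documented

    def inherent_risk(self) -> int:
        """Step 5 as stated on the slide: risk = probability * impact."""
        return self.probability * self.impact

    def residual_risk(self) -> int:
        """Assumption: an effective control lowers probability by 2 (floor 1).
        A control that exists but is not effective changes nothing."""
        p = max(1, self.probability - 2) if self.control_effective else self.probability
        return p * self.impact


def sample_register() -> List[RiskItem]:
    """Constructed sample data for a small covered entity."""
    return [
        RiskItem("EHR database server", "external attacker", "unpatched database service",
                 probability=4, impact=5, control="quarterly patch cycle", control_effective=True),
        RiskItem("Clinician laptops", "theft or loss", "ePHI stored without disk encryption",
                 probability=4, impact=4, control="encryption policy", control_effective=False),
        RiskItem("Clearinghouse file transfer", "interception in transit",
                 "plaintext FTP to business associate", probability=3, impact=4),
        RiskItem("Offsite backup tapes", "loss in transit", "unencrypted backup media",
                 probability=2, impact=5),
    ]


def prioritize(items: List[RiskItem]) -> List[RiskItem]:
    """Rank by residual risk, then inherent risk, so the action plan starts at the top."""
    return sorted(items, key=lambda r: (-r.residual_risk(), -r.inherent_risk(), r.asset))


def register_report(items: List[RiskItem]) -> List[str]:
    """One line per item, highest residual risk first."""
    lines = []
    for r in prioritize(items):
        if r.control == "none":
            note = "no control"
        elif r.control_effective:
            note = "effective"
        else:
            note = "exists, not shown effective"
        lines.append(f"{r.residual_risk():>2} (inherent {r.inherent_risk():>2}) "
                     f"{r.asset}: {r.threat} / {r.vulnerability}; control: {r.control} ({note})")
    return lines


if __name__ == "__main__":
    for line in register_report(sample_register()):
        print(line)
```

With these constructed scores the laptops rank first even though the database server has the higher inherent risk: the patching control was verified, the encryption policy was not, which is exactly the gap a check-box review would miss.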

Page 11

Flexibility on RA Approach

“Security Rule does not prescribe a specific risk analysis methodology”

“Methods will vary dependent on the size, complexity, and capabilities of the organization”

“There are numerous methods of performing risk analysis”

“There is no single method or 'best practice' that guarantees compliance with the Security Rule”

Guidance on Risk Analysis Requirements under the HIPAA Security Rule, July 14, 2010

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf

Page 12

Goals and Objectives

Identify (and prioritize) risk

Ensure controls are working

Recommend improvements

Foundation for robust security program

Achieve compliance

- HIPAA Security Rule & Meaningful Use

Page 13

Expected Outcomes

IT transparency

Executive understanding of current state of security

Prioritized view of risk

Provide data needed to create IT action plan

Page 14

Part 2: HIPAA Security Risk Analysis

1. What is it?

2. How does it fit into my security program?

3. What are the preparation steps?

4. How can I avoid pitfalls & maximize value?

Page 15

Source: ISO 27001, NIST SP 800-39, PCI DSS, FFIEC, COBIT, HIPAA Administrative Safeguards (§164.308), ...

Page 18

Risk Analysis

“Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.”

“A risk analysis is foundational”

“The Security Rule requires entities to evaluate risks and vulnerabilities... and to implement reasonable and appropriate security measures... Risk analysis is the first step in that process.”

Guidance on Risk Analysis Requirements under the HIPAA Security Rule, July 14, 2010

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf

Page 19

Part 3: HIPAA Security Risk Analysis

1. What is it?

2. How does it fit into my security program?

3. What are the preparation steps?

4. How can I avoid pitfalls & maximize value?

Page 20

Organizational Resources

• Time

– Vendor selection (2-8 weeks)

– Risk Analysis timeline (1-4 weeks)

• People

– Vendor selection (IT, compliance, executive)

– During RA (1 liaison)

• Budget

– Varies depending on size/complexity

Page 21

What about cost?

Variables

– Depends on complexity, satellite locations, …

– Web application and network penetration testing

– Social engineering

– Business associate risk

Page 22

What is needed for a proposal?

What is the size & complexity of the IT environment?

Key criteria...

RFP Template

Page 23

What is needed for analysis?

Liaison

ePHI inventory

Critical business associates

ISO – the person responsible for security

Security policy

Documentation (whatever is available)

- Network diagrams, audit results, system docs

Page 24

Part 4: HIPAA Security Risk Analysis

1. What is it?

2. How does it fit into my security program?

3. What are the preparation steps?

4. How can I avoid pitfalls & maximize value?

Page 25

Pitfall 1: Waiting for the network to stabilize

It never does!

Page 26

Pitfall 2: Assuming a control addresses risk

Existence does not equal Effective

Page 30

Pitfall 3: Thinking compliance is security

Compliance does not equal Security

Page 32

Pitfall 4: Waiting until you implement ____

It may not be a high priority

Page 33

Pitfall 5: Using a check-box approach to RA

False positives make you look bad

Creates focus on less important issues while missing critical risk

Expensive mitigation

Lack of context

Page 34

HIPAA Security Rule

Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.

Page 35

HIPAA Security Rule

In deciding which security measures to use, a covered entity must take into account the following factors:

– (i) The size, complexity, and capabilities of the covered entity.

– (ii) The covered entity's technical infrastructure, hardware, and software security capabilities.

– (iii) The costs of security measures.

– (iv) The probability and criticality of potential risks to electronic protected health information.

Page 36

Summary: HIPAA Security Risk Analysis

What is it?

How does it fit into my security program?

What are the preparation steps?

How can I avoid pitfalls & maximize value?

