2012 10 19 risk analysis training deck
TRANSCRIPT
© 2010-12 Clearwater Compliance LLC | All Rights Reserved© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Clearwater HIPAA Risk Analysis™
1
Jon Stone, MPA, [email protected]
2
25+ years in Healthcare in the provider, payer and healthcare quality improvement fieldsInnovator | Strategic Program Manager | Consultant | Executive15+ years of strategic leadership for compliance and Healthcare information technology projects involving the most sensitive ePHI for companies such as CIGNA, Healthways and Ingenix.PMP, MPA - Healthcare Policy and Administration
Jon Stone, MPA, PMP
Jon Stone, MPA, [email protected]
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
45 C.F.R. §164.308(a)(8)
Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
Security Evaluation v. Risk Analysis
3
45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Security45 CFR 164.308(a)(1)
(ii)(A)
Two Dimensions of HIPAA
Security Business Risk Management
Compliance45 CFR 164.308(a)(8)
4
Overall Business Risk Management Program;Not “an IT project”
© 2011-2012 Clearwater Compliance LLC | All Rights Reserved
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Regardless of the risk analysis methodology employed…1. Scope of the Analysis - all ePHI that an organization creates, receives, maintains, or transmits
must be included in the risk analysis. (45 C.F.R. § 164.306(a)).
2. Data Collection - The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316 (b)(1).)
3. Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
…from HHS/OCR Final Guidance
4. Assess Current Security Measures - Organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
5. Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
6. Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
7. Determine the Level of Risk - The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
8. Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).)
9. Periodic Review and Updates to the Risk Assessment - The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)
5
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Risk Management GuidanceGuidance on Risk Analysis Requirements under the HIPAA Security Rule Final
6
• NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments – DRAFT
• NIST SP800-34 Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39-final_Managing Information Security Risk • NIST SP800-53 Revision 3 Final, Recommended controls for Fe
deral Information Systems and Organizations• NIST SP800-53A, Rev 1, Guide for Assessing the Security Cont
rols in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
What A Risk Analysis Is Not
• A network vulnerability scan• A penetration test• A configuration audit• A network diagram review• A questionnaire• Information system activity review
7
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
What A Risk Analysis Is…
8
1NIST SP800-30
A Risk Analysis IS the process of identifying, prioritizing, and estimating risks to
organizational operations (including mission, functions, image, reputation), organizational
assets, individuals, other organizations, …, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers
mitigations provided by security controls planned or in place1.
© 2010-12 Clearwater Compliance LLC | All Rights Reserved9
Inventory Information Assets that Store ePHI
Understand Significant Threats and Vulnerabilities
Determine if You Have the Right
Controls in Place
Determine Your Likelihood of Harm
and Risk Rating
Create Compliance Documentation and
Management Reports
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Delivers mature methodology with the unique Clearwater Risk Algorithm™ for healthcare.Records a complete repository about information assets and the associated threats, vulnerabilities and risk rating Strictly follows HHS/OCR guidance and NIST risk assessment processesHighlights security control deficiencies Permanently records and updates your current security risk profile Perpetual Information Asset Inventory and Risk Analysis repository
Clearwater HIPAA Risk Analysis™ - Features
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
The Risk Analysis Dilemma
Assets and MediaBackup MediaDesktopDisk ArrayElectronic Medical DeviceLaptopPagerServerSmartphoneStorage Area NetworkTabletThird-party service providerEtcetera…
NIST SP 800-53 Controls
PS-6 a The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
PS-6 b The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
AC-19 a The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices.
AC-19 b The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.
AC-19 d The organization enforces requirements for the connection of mobile devices to organizational information systems.
AC-19 e The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. Etcetera…569
Approximately 170,000,000 Permutations
11
VulnerabilitiesAnti-malware VulnerabilitiesDestruction/Disposal VulnerabilitiesDormant AccountsEndpoint Leakage VulnerabilitiesExcessive User PermissionsInsecure Network ConfigurationInsecure Software Development Processes
Insufficient Application CapacityInsufficient data backup
Insufficient data validationInsufficient equipment redundancyInsufficient equipment shieldingInsufficient fire protectionInsufficient HVAC capabilityInsufficient power capacityInsufficient power shieldingEtcetera…
Threat ActionsBurglary/TheftCorruption or destruction of important dataData LeakageData LossDenial of ServiceDestruction of important dataElectrical damage to equipmentFire damage to equipmentInformation leakageEtcetera…
Threat AgentBurglar/ ThiefElectrical IncidentEntropyFire
FloodInclement weather
MalwareNetwork Connectivity OutagePower Outage/InterruptionEtcetera…
© 2010-12 Clearwater Compliance LLC | All Rights Reserved12
The Unique Clearwater Risk Algorithm
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Software Demonstration
13
Click Here to Go To Website
© 2010-12 Clearwater Compliance LLC | All Rights Reserved14
Risk Rating Report
© 2010-12 Clearwater Compliance LLC | All Rights Reserved15
For more assistance
Call 1-800-704-3394 for support Don’t forget the FAQs For release notes and video FAQs go to
http://clearwatercompliance.com/hipaa/blog/
Email [email protected]
© 2010-12 Clearwater Compliance LLC | All Rights Reserved16
Questions?
© 2011-2012 Clearwater Compliance LLC | All Rights Reserved 17
Need help with resources or expertise?