Redspin Webinar: Business Associate Risk
DESCRIPTION
Webinar on how healthcare organizations can manage business associate IT security risk.
TRANSCRIPT
![Page 1: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/1.jpg)
Navigating Business Associate IT Security Risk
John Abraham – Redspin Security Evangelist
![Page 2: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/2.jpg)
New Responsibilities
Part 1
For business associates and covered entities under HIPAA / HITECH Act
![Page 3: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/3.jpg)
Expanded Definitions
Work for CE + Access PHI = BA
Data transmission providers
Subcontractors to BA
![Page 4: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/4.jpg)
HIPAA Security Rule... Applies to:
A) Covered Entities
B) Business Associates
C) Subcontractors
D) All of the above
![Page 5: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/5.jpg)
Oops, I didn't know
“lack of knowledge” is not a defense*
AKA what you don't know
{about BAs}
can hurt you
* 75 Federal Register 40878, July 14th, 2010 NPRM
![Page 6: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/6.jpg)
BAs' Dual Risk
Liability to government (HIPAA)
Liability to CE (BAA)
![Page 7: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/7.jpg)
CEs' Dual Risk
Liability to government (HIPAA)
Liability to government (BA security)
![Page 8: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/8.jpg)
Penalties throughout PHI supply chain
CEs, BAs, Subcontractors
![Page 9: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/9.jpg)
What This Means
Part 2
![Page 10: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/10.jpg)
Active Enforcement
Fines
State budget crisis
State Attorneys General
![Page 11: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/11.jpg)
Recent Enforcement Actions*
Cignet: $4.3 million
Failure to provide 41 patient records, ignored subpoena
Mass. General Hospital: $1 million
192 patient records left on subway
CAP: Policies, procedures, training, auditing, reporting, security controls
* http://www.hhs.gov/news/
![Page 12: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/12.jpg)
Transparency
Right-to-audit clause in BAA
![Page 13: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/13.jpg)
HIPAA Security Rule
Everyone needs to be compliant
Everyone needs sound risk management
![Page 14: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/14.jpg)
Effectively Manage Your Own Risk
Part 3
![Page 15: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/15.jpg)
Three rules
Focus
Existence != Effective
Compliance != Security
![Page 16: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/16.jpg)
Rule 1:
Everyone has risk. Focus on critical.
![Page 17: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/17.jpg)
Systematic Risk Management
Focus, focus, focus
![Page 18: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/18.jpg)
Source: ISO 27001, NIST SP 800-39, PCI DSS, FFIEC, COBIT, HIPAA - Administrative Safeguards (§164.308), ...
![Page 19: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/19.jpg)
![Page 20: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/20.jpg)
![Page 21: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/21.jpg)
Systematic risk management
Everyone has lots of risk → focus
Let risk drive controls → focus
Avoid over spending/implementing → focus
Rule 1:
Focus
![Page 22: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/22.jpg)
Rule 2:
Existence does not equal
Effective
![Page 23: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/23.jpg)
![Page 24: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/24.jpg)
```
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
...
access-list out permit tcp any host 10.0.0.15 eq smtp
access-list out permit tcp any host 10.0.0.15 eq www
access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0
access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp
access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq https
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq 37
access-list in permit udp 172.16.0.0 255.255.255.0 any eq time
access-list in permit udp 172.16.0.0 255.255.255.0 any eq domain
access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq ssh
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq daytime
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq https
...
ip address outside 10.0.0.2 255.255.255.0
ip address inside 172.16.0.2 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 10.0.0.3
nat (inside) 1 172.16.0.0 255.255.255.0 0 0
static (dmz,outside) 10.0.0.15 192.168.0.13 netmask 255.255.255.255 0 0
access-group out in interface outside
access-group in in interface inside
access-group dmz in interface dmz
...
```
![Page 25: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/25.jpg)
![Page 26: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/26.jpg)
![Page 27: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/27.jpg)
Rule 2:
Don't just assume a control is working.
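The firewall configuration on slides 24 and 25 is the kind of control that exists on paper but is not necessarily effective, and the only way to know is to check it. The script below is an added example, not part of the webinar or of Redspin's material: it parses a handful of those PIX access-list lines (embedded as a constructed sample), applies first-match semantics, and reports rules that are shadowed by an earlier rule, permits with no protocol or port restriction, and UDP rules that name a TCP-only service. The shadowing definition, the finding categories and the short TCP-only service list are my own assumptions, not PIX semantics documented on the page.

```python
"""Static audit of PIX-style access-list lines (added example, not from the
webinar).  Reports shadowed rules, overly broad permits and protocol/service
mismatches so that a reviewer does not have to assume a rule is working."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the PIX configuration shown on the slides.
SAMPLE_CONFIG = """
access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0
access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp
access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq www
"""

# Assumption: services that are only carried over TCP (short list, not exhaustive).
TCP_ONLY = {"telnet", "ssh", "smtp", "www", "https", "ftp"}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    acl: str
    index: int            # position within its ACL; first match wins
    action: str           # permit | deny
    proto: str            # ip | tcp | udp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[str]   # None means any destination port

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        proto_ok = self.proto == "ip" or self.proto == other.proto
        port_ok = self.port is None or self.port == other.port
        return (proto_ok and port_ok
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst))


def _endpoint(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_rules(text: str) -> List[Rule]:
    """Turn access-list lines into Rule objects; other lines are ignored."""
    rules, counts = [], {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        acl, action, proto = t[1], t[2], t[3]
        src, i = _endpoint(t, 4)
        dst, i = _endpoint(t, i)
        port = t[i + 1] if i + 1 < len(t) and t[i] == "eq" else None
        counts[acl] = counts.get(acl, 0) + 1
        rules.append(Rule(acl, counts[acl], action, proto, src, dst, port))
    return rules


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding string per problem, in rule order."""
    findings = []
    for r in rules:
        # First earlier rule in the same ACL that already matches everything r matches.
        for e in (e for e in rules if e.acl == r.acl and e.index < r.index):
            if e.covers(r):
                kind = "redundant" if e.action == r.action else "never reached"
                findings.append(f"{r.acl}#{r.index} {kind}: shadowed by "
                                f"{r.acl}#{e.index} ({e.action} {e.proto})")
                break
        if r.action == "permit" and r.proto == "ip":
            findings.append(f"{r.acl}#{r.index} broad: permit ip {r.src} -> {r.dst} "
                            "(all protocols and ports)")
        if r.proto == "udp" and r.port in TCP_ONLY:
            findings.append(f"{r.acl}#{r.index} mismatch: udp rule names TCP-only "
                            f"service '{r.port}'; it does not permit that service")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE_CONFIG)):
        print(finding)
```

On the sample this reports four findings: the DMZ host's `permit ip` into the whole inside network is flagged as broad, the later `permit tcp ... eq smtp` for the same host is redundant because that first rule already allows it, the `udp ... eq telnet` line is a protocol mismatch, and the host-specific `permit ... eq www` on the inside ACL is redundant because `permit tcp ... any eq www` precedes it. Replace `SAMPLE_CONFIG` with the text of a full configuration to audit it; a rule reported as "never reached" is one whose opposite-action predecessor makes it dead, which is the case most worth a second look.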
![Page 28: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/28.jpg)
Rule 3:
Compliance does not equal
Security
![Page 29: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/29.jpg)
![Page 30: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/30.jpg)
Effectively Manage Business Associate Risk
Part 4
![Page 31: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/31.jpg)
Systematic Approach
1. Identify
2. Classify
3. Prioritize
4. Additional Evaluation
5. Monitor
![Page 32: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/32.jpg)
Systematic Approach
1. Identify
2. Classify
3. Prioritize
4. Additional Evaluation
5. Monitor
Matrix
![Page 33: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/33.jpg)
Systematic Approach
1. Identify
2. Classify
3. Prioritize
4. Additional Evaluation
5. Monitor
Questionnaire
HIPAA Risk Analysis
![Page 34: Redspin Webinar Business Associate Risk](https://reader034.vdocument.in/reader034/viewer/2022051817/5492dd8bb47959744d8b4708/html5/thumbnails/34.jpg)
Summary
For BAs & CEs
New responsibilities (HIPAA Sec. Rule)
Increased accountability / scrutiny
Need effective (true) risk management
BAs need to be ready to be audited by CEs
CEs need to be ready to audit BAs