© 2010-12 Clearwater Compliance LLC | All Rights Reserved
How to Conduct a Bona Fide HIPAA Security Risk Analysis
Welcome to today’s Live Event… we will begin shortly… Please feel free to use “Chat” or “Q&A” to tell us any ‘burning’ questions you may have in advance…
Bob Chaput, MA, CISSP, CIPP/US, CHP, CHSS, MCSE 615-656-4299 or 800-704-3394
[email protected] Clearwater Compliance LLC
How to Conduct a Bona Fide HIPAA Security Risk Analysis
December 18, 2012
Bob Chaput MA, CISSP, CIPP/US, CHP, CHSS
• CEO & Founder – Clearwater Compliance LLC
• 30+ years in Business, Operations and Technology
• 20+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Numerous Technical Certifications (MCSE, MCSA, etc.)
• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates, Financial Services, Retail, Legal
• Member: IAPP, ISC2, HIMSS, ISSA, HCCA, ACHE, AHIMA, NTC, ACP, SIM, Chambers, Boards
http://www.linkedin.com/in/BobChaput
Our Passion
We’re excited about what we do because… we’re helping organizations safeguard the very personal and private healthcare information of millions of fellow Americans… And, keeping those same organizations off the Wall of Shame…!
HIPAA-HITECH Credentials
• Since 2010
• ~250 Customers; across US
• Compliance Assessments | Risk Analyses | Technical Testing | Policies & Procedures | Training | Remediation | Executive Coaching | BootCamps
• ~10 Audits & Investigations currently
• >100 Audits in past
• Raving Fan customers!
Mega Session Objective
Help You Understand and Address This Very Specific HIPAA / Security Foundational Requirement … Separate Fact from Fiction
Poll #1 – How Many Webinars?
Session Objectives
1. Understand & Review Regulatory Requirements, Potential Liabilities and HHS/OCR Final Guidance
2. Understand Risk Analysis & Management Essentials
3. Learn how to Complete a Risk Analysis
Three Dimensions of HIPAA Security Business Risk Management
1. Compliance: 45 CFR 164.308(a)(8)
2. Security: 45 CFR 164.308(a)(1)(ii)(A)
3. Test & Audit: 45 CFR 164.308(a)(8) & OCR Audit Protocol
Related Webinars to View
• The Critical Difference: HIPAA Security Evaluation v HIPAA Security Risk Analysis
• How to Conduct the Periodic Security Evaluation Required by HIPAA Security Rule
HITECH meets HIPAA … at Meaningful Use
Risk Analysis (45 CFR 164.308(a)(1)(ii)(A)) is where the HIPAA Security Final Rule and the Meaningful Use Final Rule meet.
Risk Analysis Implementation Spec
45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process
(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Risk Analysis is Not Going Away
HHS/OCR Final Guidance
Regardless of the risk analysis methodology employed…
1. Scope of the Analysis – all ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a).)
2. Data Collection – The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)
3. Identify and Document Potential Threats and Vulnerabilities – Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
4. Assess Current Security Measures – Organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
5. Determine the Likelihood of Threat Occurrence – The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
6. Determine the Potential Impact of Threat Occurrence – The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
7. Determine the Level of Risk – The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
8. Finalize Documentation – The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).)
9. Periodic Review and Updates to the Risk Assessment – The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)
Risk Management Guidance
Guidance on Risk Analysis Requirements under the HIPAA Security Rule (Final)
• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments
• NIST SP800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39 (Final), Managing Information Security Risk
• NIST SP800-53 Revision 3 (Final), Recommended Security Controls for Federal Information Systems and Organizations
• NIST SP800-53A Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
Failure to Comply – Key Concerns
• OCR Investigations
• CMS Audits / FCA
• OCR Audits
Poll #2 (OCR Audit)
Risk Analysis Audit Protocols
Established Performance Criteria: §164.308(a)(1) Security Management Process – §164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Key Activity: Conduct Risk Assessment
Audit Procedures:
1. Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
2. Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI.
3. Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity's environment.
4. Determine if the covered entity risk assessment has been conducted on a periodic basis.
5. Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.
OCR Corrective Action Plans
CAPs compared: MEEI, CVS, Rite-Aid, BCBS TN, Mass General Hospital, Phoenix Cardiac Surgery, UCLA, AK DHSS
CAP Requirement (number of the eight CAPs that include it):
• Establish a Comprehensive Information Security Program: 1 of 8
• Designate an accountable Security Owner: 2 of 8
• Develop and maintain privacy and security policies and procedures to comply with Federal standards: 7 of 8
• Distribute and update policies and procedures: 7 of 8
• Procedures to include responding to security incidents: 7 of 8
• Implement training with certifications and sanctions for non-compliance: 7 of 8
• Conduct a Risk Analysis and a Risk Management Process: 8 of 8
• Design and Implement Reasonable Administrative, Physical and Technical Safeguards to control risks: 8 of 8
• Develop and use reasonable steps to select and retain service providers: 1 of 8
• Evaluate and adjust Security Program in light of testing and monitoring and material changes to the environment: 8 of 8
• Obtain assessments from qualified objective independent 3rd party: 8 of 8
• Retain required documentation: 8 of 8
Session Objectives
1. Understand & Review Regulatory Requirements, Potential Liabilities and HHS/OCR Final Guidance
2. Understand Risk Analysis & Management Essentials
3. Learn how to Complete a Risk Analysis
Risk Analysis Myths¹
“As with any new program or regulation, there may be misinformation making the rounds. The following table distinguishes fact from fiction...”
¹ ONC Guide to Privacy and Security of Health Information
HIPAA Security Risk Analysis Myths and Facts¹
Myth: The security risk analysis is optional for small providers.
Fact: False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.
Myth: Simply installing a certified EHR fulfills the security risk analysis MU requirement.
Fact: False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.
Myth: My EHR vendor took care of everything I need to do about privacy and security.
Fact: False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.
Myth: I have to outsource the security risk analysis.
Fact: False. It is possible for small practices to do risk analysis themselves using self-help tools such as the U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology’s (ONC) risk analysis tool. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.
Myth: A checklist will suffice for the risk analysis requirement.
Fact: False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.
Myth: There is a specific risk analysis method that I must follow.
Fact: False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.
Myth: My security risk analysis only needs to look at my EHR.
Fact: False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data. Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.
Myth: I only need to do a risk analysis once.
Fact: False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. For more on reassessing your security practices, please see http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__privacy___security_frame-work/1173
Myth: Before I attest for an EHR incentive program, I must fully mitigate all risks.
Fact: False. The EHR incentive program requires addressing any deficiencies identified during the risk analysis during the reporting period.
Myth: Each year, I’ll have to completely redo my security risk analysis.
Fact: False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks.
¹ ONC Guide to Privacy and Security of Health Information
CMS Meaningful Use Attestation Audits
https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Attestation.html#10
Will CMS conduct audits?
“Any provider attesting to receive an EHR incentive payment for either the Medicare EHR Incentive Program or the Medicaid EHR Incentive Program potentially may be subject to an audit.”
“…If you attest prior to actually meeting the meaningful use security requirement, you could increase your business liability for federal law violations and making a FALSE CLAIM.” (emphasis added)
Thinking Like a Risk Analyst
Security Risk exists when… a Threat (Actor) CAN EXPLOIT a Vulnerability (Weakness) AND CAUSE an Impact (Cost) …in protecting an asset….
Risk Analysis is the identification and rank-ordering of risks through the assessment of Controls in place to detect and block the threat, to detect and fix a vulnerability, or to respond to incidents (impacts) when all else fails.
Thinking Like a Risk Manager
Risk Identification: Risks of all types & sizes exist.
Risk Treatment:
• Avoid / Transfer Risks
• Mitigate / Transfer Risks
• Accept Risks
Risk Management is making informed decisions on how to treat risks.
What A Risk Analysis Is Not
• A network vulnerability scan
• A penetration test
• A configuration audit
• A network diagram review
• A questionnaire
• Information system activity review
ALL IMPORTANT BUT DO NOT COMPRISE A RISK ANALYSIS
What A Risk Analysis Is…
A Risk Analysis IS the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, …, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.¹
¹ NIST SP800-30
Poll #3 – Bona Fide Risk Analysis?
Risk Analysis and Risk Management
1. What is our exposure of our information assets (e.g., ePHI)?
2. What do we need to do to treat or manage risks?
Both Are Required in MU and HIPAA
Controls Help Address Vulnerabilities
Information Asset: Laptop with ePHI
Threat Source: Burglar who may steal laptop with ePHI
Threat Action: Steal laptop
Vulnerabilities:
• Device is portable
• Weak password
• ePHI is not encrypted
• ePHI is not backed up
Controls:
• Policies & Procedures
• Training & Awareness
• Cable lock down
• Strong passwords
• Encryption
• Remote wipe
• Data Backup
Risk = f([Assets+Threats+Vulnerabilities+Controls] * [Likelihood * Impact])
Risks (types): Financial, Political, Clinical, Legal, Regulatory, Operational, Reputational
Likelihood (based on threat, vulnerabilities and current controls in place): Not Applicable, Rare, Unlikely, Moderate, Likely, Almost Certain
Impact (based on size, sensitivity and effort or cost of remediation): Not Applicable, Insignificant, Minor, Moderate, Major, Disastrous
Establishing a Risk Value
Risk = Likelihood * Impact
Likelihood
Rank | Description | Example
0 | Not Applicable | Will never happen
1 | Rare | May happen once every 10 years
2 | Unlikely | May happen once every 3 years
3 | Moderate | May happen once every 1 year
4 | Likely | May happen once every month
5 | Almost Certain | May happen once every week
Impact
Rank | Description | Example
0 | Not Applicable | Does not apply
1 | Insignificant | Not reportable; Remediate within 1 hour
2 | Minor | Not reportable; Remediate within 1 business day
3 | Moderate | Not reportable; Remediate within 5 business days
4 | Major | Reportable; Less than 500 records compromised
5 | Disastrous | Reportable; Greater than 500 records compromised
Risk rating bands:
• Critical = 25
• High = 15-24
• Medium = 8-14
• Low = 0-7
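The scoring model above (Risk = Likelihood * Impact on 0-5 ranks, bucketed into Critical/High/Medium/Low) and the laptop scenario on the earlier "Controls Help Address Vulnerabilities" slide can be carried through as a small risk register. The code below is an added example written for this page, not Clearwater's software or any tool the deck describes. The laptop asset, threat, vulnerabilities and controls are taken from the slide; the other two register entries and every numeric likelihood/impact rank are constructed assessor judgments chosen to exercise each band.

```python
"""Risk scoring for a HIPAA security risk analysis using the
Likelihood x Impact model and rating bands from the deck.
Added example: numeric ranks and the non-laptop entries are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Likelihood ranks (0-5) with the deck's frequency examples.
LIKELIHOOD: Dict[int, str] = {
    0: "Not Applicable",   # will never happen
    1: "Rare",             # may happen once every 10 years
    2: "Unlikely",         # may happen once every 3 years
    3: "Moderate",         # may happen once every year
    4: "Likely",           # may happen once every month
    5: "Almost Certain",   # may happen once every week
}

# Impact ranks (0-5) with the deck's reportability examples.
IMPACT: Dict[int, str] = {
    0: "Not Applicable",   # does not apply
    1: "Insignificant",    # not reportable; remediate within 1 hour
    2: "Minor",            # not reportable; remediate within 1 business day
    3: "Moderate",         # not reportable; remediate within 5 business days
    4: "Major",            # reportable; fewer than 500 records compromised
    5: "Disastrous",       # reportable; more than 500 records compromised
}


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood * Impact on the 0-25 scale; rejects ranks outside 0-5."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be ranks 0-5")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a 0-25 score to the deck's bands: Critical 25, High 15-24,
    Medium 8-14, Low 0-7."""
    if score == 25:
        return "Critical"
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass
class RiskScenario:
    """One asset / threat / vulnerability combination in the register."""
    asset: str
    threat_source: str
    threat_action: str
    vulnerabilities: List[str]
    controls: List[str]
    likelihood: int   # assessor's rank: threat, vulnerabilities, controls in place
    impact: int       # assessor's rank: size, sensitivity, cost of remediation

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def band(self) -> str:
        return risk_band(self.score)


def rank_order(register: List[RiskScenario]) -> List[RiskScenario]:
    """Rank-order risks, highest score first (ties keep register order)."""
    return sorted(register, key=lambda s: s.score, reverse=True)


def build_sample_register() -> List[RiskScenario]:
    """Constructed register; ranks are hypothetical assessor judgments."""
    return [
        RiskScenario(  # asset/threat/vulnerabilities/controls from the deck
            asset="Laptop with ePHI",
            threat_source="Burglar who may steal laptop with ePHI",
            threat_action="Steal laptop",
            vulnerabilities=["Device is portable", "Weak password",
                             "ePHI is not encrypted", "ePHI is not backed up"],
            controls=["Policies & Procedures", "Training & Awareness"],
            likelihood=4, impact=5),
        RiskScenario(  # constructed entry
            asset="Practice file server",
            threat_source="Workforce member with broad share access",
            threat_action="View records without a treatment need",
            vulnerabilities=["Shared administrator account"],
            controls=["Information system activity review"],
            likelihood=2, impact=4),
        RiskScenario(  # constructed entry
            asset="Office copier hard drive",
            threat_source="Leasing company technician",
            threat_action="Remove copier with stored images intact",
            vulnerabilities=["Stored ePHI not wiped at end of lease"],
            controls=["Contract clause requiring wipe"],
            likelihood=1, impact=2),
    ]


def register_report(register: List[RiskScenario]) -> List[Tuple[str, int, str]]:
    """(asset, score, band) tuples, highest risk first."""
    return [(s.asset, s.score, s.band) for s in rank_order(register)]


if __name__ == "__main__":
    for asset, score, band in register_report(build_sample_register()):
        print(f"{band:8} {score:2}  {asset}")
```

Note that a product of two 0-5 ranks can only take certain values (15, 16, 20, 24 and 25 are the only scores in the High/Critical range), so the band thresholds above behave as step functions over those products rather than over a continuous scale; the register entries record the vulnerabilities and controls that justified each rank so the rating can be revisited when controls change.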
Session Objectives
1. Understand & Review Regulatory Requirements, Potential Liabilities and HHS/OCR Final Guidance
2. Understand Risk Analysis & Management Essentials
3. Learn how to Complete a Risk Analysis
Risk Analysis
1. Inventory Information Assets that Store ePHI
2. Understand Significant Threats and Vulnerabilities
3. Determine if You Have the Right Controls in Place
4. Determine Your Likelihood of Harm and Risk Rating
5. Create Compliance Documentation and Management Reports
NIST SP800-30, Rev 3
Clearwater HIPAA Security Risk Analysis™
Educate | Assess | Respond | Monitor | Document
https://HIPAASecurityRiskAnalysis.com/
Asset Inventory List
What A Risk Analysis Process Looks Like…
Risk Rating Report
High Value – High Impact
Risk Analysis WorkShop™ Process
I. PREPARATION
A. Plan / Gather / Schedule
B. Read Ahead / Review Materials
C. Provide SaaS Subscription / Train
D. Complete Asset Inventory
II. ONSITE ASSESSMENT
A. Discover
B. Educate & Equip
C. Identify Threats
D. Review Controls
III. WRITTEN REPORT
A. Populate SaaS
B. Follow Up
C. Analyze & Report
D. Presentation and Sign Off
Key WorkShop™ Deliverables
1. Preparation for Mandatory Audits
2. Objective, Independent 3rd Party Analysis
3. Solid Educational Foundation
4. Completion of 45 CFR 164.308(a)(1)(ii)(A) – Risk Analysis
5. Complete Foundational Security Program Step
6. Preliminary Remediation Plan
7. Risk Analysis / Remediation Report
8. Fully Populated SaaS Tool for Ongoing Management
Demonstrate Good Faith Effort
Three Ways to Work Together
I. Software Subscription Only
– Subscribe to our Software-as-a-Service (SaaS) Applications and use your internal staff members to complete the work. (Fishing Equipment)
II. Software Subscription + N Days of Consulting
– Subscribe to our Software-as-a-Service (SaaS) Applications and engage Clearwater experts to advise, guide and review work. (+ Fishing Lessons)
III. Software Subscription + WorkShop to Complete Risk Analysis
– Subscribe to our Software-as-a-Service (SaaS) Applications and engage Clearwater to drive completion of work. (+ Fishing Charter)
Summary and Next Steps
• Risk Analysis is a Critical, Foundational Step
• Consider Assessing the Forest as Well
• Completing a Risk Analysis is key to HIPAA compliance, but is not your only requirement…
• Stay Business Risk Management-Focused
• Don’t Call The Geek Squad
• Large or Small: Get Help (Tools, Experts, etc.)
• Consider tools and templates
Get more info…
Register For Upcoming Live HIPAA-HITECH Webinars at: http://abouthipaa.com/webinars/upcoming-live-webinars/
View pre-recorded Webinars like this one at: http://abouthipaa.com/webinars/on-demand-webinars/
Clearwater HIPAA Audit Prep BootCamp™
Take Your HIPAA Compliance Program to a Better Place, Faster
February 21, 2013 | Washington DC
March 21, 2013 | San Diego CA
February 12-19-26, 2013 | New Virtual BootCamp™
Expert Instructors
Mary Chaput, MBA, CIPP/US – CFO & Chief Compliance Officer, Clearwater Compliance
Bob Chaput, CISSP, CIPP/US, CHP, CHSS – CEO, Clearwater Compliance
James C. Pyles – Principal, Powers Pyles Sutter & Verville PC
Jacquelyn Starnes – Director, Internal Audit, Hospice Compassus
Poll #4 – Best Medium for You?
Contact
Bob Chaput, CISSP, CIPP/US
Clearwater Compliance LLC
http://www.ClearwaterCompliance.com
[email protected]
Phone: 800-704-3394 or 615-656-4299
Additional Information