Legal Disclaimer

The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

This information does not constitute legal advice and is for educational purposes only. This information is based on currentfederal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than thefederal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

Clearwater Compliance IRM | Analysis™Guided Tour

3

• VP of Product Innovation for Clearwater

Compliance, LLC

• 30 + years in Healthcare in the provider, payer

and healthcare quality improvement industries

• 20 + years of strategic leadership for

compliance and Healthcare information

technology projects involving the most

sensitive ePHI for companies such as CIGNA,

Healthways and Optum

• MPA - Healthcare Policy and Administration

Jon Stone, MPA, CRISC, HCISPP, PMP

Jon Stone, MPA, CRISC, HCISPP, PMPVice President of Product Innovation

Jon.Stone@ClearwaterCompliance.com615-210-9612

4

Some Ground Rules

1. Slide materials

A. Check GoToWebinar Control panel to copy/paste link and download materials

2. Questions in “Question Area” on GTW Control Panel

3. In case of technical issues, check “Chat Area”

4. All Attendees are in Listen Only Mode

5. Please complete Exit Survey, when you leave session

6. Recorded version and final slides within 48 hours

5

45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process

(1)(i) Standard: Security management process. Implement policies and

procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

45 C.F.R. §164.308(a)(8)

Standard: Evaluation. Perform a periodic technical and non-

technical evaluation, based initially upon the standards

implemented under this rule and subsequently, in response to

environmental or operational changes…

(A) Risk analysis (Required). Conduct an accurate and thorough

assessment of the potential risks and vulnerabilities to the

confidentiality, integrity, and availability of electronic protected health

information…

What do the regulations require?

6

1.Scope of the Analysis - all ePHI must be included in risk analysis

2.Data Collection – it must be documented

3.Identify and Document Potential Threats and Vulnerabilities

4.Assess Current Security Measures

5.Determine the Likelihood of Threat Occurrence

6.Determine the Potential Impact of Threat Occurrence

7.Determine the Level of Risk

8.Finalize Documentation

9.Periodic Review and Updates

7

Guidance on Risk Analysis Requirements

under the HIPAA Security Rule Final

• NIST SP800-30 - Guide for Conducting Risk Assessments

• NIST SP800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

8

Assets and Media

Backup Media

Desktop

Disk Array

Electronic Medical Device

Laptop

Pager

Server

Smartphone

Storage Area Network

Tablet

Third-party service provider

Etcetera…

NIST SP 800-53 ControlsPS-6 a The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.

PS-6 b The organization reviews/updates the access agreements [Assignment: organization-defined frequency].

AC-19 a The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices.

AC-19 b The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.

AC-19 d The organization enforces requirements for the connection of mobile devices to organizational information systems.

AC-19 e The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.

Hundreds and hundreds

Hundreds of Millions or Permutations

Vulnerabilities

Anti-malware Vulnerabilities

Destruction/Disposal Vulnerabilities

Dormant Accounts

Endpoint Leakage Vulnerabilities

Excessive User Permissions

Insecure Network Configuration

Insecure Software Development Processes

Insufficient Application Capacity

Insufficient data backup

Insufficient data validation

Insufficient equipment redundancy

Insufficient equipment shielding

Insufficient fire protection

Insufficient HVAC capability

Insufficient power capacity

Insufficient power shielding

Etcetera…

Threat Actions

Burglary/Theft

Corruption or destruction of important data

Data Leakage

Data Loss

Denial of Service

Destruction of important data

Electrical damage to equipment

Fire damage to equipment

Information leakage

Etcetera…

Threat Agent

Burglar/ Thief

Electrical Incident

Entropy

Fire

Flood

Inclement weather

Malware

Network Connectivity Outage

Power Outage/Interruption

Etcetera…

The Risk Analysis Dilemma

Key Steps in NIST SP800 30-Based Risk Assessment1

1http://clearwatercompliance.com/wp-content/uploads/SP800-30-Rev1_Guide_for_Conducting_Risk_Assessments_09-2012.pdf

9

Document Sensitive Information in Scope of the Analysis

Identify and Document Potential Threats and Vulnerabilities

Assess Current Security Measures

Determine the Likelihood of Threat Occurrence

Determine the Potential Impact of Threat Occurrence

Determine the Level of Risk

The System Enables-• Finalizing Documentation• Periodic Review and Updates

10

Software Demonstration

11

Questions?

12

Clearwater HIPAA and Cybersecurity BootCamp™

Take Your HIPAA Privacy and Security Program to a Better

Place, Faster …

Earn up to 10.8 CPE Credits!

http://clearwatercompliance.com/bootcamps/

Designed for busy professionals, the

Clearwater HIPAA and Cybersecurity

BootCamp™ distills into one action-packed

day, the critical information you need to

know about the HIPAA Privacy and Security

Final Rules and the HITECH Breach

Notification Rule.

Join us for our next virtual, web-based events…Three, 3hr sessions:

• August 4th, 11th, 18th - 2016• November 3rd, 10th, 17th – 2016• February 9th, 16th, 23rd - 2017 • May 4th, 11th, 18th - 2017

13

Other Upcoming Clearwater Events

Visit ClearwaterCompliance.com for more

info!

July 14, 2106

Complimentary

Webinar

OCR’s Phase 2

Audits and How

Best to Prepare

August 3, 2106

Complimentary

Webinar

How to Adopt

the NIST

Cybersecurity

Framework

July 21, 2016

Complimentary

Webinar

The Critical

Difference:

HIPAA Security

Evaluation v

HIPAA Security

Risk Analysis

July 28, 2106

Complimentary

Webinar

HIPAA 101

14

Jon Stone, MPA, CRISC, HCISPP, PMP

https://www.clearwatercompliance.com

jon.stone@ClearwaterCompliance.com

Phone: 800-704-3394 or 615-210-9612

linkedin.com/in/jonstonepmp

Exit Survey, Please

15

WWW.CLEARWATERCOMPLIANCE.COM

http://www.linkedin.com/in/bobchaput/

@clearwaterhipaa

ClearwaterCompliance

Clearwater Compliance

800-704-3394