© Clearwater Compliance | All Rights Reserved
Legal Disclaimer
Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.
Copyright Notice
All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
Clearwater Customer Council Meeting
February 19, 2019
Agenda
Introduction
Educational Content:
Adam Nunn | Principal Consultant
“Rethinking Cybersecurity Policy Governance ”
Feedback and Suggestions
About Your Hosts
Jon Stone, SVP, Product Innovation | MPA, PMP, HCISPP, CRISC
• 25+ years in Healthcare in the compliance, provider, payer and healthcare quality improvement fields
• Innovator | Strategic Program Manager | Consultant | Executive
• 15+ years of strategic leadership for compliance and Healthcare information technology projects involving sensitive ePHI for companies such as CIGNA, Healthways and OPTUMInsight
• PMP, MPA - Healthcare Policy and Administration
• Business Passion: Driving business and technology solutions for improving healthcare operations and outcomes
• Play Passion: Cycling and Oil Painting
615-210-9612
About Your Hosts
Lori Hessey, Director Customer Success
• 10+ years of Customer Support in Healthcare
• 5+ years experience in SaaS Startup Companies
• 5+ years Sales & Business Development
• Responsible for customer implementation, training, marketing and quality assurance
• Manages the Clearwater Customer Success and Support Team
615-823-5190
Purpose of the Customer Community
Where Clearwater customers go to get additional value and benefits
• Customer Council Meetings
• Complimentary educational content
• A place for customers to interact and learn from each other
Meeting Logistics: Audio Control Panel
• All attendees on mute
• Type in Q&A section with a question or comment
• We will be watching the Q&A section like a hawk and will make sure your comment or question gets addressed!
‘Rethinking Cybersecurity Policy Governance’
Adam Nunn, Principal Consultant [email protected]
About Your Presenter
Adam Nunn, Principal Consultant
• Twenty-three years in healthcare cybersecurity and regulatory compliance.
• As internal Chief Compliance Officer and Chief Information Security Officer, directly
administered programs for hospitals and healthcare service organizations, including
clinics, laboratories, pharmacies, business associates, and health plans.
• Cybersecurity and regulatory compliance experience in a wide range of
organizational structures, from start-ups to multi-billion dollar enterprises,
including venture-capital, private-equity, not for profit, and publicly-traded
organizations.
• CISSP from 2003-2013 with an ISSMP concentration.
• Former member of the HITRUST Leadership Roundtable.
• Former Officer of Middle Tennessee Chapter of the Information Systems Security
Association.
• Active member of the Health Care Compliance Association and Information
Systems Security Association.
What we’re going to discuss
• Common Questions and Comments Often Heard about Policy
• Cybersecurity Policy Defined
• Effectiveness of Cybersecurity Policy
• Principle-Based Policy Governance Introduction
• Example of Principle-Based Policy Governance
• Requirements for Implementation
Common Questions and Statements about Policy
• We have policies, but…
• We missed our deadline…
• We have established policies, but they…
• Our policy doesn’t match the…
• The Board of Directors must approve all policy changes, but...
Common Questions and Statements
• Policy expectations…
• Having a policy that’s not implemented…
• We established some policies, but…
• We’re not sure who is…
• We lack support to…
What is Cybersecurity Policy?
What do the regulations require?
Some examples…
✓ Prevent, detect, and contain
✓ Sanctions
✓ System activity
✓ Security official
✓ Appropriate access
What is Cybersecurity Policy?
Cybersecurity policies establish expectations for the protection of information against deliberate and accidental threats and vulnerabilities.
What is Cybersecurity Policy?
Policies within organizations are at various states of complexity and maturity.
How effective are cybersecurity policies?
Organizations struggle with embedding security expectations into day-to-day operations.
How effective are cybersecurity policies?
Board and senior leadership level expectations may not always translate into actionable, trackable, and continually maintained cybersecurity policy and procedure.
How effective are cybersecurity policies?
Potential Policy Governance Maturation: Is there a better way?
How might this look?
Principle Based Governance?
Principle 1: Identify - Our organization understands cybersecurity risks to systems, people, assets, data, and capabilities. We understand the business context and risks relating to cybersecurity and identify appropriate resources within a prioritized risk management strategy to support critical functions.
Principle 2: Protect - We develop and implement appropriate safeguards to ensure delivery of critical services. These safeguards support the organization's ability to limit or contain the impact of potential cybersecurity events.
Principle 3: Detect - Our organization continually develops and implements appropriate activities that identify cybersecurity events. These functions enable the timely discovery of cybersecurity events within our environment that impact us, our customers, and partners.
Principle 4: Respond - We continually develop and implement procedures to take action when cybersecurity incidents and events are detected. These processes support our ability to contain the impact of potential cybersecurity events and incidents.
Principle 5: Recover - Our organization regularly develops and implements activities and plans for resilience and to restore any capabilities or services that are impaired due to cybersecurity events or incidents. These functions support timely recovery to normal operations and reduce the impact of cybersecurity incidents and events.
Example: How might this be accomplished?
Principle 1: Identify - Our organization understands cybersecurity risks to systems, people, assets, data, and capabilities. We understand the business context and risks relating to cybersecurity and identify appropriate resources within a prioritized risk management strategy to support critical functions.
ID.AM-1 [Policy Statement] Physical devices and systems within the organization are inventoried.
[Security Standard] Inventories of physical and virtual information systems are accurately maintained.
[Maturity Level 1] [Procedure] Assigned Owner: [Workstation Administration Manager] Define within the 'Workstation Inventory Procedures and Standards' the requirements for how workstation inventories are maintained, where inventory information is stored, the contents of the inventory, and how often the inventory is updated.
[Maturity Level 2] [Procedure] Assigned Owner: [Workstation Administration] Implement the requirements as defined within the 'Workstation Inventory Procedures and Standards' document.
[Maturity Level 3] [Procedure] Assigned Owner: [Workstation Administration Manager] Annual Task: Perform a review of the 'Workstation Inventory Procedures and Standards' and update as necessary.
[Maturity Level 4] [Procedure] Assigned Owner: [Workstation Administration Manager] Annual Task: Perform an audit, by sampling, to validate that the requirements of the 'Workstation Inventory Procedures and Standards' and the quarterly inventory reconciliations were appropriately complied with in the previous year.
Requirements
A principle-based policy governance approach such as this would require:
• A top-down culture
• An organizationally selected cybersecurity control framework
• A process management engine
Summary
We are using a legacy policy structure that was developed prior to widely available security standards and process automation tools.
Summary
Can we replace our traditional policies with a framework based on now widely available cybersecurity control standards?
What we discussed
• Common Questions and Comments Often Heard about Policy
• Cybersecurity Policy Defined
• Effectiveness of Cybersecurity Policy
• Principle-Based Policy Governance Introduction
• Example of Principle-Based Policy Governance
• Requirements for Implementation
Questions?
Adam Nunn, Principal Consultant [email protected]
References and Links to Additional Information:
Dr. Gary Hinson PhD MBA CISSP, noticebored.com - I credit Gary with first exposing me to Principle-Based Policy Governance.
Upcoming Events
Don’t miss Breakfast & Breaches!
Join us for this special LIVE Expert Panel Discussion, in town hall format, with Illinois OCR investigators, as we tackle critical subjects, including HIPAA & Cyber Risk Management readiness, recovery, and current requirements.
Be our guest onsite at Lockton Companies in Chicago or join us via LIVE video webcast! Reserve your seat!
This webinar is designed to help covered entities and business associates understand and act on specific Risk Analysis requirements. We will share a step-by-step methodology based on OCR and NIST guidance.
Reserve your seat!
www.ClearwaterCompliance.com
LINKEDIN | www.linkedin.com/company/clearwater-compliance-llc/
TWITTER | @clearwaterhipaa
EMAIL | [email protected]
PHONE | 800-704-3394
Thank You.