
1 © 2010-12 Clearwater Compliance LLC | All Rights Reserved
"Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not to be noised abroad, I will keep silence thereon, counting such things to be as sacred as secrets." - Hippocratic Oath, 4th Century B.C.E.
Welcome to today's Live Event... we will begin shortly. Please feel free to use "Chat" or "Q&A" to tell us any 'burning' questions you may have in advance.
First HIPAA Security Risk Analyst

2 How to Conduct a Meaningful Use / HIPAA Security Risk Analysis
April 17, 2012
Bob Chaput, MA, CISSP, CHP, CHSS, MCSE
615-656-4299 or 800-704-3394
bob.chaput@ClearwaterCompliance.com
Clearwater Compliance LLC

3 Bob Chaput, CISSP, MA, CHP, CHSS, MCSE
President - Clearwater Compliance LLC
- 30+ years in Business, Operations and Technology
- 20+ years in Healthcare
- Executive | Educator | Entrepreneur
- Global Executive: GE, JNJ, HWAY
- Responsible for largest healthcare datasets in world
- Numerous Technical Certifications (MCSE, MCSA, etc.)
- Expertise and Focus: Healthcare, Financial Services, Legal
- Member: NMGMA, HIMSS, ISSA, HCCA, ACHE, AHIMA, NTC, ACP, Chambers, Boards
http://www.linkedin.com/in/BobChaput

4 About HIPAA-HITECH Compliance
1. We are not attorneys!
2. HIPAA and HITECH are dynamic!
3. Lots of different interpretations! So there!

5 5 Actions to Take Now: Demonstrate Good Faith Effort
1. Formally establish and charter a Privacy and Security Risk Management Council and establish a Security Management Process per 45 CFR §164.308(a)(1).
2. Complete an Evaluation per 45 CFR §164.308(a)(8) to assess Security Rule "black letter" compliance and to understand the complete regulation; the Security Rule is the ultimate checklist.
3. Complete a Risk Analysis per 45 CFR §164.308(a)(1)(ii)(A) to assess risk, determine the CE's security posture and initiate a corrective action plan.
4. Complete an assessment of compliance with the Privacy Rule using 45 CFR §164.530 Administrative Requirements as a guide.
5. Document and act upon a corrective action plan for Security Rule compliance, Privacy Rule compliance, and overall Risk Management per 45 CFR §164.308(a)(1)(ii)(B).

6 Session Objectives
1. Review Regulatory Requirements and HHS/OCR Final Guidance
2. Understand Risk Analysis Essentials
3. Learn how to Complete a Risk Analysis

7 HITECH meets HIPAA ... at Meaningful Use
HIPAA Security Final Rule + Meaningful Use Final Rule -> Risk Analysis, 45 CFR 164.308(a)(1)(ii)(A)

8 Two Dimensions of HIPAA Security
- Security / Business Risk Management: 45 CFR 164.308(a)(1)(ii)(A)
- Compliance: 45 CFR 164.308(a)(8)
An overall Business Risk Management Program; not "an IT project".

9 Security Evaluation v. Risk Analysis
45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
45 C.F.R. §164.308(a)(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. (ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

10 EP Meaningful Use - Core: Eligible Professionals, 15 Core Objectives
1. Computerized provider order entry (CPOE)
2. E-Prescribing (eRx)
3. Report ambulatory clinical quality measures to CMS/States
4. Implement one clinical decision support rule
5. Provide patients with an electronic copy of their health information, upon request
6. Provide clinical summaries for patients for each office visit
7. Drug-drug and drug-allergy interaction checks
8. Record demographics
9. Maintain an up-to-date problem list of current and active diagnoses
10. Maintain active medication list
11. Maintain active medication allergy list
12. Record and chart changes in vital signs
13. Record smoking status for patients 13 years or older
14. Capability to exchange key clinical information among providers of care and patient-authorized entities electronically
15. Protect electronic health information

11 EH & CAH Meaningful Use: EHs and CAHs, 14 Core Objectives
1. Use CPOE for medication orders directly entered by any licensed healthcare professional who can enter orders into the medical record per State, local, and professional guidelines.
2. Implement drug-drug and drug-allergy interaction checks.
3. Maintain an up-to-date problem list of current and active diagnoses.
4. Maintain active medication list.
5. Maintain active medication allergy list.
6. Record specific set of demographics.
7. Record and chart changes in certain vital signs.
8. Record smoking status for patients 13 years old or older.
9. Report hospital clinical quality measures to CMS or, in the case of Medicaid eligible hospitals, the States.
10. Implement one clinical decision support rule related to a high priority hospital condition along with the ability to track compliance with that rule.
11. Provide patients with an electronic copy of their health information (including diagnostic test results, problem list, medication lists, medication allergies, discharge summary, procedures), upon request.
12. Provide patients with an electronic copy of their discharge instructions at time of discharge, upon request.
13. Capability to exchange key clinical information (for example, problem list, medication list, medication allergies, and diagnostic test results) among providers of care and patient-authorized entities electronically.
14. Protect electronic health information.

12 Regardless of the risk analysis methodology employed... from HHS/OCR Final Guidance
1. Scope of the Analysis - All ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a).)
2. Data Collection - The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)
3. Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
4. Assess Current Security Measures - Organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
5. Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
6. Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the "criticality," or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
7. Determine the Level of Risk - The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
8. Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).)
9. Periodic Review and Updates to the Risk Assessment - The risk analysis process should be ongoing. In order for an entity to update and document its security measures "as needed," which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)

13 Risk Management Guidance
- Guidance on Risk Analysis Requirements under the HIPAA Security Rule (HHS/OCR, Final)
- NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments (DRAFT)
- NIST SP800-34, Contingency Planning Guide for Federal Information Systems
- NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
- NIST SP800-39 (Final), Managing Information Security Risk
- NIST SP800-53 Revision 3 (Final), Recommended Security Controls for Federal Information Systems and Organizations
- NIST SP800-53A Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans

14 Session Objectives
1. Review Regulatory Requirements and HHS/OCR Final Guidance
2. Understand Risk Analysis Essentials
3. Learn how to Complete a Risk Analysis

15 Risk Analysis is Not Easy

16 What A Risk Analysis Is Not
- A network vulnerability scan
- A penetration test
- A configuration audit
- A network diagram review
- A questionnaire
- An information system activity review
A Risk Analysis IS the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, ..., resulting from the operation of an information system. It is part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.

17 NOT Risk Management

18 Risk Analysis and Risk Management: Both Are Required in MU and HIPAA
1. What is the exposure of our information assets (e.g., ePHI)? (Risk Analysis)
2. What do we need to do to treat or manage risks? (Risk Management)

19 Security Risk Management Process
Risk Management Approach -> Asset Inventory -> Risk Analysis -> Risk Treatment -> Documentation

20 What is Risk? Risk = Impact * Likelihood
Goal = Understand What Risks Exist and Into What Category They Fall

Overall Risk Value
Impact \ Likelihood   LOW      MEDIUM   HIGH
HIGH                  Medium   High     Critical
MEDIUM                Low      Medium   High
LOW                   Low      Low      Medium

21 Risk Analysis "Algebra"

22 Threat Sources
An adapted definition of threat source, from NIST SP 800-30, is "The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally exploit a vulnerability..."
1. Adversarial: Individual (Outsider, Insider), Group (Ad hoc, Established) ...
2. Accidental: Ordinary User, Privileged User
3. Structural: IT Equipment, Environmental Controls, Software
4. Environmental: Natural or man-made disaster (fire, flood, hurricane), Unusual natural event, Infrastructure failure/outage (telecomm, power)

23 Vulnerabilities
Defined in NIST Special Publication (SP) 800-30 as "Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source."
1. Lack of strong password
2. Lack of personal firewall
3. Lack of data backup
4. Lack of policies
5. Failure to follow policies
6. Lack of training
7. Lack of encryption on laptops with ePHI...
8. ...and on and on...

24 Controls Help Address Vulnerabilities
Information Asset: Laptop with ePHI
Threat Source: Burglar who may steal the laptop with ePHI
Vulnerabilities: Device is portable; Weak password; ePHI is not encrypted; ePHI is not backed up
Controls: Policies & Procedures; Training & Awareness; Cable lock down; Strong passwords; Encryption; Remote wipe; Data Backup

25 Risk = f([Assets + Threats + Vulnerabilities + Controls] * [Likelihood * Impact])
Risks: Financial, Political, Legal, Regulatory, Operational impact, Reputational
Likelihood (based on threat, vulnerabilities and current controls in place): Not Applicable, Rare, Unlikely, Moderate, Likely, Almost Certain
Impact (based on size, sensitivity and effort or cost of remediation): Not Applicable, Insignificant, Minor, Moderate, Major, Disastrous

26 Establishing a Risk Value: Risk = Likelihood * Impact

Likelihood
Rank  Description      Example
0     Not Applicable   Will never happen
1     Rare             May happen once every 10 years
2     Unlikely         May happen once every 3 years
3     Moderate         May happen once every 1 year
4     Likely           May happen once every month
5     Almost Certain   May happen once every week

Impact
Rank  Description      Example
0     Not Applicable   Does not apply
1     Insignificant    Not reportable; Remediate within 1 hour
2     Minor            Not reportable; Remediate within 1 business day
3     Moderate         Not reportable; Remediate within 5 business days
4     Major            Reportable; Less than 1,000 records compromised
5     Disastrous       Reportable; Greater than 1,000 records compromised

Risk value bands: Critical = 25; High = 15-24; Medium = 8-14; Low = 0-7

27 Simplified Risk Analysis Example

Asset   Threat  Vulnerability           Likelihood (1-5)  Impact (1-5)  Risk (L * I)
Laptop  Theft   Device is portable      4                 3             12
                Weak password           2                 4             8
                ePHI is not encrypted   3                 5             15
                ePHI is not backed up   1                 2             2

28 The Process
Risk Approach -> Asset Inventory -> Risk Analysis -> Risk Treatment -> Documentation

29 Criteria For Accepting Risks
Score range: 0-25. Risk values: Critical = 25; High = 15-24; Medium = 8-14; Low = 0-7
Example: Acceptable level of risk: 14
- Value of risk A: 9 - no treatment is needed
- Value of risk B: 17 - risk treatment is needed

30 Risk Treatment: making informed decisions
Risk Management = making informed decisions about treating risks
1. Avoid
2. Accept
3. Mitigate
4. Transfer
5. Share
Not all risks need "mitigation"; all risks need "treatment".

31 Risk Management
Risk Identification -> Risk Treatment: Avoid / Transfer Risks; Accept Risks; Mitigate / Transfer Risks
Risks of all types & sizes exist.

32 Risk Mitigation Example

Before
Asset   Threat  Vulnerability           Likelihood (1-5)  Impact (1-5)  Risk (L * I)
Laptop  Theft   Device is portable      4                 3             12
                ePHI is not encrypted   3                 5             15

After
Asset   Threat  Vulnerability           New Control           Likelihood (1-5)  Impact (1-5)  Residual Risk (L * I)
Laptop  Theft   Device is portable      Cable lock down       1                 3             3
                ePHI is not encrypted   Full Disk Encryption  1                 5             5
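The scoring method on slides 26, 27, 29 and 32 (0-5 likelihood and impact ranks, Risk = L * I banded into Critical/High/Medium/Low, an acceptable level of 14, and a before/after view once controls are applied) is small enough to carry in code, which keeps the arithmetic and the banding consistent across a register of hundreds of rows. The example below is added here and is not Clearwater's software; the register rows are the laptop rows from slide 27 and the two controls from slide 32, embedded as constructed data. The names `RiskItem`, `apply_controls` and `above_appetite` are this example's own.

```python
"""Semi-quantitative risk scoring: Risk = Likelihood * Impact on the 0-5 ranks
from slide 26, the acceptance test from slide 29, and the before/after
treatment view from slide 32.  Added example, not Clearwater's software."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Rank scales from slide 26.
LIKELIHOOD = {0: "Not Applicable", 1: "Rare", 2: "Unlikely",
              3: "Moderate", 4: "Likely", 5: "Almost Certain"}
IMPACT = {0: "Not Applicable", 1: "Insignificant", 2: "Minor",
          3: "Moderate", 4: "Major", 5: "Disastrous"}


def risk_level(score: int) -> str:
    """Band a 0-25 score: Critical = 25, High = 15-24, Medium = 8-14, Low = 0-7."""
    if score == 25:
        return "Critical"
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    control: Optional[str] = None  # set once a treatment has been applied

    def __post_init__(self) -> None:
        # Reject ranks outside the 0-5 scale instead of silently scoring them.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not isinstance(value, int) or not 0 <= value <= 5:
                raise ValueError(f"{name} must be an integer 0-5, got {value!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        return risk_level(self.score)


def ranked(items: List[RiskItem]) -> List[RiskItem]:
    """Highest score first, so the register doubles as a prioritised work list."""
    return sorted(items, key=lambda i: i.score, reverse=True)


def above_appetite(items: List[RiskItem], acceptable: int = 14) -> List[RiskItem]:
    """Items over the acceptable level (slide 29: a 9 needs nothing, a 17 needs treatment)."""
    return [i for i in items if i.score > acceptable]


# (control name, new likelihood rank, new impact rank); None keeps the current rank.
Treatment = Tuple[str, Optional[int], Optional[int]]


def apply_controls(items: List[RiskItem], controls: Dict[str, Treatment]) -> List[RiskItem]:
    """Residual-risk view.  Rows with no entry in `controls` are carried over
    unchanged: that is the 'accept' decision, and it still has to be documented."""
    out = []
    for item in items:
        if item.vulnerability in controls:
            name, new_l, new_i = controls[item.vulnerability]
            item = replace(item, control=name,
                           likelihood=item.likelihood if new_l is None else new_l,
                           impact=item.impact if new_i is None else new_i)
        out.append(item)
    return out


def render(items: List[RiskItem]) -> str:
    rows = [f"{'Asset':8}{'Vulnerability':24}{'Control':22}L  I  Risk  Level"]
    for i in items:
        rows.append(f"{i.asset:8}{i.vulnerability:24}{i.control or '-':22}"
                    f"{i.likelihood}  {i.impact}  {i.score:<5} {i.level}")
    return "\n".join(rows)


# Constructed register: the four laptop rows from slide 27.
LAPTOP_RISKS = [
    RiskItem("Laptop", "Theft", "Device is portable", 4, 3),
    RiskItem("Laptop", "Theft", "Weak password", 2, 4),
    RiskItem("Laptop", "Theft", "ePHI is not encrypted", 3, 5),
    RiskItem("Laptop", "Theft", "ePHI is not backed up", 1, 2),
]

# Constructed treatment table: the two controls from slide 32.  The slide lowers
# likelihood only, consistent with slide 25 (likelihood reflects controls in place).
LAPTOP_CONTROLS: Dict[str, Treatment] = {
    "Device is portable": ("Cable lock down", 1, None),
    "ePHI is not encrypted": ("Full Disk Encryption", 1, None),
}

if __name__ == "__main__":
    print("Before:\n" + render(ranked(LAPTOP_RISKS)))
    residual = apply_controls(LAPTOP_RISKS, LAPTOP_CONTROLS)
    print("\nAfter:\n" + render(ranked(residual)))
    print("\nStill above appetite:", [i.vulnerability for i in above_appetite(residual)])
```

Run as a script it prints the slide 27 register ranked (15, 12, 8, 2), then the residual register in which the two treated rows drop to 5 and 3 while "Weak password" (8, Medium) and "ePHI is not backed up" (2, Low) are carried over untouched. Only the unencrypted-ePHI row is above the acceptable level of 14 before treatment, and nothing is after; the untouched rows are accept decisions that still belong in the documentation, which is the point of slide 30's "all risks need treatment". `RiskItem` is frozen so the "before" register survives as evidence after the "after" view is computed.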

33 Session Objectives
1. Review Regulatory Requirements and HHS/OCR Final Guidance
2. Understand Risk Analysis Essentials
3. Learn how to Complete a Risk Analysis

34 The Process
Risk Approach -> Asset Inventory -> Risk Analysis -> Risk Treatment -> Documentation

35 The Risk Analysis Dilemma: over 10 million permutations of potential risks and controls

36 Software Design Basis
- HHS / OCR Final Guidance on Risk Analysis
- NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments (DRAFT)
- NIST SP800-34, Contingency Planning Guide for Federal Information Systems
- NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
- NIST SP800-39 (Final), Managing Information Security Risk
- NIST SP800-53 Revision 3 (Final), Recommended Security Controls for Federal Information Systems and Organizations
- NIST SP800-53A Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans

37 Clearwater HIPAA Security Risk Analysis™
Educate | Assess | Respond | Monitor | Document
https://HIPAASecurityRiskAnalysis.com/

38 How Risk Analysis Software Helps You
Risk Approach -> Asset Inventory -> Risk Analysis -> Risk Treatment -> Documentation
- Produces and houses all essential documentation
- Provides a "living, breathing risk management repository"
- Enables easier, future incremental analyses
- Approach rigorously based on OCR & NIST Guidance
- Semi-quantitative
- Comprehensive
- Flexible for setting Risk Appetite
- Comprehensive documentation
- Captures essential documentation
- Identifies underlying media
- Creates database for deletes / adds / changes
- Includes 9 essential elements
- Serves as 'wizard' to guide detailed process
- Assures consistency, repeatability
- Ratings facilitate dynamic risk ranking
- Reporting facilitates informed decision making
- "Notes" facilitate critical documentation re: Risk treatment decisions

39 Asset Inventory List

40 Risk Questionnaire Form

41 Risk Rating Report

42 Sample Export - Asset Inventory

43 High Value - High Impact Risk Analysis WorkShop™ Process
I. PREPARATION: A. Plan / Gather; B. Read Ahead; C. Complete QuickScreen™
II. ONSITE SESSION: A. Facilitate; B. Educate; C. Evaluate
III. CONSULTATION: A. E-mail; B. Telephone; C. Web Meetings

44 Summary and Next Steps
- Risk Analysis is a Critical, Foundational Step
- Consider Assessing the Forest as Well
- Completing a Risk Analysis is key to HIPAA compliance
- But, it is not your only requirement...
- Stay Business Risk Management-Focused
- Don't Call The Geek Squad
- Large or Small: Get Help (Tools, Experts, etc.)
- Consider tools and templates

45 June 25, 2012 | Chicago, IL
Clearwater HIPAA Audit Prep BootCamp™
Take Your HIPAA Compliance Program to a Better Place, Faster

46 Expert Instructors
- Bob Chaput, CISSP, CHP, CHSS, MCSE - CEO, Clearwater Compliance
- Jim Mathis, JD, CHC, CHP - Healthcare Industry Attorney, HIPAA Consultant
- James C. Pyles - Principal, Powers Pyles Sutter & Verville PC

47 Get Smart! "On Demand" HIPAA HITECH RESOURCES, IF NEEDED:
1. http://AboutHIPAA.com/about-hipaa/resources/
2. http://AboutHIPAA.com/webinars/

48 Contact
Bob Chaput, CISSP
Clearwater Compliance LLC
http://www.ClearwaterCompliance.com
bob.chaput@ClearwaterCompliance.com
Phone: 800-704-3394 or 615-656-4299

49 Additional Information

50 Why Now? - What We're Hearing
"Our business partners (health plans) are demanding we become compliant..." - large national care management company (BA)
"We did work on Privacy, but have no idea where to begin with Security" - 6-Physician Pediatric Practice (CE)
"We want to proactively market our services by leveraging our HIPAA compliance status..." - large regional fulfillment house (BA)
"With all the recent changes and meaningful use requirements, we need to make sure we meet all The HITECH Act requirements..." - large family medicine group practice (CE)
"We need to have a way to quickly take stock of where we are and then put in place a dashboard to measure and assure our compliance progress..." - national research consortium (BA)
"We need to complete HIPAA-HITECH due diligence on a potential acquisition and need a gap analysis done quickly and efficiently..." - seniors care management company (BA)

51 What Our Customers Say...
"The WorkShop™ process made a very complicated process and subject matter simple. The ToolKit™ itself was excellent and precipitated exactly the right discussion we needed to have." - outside Legal Counsel, national research consortium
"The HIPAA Security Assessment ToolKit™ and WorkShop™ are a comprehensive approach that effectively guided our organization's performance against HIPAA-HITECH Security requirements." - SVP and Chief Compliance, national hospice organization
"... The WorkShop™ process expedited assessment of gaps in our HIPAA Security Compliance program, began to address risk mitigation tasks within a matter of days and... the 'ToolKit' was a sound investment for the company, and I can't think of a better framework upon which to launch compliance efforts." - VP & CIO, national care management organization
"...the process of going through the self-assessment WorkShop™ was a great shared learning experience and teambuilding exercise. In retrospect, I can't think of a better or more efficient way to get started than to use the HIPAA Security Assessment ToolKit." - CIO, national kidney dialysis center firm
"...this HIPAA Security Assessment Toolkit is worth its weight in gold. If we had to spend our time and resources creating this spreadsheet, we would never complete our compliance program on time..." - Director, Quality Assurance & Regulatory Affairs

