
Presentation Transcript


  1. First HIPAA Security Risk Analyst • "Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not to be noised abroad, I will keep silence thereon, counting such things to be as sacred as secrets." • Hippocratic Oath, 4th Century, B.C.E. Welcome to today’s Live Event… we will begin shortly… Please feel free to use “Chat” or “Q&A” to tell us any ‘burning’ questions you may have in advance

  2. How to Conduct a Meaningful Use / HIPAA Security Risk Analysis April 17, 2012 Bob Chaput, MA, CISSP, CHP, CHSS, MCSE 615-656-4299 or 800-704-3394 bob.chaput@ClearwaterCompliance.com Clearwater Compliance LLC

  3. Bob Chaput CISSP, MA, CHP, CHSS, MCSE • President – Clearwater Compliance LLC • 30+ years in Business, Operations and Technology • 20+ years in Healthcare • Executive | Educator | Entrepreneur • Global Executive: GE, JNJ, HWAY • Responsible for largest healthcare datasets in world • Numerous Technical Certifications (MCSE, MCSA, etc) • Expertise and Focus: Healthcare, Financial Services, Legal • Member: NMGMA, HIMSS, ISSA, HCCA, ACHE, AHIMA, NTC, ACP, Chambers, Boards http://www.linkedin.com/in/BobChaput

  4. About HIPAA-HITECH Compliance We are not attorneys! HIPAA and HITECH are dynamic! Lots of different interpretations! So there!

  5. 5 Actions to Take Now • Formally establish and charter a Privacy and Security Risk Management Council and establish a Security Management Process per 45 CFR §164.308(a)(1). • Complete an Evaluation per 45 CFR §164.308(a)(8) to assess Security Rule “black letter” compliance and to understand the complete regulation; the Security Rule is the ultimate checklist. • Complete a Risk Analysis per 45 CFR §164.308(a)(1)(ii)(A) to assess risk and determine the CE’s security posture and initiate a corrective action plan. • Complete an assessment of compliance with the Privacy Rule using the 45 CFR §164.530 Administrative Requirements as a guide. • Document and act upon a corrective action plan for Security Rule compliance, Privacy Rule compliance, and overall Risk Management per 45 CFR §164.308(a)(1)(ii)(B). Demonstrate Good Faith Effort

  6. Session Objectives • Review Regulatory Requirements and HHS/OCR Final Guidance • Understand Risk Analysis Essentials • Learn how to Complete a Risk Analysis

  7. HITECH meets HIPAA …at Meaningful Use Risk Analysis 45 CFR 164.308(a)(1)(ii)(A) HIPAA Security Final Rule Meaningful Use Final Rule

  8. Two Dimensions of HIPAA Security Business Risk Management Compliance 45 CFR 164.308(a)(8) Security 45 CFR 164.308(a)(1)(ii)(A) Overall Business Risk Management Program; Not “an IT project”

  9. Security Evaluation v. Risk Analysis • 45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart. • 45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process • (1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. • (ii) Implementation specifications: • (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

  10. EP Meaningful Use - Core Eligible Professionals 15 Core Objectives Computerized provider order entry (CPOE) E-Prescribing (eRx) Report ambulatory clinical quality measures to CMS/States Implement one clinical decision support rule Provide patients with an electronic copy of their health information, upon request Provide clinical summaries for patients for each office visit Drug-drug and drug-allergy interaction checks Record demographics Maintain an up-to-date problem list of current and active diagnoses Maintain active medication list Maintain active medication allergy list Record and chart changes in vital signs Record smoking status for patients 13 years or older Capability to exchange key clinical information among providers of care and patient-authorized entities electronically Protect electronic health information

  11. EH & CAH Meaningful Use EHs and CAHs 14 Core Objectives • Use CPOE for medication orders directly entered by any licensed healthcare professional who can enter orders into the medical record per State, local, and professional guidelines. • Implement drug-drug and drug-allergy interaction checks. • Maintain an up-to-date problem list of current and active diagnoses. • Maintain active medication list. • Maintain active medication allergy list. • Record specific set of demographics. • Record and chart changes in certain vital signs. • Record smoking status for patients 13 years old or older. • Report hospital clinical quality measures to CMS or, in the case of Medicaid eligible hospitals, the States. • Implement one clinical decision support rule related to a high priority hospital condition along with the ability to track compliance with that rule. • Provide patients with an electronic copy of their health information (including diagnostic test results, problem list, medication lists, medication allergies, discharge summary, procedures), upon request. • Provide patients with an electronic copy of their discharge instructions at time of discharge, upon request. • Capability to exchange key clinical information (for example, problem list, medication list, medication allergies, and diagnostic test results), among providers of care and patient authorized entities electronically. • Protect electronic health information.

  12. …from HHS/OCR Final Guidance Regardless of the risk analysis methodology employed… • Scope of the Analysis - All ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a).) • Data Collection - The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).) • Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).) • Assess Current Security Measures - Organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).) • Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).) • Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).) • Determine the Level of Risk - The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).) • Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).) • Periodic Review and Updates to the Risk Assessment - The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)

  13. Risk Management Guidance • Guidance on Risk Analysis Requirements under the HIPAA Security Rule (Final) • NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments – DRAFT • NIST SP800-34, Contingency Planning Guide for Federal Information Systems • NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach • NIST SP800-39 (Final), Managing Information Security Risk • NIST SP800-53 Revision 3 (Final), Recommended Security Controls for Federal Information Systems and Organizations • NIST SP800-53A, Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans

  14. Session Objectives • Review Regulatory Requirements and HHS/OCR Final Guidance • Understand Risk Analysis Essentials • Learn how to Complete a Risk Analysis

  15. Risk Analysis is Not Easy

  16. What A Risk Analysis Is Not A Risk Analysis IS the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, …, resulting from the operation of an information system. Part of risk management, it incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. A Risk Analysis is NOT: • A network vulnerability scan • A penetration test • A configuration audit • A network diagram review • A questionnaire • Information system activity review

  17. NOT Risk Management

  18. Risk Analysis and Risk Management • What is our exposure of our information assets (e.g., ePHI)? • What do we need to do to treat or manage risks? Both Are Required in MU and HIPAA

  19. Security Risk Management Process

  20. What is Risk? Goal = Understand What Risks Exist and Into What Category They Fall Risk = Impact * Likelihood

  21. Risk Analysis “Algebra”

  22. Threat Sources … An adapted definition of Threat Source, from NIST SP 800-30, is “The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally exploit a vulnerability...” • Adversarial • Individual-Outsider, -Insider; Group-Ad hoc, -Established… • Accidental • Ordinary User, Privileged User • Structural • IT Equipment, Environmental Controls, Software • Environmental • Natural or man-made disaster (fire, flood, hurricane), Unusual natural event, Infrastructure failure/outage (telecomm, power)

  23. Vulnerabilities A vulnerability is defined in NIST Special Publication (SP) 800-30 as “Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.” • Lack of strong password • Lack of personal firewall • Lack of data backup • Lack of policies • Failure to follow policies • Lack of training • Lack of encryption on laptops with ePHI… …and on and on …

  24. Controls Help Address Vulnerabilities Information Asset • Laptop with ePHI Threat Source • Burglar who may steal Laptop with ePHI Vulnerabilities • Device is portable • Weak password • ePHI is not encrypted • ePHI is not backed up Controls • Policies & Procedures • Training & Awareness • Cable lock down • Strong passwords • Encryption • Remote wipe • Data Backup

  25. Risk = f([Assets+Threats+Vulnerabilities+Controls] * [Likelihood * Impact]) Likelihood (based on threat, vulnerabilities and current controls in place) • Not Applicable • Rare • Unlikely • Moderate • Likely • Almost Certain Impact (based on size, sensitivity and effort or cost of remediation) • Not Applicable • Insignificant • Minor • Moderate • Major • Disastrous Risks • Financial • Political • Legal • Regulatory • Operational impact • Reputational

  26. Establishing a Risk Value Risk = Likelihood * Impact • Critical = 25 • High = 15-24 • Medium = 8-14 • Low = 0-7

  27. Simplified Risk Analysis Example

  28. The Process

  29. Criteria For Accepting Risks • Score Range: 0-25 • Risk Values • Critical = 25 • High = 15-24 • Medium = 8-14 • Low = 0-7 Example: Acceptable level of risk: 14 Value of risk A: 9 – no treatment is needed Value of risk B: 17 – risk treatment is needed
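The risk "algebra" of slides 20 through 29 (ordinal likelihood and impact scales, Risk = Likelihood * Impact on a 0-25 range, the Critical/High/Medium/Low bands, and a risk-acceptance threshold of 14) worked through in code. This is an added example, not software from the presentation or from Clearwater Compliance; the 0-5 numeric values behind the scale labels, the sample register built around the laptop-with-ePHI slide, and the ratings assigned to it are assumptions.

```python
from dataclasses import dataclass

# Ordinal scales from the slides. The 0-5 numeric mapping is an assumption,
# chosen so that Likelihood * Impact spans the slides' 0-25 score range.
LIKELIHOOD = {"Not Applicable": 0, "Rare": 1, "Unlikely": 2,
              "Moderate": 3, "Likely": 4, "Almost Certain": 5}
IMPACT = {"Not Applicable": 0, "Insignificant": 1, "Minor": 2,
          "Moderate": 3, "Major": 4, "Disastrous": 5}

# Score bands from the slides: Critical 25, High 15-24, Medium 8-14, Low 0-7.
BANDS = [(25, "Critical"), (15, "High"), (8, "Medium"), (0, "Low")]


@dataclass
class Risk:
    """One asset / threat source / vulnerability triple with its ratings."""
    asset: str
    threat_source: str
    vulnerability: str
    likelihood: str   # key of LIKELIHOOD, judged with current controls in place
    impact: str       # key of IMPACT


def risk_score(risk: Risk) -> int:
    """Risk = Likelihood * Impact, as on the slides."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def risk_band(score: int) -> str:
    """Map a 0-25 score to Critical / High / Medium / Low."""
    if not 0 <= score <= 25:
        raise ValueError(f"score out of range: {score}")
    return next(label for floor, label in BANDS if score >= floor)


def needs_treatment(score: int, acceptable_level: int = 14) -> bool:
    """Treatment is required when the score exceeds the accepted level (14)."""
    return score > acceptable_level


def rank_register(register: list, acceptable_level: int = 14) -> list:
    """Score every risk, flag those needing treatment, sort highest first."""
    rows = [{"asset": r.asset, "vulnerability": r.vulnerability,
             "score": risk_score(r), "band": risk_band(risk_score(r)),
             "treat": needs_treatment(risk_score(r), acceptable_level)}
            for r in register]
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample register based on the laptop-with-ePHI slide; the
# ratings are illustrative assumptions, not values from the presentation.
SAMPLE_REGISTER = [
    Risk("Laptop with ePHI", "Burglar who may steal laptop", "ePHI is not encrypted", "Likely", "Major"),
    Risk("Laptop with ePHI", "Burglar who may steal laptop", "Weak password", "Moderate", "Moderate"),
    Risk("Laptop with ePHI", "Hardware failure", "ePHI is not backed up", "Unlikely", "Major"),
]

if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER):
        print(row)
```

Note that with integer 0-5 scales only products of two such values occur, so not every score between 0 and 25 is reachable; the threshold of 14 therefore lands exactly at the top of the Medium band.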

  30. Risk Treatment • Risk Management = making informed decisions about treating risks • Avoid • Accept • Mitigate • Transfer • Share • Not all Risks need “mitigation” • All Risks need “treatment”

  31. Risk Management Risks of all types & sizes exist → Risk Identification → Risk Treatment: Avoid / Transfer Risks; Mitigate / Transfer Risks; Accept Risks

  32. Risk Mitigation Example After Before

  33. Session Objectives • Review Regulatory Requirements and HHS/OCR Final Guidance • Understand Risk Analysis Essentials • Learn how to Complete a Risk Analysis

  34. The Process

  35. The Risk Analysis Dilemma Over 10 million permutations of potential risk-control combinations

  36. Software Design Basis • HHS / OCR Final Guidance on Risk Analysis • NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments – DRAFT • NIST SP800-34, Contingency Planning Guide for Federal Information Systems • NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach • NIST SP800-39 (Final), Managing Information Security Risk • NIST SP800-53 Revision 3 (Final), Recommended Security Controls for Federal Information Systems and Organizations • NIST SP800-53A, Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans

  37. Clearwater HIPAA Security Risk Analysis™ Educate | Assess | Respond | Monitor | Document https://HIPAASecurityRiskAnalysis.com/

  38. How Risk Analysis Software Helps You • Approach rigorously based on OCR & NIST Guidance • Semi-quantitative • Comprehensive • Flexible for Setting Risk Appetite • Comprehensive documentation • Captures essential documentation • Identifies underlying media • Creates database for deletes / adds / changes • Includes 9 essential elements • Serves as ‘wizard’ to guide detailed process • Assures consistency, repeatability • Ratings facilitate dynamic risk ranking • Reporting facilitates informed decision making • “Notes” facilitate critical documentation re: Risk treatment decisions • Produces and houses all essential documentation • Provides “living, breathing risk management repository” • Enables easier, future incremental analyses

  39. Asset Inventory List

  40. Risk Questionnaire Form

  41. Risk Rating Report

  42. Sample Export – Asset Inventory

  43. Risk Analysis WorkShop™ Process • PREPARATION • Plan / Gather • Read Ahead • Complete QuickScreen™ • ONSITE SESSION • Facilitate • Educate • Evaluate • CONSULTATION • E-mail • Telephone • Web Meetings High Value – High Impact

  44. Summary and Next Steps • Risk Analysis is a Critical, Foundational Step • Consider Assessing the Forest as Well • Completing a Risk Analysis is key to HIPAA compliance • But, is not your only requirement… • Stay Business Risk Management-Focused • Don’t Call The Geek Squad • Large or Small: Get Help (Tools, Experts, etc) • Consider tools and templates

  45. June 25, 2012 | Chicago, IL Clearwater HIPAA Audit Prep BootCamp™ Take Your HIPAA Compliance Program to a Better Place, Faster

  46. Expert Instructors Bob Chaput, CISSP, CHP, CHSS, MCSE CEO Clearwater Compliance Jim Mathis, JD, CHC, CHP Healthcare Industry Attorney HIPAA Consultant James C. Pyles Principal Powers Pyles Sutter & Verville PC

  47. Get Smart! “On Demand” HIPAA HITECH RESOURCES, IF NEEDED: http://AboutHIPAA.com/about-hipaa/resources/ http://AboutHIPAA.com/webinars/

  48. Contact Bob Chaput, CISSP http://www.ClearwaterCompliance.com bob.chaput@ClearwaterCompliance.com Phone: 800-704-3394 or 615-656-4299 Clearwater Compliance LLC

  49. Additional Information

  50. Why Now? – What We’re Hearing “Our business partners (health plans) are demanding we become compliant…” – large national care management company (BA) “We did work on Privacy, but have no idea where to begin with Security” – 6-Physician Pediatric Practice (CE) “We want to proactively market our services by leveraging our HIPAA compliance status …” -- large regional fulfillment house (BA) “With all the recent changes and meaningful use requirements, we need to make sure we meet all The HITECH Act requirements …” – large family medicine group practice (CE) “We need to have a way to quickly take stock of where we are and then put in place a dashboard to measure and assure our compliance progress…” – national research consortium (BA) “We need to complete HIPAA-HITECH due diligence on a potential acquisition and need a gap analysis done quickly and efficiently…” – seniors care management company (BA)
