© Clearwater Compliance LLC | All Rights Reserved
August 15, 2019
CISO Virtual Cybersecurity SymposiumSession 3 | Module 5
Developing an OCR-Proof Risk Management Plan
Cathie Brown & Alex Masten
Today's Module 5 Presenters
Cathie Brown, PMP, CGEIT, CISM, CISSP
Vice President, Professional Services
• 30+ years in Information Technology, including 20 years in Health IT
• 15+ years in Information Security, Risk Management and Compliance
• 10+ years in Management Consulting
• Former Deputy Chief Information Security Officer for the Commonwealth of Virginia
• Expertise and Focus: Developing and leading Information Security and Risk Management teams, Healthcare and HIPAA Compliance
• Board Member of Virginia HIMSS Chapter, Chair of Women in Health IT SIG
Today's Module 5 Presenters
Alex Masten, MSA, HCISPP
Director of Training and Solutions Architect
• 10+ years of Healthcare Compliance Experience from all three designations of a Covered Entity
• 5+ years of Information Security Risk Management experience
• 4+ years of executive leadership experience
• 5+ years of project management and business analyst experience
• Former Corporate Compliance Officer for a third-party Cloud Service Provider (CSP)
• Proven success managing client relationships and securing renewals
• Sitting for CISSP, Certification in Healthcare Privacy and Security (CHPS), and Certification in Health Care Compliance (CHC) in 2020
Module 5 Overview
Title: Developing an OCR-Proof Risk Management Plan
Module Duration = 50 Minutes
Learning Objectives Addressed in This Module:
1. Understand the regulatory requirements and most effective standards for responding to risk
2. Know the four essential options for effective risk response
3. Evaluate alternatives to reduce risk in terms of effectiveness and feasibility
4. Learn how to make sure risk responses get implemented through tracking new or improved controls and safeguards
Pause and Quick Poll
5.1 What type of organization do you represent?
• Hospital / Health System
• Other CE
• BA
• Hybrid
• Don't Know
Discussion Flow
What does ‘OCR-Proof’ mean?
Risk Analysis and Risk Response
Risk Management
Pause and Quick Poll
5.2 Before we begin, do you believe your organization has completed a bona fide Risk Analysis and has a Risk Management Plan in place that meets OCR requirements?
HIPAA Regulatory Requirements for OCR-Proof IRM
Security Evaluation v. Risk Analysis

45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

45 C.F.R. §164.308(a)(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Risk Analysis & Risk Management Adverse Findings
1. WRONG REPORT: submission of a Non-Technical Evaluation or Technical Evaluation or something else
2. NOT ASSET-BASED: too many organizations treating it as a checklist matter rather than a loss/harm matter
3. NOT COMPREHENSIVE ENOUGH: must include every asset in every LOB in every facility in every location
4. NOT DETAILED ENOUGH: not considering every asset-threat-vulnerability scenario
5. NOT FOLLOWING OCR/NIST GUIDANCE: 9 essential elements in OCR guidance
6. NOT ENOUGH DOCUMENTATION/ENGAGEMENT: little evidence of a vibrant ongoing program and management engagement
To date, there have been 66 Office for Civil Rights enforcement actions; 90% of those enforcement actions related to ePHI included adverse findings in organizations' Risk Analysis & Risk Management.
IRM|Analysis™ and Clearwater isolate and address all of these issues.
OCR's Breadth and Depth Re: Risk Analysis
Information Asset Types = Breadth
• Traditional IT Assets
• Medical Devices
• Networking Infrastructure Components
• Third-party Services and Providers
• Other IoT Integrated Devices or Equipment
OCR-Quality Review = Depth
• 45 CFR §164.306(a)
• 45 CFR §164.308(a)(1)(ii)(A)
• "Guidance on Risk Analysis Requirements under the HIPAA Security Rule"
• "OCR Audit Protocol – Updated April 2016"
• "OCR Resolution Agreements / Corrective Action Plans"
• NIST SP 800-30 "Guide for Conducting Risk Assessments"
Discussion Flow
What does ‘OCR-Proof’ mean?
Risk Analysis and Risk Response
Risk Management
Information Risk Management - Three Critical Building Blocks
Framework + Maturity Model + Process
NIST SP 800-39
IRM|Pro® / IRM|Framework™

INFORMATION RISK MANAGEMENT MATURITY LEVEL (columns): Immature (<25%), Defined (<50%), Managed (<75%), Established (<94%), Optimized (>95%)
KEY RISK MANAGEMENT CAPABILITIES (rows):

Governance, Awareness of Benefits and Value
  Immature: No Board Oversight Council or strategy for IRM
  Defined: Risk Management is on the agenda, but IRM is not considered important strategically
  Managed: Board engagement and documented guiding principles aligning strategic decisions with IRM
  Established: Cyber expertise on the Board and active engagement in IRM activities and decisions
  Optimized: IRM is incorporated into all business strategic and tactical decisions

People, Skills, Knowledge & Culture
  Immature: No Executive Committee exists to execute an IRM strategy or tactics
  Defined: A Working Group has started to be established, with some understanding of the importance of IRM
  Managed: Cyber expertise exists on the Executive Committee and responsibilities for the Working Group have been established
  Established: Executive Committee has determined a risk threshold on which business decisions are made
  Optimized: High degree of IRM knowledge and understanding across the whole organization regarding IRM decisions

Process, Discipline & Repeatability
  Immature: No or incomplete P&Ps or formal practices regarding IRM
  Defined: Some P&Ps have been documented; no or minimal Evidence of Practice exists
  Managed: The process for framing, assessing and responding to IRM risks is documented and followed
  Established: Responsibility for documenting P&Ps and evidence of practice has been assigned and is being followed
  Optimized: The organization has adopted continuous process improvement and milestones to reach a maturity level

Use of Standards, Technology Tools / Scalability
  Immature: No standards or tools for scaling IRM activities exist
  Defined: Some standards have been adopted and some tools for scaling IRM activities exist
  Managed: IRM tools have started to be integrated into business and IT strategies, tactics and plans
  Established: Tools for tactical operations have been adopted, e.g. detection, incident response, identity management, etc.
  Optimized: Sound understanding and consistent use of standards and tools for productivity and scalability

Engagement, Delivery & Operations
  Immature: Any IRM activity is primarily driven by compliance requirements, not business
  Defined: IRM activity is ad hoc, driven by individuals who apply their own priorities to the process
  Managed: Use of the IRM process, framework and strategy is somewhat consistent across the organization
  Established: All IRM participants are convinced that the IRM program has reduced security incidents
  Optimized: IRM is embedded in decision making and continuous process improvement is a way of life
Risk Analysis: The Risk Problem We're Trying to Solve
INTEGRITY: What if Sensitive Information is not complete, up-to-date and accurate?
CONFIDENTIALITY: What if Sensitive Information is shared?
AVAILABILITY: What if Sensitive Information, Systems or Devices are not there when needed?
Info Systems & Devices: Don't Compromise C-I-A!
Single Biggest Issue: Risk Identification
Risk Analysis: To Solve the Problem
1. Risk Assessment: What are ALL the exposures of ALL our information assets (e.g., ePHI)?
2. Risk Response: What decisions do we need to make to treat or manage risks?
Both Are Required in Federal Regulations AND As the Basis for any Respectable Information Security Program in Any Industry!
Lots of Good Assessments, Only One Bona Fide Risk Analysis!
• External Security Assessment
• Architecture Assessment
• Internal Security Assessment
• Security Rule Compliance Assessment
• Wireless LAN Security Validation
• Information Security Program Assessment
• Meaningful Use EHR Technical Controls Assessment
• Social Engineering Assessment
• OWASP Web Application Assessments
• NIST CSF Current Profile Assessment
• 10-Point Tactical HIPAA and Cyber Risk Management Assessment
• Strategic Enterprise IRM Program Maturity Assessment
• Etc.
The Bona Fide, Comprehensive Risk Analysis Required at 45 CFR §164.308(a)(1)(ii)(A) MEANS OCR Guidance and NIST SP 800-30!
Rx: OCR Risk Analysis Guidance
Regardless of the risk analysis methodology employed…
1. Scope of the Analysis
2. Data Collection
3. Identify and Document Potential Threats and Vulnerabilities
4. Assess Current Security Measures
5. Determine the Likelihood of Threat Occurrence
6. Determine the Potential Impact of Threat Occurrence
7. Determine the Level of Risk
8. Finalize Documentation
9. Periodic Review and Updates to the Risk Assessment
10. Meet Emerging OCR Standard of Care (added by Clearwater)
Must Examine All Reasonably Anticipated Asset-Threat-Vulnerability Combinations
• Risk exists when and only when an Asset, a Threat and a Vulnerability are present
• It's about saving your assets, not about someone else's controls checklist
• No Assets = No Risk
• No Threats = No Risk
• No Vulnerabilities = No Risk
The Risk Analysis Dilemma
Assets and Media: Backup Media, Desktop, Disk Array, Electronic Medical Device, Laptop, Pager, Server, Smartphone, Storage Area Network, Tablet, Third-party Service Provider, etc.
Vulnerabilities: Anti-malware Vulnerabilities, Destruction/Disposal Vulnerabilities, Dormant Accounts, Endpoint Leakage Vulnerabilities, Excessive User Permissions, Insecure Network Configuration, Insecure Software Development Processes, Insufficient Application Capacity, Insufficient Data Backup, Insufficient Data Validation, Insufficient Equipment Redundancy, Insufficient Equipment Shielding, Insufficient Fire Protection, Insufficient HVAC Capability, Insufficient Power Capacity, Insufficient Power Shielding, etc.
Threat Agents: Burglar/Thief, Electrical Incident, Entropy, Fire, Flood, Inclement Weather, Malware, Network Connectivity Outage, Power Outage/Interruption, etc.
Threat Actions: Burglary/Theft, Corruption or Destruction of Important Data, Data Leakage, Data Loss, Denial of Service, Destruction of Important Data, Electrical Damage to Equipment, Fire Damage to Equipment, Information Leakage, etc.
NIST SP 800-53 Controls (hundreds and hundreds), for example:
PS-6 a The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
PS-6 b The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
AC-19 a The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices.
AC-19 b The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.
AC-19 d The organization enforces requirements for the connection of mobile devices to organizational information systems.
AC-19 e The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.
AC-19 f The organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
Millions of Combinations
Review Point 5: Determine Likelihood
Chance that bad thing will happen?
Review Point 6: Determine Impact
Harm or loss if bad thing happens?
Review Point 7: Establish Risk Threshold (e.g., 10)
Above threshold: Generally, Avoid, Mitigate or Transfer
Below threshold: Generally, Accept
Review Point 1-A: Scope of the Analysis
Review Point 1-B: Scope of the Analysis
Determining Type and Number of Entities
Hospitals, Clinics, Rural Clinic, Imaging Center, ASC, LTC Facility, Home Health, Hospice, Rehab Clinic, Dialysis Clinic, Behavioral, EMS, CHC, Research, Insurance
Review Point 2-A: Data Collection
Review Point 2-B: Data Collection
Review Point 3: Identify and Document Threats & Vulnerabilities
Review Point 4-A: Assess Relevant Security Controls In Place
Review Point 7: Determine the Level of Risk
Review Point 7: Determine the Level of Risk at Granular Level

Asset    Threat Source / Action    Vulnerability          Likelihood    Impact        Risk Rating
Laptop   Burglar steals laptop     No encryption          High (5)      High (5)      25
Laptop   Burglar steals laptop     Weak passwords         High (5)      High (5)      25
Laptop   Burglar steals laptop     No tracking            High (5)      High (5)      25
Laptop   Careless user drops       No data backup         Medium (3)    High (5)      15
Laptop   Shoulder surfer views     No privacy screen      Low (1)       Medium (3)    3
Laptop   Lightning strike          No surge protection    Low (1)       High (5)      5
Etc.
(Risk Rating = Likelihood x Impact)
Really?
You Must Get Specific on Asset / Media, Threats and Vulnerabilities, etc.
Review Point 8-A: Finalize Documentation
Above threshold: Generally, Avoid, Mitigate or Transfer
Below threshold: Generally, Accept
Review Point 8-B: Finalize Documentation
Review Point 8-C: Finalize Documentation
Review Point 9: Periodic Review and Updates
Show your Ongoing Effort!
Informed Risk Response Decisions
• Accept: Risk is considered low, below our threshold
• Avoid: Risk is above our threshold, and the benefit is not worth the risk to the organization
• Mitigate: Controls must be implemented to minimize the impact of this risk
• Share/Transfer: Risk is necessary to the mission of the organization and must be transferred or shared (e.g., cyber insurance)
IRM: Risk Action Plan
Pause and Quick Poll
5.3 On second thought, has your organization completed a bona fide Risk Analysis, and does it have a Risk Management Program in place?
Discussion Flow
What does ‘OCR-Proof’ mean?
Risk Analysis and Risk Response
Risk Management
Risk Management Fundamentals
• All Risks Must Be Managed
• Not All Risks Must Be Mitigated
• Risk Management Requires Setting Your Risk Appetite
• Risk Management Requires Real Risk Analysis
• Risk Management is Informed Decision Making – What's New?
OCR-Proof Risk Management
Starts with an OCR-Proof Risk Analysis
1. Risk Analysis: Threats, Vulnerabilities, Impact, Threshold
2. Risk Response: Accept, Mitigate, Avoid, Share/Transfer; Develop/Implement RM Plan
3. Risk Management: Implement Security Measures; Evaluate and Maintain Security Measures
Develop and Implement the Risk Management Plan
Purpose: Provide structure for the covered entity's evaluation, prioritization, and implementation of risk-reducing security measures
Prioritization:
• Which risks should be addressed immediately?
• Which security measures should be implemented?
Implementation:
• Document the risks being addressed
• Define the security measures selected to reduce the risks
• Implementation project priorities, e.g., required resources, assigned responsibilities, start and completion dates, maintenance requirements
Project Management and Governance
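As an added worked example (not code from the deck or from Clearwater's IRM|Analysis or IRM|Pro products), the Python script below ties the granular laptop risk table (Review Point 7), the example threshold of 10 and the four response options to the plan fields on this slide: each asset-threat-vulnerability row is rated as likelihood x impact, compared against the threshold, assigned a response, and, for the risks that must be addressed, tracked as a plan item with owner, start and completion dates and a re-rated residual risk. The six laptop rows and the Low/Medium/High = 1/3/5 scale are the deck's; the owners, dates, residual ratings and the reporting date are constructed, and the rule that a rating equal to the threshold counts as above it is an assumption the slide does not state.

```python
"""Risk register -> rating -> response decision -> Risk Management Plan tracking.
Added worked example, not Clearwater's IRM|Analysis/IRM|Pro tooling. The six laptop
scenarios, the Low/Medium/High = 1/3/5 scale and the example threshold of 10 are from
the deck; the owners, dates, residual ratings and AS_OF below are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

SCALE = {"Low": 1, "Medium": 3, "High": 5}   # ordinal scale from the deck's risk table
AS_OF = date(2019, 12, 1)                    # constructed reporting date for the plan


@dataclass(frozen=True)
class Risk:
    """One asset-threat-vulnerability scenario, the unit OCR expects to see rated."""
    asset: str
    threat: str          # threat source / action
    vulnerability: str
    likelihood: str      # key into SCALE
    impact: str          # key into SCALE

    @property
    def rating(self) -> int:
        return SCALE[self.likelihood] * SCALE[self.impact]   # Review Point 7


def decide_response(rating: int, threshold: int = 10, *,
                    benefit_worth_risk: bool = True, mission_necessary: bool = False) -> str:
    """Map a rating to one of the deck's four responses. Assumption (the slide only says
    "e.g., 10"): a rating equal to the threshold counts as above it, never as Accept."""
    if rating < threshold:
        return "Accept"            # below threshold
    if not benefit_worth_risk:
        return "Avoid"             # above threshold, benefit not worth the risk
    if mission_necessary:
        return "Share/Transfer"    # activity must continue, e.g. cyber insurance
    return "Mitigate"              # implement controls to reduce the risk


def prioritize(register: list, threshold: int = 10) -> list:
    """Risks at or above the threshold, highest rating first (address these immediately)."""
    return sorted((r for r in register if r.rating >= threshold),
                  key=lambda r: r.rating, reverse=True)


@dataclass
class PlanItem:
    """A Risk Management Plan line: risk, selected measure, owner, dates, residual risk."""
    risk: Risk
    measure: str
    owner: str
    start: date
    due: date
    completed: Optional[date] = None
    residual: Optional[Tuple[str, str]] = None   # (likelihood, impact) once implemented

    def residual_rating(self) -> int:
        if self.completed is None or self.residual is None:
            return self.risk.rating          # nothing implemented yet: inherent risk stands
        return SCALE[self.residual[0]] * SCALE[self.residual[1]]

    def status(self, as_of: date) -> str:
        if self.completed is not None:
            return "complete"
        return "overdue" if as_of > self.due else "open"


def plan_report(plan: list, as_of: date, threshold: int = 10) -> dict:
    """Evidence of an ongoing program: what is open, overdue, or still above threshold."""
    return {
        "open": [p.measure for p in plan if p.status(as_of) == "open"],
        "overdue": [p.measure for p in plan if p.status(as_of) == "overdue"],
        "still_above_threshold": [p.measure for p in plan if p.status(as_of) == "complete"
                                  and p.residual_rating() >= threshold],
    }


# The deck's six laptop scenarios (ratings 25, 25, 25, 15, 3, 5).
REGISTER = [
    Risk("Laptop", "Burglar steals laptop", "No encryption", "High", "High"),
    Risk("Laptop", "Burglar steals laptop", "Weak passwords", "High", "High"),
    Risk("Laptop", "Burglar steals laptop", "No tracking", "High", "High"),
    Risk("Laptop", "Careless user drops", "No data backup", "Medium", "High"),
    Risk("Laptop", "Shoulder surfer views", "No privacy screen", "Low", "Medium"),
    Risk("Laptop", "Lightning strike", "No surge protection", "Low", "High"),
]

# Constructed plan for the four above-threshold risks; owners, dates, residuals made up.
PLAN = [
    PlanItem(REGISTER[0], "Full-disk encryption on all laptops", "Desktop Eng.", date(2019, 9, 1),
             date(2019, 10, 31), completed=date(2019, 10, 15), residual=("High", "Low")),
    PlanItem(REGISTER[1], "Password complexity policy + MFA", "IAM team", date(2019, 9, 1),
             date(2019, 11, 1)),                                 # not yet done
    PlanItem(REGISTER[2], "Endpoint tracking / remote wipe", "Desktop Eng.", date(2019, 9, 1),
             date(2019, 11, 30), completed=date(2019, 11, 20), residual=("High", "Medium")),
    PlanItem(REGISTER[3], "Automated nightly backups", "Infrastructure", date(2019, 11, 1),
             date(2020, 1, 15)),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.rating:>3}  {decide_response(r.rating):<14} {r.asset}: {r.vulnerability}")
    print(plan_report(PLAN, as_of=AS_OF))   # residual 15 on tracking stays above threshold
```

Two design points worth noting. First, a plan item keeps its inherent rating until the measure is actually completed, so an unimplemented control never lowers the number an auditor sees. Second, completing a measure is not the same as closing the risk: the endpoint-tracking item is marked complete but its re-rated residual (High likelihood, Medium impact = 15) is still above the threshold, so the report flags it for another response decision rather than letting it drop off the list.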
Implement, Evaluate and Maintain Security Measures (EXAMPLES)

Security Measure: Identity & Access
  Technical Implementation: Password Complexity
  Non-Technical Implementation: Password Policies; Password Education
  Evaluate and Maintain: Monitor for password resets; Update password education

Security Measure: Disaster Recovery
  Technical Implementation: Automated Backups
  Non-Technical Implementation: Disaster Recovery Policies; Disaster Recovery Plan
  Evaluate and Maintain: Test Disaster Recovery Plan; After Action Report; Update policies and DR Plan

Security Measure: Network Security
  Technical Implementation: Next Generation Firewalls
  Non-Technical Implementation: Network Security Policies; Configuration Documentation
  Evaluate and Maintain: Review firewall logs; Update configuration for new threats; Update configuration documentation

Security Measure: Data Protection in Transit
  Technical Implementation: Encryption via SSL VPN
  Non-Technical Implementation: Encryption Policies; SSL VPN Education
  Evaluate and Maintain: Monitor logs for effective use of SSL VPN; Continue education for users

Etc.
Discussion Flow
What does ‘OCR-Proof’ mean?
Risk Analysis and Risk Response
Risk Management
BONUS: Final Thoughts
Review Plan: OCR Risk Analysis Guidance
Does this look like a controls checklist? It's a systematic, ongoing process!
Regardless of the risk analysis methodology employed…
1. Scope of the Analysis
2. Data Collection
3. Identify and Document Potential Threats and Vulnerabilities
4. Assess Current Security Measures
5. Determine the Likelihood of Threat Occurrence
6. Determine the Potential Impact of Threat Occurrence
7. Determine the Level of Risk
8. Finalize Documentation
9. Periodic Review and Updates to the Risk Assessment
10. Meet Emerging OCR Standard of Care (added by Clearwater)
Bottom Line
NOT About Someone Else's Control Checklist
It's About Saving Your Assets and Doing No Harm!
OCR-Quality Risk Analysis – Risk Management Review
The ten Risk Analysis Key Essential Criteria that are assessed are derived from:
1. the HIPAA Risk Analysis implementation specification language at 45 CFR §164.308(a)(1)(ii)(A) of the HIPAA Security Rule;
2. the methodology outlined in the HHS/OCR "Guidance on Risk Analysis Requirements under the HIPAA Security Rule";
3. the underlying NIST Special Publications for performing a risk assessment and, specifically, NIST SP 800-30 "Guide for Conducting Risk Assessments";
4. the documentation found in OCR investigation letters and "OCR Resolution Agreements / Corrective Action Plans";
5. the "OCR Audit Protocol – Updated April 2016" specific to Risk Analysis and Risk Management;
6. our work with numerous organizations subjected to OCR enforcement actions that included reviews of organizations' risk analyses.
Pause and Quick Poll
5.4 This webinar was valuable in increasing my understanding of conducting an OCR-Quality Risk Analysis and Risk Management.
• Strongly Agree
• Agree
• Not Sure
• Disagree
• Strongly Disagree
Module 5: Supplemental Resources
• Sample - HIPAA Security Risk Analysis FOR Report
• Guidance on Risk Analysis Requirements under the HIPAA Security Rule
• NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments
• NIST SP 800-39, Managing Information Security Risk
• NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• The Clearwater Definition of an Information Asset
Additional Resources
• NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
• NIST SP 800-34, Contingency Planning Guide for Federal Information Systems
• MU Stage 2 Hospital Core 7 Protect Electronic Health Info 2012-11-05
• NIST Risk Management Framework 2009
Thank You & Questions
Cathie Brown, [email protected] or 434-665-0345
Alex Masten, [email protected] or (317) 679-2031
Legal Disclaimer
Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.
Copyright Notice
All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.