
Page 1: Developing an OCR-Proof Risk Management Plan … · 05.08.2019 · • 15+ years in Information Security, Risk Management and Compliance • 10+ years in Management Consulting •

© Clearwater Compliance LLC | All Rights Reserved

August 15, 2019

CISO Virtual Cybersecurity Symposium, Session 3 | Module 5

Developing an OCR-Proof Risk Management Plan

Cathie Brown & Alex Masten

Page 2

Today's Module 5 Presenters

Cathie Brown, PMP, CGEIT, CISM, CISSP

Vice President, Professional Services

• 30+ years in Information Technology, including 20 years in Health IT
• 15+ years in Information Security, Risk Management and Compliance
• 10+ years in Management Consulting
• Former Deputy Chief Information Security Officer for the Commonwealth of Virginia
• Expertise and Focus: Developing and leading Information Security and Risk Management teams, Healthcare and HIPAA Compliance
• Board Member of Virginia HIMSS Chapter, Chair of Women in Health IT SIG

Page 3

Today's Module 5 Presenters

Alex Masten, MSA, HCISPP

Director of Training and Solutions Architect

• 10+ years of Healthcare Compliance Experience from all three designations of a Covered Entity
• 5+ years of Information Security Risk Management experience
• 4+ years of executive leadership experience
• 5+ years of project management and business analyst experience
• Former Corporate Compliance Officer for a third-party Cloud Service Provider (CSP)
• Proven success managing client relationships and securing renewals
• Sitting for CISSP, Certification in Healthcare Privacy and Security (CHPS), and Certification in Health Care Compliance (CHC) in 2020

Page 4

Title: Developing an OCR-Proof Risk Management Plan

Module Duration = 50 Minutes

Learning Objectives Addressed in This Module:
1. Understand the regulatory requirements and most effective standards for responding to risk
2. Know the four essential options for effective risk response
3. Evaluate alternatives to reduce risk in terms of effectiveness and feasibility
4. Learn how to make sure risk responses get implemented through tracking new or improved controls and safeguards

Module 5 Overview

Page 5

Pause and Quick Poll

5.1 What type of organization do you represent?

Hospital/Health System
Other CE
BA
Hybrid
Don't Know

Page 6

Discussion Flow

What does ‘OCR-Proof’ mean?

Risk Analysis and Risk Response

Risk Management

Page 7

5.2 Before we begin, do you believe your organization has completed a bona fide Risk Analysis and has a Risk Management Plan in place that meets OCR requirements?

Pause and Quick Poll

Page 8

HIPAA Regulatory Requirements for OCR-Proof IRM

Page 9

Security Evaluation v. Risk Analysis

45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

45 C.F.R. §164.308(a)(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Page 10

Risk Analysis & Risk Management Adverse Findings

1. WRONG REPORT: submission of a Non-Technical Evaluation or Technical Evaluation or something else
2. NOT ASSET-BASED: too many organizations treat risk analysis as a checklist matter rather than a loss/harm matter
3. NOT COMPREHENSIVE ENOUGH: must include every asset in every LOB in every facility in every location
4. NOT DETAILED ENOUGH: not considering every asset-threat-vulnerability scenario
5. NOT FOLLOWING OCR/NIST GUIDANCE: 9 essential elements in OCR guidance
6. NOT ENOUGH DOCUMENTATION/ENGAGEMENT: little evidence of a vibrant, ongoing program and management engagement

To date, there have been 66 Office for Civil Rights enforcement actions; 90% of those enforcement actions related to ePHI included adverse findings in organizations' Risk Analysis & Risk Management.

IRM|Analysis™ and Clearwater isolate and address all of these issues.

Page 11

OCR’s Breadth and Depth Re: Risk Analysis

Information Asset Types = Breadth

• Traditional IT Assets
• Medical Devices
• Networking Infrastructure Components
• Third-party Services and Providers
• Other IoT Integrated Devices or Equipment

OCR-Quality Review = Depth

45 CFR §164.306(a)

45 CFR §164.308(a)(1)(ii)(A)

“Guidance on Risk Analysis Requirements under the HIPAA Security Rule”

"OCR Audit Protocol – Updated April 2016"

"OCR Resolution Agreements / Corrective Action Plans"

NIST SP 800-30 “Guide for Conducting Risk Assessments”

Page 12

Discussion Flow

What does ‘OCR-Proof’ mean?

Risk Analysis and Risk Response

Risk Management

Page 13

Information Risk Management - Three Critical Building Blocks

Framework + Maturity Model + Process

NIST SP 800-39 | IRM|Pro® | IRM|Framework™

Information Risk Management Maturity Level (horizontal axis): Immature <25% | Defined <50% | Managed <75% | Established <94% | Optimized >95%

Key Risk Management Capabilities (vertical axis):

Governance, Awareness of Benefits and Value
  Immature: No Board Oversight Council or strategy for IRM
  Defined: Risk Management is on the agenda, but IRM not considered important strategically
  Managed: Board engagement and documented guiding principles aligning strategic decisions with IRM
  Established: Cyber expertise on the Board and active engagement in IRM activities and decisions
  Optimized: IRM is incorporated into all business strategic and tactical decisions

People, Skills, Knowledge & Culture
  Immature: No Executive Committee exists to execute an IRM strategy or tactics
  Defined: A Working Group has started to be established with some understanding of the importance of IRM
  Managed: Cyber expertise exists on the Executive Committee and responsibilities for the Working Group have been established
  Established: Executive Committee has determined a risk threshold on which business decisions are made
  Optimized: High degree of IRM knowledge and understanding across the whole organization regarding IRM decisions

Process, Discipline, & Repeatability
  Immature: No or incomplete P&Ps or formal practices regarding IRM
  Defined: Some P&Ps have been documented; no or minimal Evidence of Practice exists
  Managed: The process for framing, assessing and responding to IRM risks is documented and followed
  Established: Responsibility for documenting P&Ps and evidence of practice has been assigned and is being followed
  Optimized: The organization has adopted continuous process improvement and milestones to reach a maturity level

Use of Standards, Technology Tools / Scalability
  Immature: No standards or tools for scaling IRM activities exist
  Defined: Some standards have been adopted and some tools for scaling IRM activities exist
  Managed: IRM tools have started to be integrated into business and IT strategies, tactics and plans
  Established: Tools for tactical operations have been adopted, e.g. detection, incident response, identity management, etc.
  Optimized: Sound understanding, consistent use of standards and tools for productivity and scalability

Engagement, Delivery & Operations
  Immature: Any IRM activity is primarily driven by compliance requirements, not business
  Defined: IRM activity is ad hoc, driven by individuals who apply their own priorities to the process
  Managed: Use of the IRM process, framework and strategy is somewhat consistent across the organization
  Established: All IRM participants are convinced that the IRM program has reduced security incidents
  Optimized: IRM is embedded in decision making and continuous process improvement is a way of life

Page 14

Risk Analysis: The Risk Problem We’re Trying to Solve

Confidentiality: What if Sensitive Information is shared?
Integrity: What if Sensitive Information is not complete, up-to-date and accurate?
Availability: What if Sensitive Information, Systems or Devices are not there when needed?

Info Systems & Devices: Don’t Compromise C-I-A!

Single Biggest Issue: Risk Identification

Page 15

Risk Analysis: To Solve the Problem

1. Risk Assessment: What are ALL the exposures of ALL our information assets (e.g., ePHI)?

2. Risk Response: What decisions do we need to make to treat or manage risks?

Both Are Required in Federal Regulations AND As the Basis for any Respectable Information Security Program in Any Industry!

Page 16

Lots of Good Assessments, Only One Bona Fide Risk Analysis!

• External Security Assessment

• Architecture Assessment

• Internal Security Assessment

• Security Rule Compliance Assessment

• Wireless LAN Security Validation

• Information Security Program Assessment

• Meaningful Use EHR Technical Controls Assessment

• Social Engineering Assessment

• OWASP Web Application Assessments

• NIST CSF Current Profile Assessment

• 10-Point Tactical HIPAA and Cyber Risk Management Assessment

• Strategic Enterprise IRM Program Maturity Assessment

• ETC…

Bona Fide, Comprehensive Risk Analysis Required at 45 CFR §164.308(a)(1)(ii)(A) MEANS OCR Guidance and NIST SP800-30!

Page 17

Rx: OCR Risk Analysis Guidance

Regardless of the risk analysis methodology employed…
1. Scope of the Analysis
2. Data Collection
3. Identify and Document Potential Threats and Vulnerabilities
4. Assess Current Security Measures
5. Determine the Likelihood of Threat Occurrence
6. Determine the Potential Impact of Threat Occurrence
7. Determine the Level of Risk
8. Finalize Documentation
9. Periodic Review and Updates to the Risk Assessment
10. Meet Emerging OCR Standard of Care (added by Clearwater)

Page 18

• Risk exists when and only when an Asset, a Threat and a Vulnerability are present

• It’s about saving your assets, not about someone else's controls checklist

• No Assets → No Risk
• No Threats → No Risk
• No Vulnerabilities → No Risk

Must Examine All Reasonably Anticipated Asset-Threat-Vulnerability Combinations

Page 19

The Risk Analysis Dilemma

Assets and Media: Backup Media, Desktop, Disk Array, Electronic Medical Device, Laptop, Pager, Server, Smartphone, Storage Area Network, Tablet, Third-party service provider, etcetera…

NIST SP 800-53 Controls (hundreds and hundreds), for example:

PS-6 a The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
PS-6 b The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
AC-19 a The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices.
AC-19 b The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.
AC-19 d The organization enforces requirements for the connection of mobile devices to organizational information systems.
AC-19 e The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.
AC-19 f The organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.

Vulnerabilities: Anti-malware Vulnerabilities, Destruction/Disposal Vulnerabilities, Dormant Accounts, Endpoint Leakage Vulnerabilities, Excessive User Permissions, Insecure Network Configuration, Insecure Software Development Processes, Insufficient Application Capacity, Insufficient data backup, Insufficient data validation, Insufficient equipment redundancy, Insufficient equipment shielding, Insufficient fire protection, Insufficient HVAC capability, Insufficient power capacity, Insufficient power shielding, etcetera…

Threat Actions: Burglary/Theft, Corruption or destruction of important data, Data Leakage, Data Loss, Denial of Service, Destruction of important data, Electrical damage to equipment, Fire damage to equipment, Information leakage, etcetera…

Threat Agents: Burglar/Thief, Electrical Incident, Entropy, Fire, Flood, Inclement weather, Malware, Network Connectivity Outage, Power Outage/Interruption, etcetera…

Millions of Combinations

Page 20

Review Point 5: Determine Likelihood

Chance that bad thing will happen?

Page 21

Review Point 6: Determine Impact

Harm or loss if bad thing happens?

Page 22

Review Point 7: Establish Risk Threshold (e.g., 10)

Above the threshold: Generally, Avoid, Mitigate or Transfer

Below the threshold: Generally, Accept

Page 23

Review Point 1-A: Scope of the Analysis

Page 24

Review Point 1-B: Scope of the Analysis

Page 25

Determining Type and Number of Entities (PDF)

CHC, Research, Insurance, Clinics, Imaging Center, Home Health, Hospitals, LTC Facility, ASC, EMS, Hospice, Rehab Clinic, Rural Clinic, Dialysis Clinic, Behavioral

Page 26

Review Point 2-A: Data Collection

Page 27

Review Point 2-B: Data Collection

Page 28

Review Point 3: Identify and Document Threats & Vulnerabilities

Page 29

Review Point 4-A: Assess Relevant Security Controls In Place

Page 30

Review Point 7: Determine the Level of Risk


Page 31

Review Point 7: Determine the Level of Risk at Granular Level

Asset   Threat Source / Action   Vulnerability         Likelihood   Impact       Risk Rating
Laptop  Burglar steals laptop    No encryption         High (5)     High (5)     25
Laptop  Burglar steals laptop    Weak passwords        High (5)     High (5)     25
Laptop  Burglar steals laptop    No tracking           High (5)     High (5)     25
Laptop  Careless User Drops      No data backup        Medium (3)   High (5)     15
Laptop  Shoulder Surfer views    No privacy screen     Low (1)      Medium (3)   3
Laptop  Lightning Strike         No surge protection   Low (1)      High (5)     5
Etc.

Risk Rating = Likelihood × Impact on the 1/3/5 scale shown.
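The rating column is Likelihood × Impact on a 1/3/5 scale, and the earlier "Risk Analysis Dilemma" slide asks for every reasonably anticipated asset-threat-vulnerability combination to be examined. The following Python is an added example, not part of the Clearwater deck or its IRM|Analysis product: it encodes the six laptop rows as data, enumerates the asset × threat × vulnerability product and filters it to applicable pairs, applies the slide's example threshold of 10 to split accept from treat, and recomputes residual risk after a planned control. The applicability map, the choice of full-disk encryption as the control, and the handling of a rating exactly at the threshold are assumptions made for the example.

```python
"""Added example (not from the Clearwater deck or its IRM|Analysis product):
a minimal asset-threat-vulnerability risk register. It scores each scenario as
Likelihood x Impact on the slide's 1/3/5 scale, applies a risk threshold,
enumerates candidate combinations the way the "Risk Analysis Dilemma" slide
describes, and shows residual risk after a planned control is applied."""
from dataclasses import dataclass, replace
from itertools import product
from typing import Dict, Iterable, List, Optional, Tuple

# Ordinal scale used on the slide: Low = 1, Medium = 3, High = 5.
SCALE: Dict[str, int] = {"Low": 1, "Medium": 3, "High": 5}


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str         # threat source / action, e.g. "Burglar steals laptop"
    vulnerability: str
    likelihood: str     # key into SCALE
    impact: str         # key into SCALE

    @property
    def rating(self) -> int:
        """Risk rating = likelihood x impact, matching the slide's column."""
        return SCALE[self.likelihood] * SCALE[self.impact]


def response_for(rating: int, threshold: int) -> str:
    """Above the threshold: treat (avoid, mitigate or transfer); otherwise accept.
    Assumption: the deck does not say how a rating exactly at the threshold is
    handled, so this example accepts it."""
    return "treat" if rating > threshold else "accept"


def slide_register() -> List[Scenario]:
    """The six laptop rows from the slide, transcribed as data."""
    lap = "Laptop"
    return [
        Scenario(lap, "Burglar steals laptop", "No encryption", "High", "High"),
        Scenario(lap, "Burglar steals laptop", "Weak passwords", "High", "High"),
        Scenario(lap, "Burglar steals laptop", "No tracking", "High", "High"),
        Scenario(lap, "Careless user drops", "No data backup", "Medium", "High"),
        Scenario(lap, "Shoulder surfer views", "No privacy screen", "Low", "Medium"),
        Scenario(lap, "Lightning strike", "No surge protection", "Low", "High"),
    ]


# Constructed applicability map (assumption, not from the deck): which
# vulnerabilities a given threat action can actually exploit. Enumerating the
# full asset x threat x vulnerability product and then keeping only the pairs
# in a map like this is the "reasonably anticipated combinations" step.
APPLICABLE: Dict[str, Tuple[str, ...]] = {
    "Burglar steals laptop": ("No encryption", "Weak passwords", "No tracking"),
    "Careless user drops": ("No data backup",),
    "Shoulder surfer views": ("No privacy screen",),
    "Lightning strike": ("No surge protection",),
}


def candidate_scenarios(assets: Iterable[str], threats: Iterable[str],
                        vulns: Iterable[str]) -> Tuple[int, List[Tuple[str, str, str]]]:
    """Return (size of the unfiltered product, the reasonably anticipated triples)."""
    triples = list(product(assets, threats, vulns))
    kept = [(a, t, v) for a, t, v in triples if v in APPLICABLE.get(t, ())]
    return len(triples), kept


def action_plan(register: Iterable[Scenario], threshold: int) -> List[Scenario]:
    """Scenarios that must be treated, highest rating first (ties keep register order)."""
    treat = [s for s in register if response_for(s.rating, threshold) == "treat"]
    return sorted(treat, key=lambda s: s.rating, reverse=True)


def apply_control(s: Scenario, *, likelihood: Optional[str] = None,
                  impact: Optional[str] = None) -> Scenario:
    """Residual-risk view after a planned control changes likelihood and/or impact.
    Example: full-disk encryption does not stop the theft (likelihood unchanged)
    but drops the impact of disclosure to Low."""
    return replace(s, likelihood=likelihood or s.likelihood, impact=impact or s.impact)


if __name__ == "__main__":
    THRESHOLD = 10  # the slide's example threshold
    reg = slide_register()
    for s in reg:
        print(f"{s.rating:>3}  {response_for(s.rating, THRESHOLD):<6}  {s.threat} / {s.vulnerability}")
    total, kept = candidate_scenarios(
        ["Laptop"], APPLICABLE.keys(),
        ["No encryption", "Weak passwords", "No tracking", "No data backup",
         "No privacy screen", "No surge protection"])
    print(f"{total} raw combinations, {len(kept)} reasonably anticipated")
    top = action_plan(reg, THRESHOLD)[0]
    residual = apply_control(top, impact="Low")  # constructed control: full-disk encryption
    print(f"residual for '{top.vulnerability}': {top.rating} -> {residual.rating}")
```

The point of keeping the applicability map separate from the register is auditability: the unfiltered product shows OCR that every combination was considered, and the map documents why the non-applicable ones were set aside, which is what the "not detailed enough" adverse finding turns on.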

Page 32

Really?

You Must Get Specific on Asset / Media, Threats and Vulnerabilities, etc.

Page 33

Review Point 8-A: Finalize Documentation

Above the threshold: Generally, Avoid, Mitigate or Transfer

Below the threshold: Generally, Accept

Page 34

Review Point 8-B: Finalize Documentation

Page 35

Review Point 8-C: Finalize Documentation

Page 36

Show your Ongoing Effort!

Review Point 9: Periodic Review and Updates

Page 37

Informed Risk Response Decisions

Accept: Risk is considered low, below our threshold

Avoid: Risk is above our threshold; the benefit is not worth the risk to the organization

Mitigate: Controls must be implemented to minimize the impact of this risk

Transfer/Share: Risk is necessary to the mission of the organization and must be transferred or shared (e.g., cyber insurance)

Page 38

IRM: Risk Action Plan

Page 39

5.3 On second thought, has your organization completed a bona fide Risk Analysis and have a Risk Management Program in place?

Pause and Quick Poll

Page 40

Discussion Flow

What does ‘OCR-Proof’ mean?

Risk Analysis and Risk Response

Risk Management

Page 41

Risk Management Fundamentals

• All Risks Must Be Managed
• Not All Risks Must Be Mitigated
• Risk Management Requires Setting Your Risk Appetite
• Risk Management Requires Real Risk Analysis
• Risk Management is Informed Decision Making – What’s New?

Page 42

OCR-Proof Risk Management

Risk Analysis: Threats, Vulnerabilities, Impact, Threshold

Risk Response: Accept, Mitigate, Avoid, Share/Transfer; Develop/Implement RM Plan

Risk Management: Implement Security Measures; Evaluate and Maintain Security Measures

Starts with an OCR-Proof Risk Analysis

Page 43

Develop and Implement the Risk Management Plan

Purpose: Provide structure for the covered entity’s evaluation, prioritization, and implementation of risk-reducing security measures

Prioritization:
• Which risks should be addressed immediately?
• Which security measures should be implemented?

Implementation:
• Document the risks being addressed
• Define the security measures selected to reduce the risks
• Set implementation project priorities, e.g., required resources, assigned responsibilities, start and completion dates, maintenance requirements

Project Management and Governance

Page 44

Implement, Evaluate and Maintain Security Measures (examples)

Security Measure: Identity & Access
  Technical Implementation: Password complexity
  Non-Technical Implementation: Password policies; password education
  Evaluate and Maintain: Monitor for password resets; update password education

Security Measure: Disaster Recovery
  Technical Implementation: Automated backups
  Non-Technical Implementation: Disaster recovery policies; disaster recovery plan
  Evaluate and Maintain: Test disaster recovery plan; after action report; update policies and DR plan

Security Measure: Network Security
  Technical Implementation: Next generation firewalls
  Non-Technical Implementation: Network security policies; configuration documentation
  Evaluate and Maintain: Review firewall logs; update configuration for new threats; update configuration documentation

Security Measure: Data Protection in Transit
  Technical Implementation: Encryption via SSL VPN
  Non-Technical Implementation: Encryption policies; SSL VPN education
  Evaluate and Maintain: Monitor logs for effective use of SSL VPN; continue education for users

Etc.

Page 45

Discussion Flow

What does ‘OCR-Proof’ mean?

Risk Analysis and Risk Response

Risk Management

BONUS: Final Thoughts

Page 46

Does this look like a controls checklist? It’s a systematic, ongoing process!

Regardless of the risk analysis methodology employed…
1. Scope of the Analysis
2. Data Collection
3. Identify and Document Potential Threats and Vulnerabilities
4. Assess Current Security Measures
5. Determine the Likelihood of Threat Occurrence
6. Determine the Potential Impact of Threat Occurrence
7. Determine the Level of Risk
8. Finalize Documentation
9. Periodic Review and Updates to the Risk Assessment
10. Meet Emerging OCR Standard of Care (added by Clearwater)

Review Plan OCR Risk Analysis Guidance

Page 47

Bottom Line

NOT About Someone Else’s Control ChecklistIt’s About Saving Your Assets and Doing No Harm!

Page 48

OCR-Quality Risk Analysis – Risk Management Review

The ten Risk Analysis Key Essential Criteria that are assessed are derived from:
1. the HIPAA Risk Analysis implementation specification language at 45 CFR §164.308(a)(1)(ii)(A) of the HIPAA Security Rule;
2. the methodology outlined in the HHS/OCR “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”;
3. the underlying NIST Special Publications for performing a risk assessment and, specifically, NIST SP 800-30 “Guide for Conducting Risk Assessments”;
4. the documentation found in OCR investigation letters and "OCR Resolution Agreements / Corrective Action Plans";
5. the "OCR Audit Protocol – Updated April 2016" specific to Risk Analysis and Risk Management;
6. our work with numerous organizations subjected to OCR enforcement actions that included reviews of organizations' risk analyses.

Page 49

Pause and Quick Poll

5.4 This webinar was valuable in increasing my understanding of conducting an OCR-Quality Risk Analysis and Risk Management.

Strongly Agree
Agree
Not Sure
Disagree
Strongly Disagree

Page 50

Module 5: Supplemental Resources
• Sample - HIPAA Security Risk Analysis FOR Report
• Guidance on Risk Analysis Requirements under the HIPAA Security Rule
• NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments
• NIST SP 800-39, Managing Information Security Risk
• NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• The Clearwater Definition of an Information Asset

Additional Resources
• NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
• NIST SP 800-34, Contingency Planning Guide for Federal Information Systems
• MU Stage 2 Hospital Core 7 Protect Electronic Health Info 2012-11-05
• NIST Risk Management Framework 2009

Page 51

Thank You & Questions

Cathie Brown, [email protected] or 434-665-0345

Alex Masten, [email protected] or (317) 679-2031

Page 52

Legal Disclaimer

Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

22018-1