Redspin Webinar - Prepare for a HIPAA Security Risk Analysis
DESCRIPTION
Learn how to prepare your organization for a HIPAA Risk Analysis. In this webinar, we'll cover a few easy pro-active steps that you can take to speed the process, improve the outcome and lower the potential mitigation costs of performing a HIPAA Security Risk Analysis and achieving the meaningful use core objectives around safeguarding electronic protected health information.
TRANSCRIPT
How to Prepare Your Organization for a HIPAA Security Risk Analysis
Presented by:
John Abraham
Founder & Chief Security Evangelist
Redspin
About Redspin
• Penetration Testing
– External Infrastructure
– Internal Infrastructure
– Web Applications
• IT Security Controls
– HIPAA
– FFIEC/GLBA
– PCI
– NERC
• Social Engineering
About The Speaker
John Abraham
Founder & Chief Security Evangelist
As Redspin's founder and Chief Security Evangelist, John is passionate about the importance of a structured information security program that enables management to focus IT resources on the most pressing security risk. John's belief is that addressing subtle issues within an organization's IT environment can yield significant business impact, so an ounce of prevention is the key operative behavior of successful risk management programs. John is one of Redspin's health IT security specialists, is a regular speaker on topics of security and healthcare ePHI risk management, and enjoys working with IT teams, compliance officers and executives on practical approaches to data security mitigation strategies.
Preparing Your Organization for a HIPAA Security Risk Analysis
What we’ll cover today:
What is it?
How does it fit into my security program?
What are the preparation steps?
How can I avoid pitfalls & maximize value?
Why now?
Meaningful use core objective (protecting ePHI)
HIPAA Compliance
Risk management
Part 1 - HIPAA Security Risk Analysis
1. What is it?
2. How does it fit into my security program?
3. What are the preparation steps?
4. How can I avoid pitfalls & maximize value?
HIPAA Security Rule § 164.308(a)(1)(ii)(A)
“Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”
What is a Risk Analysis? (Also called: Risk Assessment)
Assessment of risk
CIA: confidentiality, integrity and availability
ePHI: created, received, maintained, transmitted
How is it performed? - It’s an evaluation
1. Where is ePHI? What are the critical apps?
2. Threats
3. Vulnerabilities
4. Existing controls (effective?)
5. Determine risk (= probability * impact)
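A small risk register that walks the five steps above, as an added example (not Redspin's method and not anything the HHS guidance prescribes): each row records the asset holding ePHI, the threat, the vulnerability, the existing controls and whether each was verified to work, and the resulting score. The 1-5 likelihood and impact scales, the rule that only a verified-effective control lowers likelihood, the High/Medium/Low bands and the sample entries are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Control:
    """Step 4: an existing safeguard. 'effective' records whether it was
    verified to work, not merely that it is written into a policy."""
    name: str
    effective: bool


@dataclass
class RiskItem:
    """One row of the risk register: steps 1-4 feed step 5."""
    asset: str                 # step 1: where ePHI is / critical application
    threat: str                # step 2
    vulnerability: str         # step 3
    controls: List[Control]    # step 4
    likelihood: int            # 1 (rare) .. 5 (almost certain), before controls
    impact: int                # 1 (negligible) .. 5 (severe) to ePHI C/I/A


def residual_likelihood(item: RiskItem) -> int:
    """Assumed scoring rule: each control verified effective lowers the
    likelihood by one step, never below 1. Paper-only controls earn no credit."""
    credit = sum(1 for c in item.controls if c.effective)
    return max(1, item.likelihood - credit)


def risk_score(item: RiskItem) -> int:
    """Step 5: risk = probability * impact, using residual probability."""
    return residual_likelihood(item) * item.impact


def risk_band(score: int) -> str:
    """Assumed bands on the 1..25 scale; tune to the organization's appetite."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def prioritize(register: List[RiskItem]) -> List[RiskItem]:
    """Highest residual risk first; ties broken by impact so the item that
    hurts more if it happens is listed first."""
    return sorted(register, key=lambda r: (risk_score(r), r.impact), reverse=True)


def paper_only_controls(register: List[RiskItem]) -> List[str]:
    """Controls that exist but were not verified effective (existence != effective)."""
    return [f"{r.asset}: {c.name}"
            for r in register for c in r.controls if not c.effective]


# Constructed sample register (illustrative values, not a real inventory).
SAMPLE_REGISTER = [
    RiskItem("EHR database server", "External unauthorized access",
             "Operating system patches months behind",
             [Control("Patch management policy", effective=False),
              Control("Perimeter firewall", effective=True)],
             likelihood=4, impact=5),
    RiskItem("Clinician laptops", "Theft or loss of device",
             "No full-disk encryption",
             [], likelihood=3, impact=4),
    RiskItem("Off-site backup media", "Media lost in transit",
             "Tapes readable by anyone who holds them",
             [Control("Backup media encryption", effective=True),
              Control("Chain-of-custody log", effective=True)],
             likelihood=3, impact=4),
    RiskItem("Practice management application", "Insider browsing records",
             "Shared departmental logins",
             [Control("Application audit logging", effective=False)],
             likelihood=4, impact=3),
]


def report(register: List[RiskItem]) -> List[str]:
    """Prioritized, banded view of the register: the input to an IT action plan."""
    lines = []
    for r in prioritize(register):
        s = risk_score(r)
        lines.append(f"{risk_band(s):6} {s:2}  {r.asset} / {r.threat}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_REGISTER):
        print(line)
    print("Controls still needing verification:", paper_only_controls(SAMPLE_REGISTER))
```

The point of `paper_only_controls` is the later "existence does not equal effective" pitfall: a control that was never tested is carried in the register so it can be verified or fixed, but it does not reduce the score until it is.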
Flexibility on RA Approach
“Security Rule does not prescribe a specific risk analysis methodology”
“Methods will vary dependent on the size, complexity, and capabilities of the organization”
“There are numerous methods of performing risk analysis”
“There is no single method or 'best practice' that guarantees compliance with the Security Rule”
Guidance on Risk Analysis Requirements under the HIPAA Security Rule, July 14, 2010
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
Goals and Objectives
Identify (and prioritize) risk
Ensure controls are working
Recommend improvements
Foundation for robust security program
Achieve compliance
- HIPAA Security Rule & Meaningful Use
Expected Outcomes
IT transparency
Executive understanding of current state of security
Prioritized view of risk
Provide data needed to create IT action plan
Part 2 - HIPAA Security Risk Analysis
1. What is it?
2. How does it fit into my security program?
3. What are the preparation steps?
4. How can I avoid pitfalls & maximize value?
Source: ISO 27001, NIST SP 800-39, PCI DSS, FFIEC, COBIT, HIPAA - Administrative Safeguards (§164.308), ...
Risk Analysis
“Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.”
“A risk analysis is foundational”
“The Security Rule requires entities to evaluate risks and vulnerabilities... and to implement reasonable and appropriate security measures... Risk analysis is the first step in that process.”
Guidance on Risk Analysis Requirements under the HIPAA Security Rule, July 14, 2010
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
Part 3 - HIPAA Security Risk Analysis
1. What is it?
2. How does it fit into my security program?
3. What are the preparation steps?
4. How can I avoid pitfalls & maximize value?
Organizational Resources
Time
• Vendor selection (2-8 weeks)
• Risk Analysis timeline (1-4 weeks)
People
• Vendor selection (IT, compliance, executive)
• During RA (1 liaison)
Budget
• Varies depending on size/complexity
What about cost?
Variables
– Depends on complexity, satellite locations, …
– Web application and network penetration testing
– Social engineering
– Business associate risk
What is needed for a proposal?
What is the size & complexity of the IT environment?
Key criteria...
RFP Template
What is needed for analysis?
Liaison
ePHI inventory
Critical business associates
ISO – person responsible for security
Security policy
Documentation (whatever is available)
- Network diagrams, audit results, system docs
Part 4 - HIPAA Security Risk Analysis
1. What is it?
2. How does it fit into my security program?
3. What are the preparation steps?
4. How can I avoid pitfalls & maximize value?
Pitfall 1: Waiting for network to stabilize
It Never Does!
Pitfall 2: Assuming control addresses risk
Existence does not equal Effective
Pitfall 3: Thinking compliance is security
Compliance does not equal Security
Pitfall 4: Waiting until you implement ____
It may not be a high priority
Pitfall 5: Using a check-box approach to RA
False positives make you look bad
Creates focus on less important issues, while missing critical risk
Expensive mitigation
Lack of context
HIPAA Security Rule
Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
HIPAA Security Rule
In deciding which security measures to use, a covered entity must take into account the following factors:
– (i) The size, complexity, and capabilities of the covered entity.
– (ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
– (iii) The costs of security measures.
– (iv) The probability and criticality of potential risks to electronic protected health information.
Summary - HIPAA Security Risk Analysis
What is it?
How does it fit into my security program?
What are the preparation steps?
How can I avoid pitfalls & maximize value?