© Clearwater Compliance LLC | All Rights Reserved

Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]

Copyright Notice… · 11-12-2014 · © Clearwater Compliance LLC | All Rights Reserved. Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US, 615-656-4299 or 800-704-3394, bob.chaput@ClearwaterCompliance.com



Legal DisclaimerLegal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.


Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US
615-656-4299 or 800-704-3394
bob.chaput@ClearwaterCompliance.com
Clearwater Compliance LLC

Information Risk Management Essentials

DECEMBER 11, 2014


Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US

• CEO & Founder – Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates, Financial Services, Retail, Legal
• Member: ACAP, AEHIS, CAHP, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA, HCAA, ACHE, AHIMA, NTC, ACP, SIM, Chambers, Boards

http://www.linkedin.com/in/BobChaput


Clearwater Information Risk Management Life Cycle (adapted from NIST SP 800-39)

Life-cycle phases: Frame → Assess → Respond → Monitor

Today's Topics (the activities that sit on that cycle): Privacy Assessment, Security Assessment, ePHI Discovery, Risk Analysis, Risk Response, Remediation, Risk Strategy / Governance, Auditing / Technical Testing, Workforce Training


Our Passion

…we're helping organizations provide better care by safeguarding the very personal and intimate healthcare information of millions of fellow Americans…

…and keeping those same organizations off the “Wall of Shame” (the HHS OCR breach portal)!


Some Ground Rules
1. Slide materials will be provided
2. Questions go in the “Question Area” on the GoToWebinar Control Panel
3. In case of technical issues, check the “Chat Area”
4. All Attendees are in Listen Only Mode
5. Please complete the Exit Survey when you leave the session
6. Recorded version and final slides within 48 hours


Poll #1 – How many Clearwater webinars have you attended?


Poll #2 – What type of organization?


How This Webinar Fits In
• Information Risk Management Essentials (you are here! – survey course)
• How to Conduct Bona Fide Security Risk Analysis (deeper dive)
• How to Conduct Bona Fide Security Risk Management (deeper dive)

Register For Upcoming Live Webinars at:
http://clearwatercompliance.com/live-educational-webinars/


First, My Lessons Learned
1. Too many Boards of Directors and C-Suites are not educated and, therefore, far too disengaged from information risk management
2. Too few organizations are working to complete bona fide risk management AND “mature” their information risk management processes
3. Too many people are trying to “check-list” their way to security with “Top Challenges Facing CISOs…”-type lists
4. Security professionals are not necessarily information risk analysts or risk managers
5. Too few people understand risk, not to mention information risk analysis and risk management
6. It's a patient safety / quality of care / information risk issue … not a “HIPAA compliance” issue

WE MUST CHANGE THE CONVERSATION!


“First, do no harm.”
– Hippocrates, 4th century B.C.E.

First Healthcare Risk Manager


Types of Risk… Think: what can cause loss or harm to stakeholders?
1. Legal
2. Regulatory Compliance
3. Financial
4. Operational
5. Strategic
6. Reputational
7. Clinical
8. Others?
9. Information


Key Objectives / Points
1. Healthcare is the Next Cyber Security Battleground
2. The Case for Action is Compelling – Much to Lose and Lots of Potential Harm
3. You Cannot Check-List Your Way to Information Risk Management Success
4. Organizations Must Establish, Operationalize and Mature an Information Risk Management Program


Key Objectives / Points
1. Healthcare is the Next Cyber Security Battleground
2. Case for Action is Compelling – Much to Lose and Lots of Potential Harm
3. You Cannot Check-List Your Way to Information Risk Management Success
4. Must Establish, Operationalize and Mature an Information Risk Management Program
5. Resources


Big Recent Events
• October 2013 – 38 million customer accounts improperly accessed | Adobe Systems
• December 2013 – unauthorized access to payment card data of approximately 40 million Target customers and the personal data of up to 70 million | Target Corporation
• January 2014 – 4.6 million user names and phone numbers accessed in cyber-attack | Snapchat
• March 2014 – compromised by Chinese hackers targeting the information of tens to hundreds of thousands of employees | U.S. government personnel network
• June 2014 – the New York Times reported how cybercriminals are getting better at circumventing firewalls and antivirus programs, and more of them are resorting to ransomware, which encrypts computer data and holds it hostage until a fee is paid
• August 2014 – 4.5 million patients' personal information was disclosed in alleged Chinese hacker attack | Community Health Systems
• August 2014 – “significant and egregious” data breach | JP Morgan
• September 2014 – “no evidence that debit card PINs were compromised” | Home Depot


Recent FBI Healthcare Alerts: April / August 2014

“Because the healthcare industry is not as resilient to cyber intrusions [as] the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.”

“…observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII).”

Healthcare is the Next Cyber Security Battleground


The Risk Problem We're Trying to Solve

Information at stake: my PHI / ePHI – and, more generally, PHI, PII, credit card data and intellectual property.

• What if my Protected Health Information is not complete, up-to-date and accurate? (Integrity)
• What if my Protected Health Information is shared? With whom? How? (Confidentiality)
• What if my Protected Health Information is not there when it is needed? (Availability)

Don't Compromise C-I-A!



The Target Case – Ouch!


Accretive Health – Ouch!

July 2011 – An Accretive employee's laptop computer, containing 20 million pieces of information on 23,000 patients, was stolen from the passenger compartment of the employee's car.

What followed:
• 1/19/2012 – Minnesota Attorney General suit
• 7/31/2012 – $2.5M Minnesota Attorney General settlement
• 4/2/2013 – CEO replaced
• 4/13/2013 – COO replaced
• 6/13/2013 – Class action suit
• 8/26/2013 – CFO replaced
• 9/27/2013 – $14M class settlement
• 12/31/2013 – FTC settlement
• 01/2014 – 170 job cuts
• 03/14/2014 – De-listed from the NYSE


Community Health Systems – ?

August 2014 – Community Health Systems filed a Form 8-K with the U.S. Securities and Exchange Commission in which it “confirmed that its computer network was the target of an external, criminal cyber-attack that the Company believes occurred in April and June, 2014”. An estimated 4.5 million patients' personal information was disclosed. (Source: Community Health Systems SEC 8-K.)

Consequences: ?


What About Our Patients?
• Street cost for a stolen record [1]: Medical: $50 vs. SSN: $1
• Payout for identity theft [1]: Medical: $20,000 vs. Regular: $2,000
• Medical records can be exploited 4x longer [1]
• Credit cards can be cancelled; medical records cannot
• Medical records stolen: no chance of a clean start [2]
• STD? Abortion? Sex change? Slow-growing tumor? High BMI?

Medical record abuse consequences: Prescription Fraud, Embarrassment, Financial Fraud, Personal Data Resale, Blackmail / Extortion, Medical Claims Fraud, Job loss / reputational

[1] RSA Report on Cybercrime and the Healthcare Industry
[2] Fourth Annual Benchmark Study on Patient Privacy and Data Security by the Ponemon Institute


What About Our Patients? Case study #1: Linda Weaver
• Surprised to find a bill for the amputation of her right foot
• Soon discovered that it wasn't just a mix-up
• Stolen identity and insurance information had been used to get surgery
• Stuck with the bill – and with a medical record full of incorrect, potentially dangerous information
• Two years after her false amputation, Weaver suffered a real heart attack
• When she woke up in a hospital room, a nurse asked her what she takes for diabetes – which she doesn't have

Presentation Notes (sources):
http://www.abajournal.com/mobile/article/federal_medical-privacy_law_frustrates_id_theft_victims
http://www.dumblittleman.com/2013/10/3-identity-theft-horror-stories-that.html

What About Our Patients? Case study #2: Anndorie Sachs
• Received a call from the Salt Lake City DCFS wanting answers
• Someone using Sachs' name had given birth to a premature baby girl; the baby tested positive for meth
• The real mother (Dorthy Bell Moran) fled the hospital, leaving the infant and a $10,000 bill behind
• Moran had stolen Sachs' driver's license from her car two months before
• DCFS prepared to declare Sachs an unfit mother and put her four kids into state custody
• Sachs' real 7-year-old daughter was also pulled out of school by DCFS agents and subjected to questioning
• Sachs' medical record was changed, including her blood type and other information
• Sachs can't even view her own medical records: the identity thief has her own rights to medical privacy!!

Presentation Notes (sources):
http://www.abajournal.com/mobile/article/federal_medical-privacy_law_frustrates_id_theft_victims
http://www.dumblittleman.com/2013/10/3-identity-theft-horror-stories-that.html

Healthcare – Why Bother?

Big Surprise!


Must Do!
• “We continue to see a lack of comprehensive and enterprise-wide risk analysis and risk management that leads to major breaches and other compliance problems.”
• “That is why enforcement is a critical part of our arsenal of tools to ensure compliance.”
• “These enforcements send out an important message about compliance issues and the need for covered entities and business associates to take their obligations seriously.”
• “When the OCR investigates a breach, we not only look at what was done to correct and remedy a breach but what led to the incident to determine if noncompliance played a part. Comprehensive enterprise risk analysis followed by ... timely risk management practices is the cornerstone of any good compliance program.”

– Jocelyn Samuels, Director, HHS Office for Civil Rights, OCR/NIST Conference | September 23, 2014


Risk Management Requirements

Industry | Guidance or Requirement? | Citation / Documents | NIST SPs Meet Guidance or Requirement?
Healthcare | Requirement | 45 CFR §164.308(a)(1)(ii)(A) and (B); “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”; NIST SPs | YES
Retail | Requirement | PCI DSS Requirements and Security Assessment Procedures Version 3.0; PCI DSS Information Supplement: PCI DSS Risk Assessment Guidelines | YES
Financial Services | Requirement | Section 501(b) of GLBA; Safeguards Rule at 16 C.F.R. § 314; 12 C.F.R. Part 570, Appendix A: Interagency Guidelines Establishing Standards for Safety and Soundness | YES
Federal Agencies | Requirement | 44 USC 3544(b)(1) – Federal Information Security Management Act of 2002 | YES
Education | Guidance | Family Educational Rights and Privacy Act (FERPA); FERPA contains non-binding recommendations to safeguard education records that include conducting a risk assessment | YES
Public Companies (SOX) | Requirement | Section 404 of the Sarbanes-Oxley Act of 2002; financial risk assessment known as the SOX 404 top-down risk assessment (TDRA) | Under Review


Recent Headlines Checklist!
• Social Media and Compliance: Overview for Regulated Organizations
• Lawmakers press HHS on HIPAA clarity for mobile app developers
• Email Encryption, the HITECH Act, and Preventing Data Breaches
• Network Security: Step Out of the Bull's-Eye
• Next Generation Network Security Architecture for Healthcare
• Malware: Examining the Home Depot Breach
• Mobile Malware: Securing Enterprise Data
• Securing Identities for Enterprise Users, Devices and Applications
• HIPAA Audits: Documentation Is Critical
• Data Security for Mobile Users: One Size Does Not Fit All
• Securing Distributed Healthcare Networks for PCI DSS 3.0 and HIPAA Compliance
• Your Data Under Siege: Defeating the Enemy of Complexity


Information Risk Depends on Impact

Information at stake: PHI, PII, credit card data, intellectual property.

• What if my (Protected Health) Information is not complete, up-to-date and accurate? (Integrity)
• What if my (Protected Health) Information is shared? With whom? How? (Confidentiality)
• What if my (Protected Health) Information is not there when it is needed? (Availability)

IMPACT = the HARM or LOSS that can occur from a compromise of C or I or A!


To Solve the Problem
1. What is the exposure of our information assets (e.g., ePHI)? (risk analysis)
2. What decisions do we need to make to treat or manage those risks? (risk management)

Both are required by the HIPAA Security Rule.


Determine Level of Risk (Risk Level = Likelihood × Impact, each rated Low 1 / Medium 3 / High 5)

Asset  | Threat Source / Action | Vulnerability       | Likelihood | Impact     | Risk Level
Laptop | Burglar steals laptop  | No encryption       | High (5)   | High (5)   | 25
Laptop | Burglar steals laptop  | Weak passwords      | High (5)   | High (5)   | 25
Laptop | Burglar steals laptop  | No tracking         | High (5)   | High (5)   | 25
Laptop | Shoulder surfer views  | No privacy screen   | Low (1)    | Medium (3) | 3
Laptop | Careless user drops    | No data backup      | Medium (3) | High (5)   | 15
Laptop | Lightning strike       | No surge protection | Low (1)    | High (5)   | 5


Realize It's a Journey, Not a Destination

Risk = f( [Asset × Threat × Vulnerability]_Controls × [Likelihood × Impact] )

NOTE: The equation above is shown for illustrative purposes only; there is no simple, closed-form equation for risk.

Critical Point: Since all these variables change, risk analysis and risk management must become an ongoing, mature business process.


Poll #3 – Has your organization completed the HIPAA Security Risk Analysis and Risk Management required at 45 CFR 164.308(a)(1) at least once?


No Rain, No Rainbow!
• No Asset → No Risk
• No Threat → No Risk
• No Vulnerability → No Risk
• Think “Triples”


Risk Analysis Fundamentals
• Must have an asset-threat-vulnerability triple to have risk
• Risk is a likelihood issue
• Risk is an impact issue
• Risk is a derived value (like speed is a derived value = distance / time)
• The fundamental nature of risk is universal: nothing special about information risk


Decide Response or Treatment


Risk Management Fundamentals
• All Risks Must Be Managed or Treated
• Not All Risks Must Be Mitigated
• Risk Management Requires Setting Your Risk Appetite
• Risk Management Requires Real Risk Analysis
• Risk Management is Informed Decision Making – What's New?
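The risk-analysis and risk-management slides above (asset-threat-vulnerability triples, the Likelihood × Impact risk levels in the “Determine Level of Risk” table, and the rule that every risk gets a treatment decision but only those above the risk appetite need mitigation) can be made concrete in code. The following is an added example written for this page, not Clearwater's tooling and not part of the original deck: a small risk register in Python that scores the six laptop triples from the table, ranks them, decides a treatment against an assumed risk appetite of 9, and re-scores the register after controls are applied, which is the “ongoing process” point of the journey slide. The appetite value and the effect attributed to each control are assumptions chosen for illustration.

```python
"""Risk register worked example: Likelihood x Impact scoring, ranking and
treatment decisions for asset-threat-vulnerability triples.

Added example for this page; not Clearwater's tooling. Ratings follow the
deck's ordinal scale (Low 1, Medium 3, High 5), so Risk Level ranges 1..25.
The risk appetite threshold and the effect attributed to each control are
assumptions chosen for illustration.
"""
from dataclasses import dataclass, replace

RATING = {"Low": 1, "Medium": 3, "High": 5}


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str           # threat source / action
    vulnerability: str
    likelihood: str       # "Low" | "Medium" | "High"
    impact: str           # "Low" | "Medium" | "High"
    controls: tuple = ()  # controls applied so far (none at first analysis)

    @property
    def risk_level(self) -> int:
        """The deck's derived value: Likelihood x Impact on the 1/3/5 scale."""
        return RATING[self.likelihood] * RATING[self.impact]


# Sample register: the six laptop triples from the "Determine Level of Risk" table.
REGISTER = [
    RiskItem("Laptop", "Burglar steals laptop", "No encryption", "High", "High"),
    RiskItem("Laptop", "Burglar steals laptop", "Weak passwords", "High", "High"),
    RiskItem("Laptop", "Burglar steals laptop", "No tracking", "High", "High"),
    RiskItem("Laptop", "Shoulder surfer views", "No privacy screen", "Low", "Medium"),
    RiskItem("Laptop", "Careless user drops", "No data backup", "Medium", "High"),
    RiskItem("Laptop", "Lightning strike", "No surge protection", "Low", "High"),
]

# Assumed risk appetite: anything scoring above this must be mitigated.
RISK_APPETITE = 9


def rank(register):
    """Highest risk first; ties keep register order (sorted is stable)."""
    return sorted(register, key=lambda r: r.risk_level, reverse=True)


def decide_treatment(item, appetite=RISK_APPETITE):
    """Every risk gets a decision; only those above appetite need mitigation."""
    return "mitigate" if item.risk_level > appetite else "accept"


def treatment_plan(register, appetite=RISK_APPETITE):
    """(vulnerability, risk level, decision) for each triple, highest risk first."""
    return [(r.vulnerability, r.risk_level, decide_treatment(r, appetite))
            for r in rank(register)]


def apply_control(item, control, likelihood=None, impact=None):
    """Residual risk after a control. Which rating the control lowers (and by
    how much) is an analyst judgment; the values passed here are assumptions."""
    return replace(item,
                   likelihood=likelihood or item.likelihood,
                   impact=impact or item.impact,
                   controls=item.controls + (control,))


def reassess(register, mitigations):
    """One turn of the ongoing cycle: apply the chosen controls, then re-score.
    mitigations maps vulnerability -> (control name, new likelihood, new impact);
    None leaves a rating unchanged."""
    updated = []
    for item in register:
        if item.vulnerability in mitigations:
            control, lik, imp = mitigations[item.vulnerability]
            item = apply_control(item, control, lik, imp)
        updated.append(item)
    return updated


if __name__ == "__main__":
    for vuln, level, decision in treatment_plan(REGISTER):
        print(f"{level:>2}  {decision:<8}  {vuln}")
    # Assumed control effects for the next cycle (illustrative values).
    after = reassess(REGISTER, {
        "No encryption": ("Full-disk encryption", None, "Low"),
        "No data backup": ("Nightly backup", None, "Medium"),
    })
    print("--- after controls ---")
    for vuln, level, decision in treatment_plan(after):
        print(f"{level:>2}  {decision:<8}  {vuln}")
```

Two things the table alone does not show: the three burglary triples stay distinct entries even though they score identically, because each vulnerability needs its own control decision; and after the first cycle the encryption triple drops from 25 to 5 and is accepted, while the two untreated burglary triples are still at 25, which is exactly why the analysis has to be re-run rather than filed.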


Risk Management and Baseball
• A professional baseball team is more “mature” than a Little League team
• A professional team has self-perpetuating quality. They
  – Have coaching / oversight in place
  – Make good plays
  – Develop new players like themselves
  – Find ways to make better plays
  – Practice to ensure consistency
  – Use latest “technology”

Presentation Notes: Is Little League good enough? How good does your team have to play? How mature does your risk management process need to be?

Risk Management Maturity: Attributes of a Mature Process or Practice Area

Little League ←→ Major League: Where does your organization need to be?

• Governed
• Measurable
• Controlled
• CPI-based (continuous process improvement)
• Standards-based
• Proactive
• Adaptable
• Consistent
• Predictable
• Automated


What is the Information Risk Management Capability Advancement Model (IRMCAM™)?
• Just like baseball teams, mature risk-aware organizations are different from immature ones
• IRMCAM™ strives to capture and describe these differences
• IRMCAM™ strives to create organizations that are “mature”, or more mature than before applying IRMCAM™
• Describes six levels of Information Risk Management process maturity
• Includes lots of detail about each level – we will look at some of it

Not One Size Fits All


IRMCAM Index (IRMCAMi™) and Levels

Key Information Risk Management Practice Areas:
1. Governance, Awareness of Benefits and Value
2. People, Skills, Knowledge & Culture
3. Process, Discipline & Repeatability
4. Standards, Technology Tools / Scalability
5. Engagement, Delivery & Operations

Maturity levels, as measured by the extent of adoption, implementation and / or achievement:
Incomplete - 0
Performed - 1
Managed - 2
Established - 3
Predictable - 4
Mature - 5

Presentation Notes – six-point rating scale:
0 Not adopted or implemented or achieved
1 Minimally adopted or implemented or achieved
2 Partially adopted or implemented or achieved
3 Largely adopted or implemented or achieved
4 Almost fully adopted or implemented or achieved
5 Fully adopted or implemented or achieved

RISK MANAGEMENT IMPLEMENTATION MATURITY

Levels: Incomplete-0, Performed-1, Managed-2, Established-3, Predictable-4, Mature-5

Key Risk Management Practice Areas, with the indicator for each level:

Governance, Awareness of Benefits and Value
0 - Unsure of benefits; no executive focus
1 - Aware of risk, but not clear on benefits
2 - Aware of some benefits
3 - Aware of most benefits; value realized
4 - Aware of benefits and deployed across the organization
5 - Embedded in decision making, CPI

People, Skills, Knowledge & Culture
0 - Little knowledge
1 - Some risk skills training in parts of organization
2 - Good understanding across parts of organization
3 - Knowledge across most of organization
4 - Sound knowledge of discipline and value
5 - High degree of knowledge; refinement

Process, Discipline, & Repeatability
0 - No PnPs, formal practices
1 - Some execution, no records or docs.
2 - Some PnPs, docs; not consistently followed
3 - Formal PnPs and doc, widely followed
4 - Robust, widely adopted PnPs
5 - Formal, continuous process improvement

Use of Standards, Technology Tools / Scalability
0 - Not Using
1 - Aware but Not Formalized Use
2 - Using selectively
3 - Using, repeatable results
4 - Sound understanding, consistent use of tools
5 - Regular use, outcomes consistent

Engagement, Delivery & Operations
0 - None
1 - Some (ad hoc), Insufficient resources
2 - Have framework & active when time permits
3 - Becoming a Formal program
4 - Formal program
5 - Incorporated into business planning and strategic thinking

Presentation Notes:
Implementation Dimension: Immature RM Process; Performed RM Process; Managed RM Process; Established RM Process; Predictable RM Process; Optimizing RM Process
Practice Dimension: Risk Management Governance; Risk Management People and Culture; Risk Management Process and Repeatability; Risk Management Technology and Scalability; Risk Management Engagement, Delivery & Operations
Page 46

Poll #4 – What would you estimate your organization's Information Risk Management Maturity level to be?

Incomplete - 0
Performed - 1
Managed - 2
Established - 3
Predictable - 4
Mature - 5

As measured by the extent of adoption, implementation and / or achievement…

Page 47

Key Objectives / Points
1. Healthcare is the Next Cyber Security Battleground
2. Case for Action is Compelling – Much to Lose and Lots of Potential Harm
3. You Cannot Check-List Your Way to Information Risk Management Success
4. Must Establish, Operationalize and Mature an Information Risk Management Program
5. Resources

Page 48

What is Your Vision for Privacy, Security and Information Risk Management?

Necessary Evil

Operational Baseline

Competitive Advantage

Marketing, Customer Service & Patient Safety Strategy

Regulatory Compliance Project

Patient/Member Privacy & Security Program


Page 50

Download Whitepaper

Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
http://clearwatercompliance.com/hipaa-risk-analysis-essentials-lp/

Page 51

Latest White Paper

Industry Advisors
• David Finn | Health IT Officer | Symantec
• Meredith Phillips | Chief Information Privacy & Security Officer | HFHS
• Eric Bergen | Independent Consultant
• Sam Homer, Ph.D. | Healthcare Technology Strategist | HCSC
• Kathy Jobes | CISO | Sentara Healthcare
• Ed Schreibman | Vice President of Healthcare Compliance | Expert Global Solutions, Inc.
• Ian Johansson | Corporate Compliance Officer | Aloha Care
• Deborah Schlesinger | Director Corporate Risk Management | SCAN Health Plan
• Adam Greene, JD | Attorney | Davis, Wright and Tremaine
• Matt Hanis | Vice President | Lockton
• Scott Blanchette | CIO | Kindred Healthcare
• Kyle Duke | CIO | TN Division of Health Care Finance & Administration
• Chris Dansie, Ph.D. | Assistant Professor | University of Utah

http://clearwatercompliance.com/thought-leadership/irmcam/

Page 52

Supplemental Reading
• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments
• NIST SP800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39 (final), Managing Information Security Risk
• NIST SP800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP800-53A, Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
• NIST SP800-115, Technical Guide to Information Security Testing and Assessment
• MU Stage 2 Hospital Core 7 Protect Electronic Health Info 2012-11-05
• CMS MU Stage1 vs Stage2 Comparison Tables for Hospitals
• CMS Security Risk Assessment Fact Sheet (Updated 20131122)
• NIST Risk Management Framework 2009

Remember! Security Rule is Based on NIST!

Page 54

Get more info…

Register For Upcoming Live HIPAA-HITECH Webinars at:
http://clearwatercompliance.com/live-educational-webinars/

View pre-recorded Webinars like this one at:
http://clearwatercompliance.com/on-demand-webinars/

Page 55

Clearwater Information Risk Management BootCamp™ Events

2015 Plans – Virtual, Web-Based Events (3, 3-hr sessions):
• February 5-12-19, 2015
• May 7-14-21, 2015
• August 6-13-20, 2015

2015 Plans – Live, In-Person Events (9-hours):
• January 22 – Dallas
• April 23 – Orlando
• April 30 – New Orleans
• July 16 – Denver
• October 29 – Washington, DC

http://ClearwaterCompliance.com/bootcamps/

Take Your HIPAA Privacy and Security Program to a Better Place, Faster … Earn CPE Credits!

Page 56

Clearwater Designated (ISC)2 Official Training Partner

Upcoming Clearwater Courses
• February 9 – 11, 2014 – Miami, FL
• April 6 – 8 – Nashville, TN
• June 1 – 3 – Nashville, TN
• August 10 – 12 – Nashville, TN
• October 5 – 7 – Miami, FL

Page 57

Key Points to Remember
1. Healthcare is the Next Cyber Security Battleground
2. Case for Action is Compelling – Much to Lose and Lots of Potential Harm
3. You Cannot Check-List Your Way to Information Risk Management Success
4. Must Establish, Operationalize and Mature an Information Risk Management Program
5. Take advantage of Resources Provided

Business Risk Management Issue NOT an “IT Problem”

Page 58

Contact

Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US
Clearwater Compliance LLC
http://[email protected]
Phone: 800-704-3394 or 615-656-4299

Exit Survey, Please