© Clearwater Compliance LLC | All Rights Reserved
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
For reprint permission and information, please direct your inquiry to [email protected]
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US
615-656-4299 or 800-704-3394
[email protected] Compliance LLC
Information Risk Management Essentials
DECEMBER 11, 2014

Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US
• CEO & Founder – Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates, Financial Services, Retail, Legal
• Member: ACAP, AEHIS, CAHP, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA, HCAA, ACHE, AHIMA, NTC, ACP, SIM Chambers, Boards
http://www.linkedin.com/in/BobChaput

Clearwater Information Risk Management Life Cycle (adopted from NIST SP800-39)
[Figure: life-cycle diagram with four phases: Frame, Assess, Respond, Monitor. Activities labelled on the diagram: Risk Strategy, Governance, ePHI Discovery, Privacy Assessment, Security Assessment, Risk Analysis, Risk Response, Remediation, Auditing, Technical Testing, Workforce Training. A "Today’s Topics" callout marks part of the diagram.]

Our Passion
…we’re helping organizations provide better care by safeguarding the very personal and intimate healthcare information of millions of fellow Americans…
… And, keeping those same organizations off the Wall of Shame…!

Some Ground Rules
1. Slide materials… will be provided
2. Questions in “Question Area” on GTW Control Panel
3. In case of technical issues, check “Chat Area”
4. All Attendees are in Listen Only Mode
5. Please complete Exit Survey, when you leave session
6. Recorded version and final slides within 48 hours

Poll #1 – How many Clearwater webinars have you attended?
Poll #2 – What type of organization?

How This Webinar Fits In
• Information Risk Management Essentials (you are here! – survey course)
• How to Conduct Bona Fide Security Risk Analysis (deeper dive)
• How to Conduct Bona Fide Security Risk Management (deeper dive)
Register For Upcoming Live Webinars at:
http://clearwatercompliance.com/live-educational-webinars/

First, My Lessons Learned
1. Too many BOD / C-Suites are not educated and, therefore, far too disengaged from information risk management
2. Too few organizations are working to complete bona fide risk management AND “mature” their information risk management processes
3. Too many people trying to “check-list” their way to security with “Top Challenges Facing CISOs…”-type lists
4. Security professionals are not necessarily information risk analysts or risk managers
5. Too few people understand risk, not to mention information risk analysis and risk management
6. It’s a patient safety/quality of care/information risk issue … not a “HIPAA compliance” issue
WE MUST CHANGE THE CONVERSATION!

“First, Do No Harm.”
- Hippocrates, 4th Century, B.C.E.
First Healthcare Risk Manager

Types of Risk…
Think – what can cause loss or harm to stakeholders?
1. Legal
2. Regulatory Compliance
3. Financial
4. Operational
5. Strategic
6. Reputational
7. Clinical
8. Others?
9. Information

Key Objectives / Points
1. Healthcare is the Next Cyber Security Battleground
2. The Case for Action is Compelling – Much to Lose and Lots of Potential Harm
3. You Cannot Check-List Your Way to Information Risk Management Success
4. Organizations Must Establish, Operationalize and Mature an Information Risk Management Program

Key Objectives / Points
1. Healthcare is the Next Cyber Security Battleground
2. Case for Action is Compelling – Much to Lose and Lots of Potential Harm
3. You Cannot Check-List Your Way to Information Risk Management Success
4. Must Establish, Operationalize and Mature an Information Risk Management Program
5. Resources

Big Recent Events
• October 2013 - 38 million customers’ data improperly accessed | Adobe Systems
• December 2013 - unauthorized access of payment card data of approximately 40 million Target customers and the personal data of up to 70 million | Target Corporation
• January 2014 - 4.6 million user names and phone numbers accessed in cyber-attack | Snapchat
• March 2014 - compromised by Chinese hackers targeting the information of 10s of 100s of thousands of employees | the U.S. Gov Personnel Network
• June 2014 - the New York Times reported how cybercriminals are getting better at circumventing firewalls and antivirus programs, and more of them are resorting to ransomware, which encrypts computer data and holds it hostage until a fee is paid
• August 2014 - 4.5 million patients’ personal information was disclosed in alleged Chinese hacker attack | Community Health Systems
• August 2014 - “significant and egregious” data breach | JP Morgan
• September 2014 – “no evidence that debit card PINs were compromised” | Home Depot

Recent FBI Healthcare Alerts: April / August 2014
“Because the healthcare industry is not as “resilient to cyber intrusions [as] the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely”
“…observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII).”
Healthcare is the Next Cyber Security Battleground

The Risk Problem We’re Trying to Solve
My PHI / ePHI (PHI, PII, Credit Card, Intel. Prop.)
• What if my Protected Health Information is not complete, up-to-date and accurate?
• What if my Protected Health Information is shared? With whom? How?
• What if my Protected Health Information is not there when it is needed? (AVAILABILITY)
Don’t Compromise C-I-A!

The Target Case – Ouch!

Accretive Healthcare – Ouch!
July 2011 - Accretive employee’s laptop computer, containing 20 million pieces of information on 23,000 patients, was stolen from the passenger compartment of the employee’s car
• 1/19/2012 - MN SAG Suit
• 7/31/2012 - $2.5M MN SAG Settlement
• 4/2/2013 - CEO Replaced
• 4/13/2013 - COO Replaced
• 6/13/2013 - Class Action Suit
• 8/26/2013 - CFO Replaced
• 9/27/2013 - $14M Class Settlement
• 12/31/2013 - FTC Settlement
• 01/2014 - 170 Job Cuts
• 03/14/2014 - De-Listed NYSE

Community Health Systems – ?
August 2014 - Community Health Systems filed an SEC 8-K to the U.S. Securities and Exchange Commission in which it “confirmed that its computer network was the target of an external, criminal cyber-attack that the Company believes occurred in April and June, 2014”. An estimated 4.5 million patients’ personal information was disclosed.
Community Health Systems SEC 8-K

What About Our Patients?
• Street cost for a stolen record¹
– Medical: $50 vs SSN: $1
• Payout for identity theft¹
– Medical: $20,000 vs Regular: $2,000
• Medical records can be exploited 4x longer¹
– Credit cards can be cancelled; medical records cannot
• Medical records stolen, no chance of clean start²
– STD? Abortion? Sex change? Slow-growing tumor? High BMI?
Medical record abuse consequences:
• Prescription Fraud
• Embarrassment
• Financial Fraud
• Personal Data Resale
• Blackmail / Extortion
• Medical Claims Fraud
• Job loss / reputational
¹ RSA Report on Cybercrime and the Healthcare Industry
² Fourth Annual Benchmark Study on Patient Privacy and Data Security by the Ponemon Institute

What About Our Patients?
Case study #1: Linda Weaver
• Surprised to find a bill for the amputation of her right foot
• Soon discovered that it wasn’t just a mix-up
• Stolen identity and insurance information had been used to get surgery.
• Stuck with the bill, and with a medical record full of incorrect, potentially dangerous information
• Two years after her false amputation, Weaver suffered a real heart attack.
• She woke up in a hospital room, and a nurse asked her what she takes for diabetes, which she doesn’t have

What About Our Patients?
Case study #2: Anndorie Sachs
• Received a call from the Salt Lake City DCFS wanting answers
• Someone answering to Sachs’ name had given birth to a premature baby girl
• Baby tested positive for meth
• Real mother (Dorthy Bell Moran) fled hospital leaving the infant and a $10,000 bill behind
• Moran had stolen Sachs’ driver’s license from her car two months before
• DCFS prepared to declare Sachs an unfit mother & put her 4 kids into state custody.
• Sachs’ real 7-year-old daughter was also pulled out of school by DCFS agents and subjected to questioning
• Sachs’ medical records changed, including her blood type and other information
• Sachs can’t even view her own medical records; identity thief’s own rights to medical privacy!!

Healthcare – Why Bother?
Big Surprise!

Must Do!
• “We continue to see a lack of comprehensive and enterprise-wide risk analysis and risk management that leads to major breaches and other compliance problems,”
• “That is why enforcement is a critical part of our arsenal of tools to ensure compliance.”
• “These enforcements send out an important message about compliance issues and the need for covered entities and business associates to take their obligations seriously.”
• “When the OCR investigates a breach, we not only look at what was done to correct and remedy a breach but what led to the incident to determine if noncompliance played a part. Comprehensive enterprise risk analysis followed by ... timely risk management practices is the cornerstone of any good compliance program.”
Jocelyn Samuels, Director – HHS’ Office for Civil Rights
-- OCR/NIST Conference | September 23, 2014

Risk Management Requirements

| Industry | Guidance or Requirement? | Citation / Documents | NIST Meet Guidance or Requirement? |
|---|---|---|---|
| Healthcare | Requirement | 45 CFR §164.308(a)(1)(ii)(A) and (B); “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”; NIST SPs | YES |
| Retail | Requirement | PCI/DSS Requirements and Security Assessment Procedures Version 3.0; PCI/DSS Information Supplement: PCI DSS Risk Assessment Guidelines | YES |
| Financial Services | Requirement | Section 501(b) of GLBA; Safeguards Rule at 16 C.F.R. § 314; 12 C.F.R. Part 570, Appendix A: Interagency Guidelines Establishing Standards for Safety and Soundness | YES |
| Federal Agencies | Requirement | 44 USC 3544(b)(1) – Federal Information Security Management Act of 2002 | YES |
| Education | Guidance | Family Educational Rights and Privacy Act (FERPA); FERPA contains non-binding recommendations to safeguard education records that includes conducting a risk assessment. | YES |
| Public Companies (SOX) | Requirement | Section 404 of the Sarbanes-Oxley Act of 2002; Financial RA known as SOX 404 top-down risk assessment (TDRA) | Under Review |

Recent Headlines Checklist!
• Social Media and Compliance: Overview for Regulated Organizations
• Lawmakers press HHS on HIPAA clarity for mobile app developers
• Email Encryption, the HITECH Act, and Preventing Data Breaches
• Network Security: Step Out of the Bull’s-Eye
• Next Generation Network Security Architecture for Healthcare
• Malware: Examining the Home Depot Breach
• Mobile Malware: Securing Enterprise Data
• Securing Identities for Enterprise Users, Devices and Applications
• HIPAA Audits: Documentation Is Critical
• Data Security for Mobile Users: One Size Does Not Fit All
• Securing Distributed Healthcare Networks for PCI DSS 3.0 and HIPAA Compliance
• Your Data Under Siege: Defeating the Enemy of Complexity

Information Risk Depends on Impact
Information assets: PHI, PII, Credit Card, Intel. Prop.
• What if my (Protected Health) Information is not complete, up-to-date and accurate?
• What if my (Protected Health) Information is shared? With whom? How?
• What if my (Protected Health) Information is not there when it is needed? (AVAILABILITY)
IMPACT = HARM or LOSS can occur… compromise of C or I or A!

To Solve the Problem
1. What is our exposure of our information assets (e.g., ePHI)?
2. What decisions do we need to make to treat or manage risks?
Both Are Required in HIPAA Security Rule

Determine Level of Risk

| Asset | Threat Source / Action | Vulnerability | Likelihood | Impact | Risk Level |
|---|---|---|---|---|---|
| Laptop | Burglar steals laptop | No encryption | High (5) | High (5) | 25 |
| Laptop | Burglar steals laptop | Weak passwords | High (5) | High (5) | 25 |
| Laptop | Burglar steals laptop | No tracking | High (5) | High (5) | 25 |
| Laptop | Shoulder Surfer views | No privacy screen | Low (1) | Medium (3) | 3 |
| Laptop | Careless User Drops | No data backup | Medium (3) | High (5) | 15 |
| Laptop | Lightning Strike | No surge protection | Low (1) | High (5) | 5 |

Realize It’s a Journey, Not Destination

$$\text{Risk} = f\big([\text{Asset} \times \text{Threat} \times \text{Vulnerability}]_{\text{Controls}} \times [\text{Likelihood} \times \text{Impact}]\big)^{1}$$

¹ NOTE: Equation above is shown for illustrative purposes only; there is no simple, closed-form equation for risk.
Critical Point: Since all these variables change, risk analysis and risk management must become an ongoing, mature business process

Poll #3 – Has your organization completed the HIPAA Security Risk Analysis and Risk Management required at 45 CFR 164.308(a)(1) at least once?

No Rain, No Rainbow!
• No Asset, No Risk
• No Threat, No Risk
• No Vulnerability, No Risk
• Think “Triples”

Risk Analysis Fundamentals
• Must have asset-threat-vulnerability to have risk
• Risk is a likelihood issue
• Risk is an impact issue
• Risk is a derived value (like speed is a derived value = distance / time)
• Fundamental nature of Risk is universal; nothing special about Information Risk

Decide Response or Treatment

Risk Management Fundamentals
• All Risks Must Be Managed or Treated
• Not All Risks Must Be Mitigated
• Risk Management Requires Setting Your Risk Appetite
• Risk Management Requires Real Risk Analysis
• Risk Management is Informed Decision Making – What’s New?
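
The scoring from the "Determine Level of Risk" table combined with the fundamentals above (triples, risk as a derived value, treatment decided against a risk appetite), as an added Python example that is not part of the original slides. The appetite threshold of 10 and the two decision labels are assumptions; the slides give neither.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Rating scale taken from the slide's table: Low (1), Medium (3), High (5).
SCALE = {"low": 1, "medium": 3, "high": 5}

# ASSUMPTION: the slides give no risk-appetite number; 10 is a constructed
# threshold used only to show how an appetite drives the treatment decision.
RISK_APPETITE = 10


@dataclass(frozen=True)
class Triple:
    asset: Optional[str]
    threat: Optional[str]
    vulnerability: Optional[str]
    likelihood: str
    impact: str

    def is_risk(self) -> bool:
        # No asset, no threat or no vulnerability means there is no risk to rate.
        return all((self.asset, self.threat, self.vulnerability))

    def level(self) -> int:
        # Risk is a derived value: likelihood rating times impact rating.
        if not self.is_risk():
            return 0
        return SCALE[self.likelihood.lower()] * SCALE[self.impact.lower()]


def rank(register: List[Triple]) -> List[Triple]:
    """Return the real risks only, highest risk level first."""
    return sorted((t for t in register if t.is_risk()),
                  key=lambda t: t.level(), reverse=True)


def decide(triple: Triple, appetite: int = RISK_APPETITE) -> str:
    """Every risk gets a decision; only those above appetite need more than
    acceptance. Both labels are hypothetical names chosen for this example."""
    return "treat-further" if triple.level() > appetite else "accept-and-monitor"


def remediate(register: List[Triple], vulnerability: str) -> List[Triple]:
    """Model a control that closes one vulnerability: its triples stop being risks."""
    return [replace(t, vulnerability=None) if t.vulnerability == vulnerability else t
            for t in register]


def exposure(register: List[Triple], asset: str) -> int:
    """Highest remaining risk level for an asset (0 when nothing is left)."""
    return max((t.level() for t in register if t.asset == asset), default=0)


# The six rows of the slide's "Determine Level of Risk" table.
TABLE = [
    Triple("Laptop", "Burglar steals laptop", "No encryption", "High", "High"),
    Triple("Laptop", "Burglar steals laptop", "Weak passwords", "High", "High"),
    Triple("Laptop", "Burglar steals laptop", "No tracking", "High", "High"),
    Triple("Laptop", "Shoulder Surfer views", "No privacy screen", "Low", "Medium"),
    Triple("Laptop", "Careless User Drops", "No data backup", "Medium", "High"),
    Triple("Laptop", "Lightning Strike", "No surge protection", "Low", "High"),
]

if __name__ == "__main__":
    for t in rank(TABLE):
        print(f"{t.level():>2}  {decide(t):<18}  {t.threat} / {t.vulnerability}")
    after = remediate(TABLE, "No encryption")
    print("Laptop exposure after encrypting:", exposure(after, "Laptop"))
```

Closing one vulnerability removes one triple, not the asset's exposure: the laptop stays at the top risk level until every theft-related vulnerability is treated, which is why the register has to be re-scored whenever assets, threats, vulnerabilities or controls change.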

Risk Management and Baseball
• A professional baseball team is more "mature" than a Little League team
• A professional team has self-perpetuating quality. They
– Have coaching / oversight in place
– Make good plays
– Develop new players like themselves
– Find ways to make better plays
– Practice to ensure consistency
– Use latest “technology”

Risk Management Maturity
Attributes of a Mature Process or Practice Area
• Governed
• Measurable
• Controlled
• CPI-based
• Standards-based
• Proactive
• Adaptable
• Consistent
• Predictable
• Automated
Little League … Major League: Where Does Your Organization Need to Be?

What is the Information Risk Management Capability Advancement Model (IRMCAM™)?
• Just like baseball teams, mature risk-aware organizations are different from immature risk-aware organizations
• IRMCAM™ strives to capture and describe these differences
• IRMCAM™ strives to create organizations that are “mature”, or more mature than before applying IRMCAM™
• Describes six levels of Information Risk Management process maturity
• Includes lots of detail about each level – we will look at some of it
Not One Size Fits All

IRMCAM Index (IRMCAMi™) and Levels
Key Information Risk Management Practice Areas:
1. Governance, Awareness of Benefits and Value
2. People, Skills, Knowledge & Culture
3. Process, Discipline & Repeatability
4. Standards, Technology Tools / Scalability
5. Engagement, Delivery & Operations
Levels:
• Incomplete - 0
• Performed - 1
• Managed - 2
• Established - 3
• Predictable - 4
• Mature - 5
As measured by the extent of adoption, implementation and / or achievement…

RISK MANAGEMENT IMPLEMENTATION MATURITY
[Table: rows are the KEY RISK MANAGEMENT PRACTICE AREAS (Governance, Awareness of Benefits and Value; People, Skills, Knowledge & Culture; Process, Discipline, & Repeatability; Use of Standards, Technology Tools / Scalability; Engagement, Delivery & Operations). Columns are the maturity levels Incomplete-0, Performed-1, Managed-2, Established-3, Predictable-4, Mature-5. The grid positions of the cells are not recoverable; the cell descriptors, in the order they appear, are:]
• Not Using
• Aware but Not Formalized Use
• Using selectively
• Using, repeatable results
• Sound understanding, consistent use of tools
• No PnPs, formal practices
• Some execution, no records or docs.
• Have framework & active when time permits
• Some PnPs, docs; not consistently followed
• Some (ad hoc), Insufficient resources
• None
• Unsure of benefits; no executive focus
• Aware of risk, but not clear on benefits
• Aware of some benefits
• Incorporated into business planning and strategic thinking
• Aware of most benefits; value realized
• Becoming a Formal program
• Embedded in decision making, CPI
• Formal PnPs and doc, widely followed
• Formal, continuous process improvement
• Regular use, outcomes consistent
• Aware of benefits and deployed across the organization
• Formal program
• Robust, widely adopted PnPs
• Little knowledge
• Some risk skills training in parts of organization
• Good understanding across parts of organization
• Knowledge across most of organization
• High degree of knowledge; refinement
• Sound knowledge of discipline and value

Poll #4 – What would you estimate your organization's Information Risk Management Maturity level to be?
• Incomplete - 0
• Performed - 1
• Managed - 2
• Established - 3
• Predictable - 4
• Mature - 5
As measured by the extent of adoption, implementation and / or achievement…

What is Your Vision for Privacy, Security and Information Risk Management?
Necessary Evil
Operational Baseline
Competitive Advantage
Marketing, Customer Service & Patient Safety Strategy
Regulatory Compliance Project
Patient/Member Privacy & Security Program

Two Helpful Resources
• Risk Analysis Resources: http://clearwatercompliance.com/hipaa-hitech-resources/
• Risk Analysis Buyer’s Guide: http://clearwatercompliance.com/hipaa-risk-analysis-buyers-guide-checklist/

Download Whitepaper
Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
http://clearwatercompliance.com/hipaa-risk-analysis-essentials-lp/

Latest White Paper
Industry Advisors
• David Finn | Health IT Officer | Symantec
• Meredith Phillips | Chief Information Privacy & Security Officer | HFHS
• Eric Bergen | Independent Consultant
• Sam Homer, Ph.D. | Healthcare Technology Strategist | HCSC
• Kathy Jobes | CISO | Sentara Healthcare
• Ed Schreibman | Vice President of Healthcare Compliance | Expert Global Solutions, Inc.
• Ian Johansson | Corporate Compliance Officer | Aloha Care
• Deborah Schlesinger | Director Corporate Risk Management | SCAN Health Plan
• Adam Greene, JD | Attorney | Davis, Wright and Tremaine
• Matt Hanis | Vice President | Lockton
• Scott Blanchette | CIO | Kindred Healthcare
• Kyle Duke | CIO | TN Division of Health Care Finance & Administration
• Chris Dansie, Ph.D. | Assistant Professor | University of Utah
http://clearwatercompliance.com/thought-leadership/irmcam/

Supplemental Reading
• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments
• NIST SP800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39, Managing Information Security Risk
• NIST SP800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP800-53A Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
• NIST SP800-115, Technical Guide to Information Security Testing and Assessment
• MU Stage 2 Hospital Core 7 Protect Electronic Health Info 2012-11-05
• CMS MU Stage1 vs Stage2 Comparison Tables for Hospitals
• CMS Security Risk Assessment Fact Sheet (Updated 20131122)
• NIST Risk Management Framework 2009
Remember! Security Rule is Based on NIST!

Clearwater HIPAA Security Risk Analysis™
Educate | Assess | Respond | Monitor | Document
https://clearwatercompliance.com/shop/clearwater-hipaa-risk-analysis/

Get more info…
Register For Upcoming Live HIPAA-HITECH Webinars at:
http://clearwatercompliance.com/live-educational-webinars/
View pre-recorded Webinars like this one at:
http://clearwatercompliance.com/on-demand-webinars/

Clearwater Information Risk Management BootCamp™ Events
2015 Plans – Virtual, Web-Based Events (3, 3-hr sessions):
• February 5-12-19, 2015
• May 7-14-21, 2015
• August 6-13-20, 2015
2015 Plans - Live, In-Person Events (9-hours):
• January 22 – Dallas
• April 23 - Orlando
• April 30 – New Orleans
• July 16 – Denver
• October 29 – Washington, DC
http://ClearwaterCompliance.com/bootcamps/
Take Your HIPAA Privacy and Security Program to a Better Place, Faster … Earn CPE Credits!

Clearwater Designated (ISC)2 Official Training Partner
Upcoming Clearwater Courses
• February 9 – 11, 2014 – Miami, FL
• April 6 - 8 – Nashville, TN
• June 1 - 3 – Nashville, TN
• August 10 - 12 – Nashville, TN
• October 5 - 7 – Miami, FL

Key Points to Remember
1. Healthcare is the Next Cyber Security Battleground
2. Case for Action is Compelling – Much to Lose and Lots of Potential Harm
3. You Cannot Check-List Your Way to Information Risk Management Success
4. Must Establish, Operationalize and Mature an Information Risk Management Program
5. Take advantage of Resources Provided
Business Risk Management Issue NOT an “IT Problem”

Contact
Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US
http://[email protected]
Phone: 800-704-3394 or 615-656-4299
Clearwater Compliance LLC
Exit Survey, Please