© Clearwater Compliance | All Rights Reserved
Copyright Notice
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
For reprint permission and information, please direct your inquiry to [email protected]
Legal Disclaimer
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
October 13, 2015
How to Mature Your Information Risk Management Program
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US
615-656-4299 or [email protected]
Clearwater Compliance LLC
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US
• CEO & Founder – Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates, Financial Services, Retail, Legal
• Member: ACAP, AEHIS, CAHP, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA, HCAA, ACHE, AHIMA, NTC, ACP, SIM, Chambers, Boards
http://www.linkedin.com/in/BobChaput
But FIRST!
• We are not attorneys! Ensure Competent Counsel
• The Omnibus has arrived! Welcome Aboard, BAs!
• Lots of different interpretations! Please, Ask Lots of Questions!
Our Goal Is To Help You Become As Self-Sufficient As You Wish To Be
This empowering philosophy underpins everything we do:
• Commitment to educational resources for our audiences
• Ongoing support and training for our customers
• Thought-, service-, methodology- and software-leadership to better serve you
Our Passion
We’re excited about what we do because…
…we’re helping organizations improve patient safety and the quality of care by safeguarding the very personal and private healthcare information of millions of fellow Americans…
… And, keeping those same organizations off the Wall of Shame…!
Awards and Recognition
Exclusive Endorsement
Ranked #11 - 2015
Software Used by NSA/CAEs
Sole Source Provider
Some Ground Rules
1. Slide materials
   A. Check “Handouts” area on GoToWebinar Control Panel to download materials now
2. Questions in “Question Area” on GTW Control Panel
3. In case of technical issues, check “Chat Area”
4. All Attendees are in Listen Only Mode
5. Please complete Exit Survey, when you leave session
6. Recorded version and final slides within 48 hours
How This Webinar Fits In to Our IRM Educational Track
Register For Our NEW Educational Tracks: https://clearwatercompliance.com/hipaa-education/educational-tracks/
1. “NIST-based Information Risk Management Essentials”
2. “How to Establish Your NIST-based Risk Management Program to Comply with HIPAA & Other Regulations”
3. “The Critical Difference - HIPAA Security Compliance Evaluation vs. HIPAA Security Risk Analysis”
4. “How to Conduct NIST-based Risk Assessment to Comply with Federal Regulations & Industry Standards”
5. “How to Conduct NIST-based Risk Response to Comply with Federal Regulations & Industry Standards”
6. “How to Monitor Your NIST-based Risk Management Program to Comply with Federal Regulations & Industry Standards”
7. “How to Mature Your Information Risk Management Program” ← You are Here!
Learning Outcomes… Attendees Will Be Able To:
Describe the Information Risk Management Capability Advancement Model™ (IRMCAM™)
Determine their organization’s current level of IRM maturity
Explain the importance of a mature information risk management program and framework
Explain the purpose and value of maturity models, in general, and specifically as it relates to IRM
Resources will be provided at the end of the session and all registrants will receive a copy of all slide materials & the recorded webinar
Pause and Quick Poll
What type of organization do you represent?
• Hospital / Health System
• BA
• HYBRID
• Don’t Know
• Other CE
Pause and Quick Poll
How many Clearwater Compliance webinars have you attended before?
Reminder: Problem We’re Trying to Solve
Don’t Compromise C-I-A! (PHI, PII, Payment Card, Intel. Prop., Etc.)
CONFIDENTIALITY: What if my Sensitive Information is shared? With whom? How?
INTEGRITY: What if my Sensitive Information is not complete, up-to-date and accurate?
AVAILABILITY: What if my Sensitive Information is not there when it is needed?
Clearwater Information Risk Management Life Cycle¹
¹ Adapted from NIST SP 800-39, Managing Information Security Risk
Agenda
• Problem
• Actions
• Results
• Resources
The Information Risk Management (IRM) Problem
1. 68% of 2012 OCR Phase I Auditees Failed Risk Analysis (80% of Providers)
2. 73% of 26 OCR Resolution Agreements / CAPs Cite Failed Risk Analyses
3. Healthcare IS the Next Cybersecurity Battleground
4. Too many BOD / C-Suites are not educated and, therefore, far too disengaged from information risk management
5. Too few organizations are working to do bona fide risk management AND “mature” their information risk management processes
6. Widespread Failure to Realize It’s a Patient Safety / Quality of Care / Customer Experience issue … not a “HIPAA or SOX or PCI or GLBA or FERPA compliance” issue …
7. Failure to Appreciate that Risk Assessments are a Basic Foundational Step AND Required by Regulation
8. Few People Truly Understand Risk
Governance | People | Process | Technology | Maturity
Healthcare Under Attack
“The health-care industry is being hunted and hacked by the elite financial criminal syndicates that had been targeting large financial institutions until they realized health-care databases are more valuable”
-- Tom Kellermann, chief cyber security officer at Trend Micro Inc. May, 2015
http://www.bloomberg.com/news/articles/2015-05-07/rising-cyber-attacks-costing-health-system-6-billion-annually
Healthcare Under Attack
“Now healthcare is considered a top target. The speed of these attacks and the volume with which they're occurring is increasing significantly. It just requires a much more robust response across the U.S. government and private sector.”
“Major intrusions into healthcare providers' computer systems now are happening at the pace of two or three a day.”
-- Jim Trainor, deputy assistant director, FBI Cyber Division, April 2015
http://searchhealthit.techtarget.com/news/4500246657/Federal-authorities-on-to-healthcare-cybercrime
Problem with THE Problem We’re All Trying to Solve
1. The Problem is the “Problem We’re Trying to Solve” is a dynamic, never-ending Problem!
2. Healthcare Industry, especially, is Immature When it Comes to Information Risk Management
Some Recent Events
• March 2014 - compromised by Chinese hackers targeting the information of 10s of 100s of thousands of employees | the U.S. Gov Personnel Network
• June 2014 - the New York Times reported how cybercriminals are getting better at circumventing firewalls and antivirus programs, and more of them are resorting to ransomware, which encrypts computer data and holds it hostage until a fee is paid
• August 2014 - 4.5 million patients’ personal information was disclosed in alleged Chinese hacker attack | Community Health Systems
• August 2014 - “significant and egregious” data breach | JP Morgan
• September 2014 – “no evidence that debit card PINs were compromised” | Home Depot
• February 2015 - “80 million … target of a ‘very sophisticated external cyber attack’” | Anthem
• March 2015 – “11 million … Insurance Commissioner Mike Kreidler announced the launch of a multi-state market conduct examination” | Premera Blue Cross
• May 2015 – “about 1.1 million names, usernames, birth dates, email addresses and subscriber ID numbers of current and former members and people who did business with CareFirst” | CareFirst Blue Cross Blue Shield
• June 2015 - OPM …
• September 2015 – “10.5 million … one of a series of major digital intrusions into Blue Cross affiliates and other health insurers nationwide over the last two years” | Excellus BlueCross BlueShield
• December 2015 – YOUR ORGANIZATION?…
Breach Fatigue, Anyone?
Case for Action or Cause for Shock?
• All Industries, Especially Healthcare, Under Attack
• Harm or Loss to Companies and Individuals
• Regulatory Compliance and Security Risks
• Significant Financial Risks
PHI, The Next Patient Safety Issue!
Challenge: Balance and Move to Future State of IRM
Tactical | Technical | Spot-Welding  →  Strategic | Business | Architectural
Start the Conversation. Change the Conversation.
Pause and Quick Poll
If “Tactical-Technical-Spot-Welding” is a “1” and “Strategic-Business-Architectural” is a “5”, where would you place your organization?
Agenda
• Problem
• Actions
• Results
• Resources
Three IRM Agenda Items I Feel Deeply Inspired By…
• Strategic: Make IRM a C-Suite / Board Agenda item
• Operational: Complete Comprehensive Risk Analysis and Risk Response
• Tactical: Establish, Implement and Mature IRM Program
Clearwater Information Risk Management Life Cycle¹
¹ Adapted from NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
• Need to Adopt a Framework (we suggest NIST)
• Need to Develop a Maturity Model Approach (Plan-Do-Check-Act, Continuous Process Improvement)
Risk Management and Baseball
• A Major League Baseball team is more "mature" than a Little League team
• A Major League Baseball team has self-perpetuating qualities. They:
  • Have strong management (Governance)
  • Develop new players like themselves (People)
  • Find ways to make better plays (Process)
  • Use latest balls, bats, equipment (Technology)
  • Are consistent and make good plays (Implementation)
Risk Management and Baseball
• Is Little League good enough?
• How good does your team have to play?
• How mature does your Information Risk Management Process need to be?
• Are you making conscious, informed decisions about your required level of maturity?
Keep It Simple
1. Embrace the Fundamentals of Maturity Models
2. Understand critical “Capabilities” and “Best Practices” in Information Risk Management
3. Embrace Information Risk Management Capability Advancement Model™ (IRMCAM™)
4. Consciously decide what is best for your organization
5. Take actions to establish, operationalize and mature your program
Pause and Quick Poll
Are you familiar with the principles / concepts of maturity models?
Capability maturity models, in general
• Rate your organization – from the least mature level to the most mature level
• Identify descriptions of your organization’s current and possible future states
• Don’t make it a competition with other organizations
• Purpose is to:
  • Identify where organizations are in relation to certain capabilities, activities and practices
  • Suggest how to set priorities for improvements
Reference: ISO/IEC 15504 Process Assessment Standard
Attributes of a Mature Process or Practice Area
Risk Management Maturity: Little League → Major League
Where Does Your Organization Need to Be?
• Governed
• Measurable
• Controlled
• CPI-based
• Standards-based
• Proactive
• Adaptable
• Consistent
• Predictable
• Automated
Maturity in EMR Adoption
http://www.himssanalytics.org/emram/emram.aspx
Electronic Medical Record Adoption Model (EMRAM)SM
HIMSS Analytics has devised the EMR Adoption Model, an 8-step process that allows you to track your progress against healthcare organizations across the country and view all scores in the HIMSS Analytics® Database.
Pause and Quick Poll
On a Scale of 0 (least mature) to 5 (most mature), how mature is your information risk management program?
What is the Information Risk Management Capability Advancement Model™ (IRMCAM™)?
• Like baseball teams, mature risk-aware organizations are different from immature risk-aware organizations
• IRMCAM™ strives to capture and describe these differences
• IRMCAM™ strives to create organizations that are “mature”, or more mature than before applying IRMCAM™
• Describes six levels of Risk Management process maturity
• Includes lots of detail about each level – we will look at some of it
Not One Size Fits All
IRMCAM Index (IRMCAMi™) and Levels
Key Information Risk Management Practice Areas:
1. Governance, Awareness of Benefits and Value
2. People, Skills, Knowledge & Culture
3. Process, Discipline & Repeatability
4. Standards, Technology Tools / Scalability
5. Engagement, Delivery & Operations
Levels, as measured by the extent of adoption, implementation and / or achievement (Plan-Do-Check-Act):
Incomplete - 0
Performed - 1
Managed - 2
Established - 3
Predictable - 4
Mature - 5
KEY RISK MANAGEMENT CAPABILITIES by INFORMATION RISK MANAGEMENT MATURITY LEVEL (Incomplete-0, Performed-1, Managed-2, Established-3, Predictable-4, Mature-5)

Governance, Awareness of Benefits and Value
  0 Incomplete: Unsure of benefits; no executive focus
  1 Performed: Aware of risk, but not clear on benefits
  2 Managed: Aware of some benefits
  3 Established: Aware of most benefits; value realized
  4 Predictable: Aware of benefits and deployed across the organization
  5 Mature: Incorporated into business planning and strategic thinking

People, Skills, Knowledge & Culture
  0 Incomplete: Little knowledge
  1 Performed: Some risk skills training in parts of organization
  2 Managed: Good understanding across parts of organization
  3 Established: Knowledge across most of organization
  4 Predictable: Sound knowledge of discipline and value
  5 Mature: High degree of knowledge; refinement

Process, Discipline, & Repeatability
  0 Incomplete: No PnPs, formal practices
  1 Performed: Some execution, no records or docs.
  2 Managed: Some PnPs, docs; not consistently followed
  3 Established: Formal PnPs and doc, widely followed
  4 Predictable: Robust, widely adopted PnPs
  5 Mature: Formal, continuous process improvement

Use of Standards, Technology Tools / Scalability
  0 Incomplete: Not Using
  1 Performed: Aware but Not Formalized Use
  2 Managed: Using selectively
  3 Established: Using, repeatable results
  4 Predictable: Sound understanding, consistent use of tools
  5 Mature: Regular use, outcomes consistent

Engagement, Delivery & Operations
  0 Incomplete: None
  1 Performed: Some (ad hoc), Insufficient resources
  2 Managed: Have framework & active when time permits
  3 Established: Becoming a Formal program
  4 Predictable: Formal program
  5 Mature: Embedded in decision making, CPI
Key IRM Capabilities
1. Governance, Awareness of Benefits and Value
2. People, Skills, Knowledge & Culture
3. Process, Discipline, & Repeatability
4. Standards, Technology Tools and Scalability
5. Engagement, Delivery & Operations
Capabilities Are Evidenced by Practices
IRM Capabilities Are Evidenced by Best Practices
1. Governance, Awareness of Benefits and Business Value
A. The board or governance body has developed a working knowledge of the information risk management framework and workflow concepts …
B. The board or governance body has developed a working knowledge of the information risk of compromise of confidentiality, integrity and/or availability of sensitive information.
C. The board or governance body has issued formal, written guidance for IRM.
D. There is awareness of all external requirements (e.g., regulatory, customer, business partners, etc.) for IRM in the organization.
E. Board or governance body views IRM as a business enabler…
F. Etc…
IRM Capabilities Are Evidenced by Best Practices
2. People, Skills, Knowledge & Culture
A. There has been an emergence and designation of a formal IRM function within the organization.
B. A senior risk manager has been designated as the leader of the information risk management function.
C. A cross-functional executive oversight committee is chartered to guide and support the information risk manager.
D. A cross-functional working group, led by the information risk manager, is chartered to support the IRM function (so that each functional area can understand where it fits into the entire organizational IRM strategy and how it affects other areas).
E. The IRM function has a designated capital and operating expense budget.
F. Etc…
IRM Capabilities Are Evidenced by Best Practices
3. Process, Discipline, & Repeatability
A. Formal, up-to-date and documented IRM policies and procedures (PnPs) are used and are defensible.
B. The organization’s risk assessment process is formally documented, including the characterization of threat sources, sources of threat information, representative threat actions, when to consider and how to evaluate threats, sources of vulnerability information, the risk assessment methodologies to be used, and the risk assumptions.
C. The IRM program provides a complete, end-to-end process for inventorying and including all information assets used to create, receive, maintain or transmit sensitive data (e.g., PHI, PII, payment card data, company proprietary information and other sensitive data).
D. The IRM program’s risk assessment solution ensures that all relevant threat sources and threat actions that may exploit vulnerabilities are considered.
E. Etc.
IRM Capabilities Are Evidenced by Best Practices
4. Standards, Technology Tools and Scalability
A. The organization is aware of the general category of governance, risk and compliance (GRC) software tools that are available in the marketplace.
B. There is recognition in the organization of value of the use of consistent, automated IRM workflow tools (e.g., demonstrated compliance, optimizing cost of IRM, single source of the truth, scalability, etc.).
C. The organization is using an automation solution to manage, maintain and communicate its policies and procedures for all regulations with which it must comply.
D. The organization is using an automation solution for information security continuous monitoring.
E. Etc.
IRM Capabilities Are Evidenced by Best Practices
5. Engagement, Delivery & Operations
A. The organization has documented the implementation plan for the scope of the organizational IRM process (e.g., organizational entities covered; mission/business functions affected; information assets to be included, etc.) and its rollout plan.
B. The organization has documented how its IRM process steps will be implemented (e.g., sequence, degree of rigor, formality, and thoroughness of application) and how the results of each step are captured and shared, both internally and externally, if necessary.
C. There is strong alignment of the organization's IRM strategy with the overall organizational business strategy.
D. Strategic objectives are based on an executive-level understanding of business threats and information risk scenarios.
E. Etc
How to Use IRMCAM™
• Train your own team in IRMCAM™, then conduct internal assessments.
  • For a large organization with many exposures, could have a big payoff
  • Use IRMCAM™ as a set of recommendations; apply as you see fit
• Hire a 3rd Party IRMCAM™ Assessor to conduct a formal evaluation
  • To win management attention
  • To ensure an independent, objective review
  • To demonstrate good intent to customers and regulators
• Determine Where You Are
• Decide Where You Need to Be
• Set Plan of Action to Get There!
Agenda
• Problem
• Actions
• Results
• Resources
Benefits of Using IRMCAM™ to Mature Your IRM Program
Improved Information Risk Management Performance: FEWER BREACHES, COMPLAINTS, FAILED AUDITS, ETC.
• Executive Engagement And Support
• Information Risk Management Consistency And Predictability
• Cost Effectiveness And Efficiency
• Continuous Process Improvement
• Market Differentiation And Competitive Advantage
• Higher quality IRM investment decisions
Pause and Quick Poll
Is your organization ready for a maturity model approach to information risk management?
Agenda
• Problem
• Actions
• Results
• Resources
IRMCAM™ Model
Assessing Practices
In each capability area, we present a series of practices that, if implemented, would serve as evidence of progress in establishing and improving that capability. Consideration of these practices may also translate into an action plan for improvement. We rate each practice on a six-point rating scale using the Deming "plan-do-check-act" cycle:
• Not started: not adopted, implemented or achieved (0% or maturity 0)
• Planning to adopt, implement or achieve (20% or maturity 1)
• Planning and doing (40% or maturity 2)
• Planning, doing and checking (60% or maturity 3)
• Planning, doing, checking, acting (80% or maturity 4)
• Planning, doing, checking, acting & optimizing (100% or maturity 5)
Please Use It / Provide Feedback
IRMCAM™ – V5
1. Prepare to use the Clearwater Information Risk Management Capability Maturity Model™.
2. Set the desired information risk management maturity level for the organization.
3. Complete the Clearwater Information Risk Management Capability Maturity Model Index™ tool.
4. Identify any gaps that may exist between the desired state of maturity and the current state.
5. Assess all identified gaps that may exist between the desired and the current state.
6. Rank order identified gaps and remediate the highest priority gaps.
7. Document results and repeat the assessment periodically.
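The six-point plan-do-check-act scale and steps 2 through 6 of the procedure above (set a target level, score the practices, find and rank the gaps) lend themselves to a small script. The following is an added example written for this page; it is not Clearwater's Index tool or code. It assumes a handful of practices per capability area paraphrased from the best-practice slides, that a capability's index is the mean of its practices' PDCA percentages mapped back onto the 0-5 levels, and that a capability is only credited with a level it has fully reached (floor, not round). The practice list, the aggregation rule and the sample ratings are all constructed for illustration.

```python
"""Gap analysis over PDCA-rated practices, grouped by capability area (illustrative, not Clearwater's tool)."""
import math
from dataclasses import dataclass
from statistics import mean

# Six-point scale from the slide: PDCA stage -> (percent, maturity level)
PDCA_SCALE = {
    "not_started": (0, 0),
    "planning": (20, 1),
    "planning_doing": (40, 2),
    "planning_doing_checking": (60, 3),
    "planning_doing_checking_acting": (80, 4),
    "optimizing": (100, 5),
}

# Level names from the IRMCAM index slide, indexed by maturity level 0..5
LEVEL_NAMES = ["Incomplete", "Performed", "Managed", "Established", "Predictable", "Mature"]


@dataclass(frozen=True)
class Practice:
    capability: str
    description: str
    stage: str  # a key of PDCA_SCALE


def practice_percent(p: Practice) -> int:
    """Percentage credit for one practice; an unknown stage is an assessment error, not a zero."""
    try:
        return PDCA_SCALE[p.stage][0]
    except KeyError:
        raise ValueError(f"unknown PDCA stage {p.stage!r} for practice {p.description!r}")


def capability_index(practices) -> dict:
    """Per capability area: mean practice percentage rescaled to the 0-5 level axis (assumed aggregation)."""
    by_cap = {}
    for p in practices:
        by_cap.setdefault(p.capability, []).append(practice_percent(p))
    return {cap: mean(vals) / 20 for cap, vals in by_cap.items()}


def level_name(score: float) -> str:
    """Floor, so a capability is not credited with a level it has only partly reached."""
    return LEVEL_NAMES[min(5, math.floor(score))]


def gap_report(practices, target_level: int) -> list:
    """Steps 4-6: compare each capability with the desired level and rank the shortfalls, largest first."""
    gaps = []
    for cap, score in capability_index(practices).items():
        gap = target_level - score
        if gap > 0:
            gaps.append({"capability": cap, "level": level_name(score), "current": round(score, 2),
                         "target": target_level, "gap": round(gap, 2)})
    return sorted(gaps, key=lambda g: g["gap"], reverse=True)


def weakest_practices(practices, capability: str, n: int = 3) -> list:
    """Within one capability, the practices furthest behind are the remediation candidates."""
    return sorted((p for p in practices if p.capability == capability), key=practice_percent)[:n]


# Constructed sample ratings (not real assessment data); descriptions paraphrase the best-practice slides.
SAMPLE = [
    Practice("Governance", "Board has working knowledge of the IRM framework", "planning_doing"),
    Practice("Governance", "Board has issued formal, written IRM guidance", "planning"),
    Practice("Governance", "Awareness of all external IRM requirements", "planning_doing_checking"),
    Practice("People", "Formal IRM function designated", "planning_doing_checking_acting"),
    Practice("People", "Senior risk manager leads the IRM function", "planning_doing_checking"),
    Practice("People", "IRM function has capital and operating budget", "planning"),
    Practice("Process", "Formal, documented IRM policies and procedures", "optimizing"),
    Practice("Process", "Risk assessment process formally documented", "planning_doing_checking_acting"),
    Practice("Process", "End-to-end inventory of assets holding sensitive data", "planning_doing_checking"),
    Practice("Standards & Tools", "Aware of the GRC tooling category", "planning_doing_checking_acting"),
    Practice("Standards & Tools", "Automation used for continuous monitoring", "not_started"),
    Practice("Engagement", "IRM scope and rollout plan documented", "planning_doing"),
    Practice("Engagement", "IRM strategy aligned with business strategy", "planning"),
]

if __name__ == "__main__":
    # Target "Established" (level 3) and list what is in the way, worst capability first.
    for g in gap_report(SAMPLE, target_level=3):
        print(f"{g['capability']:<18} {g['level']:<12} current {g['current']:.2f}  gap {g['gap']:.2f}")
        for p in weakest_practices(SAMPLE, g["capability"]):
            print(f"    {p.stage:<32} {p.description}")
```

Flooring rather than rounding is deliberate: a capability sitting at 2.67 is still "Managed", not "Established", and the report says so; the fractional score is kept only to rank the gaps. Anything rated in the Process area above is at or past the target, so it does not appear in the report at all, which keeps the remediation list to the areas that actually need work.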
IRMCAM™
From “Performed” to “Established”
Clearwater Vision
Clearwater Information Risk Management Capability Advancement Model™ (IRMCAM™) Metrics
“…Facilitating Your Progress Towards Better Quality of Care and Increased Patient Safety Through Mature Information Risk Management…”
Accompanying White Paper
Industry Advisors | Peer Review
• David Finn | Health IT Officer | Symantec
• Meredith Phillips | Chief Information Privacy & Security Officer | HFHS
• Eric Bergen | Independent Consultant
• Sam Homer, Ph.D. | Healthcare Technology Strategist | HCSC
• Kathy Jobes | CISO | Sentara Healthcare
• Ed Schreibman | Vice President of Healthcare Compliance | Expert Global Solutions, Inc.
• Ian Johansson | Corporate Compliance Officer | Aloha Care
• Deborah Schlesinger | Director Corporate Risk Management | SCAN Health Plan
• Adam Greene | Attorney | Davis, Wright and Tremaine
• Matt Hanis | Vice President | Lockton
• Scott Blanchette | CIO | Kindred Healthcare
• Kyle Duke | CIO | TN Division of Health Care Finance & Administration
• Chris Dansie, Ph.D. | Assistant Professor | University of Utah
http://clearwatercompliance.com/thought-leadership/irmcam/
Download Whitepaper
The Five Most Critical Issues Threatening Protected Health Information Today (And What Health Care Professionals Can Do About Them)
https://clearwatercompliance.com/thought-leadership/white-papers/
Clearwater HIPAA Compliance and Information Risk Management BootCamp™
Take Your HIPAA Privacy and Security Program to a Better Place, Faster …
Earn up to 10.8 CPE Credits!
http://clearwatercompliance.com/bootcamps/
Designed for busy professionals, the Clearwater Information Risk Management BootCamp™ distills into one action-packed day, the critical information you need to know about the HIPAA Privacy and Security Final Rules and the HITECH Breach Notification Rule.
Join us for our next virtual, web-based event…Three, 3hr sessions:
• November 5th, 12th, 19th 2015
Other Upcoming Clearwater Events
• Complimentary Webinar: How to Develop Your HIPAA HITECH Policies and Procedures, 10/15/2015
• Complimentary Webinar: The Critical Difference: HIPAA Security Evaluation v. HIPAA Security Risk Analysis, 10/22/2015
• Complimentary Webinar: HIPAA-HITECH 101, 10/29/2015
• Virtual HIPAA Compliance Program BootCamp™, 11/5, 11/12, 11/19
Visit ClearwaterCompliance.com for more info!
Resources
Register For Upcoming Live HIPAA-HITECH Webinars at:
https://clearwatercompliance.com/webinars/
Final Thoughts
• Privacy, Security and Compliance Risk Management is a Business/Board Issue
• It Needs to Be Addressed Both Bottom Up and Top Down
• Alignment Between Business Strategy and Information Risk Management Must Be Achieved
• An IRMCAM™ Assessment Is a Great Place to Start the Discussion – Little League? Minor League? Major League?
Contact
Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US
http://[email protected]
Phone: 800-704-3394 or 615-656-4299
Clearwater Compliance LLC
Exit Survey, Please
Why Clearwater
Clearwater Compliance – A Better, Brighter Idea!
• Highly Reference-able Hospital / Health System Customer Base, with Exclusive AHA Endorsement
• Commercially Competitive Professional Services Fees
• Proven Experience in Large Complex Healthcare Environments
• Independent, Objective Advisory Services with No Vendor Ties
• Deep Experience with 35+ Organizations Audited by OCR, CMS & OIG
• Business Risk Management Focus While Achieving Regulatory Compliance
• Seasoned, Credentialed Professionals in Healthcare Privacy, Security, Compliance & Information Risk Management
• Significant Post-Breach Experience and Partner Network
As Seen In…
AHA Has Completed Your Due Diligence For You!
Health Care Information Privacy, Security, Compliance and Risk Management Solutions from Clearwater Compliance LLC have earned the exclusive endorsement of the American Hospital Association.
“In line with our mission to foster operational excellence in hospitals and health care systems, we collaborate with hospital leaders to identify key challenges the health care field faces. After conducting the proprietary AHA Signature Due Diligence Process™, we award the exclusive AHA Endorsement to the solution that stands out from other candidates in best enabling hospitals to surmount an operational challenge.” - AHA
Exclusive Endorsement
WWW.CLEARWATERCOMPLIANCE.COM
(800) 704-3394
http://www.linkedin.com/in/bobchaput/
@clearwaterhipaa
ClearwaterCompliance
Clearwater Compliance