
Page 1

© Clearwater Compliance | All Rights Reserved

1

Legal Disclaimer

The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

Page 2

July 7, 2016

How to Conduct NIST-based Risk Assessment to Comply with HIPAA & Other Regulations

Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US
615-656-4299 or [email protected]
Clearwater Compliance LLC

Page 3

Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US

• CEO & Founder – Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates, Financial Services, Retail, Legal
• Member: ACAP, CHIME/AEHIS, CAHP, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA

http://www.linkedin.com/in/BobChaput

Page 4

Three IRM Agenda Items I Feel Deeply Inspired By…

• Tactically: Assist in Establishing, Implementing and Maturing IRM Program
• Operationally: Assist in Completing Bona Fide, Comprehensive Risk Analysis and Risk Response
• Strategically: Assist in Making IRM a Meaningful C-Suite / Board Agenda Item

Page 5

Our Passion

We’re excited about what we do because…

…we’re helping organizations improve patient safety and the quality of care by safeguarding the very personal and private healthcare information of millions of fellow Americans…

… And, keeping those same organizations off the Wall of Shame…!

Page 6

Awards and Recognition

2015 & 2016

Exclusive

Industry Resource Provider

Software Used by NSA/CAEs

Sole Source Provider

#11 – 2015 & 2016

Page 7

We are not attorneys! Ensure Competent Counsel

The Omnibus has arrived! Welcome Aboard, BAs!

Lots of different interpretations! Please, Ask Lots of Questions!

But FIRST!

Page 8

Questions Provided in Advance

1. I’ve heard you say “bona fide risk analysis” many times in the past. Why?
2. Can you explain the difference between risk analysis and risk assessment, which I often hear?
3. If my organization needs to meet PCI DSS and HIPAA risk assessment requirements, can I approach this using the same method?
4. What are my chances of being audited by OCR? I really believe that’s low risk?
5. If I am audited by OCR, what will they request as proof that I am doing bona fide risk assessments?
6. Do our business associates have to do risk assessments with the same level of rigor?
7. We completed technical testing (pen testing, vulnerability scans, etc.); can you tell me one more time why this is not acceptable as a risk assessment?
8. Why can’t we just load up on cyber liability insurance and not worry about this stuff? We’re trying to serve patients not become IT security gurus!
9. If we become HITRUST Certified, will that meet all our HIPAA and security requirements?

Page 9

Pause and Quick Poll

What type of organization do you represent?

• Hospital / Health System
• BA
• Hybrid
• Don’t Know
• Other CE

Page 10

Clearwater Supports the NIST Approach

Framework + Maturity Model + Process

NIST SP800-39

IRM|Maturity™
IRM|Pro™
IRM|Capability™

Page 11

Clearwater Information Risk Management Life Cycle¹

¹ Adopted from NIST SP800-39-final_Managing Information Security Risk

Page 12

Learning Outcomes… Attendees Will Be Able To:

• Describe the fundamentals of Information Risk Management
• Define fundamental risk terminology – assets, threats, vulnerabilities, controls, etc.
• Explain why risk analysis is a core foundational step and describe the key steps
• Cite general regulatory requirements for ongoing risk assessments
• Describe how/when the new Civil Money Penalty System may be applied if risk assessments are not performed
• Explain the difference between compliance and security

Resources will be provided at the end of the session and all registrants will receive a copy of all slide materials & the recorded webinar

Page 13

Discussion Flow

1. Problem
2. NIST-Based Risk Assessment
3. Resources

Clearwater Information Risk Management Life Cycle

Page 14

The Challenge At Hand, Then…

1. Few organizations are doing it properly
   1. 68% of 2012 OCR Phase I Audits Failed Risk Analysis (80% of Providers)
   2. 68% of 37 OCR Resolution Agreements / CAPs Cite Failed Risk Analyses
2. There’s a general lack of executive engagement
   1. Current state: Tactical – Technical – Spot-Welding
   2. Future state: Strategic – Business – Architectural
3. It’s not just a HIPAA or SOX or PCI or GLBA or FERPA enforceable compliance requirement…with big penalties…
   1. It’s a Patient Safety / Quality of Care / customer experience issue
   2. Cyber / Privacy risks “bleeding into” medical malpractice
4. There’s a Failure to Appreciate that Risk Assessments are a Basic Foundational Step
   1. Few people understand risk; even many of the CISSPs
   2. SecOps : Risk Analysts :: Accountants : Financial Analysts

Governance | People | Process | Technology | Maturity

Page 15

And, then there were 37…

Page 16

The Risk Problem We’re Trying to Solve

Don’t Compromise C-I-A!

What if my Sensitive Information is not complete, up-to-date and accurate?

What if my Sensitive Information is shared? With whom? How?

What if my Sensitive Information is not there when it is needed? (AVAILABILITY)

ePHI, PII, PCI Data, MNPI, Trade Secrets, Business Plans, Software Code, Etc.

Page 17

To Solve the Problem

1. What is our exposure of our information assets (e.g., ePHI)? (Risk Assessment)

2. What decisions do we need to make to treat or manage risks? (Risk Response)

Both Are Required in Federal Regulations AND As the Basis for any Respectable Information Security Program in Any Industry!

Page 18

Pause and Quick Poll

At this time in our webinar, do you believe your organization has completed a comprehensive “risk assessment” and produced a documented Information Risk Register that will meet OCR requirements?

Page 19

Discussion Flow

1. Problem
2. NIST-Based Risk Assessment
3. Resources

Clearwater Information Risk Management Life Cycle

Page 20

Lots of Good Assessments, Only One Bona Fide Risk Analysis!

• External Security Assessment
• Architecture Assessment
• Internal Security Assessment
• Security Rule Compliance Assessment
• Wireless LAN Security Validation
• Information Security Program Assessment
• Meaningful Use EHR Technical Controls Assessment
• Social Engineering Assessment
• OWASP Web Application Assessments
• NIST CSF Current Profile Assessment
• 10-Point Tactical HIPAA and Cyber Risk Management Assessment
• Strategic Enterprise IRM Program Maturity Assessment
• ETC…

Today’s Focus: Bona Fide, Comprehensive Risk Analysis Required at 45 CFR §164.308(a)(1)(ii)(A) MEANS OCR Guidance and NIST SP800-30!

Page 21

Recent OCR Follow Up We’ve Seen

“OCR has determined that the risk analysis submitted by your organization as part of its recent response does not meet the requirement set forth at 45 CFR §164.308(a)(1)(ii)(A). Please review OCR’s guidance on the Security Rule’s risk analysis requirement located at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalintro.html. For additional information, you may also wish to consult the National Institute of Standards and Technology’s SP 800-30 Rev. 1 “Guide for Conducting Risk Assessments,” located at http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf”

Recommend You Follow OCR Guidance and NIST SP800-30

Page 22

HIPAA and OCR Require Tier 3 “Information Systems” Risk Management¹

¹ NIST SP800-39-final_Managing Information Security Risk

Page 23

“Parlez-vous Risk?”

[Figure: relationship diagram among Owners, Assets, Controls & Safeguards, Threat Sources, Threats, Vulnerabilities and Risks]

• Owners value Assets and wish to minimize Risks; they implement Controls & Safeguards to reduce Risks.
• Controls & Safeguards may possess Vulnerabilities that exist in protecting Assets.
• Threat Sources (Adversarial, Accidental, Structural, Environmental) may be aware of Vulnerabilities and wish to or may abuse, harm and / or damage Assets.
• Threat Sources give rise to Threats that exploit Vulnerabilities, leading to Risks to Assets.
• Vulnerabilities increase Risks; Risks may be reduced by Controls & Safeguards.

Page 24

Key Steps in NIST SP800-30-Based Risk Assessment¹

1. Include all Sensitive Information in Scope of the Analysis
2. Collect and Document Data About All Information Assets
3. Identify and Document Potential Threats and Vulnerabilities
4. Assess Current Security Measures
5. Determine the Likelihood of Threat Occurrence
6. Determine the Potential Impact of Threat Occurrence
7. Determine the Level of Risk
8. Finalize Documentation
9. Periodically Review and Update the Risk Assessment

¹ http://clearwatercompliance.com/wp-content/uploads/SP800-30-Rev1_Guide_for_Conducting_Risk_Assessments_09-2012.pdf

Page 25

1. & 2. Scope and Collect Data

Think: Information Asset Inventory

Page 26

Asset Inventory List

Where is all the ePHI?

Page 27

Asset Inventory List

Seriously! …Where? How Much? What for? Who owns? Etc.

Page 28

3. Identify Threats & Vulnerabilities

Think: Threat Sources, Threat Actions, Weaknesses

Page 29

Identify Threat Sources, Threat Actions and Vulnerabilities

Threat Sources

Threat Actions

Vulnerabilities

Much to Consider

Page 30

4. Assess Current Security Measures

Think: Safeguards, Countermeasures Already in Place

Page 31

Controls Help Address Vulnerabilities

Information Asset
• Laptop with ePHI

Threat Source
• Burglar who may steal Laptop with ePHI

Threat Action
• Steal Laptop

Vulnerabilities
• Device is portable
• Weak password
• ePHI is not encrypted
• ePHI is not backed up

Controls
• Policies & Procedures
• Training & Awareness
• Cable lock down
• Strong passwords
• Encryption
• Remote wipe
• Data Backup

Page 32

Assess Security Controls In Place

Detailed Analysis and Cross Walk

What controls do you have in place?

Page 33

What A Risk Analysis Process Looks Like…

Page 34

5. & 6. Determine Likelihood & Impact

Think: Probability of Bad Thing Happening and, were it to happen, Impact

Page 35

Likelihood

Chance that bad thing will happen?

Page 36

Impact

Harm or loss if bad thing happens?

Page 37

Determine Likelihood and Impact

Asset  | Threat Source / Action     | Vulnerability       | Likelihood | Impact
Laptop | Burglar steals laptop      | No encryption       | High (5)   | High (5)
Laptop | Burglar steals laptop      | Weak passwords      | High (5)   | High (5)
Laptop | Burglar steals laptop      | No tracking         | High (5)   | High (5)
Laptop | Shoulder Surfer views      | No privacy screen   | Low (1)    | Medium (3)
Laptop | Careless User Drops        | No data backup      | Medium (3) | High (5)
Laptop | Lightning Strike hits home | No surge protection | Low (1)    | High (5)
etc.

Page 38

7. Determine Level of Risk

Think: Probability of Bad Thing Happening and, were it to happen, Impact

Page 39

Determine Level of Risk

Asset  | Threat Source / Action | Vulnerability       | Likelihood | Impact     | Risk Level
Laptop | Burglar steals laptop  | No encryption       | High (5)   | High (5)   | 25
Laptop | Burglar steals laptop  | Weak passwords      | High (5)   | High (5)   | 25
Laptop | Burglar steals laptop  | No tracking         | High (5)   | High (5)   | 25
Laptop | Shoulder Surfer views  | No privacy screen   | Low (1)    | Medium (3) | 3
Laptop | Careless User Drops    | No data backup      | Medium (3) | High (5)   | 15
Laptop | Lightning Strike       | No surge protection | Low (1)    | High (5)   | 5
etc.

Page 40

Really?

You Must Get Specific on Media, Threat Sources, Threat Actions, Vulnerabilities, etc.

Page 41

Establishing a Risk Value

Considering asset/media, threat, vulnerability & controls…

Page 42

Establishing a Risk Value

Think Likelihood * Impact

Likelihood
Rank | Description    | Example
0    | Not Applicable | Will never happen
1    | Rare           | May happen once every 10 years
2    | Unlikely       | May happen once every 3 years
3    | Moderate       | May happen once every 1 year
4    | Likely         | May happen once every month
5    | Almost Certain | May happen once every week

Impact
Rank | Description    | Example
0    | Not Applicable | Does not apply
1    | Insignificant  | Not reportable; Remediate within 1 hour
2    | Minor          | Not reportable; Remediate within 1 business day
3    | Moderate       | Not reportable; Remediate within 5 business days
4    | Major          | Reportable; Less than 500 records compromised
5    | Disastrous     | Reportable; Greater than 500 records compromised

Risk Level (Likelihood * Impact)
• Critical = 25
• High = 15-24
• Medium = 8-14
• Low = 0-7

Page 43

Risk Appetite a.k.a. Risk Threshold

“Risk appetite is the level of risk that organizations are willing to accept in pursuit of strategic goals and objectives.”¹

[Figure: Likelihood * Impact heat map with scale 0, 5, 10, 15, 20, 25 and bands LOW, MEDIUM, HIGH, CRITICAL]

Our Risk Appetite or Threshold is 10. We Will (Initially) Accept All Risks Below 10. We Will Avoid, Mitigate and/or Transfer All Risks 10 or Above.

Page 44

Example: Risk Threshold Set at 10

Generally, Avoid, Mitigate or Transfer

Generally, Accept
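As an added worked example (not code from the Clearwater deck or from IRM|Analysis™), the Python below carries steps 5 through 7 of the key-steps slide through the deck's own laptop rows: it multiplies the likelihood and impact ranks, assigns the Critical/High/Medium/Low bands from the "Establishing a Risk Value" slide, applies the risk threshold of 10 from the Risk Appetite slide to sort each row into Accept versus Avoid/Mitigate/Transfer, and enumerates which heat-map cells sit at or above that threshold. Function and field names are this example's own.

```python
# Added example: risk register scoring using the deck's scales, bands and
# threshold. Row data is copied from the "Determine Level of Risk" slide;
# the function and field names are this example's own, not the deck's.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Rank scales from the "Establishing a Risk Value" slide (0-5 each).
LIKELIHOOD_SCALE: Dict[int, str] = {
    0: "Not Applicable", 1: "Rare", 2: "Unlikely",
    3: "Moderate", 4: "Likely", 5: "Almost Certain",
}
IMPACT_SCALE: Dict[int, str] = {
    0: "Not Applicable", 1: "Insignificant", 2: "Minor",
    3: "Moderate", 4: "Major", 5: "Disastrous",
}

# Risk bands from the same slide: Critical = 25, High = 15-24,
# Medium = 8-14, Low = 0-7 (every product of two 0-5 ranks lands in one).
RISK_BANDS: List[Tuple[str, int, int]] = [
    ("Critical", 25, 25),
    ("High", 15, 24),
    ("Medium", 8, 14),
    ("Low", 0, 7),
]

DEFAULT_THRESHOLD = 10  # the deck's example risk appetite / threshold


@dataclass(frozen=True)
class RiskItem:
    """One register row: the asset / threat / vulnerability triple."""
    asset: str
    threat: str          # threat source / action
    vulnerability: str
    likelihood: int      # rank 0-5
    impact: int          # rank 0-5


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood * Impact, rejecting ranks outside the 0-5 scales."""
    if likelihood not in LIKELIHOOD_SCALE or impact not in IMPACT_SCALE:
        raise ValueError(f"ranks must be 0-5, got {likelihood}, {impact}")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a 0-25 score to the deck's Critical/High/Medium/Low band."""
    for name, low, high in RISK_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is outside 0-25")


def risk_response(score: int, threshold: int = DEFAULT_THRESHOLD) -> str:
    """Accept below the threshold; treat everything at or above it."""
    return "Accept" if score < threshold else "Avoid / Mitigate / Transfer"


def build_register(items: List[RiskItem],
                   threshold: int = DEFAULT_THRESHOLD) -> List[dict]:
    """Score every row and return the register sorted highest risk first."""
    rows = []
    for it in items:
        score = risk_score(it.likelihood, it.impact)
        rows.append({
            "asset": it.asset,
            "threat": it.threat,
            "vulnerability": it.vulnerability,
            "likelihood": f"{LIKELIHOOD_SCALE[it.likelihood]} ({it.likelihood})",
            "impact": f"{IMPACT_SCALE[it.impact]} ({it.impact})",
            "risk": score,
            "band": risk_band(score),
            "response": risk_response(score, threshold),
        })
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


def heat_map(threshold: int = DEFAULT_THRESHOLD) -> Dict[Tuple[int, int], tuple]:
    """Each (likelihood, impact) cell of the 1-5 grid: (score, band, treat?)."""
    return {
        (l, i): (l * i, risk_band(l * i), l * i >= threshold)
        for l in range(1, 6) for i in range(1, 6)
    }


# Rows from the deck's laptop example (constructed from the slide table).
LAPTOP_REGISTER = [
    RiskItem("Laptop", "Burglar steals laptop", "No encryption", 5, 5),
    RiskItem("Laptop", "Burglar steals laptop", "Weak passwords", 5, 5),
    RiskItem("Laptop", "Burglar steals laptop", "No tracking", 5, 5),
    RiskItem("Laptop", "Shoulder surfer views", "No privacy screen", 1, 3),
    RiskItem("Laptop", "Careless user drops", "No data backup", 3, 5),
    RiskItem("Laptop", "Lightning strike", "No surge protection", 1, 5),
]

if __name__ == "__main__":
    for row in build_register(LAPTOP_REGISTER):
        print(f"{row['risk']:>2} {row['band']:<8} {row['response']:<26} "
              f"{row['threat']} / {row['vulnerability']}")
```

With the threshold at 10, the three 25s and the 15 land in the treat column and the 5 and 3 are accepted, matching the two labels on the slide.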

Page 45

8. Finalize Documentation

Think: Best Basis for Decision Making & Report Package for Auditors

Page 46

Asset Inventory Report

Show that you know where all the ePHI lives!

Page 47

Risk Analysis Method - HHS OCR Guidance on Risk Analysis

• Scope of the Analysis – all ePHI must be included in risk analysis
• Data Collection – it must be documented
• Identify and Document Potential Threats and Vulnerabilities
• Assess Current Security Measures
• Determine the Likelihood of Threat Occurrence
• Determine the Impact of Threat Occurrence
• Determine the Level of Risk

The System Enables:
• Finalize Documentation
• Periodic Review and Updates

Show your work!

Page 48

What A Risk Analysis Report Looks Like… Show you’ve identified all risks!

Generally, Avoid, Mitigate or Transfer

Generally, Accept

Page 49

Risk Assessment Fundamentals

• Must be possible to have loss or harm in order to have risk
• Must have asset-threat-vulnerability to have risk
• Risk is a likelihood issue
• Risk is an impact issue
• Risk is a derived value (like speed is a derived value = distance / time)
• Fundamental nature of Risk is universal
• Critical Output: Risk Register

Page 50

9. Periodic Review & Updates to RA

Think: Journey, Not Destination

… Not a Once and Done!

Page 51

Ongoing, Mature Business Process

Show your Ongoing Effort!

Page 52

Pause and Quick Poll

On second thought, has your organization completed a comprehensive “risk assessment” and produced a documented Information Risk Register that will meet OCR requirements?

Page 53

Discussion Flow

1. Problem
2. NIST-Based Risk Assessment
3. Resources

Clearwater Information Risk Management Life Cycle

Page 54

Complimentary HIPAA Risk Analysis Review

https://clearwatercompliance.com/hipaa-risk-analysis-review/

Page 55

IRM | Analysis™ Software

Our unique risk analysis software¹ solution facilitates the WorkShop™ and allows your organization to be as self-sufficient as you choose! … And, to operationalize your Information Risk Management Program

• Insight – Understand significant threats and vulnerabilities
• Controls – Determine if you have the right controls in place
• Risk Rating – View critical risks on intuitive dashboards and reports
• Manage Complexity – Automate the management of risk information across complex enterprises
• Plan and Evaluate – Plan a course of action to reduce critical risks
• Implementation – Manage the implementation of effective safeguards

¹ Guided Tour of IRM|Analysis™ – the Clearwater Risk Analysis Software

30-Day Free Trial!

Page 56

Clearwater WorkShop™ Process

Proven Methodology, Continuously Improved Over Years
• Overall Program Management
• Used for Both Risk Analyses and Compliance Gap Assessments (Security, Privacy & Breach Notification)
• Leverages Basecamp Project Management tool for secure collaboration and communication
• Methodology ensures consistency of approach across all work streams in the engagement
• Leverages IRM|Pro™ Software Suite
• Major deliverables from each WorkShop™
  • Fully-Provisioned Software with analysis / assessment results
  • Trained Team in methodology and software
  • Findings, Observations & Recommendations

01 Preparation (t-4)
• Plan / Gather / Schedule
• Gather / Review Documentation
• Provide SaaS Subscription/Train
• Administer Surveys

02 Onsite Discovery/Assessment (t=0)
• Facilitate & Discover
• Educate & Equip
• Interview & Document
• Gather & Populate SaaS

03 Reports / Written Report (t+2)
• Analyze Findings
• Document Observations
• Develop Recommendations
• Present and Sign Off

Page 57

Key Resources
• Sample - HIPAA Security Risk Analysis FOR Report
• Guidance on Risk Analysis Requirements under the HIPAA Security Rule
• NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments
• NIST SP800-39-final_Managing Information Security Risk
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

Additional Resources
• NIST SP800_53_r4_Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP800-53A, Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
• NIST SP800-115 Technical Guide to Information Security Testing and Assessment
• NIST SP800-34 Contingency Planning Guide for Federal Information Systems
• MU Stage 2 Hospital Core 7 Protect Electronic Health Info 2012-11-05
• NIST Risk Management Framework 2009

Page 58

Download Whitepaper

30-Minute Guide to Hiring The Best Risk Analysis Company | What to Look for in a HIPAA Risk Analysis Company & Solution

https://clearwatercompliance.com/industry-insights/white-papers/

Page 59

Download Whitepaper

Harnessing the Power of NIST: Your Practical Guide to Effective Information Risk Management

https://clearwatercompliance.com/thought-leadership/white-papers/harnessing-the-power-of-the-nist-framework/

Page 60

Educational Resources

Page 61

Other Upcoming Clearwater Events

Visit ClearwaterCompliance.com for more info!

• July 14, 2016 – Complimentary Webinar: OCR’s Phase 2 Audits and How Best to Prepare
• July 21, 2016 – Complimentary Webinar: The Critical Difference: HIPAA Security Evaluation v HIPAA Security Risk Analysis
• July 28, 2016 – Complimentary Webinar: HIPAA 101
• August 3, 2016 – Complimentary Webinar: How to Adopt the NIST Cybersecurity Framework

Page 62

AHA Solutions Signature Learning Series™

Register Now: http://ow.ly/b0cX301LkDb

OCR’s Phase 2 HIPAA Security Audits and How Best to Prepare

Learn how to prepare for Phase 2 OCR audits — direct from experts on OCR audit preparedness and a former OCR HIPAA investigator.

This webinar is only available to AHA members.

Virtual Web Based Training, Wednesday, July 27th, 2016, 12:00-1:00 CDT

Page 63

Clearwater HIPAA and Cybersecurity BootCamp™

Take Your HIPAA Privacy and Security Program to a Better Place, Faster …

Earn up to 10.8 CPE Credits!

http://clearwatercompliance.com/bootcamps/

Designed for busy professionals, the Clearwater HIPAA and Cybersecurity BootCamp™ distills into one action-packed day the critical information you need to know about the HIPAA Privacy and Security Final Rules and the HITECH Breach Notification Rule.

Join us for our next virtual, web-based events… Three 3-hour sessions:

• August 4th, 11th, 18th – 2016
• November 3rd, 10th, 17th – 2016
• February 9th, 16th, 23rd – 2017
• May 4th, 11th, 18th – 2017

Page 64

Key Points to Remember

1. Few organizations are doing it properly
   1. 68% of 2012 OCR Phase I Audits Failed Risk Analysis (80% of Providers)
   2. 68% of 37 OCR Resolution Agreements / CAPs Cite Failed Risk Analyses
2. There’s a general lack of executive engagement
   1. Current state: Tactical – Technical – Spot-Welding
   2. Future state: Strategic – Business – Architectural
3. It’s not just a HIPAA or SOX or PCI or GLBA or FERPA enforceable compliance requirement…with big penalties…
   1. It’s a Patient Safety / Quality of Care / customer experience issue
   2. Cyber / Privacy risks “bleeding into” medical malpractice
4. There’s a Failure to Appreciate that Risk Assessments are a Basic Foundational Step
   1. Few people understand risk; even many of the CISSPs
   2. SecOps : Risk Analysts :: Accountants : Financial Analysts

Start By Getting Risk Analysis Right!

Page 65

Questions Provided in Advance

1. I’ve heard you say “bona fide risk analysis” many times in the past. Why?
2. Can you explain the difference between risk analysis and risk assessment, which I often hear?
3. If my organization needs to meet PCI DSS and HIPAA risk assessment requirements, can I approach this using the same method?
4. What are my chances of being audited by OCR? I really believe that’s low risk?
5. If I am audited by OCR, what will they request as proof that I am doing bona fide risk assessments?
6. Do our business associates have to do risk assessments with the same level of rigor?
7. We completed technical testing (pen testing, vulnerability scans, etc.); can you tell me one more time why this is not acceptable as a risk assessment?
8. Why can’t we just load up on cyber liability insurance and not worry about this stuff? We’re trying to serve patients not become IT security gurus!
9. If we become HITRUST Certified, will that meet all our HIPAA and security requirements?

Page 66

Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US

https://www.clearwatercompliance.com

[email protected]

Phone: 800-704-3394 or 615-656-4299

linkedin.com/in/BobChaput

Exit Survey, Please

Page 67

What About HITRUST versus NIST? References / Articles for Your Own Due Diligence

• HITRUST or High Risk? The Health Information Trust Alliance’s Common Security
• An Open Letter to the HITRUST Alliance (Part I) (Part II) (Part III)
• HITRUST Breaches Lay the Welcome Mat for Hackers and Paydirt
• Should Business Associates Be HiTrust Certified?
• HITRUST, CSF and Mandatory Certification
• A Simpler and Better Alternative to the HITRUST Mandate For Third Party Risk Management In Healthcare
• 20+ Due Diligence Questions about the HITRUST Certification
• Research HITRUST Board companies on: HHS Wall of Shame; ProPublica’s HIPAAHelper Privacy Violations, Breaches and Complaints page

We have never seen the OCR ever ask for Security Opinions (e.g., SSAE SOC2) or “HITRUST Certifications”

As of mid-May 2016, HITRUST Alliance Board Members’ ten (10) organizations have 26 listings on the HHS Wall of Shame, with responsibility for 122MM of 156MM records (79%) and 852 mentions on ProPublica’s HIPAAHelper web site for complaints / breaches. Three organizations are in the HIPAAHelper “Top 10”.

Page 68

“It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”

HHS FAQ on 3rd Party Certifications

Are we required to “certify” our organization’s compliance with the standards of the Security Rule?

http://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-required-to-certify-our-organizations-compliance-with-the-standards/index.html

Answer: No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services.

Page 69

Regulatory Requirements

¹ http://www.ecfr.gov/cgi-bin/text-idx?SID=547a457f5304d286d3e9e0b241b76848&mc=true&node=se45.1.164_1308&rgn=div8
² https://clearwatercompliance.com/wp-content/uploads/2014/11/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf
³ http://ithandbook.ffiec.gov/it-booklets/information-security/introduction/coordination-with-glba-section-501%28b%29.aspx#cite-ref-0-0

Page 70

Risk Analysis §164.308(a)(1)(ii)(A): (Required) Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information

2012

Inquire of management if formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI.

Evidence of risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity's environment.

Determine if the covered entity risk assessment has been conducted on a periodic basis. Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.

2016

Does the entity have policies and procedures in place regarding a risk management process sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level?

Has the entity implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level?

Obtain and review policies and procedures related to risk management. Evaluate and determine if the documents identify how risk will be managed, what is considered an acceptable level of risk based on management approval, the frequency of reviewing ongoing risks, and identify workforce members’ roles in the risk management process.

Obtain and review documentation demonstrating the security measures implemented and/or in the process of being implemented as a result of the risk analysis or assessment.

Evaluate and determine whether the implemented security measures appropriately respond to the threats and vulnerabilities identified in the risk analysis according to the risk rating and that such security measures are sufficient to mitigate or remediate identified risks to an acceptable level.

Page 71

Security Management Process - Risk Management

§164.308(a)(1)(ii)(B): (Required) Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with General Requirements

• Does the entity have policies and procedures in place regarding a risk management process sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level?

• Has the entity implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level?

• Obtain and review policies and procedures related to risk management. Evaluate and determine if the documents identify how risk will be managed, what is considered an acceptable level of risk based on management approval, the frequency of reviewing ongoing risks, and identify workforce members’ roles in the risk management process.

• Obtain and review documentation demonstrating the security measures implemented and/or in the process of being implemented as a result of the risk analysis or assessment.

• Evaluate and determine whether the implemented security measures appropriately respond to the threats and vulnerabilities identified in the risk analysis according to the risk rating and that such security measures are sufficient to mitigate or remediate identified risks to an acceptable level.

Page 72

WWW.CLEARWATERCOMPLIANCE.COM

(800) 704-3394 http://www.linkedin.com/in/bobchaput/

@clearwaterhipaa

ClearwaterCompliance

Clearwater Compliance