
Page 1: Legal Disclaimer Copyright Notice


Legal Disclaimer

Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

© Clearwater Compliance | All Rights Reserved

Page 2

Solving Healthcare IT’s & Digital Health’s Cybersecurity & HIPAA Compliance Dilemma

Steve Cagle, CEO

Jon Moore, SVP, Consulting & Chief Risk Officer

January 21, 2021

Page 3

Webinar Logistics

Slide materials – Link will be in the chat box

All attendees are in “Listen Only Mode”

Please ask content related questions in “Q&A”

In the event of technical issues, check “Chat”

Please complete the Exit Survey when you leave the webinar

Recorded version, final slides, & Certificate of Attendance will be shared with you within 48 hours

Page 4

Today’s Presenters

Steve Cagle, Chief Executive Officer

• Former CEO for Moberg Pharma North America

• Former CEO of Alterna LLC

• Former Executive at Sparta Systems, Inc.

• 20+ years B2B software & professional services, pharmaceuticals

Jon Moore, MS, JD, HCISPP, Chief Risk Officer & SVP, Consulting Services

• 25+ Years Executive Leadership, Technology Consulting and Law

• 14+ Years Data Privacy & Security

• 10+ Years Healthcare

• Former PwC Federal Healthcare Leadership Team

• Former IT Operational Leader PwC Federal Practice

• BA Economics Haverford College, MS E-Commerce Carnegie Mellon University, JD Dickinson Law Penn State University, HCISPP

• Speaker and Published Author on Security, Privacy, IT Strategy and Impact of Emerging Technologies

Page 5

Introduction to Clearwater

Leading provider of cyber risk management and HIPAA compliance software and solutions for healthcare

Founded in Nashville in 2009, colleagues in 20+ states, growing rapidly

Portfolio company of Altaris Capital Partners, a healthcare PE firm with $5B under management

Approximately 400 customers, including 70 IDNs, many with multi-year enterprise programs

100% success rate when deliverables submitted to the Office For Civil Rights (OCR)

Page 6

Healthcare Technology Trends

• Pandemic further accelerated healthcare digital transformation

• Digital Health Market Value to Reach $511 Billion by 2026¹

• 2020 VC funding +66% over 2019, with a record $14.8 Billion raised globally²

• Healthcare data to grow at a compounded annual growth rate (CAGR) of 36% through 2025³

• Increasing risks to the confidentiality, integrity and availability (CIA) of ePHI

¹ "Digital Health Market (By Technology - Telehealth, Apps, Health Analytics, mHealth, Digital Health Systems, Market By Components - Hardware, Software, Services) - Global Industry Size, Share, Trends, and Forecast 2018-2026". Acumen Research and Consulting. Nov 12, 2019.

² Mercom Capital Q4 and Annual 2020 Digital Health (Healthcare IT) Funding and M&A Report

³ Big Data to See Explosive Growth, Challenging Healthcare Organizations. Health IT Analytics. December 3, 2018.

Page 7

Healthcare Industry Cybersecurity Trends

Since November, the healthcare industry has experienced a 45% increase in cyber attacks.

Average cost of a US healthcare breach: $7.13M (Ponemon Institute/IBM 2020 Cost of Breach Study)

HHS OCR breach portal: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Page 8

Increased Third-Party Risk for Covered Entities

56% of surveyed healthcare organizations said they had one or more third-party data breaches within the last two years.¹

¹ According to an independent report from Ponemon Institute, entitled “The Economic Impact of Third-Party Risk Management in Healthcare”

² U.S. Department of Health and Human Services Office for Civil Rights Breach Portal as of 12/4/20

Page 9

Demands on IT Health Vendors

Healthcare IT & digital health companies must treat HIPAA compliance and cybersecurity as mission-critical capabilities to succeed in today’s healthcare environment. The demands they face:

• Comply with HIPAA

• Win new business

• Maintain business continuity & brand equity

• Meet investors’ requirements

Page 10

Challenges In Meeting Demands

Healthcare IT companies must have mature and scalable HIPAA Compliance and cybersecurity capabilities, however, many:

• Are unsure what is required

• Lack expertise

• Have security gaps

• Don’t have resources

• Are missing tools

• Have limited funds

• Struggle with security questionnaires

Page 11

The Dilemma

How to establish a reasonable and appropriate HIPAA compliance and cybersecurity program that meets regulatory requirements and impresses customers and investors, cost-effectively and without disruption?

Page 12

Solving the Dilemma

To solve the dilemma we first must understand what’s required for success.

Page 13

10 Key Areas of a HIPAA Compliance Program

1. Set a privacy and security risk management & governance program in place (45 CFR § 164.308(a)(1))

2. Develop & implement HIPAA privacy, security, and breach notification policies & procedures (45 CFR §164.530 and 45 CFR §164.316)

3. Train all members of your workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))

4. Complete a HIPAA security risk analysis (45 CFR §164.308(a)(1)(ii)(A))

5. Complete HIPAA security risk management (45 CFR §164.308(a)(1)(ii)(B))

6. Complete a HIPAA security evaluation (e.g. “compliance assessment”) (45 CFR § 164.308(a)(8))

7. Complete technical testing of your environment (45 CFR § 164.308(a)(8))

8. Implement a strong, proactive Business Associate management program (45 CFR §164.502(e) and 45 CFR §164.308(b))

9. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)

10. Document and act upon a remediation plan (45 CFR §164.530(c) and 45 CFR §164.306(a))

Derived from OCR Enforcement Actions. Demonstrate Reasonable Diligence.

Page 14

Cybersecurity & HIPAA Compliance Program Leadership

Security Leadership / CISO is critical in building and executing a mature cybersecurity and HIPAA compliance program.

Page 15

Governance

Policies & Procedures that meet the specific needs of your organization are foundational elements of information risk management.

Page 16

Compliance – HIPAA Requirements

Cycle: Assess, Evaluate, Remediate

Scope:

• HIPAA Security Rule

• HIPAA Privacy Rule

• HIPAA Breach Notification Rule

A non-technical evaluation of compliance with the HIPAA Security Rule is required, and evaluating compliance with the Privacy & Breach Notification Rules is considered a best practice.

Page 17

Risk Management

Cycle: Frame, Assess, Respond, Monitor (NIST Special Publication 800-30 Rev. 1)

Risk Analysis and Risk Management lead to better-targeted investment in your organization’s cybersecurity program and solve one of the largest compliance risks.

Page 18

Security Engineering & Application Security

Domains: Network Security, Application Security, Cloud Security

Application Security

Designing and implementing security into your products will be critical to your customers and will support sales efforts, especially if your products receive or transmit ePHI.

Page 19

Technical Testing

Activities: Penetration Testing, Vulnerability Scanning, Social Engineering (Phishing)

Periodically validating that controls close vulnerabilities is not only required by HIPAA, but also necessary to ensure your security safeguards are implemented appropriately and reduce risk.

Page 20

Emergency Operations & Incident Management

Ensure you are prepared to minimize the impact of incidents and breaches on the organization.

Page 21

Traditional Approach & Cost of Building a Program

Expenditures                                          Annual Cost

Staffing
  1. Chief Information Security Officer/VP Security   $150K - $250K
  2. Security Analyst                                  $60K - $80K
  Subtotal Staffing                                    $210K - $330K

Consulting Support
  1. Policy and Procedures support                     $5K - $40K
  2. Technical Testing                                 $15K - $50K
  3. Risk Analysis/Risk Management                     $30K - $50K
  Subtotal Consulting Support                          $50K - $140K

Software
  1. HIPAA and Security Awareness Training             $1K - $5K
  2. Other Security Tools                              $20K - $100K
  Subtotal Software                                    $21K - $105K

Total                                                  $281K - $575K

Page 22

Solving the Dilemma

Goals:

• Better

• Easier

• Less Expensive

Page 23

ClearAdvantage® | Solution to the Cybersecurity & HIPAA Compliance Program Dilemma

Together with our Healthcare Technology customers, Clearwater designs, implements and operationalizes a cybersecurity and HIPAA compliance program that is:

• Reasonable and appropriate for your unique organization

• Aligned with and facilitates your business’s strategic goals and objectives

• Far less expensive than if you build it yourself

The ClearAdvantage Program is executed over a three-year period, and aligned to each customer’s strategic objectives, priorities and resources.

Page 24

Benefits of Clearwater’s ClearAdvantage® Program

• Mature, best-in-class, Cyber Risk Management and HIPAA Compliance program that scales with your business

• Standards-based strategic cybersecurity roadmap that aligns with your growth objectives

• Reduced HIPAA compliance risks and potential penalties

• Critical information for executive-level cyber risk-based decisions

• Broad and deep expertise of Clearwater’s full consulting team

• Included IRM|Pro® Security, Privacy, and Risk Management Software subscription*

• 2-4x ROI over traditional approach to building a program

• Your organization distinguished as a leader in keeping protected health information secure

* Modules vary by program level.

IRM|Pro® Software

Expert Consultants

Proven Methodology

Page 25

ClearAdvantage® Framework

People: On-demand SMEs; vCISO/vCPO/Program Leader; Program Manager

Functional Areas of Support:

• Security Engineering (Cloud | On-Prem): Identity & Access Management, Application Security, Host & Network Security, Info Asset Security

• Security Operations

• Emergency Operations & Incident Management

• Program Management

• Governance, Risk & Compliance

• Personal & External Relationships

Software: IRM|Pro; Media Pro; PnP Toolkit; Project Management; Secure File Transfer and Repository

Page 26

How It Works – Illustrative Project Timeline

(Timeline figure spanning Year 1, Year 2 and Year 3; only the activity labels are recoverable.)

Tracks shown: Program Leadership (vCISO, vCPO); Program Management; Governance; Policies & Procedures; Vendor Risk Management

Repeated each year (Years 1–3): Strategic Roadmap; Workforce Training; Risk Analysis; Risk Mgmt; HIPAA Security Assessment; HIPAA Privacy & Breach Assessment

Recurring throughout each year: Tech Testing; Quarterly Briefings

Page 27

Case Study – Pre-revenue Health IT Startup

Challenge

• HIT company was launching a healthcare technology platform targeted at large health systems.

• Platform requires access to extensive amounts of ePHI from its customers.

• Needed to address security requirements of large prospective customers.

• Lack of adequate security and compliance expertise was holding up their sales pipeline.

Solution

• Clearwater’s ClearAdvantage program rapidly stood up a HIPAA Compliance and Risk Management program.

• Clearwater assisted the Customer in migrating their platform to an AWS environment and implemented security controls relevant to customers’ security requirements.

• Clearwater’s vCISO assisted with responses to customer security evaluations.

Value Achieved

• The company was able to win the business of marquee customers as a result of their ability to demonstrate strong cybersecurity and compliance with HIPAA.

• Fully managed service allows the customer to focus on business development and product delivery.

Page 28

Actions You Can Take Now

• Identify and communicate to leadership how your cybersecurity and HIPAA compliance capabilities directly relate to your organization’s ability to achieve its strategic goals and objectives

• Consider what the impact of a breach or ransomware attack would be on the organization, and what it would mean in financial losses and in lost value

• Define your vision for your cybersecurity and HIPAA Compliance, and determine where key gaps or inefficiencies exist

• Consider various approaches to achieving your vision (e.g., build, outsource)

• Complete Clearwater’s free risk analysis self review

• Visit Clearwater’s Knowledge Center to access free resources

• Schedule a free consultation with our team to discuss your needs and objectives

Page 29

Recommended Resources

White Papers

• 10 Ways Business Associates Can Turn Their HIPAA Compliance and Cybersecurity Program Into a Competitive Advantage

• From Risk Analysis to Risk Reduction: A Step-by-Step Approach

• Let the Buyer Beware: The Need for HIPAA Risk Analysis in Healthcare M&A Transaction

Webinars

• 10 Key Elements to Effective HIPAA Compliance & Cyber Risk Management

• How Tech Leaders Are Helping Secure Healthcare’s Digital Transformation (featuring Uber Health and Digital Reasoning)

OCR – HHS

• Direct liability of Business Associate – OCR Fact Sheet

Additional Resources

• ClearAdvantage Program for Health IT & Digital Health Companies

Page 31

Clearwater Insights…

Available in digital & paperback.

Audio book coming soon!

https://www.clearwatercompliance.com/stopthecyberbleeding

Page 32

Thank You & Questions

Please take a moment to complete the short survey when you leave the session.

We appreciate and use your feedback!

Steve [email protected]

Jon Moore [email protected]

Page 33

www.ClearwaterCompliance.com

800.704.3394

LinkedIn | linkedin.com/company/clearwater-compliance-llc/

Twitter | @clearwaterhipaa