Legal Disclaimer
Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.
Copyright Notice
All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
© Clearwater Compliance | All Rights Reserved
Solving Healthcare IT’s & Digital Health’s Cybersecurity & HIPAA Compliance Dilemma
Steve Cagle, CEO
Jon Moore, SVP, Consulting & Chief Risk Officer
January 21, 2021
Webinar Logistics
Slide materials – Link will be in the chat box
All attendees are in “Listen Only Mode”
Please ask content related questions in “Q&A”
In the event of technical issues, check “Chat”
Please complete the Exit Survey when you leave the webinar
Recorded version, final slides, & Certificate of Attendance will be shared with you within 48 hours
Today’s Presenters
Steve Cagle, Chief Executive Officer
• Former CEO for Moberg Pharma North America
• Former CEO of Alterna LLC
• Former Executive at Sparta Systems, Inc.
• 20+ years B2B software & professional services, pharmaceuticals
Jon Moore, MS, JD, HCISPP, Chief Risk Officer & SVP, Consulting Services
• 25+ Years Executive Leadership, Technology Consulting and Law
• 14+ Years Data Privacy & Security
• 10+ Years Healthcare
• Former PwC Federal Healthcare Leadership Team
• Former IT Operational Leader PwC Federal Practice
• BA Economics Haverford College, MS E-Commerce Carnegie Mellon University, JD Dickinson Law Penn State University, HCISPP
• Speaker and Published Author on Security, Privacy, IT Strategy and Impact of Emerging Technologies
Introduction to Clearwater
• Leading provider of cyber risk management and HIPAA compliance software and solutions for healthcare
• Founded in Nashville in 2009, colleagues in 20+ states, growing rapidly
• Portfolio company of Altaris Capital Partners, a healthcare PE firm with $5B under management
• Approximately 400 customers, including 70 IDNs, many with multi-year enterprise programs
• 100% success rate when deliverables submitted to the Office For Civil Rights (OCR)
Healthcare Technology Trends
• Pandemic further accelerated healthcare digital transformation
• Digital Health Market Value to Reach $511 Billion by 2026 [1]
• 2020 VC funding +66% over 2019, with a record $14.8 Billion raised globally [2]
• Healthcare data to grow at a compounded annual growth rate (CAGR) of 36% through 2025 [3]
• Increasing risks to the confidentiality, integrity, and availability (CIA) of ePHI
[1] "Digital Health Market (By Technology - Telehealth, Apps, Health Analytics, mHealth, Digital Health Systems, Market By Components - Hardware, Software, Services) - Global Industry Size, Share, Trends, and Forecast 2018-2026". Acumen Research and Consulting. Nov 12, 2019.
[2] Mercom Capital Q4 and Annual 2020 Digital Health (Healthcare IT) Funding and M&A Report.
[3] Big Data to See Explosive Growth, Challenging Healthcare Organizations. Health IT Analytics. December 3, 2018.
Healthcare Industry Cybersecurity Trends
Since November, the healthcare industry has experienced a 45% increase in cyber attacks.
Average cost of a US healthcare breach: $7.13M
Ponemon Institute/IBM 2020 Cost of Breach Study
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Increased Third-Party Risk for Covered Entities
56% of surveyed healthcare organizations said they had one or more third-party data breaches within the last two years.
[1] According to an independent report from Ponemon Institute, entitled “The Economic Impact of Third-Party Risk Management in Healthcare”.
[2] U.S. Department of Health and Human Services Office for Civil Rights Breach Portal as of 12/4/20.
Demands on IT Health Vendors
• Comply with HIPAA
• Win New Business
• Business continuity & brand equity
• Meet investors’ requirements
Healthcare IT & digital health companies must treat HIPAA Compliance and Cybersecurity as mission critical capabilities to succeed in today’s healthcare environment.
Challenges In Meeting Demands
Healthcare IT companies must have mature and scalable HIPAA Compliance and cybersecurity capabilities; however, many:
• Are unsure what is required
• Lack expertise
• Have security gaps
• Don’t have resources
• Are missing tools
• Have limited funds
• Struggle with security questionnaires
The Dilemma
How to establish a reasonable and appropriate HIPAA Compliance and Cybersecurity program that meets regulatory requirements and impresses customers and investors, cost effectively and without disruption?
Solving the Dilemma
To solve the dilemma we first must understand what’s required for success.
10 Key Areas of a HIPAA Compliance Program
1. Set a privacy and security risk management & governance program in place (45 CFR § 164.308(a)(1))
2. Develop & implement HIPAA privacy, security, and breach notification policies & procedures (45 CFR §164.530 and 45 CFR §164.316)
3. Train all members of your workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))
4. Complete a HIPAA security risk analysis (45 CFR §164.308(a)(1)(ii)(A))
5. Complete HIPAA security risk management (45 CFR §164.308(a)(1)(ii)(B))
6. Complete a HIPAA security evaluation (e.g. “compliance assessment”) (45 CFR § 164.308(a)(8))
7. Complete technical testing of your environment (45 CFR § 164.308(a)(8))
8. Implement a strong, proactive Business Associate management program (45 CFR §164.502(e) and 45 CFR §164.308(b))
9. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)
10. Document and act upon a remediation plan (45 CFR §164.530(c) and 45 CFR §164.306(a))
Derived from OCR Enforcement Actions. Demonstrate Reasonable Diligence.
Cybersecurity & HIPAA Compliance Program Leadership
Security Leadership / CISO is critical in building and executing a mature cybersecurity and HIPAA compliance program.
Governance
Policies & Procedures that meet the specific needs of your organization are foundational elements of information risk management.
Compliance – HIPAA Requirements
Cycle: Assess, Evaluate, Remediate
Scope: HIPAA Security Rule, HIPAA Privacy Rule, HIPAA Breach Notification Rule
A non-technical evaluation of compliance with the HIPAA Security Rule is required; evaluating compliance with the Privacy & Breach Notification Rules is considered a best practice.
Risk Management
Cycle (NIST Special Publication 800-30 Rev. 1): Frame, Assess, Respond, Monitor
Risk analysis and risk management result in a more optimal investment in your organization’s cybersecurity program and address one of the largest compliance risks.
Security Engineering & Application Security
Network Security, Application Security, Cloud Security
Designing and implementing security into your products will be critical to your Customers and will support sales efforts, especially if your products receive or transmit ePHI.
Technical Testing
Penetration Testing, Vulnerability Scanning, Social Engineering (Phishing)
Periodically validating that controls close vulnerabilities is not only required by HIPAA, but also necessary to ensure your security safeguards are implemented appropriately to reduce risk.
Emergency Operations & Incident Management
Ensure you are prepared to minimize the impact of incidents and breaches on the organization.
Traditional Approach & Cost of Building a Program
Expenditures and Annual Cost
Staffing
1. Chief Information Security Officer/VP Security: $150K - $250K
2. Security Analyst: $60K - $80K
Subtotal Staffing: $210K - $330K
Consulting Support
1. Policy and Procedures support: $5K - $40K
2. Technical Testing: $15K - $50K
3. Risk Analysis/Risk Management: $30K - $50K
Subtotal Consulting Support: $50K - $140K
Software
1. HIPAA and Security Awareness Training: $1K - $5K
2. Other Security Tools: $20K - $100K
Subtotal Software: $21K - $105K
Total: $281K - $575K
Solving the Dilemma
Goals:
• Better
• Easier
• Less Expensive
ClearAdvantage® | Solution to the Cybersecurity & HIPAA Compliance Program Dilemma
Together with our Healthcare Technology customers, Clearwater designs, implements and operationalizes a cybersecurity and HIPAA compliance program that is:
• Reasonable and appropriate for your unique organization
• Aligned with and facilitates your business’s strategic goals and objectives
• Far less expensive than if you build it yourself
The ClearAdvantage Program is executed over a three-year period, and aligned to each customer’s strategic objectives, priorities and resources.
Benefits of Clearwater’s ClearAdvantage® Program
• Mature, best-in-class, Cyber Risk Management and HIPAA Compliance program that scales with your business
• Standards-based strategic cybersecurity roadmap that aligns with your growth objectives
• Reduced HIPAA compliance risks and potential penalties
• Critical information for executive-level cyber risk-based decisions
• Broad and deep expertise of Clearwater’s full consulting team
• Included IRM|Pro® Security, Privacy, and Risk Management Software subscription*
• 2-4x ROI over traditional approach to building a program
• Your organization distinguished as a leader in keeping protected health information secure
* Modules vary by program level.
IRM|Pro® Software, Expert Consultants, Proven Methodology
Expert Consultants
Proven Methodology
ClearAdvantage® Framework
People: On-demand SMEs, vCISO/vCPO/Program Leader, Program Manager
Functional Areas of Support:
• Security Engineering (Cloud | On-Prem): Identity & Access Management, Application Security, Host & Network Security, Info Asset Security
• Security Operations
• Emergency Operations & Incident Management
• Program Management
• Governance, Risk & Compliance
• Personal & External Relationships
Software: IRM|Pro, Media Pro, PnP Toolkit, Project Management, Secure File Transfer and Repository
How It Works – Illustrative Project Timeline
Illustrative project timeline across Year 1, Year 2 and Year 3 (chart not reproduced; activities shown on it are listed below):
• Program Leadership (vCISO, vCPO)
• Program Management
• Governance
• Policies & Procedures
• Vendor Risk Management
• Strategic Roadmap (each year)
• Workforce Training (each year)
• Risk Analysis, Risk Mgmt, HIPAA Security Assessment, HIPAA Privacy & Breach Assessment (each year)
• Tech Testing (repeated throughout each year)
• Quarterly Briefings
Case Study – Pre-revenue Health IT Startup
Challenge
• HIT company was launching a healthcare technology platform targeted for large health systems.
• Platform requires access to extensive amounts of ePHI from its customers.
• Needed to address security requirements of large prospective customers.
• Lack of adequate security and compliance expertise was holding up their sales pipeline.
Solution
• Clearwater’s ClearAdvantage program rapidly stood up a HIPAA Compliance and Risk Management program.
• Clearwater assisted the Customer in migrating their platform to an AWS environment and implemented security controls relevant to the Customers’ security requirements.
• Clearwater’s vCISO assisted with responses to Customer security evaluations.
Value Achieved
• The company was able to win the business of marquee customers as a result of their ability to demonstrate strong cybersecurity and compliance with HIPAA.
• Fully managed service allows the customer to focus on business development and product delivery.
Actions You Can Take Now
• Identify and communicate to leadership how your cybersecurity and HIPAA compliance capabilities directly relate to your organization’s ability to achieve its strategic goals and objectives
• Consider what the impact of a breach or ransomware attack would be on the organization, and what it would mean in financial losses and lost value
• Define your vision for your cybersecurity and HIPAA Compliance, and determine where key gaps or inefficiencies exist
• Consider various approaches to achieving your vision (e.g., build, outsource)
• Complete Clearwater’s free risk analysis self review
• Visit Clearwater’s Knowledge Center to access free resources
• Schedule a free consultation with our team to discuss your needs and objectives
Recommended Resources
White Papers
• 10 Ways Business Associates Can Turn Their HIPAA Compliance and Cybersecurity Program Into a Competitive Advantage
• From Risk Analysis to Risk Reduction: A Step-by-Step Approach
• Let the Buyer Beware: The Need for HIPAA Risk Analysis in Healthcare M&A Transaction
Webinars
• 10 Key Elements to Effective HIPAA Compliance & Cyber Risk Management
• How Tech Leaders Are Helping Secure Healthcare’s Digital Transformation (featuring Uber Health and Digital Reasoning)
OCR – HHS
• Direct liability of Business Associate – OCR Fact Sheet
Additional Resources
• ClearAdvantage Program for Health IT & Digital Health Companies
Upcoming Clearwater Web Events…
Learn more and register for these webinars at https://clearwatercompliance.com/upcoming-educational-events/
Clearwater Insights…
Available in digital & paperback.
Audio book coming soon!
https://www.clearwatercompliance.com/stopthecyberbleeding
Thank You & Questions
Please take a moment to complete the short survey when you leave the session.
We appreciate and use your feedback!
Steve [email protected]
Jon Moore [email protected]
www.ClearwaterCompliance.com
800.704.3394
LinkedIn | linkedin.com/company/clearwater-compliance-llc/
Twitter | @clearwaterhipaa