Legal Disclaimer - Cybersecurity and HIPAA Compliance

Page 1: Legal Disclaimer - Cybersecurity and HIPAA Compliance

© Clearwater Compliance | All Rights Reserved

1

Legal Disclaimer

The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

Page 2

October 13, 2016

Harnessing the Power of the NIST | Your Practical Guide to Effective Cyber Risk Management

Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US

615-656-4299 or 800-704-3394

[email protected]

Page 3

Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US

• CEO & Founder – Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Healthcare Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates
• Member: ACAP, CHIME/AEHIS, CAHP, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA
• CHIME Foundation Member
• AEHIS Advisory Board Member

http://www.linkedin.com/in/BobChaput

Page 4

Some Ground Rules

1. Slide materials
   A. Check “Download” area on GoToWebinar Control panel to copy/paste link and download materials
2. Questions in “Question Area” on GTW Control Panel
3. In case of technical issues, check “Chat Area”
4. All Attendees are in Listen Only Mode
5. Please complete Exit Survey when you leave session
6. Recorded version and final slides within 48 hours

Page 5

Our Passion

We’re excited about what we do because…

…we’re helping organizations improve patient safety and the quality of care by safeguarding the very personal and private healthcare information of millions of fellow Americans…

… And, keeping those same organizations off the Wall of Shame…!

Page 6

Awards and Recognition

• 2015 & 2016: Exclusive Industry Resource Provider
• Software Used by NSA/CAEs
• Sole Source Provider
• #11 – 2015 & 2016

Page 7

Three Cyber Risk Management Agenda Items About Which I Am Very Passionate…

1. Strategically: Assisting in Making Cybersecurity a Meaningful C-Suite / Board Agenda Item
2. Tactically: Assisting in Establishing, Implementing and Maturing a Cybersecurity Program
3. Operationally: Assisting in Completing Bona Fide, Comprehensive Cybersecurity Risk Analysis and Risk Response

Page 8

Many Organizations Struggle to Establish, Implement and Mature their Cyber Risk Management Programs…

The Single Biggest Decision Your Organization will Make Regarding Cyber Risk Management is… How Your Organization will Conduct Cyber Risk Management…

Page 9

Learning Outcomes… Practical Actionable Steps To:

• Implement the NIST IRM Process: Framing, Assessing, Responding to and Monitoring Risk
• Mature your IRM program to proactively protect your organization’s sensitive information
• Leverage the NIST Cybersecurity Framework to better manage and reduce cybersecurity risk
• Ultimately, make higher quality decisions about information / cyber risks by adopting the NIST approach

Resources will be provided at the end of the session and all registrants will receive a copy of all slide materials & the recorded webinar

Page 10

Pause and Quick Poll

Poll #1 – Is this the first Clearwater Compliance webinar you have attended?

Page 11

Pause and Quick Poll

Poll #2 - What type of organization do you represent?

• Hospital / Health System
• Other CE
• BA
• Hybrid
• Don’t Know

Page 12

Clearwater Supports the NIST Approach

Framework + Maturity Model + Process

NIST SP800-39

IRM|Maturity™, IRM|Pro™, IRM|Capability™

Page 13

Benefits of NIST Approach: From Chaos to Order | Process | Discipline

From: Tactical, Technical, Spot-Welding
To: Strategic, Business, Architectural

Start the Conversation | Change the Conversation

Page 14

Discussion Flow

1. NIST Cybersecurity Framework
   1. Problem We’re Trying to Solve
   2. NIST Cybersecurity Framework (NIST CSF)
   3. How to Adopt the NIST CSF
2. NIST Risk Management Process
   1. Framing Risk
   2. Assessing Risk
   3. Responding to Risk
   4. Monitoring Risk
3. Maturing Your Risk Management Program
   1. Maturity Models and IRMCAM™
   2. How to Access and Use IRMCAM™

Page 15

Changing Landscape Driving Cybersecurity

• Data Aggregation & Amount of Valuable Data
• Number of Connected People
• Shadow IT

Cybersecurity risk management program must keep pace with the evolving threat landscape.

Page 16

What is the Risk Problem We’re Trying to Solve?

Don’t Compromise C-I-A!

• CONFIDENTIALITY: What if my Sensitive Information is shared?
• INTEGRITY: What if my Sensitive Information is not complete, up-to-date and accurate?
• AVAILABILITY: What if my Sensitive Information is not there when it is needed?

Sensitive Information: ePHI, PII, PCI Data, MNPI, Trade Secrets, Business Plans, Software Code, Etc.

Page 17

Clearwater Supports the NIST Approach

Framework + Maturity Model + Process

NIST SP800-39

IRM|Maturity™, IRM|Pro™, IRM|Capability™

Page 18

Sidebar: Framework Versus Process

• Framework … tends to set overall architecture; provides structure and guidance. Think: WHAT
• Process … tends to be specific and repeatable; provides a well defined set of steps. Think: HOW

• Framework: Clinical Research
• Process: Detailed Steps

Page 19

Feb 12, 2013: Executive Order 13636

“Improving Critical Infrastructure Cybersecurity”

Page 20

Critical Infrastructure Sectors¹

• Chemical Sector
• Commercial Facilities Sector ***
• Communications Sector
• Critical Manufacturing Sector
• Dams Sector
• Defense Industrial Base Sector
• Emergency Services Sector
• Energy Sector
• Financial Services Sector
• Food and Agriculture Sector
• Government Facilities Sector
• Healthcare and Public Health Sector
• Information Technology Sector
• Nuclear Reactors, Materials, and Waste Sector
• Transportation Systems Sector
• Water and Wastewater Systems Sector

¹ http://www.dhs.gov/critical-infrastructure-sectors

Page 21

NIST CSF Overview

• Provides a standard measurement that organizations can use to measure risk and improve security
• Calls for senior management and Board understanding of cyber risk
• Currently voluntary, but likely the de facto standard in the event of a breach
• Common language, not “government speak”
• Maps to COBIT, ISO, NIST SP800-53, HIPAA Security Rule, etc.
• Includes steps for “Establishing or Improving a Cybersecurity Program”
• Framework, not a risk management Process
• Framework, not a Maturity Model

Creates a Common Language for Cybersecurity

Page 22

5 Core Functions & 22 Categories & 98 Sub-Categories

• Identify: What assets need protection?
• Protect: What safeguards are available?
• Detect: What techniques can identify incidents?
• Respond: What techniques can contain impacts of incidents?
• Recover: What techniques can restore capabilities?

Page 23

Harness Power of Five Internationally Recognized Standards

The five informative references behind the Identify, Protect, Detect, Respond and Recover functions:

• COBIT 5¹: Five Key Processes of Enterprise IT Management, including Risk IT
• CCS CSC²: SANS Top 20 Critical Security Controls
• IEC 62443³: Concepts; IACS Security Program; Security Technologies; Secure Development
• ISO 27001⁴: Information security management system (ISMS); Clauses, Controls, Control Objectives
• NIST 800-53⁵: 18 Control Families; Security and Privacy; Managerial, Technical, Physical

¹ Control Objectives for Information and Related Technology (COBIT)
² Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC)
³ ANSI/ISA-62443-2-1 (99.02.01)-2009, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program, and ANSI/ISA-62443-3-3 (99.03.03)-2013, Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels
⁴ ISO/IEC 27001, Information technology -- Security techniques -- Information security management systems -- Requirements
⁵ NIST SP 800-53 Rev. 4: NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013 (including updates as of January 15, 2014)

Page 24

This Just In

1. Update security guidance for covered entities and business associates to ensure that the guidance addresses implementation of controls described in the NIST Cybersecurity Framework;

2. Update technical assistance that is provided to covered entities and business associates to address technical security concerns;

3. Revise the current enforcement program to include following up on the implementation of corrective actions;

4. Establish performance measures for the OCR audit program; and

5. Establish and implement policies and procedures for sharing the results of investigations and audits between OCR and CMS to help ensure that covered entities and business associates are in compliance with HIPAA and the HITECH Act.

Page 25

NIST CSF Adoption

• DoD abandons DIACAP in favor of the NIST risk management framework, March 18, 2014 | By David Perera
• A Different Kind of “Virus”: FDA Follows NIST Framework in Cybersecurity Guidance for Medical Devices, October 8th, 2014 | By Cynthia Larose
• OCR Crosswalk Connects HIPAA Security Rule, NIST Framework, February 24, 2016 | By Elizabeth Snell
• Post-market Management of Cybersecurity in Medical Devices, January 22, 2016
• Analytic Report: Executive Order 13636 Cybersecurity Incentives Study, June 12, 2013
• Federal Agency Adoption = 82%
• HHS Cybersecurity Task Force – too early to call; how not?

Page 27

Seven Steps To Implementing the NIST CSF

Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze and Prioritize Gaps
Step 7: Implement Action Plan

Step 3: Create a Current Profile. The organization develops a Current Profile by indicating which Category and Subcategory outcomes from the Framework Core are currently being achieved.

Completing Current Profile May Serve As A Great Starting Point

Page 28

Dashboards and Trends Facilitate CPI

Current Profile = 2.72, between Tier 2 (Risk Informed) and Tier 3 (Repeatable)

Page 29

Why Should I Care if Not Mandated, Only Voluntary?

1. Leverage a key “free of charge” ingredient for a successful information / cyber risk management program (Framework + Process + Maturity Model)
2. Harness the power of NIST and five international open standards (not something closed, made up!)
3. Change the conversation on cybersecurity and information risk management; using an understandable tool helps in determining appropriate spending
4. Utilize “no prerequisites” / “not-one-size fits all” approach
5. Hedge possibility that NIST CSF becomes a legal standard of due care, if not mandated framework
6. Take the Gartner bet: “By 2020, more than 50% of organizations will use the NIST Cybersecurity Framework, up from the current 30% in 2015.”
7. Help safeguard our national digital assets!

Page 30

Voluntary, So Not Really Enforceable… However!...

Richard Raysman and John Rogers, The NIST Cybersecurity Framework, Practical Law The Journal | Transactions & Business | June 2015:

“In the event of a cybersecurity incident, an organization that has implemented the Framework can also:
• Have concrete documentation that it implemented a recognized industry standard in assessing, designing and improving its cybersecurity program.
• Argue that it followed NIST’s recommendations, perhaps avoiding a determination by regulators or courts that it was negligent in its cybersecurity efforts in the event of a breach or an investigation.”

Page 31

Voluntary, So Not Really Enforceable… However!...

• Rodney Brown, Cyber-Security Standards for Major Infrastructure, InformationWeek::reports, Jan. 2014.

“The Cybersecurity Framework is likely to become the liability floor, much like Sarbanes-Oxley has become.”

• Jon W. Burd, Cybersecurity Developments: Does the NIST “Voluntary” Framework Portend New Requirements for Contractors? Fall 2013 | Government Contracts Issue Update, Wiley Rein, LLP.

“The framework is intended to complement existing business and cybersecurity operations for organizations with formal existing plans and policies, or to serve as a template for organizations that create new programs.”

“For government contractors, in particular, one “incentive” agencies could adopt—either through formal rulemaking or on an ad hoc basis—is a preference for framework participants in competitions for federal information technology (IT) or cyber-related contracts.”

Page 32

Polling Question

Poll #3 - Has your organization selected an overall framework for managing cyber / information security risks?

Page 33

Discussion Flow

1. NIST Cybersecurity Framework
   1. Problem We’re Trying to Solve
   2. NIST Cybersecurity Framework (NIST CSF)
   3. How to Adopt the NIST CSF
2. NIST Risk Management Process
   1. Framing Risk
   2. Assessing Risk
   3. Responding to Risk
   4. Monitoring Risk
3. Maturing Your Risk Management Program
   1. Maturity Models and IRMCAM™
   2. How to Access and Use IRMCAM™

Page 34

Clearwater Supports the NIST Approach

Framework + Maturity Model + Process

NIST SP800-39

IRM|Maturity™, IRM|Pro™, IRM|Capability™

Page 35

To Solve the Cyber Risk Problem

1. What is the exposure of our information assets (e.g., ePHI)? → Risk Assessment
2. What decisions do we need to make to treat or manage risks? → Risk Response

Both Are Required in Federal Regulations AND Serve As the Basis for any Respectable Information Security Program in Any Industry!

Page 36

And, then there were 41…10 so far in 2016

Page 37

Information Risk Management Definition1

“Risk management is a comprehensive process that requires organizations to:

(i) frame risk (i.e., establish the context for risk-based decisions);

(ii) assess risk;

(iii) respond to risk once determined; and

(iv) monitor risk on an ongoing basis using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations.

Risk management is carried out as a holistic, organization-wide activity that addresses risk from the strategic level to the tactical level, ensuring that risk-based decision making is integrated into every aspect of the organization.1”

1http://clearwatercompliance.com/wp-content/uploads/SP800-39-final.pdf

Page 38

NIST Risk Management Process1

1http://clearwatercompliance.com/wp-content/uploads/SP800-39-final.pdf

Page 39

Clearwater Information Risk Management Life Cycle¹

¹ Adapted from NIST SP800-39 - http://clearwatercompliance.com/wp-content/uploads/SP800-39-final.pdf

Page 40

Polling Question

Poll #4 - Has your organization chosen an information risk management process such as that described in NIST SP800-39?

Page 41

NIST Risk Framing Process

01 Set Forth Risk Assumptions
02 Document Risk Constraints
03 Establish Risk Appetite
04 Enumerate Priorities & Tradeoffs

Output: IRM Strategy (Scope, Sequence, Rigor, Thoroughness, Outcomes)

Page 42

Risk Threshold (a.k.a., Risk Appetite)

[Chart: risk levels from 0 to 25 banded LOW, MEDIUM, HIGH and CRITICAL, with the threshold marked at 12]

Our Risk Appetite or Threshold is 12. We Will (Initially) Accept All Risks Below 12. We Will Avoid, Mitigate and/or Transfer All Risks 12 or Above.

Page 43

Risk Framing Fundamentals

• Executives and BOD Must Be Engaged
• Risk Framing Sets the Stage for Overall Risk Management Program
• Basic Assumptions Must Be Made: Scope, Information Assets, Threats, Vulnerabilities, Likelihood, Impact
• Business and Risk Management Constraints Must Be Defined
• Risk Tolerance or Appetite Must Be Set
• Must Consider Five Key Practice Areas
• Risk Framing Informs All Other Steps
• Critical Output: Risk Management Strategy and Framework

Page 44

NIST Risk Assessment Process

01 Finalize Information Asset Inventory
02 Identify Threats & Vulnerabilities
03 Determine Likelihood & Impact
04 Determine Risk Level

What Are All the Possible Ways in Which We May Compromise Sensitive Information?

Page 45

“Speaking Risk”

[Relationship diagram] Owners value Assets and wish to minimize the Risks (loss or harm) to them, so they implement Controls & Safeguards to reduce those Risks. Threat Sources (Adversarial, Accidental, Structural, Environmental) give rise to Threats that wish to or may abuse, harm and/or damage Assets. Assets may possess Vulnerabilities that exist in protecting them; Threat Sources may be aware of those Vulnerabilities, and Threats that exploit them give rise to Risks. Vulnerabilities increase Risks and may be reduced by Controls & Safeguards.

Page 46

HIPAA and OCR Require Tier 3 “Information Systems” Risk Management1

1NIST SP800-39-final_Managing Information Security Risk

Page 47

Determine Level of Risk (Risk Level = Likelihood × Impact, on a Low = 1, Medium = 3, High = 5 scale)

Asset  | Threat Source / Action | Vulnerability       | Likelihood | Impact     | Risk Level
Laptop | Burglar steals laptop  | No encryption       | High (5)   | High (5)   | 25
Laptop | Burglar steals laptop  | Weak passwords      | High (5)   | High (5)   | 25
Laptop | Burglar steals laptop  | No tracking         | High (5)   | High (5)   | 25
Laptop | Shoulder surfer views  | No privacy screen   | Low (1)    | Medium (3) | 3
Laptop | Careless user drops    | No data backup      | Medium (3) | High (5)   | 15
Laptop | Lightning strike       | No surge protection | Low (1)    | High (5)   | 5
etc.
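As an added example (not code from the Clearwater slides), the following Python turns the laptop table above into a small risk register: it derives Risk Level as Likelihood × Impact on the slide's Low/Medium/High = 1/3/5 scale, rejects rows that lack an asset, threat or vulnerability (one of the assessment fundamentals), applies the appetite threshold of 12 from the Risk Threshold slide to decide Accept versus Avoid/Mitigate/Transfer, and lets you re-run the same register under a different appetite. The Risk class, the function names and the what-if threshold of 16 are this example's own assumptions; the six rows are copied from the slide.

```python
"""Risk register with derived risk levels and an explicit risk appetite.

Added example, not from the Clearwater slides. Only the 1/3/5 scale,
the threshold of 12 and the six laptop rows come from the deck; the
validation rules, names and the what-if threshold are assumptions.
"""
from dataclasses import dataclass

# Ordinal scale used on the slide: Low (1), Medium (3), High (5).
SCALE = {"Low": 1, "Medium": 3, "High": 5}

# Risk appetite from the slide: accept below 12, treat 12 or above.
RISK_THRESHOLD = 12


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str          # threat source / action
    vulnerability: str
    likelihood: str      # a key of SCALE
    impact: str          # a key of SCALE

    def __post_init__(self) -> None:
        # "Must have asset-threat-vulnerability to have risk": refuse to
        # score an incomplete row instead of silently giving it a number.
        for name in ("asset", "threat", "vulnerability"):
            if not getattr(self, name).strip():
                raise ValueError(f"risk is missing its {name}")
        for name in ("likelihood", "impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be one of {sorted(SCALE)}")

    @property
    def level(self) -> int:
        # Risk is a derived value: Likelihood x Impact.
        return SCALE[self.likelihood] * SCALE[self.impact]


def response(level: int, threshold: int = RISK_THRESHOLD) -> str:
    """Treatment decision implied by the risk appetite."""
    return "Accept" if level < threshold else "Avoid/Mitigate/Transfer"


def build_register(risks, threshold=RISK_THRESHOLD):
    """Return (risk, level, response) tuples, highest risk first."""
    rows = [(r, r.level, response(r.level, threshold)) for r in risks]
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


def treatment_counts(risks, threshold=RISK_THRESHOLD):
    """How many risks the appetite leaves accepted vs. to be treated."""
    counts = {"Accept": 0, "Avoid/Mitigate/Transfer": 0}
    for _, _, decision in build_register(risks, threshold):
        counts[decision] += 1
    return counts


# Rows copied from the slide's laptop example (constructed sample data).
LAPTOP_RISKS = [
    Risk("Laptop", "Burglar steals laptop", "No encryption", "High", "High"),
    Risk("Laptop", "Burglar steals laptop", "Weak passwords", "High", "High"),
    Risk("Laptop", "Burglar steals laptop", "No tracking", "High", "High"),
    Risk("Laptop", "Shoulder surfer views", "No privacy screen", "Low", "Medium"),
    Risk("Laptop", "Careless user drops", "No data backup", "Medium", "High"),
    Risk("Laptop", "Lightning strike", "No surge protection", "Low", "High"),
]

if __name__ == "__main__":
    for risk, level, decision in build_register(LAPTOP_RISKS):
        print(f"{level:>2}  {decision:<24} {risk.threat} / {risk.vulnerability}")
    print(treatment_counts(LAPTOP_RISKS))
    # Raising the appetite to 16 moves the "No data backup" row (15) to Accept,
    # which is why the threshold is a framing decision for executives, not
    # something the assessor picks after seeing the scores.
    print(treatment_counts(LAPTOP_RISKS, threshold=16))
```

The register is sorted highest risk first so the report leads with what must be treated; the threshold is passed in rather than hard-coded into the decision so the same register can be replayed when the board changes the appetite.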

Page 48

Risk Assessment Fundamentals

• Must be possible to have loss or harm
• Must have asset-threat-vulnerability to have risk
• Risk is a likelihood issue
• Risk is an impact issue
• Risk is a derived value (like speed is a derived value = distance / time)
• Fundamental nature of Risk is universal
• Risk assessment informs all other steps
• Not “once and done”
• Critical Output: Risk Register

Page 49

What A Risk Analysis Report Looks Like… Show you’ve identified all risks!

[Report chart: risks at or above the threshold: Generally, Avoid, Mitigate or Transfer; risks below the threshold: Generally, Accept]

Page 50

Polling Question

Poll #5 - Has your organization completed a comprehensive “risk assessment” and produced a documented Information Risk Register that will meet OCR requirements?

Page 51

NIST Risk Response Process

01 Identify Risk Responses
02 Evaluate Alternatives
03 Make Risk Response Decision
04 Implement Risk Response

What decisions do we need to make to treat or manage risks?

Page 52

Decide on Response or Treatment

Page 53

Risk Response Plan

Must show that identified risks will be treated!

Page 54

Risk Response Fundamentals

• Real Risk Response Requires Real Risk Analysis
• All Risks Need a Response
• Not All Risks Must Be Mitigated
• Risk Response Requires Setting Your Risk Appetite
• Risk Response Requires Real Risk Framing
• Risk Management is Informed Decision Making – What’s New?
• Risk Response Informs All Other Steps
• Critical Output: Risk Management Plan

Page 55

NIST Risk Monitoring Process

01 Set Risk Monitoring Strategy
02 Monitor Organizational Environment and Systems

How Do I Ensure I am Doing the Right Things and That They’re Working?

Page 56

Risk Monitoring Fundamentals

• Three Key Considerations: Compliance, Effectiveness & Change
• Informs All Other Process Steps: Frame, Assess, Respond
• Need to Balance Investment With Value Derived… Of Course
• Needs to Occur At All Tiers: Board, Executive Team, Systems Owners
• Think Plan-Do-Check-Act
• Risk Monitoring Informs All Other Steps
• Critical Output: Risk Monitoring Plan

Page 57

Discussion Flow

1. NIST Cybersecurity Framework
   1. Problem We’re Trying to Solve
   2. NIST Cybersecurity Framework (NIST CSF)
   3. How to Adopt the NIST CSF
2. NIST Risk Management Process
   1. Framing Risk
   2. Assessing Risk
   3. Responding to Risk
   4. Monitoring Risk
3. Maturing Your Risk Management Program
   1. Maturity Models and IRMCAM™
   2. How to Access and Use IRMCAM™

Page 58

Clearwater Supports the NIST Approach

Framework + Maturity Model + Process

NIST SP800-39

IRM|Maturity™, IRM|Pro™, IRM|Capability™

Page 59

Risk Management and Baseball

• Is Little League good enough?
• How good does your team have to play?
• How mature does your Information Risk Management Process need to be?
• Are you making conscious, informed decisions about your required level of maturity?

Page 60

INFORMATION RISK MANAGEMENT MATURITY LEVEL: Incomplete-0 | Performed-1 | Managed-2 | Established-3 | Predictable-4 | Mature-5

KEY RISK MANAGEMENT CAPABILITIES (each described from level 0 through level 5):

Governance, Awareness of Benefits and Value
  0 Unsure of benefits; no executive focus
  1 Aware of risk, but not clear on benefits
  2 Aware of some benefits
  3 Aware of most benefits; value realized
  4 Aware of benefits and deployed across the organization
  5 Incorporated into business planning and strategic thinking

People, Skills, Knowledge & Culture
  0 Little knowledge
  1 Some risk skills training in parts of organization
  2 Good understanding across parts of organization
  3 Knowledge across most of organization
  4 Sound knowledge of discipline and value
  5 High degree of knowledge; refinement

Process, Discipline, & Repeatability
  0 No PnPs, formal practices
  1 Some execution, no records or docs.
  2 Some PnPs, docs; not consistently followed
  3 Formal PnPs and doc, widely followed
  4 Robust, widely adopted PnPs
  5 Formal, continuous process improvement

Use of Standards, Technology Tools / Scalability
  0 Not Using
  1 Aware but Not Formalized Use
  2 Using selectively
  3 Using, repeatable results
  4 Sound understanding, consistent use of tools
  5 Regular use, outcomes consistent

Engagement, Delivery & Operations
  0 None
  1 Some (ad hoc), Insufficient resources
  2 Have framework & active when time permits
  3 Becoming a Formal program
  4 Formal program
  5 Embedded in decision making, CPI

Page 61

Information Risk Management Capability Advancement Model™ (IRMCAM™)?

• Like baseball teams, mature risk-aware organizations are different from immature risk-aware organizations

• IRMCAM™ strives to capture and describe these differences

• IRMCAM™ strives to create organizations that are “mature”, or more mature than before applying IRMCAM™

• Describes six levels of Risk Management process maturity

• Includes lots of detail about each level – we will look at some of it

Not One Size Fits All

Page 62

Assessing Practices

In each capability area, we present a series of practices that, if implemented, would serve as evidence of progress in establishing and improving that capability. Consideration of these practices may also translate into an action plan for improvement. We rate each practice on a six-point rating scale using the Deming "plan-do-check-act" cycle:

• Not started: not adopted, implemented or achieved (0% or maturity 0)
• Planning to adopt, implement or achieve (20% or maturity 1)
• Planning and doing (40% or maturity 2)
• Planning, doing and checking (60% or maturity 3)
• Planning, doing, checking, acting (80% or maturity 4)
• Planning, doing, checking, acting & optimizing (100% or maturity 5)

Please Use It / Provide Feedback: http://www.surveygizmo.com/s3/2162655/Clearwater-IRMCAM-Assessment-V5-3

Page 63

Polling Question

Poll #6 - Has your organization chosen a maturity model to help your information risk management process continuously improve?

Page 64

Clearwater Supports the NIST Approach

Framework + Maturity Model + Process

NIST SP800-39

IRM|Maturity™, IRM|Pro™, IRM|Capability™

Page 65

Getting Started – Cyber Risk Management

I. Strategically Complete an IRM Program Maturity Assessment

II. Tactically Complete NIST CSF Current Profile

III. Operationally Complete Risk Assessment


Download Whitepaper

Harnessing the Power of NIST: Your Practical Guide to Effective Information Risk Management

https://clearwatercompliance.com/thought-leadership/white-papers/harnessing-the-power-of-the-nist-framework/


NIST CSF and Related Resources

• Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework)

• Cybersecurity Framework Industry Resources

• Cybersecurity Framework Frequently Asked Questions

• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

• NIST SP800-39, Managing Information Security Risk

• Harnessing the Power of NIST | Your Practical Guide to Effective Information Risk Management (Clearwater White Paper)

• Information Risk Management Capability Advancement Model™ (IRMCAM™) (Clearwater White Paper)

• GAO Report to the Committee on Health, Education, Labor and Pensions | Electronic Health Information | HHS Needs to Strengthen Security and Privacy Guidance and Oversight


IRM|Capability™

• Upload Documentation: upload and store all cyber security documentation

• Dashboards: readily available for progress and management reporting

• Reports: display period-to-period Current State | Future State progress against all NIST CSF Core Functions, Categories and Sub-Categories

• Current Profile

• Recommendations: automated expert remediation plan

• Assign Work: managed accountability and due dates

Determine Current Profile and Address NIST CSF Gaps

All-inclusive, best-in-breed software for completing a NIST CSF Current Profile: all 5 Functions, 22 Categories and 98 Sub-Categories are assessed

Exclusively Endorsed by AHA


Industry-leading HIPAA compliance software:

• Gap Assessment: against all HIPAA Security Standards

• Audit Simulation: against HHS Audit protocols

• Recommendations: automated expert remediation plan

• Assign Work: managed accountability and due dates

• Dashboards & Reports: display period-to-period compliance progress

• Insight: understand significant threats and vulnerabilities

• Controls: determine if you have the right controls in place

• Risk Rating: view critical risks on intuitive dashboards and reports

• Manage Complexity: automate the management of risk information across complex enterprises

• Plan and Evaluate: plan a course of action to reduce critical risks

• Gap Assessment: against all HIPAA Privacy standards

• Breach Preparation: compliance with Breach Notification under HITECH

• Audit Simulation: against HHS Audit protocols

• Recommendations: automated expert remediation plan

• Dashboards & Reports: display period-to-period compliance progress

All Exclusively Endorsed by AHA


Clearwater HIPAA and Cybersecurity BootCamp™

Take Your HIPAA Privacy and Security Program to a Better Place, Faster …

Earn up to 10.8 CPE Credits!

http://clearwatercompliance.com/bootcamps/

Designed for busy professionals, the Clearwater HIPAA and Cybersecurity BootCamp™ distills into one action-packed day the critical information you need to know about the HIPAA Privacy and Security Final Rules and the HITECH Breach Notification Rule.

Join us for our next virtual, web-based events… Three 3-hour sessions:

• August 4th, 11th, 18th - 2016

• November 3rd, 10th, 17th - 2016

• February 9th, 16th, 23rd - 2017

• May 4th, 11th, 18th - 2017


Other Upcoming Clearwater Events

Visit ClearwaterCompliance.com for more info!

• October 13, 2016 - Complimentary Webinar: How to Adopt the NIST Cybersecurity Framework (CSF)

• October 27, 2016 - Complimentary Webinar: HIPAA 101

• November 2, 2016 - Complimentary Webinar: OCR’s Phase 2 Audits and How Best to Prepare

• November 9, 2016 - Complimentary Webinar: How to Implement a Strong Proactive Business Risk Management Program


Key Points to Remember

1. You Cannot Check-List Your Way to Cyber Risk Management Success

2. Adopt a Framework + Process + Maturity Model; We Recommend NIST

3. Embrace a Maturity Model Approach

4. Must Establish, Operationalize and Mature an Information Risk Management Program

5. Take Advantage of Resources Provided


Contact

Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US

[email protected]

Phone: 800-704-3394 or 615-656-4299

Clearwater Compliance LLC

Exit Survey, Please


What About HITRUST versus NIST? References / Articles for Your Own Due Diligence

• HITRUST or High Risk? The Health Information Trust Alliance’s Common Security

• An Open Letter to the HITRUST Alliance (Part I) (Part II) (Part III)

• HITRUST Breaches Lay the Welcome Mat for Hackers and Paydirt

• Should Business Associates Be HiTrust Certified?

• HITRUST, CSF and Mandatory Certification

• A Simpler and Better Alternative to the HITRUST Mandate For Third Party Risk Management In Healthcare

• 20+ Due Diligence Questions about the HITRUST Certification

• Research HITRUST Board companies on: the HHS Wall of Shame; ProPublica’s HIPAAHelper Privacy Violations, Breaches and Complaints page

We have never seen the OCR ask for Security Opinions (e.g., SSAE SOC2) or “HITRUST Certifications”.

As of mid-May 2016, HITRUST Alliance Board Members’ ten (10) organizations have 26 listings on the HHS Wall of Shame, with responsibility for 122MM of 156MM records (79%), and 852 mentions on ProPublica’s HIPAAHelper web site for complaints / breaches. Three organizations are in the HIPAAHelper "Top 10”.


HHS FAQ on 3rd Party Certifications

Are we required to “certify” our organization’s compliance with the standards of the Security Rule?

http://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-required-to-certify-our-organizations-compliance-with-the-standards/index.html

Answer: No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services.

“It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”