

Page 1

© Clearwater Compliance | All Rights Reserved

Legal Disclaimer

Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

22018-1

Page 2

Clearwater Customer Council Meeting

February 19, 2019

Page 3

Agenda

Introduction

Educational Content:

Adam Nunn | Principal Consultant

“Rethinking Cybersecurity Policy Governance”

Feedback and Suggestions

Page 4

About Your Hosts

Jon Stone, SVP, Product Innovation
MPA, PMP, HCISPP, CRISC

• 25+ years in Healthcare in the compliance, provider, payer and healthcare quality improvement fields
• Innovator | Strategic Program Manager | Consultant | Executive
• 15+ years of strategic leadership for compliance and Healthcare information technology projects involving sensitive ePHI for companies such as CIGNA, Healthways and OPTUMInsight
• PMP, MPA - Healthcare Policy and Administration
• Business Passion: Driving business and technology solutions for improving healthcare operations and outcomes
• Play Passion: Cycling and Oil Painting

[email protected]

615-210-9612

Page 5

Lori Hessey, Director Customer Success

• 10+ years of Customer Support in Healthcare
• 5+ years experience in SaaS Startup Companies
• 5+ years Sales & Business Development
• Responsible for customer implementation, training, marketing and quality assurance
• Manages the Clearwater Customer Success and Support Team

[email protected]

615-823-5190

About Your Hosts

Page 6

Purpose of the Customer Community

Where Clearwater customers go to get additional value and benefits

• Customer Council Meetings
• Complimentary educational content
• A place for customers to interact and learn from each other

Page 7

• All attendees on mute
• Type in Q&A section with a question or comment
• We will be watching the Q&A section like a hawk and will make sure your comment or question gets addressed!

Meeting Logistics: Audio Control Panel

This Photo by Unknown Author is licensed under CC BY-SA

Page 8

‘Rethinking Cybersecurity Policy Governance’

Adam Nunn, Principal Consultant [email protected]

Page 9

About Your Presenter

Adam Nunn, Principal Consultant

• Twenty-three years in healthcare cybersecurity and regulatory compliance.
• As internal Chief Compliance Officer and Chief Information Security Officer, directly administered programs for hospitals and healthcare service organizations, including clinics, laboratories, pharmacies, business associates, and health plans.
• Cybersecurity and regulatory compliance experience in a wide range of organizational structures, from start-ups to multi-billion dollar enterprises, including venture-capital, private-equity, not for profit, and publicly-traded organizations.
• CISSP from 2003-2013 with an ISSMP concentration.
• Former member of the HITRUST Leadership Roundtable.
• Former Officer of Middle Tennessee Chapter of the Information Systems Security Association.
• Active member of the Health Care Compliance Association and Information Systems Security Association.

Page 10

What we’re going to discuss

• Common Questions and Comments Often Heard about Policy
• Cybersecurity Policy Defined
• Effectiveness of Cybersecurity Policy
• Principle-Based Policy Governance Introduction
• Example of Principle-Based Policy Governance
• Requirements for Implementation

Page 11

Common Questions and Statements about Policy

• We have policies, but…
• We missed our deadline…
• We have established policies, but they…
• Our policy doesn’t match the…
• The Board of Directors must approve all policy changes, but…

Page 12

Common Questions and Statements

• Policy expectations…
• Having a policy that’s not implemented…
• We established some policies, but…
• We’re not sure who is…
• We lack support to…

Page 13

What is Cybersecurity Policy?

What do the regulations require?

Some examples…

✓ Prevent, detect, and contain

✓ Sanctions

✓ System activity

✓ Security official

✓ Appropriate access

Page 14

What is Cybersecurity Policy?

Cybersecurity policies establish expectations for the protection of information against deliberate and accidental threats and vulnerabilities.

Page 15

What is Cybersecurity Policy?

Policies within organizations are at various states of complexity and maturity.

Page 16

How effective are cybersecurity policies?

Organizations struggle with embedding security expectations into day-to-day operations.

Page 17

How effective are cybersecurity policies?

Board and senior leadership level expectations may not always translate into actionable, trackable, and continually maintained cybersecurity policy and procedure.

Page 18

How effective are cybersecurity policies?

Page 19

Potential Policy Governance Maturation: Is there a better way?

How might this look?

Page 20

Principle Based Governance?

Page 21

Principle Based Governance?

Principle 1: Identify. Our organization understands cybersecurity risks to systems, people, assets, data, and capabilities. We understand the business context and risks relating to cybersecurity and identify appropriate resources within a prioritized risk management strategy to support critical functions.

Principle 2: Protect. We develop and implement appropriate safeguards to ensure delivery of critical services. These safeguards support the organization's ability to limit or contain the impact of potential cybersecurity events.

Page 22

Principle Based Governance?

Principle 3: Detect. Our organization continually develops and implements appropriate activities that identify cybersecurity events. These functions enable the timely discovery of cybersecurity events within our environment that impact us, our customers, and partners.

Principle 4: Respond. We continually develop and implement procedures to take action when cybersecurity incidents and events are detected. These processes support our ability to contain the impact of potential cybersecurity events and incidents.

Principle 5: Recover. Our organization regularly develops and implements activities and plans for resilience and to restore any capabilities or services that are impaired due to cybersecurity events or incidents. These functions support timely recovery to normal operations and reduce the impact of cybersecurity incidents and events.

Page 23

Example: How might this be accomplished?

Principle 1: Identify. Our organization understands cybersecurity risks to systems, people, assets, data, and capabilities. We understand the business context and risks relating to cybersecurity and identify appropriate resources within a prioritized risk management strategy to support critical functions.

ID.AM-1 [Policy Statement] Physical devices and systems within the organization are inventoried.

[Security Standard] Inventories of physical and virtual information systems are accurately maintained.

[Maturity Level 1] [Procedure] Assigned Owner: [Workstation Administration Manager] Define within the 'Workstation Inventory Procedures and Standards' requirements for how workstation inventories are maintained, where inventory information is stored, the contents of the inventory, and requirements for how often the inventory is updated.

[Maturity Level 2] [Procedure] Assigned Owner: [Workstation Administration] Implement the requirements as defined within the 'Workstation Inventory Procedures and Standards' document.

[Maturity Level 3] [Procedure] Assigned Owner: [Workstation Administration Manager] Annual Task: Perform a review and update as necessary of the 'Workstation Inventory Procedures and Standards'.

[Maturity Level 4] [Procedure] Assigned Owner: [Workstation Administration Manager] Annual Task: Perform an audit, by sampling, to validate that the requirements of the 'Workstation Inventory Procedures and Standards' and the quarterly inventory reconciliations were appropriately complied with in the previous year.

Page 24

Requirements

A principle-based policy governance approach such as this would require:

• A top-down culture

• An organizationally selected cybersecurity control framework

• A process management engine

Page 25

Summary

We are using a legacy policy structure that was developed prior to widely available security standards and process automation tools.

Page 26

Summary

Can we replace our traditional policies with a framework based on now widely available cybersecurity control standards?

Page 27

What we discussed

• Common Questions and Comments Often Heard about Policy
• Cybersecurity Policy Defined
• Effectiveness of Cybersecurity Policy
• Principle-Based Policy Governance Introduction
• Example of Principle-Based Policy Governance
• Requirements for Implementation

Page 28


Questions?

Adam Nunn, Principal Consultant [email protected]

References and Links to Additional Information:

Dr. Gary Hinson PhD MBA CISSP, noticebored.com. I credit Gary with first exposing me to Principle-Based Policy Governance.

Page 29

Upcoming Events

Don’t miss Breakfast & Breaches!

Join us for this special LIVE Expert Panel Discussion, in town hall format, with Illinois OCR investigators, as we tackle critical subjects, including HIPAA & Cyber Risk Management readiness, recovery, and current requirements.

Be our guest onsite at Lockton Companies in Chicago or join us via LIVE video webcast! Reserve your seat!

This webinar is designed to help covered entities and business associates understand and act on specific Risk Analysis requirements. We will share a step-by-step methodology based on OCR and NIST guidance.

Reserve your seat!

Page 30

www.ClearwaterCompliance.com

LINKEDIN | www.linkedin.com/company/clearwater-compliance-llc/

TWITTER | @clearwaterhipaa

EMAIL | [email protected]

PHONE | 800-704-3394

Thank You.
