© Clearwater Compliance | All Rights Reserved
Legal Disclaimer
The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.
Copyright Notice
All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
Welcome
Welcome to today’s Live Event… we will begin shortly…
Please feel free to use the “Question” area to pose any ‘burning’ questions you may have in advance…
“So you know your risks, now what?”
How to Conduct NIST-based Risk Response to Comply with HIPAA & Other Regulations
Jon Stone, MPA, CRISC, HCISPP, PMP
Vice President of Product Innovation
615-210-9612
• VP of Product Innovation for Clearwater Compliance, LLC
• 30+ years in Healthcare in the provider, payer and healthcare quality improvement industries
• 20+ years of strategic leadership for compliance and Healthcare information technology projects involving the most sensitive ePHI for companies such as CIGNA, Healthways and Optum
• MPA - Healthcare Policy and Administration
Some Ground Rules
1. Slide materials
   A. Check “Download” area on GoToWebinar Control panel to copy/paste link and download materials
2. Questions in “Question Area” on GTW Control Panel
3. In case of technical issues, check “Chat Area”
4. All Attendees are in Listen Only Mode
5. Please complete Exit Survey when you leave the session
6. Recorded version and final slides within 48 hours
Our Passion
We’re excited about what we do because…
…we’re helping organizations improve patient safety and the quality of care by safeguarding the very personal and private healthcare information of millions of fellow Americans…
… And, keeping those same organizations off the Wall of Shame…!
Awards and Recognition
[Award logos: 2015 & 2016 Exclusive Industry Resource Provider; Software Used by NSA/CAEs; Sole Source Provider; #11 – 2015 & 2016]
Our Goal Is To Help You Become As Self-Sufficient As You Wish To Be
This empowering philosophy underpins everything we do:
• Commitment to educational resources for our audiences
• Ongoing support and training for our customers
• Thought-, service-, methodology- and software-leadership
Outline
• Regulations and Standards
• Risk Foundation
• Options for effective risk response
• Evaluating alternatives to reduce risks
• How to make sure risk responses get implemented
• Resources
Must Do!
• Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. - 45 C.F.R. §164.308(a)(1)(i)(A)
• Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a). - 45 C.F.R. §164.308(a)(1)(i)(B)
• “The objective of Section 404 is to provide meaningful disclosure to investors about the effectiveness of a company’s internal controls systems, without creating unnecessary compliance burdens or wasting shareholder resources.” – SEC Press release, 2007
• “PCI DSS 12.1.2 Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP800-30)” – PCI DSS 2.0
Meaningful Use Stage 2
...and implement security updates as necessary and correct identified security deficiencies as part of its risk management process
2016 Audit Protocols: Security Management Process - Risk Management
§164.308(a)(1)(ii)(B): (Required) Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with General Requirements
• Has the entity implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level?
• Evaluate and determine whether the implemented security measures appropriately respond to the threats and vulnerabilities identified in the risk analysis according to the risk rating and that such security measures are sufficient to mitigate or remediate identified risks to an acceptable level.
Moving From Audit To Enforcement – Risk Response
“10. Please provide evidence of XXX security measures that are in place to reduce the risks to ePHI identified in the risk analysis (i.e. risk management plan and accompanying evidence).
Please be sure to submit a copy of a risk management plan(s) associated with each risk analysis requested above. These risk management plans should describe the security measures implemented by XXX to sufficiently reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level to comply with 164.308(a)(1)(ii).
Please ensure the risk management plan states the dates of implementation and/or estimated dates of completion for each security measure. Provide evidence of implementation where applicable (i.e. screenshots, business associate agreements, photographs, etc.)”
Risk Response Fundamentals
• All Risks Need a Response
• Not All Risks Must Be Mitigated
• Risk Response Requires Setting Your Risk Threshold
• Risk Response Requires Real Risk Analysis
• Risk Response is Informed Decision Making – What’s New?
[Diagram: Risk Response Workflow, with the elements Framing Risk Response, Risk Threshold, Documentation, Risk Analysis, Identified Risks, Risk Treatment, Evaluate Alternatives, Approve Alternatives, Risk Action Plan, Implementation Planning, Risk Reconciliation, Monitoring, Audit and Metrics, Reports]
Risk Tolerance
Risk tolerance is the level of risk or degree of uncertainty that is acceptable to the organization and is a key element of the organizational risk frame.
An important risk management activity, and also part of risk framing, is the determination of risk tolerance.
Risk Threshold
Select your Risk Threshold based on the overall tolerance for uncertainty that is acceptable to the organization.
[Scale: risks rated at or below the threshold are Accepted; risks rated above it Require Treatment]
NIST Risk Response Process (NIST SP 800-39, pg. 42–44)
01 Risk Response Identification
02 Evaluate Alternatives
03 Risk Response Decision
04 Risk Response Implementation
Begins with determining your Risk Threshold (NIST SP 800-39, pg. 2)
Risk Response Identification (also known as Risk Treatment)
01 Risk Acceptance: Risk acceptance is the appropriate risk response when the identified risk is within the organizational risk tolerance. NIST SP 800-39, pg. 42
02 Risk Mitigation: Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred. [Adding or enhancing controls or safeguards] NIST SP 800-39, pg. 42
03 Risk Transfer: Risk transfer shifts the risk liability from one organization to another organization (e.g., using insurance to transfer risk from particular organizations to insurance companies). NIST SP 800-39, pg. 43
04 Risk Avoidance: Risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk … to avoid the potential for unacceptable risk. NIST SP 800-39, pg. 42
Evaluate Alternatives
• Effectiveness - the expected effectiveness in achieving the desired risk response (build in additional controls; increase the strength of a control)
• Feasibility - the anticipated feasibility of implementation (don’t forget mission, legal, technical, operational considerations)
• Cost
Evaluate Alternatives - Risk Avoidance Example
Risk avoidance is the risk response technique that entails eliminating hazards, activities and exposures that place an organization's valuable assets at risk.
Evaluate Alternatives – Mitigation Example
Evaluate a course of action to reduce a risk
Risk Response Decision
Decide on the appropriate course of action for responding to risk
• Approve: Select a course of action
• Document: Document the investment of resources
• Residual Risk Rating: Document Residual Risk
Residual Risk and Approval
Residual risk is the projected portion of the risk that is left after risk treatment has been applied.
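The workflow on the preceding slides (set a risk threshold, classify each identified risk as Accepted or Require Treatment, choose among accept/avoid/mitigate/transfer alternatives by effectiveness, feasibility and cost, then record the residual risk for approval) can be walked through end to end in a few dozen lines. The following is an added illustration, not code from Clearwater or from the IRM | Analysis™ product, and it assumes a 5x5 likelihood-by-impact scale, a numeric threshold on that scale, and a simple effectiveness × feasibility / cost ranking; the risk register and the owner/due-date values are constructed sample data.

```python
"""Risk response walkthrough over a constructed risk register.

Added illustration, not Clearwater's or NIST's code. Assumes a 5x5 scale where
rating = likelihood * impact (1..25) and a numeric risk threshold on that scale.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1..5 (assumed scale)
    impact: int      # 1..5 (assumed scale)

    @property
    def rating(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Alternative:
    """One candidate response; `response` is a NIST SP 800-39 option."""
    name: str
    response: str          # "accept" | "avoid" | "mitigate" | "transfer"
    effectiveness: int     # 1..5, expected effectiveness in achieving the response
    feasibility: int       # 1..5, anticipated feasibility (mission/legal/technical/operational)
    cost: int              # 1..5, relative cost
    residual_likelihood: int
    residual_impact: int

    @property
    def residual_rating(self) -> int:
        """Projected risk left after this treatment is applied."""
        return self.residual_likelihood * self.residual_impact


def classify(risk: Risk, threshold: int) -> str:
    """Apply the risk threshold: at or below it the risk is accepted."""
    return "Accepted" if risk.rating <= threshold else "Require Treatment"


def alternative_score(alt: Alternative) -> float:
    """Rank by effectiveness and feasibility per unit of cost (assumed weighting)."""
    return alt.effectiveness * alt.feasibility / alt.cost


def select_response(alternatives, threshold: int):
    """Pick the best-scoring alternative whose residual risk is within the threshold.

    Returns None when no alternative brings residual risk to an acceptable level;
    that risk must go back for more alternatives or an explicit, documented acceptance.
    """
    viable = [a for a in alternatives if a.residual_rating <= threshold]
    return max(viable, key=alternative_score) if viable else None


def build_action_plan(register, threshold: int, owner: str, due: str):
    """One action-plan entry per identified risk: decision, action, residual, owner, due date."""
    plan = []
    for risk, alternatives in register:
        entry = {"asset": risk.asset, "threat": risk.threat, "rating": risk.rating,
                 "owner": owner, "due": due}
        if classify(risk, threshold) == "Accepted":
            entry.update(response="accept", action="Document acceptance", residual=risk.rating)
        else:
            chosen = select_response(alternatives, threshold)
            if chosen is None:
                entry.update(response="undecided", residual=risk.rating,
                             action="Escalate: no alternative within threshold")
            else:
                entry.update(response=chosen.response, action=chosen.name,
                             residual=chosen.residual_rating)
        plan.append(entry)
    return plan


# Constructed sample register (not real findings).
SAMPLE_REGISTER = [
    (Risk("Clinician laptops", "Theft of unencrypted device", 4, 5), [
        Alternative("Deploy full-disk encryption", "mitigate", 5, 4, 2, 4, 1),
        Alternative("Buy cyber insurance", "transfer", 2, 5, 3, 4, 3),
        Alternative("Eliminate laptops; thin clients only", "avoid", 5, 1, 5, 1, 1),
    ]),
    (Risk("Internal wiki", "Staff view outdated policy", 2, 3), []),
    (Risk("Legacy imaging server", "Unsupported OS exploited", 5, 5), [
        Alternative("Network segmentation", "mitigate", 3, 4, 3, 3, 5),
    ]),
]

THRESHOLD = 9  # assumed organizational risk threshold on the 1..25 scale


if __name__ == "__main__":
    for entry in build_action_plan(SAMPLE_REGISTER, THRESHOLD, "CISO", "2016-12-31"):
        print(entry)
```

On the sample data the laptop risk (rating 20) is treated by encryption because insurance leaves residual risk at 12, above the threshold; the wiki risk (rating 6) is accepted and documented as such; the imaging server (rating 25) has no alternative that reaches the threshold, so the plan flags it for escalation rather than silently approving it. That last branch is the point of recording residual risk before approval.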
Essential Implementation Elements
• Planning: Timeline for implementation of risk response measures
• Accountability: Individuals responsible for the selected risk response measures
• Monitoring: Plans for monitoring the effectiveness of risk response measures
• Evidence: Attachments, Notes, Design Documents, Testing Artifacts, Deployment Plans
Implementation Planning
Initiate Risk Response Activities as projects
Action Plan Fundamentals
• Description: Concise and well described requirements that minimize confusion
• Responsibility: Ownership and Accountability
• Dates: Due Dates, Interim Dates, Completion Dates
• Notes: Documentation of accomplishments, next steps and risks/issues/barriers
• Search and Filtering: View and sorting for Urgent, Past Due, On the Horizon activities
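The Urgent / Past Due / On the Horizon views above are just date arithmetic over the action-plan fields (description, owner, due date, completion date, notes). The following added example, which is not Clearwater's or the IRM | Analysis™ product's code, shows that bucketing and filtering; the windows (urgent = due within 7 days, horizon = due within 30 days), the "Scheduled" bucket for anything further out, and the sample action items are assumptions constructed for the illustration.

```python
"""Status views over a risk action plan: Urgent, Past Due, On the Horizon.

Added illustration, not Clearwater's or the IRM | Analysis software's code.
The windows below are assumptions, not values from the webinar.
"""
from datetime import date, timedelta

URGENT_DAYS = 7     # assumed: due within a week counts as Urgent
HORIZON_DAYS = 30   # assumed: due within a month counts as On the Horizon


def item_status(due: date, today: date) -> str:
    """Bucket one action item by its due date relative to today."""
    if due < today:
        return "Past Due"
    if due <= today + timedelta(days=URGENT_DAYS):
        return "Urgent"
    if due <= today + timedelta(days=HORIZON_DAYS):
        return "On the Horizon"
    return "Scheduled"


def view(items, today: date, status: str):
    """Return open (not completed) items with the requested status, soonest due date first."""
    matching = [i for i in items
                if i["completed"] is None and item_status(i["due"], today) == status]
    return sorted(matching, key=lambda i: i["due"])


# Constructed sample action items and "today" (not real findings or dates).
SAMPLE_TODAY = date(2016, 10, 15)
SAMPLE_ITEMS = [
    {"description": "Deploy full-disk encryption to clinician laptops", "owner": "IT Ops",
     "due": date(2016, 10, 1), "completed": None,
     "notes": "Pilot done; rollout blocked on budget approval"},
    {"description": "Segment legacy imaging server", "owner": "Network",
     "due": date(2016, 10, 20), "completed": None, "notes": ""},
    {"description": "Update BAA with cloud backup vendor", "owner": "Compliance",
     "due": date(2016, 11, 10), "completed": None, "notes": ""},
    {"description": "Approve risk threshold", "owner": "CISO",
     "due": date(2016, 9, 1), "completed": date(2016, 9, 1), "notes": "Signed off"},
    {"description": "Annual risk analysis refresh", "owner": "Compliance",
     "due": date(2017, 3, 1), "completed": None, "notes": ""},
]


if __name__ == "__main__":
    for status in ("Past Due", "Urgent", "On the Horizon"):
        for item in view(SAMPLE_ITEMS, SAMPLE_TODAY, status):
            print(f"{status:15} {item['due']} {item['owner']:12} {item['description']}")
```

Completed items drop out of every view, so the Past Due list only ever shows work that is genuinely late, which is what an auditor asking for "dates of implementation and/or estimated dates of completion" will compare against the evidence.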
Risk Action Plan
Manage from a Risk Action Plan (Risk Management Plan)
Risk Action Plan
Log Accomplishments, Next Steps and Barriers to drive progress
Clearwater WorkShop™ Process
Preparation
• Plan / Gather / Schedule
• Read Ahead / Review Materials
• Provide SaaS Subscription/Train
• Administer Surveys
Onsite Discovery/Assessment
• Facilitate & Discover
• Educate & Equip
• Evaluate & Advise
• Gather & Populate SaaS
Written Report
• Analyze Findings
• Document Observations
• Develop Recommendations
• Present and Sign Off
Software Subscription Plus WorkShop™
• 2.5-hours training for as many staff as you wish
• Ongoing technical support
• IRM | Analysis™ - 2 or 3-year subscription, paid annually.
• Ongoing software updates.
• Ongoing Community engagement.
• Professional consulting services to complete the risk analysis process, end-to-end.
• Risk Analysis Report with Findings, Observations and Recommendations.
• Fully-populated IRM | Analysis™ software application.
Our goal at Clearwater is to help your organization become as self-sufficient as you would like to be, as quickly as you would like to be.
Get More Info…
Register For Upcoming Live HIPAA-HITECH Webinars at: http://clearwatercompliance.com/live-educational-webinars/
View pre-recorded Webinars like this one at: http://clearwatercompliance.com/on-demand-webinars/
IRM | Analysis™ Software
• Insight: Understand significant threats and vulnerabilities
• Controls: Determine if you have the right controls in place
• Risk Rating: View critical risks on intuitive dashboards and reports
• Manage Complexity: Automate the management of risk information across complex enterprises
• Plan and Evaluate: Plan a course of action to reduce critical risks
• Implementation: Manage the implementation of effective safeguards
10-Day Free Trial!
Jon Stone, MPA, CRISC, HCISPP, PMP
https://www.clearwatercompliance.com
Phone: 800-704-3394 or 615-210-9612
linkedin.com/in/jonstonepmp
Exit Survey, Please