
© Clearwater Compliance | All Rights Reserved

1

Legal Disclaimer

The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.


Welcome

Welcome to today’s Live Event… we will begin shortly…

Please feel free to use the “Question” area to pose any ‘burning’ questions you may have in advance…

“So you know your risks, now what?”


How to Conduct NIST-based Risk Response to Comply with HIPAA & Other Regulations


Jon Stone, MPA, CRISC, HCISPP, PMP

Vice President of Product Innovation

[email protected]

615-210-9612

• VP of Product Innovation for Clearwater Compliance, LLC

• 30+ years in Healthcare in the provider, payer and healthcare quality improvement industries

• 20+ years of strategic leadership for compliance and Healthcare information technology projects involving the most sensitive ePHI for companies such as CIGNA, Healthways and Optum

• MPA - Healthcare Policy and Administration


Some Ground Rules

1. Slide materials

A. Check “Download” area on GoToWebinar Control panel to copy/paste link and download materials

2. Questions in “Question Area” on GTW Control Panel

3. In case of technical issues, check “Chat Area”

4. All Attendees are in Listen Only Mode

5. Please complete Exit Survey, when you leave session

6. Recorded version and final slides within 48 hours


Our Passion

We’re excited about what we do because…

…we’re helping organizations improve patient safety and the quality of care by safeguarding the very personal and private healthcare information of millions of fellow Americans…

… And, keeping those same organizations off the Wall of Shame…!


Awards and Recognition

2015 & 2016

Exclusive

Industry Resource Provider

Software Used by NSA/CAEs

Sole Source Provider

#11 – 2015 & 2016


Our Goal Is To Help You Become As Self-Sufficient As You Wish To Be

This empowering philosophy underpins everything we do.

• Commitment to educational resources for our audiences

• Ongoing support and training for our customers

• Thought-, service-, methodology- and software-leadership


Clearwater Information Risk Management Life Cycle


Outline

• Regulations and Standards

• Risk Foundation

• Options for effective risk response

• Evaluating alternatives to reduce risks

• How to make sure risk responses get implemented

• Resources


Must Do!

• Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. - 45 C.F.R. §164.308(a)(1)(i)(A)

• Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a). - 45 C.F.R. §164.308(a)(1)(i)(B)

• “The objective of Section 404 is to provide meaningful disclosure to investors about the effectiveness of a company’s internal controls systems, without creating unnecessary compliance burdens or wasting shareholder resources.” – SEC Press release, 2007

• “PCI DSS 12.1.2 Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP800-30)” – PCI DSS 2.0


Meaningful Use Stage 2

...and implement security updates as necessary and correct identified security deficiencies as part of its risk management process


Security Management Process - Risk Management (2016 Audit Protocols)

§164.308(a)(1)(ii)(B): (Required) Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with General Requirements

• Has the entity implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level?

• Evaluate and determine whether the implemented security measures appropriately respond to the threats and vulnerabilities identified in the risk analysis according to the risk rating and that such security measures are sufficient to mitigate or remediate identified risks to an acceptable level.


Moving From Audit To Enforcement – Risk Response

“10. Please provide evidence of XXX security measures that are in place to reduce the risks to ePHI identified in the risk analysis (i.e. risk management plan and accompanying evidence).

Please be sure to submit a copy of a risk management plan(s) associated with each risk analysis requested above. These risk management plans should describe the security measures implemented by XXX to sufficiently reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level to comply with 164.308(a)(1)(ii).

Please ensure the risk management plan states the dates of implementation and/or estimated dates of completion for each security measure. Provide evidence of implementation where applicable (i.e. screenshots, business associate agreements, photographs, etc.)”


Risk Foundation

Risk Response Fundamentals

• All Risks Need a Response

• Not All Risks Must Be Mitigated

• Risk Response Requires Setting Your Risk Threshold

• Risk Response Requires Real Risk Analysis

• Risk Response is Informed Decision Making

What’s New?


Risk Response Workflow (diagram labels): Framing Risk Response, Documentation, Risk Threshold, Risk Treatment, Approve, Alternatives, Implementation Planning, Reports, Risk Analysis, Identified Risks, Monitoring, Audit and Metrics, Evaluate Alternatives, Risk Action Plan, Risk Reconciliation

Risk Tolerance

Risk tolerance is the level of risk or degree of uncertainty that is acceptable to the organization and is a key element of the organizational risk frame.

An important risk management activity, and also part of risk framing, is the determination of risk tolerance.


Risk Threshold

Select your Risk Threshold based on your overall tolerance for uncertainty that is acceptable to the organization.

Accepted | Require Treatment



NIST Risk Response Process (NIST SP 800-39, pp. 42–44)

01 Risk Response Identification

02 Evaluate Alternatives

03 Risk Response Decision

04 Risk Response Implementation

Begins with determining your Risk Threshold (NIST SP 800-39, pg. 2)

Options for effective risk response

Risk Response Identification (01) – Also known as Risk Treatment

• Risk Acceptance – Risk acceptance is the appropriate risk response when the identified risk is within the organizational risk tolerance. NIST SP 800-39, pg. 42

• Risk Avoidance – Risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk … to avoid the potential for unacceptable risk. NIST SP 800-39, pg. 42

• Risk Mitigation – Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred. [Adding or enhancing controls or safeguards] NIST SP 800-39, pg. 42

• Risk Transfer – Risk transfer shifts the risk liability from one organization to another organization (e.g., using insurance to transfer risk from particular organizations to insurance companies). NIST SP 800-39, pg. 43

Risk Response Identification


Evaluating alternatives to reduce risks


Evaluate Alternatives

• Effectiveness - the expected effectiveness in achieving desired risk response
  – Build in additional Controls
  – Increase the strength of a control

• Feasibility - the anticipated feasibility of implementation
  – Don’t forget mission, legal, technical, operational considerations

• Cost

Evaluate Alternatives - Risk Avoidance Example

Risk avoidance is the risk response technique that entails eliminating hazards, activities and exposures that place an organization's valuable assets at risk.

Evaluate Alternatives – Mitigation Example

Evaluate a course of action to reduce a risk


Risk Response Decision

Decide on the appropriate course of action for responding to risk

• Approve – Select a course of action

• Document – Document the investment of resources

• Residual Risk Rating – Document Residual Risk

Residual Risk and Approval

Residual risk is the projected portion of the risk that is left after risk treatment has been applied

How to make sure risk responses get implemented


Essential Implementation Elements

• Planning – Timeline for implementation of risk response measures

• Accountability – Individuals responsible for the selected risk response measures

• Monitoring – Plans for monitoring the effectiveness of risk response measures

• Evidence – Attachments, Notes, Design Documents, Testing Artifacts, Deployment Plans

Implementation Planning

Initiate Risk Response Activities as projects


Action Plan Fundamentals

• Description – Concise and well described requirements that minimize confusion

• Responsibility – Ownership and Accountability

• Dates – Due Dates, Interim Dates, Completion Dates

• Notes – Documentation of accomplishments, next steps and risks/issues/barriers

• Search and Filtering – View and sorting for Urgent, Past Due, On the Horizon activities

Risk Action Plan

• Manage from a Risk Action Plan (Risk Management Plan)

• Maintain documentation

• Log Accomplishments, Next Steps and Barriers to drive progress

What Comes After Risk Response?


Resources

Clearwater WorkShop™ Process

01 Preparation

• Plan / Gather / Schedule

• Read Ahead / Review Materials

• Provide SaaS Subscription/Train

• Administer Surveys

02 Onsite Discovery/Assessment

• Facilitate & Discover

• Educate & Equip

• Evaluate & Advise

• Gather & Populate SaaS

03 Written Report

• Analyze Findings

• Document Observations

• Develop Recommendations

• Present and Sign Off

Software Subscription Plus WorkShop™

• 2.5-hours training for as many staff as you wish

• Ongoing technical support

• IRM | Analysis™ - 2 or 3-year subscription, paid annually.

• Ongoing software updates.

• Ongoing Community engagement.

• Professional consulting services to complete the risk analysis process, end-to-end.

• Risk Analysis Report with Findings, Observations and Recommendations.

• Fully-populated IRM | Analysis™ software application.

Our goal at Clearwater is to help your organization become as self-sufficient as you would like to be, as quickly as you would like to be.

Get More Info…

Register For Upcoming Live HIPAA-HITECH Webinars at: http://clearwatercompliance.com/live-educational-webinars/

View pre-recorded Webinars like this one at: http://clearwatercompliance.com/on-demand-webinars/

IRM | Analysis™ Software

• Insight – Understand significant threats and vulnerabilities

• Controls – Determine if you have the right controls in place

• Risk Rating – View critical risks on intuitive dashboards and reports

• Manage Complexity – Automate the management of risk information across complex enterprises

• Plan and Evaluate – Plan a course of action to reduce critical risks

• Implementation – Manage the implementation of effective safeguards

10-Day Free Trial!

Jon Stone, MPA, CRISC, HCISPP, PMP

https://www.clearwatercompliance.com

[email protected]

Phone: 800-704-3394 or 615-210-9612

linkedin.com/in/jonstonepmp

Exit Survey, Please


WWW.CLEARWATERCOMPLIANCE.COM

106 WINDWARD PT, HENDERSONVILLE, TN 37075-5108

(800) 704-3394

http://www.linkedin.com/in/bobchaput/

@clearwaterhipaa

ClearwaterCompliance

Clearwater Compliance