Compliance, Security and Risk Management Relationship Advice. Andrew Hicks, Director Coalfire

Transcription

1 Compliance, Security and Risk Management Relationship Advice Andrew Hicks, Director Coalfire

2 Housekeeping You may submit questions throughout the webinar using the question area in the control panel on the right side of your screen. We will address as many questions as possible during the Q&A portion of the webinar until the top of the hour. All remaining questions will be responded to via after the webinar. Attendees will receive a PDF of the slide presentation and a link to the recorded webinar. 2

3 Speaker Information Andrew Hicks MBA, CISA, CCM, CRISC, HITRUST CSF Practitioner Mr. Hicks has over 15 years of experience in IT GRC specific to IT security, risk management, audit, business continuity, disaster recovery, and regulatory compliance. He has implemented and managed IT internal control programs relative to maintaining Sarbanes-Oxley, HIPAA security, HITECH, HITRUST and PCI regulatory compliance. 3

4 Agenda Healthcare data what s the fuss? Compliance not equal to security ephi environment Beyond compliance Risk management A justified response Questions 4

5 Healthcare data what s the fuss? EHRs, clinical data warehousing, home monitoring and remote medicine huge transformation. All of this data introduces new vulnerabilities, emerging cyber threats and increased security risks. Adoption is still new for many healthcare organizations and the exchange of patient information is still evolving. Healthcare orgs face ever-increasing regulatory burdens, including compliance with the new HIPAA Omnibus Rule. 5

6 Compliance Security Risk Management Let s compare & contrast 6

7 What is compliance? Verifies your organization s conformance to policies and standards. Helps reduce organizational risk. Creates customer trust and confidence in your organization s protection of personal health information. Reduces potential for financial penalties due to reasonable cause or willful neglect. Compliance is an outcome of an effective security program 7

8 Compliance is not equal to security Complying with HIPAA does not mean your data is safe No guaranteed protection Compliance does not: Eliminate your risk Prevent a breach Eliminate penalties associated with a breach Compliance is an outcome of an effective security program 8

9 What is security? The implementation of policies, procedures and training to mitigate or avoid risk. Helps to create a baseline for standards for the secure handling of PHI and awareness of privacy and security procedures across the organization. 9

10 Today s ephi environment 10

11 Go beyond compliance & security Defense in depth Physical and logical access controls Sufficient network segmentation FIM solution SIEM solution Encryption and/or tokenization Risk Management Identify all critical assets Prioritize criticality Select controls Establish effective oversight and governance 11

12 What is risk management? Helps identify and assess data security risks to develop appropriate security controls to mitigate or avoid risk. Allows your organization to make informed decisions on how to allocate security resources to improve data protection. Resources: ONC SRA Tool HSR Toolkit HIMSS RA Toolkit NIST

13 3 strikes and you re out! Internal/external threats won t exploit your vulnerabilities PHI will never be lost or stolen My organization won t be selected for an OCR audit Is it worth accepting the risk? The Truth. 13

14 What s reasonable? Is it reasonable that your last risk assessment or compliance evaluation was 3 years ago? Is it reasonable to report that your last policy update was in 2007? Is it reasonable that your entire risk analysis program and results summary is a 2-page document? Is it reasonable that your HIPAA compliance program is validate by internal resources? 14

15 What s reasonable? (cont.) Is it reasonable to report that your last workforce training was in 2008? Is it reasonable to claim that your network is secure when mgmt. hasn t authorized pen testing or vulnerability scanning? 15

16 A 10-step program - #1 Elements of Gap/Compliance Assessments Gap Assessment Evaluates control design Sample size of 1 Reserved for newbies Minimal level of effort (low cost) Basic understanding of ephi assets Data flow diagrams recommended Compliance Assessment Assesses operating effectiveness Sample size based on population size Reserved for mature HIPAA programs High level of effort (high cost) ephi asset inventory required Data flow diagrams required 16

17 A 10-step program - #2 Risk Analysis/Risk Management Both are required per HIPAA Position your organization to claim that you ve addressed and documented each of the key elements of these programs. Leverage OCR guidance, NIST , etc. Characterize your ephi environment. 17

18 A 10-step program - #3 Meaningful Use Attestation Assess the impact of your risk analysis program on your Meaningful Use attestation processes that are planned or underway. Keep in mind that the risk analysis required for Meaningful Use ties directly to the HIPAA Security Rule requirements. 18

19 A 10-step program - #4 Evidence Library Maintain sufficient documentation of your efforts. Maintain an evidence library within a GRC tool or on a portal. It should house evidence that tells a story to an independent auditor with little or no additional explanation required. 19

20 A 10-step program - #5 Continuous monitoring/sustainable program Ensure that you have implemented a sustainable program. It must adapt to a changing environment. It should be proactive, not reactive. Put continuous monitoring plans in place. 20

21 A 10-step program - #6 Industry Development Information Stay updated on everything going on in the healthcare industry it s fast-paced with ongoing news and changes. Leverage existing guidance to the greatest extent possible in a timely manner. 21

22 A 10-step program - #7 Collaboration Work with internal audit, privacy, compliance, contracts and legal departments. (and other applicable resources) Security and privacy should be top of mind and an integral part of audit plan in some capacity. 22

23 A 10-step program - #8 Test, test, test Go beyond evaluating the design of security and privacy processes. Test their operating effectiveness. Mock data breach (to test IRP) 23

24 A 10-step program - #9 Vulnerability/penetration testing Perform regular, proactive testing. Make sure weaknesses are addressed in a timely manner. 24

25 A 10-step program - #10 Peer connections Network with your peers Share knowledge and brainstorm You re not alone in this Conferences Social media 25

26 An ounce of prevention Have you performed a compliance evaluation is the past year? Do you have a robust risk analysis process in place to monitor and address threats and vulnerabilities to your organization continuously? 26

27 is worth a pound of cure. Are you leveraging Meaningful Use efforts to bring attention to the importance of HIT? Have you implemented a sustainable program to manage risk proactively versus reactively putting out fires? 27

28 Questions Andrew Hicks Coalfire ext