Compliance, Security and Risk Management Relationship Advice. Andrew Hicks, Director Coalfire




Housekeeping
- You may submit questions throughout the webinar using the question area in the control panel on the right side of your screen.
- We will address as many questions as possible during the Q&A portion of the webinar until the top of the hour.
- All remaining questions will be responded to via email after the webinar.
- Attendees will receive a PDF of the slide presentation and a link to the recorded webinar.

Speaker Information
Andrew Hicks, MBA, CISA, CCM, CRISC, HITRUST CSF Practitioner
Mr. Hicks has over 15 years of experience in IT GRC specific to IT security, risk management, audit, business continuity, disaster recovery, and regulatory compliance. He has implemented and managed IT internal control programs relative to maintaining Sarbanes-Oxley, HIPAA security, HITECH, HITRUST and PCI regulatory compliance.

Agenda
- Healthcare data: what's the fuss?
- Compliance is not equal to security
- ePHI environment
- Beyond compliance
- Risk management
- A justified response
- Questions

Healthcare data: what's the fuss?
- EHRs, clinical data warehousing, home monitoring and remote medicine: a huge transformation.
- All of this data introduces new vulnerabilities, emerging cyber threats and increased security risks.
- Adoption is still new for many healthcare organizations and the exchange of patient information is still evolving.
- Healthcare orgs face ever-increasing regulatory burdens, including compliance with the new HIPAA Omnibus Rule.

Compliance, Security, Risk Management: let's compare & contrast

What is compliance?
- Verifies your organization's conformance to policies and standards.
- Helps reduce organizational risk.
- Creates customer trust and confidence in your organization's protection of personal health information.
- Reduces the potential for financial penalties due to reasonable cause or willful neglect.
Compliance is an outcome of an effective security program.

Compliance is not equal to security
- Complying with HIPAA does not mean your data is safe.
- No guaranteed protection.
- Compliance does not:
  - Eliminate your risk
  - Prevent a breach
  - Eliminate penalties associated with a breach
Compliance is an outcome of an effective security program.

What is security?
- The implementation of policies, procedures and training to mitigate or avoid risk.
- Helps create a baseline of standards for the secure handling of PHI and awareness of privacy and security procedures across the organization.

Today's ePHI environment

Go beyond compliance & security
Defense in depth
- Physical and logical access controls
- Sufficient network segmentation
- File integrity monitoring (FIM) solution
- Security information and event management (SIEM) solution
- Encryption and/or tokenization
Risk management
- Identify all critical assets
- Prioritize criticality
- Select controls
- Establish effective oversight and governance

What is risk management?
- Helps identify and assess data security risks in order to develop appropriate security controls to mitigate or avoid risk.
- Allows your organization to make informed decisions on how to allocate security resources to improve data protection.
Resources: ONC SRA Tool, HSR Toolkit, HIMSS RA Toolkit, NIST 800-30

3 strikes and you're out!
- Internal/external threats won't exploit your vulnerabilities
- PHI will never be lost or stolen
- My organization won't be selected for an OCR audit
Is it worth accepting the risk? The Truth.

What's reasonable?
- Is it reasonable that your last risk assessment or compliance evaluation was 3 years ago?
- Is it reasonable to report that your last policy update was in 2007?
- Is it reasonable that your entire risk analysis program and results summary is a 2-page document?
- Is it reasonable that your HIPAA compliance program is validated by internal resources?

What's reasonable? (cont.)
- Is it reasonable to report that your last workforce training was in 2008?
- Is it reasonable to claim that your network is secure when management hasn't authorized pen testing or vulnerability scanning?

A 10-step program - #1: Elements of Gap/Compliance Assessments
Gap Assessment
- Evaluates control design
- Sample size of 1
- Reserved for newbies
- Minimal level of effort (low cost)
- Basic understanding of ePHI assets
- Data flow diagrams recommended
Compliance Assessment
- Assesses operating effectiveness
- Sample size based on population size
- Reserved for mature HIPAA programs
- High level of effort (high cost)
- ePHI asset inventory required
- Data flow diagrams required

A 10-step program - #2: Risk Analysis/Risk Management
- Both are required per HIPAA.
- Position your organization to claim that you've addressed and documented each of the key elements of these programs.
- Leverage OCR guidance, NIST 800-30, etc.
- Characterize your ePHI environment.

A 10-step program - #3: Meaningful Use Attestation
- Assess the impact of your risk analysis program on your Meaningful Use attestation processes that are planned or underway.
- Keep in mind that the risk analysis required for Meaningful Use ties directly to the HIPAA Security Rule requirements.

A 10-step program - #4: Evidence Library
- Maintain sufficient documentation of your efforts.
- Maintain an evidence library within a GRC tool or on a portal.
- It should house evidence that tells a story to an independent auditor with little or no additional explanation required.

A 10-step program - #5: Continuous monitoring/sustainable program
- Ensure that you have implemented a sustainable program.
- It must adapt to a changing environment.
- It should be proactive, not reactive.
- Put continuous monitoring plans in place.

A 10-step program - #6: Industry Development Information
- Stay updated on everything going on in the healthcare industry; it's fast-paced, with ongoing news and changes.
- Leverage existing guidance to the greatest extent possible in a timely manner.

A 10-step program - #7: Collaboration
- Work with internal audit, privacy, compliance, contracts and legal departments (and other applicable resources).
- Security and privacy should be top of mind and an integral part of the audit plan in some capacity.

A 10-step program - #8: Test, test, test
- Go beyond evaluating the design of security and privacy processes.
- Test their operating effectiveness.
- Mock data breach (to test the incident response plan, IRP)

A 10-step program - #9: Vulnerability/penetration testing
- Perform regular, proactive testing.
- Make sure weaknesses are addressed in a timely manner.

A 10-step program - #10: Peer connections
- Network with your peers
- Share knowledge and brainstorm
- You're not alone in this
- Conferences
- Social media

An ounce of prevention...
- Have you performed a compliance evaluation in the past year?
- Do you have a robust risk analysis process in place to monitor and address threats and vulnerabilities to your organization continuously?

...is worth a pound of cure.
- Are you leveraging Meaningful Use efforts to bring attention to the importance of HIT?
- Have you implemented a sustainable program to manage risk proactively versus reactively putting out fires?

Questions
Andrew Hicks, Coalfire
877.224.8077 ext. 5310
andrew.hicks@coalfire.com
www.hipaacentral.com