© Clearwater Compliance LLC | All Rights Reserved Copyright Notice 1 Copyright Notice. All materials contained within this document are protected by United.

© Clearwater Compliance LLC | All Rights Reserved
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to

Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

“… what we’re seeing over and over again is the failure to do a thorough risk analysis…”
“… risk analysis will be one of the areas of focus… [in the 2014 OCR audits]”
-- September 23, 2013 | HIMSS Media Health Privacy & Security Forum

Instructional Module 9: How to Complete the HIPAA Security Rule Risk Analysis and Technical Testing Requirements

Module 9. Overview
1. “How to Complete the HIPAA Security Rule Risk Analysis and Technical Testing Requirements”
2. Instructional Module Duration = 45 minutes
3. Learning Objectives Addressed In This Module
– Understand the explicit HIPAA Security Rule requirements for Ongoing Assessments
– Explain the difference between compliance and security
– Cite the specific HIPAA regulatory requirements and HHS/OCR Guidance for “technical evaluation”, “non-technical evaluation” and risk analysis
– Define fundamental risk terminology
– Explain why risk analysis is a core foundational step
– Describe the fundamentals of a Risk Analysis

Balanced Compliance Program: Four Critical Dimensions (Clearwater Compliance Compass™)
– Policy defines an organization’s values and expected behaviors; it establishes “good faith” intent.
– People must include talented privacy, security and technical staff, engaged and supportive management, and trained/aware colleagues following policies and procedures (PnPs).
– Procedures or processes, documented, provide the actions required to deliver on the organization’s values.
– Safeguards include the various families of administrative, physical or technical security controls (including “guards, guns, and gates”, encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.).

9 Actions to Take Now
1. Set Privacy and Security Risk Management & Governance Program in place (45 CFR § (a)(1))
2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR § and 45 CFR § )
3. Train all Members of Your Workforce (45 CFR § (b) and 45 CFR § (a)(5))
4. Complete a HIPAA Security Risk Analysis (45 CFR § (a)(1)(ii)(A))
5. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR § (a)(8))
6. Complete Technical Testing of Your Environment (45 CFR § (a)(8))
7. Implement a Strong, Proactive Business Associate / Management Program (45 CFR § (e) and 45 CFR § (b))
8. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR § and 45 CFR § )
9. Document and act upon a remediation plan
Demonstrate Good Faith Effort!

Some OCR Corrective Action Plans
Settlements (the columns of the slide's matrix): $150K AP DERM; $1.2M AHP; $1.7M WLP; $400K ISU; $50K HONI; $1.5M MEEI; $2.3M CVS; $1.0M Rite-Aid; $1.5M BCBS TN; $1.0M MGH; $100K PHX; $865K UCLA; $1.7M AK DHSS. Total: $13.5+M.
Corrective Action Plan (CAP) requirements (the rows of the matrix; the slide marks which settlements imposed each):
– Establish a Comprehensive Information Security Program
– Designate an accountable Security Owner
– Develop Privacy and Security policies and procedures
– Document authorized access to ePHI
– Distribute and update policies and procedures
– Document process for responding to security incidents
– Implement training and sanctions for non-compliance
– Conduct Risk Analysis / Establish Risk Management Process
– Implement Reasonable Safeguards to control risks
– Regularly review records of information system activity
– Implement reasonable steps to select service providers
– Test and monitor security controls following changes
– Obtain assessments from qualified independent 3rd party
– Retain required documentation

Mega Session Objective: Help You Understand and Address TWO Very Specific AND Different HIPAA Security Rule Assessment Requirements…

All Three (3) are Required!

Other Helpful Resources
– Blog Post: HIPAA Audit Tips – Don’t Confuse HIPAA Security Evaluation and Risk Analysis
– Recorded Webinars:
– How To Conduct a Bona Fide HIPAA Security Risk Analysis
– How to Conduct the Periodic Security Evaluation Required by HIPAA Security Rule
– What Business Associates Need to Know about HIPAA

Session Objectives
1. Understand Compliance Assessment Essentials
2. Review specific HIPAA Security Assessment Regulations
3. Learn how to Complete HIPAA Security Assessments

Assessments and Audits Are Central to Compliance
– Establishing great policies and procedures is not enough…
– Training the Workforce is not enough…
– Deploying leading reasonable and appropriate safeguards is not enough…
Regular assessments are crucial in establishing and maintaining effective compliance.

Systematic, Sustainable Programmatic Approach: Reenergize and operationalize your HIPAA-HITECH Compliance Program (timeline diagram)
Start: Oversight
Year 1: Inventory PHI & ePHI; Inventory BAs; Assessments; Remediation Plans; Policies & Procedures; Business Associate Management; Training
Year 2 onward: Re-Inventory PHI & ePHI; Re-Inventory BAs; Redo Assessments; Remediation Plans; Policies & Procedures Review; Business Associate Management; Training Update
Ongoing Support and Guidance throughout. Think Program, Not Project! Assessments are NOT Once and Done.

Types of Assessments
1. Compliance Assessments (Security Evaluation – Non-Technical, at 45 CFR § (a)(8))
– Where do we stand?
– How well are we achieving ongoing compliance?
2. Risk Assessment (Risk Analysis, at 45 CFR § (a)(1)(ii)(A))
– What is the exposure to information assets (e.g., ePHI)?
– What do we need to do to mitigate risks?
3. Technical Assessments (Security Evaluation – Technical, at 45 CFR § (a)(8))
– How effective are the safeguards we have implemented?
– Are the safeguards working?
4. Risk-of-Harm Breach Risk Assessment (Breach-related, in HITECH parlance)
– Have we caused legal, reputational, etc. harm?
– Is there a low probability of compromise of PHI?
Each Assessment Has Its Role and Proper Time


Security Evaluation v. Risk Analysis
45 C.F.R. § (a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
45 C.F.R. § (a)(1)(i) Standard: Security Management Process. (1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. (ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
NOT SUFFICIENT TO CALL THE ‘GEEK SQUAD’ TO RUN A VULNERABILITY SCAN OR PENETRATION TEST…

Three Dimensions of HIPAA Security Business Risk Management
1. Compliance (45 CFR (a)(8))
2. Security (45 CFR (a)(1)(ii)(A))
3. Test & Audit (45 CFR (a)(8) & OCR Audit Protocol)



Risk Analysis: Identify, Rate and Prioritize All Risks
1. What is the exposure of our information assets (e.g., ePHI)?
2. What are all the ways in which the confidentiality, integrity or availability of ePHI might be compromised?

Thinking Like a Risk Analyst
Security Risk exists when… a Threat (Actor) CAN EXPLOIT a Vulnerability (Weakness) in the controls protecting an asset AND CAUSE Impact (Cost).
Risk Analysis IS the process of identifying, prioritizing, and estimating risks … and considers mitigations provided by security controls planned or in place.1
1 NIST SP800-30

Number of Vulnerabilities Increases Radically With Emergence of Wireless, Mobile, Cloud, BYOD
Exploding and Interconnected Digital Universe:
– 33% of all new business software spending will be Software as a Service
– 1 billion workers will be remote or mobile
– 1 trillion connected objects (cars, appliances, cameras)
– 1B Mobile Internet users
– 30% growth of 3G devices
– 30 billion RFID tags (products, passports, buildings, animals)
Embracing New Technologies, Adopting New Business Models: Mobility; Cloud / Virtualization; Social Business; Bring Your Own IT (employees, customers, contractors, outsourcers)

Controls or Safeguards
Once one understands the Risks (each Asset-Threat-Vulnerability triple) to information, controls or safeguards must be in place to secure information from threats and ensure confidentiality, integrity & availability through:
– Deterrent controls
– Preventive controls
– Detective controls
– Corrective controls
– Compensating controls
Compliance regulations/standards often require specific named controls.
Warning: Risk Analysis (RA) is not just checking controls!

HIPAA & HITECH Aside… FISMA Control Families; NIST Control Families; ISO Control Families

Controls Help Address Vulnerabilities (example)
Information Asset: Laptop with ePHI
Threat Source: Burglar who may steal the laptop with ePHI
Threat Action: Steal laptop
Vulnerabilities: Device is portable; Weak password; ePHI is not encrypted; ePHI is not backed up
Controls: Policies & Procedures; Training & Awareness; Cable lock down; Strong passwords; Encryption; Remote wipe; Data Backup

What A Risk Analysis Is…
A Risk Analysis IS the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, …, resulting from the operation of an information system. Part of risk management, it incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.1
1 NIST SP

…from HHS/OCR Final Guidance
– HHS / OCR was required by the HITECH Act to provide guidance
– July 14, 2010: “Guidance on Risk Analysis Requirements”
– Not a news flash: required since April 2005
– Nine (9) Essential Elements

…from HHS/OCR Final Guidance: Regardless of the risk analysis methodology employed…
1. Scope of the Analysis - all ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § (a).)
2. Data Collection - The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ (a)(1)(ii)(A) and (b)(1).)
3. Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ (a)(2), (a)(1)(ii)(A) and (b)(1)(ii).)
4. Assess Current Security Measures - Organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ (b)(1), (a)(1)(ii)(A), and (b)(1).)
5. Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § (b)(2)(iv).)
6. Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § (b)(2)(iv).)
7. Determine the Level of Risk - The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ (a)(2), (a)(1)(ii)(A), and (b)(1).)
8. Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § (b)(1).)
9. Periodic Review and Updates to the Risk Assessment - The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ (e) and (b)(2)(iii).)

Determine Likelihood and Impact
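Elements 3 through 7 of the guidance above, applied to the stolen-laptop scenario from the earlier slide, as an added worked example that is not part of the Clearwater deck: the 1 to 5 likelihood and impact scales, the one-step-per-control reduction rule, the High/Medium/Low thresholds and the sample ratings are constructed assumptions, not Clearwater's or OCR's figures.

```python
"""Risk register from asset / threat / vulnerability triples, following HHS/OCR
elements 3-7: identify threats and vulnerabilities, assess the controls in place,
rate likelihood and impact, derive a risk level. All scales, thresholds and the
sample laptop scenario are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

@dataclass(frozen=True)
class Control:
    name: str
    kind: str                  # deterrent | preventive | detective | corrective | compensating
    mitigates: FrozenSet[str]  # vulnerabilities this control addresses

@dataclass
class Risk:
    asset: str
    threat_source: str
    threat_action: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), before controls
    impact: int      # 1 (negligible) .. 5 (severe) to confidentiality/integrity/availability
    in_place: List[Control] = field(default_factory=list)  # controls actually deployed

def residual(risk: Risk):
    """Element 4: credit only deployed controls. Assumed rule (constructed): each one
    that addresses the vulnerability lowers likelihood a step if deterrent/preventive,
    otherwise lowers impact a step; neither drops below 1."""
    like, imp = risk.likelihood, risk.impact
    for c in risk.in_place:
        if risk.vulnerability not in c.mitigates:
            continue
        if c.kind in ("deterrent", "preventive"):
            like = max(1, like - 1)
        else:
            imp = max(1, imp - 1)
    return like, imp

def level(score: int) -> str:
    """Map a 1..25 likelihood x impact score to a rating (thresholds constructed)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"

def rate(risk: Risk) -> Dict:
    """Elements 5-7: risk level before and after the controls in place; a vulnerability
    with nothing in place is flagged as a gap for the remediation plan."""
    like, imp = residual(risk)
    addressed = [c.name for c in risk.in_place if risk.vulnerability in c.mitigates]
    return {
        "asset": risk.asset,
        "threat": f"{risk.threat_source}: {risk.threat_action}",
        "vulnerability": risk.vulnerability,
        "inherent": risk.likelihood * risk.impact,
        "residual": like * imp,
        "level": level(like * imp),
        "controls": addressed,
        "gap": not addressed,
    }

def build_register(risks: List[Risk]) -> List[Dict]:
    """Rate every triple and rank by residual risk, highest first."""
    return sorted((rate(r) for r in risks), key=lambda e: e["residual"], reverse=True)

def laptop_risks() -> List[Risk]:
    """The stolen-laptop slide as constructed sample data: training, strong passwords
    and backups are deployed; encryption, remote wipe and cable lock are planned only."""
    training = Control("Security awareness training", "preventive",
                       frozenset({"device is portable", "weak password"}))
    passwords = Control("Strong passwords", "preventive", frozenset({"weak password"}))
    backup = Control("Data backup", "corrective", frozenset({"ePHI not backed up"}))
    deployed = [training, passwords, backup]
    triple = dict(asset="Laptop with ePHI", threat_source="Burglar", threat_action="Steal laptop")
    return [
        Risk(**triple, vulnerability="device is portable", likelihood=4, impact=3, in_place=deployed),
        Risk(**triple, vulnerability="weak password", likelihood=3, impact=4, in_place=deployed),
        Risk(**triple, vulnerability="ePHI not encrypted", likelihood=4, impact=5, in_place=deployed),
        Risk(**triple, vulnerability="ePHI not backed up", likelihood=3, impact=3, in_place=deployed),
    ]

if __name__ == "__main__":
    for e in build_register(laptop_risks()):
        print(f'{e["level"]:6} residual {e["residual"]:2} (inherent {e["inherent"]:2}) '
              f'{e["vulnerability"]:20} gap={e["gap"]}')
```

The unencrypted-ePHI row stays High with no deployed control, which is the entry a remediation plan (action 9) would schedule first; the same register re-run after encryption is deployed is the "update at least once a year" step.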

Actions to Conduct Bona Fide Risk Analysis & Risk Management
1. Become familiar with what the exact requirements are in the Security Rule and the HHS OCR Final Guidance on Risk Analysis
2. Learn the terminology of risk and risk analysis; read supplemental material
3. Be absolutely clear on what is NOT a risk analysis
4. Select the methodology you will follow and study it carefully
5. Complete your risk analysis
6. Build and execute your risk management plan
7. Update your risk analysis at least once a year

Understand Risk (relationship diagram)
Nodes: Owners; Assets; Controls & Safeguards; Threat Sources (Adversarial, Accidental, Structural, Environmental); Threats; Vulnerabilities; Risks.
Relationship labels on the diagram: value; wish to minimize; implement; to reduce; may be reduced by; that exist in; that may possess; may be aware of; wish to abuse and/or damage; give rise to; that exploit; leading to; that increase.

Choose Risk Analysis Methodology
– OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), developed at Carnegie Mellon University
– ISACA's RISK IT (now part of COBIT 5)
– ISO 27005:2011 Information technology -- Security techniques -- Information security risk management
– Factor Analysis of Information Risk (FAIR)
– NIST SP Revision 1, Guide for Conducting Risk Assessments

Risk Management Guidance
– Guidance on Risk Analysis Requirements under the HIPAA Security Rule (Final)
– NIST SP Revision 1, Guide for Conducting Risk Assessments
– NIST SP, Contingency Planning Guide for Federal Information Systems
– NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
– NIST SP, Managing Information Security Risk
– NIST SP Revision 3 Final, Recommended controls for Federal Information Systems and Organizations
– NIST SP800-53A, Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans

What a Real Risk Analysis Looks Like

Risk Rating Report

Pause & Quick Poll: Has Your Organization Completed a HIPAA Security Risk Analysis (45 CFR § (a)(1)(ii)(A))?


HIPAA Security Technical Evaluation
– External Network Vulnerability Assessment & Penetration Testing
– Internal Network Vulnerability Assessment & Penetration Testing
– Web Application Assessment
– Wireless Security Assessment
– Security Awareness Assessment
– Sensitive Data Discovery Scans
ALL IMPORTANT – AIMED AT DETERMINING EFFICACY AND EFFECTIVENESS OF CONTROLS

Reference: NIST SP800-53A (content/uploads/2014/01/NIST-SP800-53A-rev1-final_Guide_for_Assessing_the_Security_Controls_in_Federal_Information_Systems_and_Organizations-Building_Effective_SAPs.pdf)
“Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass inspections or audits—rather, security controls assessments are the principal vehicle used to verify that the implementers and operators of information systems are meeting their stated security goals and objectives. Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, is written to facilitate security control assessments conducted within an effective risk management framework.”

Resource: “The Federal Risk Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for Cloud Service Providers (CSP). Testing security controls is an integral part of the FedRAMP security authorization requirements and enables Federal Agencies to use the findings that result from the tests to make risk-based decisions. Providing a plan for security control ensures that the process runs smoothly.”

Reference: NIST SP Technical Guide to Information Security Testing and Assessment (content/uploads/2013/12/SP Technical-Guide-to-Information-Security-Testing-and-Assessment.pdf)
Basis of Technical Evaluations:
– Pen Testing
– Vulnerability Scans
– Post Testing Activities

Pause & Quick Poll: Has Your Organization Completed the Technical Evaluation (= Testing) of Your Environment (45 CFR § (a)(8))?


Supplemental Materials
9-1. NIST SP
9-2. NIST SP
9-3. NIST SP800-53A
9-4. Federal Risk Authorization Management Program (FedRAMP) Security Assessment Plan template (Word)
9-5. ONC Guide to Privacy and Security of Health Information
9-6. Clearwater HIPAA Risk Analysis Report Example w/ examples (PDF)
9-7. HIPAA Risk Analysis Buyer's Guide Checklist - What to Look for in a HIPAA Risk Analysis Firm_V3.0 (PDF)

Questions?