FireHost Webinar: Getting HIPAA Compliant
1. 6 May 2014
Getting HIPAA Compliant:
Cutting Through the Clutter
Kurt Hagerman, CISO
2. Today’s Speaker
Kurt Hagerman, Chief Information Security Officer
Kurt Hagerman oversees all compliance-related and security initiatives. He is responsible for leading FireHost in attaining ISO, PCI, HIPAA and other certifications which allow FireHost customers to more easily achieve their own compliance requirements. He regularly speaks and writes on information security topics in the payments and healthcare spaces, as well as on cloud security.
Getting HIPAA Compliant
4. Demystifying HIPAA Compliance
• Review last webinar: info.firehost.com/HIPAA-101-part2-webinar-record.html
• What does it mean to be HIPAA compliant?
• Put a security controls program in place that addresses the risks and threats in how your organization handles PHI
• There is no easy button for HIPAA compliance
• How to get started
5. Getting Secure
1. Assessing Your Risk
2. Developing Your Mitigation Strategies
3. Choose Approach: Treat / Accept / Transfer
6. Security Step 1: Risk Assessment
• Risk assessments strengthen your security posture
• Security Rule requires annual risk analysis
• OCR audits showed widespread lack of or poor risk assessments
• Use existing frameworks: NIST 800-30, FAIR, OCTAVE
• Assess your organizational risk and threats
• Don’t forget: include your Business Associates
7. Review: Risk Assessments
Not just an IT exercise – get all stakeholders involved
• Elements of a proper risk assessment:
  • Identify the flow and all sources of ePHI
  • Identify threats and vulnerabilities
  • Evaluate impact and likelihood of threats and vulnerabilities being exploited
  • Assign risk levels and identify mitigation options
  • Determine which options to implement
8. Security Step 2: Prioritization
• Evaluate impact and likelihood of threats and vulnerabilities being exploited
• Assign risk levels
• Prioritize based on risk levels
• Identify mitigation options & their costs
• Determine how to treat your risks
9. Security Step 3: The 3 Approaches to Risk
• Treat – implement controls to mitigate risk
  • Select controls that match up with the maturity of your organization
• Transfer – find a provider who will handle risk for you
  • Insurance
  • 3rd party service providers
• Accept – what you can’t treat or transfer you must accept as a cost of doing business
Security vs. Compliance: http://info.firehost.com/vid-compliance-v-security-webinar.html
10. What’s next?
HealthData Repository™ Deconstructed – June 4, 2014
• Challenges in healthcare IT
• Keeping healthcare information secure in the cloud
• Lowering the risk and scope of HIPAA compliance with FireHost’s HealthData Repository™
• Register today: info.firehost.com/hdr-repo-webinar
12. Thank You
Kurt Hagerman, Chief Information Security Officer
Email: kurt.hagerman@firehost.com
Phone: 877 262 3473 x8073
Editor’s notes
Moderator:
Hello and welcome to the third webinar in our series on HIPAA compliance. Today we’ll be cutting through all the clutter around HIPAA compliance and talking about what it really takes to get compliant. We’ll leave some time at the end to take your questions, and you can also submit questions during the webinar through the chat feature. To mute your phone, <instructions>.
Moderator: I’d like to introduce our speaker today. I’m <XX> and I’ll be moderating our discussion. Kurt Hagerman, FireHost’s Chief Information Security Officer, will be leading today’s session on HIPAA compliance.
Moderator:
Now let’s take a look at our agenda today. We’ll be talking about demystifying HIPAA compliance, and what it really takes to achieve it. We’ll also go through the three steps you need to build a strong security program that addresses compliance: conducting risk assessments, prioritization and the three options for dealing with risk: treat, accept, and transfer. And as always, we’ll take some time for your questions at the end.
Moderator:
Kurt, I’ll turn the discussion over to you. Let’s get started by demystifying HIPAA compliance.
Kurt:
Thanks, <moderator>.
In our last HIPAA webinars, we talked about myths and misperceptions people have around HIPAA – so if you didn’t see those, I’d suggest visiting them at the link shown.
Today we’re going to focus on some of the smoke and mirrors around compliance. HIPAA is more of a manifesto than a set of prescriptions so there’s naturally some confusion on what it truly means to be HIPAA compliant. Unfortunately many providers take advantage of that and make bold and outrageous claims about HIPAA – basically they say “Hey, if you use us, we’ve got you covered. We guarantee compliance.” It’s pure snake oil - they are trivializing HIPAA compliance.
So let’s talk the truth here. You need to put a security controls program in place that addresses the risks and threats to how your organization handles PHI. There’s no easy button you can press, no silver bullet or miracle product or service that’s going to render you HIPAA compliant.
But that’s not a bad thing. Doing the work to get HIPAA compliant offers considerable benefits - you’ll find out a lot about how your business operates and find ways to make it stronger and more efficient.
Moderator:
Kurt, you mentioned security – so let’s talk now about what it really means for a healthcare organization to get secure.
Kurt:
Thanks. Security is the heart of healthcare IT, and it’s the fundamental basis of compliance. As we said, HIPAA isn’t that prescriptive, so people don’t always know how to get secure. That’s what we’ll talk about today – specifically we’ll talk about the steps you need to take, which are:
Assessing your risk – conducting a thorough risk assessment that looks at your threats and vulnerabilities
Mitigation strategies – creating ways to mitigate or reduce your vulnerabilities and strengthen your security posture
Risk – deciding whether to treat it, accept it or transfer it
So let’s take a closer look at each of those.
Moderator:
Kurt, we’ve talked before about how the Office of Civil Rights conducted a series of audits in 2012 and found a widespread lack of assessments. Why are they so important?
Kurt:
That’s correct, Will. And they’re important for several reasons.
One is that they strengthen your security posture. Remember, compliance is just part of your larger security – and a risk assessment can mitigate or prevent the repercussions of a real breach.
Another is that HIPAA’s Security Rule requires you to periodically conduct a thorough risk analysis. Not only do you need to evaluate your risk and vulnerabilities but you have to implement adequate safeguards against those risks. This is a mandatory part of protecting the integrity of ePHI.
So let’s talk about how to do it. First, consider using an Assessment Framework like NIST 800-30, FAIR or OCTAVE.
Next, assess your organizational risk and threats. Look at what kind of PHI your organization is receiving, storing and transmitting.
Finally, remember to include your providers and business associates in this. You may have multiple third parties involved, which can make it more difficult. But ultimately working through the assessment for your organization and your providers will eradicate any compliance gaps.
Moderator:
Ok, Kurt, thanks for that recap. Can we have a quick review of risk assessments?
Kurt:
Absolutely. Let’s walk through the elements of a proper risk assessment.
First of all, this isn’t just an IT exercise. You need to get all stakeholders involved.
You want to identify all sources and flows of ePHI and identify possible threats – that includes natural threats such as floods or earthquakes; intentional human attacks, accidents or malicious software; and finally environmental threats such as power outages or leakages. Start with the biggest threats.
Then you want to evaluate the risks you face. Assess the likelihood of an actual threat occurrence. After that, you want to assess what impact any of these occurrences, weaknesses and flaws could potentially have on your environment. This should include the number of people impacted, the financial cost of the impact, any impact on patient care, and the impact to your reputation.
This will help you assign risk levels based on the likelihood and frequency of the potential occurrence, and the severity of the impact. Expect your risk areas to vary; one threat might carry a higher likelihood of occurrence but with a lower impact, while another threat could be the opposite. For instance, if you live in a high-wind area prone to tornadoes, that’s going to have a high risk factor you must consider. But if you live in an area that rarely has tornadoes, it’ll be a low likelihood, high-impact risk.
After you’ve created your risk matrix, it’s time to come up with strategies and corrective actions to mitigate each risk.
Moderator: Kurt, that was a great overview of doing a risk assessment. Once someone has identified risk, what’s the next step?
Kurt:
The next step is coming up with mitigation strategies.
By now you should have a good idea of the risks you’re facing. So now you assess the likelihood of an actual threat occurrence. You want to do this for all of the possible threats you identified above. After that, you want to assess what impact any of these occurrences, weaknesses and flaws could potentially have on your environment.
After assigning risk levels, it’s time to come up with mitigation options and their costs. That includes developing controls and strategies for non-digital threats, like the effect of a fire on your paper files. Your mitigation strategies must be all encompassing and cover all possibilities.
Moderator:
Thanks, Kurt. We’ve talked about how to identify risk, but can you fill us in on the different approaches people take to deal with their risk?
Kurt:
Sure. It’s important to know that you have options for dealing with your organizational risk – it’s not just something you’re stuck dealing with on your own.
You have three basic options:
You can go it alone and treat your risk yourself by implementing controls to mitigate risk. You’ll need to select controls that match up with the maturity of your organization.
You can also transfer your risk by finding a provider who will handle the risk for you. This reduces your responsibility and scope and lightens your overall burden. It also lets you focus on your core business activities.
You’ll need to consider insurance, or finding a vendor who has already been independently validated. If you find a vendor well-versed in healthcare compliance, that vendor already performs thorough risk assessments designed to both optimize cloud protection and meet HIPAA requirements.
But be careful – when the OCR conducted their 2012 audits, they found that both healthcare organizations and their vendors fell short in this area. In other words, many healthcare entities are putting their trust in vendors who aren’t delivering the compliance and security they deserve. So it’s important to really evaluate potential vendors before signing on the dotted line.
Ask vendors how they handle patient data privacy, and about their security measures regarding firewalls, data encryption, audits and multi-factor authentication. Also be sure to check their compliance certifications. While you obviously want a vendor who’s HITRUST-certified, look for other certifications like PCI and ISO 27001 that show your vendor has a proven track record in compliance and security. Consider asking about cyber risk assurance also.
Finally, whatever risk you can’t treat or transfer, you must accept as the cost of business.
Kurt:
Next month, we’ll have another webinar on <details>.
Moderator, back to you.
Moderator:
Now that we’ve taken a look at what it really means to be HIPAA compliant, let’s hear your questions. We’ll talk about what you need to do. Just use the chat feature to submit your questions.
Moderator:
Thank you for joining us today. We hope our webinar on HIPAA was helpful and that we answered all of your questions. Within a day or so, you’ll receive a recording of this webinar in an email. To learn more, please visit us at firehost.com – and don’t forget to attend our next webinar on <xx>, which will take place <date>. We look forward to seeing you again.