
How to Prepare Your Organization for a HIPAA Security Risk Analysis

Presented by:

John Abraham, Founder & Chief Security Evangelist, Redspin

About Redspin

Penetration Testing
- External Infrastructure
- Internal Infrastructure
- Web Applications

IT Security Controls
- HIPAA
- FFIEC/GLBA
- PCI
- NERC

Social Engineering

About The Speaker


John Abraham, Founder & Chief Security Evangelist
As Redspin's founder and Chief Security Evangelist, John is passionate about the importance of a structured information security program that enables management to focus IT resources on the most pressing security risks. John's belief is that addressing subtle issues within an organization's IT environment can yield significant business impact, so an ounce of prevention is the key operative behavior of successful risk management programs. John is one of Redspin's health IT security specialists, is a regular speaker on topics of security and healthcare ePHI risk management, and enjoys working with IT teams, compliance officers and executives on practical approaches to data security mitigation strategies.

Preparing Your Organization for a HIPAA Security Risk Analysis


What we'll cover today:
1. What is it?
2. How does it fit into my security program?
3. What are the preparation steps?
4. How can I avoid pitfalls & maximize value?

Why now?
- Meaningful use core objective (protecting ePHI)
- HIPAA compliance
- Risk management

Part 1 HIPAA Security Risk Analysis


1. What is it?
2. How does it fit into my security program?
3. What are the preparation steps?
4. How can I avoid pitfalls & maximize value?

HIPAA Security Rule 164.308(a)(1)(ii)(A)


Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

What is a Risk Analysis? (Also called: Risk Assessment)


- Assessment of risk
- CIA: confidentiality, integrity and availability
- ePHI: created, received, maintained, transmitted

How is it performed? It's an evaluation:

1. Where is ePHI, and what are the critical apps?
2. Threats
3. Vulnerabilities
4. Existing controls (are they effective?)
5. Determine risk (= probability * impact)
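The five steps above map naturally onto a risk register. The following Python is an added example (not code from the presentation or from Redspin) that walks one constructed register through the steps: an ePHI asset, a threat, a vulnerability, the existing controls, and a risk score computed as probability * impact. The 1-5 likelihood and impact scales, the asset names and all ratings are assumptions for illustration; the Security Rule prescribes no scale. The example also goes slightly beyond the slide by distinguishing inherent from residual risk, so that a control which exists but is not effective (Pitfall 2 later in the deck) leaves the risk unchanged.

```python
"""Constructed risk register illustrating the five-step HIPAA risk analysis."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed scales for this example: likelihood and impact are rated 1 (low) to 5 (high),
# so risk = likelihood * impact falls in the range 1..25.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class Control:
    name: str
    effective: bool            # existence of a control does not make it effective
    likelihood_reduction: int  # how many points it lowers likelihood when it works


@dataclass
class RiskItem:
    asset: str           # step 1: where ePHI lives / the critical application
    threat: str          # step 2
    vulnerability: str   # step 3
    likelihood: int      # inherent probability, 1-5 (assumed scale)
    impact: int          # 1-5 (assumed scale)
    controls: List[Control] = field(default_factory=list)  # step 4

    def residual_likelihood(self) -> int:
        """Only controls that actually work reduce likelihood; floor at the scale minimum."""
        reduction = sum(c.likelihood_reduction for c in self.controls if c.effective)
        return max(SCALE_MIN, self.likelihood - reduction)

    def inherent_risk(self) -> int:
        """Step 5 before controls: probability * impact."""
        return self.likelihood * self.impact

    def residual_risk(self) -> int:
        """Step 5 after effective controls are credited."""
        return self.residual_likelihood() * self.impact


def validate_item(item: RiskItem) -> None:
    """Reject ratings outside the assumed scale so arithmetic errors surface early."""
    for label, value in (("likelihood", item.likelihood), ("impact", item.impact)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{item.asset}: {label} {value} not in {SCALE_MIN}..{SCALE_MAX}")


def prioritize(items: List[RiskItem]) -> List[RiskItem]:
    """Highest residual risk first; ties broken by asset name for a stable report."""
    for item in items:
        validate_item(item)
    return sorted(items, key=lambda i: (-i.residual_risk(), i.asset))


def risk_report(items: List[RiskItem]) -> List[Tuple[str, str, int, int]]:
    """(asset, threat, inherent, residual) rows in priority order."""
    return [(i.asset, i.threat, i.inherent_risk(), i.residual_risk()) for i in prioritize(items)]


# Constructed sample register; every asset, threat and rating here is hypothetical.
SAMPLE_REGISTER = [
    RiskItem("EHR database", "credential theft", "remote access without MFA", 4, 5,
             [Control("Password policy", effective=True, likelihood_reduction=1)]),
    RiskItem("Laptop with ePHI exports", "lost or stolen device", "unencrypted disk", 4, 4,
             # the encryption policy exists on paper but was never deployed to laptops
             [Control("Disk encryption policy", effective=False, likelihood_reduction=3)]),
    RiskItem("Backup tapes", "media loss in transit", "no chain of custody", 2, 4,
             [Control("Encrypted backups", effective=True, likelihood_reduction=1)]),
    RiskItem("Patient portal", "SQL injection", "unvalidated input", 3, 5,
             [Control("Web application firewall", effective=True, likelihood_reduction=1),
              Control("Annual penetration test", effective=True, likelihood_reduction=1)]),
]

if __name__ == "__main__":
    for asset, threat, inherent, residual in risk_report(SAMPLE_REGISTER):
        print(f"{asset:26} {threat:24} inherent={inherent:2} residual={residual:2}")
```

Note what the ordering shows: the EHR database has the highest inherent risk (20), but the laptop ends up at the top of the action plan (16) because its only control is ineffective, while the portal's working controls push it well down the list.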

Flexibility on RA Approach
- The Security Rule does not prescribe a specific risk analysis methodology
- Methods will vary depending on the size, complexity, and capabilities of the organization
- There are numerous methods of performing risk analysis
- There is no single method or 'best practice' that guarantees compliance with the Security Rule
Guidance on Risk Analysis Requirements under the HIPAA Security Rule, July 14, 2010 - http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf

Goals and Objectives


- Identify (and prioritize) risk
- Ensure controls are working
- Recommend improvements
- Foundation for a robust security program
- Achieve compliance - HIPAA Security Rule & Meaningful Use

Expected Outcomes
- IT transparency
- Executive understanding of the current state of security
- Prioritized view of risk
- Provide the data needed to create an IT action plan

Part 2 HIPAA Security Risk Analysis


1. What is it?
2. How does it fit into my security program?
3. What are the preparation steps?
4. How can I avoid pitfalls & maximize value?

Source: ISO 27001, NIST SP 800-39, PCI DSS, FFIEC, COBIT, HIPAA - Administrative Safeguards (164.308), ...

Risk Analysis
Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.

A risk analysis is foundational


"The Security Rule requires entities to evaluate risks and vulnerabilities... and to implement reasonable and appropriate security measures... Risk analysis is the first step in that process."
Guidance on Risk Analysis Requirements under the HIPAA Security Rule, July 14, 2010 - http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf

Part 3 HIPAA Security Risk Analysis


1. What is it?
2. How does it fit into my security program?
3. What are the preparation steps?
4. How can I avoid pitfalls & maximize value?

Organizational Resources

Time
- Vendor selection (2-8 weeks)
- Risk Analysis timeline (1-4 weeks)

People
- Vendor selection (IT, compliance, executive)
- During RA (1 liaison)

Budget

Varies depending on size/complexity

What about cost?

Variables
- Complexity
- Satellite locations
- Web application and network penetration testing
- Social engineering
- Business associate risk

What is needed for a proposal?


- What is the size & complexity of the IT environment?
- Key criteria... RFP Template

What is needed for analysis?
- Liaison
- ePHI inventory
- Critical business associates
- ISO (person responsible for security)
- Security policy
- Documentation (whatever is available)
  - Network diagrams, audit results, system docs

Part 4 HIPAA Security Risk Analysis


1. What is it?
2. How does it fit into my security program?
3. What are the preparation steps?
4. How can I avoid pitfalls & maximize value?

Pitfall 1
Waiting for the network to stabilize
- It never does!

Pitfall 2
Assuming a control addresses risk
- Existence does not equal Effective

Pitfall 3
Thinking compliance is security
- Compliance does not equal Security

Pitfall 4
Waiting until you implement ____
- It may not be a high priority

Pitfall 5
Using a check-box approach to RA
- False positives make you look bad
- Creates focus on less important issues, while missing critical risk
- Expensive mitigation
- Lack of context

HIPAA Security Rule


"Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart."

HIPAA Security Rule


"In deciding which security measures to use, a covered entity must take into account the following factors:

(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information."

Summary HIPAA Security Risk Analysis


1. What is it?
2. How does it fit into my security program?
3. What are the preparation steps?
4. How can I avoid pitfalls & maximize value?