Clearwater and Encompass Case Study Creating an OCR-Quality Risk Management Plan


Slide 1: Clearwater and Encompass Case Study: Creating an OCR-Quality Risk Management Plan
Shane Eaker, Director, Information Security, Encompass Health
Rich Curtiss, Managing Consultant, Clearwater
June 12, 2018

Slide 2: About
Encompass Health is one of the nation's largest providers of post-acute healthcare services, offering both facility-based and home-based post-acute services in 36 states and Puerto Rico through its network of inpatient rehabilitation hospitals, home health agencies, and hospice agencies.

Slide 3: Industry Recognition Highlights 2018
#11: Exclusive Endorsement; Industry Collaborator; Industry Resource Provider; Sole Source Provider; Software Used by NSA/CAEs

Slide 4: Our Challenge
Encompass Health sought to establish an accurate, comprehensive, OCR-quality risk analysis process to serve as the foundation for the organization's enterprise-wide security risk management program.
"I've found that performing a comprehensive, HIPAA-compliant risk assessment in a large healthcare organization is easier said than done." Mitch Thomas, CISO, Encompass Health

Slide 5: Three Information Risk Management Objectives
- Operationally: assist in completing a bona fide, comprehensive OCR-quality risk analysis and risk response
- Strategically: assist in making IRM a meaningful C-suite / board agenda item
- Tactically: assist in establishing, implementing and maturing the IRM program

Slide 6: Discussion Flow
1. Problem
2. Best Practices
3. OCR-Quality Risk Assessment
4. Resources

Slide 7: 55 OCR Enforcement Actions Need to Address All These Issues
Organizations struggling with basic information risk analysis / management:
- Not asset-based: systems / apps / technology that create, receive, maintain or transmit ePHI
- Not comprehensive enough: every asset in every LOB in every facility in every location
- Not detailed enough: not considering every asset-threat-vulnerability scenario
- Not following OCR/NIST guidance / 9 essential elements
- Not enough documentation / evidence of a vibrant ongoing program

Slide 8: By the Numbers
Total dollars collected by OCR: $78.7MM
Total Resolution Agreements/CAPs: 54
Total ePHI cases: 41
Total adverse Risk Analysis findings: 37
Total adverse Risk Management findings: 35
Risk Analysis and Risk Management focus continues!

Slide 9: 2016 Phase 2 Audit Results
Rating scale: 1 = Meets; 2 = Substantially Meets; 3 = Minimally Meets; 4 = Negligible Efforts; 5 = No Serious Effort to Comply
57% rated 4s and 5s; 86% rated 3s, 4s and 5s

Slide 10: OCR's Breadth and Depth Re: Risk Analysis
Information asset types = Breadth:
- Traditional IT assets
- Medical devices
- Networking infrastructure components
- Third-party services and providers
- Other IoT integrated devices or equipment
OCR-quality review = Depth:
- 45 CFR (a)
- 45 CFR (a)(1)(ii)(A)
- Guidance on Risk Analysis Requirements under the HIPAA Security Rule
- "OCR Audit Protocol Updated April 2016"
- "OCR Resolution Agreements / Corrective Action Plans"
- NIST SP Guide for Conducting Risk Assessments

Slide 11: Discussion Flow
1. Problem
2. Best Practices
3. OCR-Quality Risk Assessment
4. Resources

Slide 12: Best Practices: Lessons Learned
Lessons learned while designing and implementing a corporate security risk management program:
1. Importance of establishing a risk registry
2. Adapt to the business
3. Challenges of scaling a program
4. Importance of choosing the right tools
It's critically important to align risk management activities with business strategy and objectives.

Slide 13: Best Practices: Establish a Risk Registry
Ensure policies and procedures are in place regarding risk management and acceptance.
1. Create one or more points of accountability
   - CIO and business leader oversight combined with implementation responsibility
2. Prioritize and track identified risks
   - Establish options, budgets, timelines for remediation
   - Evaluate inputs from not only HIPAA risk analysis but all risk management efforts (e.g. vulnerability management)
   - Identify opportunities to solve multiple issues with single remediation steps (e.g. address policy gaps)
3. Document compensating controls
   - Education/awareness/training/layered security controls
A good risk registry will readily demonstrate ongoing progress in reducing risks in alignment with business objectives.

Slide 14: Best Practices: Adapt to Changing Business Objectives
Challenges are going to pop up in the course of business:
1. Moving data centers
   - Realize that significant changes will require a burn-in period
   - Some assets won't make the transition and some will be entirely new; must re-assess following the move
2. Acquisitions
   - Engage early to address/assess tactical risks
   - Isolate risks in place and then migrate into the standardized architecture over time, which can result in many projects
   - Schedule full assessment/work into the next assessment cycle
3. Greenfield assets, e.g. new headquarters
   - Make sure these are identified in the registry
   - Document the removal of retired assets
A good risk registry will demonstrate that assets are tracked and align with the history and current structure of the business.

Slide 15: Best Practices: Scale the Program
Managing risk on a few hundred assets at one facility is one challenge; managing risk on tens of thousands of assets dispersed over large geographic areas has unique challenges.
1. Fully assess everything but maintain focus on higher-risk items
   - Establish and document the organization's risk threshold
   - Minimize cycles on lower-risk activities, focus resources towards higher-risk activities
2. Automate where possible
   - Consider tools with good workflow, but be careful of solutions that add significant overhead
3. Minimize the places to document findings and track status
   - Tracking status in multiple places can waste a lot of time and lead to inconsistencies in reporting
   - Rapid extraction of relevant information is critical
A good risk management program will scale well to the size and maturity of the organization.

Slide 16: Best Practices: Choose the Right Tools
Being able to filter data sets and conduct analysis on relevant assets without getting bogged down in extraneous data can be challenging.
1. Evidence of risk analysis
   - Have to be able to quickly extract relevant information
   - Use templates
2. Periodic review and reporting
   - It's not a one-time activity
   - The process needs to be continuous and demonstrate periodic re-assessment
3. Movement from OCR: lost devices
The right tools and practices will keep relevant information in front of analysts, decision-makers, and regulators.

Slide 17: Discussion Flow
1. Problem
2. Best Practices
3. OCR-Quality Risk Assessment
4. Resources

Slide 18: To Solve the Problem
1. What are ALL the exposures of ALL our information assets (e.g., ePHI)? (Risk Assessment)
2. What decisions do we need to make to treat or manage risks? (Risk Response)
Both are required in federal regulations AND as the basis for any respectable information security program in any industry!

Slide 19: Lots of Good Assessments, Only One Bona Fide Risk Analysis!
- External Security Assessment
- Architecture Assessment
- Internal Security Assessment
- Security Rule Compliance Assessment
- Wireless LAN Security Validation
- Information Security Program Assessment
- Meaningful Use EHR Technical Controls Assessment
- Social Engineering Assessment
- OWASP Web Application Assessments
- NIST CSF Current Profile Assessment
- 10-Point Tactical HIPAA and Cyber Risk Management Assessment
- Strategic Enterprise IRM Program Maturity Assessment
- Etc.
Today's focus: Bona fide, comprehensive Risk Analysis, required at 45 CFR (a)(1)(ii)(A), MEANS OCR Guidance and NIST SP800-30!

Slide 20: Rx: Your Review Plan
OCR Risk Analysis Guidance, "regardless of the risk analysis methodology employed":
1. Scope of the Analysis
2. Data Collection
3. Identify and Document Potential Threats and Vulnerabilities
4. Assess Current Security Measures
5. Determine the Likelihood of Threat Occurrence
6. Determine the Potential Impact of Threat Occurrence
7. Determine the Level of Risk
8. Finalize Documentation
9. Periodic Review and Updates to the Risk Assessment
10. Meet Emerging OCR Standard of Care (added by Clearwater)

Slide 21: Determining Type and Number of Entities With ePHI
Clinics; Hospitals; LTC Facility; ASC; CHC; Hospice; Insurance; Home Health; EMS; Rehab Clinic; Imaging Center; Rural Clinic; Dialysis Clinic; Behavioral; Research

Slide 22: Must Examine All Reasonably Anticipated Asset-Threat-Vulnerability Combinations
No Assets = No Risk; No Threats = No Risk; No Vulnerabilities = No Risk.
Risk exists when and only when an Asset, a Threat and a Vulnerability are present.
It's about saving your assets, not about someone else's controls checklist.

Slide 23: Determine the Level of Risk at a Granular Level

Asset  | Threat Source / Action | Vulnerability       | Likelihood | Impact     | Risk Rating
-------|------------------------|---------------------|------------|------------|------------
Laptop | Burglar steals laptop  | No encryption       | High (5)   | High (5)   | 25
Laptop | Burglar steals laptop  | Weak passwords      | High (5)   | High (5)   | 25
Laptop | Burglar steals laptop  | No tracking         | High (5)   | High (5)   | 25
Laptop | Careless user drops    | No data backup      | Medium (3) | High (5)   | 15
Laptop | Shoulder surfer views  | No privacy screen   | Low (1)    | Medium (3) | 3
Laptop | Lightning strike       | No surge protection | Low (1)    | High (5)   | 5
Etc.
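The laptop table above, together with the risk registry and risk threshold practices on slides 13 and 15, is small enough to show in code. The following is an added example, not part of the deck or of Clearwater's tooling: a minimal risk registry in which each entry is one asset-threat-vulnerability combination, a record is refused unless all three are present (slide 22's rule), the rating is likelihood multiplied by impact on the deck's 1/3/5 scale, and the analyst's worklist is the open entries at or above the organization's documented threshold. The threshold value, the status values and the extra "Workstation" row with compensating controls are assumptions added for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Ordinal scale from the deck's table: Low = 1, Medium = 3, High = 5.
# Assumption: the same scale is used for both likelihood and impact.
LEVELS: Dict[str, int] = {"Low": 1, "Medium": 3, "High": 5}


def rate(likelihood: str, impact: str) -> int:
    """Risk rating = likelihood score x impact score (e.g. High x High = 25)."""
    return LEVELS[likelihood] * LEVELS[impact]


@dataclass
class RiskScenario:
    """One asset-threat-vulnerability combination in the registry."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    compensating_controls: List[str] = field(default_factory=list)
    status: str = "Open"  # hypothetical workflow field: Open / Mitigated / Accepted

    def __post_init__(self) -> None:
        # Slide 22: no asset, no threat or no vulnerability means no risk to record.
        for name in ("asset", "threat", "vulnerability"):
            if not getattr(self, name).strip():
                raise ValueError(f"{name} is required: risk needs all three")
        for name in ("likelihood", "impact"):
            if getattr(self, name) not in LEVELS:
                raise ValueError(f"{name} must be one of {sorted(LEVELS)}")

    @property
    def rating(self) -> int:
        return rate(self.likelihood, self.impact)


def above_threshold(registry: List[RiskScenario], threshold: int) -> List[RiskScenario]:
    """Open scenarios at or above the documented risk threshold, highest first,
    so analyst cycles go to the higher-risk items (slide 15)."""
    hits = [s for s in registry if s.status == "Open" and s.rating >= threshold]
    return sorted(hits, key=lambda s: (-s.rating, s.asset, s.vulnerability))


def status_summary(registry: List[RiskScenario]) -> Dict[str, int]:
    """Counts per status: the ongoing-progress evidence a registry should show."""
    counts: Dict[str, int] = {}
    for s in registry:
        counts[s.status] = counts.get(s.status, 0) + 1
    return counts


def build_sample_registry() -> List[RiskScenario]:
    """Constructed entries: the six laptop rows from the deck's table, plus one
    assumed row marked Mitigated to show compensating-control tracking."""
    rows = [
        ("Laptop", "Burglar steals laptop", "No encryption", "High", "High"),
        ("Laptop", "Burglar steals laptop", "Weak passwords", "High", "High"),
        ("Laptop", "Burglar steals laptop", "No tracking", "High", "High"),
        ("Laptop", "Careless user drops", "No data backup", "Medium", "High"),
        ("Laptop", "Shoulder surfer views", "No privacy screen", "Low", "Medium"),
        ("Laptop", "Lightning strike", "No surge protection", "Low", "High"),
    ]
    registry = [RiskScenario(*r) for r in rows]
    registry.append(RiskScenario(
        "Workstation", "Burglar steals workstation", "No encryption", "High", "High",
        compensating_controls=["Full-disk encryption deployed", "Awareness training"],
        status="Mitigated",
    ))
    return registry


if __name__ == "__main__":
    reg = build_sample_registry()
    # Assumed organizational threshold of 10: everything rated 15 or 25 is worked first.
    for s in above_threshold(reg, threshold=10):
        print(f"{s.rating:>3}  {s.asset:<11} {s.threat:<27} {s.vulnerability}")
    print(status_summary(reg))
```

The validation in `__post_init__` is the part that matters for OCR-quality depth: it forces every registry row to be a concrete asset-threat-vulnerability triple rather than a control-checklist item, which is exactly the distinction slide 22 draws.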

Slide 24: Discussion Flow
1. Problem
2. Best Practices
3. OCR-Quality Risk Assessment
4. Resources

Slide 25: Key Resources
- Sample HIPAA Security Risk Analysis FOR Report
- Guidance on Risk Analysis Requirements under the HIPAA Security Rule
- NIST SP Revision 1, Guide for Conducting Risk Assessments
- NIST SP final_Managing Information Security Risk
- NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
- The Clearwater Definition of an Information Asset
Additional Resources
- NIST SP800_53_r4_Security and Privacy Controls for Federal Information Systems and Organizations
- NIST SP Technical Guide to Information Security Testing and Assessment
- NIST SP Contingency Planning Guide for Federal Information Systems
- MU Stage 2 Hospital Core 7 Protect Electronic Health Info
- NIST Risk Management Framework