2017 | Book

Building a HIPAA-Compliant Cybersecurity Program

Using NIST 800-30 and CSF to Secure Protected Health Information

About this book

Use this book to learn how to conduct a timely and thorough Risk Analysis and Assessment documenting all risks to the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI), which is a key component of the HIPAA Security Rule. The requirement is a focus area for the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) during breach investigations and compliance audits. This book lays out a plan for healthcare organizations of all types to successfully comply with these requirements and use the output to build upon the cybersecurity program.

With the proliferation of cybersecurity breaches, the number of healthcare providers, payers, and business associates investigated by the OCR has risen significantly. It is not unusual for additional penalties to be levied when victims of breaches cannot demonstrate that an enterprise-wide risk assessment exists, comprehensive enough to document all of the risks to ePHI.

Why is it that so many covered entities and business associates fail to comply with this fundamental safeguard? Building a HIPAA Compliant Cybersecurity Program cuts through the confusion and ambiguity of regulatory requirements and provides detailed guidance to help readers:

Understand and document all known instances where patient data exist

Know what regulators want and expect from the risk analysis process

Assess and analyze the level of severity that each risk poses to ePHI

Focus on the beneficial outcomes of the process: understanding real risks, and optimizing deployment of resources and alignment with business objectives

What You’ll Learn

Use NIST 800-30 to execute a risk analysis and assessment, which meets the expectations of regulators such as the Office for Civil Rights (OCR)

Understand why this is not just a compliance exercise, but a way to take back control of protecting ePHI

Leverage the risk analysis process to improve your cybersecurity program

Know the value of integrating technical assessments to further define risk management activities

Employ an iterative process that continuously assesses the environment to identify improvement opportunities

Who This Book Is For

Cybersecurity, privacy, and compliance professionals working for organizations responsible for creating, maintaining, storing, and protecting patient information

Table of contents

Frontmatter

Why Risk Assessment and Analysis?

Frontmatter
Chapter 1. Not If, but When
Abstract
Over the last three years, the number of breaches, lost medical records, and settlements of fines is staggering. During this span, nearly 140 million medical records were involved in a privacy breach.
Eric C. Thompson
Chapter 2. Meeting Regulator Expectations
Abstract
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces HIPAA and investigates breaches, responds to patient complaints, and establishes resolution agreements, where necessary. Patients expect that safeguards designed to secure the confidentiality, integrity, and availability of healthcare records are in place. Briefly, HIPAA has been in existence since 1996. Enforcement of the HIPAA Privacy Rule took effect in April 2003, and Security Rule enforcement took effect in April 2005. Breach investigations are not new. In January 2013, the Final Omnibus Rule established several provisions of the HITECH Act and added several others.
Eric C. Thompson
Chapter 3. Selecting Security Measures
Abstract
The risk assessment process requires management to select security measures designed to reduce risks to an acceptable level and protect ePHI, in accordance with the HIPAA Security Rule. No specific measures are prescribed by HHS or the OCR. Rather, it is up to the entity to define the measures that meet those objectives. Successful identification and implementation of security controls requires entities to consider the following
Eric C. Thompson

Assessing and Analyzing Risk

Frontmatter
Chapter 4. Inventory Your ePHI
Abstract
Documenting all instances of ePHI, everywhere it is in use, in motion, and at rest, is the one risk assessment and analysis activity that elicits the most fear and anxiety. It’s been touched on before, but it is worth repeating. Cybersecurity and compliance professionals develop anxiety about attaching their names to an activity that they feel will fall short. It’s a fear of being held accountable for every crazy thing end users do with patient data. If a breach occurs owing to misuse of data unknown to the entity, and that risk scenario is not documented on the risk assessment, it is quite possible that regulators may cite this as a cause of the breach. It is not possible to predict what conclusions regulators may come to when investigating a breach. What is predictable is this: when nothing is done to analyze risk, additional penalties, including steeper monetary settlements, additional corrective actions, and the appointment of independent monitors to oversee those corrective actions, often result. It’s more productive to assess the risk that a malicious insider could misuse ePHI, causing another threat to steal, modify, or render the data unavailable. Next, quantify the risk and try to mitigate it as best as possible. This allows the practitioner to assess the environment, based on all known characteristics, and reasonably anticipate impermissible uses and disclosures.
Eric C. Thompson
Chapter 5. Who Wants Health Information?
Abstract
Threats represent the individuals, groups, and events that create adverse situations affecting the confidentiality, integrity, and availability of patient information. The human elements include state-sponsored groups, organized cybercriminals, other malicious outsiders, including hacktivists, and malicious insiders. Nonhuman elements include natural disasters or other human-made occurrences, such as terrorist attacks. The process of documenting threats requires the risk analyst to think about the actors and scenarios that threaten ePHI. These actors and scenarios take advantage of vulnerabilities that can lead to a privacy or security incident.
Eric C. Thompson
Chapter 6. Weaknesses Waiting to Be Exploited
Abstract
Vulnerabilities represent weaknesses in technology, controls, processes, capabilities, and human activities that can be exploited by a threat actor and lead to a breach. Owing to limitations in resources, the need to conduct business, and the human element, most entities have dozens of vulnerabilities to document and evaluate. The key to a comprehensive and successful risk analysis lies in analyzing the environment thoroughly enough to collect a comprehensive list of vulnerabilities from across the organization. Several methods can be used to uncover these weaknesses. One way to start is by reviewing recent assessments for issues found, including any of the following
Eric C. Thompson
Chapter 7. Is It Really This Bad?
Abstract
Now comes the step in the process in which all the risks (there’s that word again) have to be measured in terms of how each could impact all the ePHI identified earlier in the analysis. This is a thoughtful process that can, and should, take some time. It is also not a task that should be completed entirely by one person but, rather, should have input from others in the organization. This input can come when documenting and analyzing the risks or when reviewing the list, once complete. The desired outcome of this phase is knowledge of all the risks to ePHI and how severe each is to the confidentiality, integrity, and availability of ePHI, so that management can implement risk mitigations that reduce risk severity to acceptable levels.
Eric C. Thompson
Chapter 8. Increasing Program Maturity
Abstract
The process of reducing risk is achieved by mapping each risk to a security measure meant to mitigate or reduce the risk and focusing on increasing the maturity and capabilities of the cybersecurity control. Earlier, each of the NIST cybersecurity subcategories had an internal cybersecurity control designed to meet the subcategory objective. The program discussed in Chapter 3 is in its infancy and, therefore, on the low end of the maturity scale. Initially, the focus is on getting the cybersecurity control maturity of each subcategory to a 3, on the 1-to-5 scale. A 3 represents a control that is operational, which is good enough to comply with the HIPAA Security Rule Standards and protect ePHI. Once each subcategory is operational, focus can turn to reaching higher levels, 4s and 5s, where resource investment makes sense, based on the risk landscape and objectives of the cybersecurity program.
Eric C. Thompson
Chapter 9. Targeted Nontechnical Testing
Abstract
To this point, the risk analysis was executed through inquiry and the examination of sources such as policies, previous assessment results, and audit reports. Only a limited amount of current, tangible information derived through direct testing has been incorporated into the analysis thus far. This is not atypical for the initial phase of the analysis and assessment. Establishing baseline risks, as shown in Figure 9-1, by documenting and correlating current information and known capabilities into a list of risks needing treatment, is the first step. As the chapter title states, the nontechnical testing executed is chosen based on the value the test brings to the risk assessment and analysis. These specific tests are chosen because confirmation is necessary to ensure that the risks, as documented, are accurately reflected.
Eric C. Thompson
Chapter 10. Targeted Technical Testing
Abstract
The execution of the risk analysis thus far was based on inquiry and examination of methods, including policies, previous assessment results, and audit reports. Additionally, nontechnical testing of several key risk areas was also executed. This generated more current and tangible information to incorporate into the risk analysis. Solidifying the risk analysis, as shown in Figure 10-1, through cybersecurity program and control management and targeted testing, enriches the risk information used in decision making. Technical tests were chosen based on the need for detailed context regarding the risks identified.
Eric C. Thompson

Applying the Results to Everyday Needs

Frontmatter
Chapter 11. Refreshing the Risk Register
Abstract
Now comes the step in the process in which all the risks (there’s that word again) have to be measured in terms of how each could impact all the ePHI identified earlier in the analysis. This is a thoughtful process that can, and should, take some time. It is also not a task that should be completed entirely by one person but, rather, should have input from others in the organization. This input can come when documenting and analyzing the risks or when reviewing the list, once complete. The desired outcome of this phase is knowledge of all the risks to ePHI and how severe each is to the confidentiality, integrity, and availability of ePHI, so that management can implement risk mitigations that reduce risk severity to acceptable levels.
Eric C. Thompson
Chapter 12. The Cybersecurity Road Map
Abstract
After focusing on identifying and measuring risks to ePHI, the next two chapters focus on laying out short- and long-term plans for the cybersecurity program. Risk analysis and assessment guides cybersecurity leaders toward protecting the most sensitive and important assets and gives clarity to the current state of the program. The key objective of cybersecurity leaders inside healthcare providers, payers, and business associates is protecting ePHI. This is accomplished by reducing cyber risk, assisting the organization in complying with the HIPAA Security Rule, and identifying new risks. To set the program up for success, those in charge of cybersecurity need a clear idea of what the program should ultimately look like. In The 7 Habits of Highly Effective People (Free Press, 1989), Stephen R. Covey refers to this as to “beginning with the end in mind,” and David Allen, in his book Getting Things Done (Penguin, 2001), describes it as outcome-focused thinking. It is nearly impossible to be successful without some idea of what the program should look like in three to five years; however, thinking five years out in the cybersecurity world is nearly impossible. Effective road maps focus on a balance of best-in-class capabilities, combined with investments focused on the greatest amount of risk reduction.
Eric C. Thompson

Continuous Improvement

Frontmatter
Chapter 13. Investing for Risk Reduction
Abstract
Limited resources are a fundamental concept of economics, and tough decisions about how to deploy those resources must be made. Examples can include choosing one technology over another, or choosing between technology and head count. This is especially true for cybersecurity programs at healthcare providers, insurance payers, and business associates, where budgets and resources are often limited. This shines a light on why conducting regular risk analysis and assessment exercises is important. Decisions on how to utilize limited resources must focus on risk-based deployment. Some choices are made because of the effect on reducing multiple risks, others because a significant risk is reduced by the investment.
Eric C. Thompson
Chapter 14. Third-Party Risk: Beyond the BAA
Abstract
Of all the ways to apply risk-based cybersecurity principles, analyzing risks to ePHI related to engaging third parties is very important. Failing to evaluate cyber risk at service providers is dangerous, as recent examples, such as the breach reported by Anthem in August of 2017, show, and risks to ePHI resulting from these relationships must be included on the risk register as well. In terms of patient data, business associates (BAs) are entities that perform services on behalf of covered entities and have access to ePHI. Business associates also engage third parties, establishing downstream BA arrangements. Regulations require that business associate agreements (BAAs) be executed for all such arrangements, establishing requirements for BAs to operate under. Included are permissible uses and disclosures of PHI and the expectation to protect PHI by adhering to safeguards required under the HIPAA Security Rule. BAAs also include provisions for notification when breaches occur. BAAs, however, should not be relied on for due diligence and information protection assurance. Managing third-party risk is not the sexiest aspect of cybersecurity; however, mismanaging third-party risk can be very damaging and lead to headlines. It is understood that BAAs are obtained any time a third party has access to, or is in possession of, ePHI. The focus of this chapter is to analyze and either accept or address the cyber risks to ePHI, prior to executing a business agreement and in addition to obtaining the signed BAA.
Eric C. Thompson
Chapter 15. Social Media, BYOD, IOT, and Portability
Abstract
Social media, Bring Your Own Device (BYOD), and the Internet of Things (IoT) are potential headaches and cybersecurity risks. Data moves so freely in the age of digitization that it places vast amounts of ePHI at risk in new and complicated ways. The diverse social media risks cover more than the typical concern over posting of sensitive information on these sites. End users often share sufficient intelligence about the companies they work at that attackers may not have to dig as much during the reconnaissance stage. Social media is a repository for attackers attempting to discover ways to exploit end users. Managing BYOD risks has come a long way in recent years, but risks still exist when allowing the workforce to use personal phones or tablets during the workday. Finally, the recent explosion surrounding IoT also creates risks that many practitioners are just beginning to understand. The volume of data collected is exploding, and entities are unsure of how to manage the protection, storage, and disposition of this data.
Eric C. Thompson
Chapter 16. Risk Treatment and Management
Abstract
During the risk analysis and assessment process, risks specific to the entity’s governance, processes, and capabilities were documented. Risks associated with engaging a third-party service provider and risks due to the use of social media were discovered and added during the testing phase. These risks range in severity from low to very high, based on the likelihood and impact to the confidentiality, integrity, and availability of ePHI if an adversary exploits one of them. Selecting security measures as a means of risk reduction or mitigation is an important step in the process, but it is not possible to eliminate the risk. That is where risk treatment and management come into play. When selecting security measures, entity management must choose the security measures, or risk treatments, that reduce each risk to an acceptable level.
Eric C. Thompson
Chapter 17. Customizing the Risk Analysis
Abstract
Risk analysis is customizable, if the required elements exist. It is thorough and covers the entire enterprise. Here, it is possible to show an example of a risk analysis customized using Monte Carlo simulations when assigning values to the likelihood and impact ratings for given risks. Risk analysis is part art, part science. The art to risk analysis is to achieve results that reflect the true state of the environment. Qualitative risk assessments can suffer if careful thought is not given to assigning likelihood and impact values, yet it is not possible to be 100% quantitative. Evidence must be interpreted by the person doing the analysis. Monte Carlo simulations allow the risk practitioner to use his or her judgment to determine a range of possible values, agree on a likely value, and use a simulation to assign likelihood and impact values.
Eric C. Thompson
Chapter 18. Think Offensively
Abstract
Executing and continuously updating the risk analysis is a challenging task. Things change daily in the cybersecurity world, including an entity’s risk profile. Healthcare providers, payers, and business associates collectively struggle with assessing and keeping up to date a comprehensive and thorough risk analysis. Analyzing and assessing risk are not only required by the HIPAA Security Rule but are necessary to build an effective cybersecurity program. There are many challenges. Situational awareness and knowledge of all places in which ePHI is in use, in motion, and at rest is a big concern. Understanding the application of risk analysis guidance in a way that meets regulatory requirements is another. The last is how to conduct the risk analysis in a way that brings value to the entity. Organizations that accept these challenges and face them one step at a time can build cybersecurity programs that are compliant with HIPAA, invest resources where risk exists, and focus on continuous improvement.
Eric C. Thompson
Backmatter
Metadata
Title
Building a HIPAA-Compliant Cybersecurity Program
Written by
Eric C. Thompson
Copyright year
2017
Publisher
Apress
Electronic ISBN
978-1-4842-3060-2
Print ISBN
978-1-4842-3059-6
DOI
https://doi.org/10.1007/978-1-4842-3060-2