Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Risk Analysis

First HIPAA Security Risk Analyst
"Whatsoever things I see or hear
concerning the life of men, in my
attendance on the sick or even
apart therefrom, which ought not
to be noised abroad, I will keep
silence thereon, counting such
things to be as sacred as secrets."
- Hippocratic Oath, 4th Century, B.C.E.
Welcome to today’s Live Event… we will begin shortly…
Please feel free to use “Chat” or “Q&A” to tell us any
‘burning’ questions you may have in advance
© 2010-11
2010-12 Clearwater Compliance LLC | All Rights Reserved
1
How to Conduct a
Meaningful Use / HIPAA
Security Risk Analysis
April 17, 2012
Bob Chaput, MA, CISSP, CHP, CHSS, MCSE
615-656-4299 or 800-704-3394
bob.chaput@ClearwaterCompliance.com
Clearwater Compliance LLC
© 2010-11
2010-12 Clearwater Compliance LLC | All Rights Reserved
2
Bob Chaput
CISSP, MA, CHP, CHSS, MCSE
•
•
•
•
•
•
•
•
President – Clearwater Compliance LLC
30+ years in Business, Operations and Technology
20+ years in Healthcare
Executive | Educator |Entrepreneur
Global Executive: GE, JNJ, HWAY
Responsible for largest healthcare datasets in world
Numerous Technical Certifications (MCSE, MCSA, etc)
Expertise and Focus: Healthcare, Financial Services, Legal
•
Member: NMGMA, HIMSS, ISSA, HCCA, ACHE, AHIMA, NTC, ACP,
Chambers, Boards
http://www.linkedin.com/in/BobChaput
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
3
About HIPAA-HITECH Compliance
1. We are not attorneys!
2. HIPAA and HITECH is dynamic!
3. Lots of different interpretations!
So there!
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
4
5 Actions to Take Now
1. Formally establish and charter a Privacy
and Security Risk Management Council
and establish a Security Management
Process per 45 CFR §164.308(a)(1).
2. Complete an Evaluation per 45 CFR
§164.308(a)(8) to assess Security Rule
“black letter” compliance and to
understand the complete regulation; the
Security Rule is the ultimate checklist.
3. Complete a Risk Analysis per 45 CFR §164.308(a)(1)(ii)(A) to assess risk
and determine the CE’s security posture and initiate a corrective action plan.
4. Complete an assessment of compliance with the Privacy Rule using per
45 CFR §164.530 Administrative Requirements as a guide.
5. Document and act upon a corrective action plan for Security Rule
compliance, Privacy Rule compliance, and overall Risk Management per 45
CFR §164.308(a)(1)(ii)(B).
Demonstrate Good Faith Effort
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
5
Session Objectives
1. Review Regulatory
Requirements and HHS/OCR
Final Guidance
2. Understand Risk Analysis
Essentials
3. Learn how to Complete a Risk
Analysis
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
6
HITECH meets HIPAA …
at Meaningful Use
Risk
Analysis
45 CFR
164.308(a)(1)(ii)
(A)
HIPAA Security
Final Rule
Meaningful Use
Final Rule
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
7
Two Dimensions of HIPAA
Security Business Risk Management
Compliance
45 CFR 164.308(a)(8)
Security
45 CFR
164.308(a)(1)(ii)(A)
Overall Business Risk Management Program;
Not “an IT project”
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
8
Security Evaluation v. Risk Analysis
45 C.F.R. §164.308(a)(8)
Standard: Evaluation. Perform a periodic technical and non-technical
evaluation, based initially upon the standards implemented under this rule
and subsequently, in response to environmental or operational changes
affecting the security of electronic protected health information, which
establishes the extent to which an entity's security policies and
procedures meet the requirements of this subpart.
45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process
(1)(i) Standard: Security management process. Implement policies and
procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough
assessment of the potential risks and vulnerabilities to the
confidentiality, integrity, and availability of electronic protected health
information held by the covered entity.
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
9
EP Meaningful Use - Core
Eligible Professionals 15 Core Objectives
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
Computerized provider order entry (CPOE)
E-Prescribing (eRx)
Report ambulatory clinical quality measures to
CMS/States
Implement one clinical decision support rule
Provide patients with an electronic copy of their health
information, upon request
Provide clinical summaries for patients for each office
visit
Drug-drug and drug-allergy interaction checks
Record demographics
Maintain an up-to-date problem list of current and
active diagnoses
Maintain active medication list
Maintain active medication allergy list
Record and chart changes in vital signs
Record smoking status for patients 13 years or older
Capability to exchange key clinical information among
providers of care and patient-authorized entities
electronically
15. Protect electronic health information
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
EH & CAH Meaningful Use
EHs and CAHs 14 Core Objectives
1. Use CPOE for medication orders directly entered by any licensed healthcare professional who
can enter orders into the medical record per State, local, and professional guidelines.
2. Implement drug-drug and drug-allergy interaction checks.
3. Maintain an up-to-date problem list of current and active diagnoses
4. Maintain active medication list.
5. Maintain active medication allergy list.
6. Record specific set of demographics
7. Record and chart specific changes in the certain vital
8. Record smoking for patients 13 years old or older
9. Report hospital clinical quality measures to CMS or, in the case of Medicaid eligible hospitals,
the States.
10. Implement one clinical decision support rule related to a high priority hospital condition along
with the ability to track compliance with that rule.
11. Provide patients with an electronic copy of their health information (including diagnostic test
results, problem list, medication lists, medication allergies, discharge summary, procedures),
upon request.
12. Provide patients with an electronic copy of their discharge instructions at time of discharge,
upon request.
13. Capability to exchange key clinical information (for example, problem list, medication list,
medication allergies, and diagnostic test results), among providers of care and patient
authorized entities electronically.
14.Protect electronic health information
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
…from HHS/OCR Final Guidance
Regardless of the risk analysis methodology employed…
1. Scope of the Analysis - all ePHI that an organization creates, receives, maintains, or transmits
must be included in the risk analysis. (45 C.F.R. § 164.306(a)).
2. Data Collection - The data on ePHI gathered using these methods must be documented. (See 45
C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316 (b)(1).)
3. Identify and Document Potential Threats and Vulnerabilities Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§
164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
4. Assess Current Security Measures - Organizations should assess and document the security measures an entity
uses to safeguard ePHI. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
5. Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into
account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
6. Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the
“criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
7. Determine the Level of Risk - The level of risk could be determined, for example, by analyzing the values assigned to
the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2),
164.308(a)(1)(ii)(A), and 164.316(b)(1).)
8. Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific
format. (See 45 C.F.R. § 164.316(b)(1).)
9. Periodic Review and Updates to the Risk Assessment - The risk analysis process should be ongoing. In
order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct
continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
12
Risk Management Guidance
Guidance on Risk Analysis Requirements under the
HIPAA Security Rule Final
•
•
•
•
•
•
NIST SP800-30 Revision 1 Guide for Conducting Risk
Assessments – DRAFT
NIST SP800-34 Contingency Planning Guide for Federal
Information Systems
NIST SP800-37, Guide for Applying the Risk Management
Framework to Federal Information Systems: A Security Life
Cycle Approach
NIST SP800-39-final_Managing Information Security Risk
NIST SP800-53 Revision 3 Final, Recommended controls for
Federal Information Systems and Organizations
NIST SP800-53A, Rev 1, Guide for Assessing the Security
Controls in Federal Information Systems and Organizations:
Building Effective Security Assessment Plans
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
13
Session Objectives
1. Review Regulatory Requirements
and HHS/OCR Final Guidance
2. Understand Risk Analysis
Essentials
3. Learn how to Complete a Risk
Analysis
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
14
Risk Analysis is Not Easy
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
15
What A Risk Analysis Is Not
•
•
•
•
•
•
A network vulnerability scan
A Risk Analysis IS the process of
A penetration
test prioritizing, and estimating
identifying,
risks to organizational operations
A configuration
audit
(including
mission, functions, image,
reputation), organizational assets,
A network diagram
review
individuals,
other organizations, …,
resulting from the operation of an
A questionnaire
information system. Part of risk
incorporates threat and
Informationmanagement,
system
activity
review
vulnerability analyses, and considers
mitigations provided by security controls
planned or in place.
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
16
NOT Risk Management
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
17
Risk Analysis and Risk
Management
1. What is our exposure
of our information
assets (e.g., ePHI)?
2. What do we need to do
to treat or manage
risks?
Both Are Required in MU and HIPAA
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
18
Security Risk Management Process
Risk
Management
Approach
Asset
Inventory
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Risk Analysis
Risk
Treatment
Docu
mentation
19
What is Risk?
Risk = Impact * Likelihood
Overall Risk Value
Impact
HIGH
Medium
High
Critical
MEDIUM
Low
Medium
High
LOW
Low
Low
Medium
LOW
MEDIUM
HIGH
Likelihood
Goal = Understand What Risks Exist and Into
What Category They Fall
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
20
Risk Analysis “Algebra”
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
21
Threat Sources
1. Adversarial
• Individual-Outsider, -Insider,
Group-Ad hoc,-Established…
2. Accidental
• Ordinary User, Privileged
User
3. Structural
• IT Equipment, Environmental
Controls, Software
4. Environmental
• Natural or man-made
disaster (fire, flood,
hurricane), Unusual natural
event, Infrastructure
failure/outage (telecomm,
power)
… An adapted definition of threat Source, from NIST SP *00-30, is “The intent and method
targeted at the intentional exploitation of a vulnerability or a situation and method that may
accidentally exploit a vulnerability...”
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
22
Vulnerabilities
1.
2.
3.
4.
5.
6.
7.
Lack of strong password
Lack of personal firewall
Lack of data backup
Lack of policies
Failure to follow policies
Lack of training
Lack of encryption on
laptops with ePHI…
8. …and on and on …
NIST Special Publication (SP) 800-30 as “Weakness in an information system,
system security procedures, internal controls, or implementation that could be
exploited by a threat source.”
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
23
Controls Help Address Vulnerabilities
Threat Source
Vulnerabilities
Controls
• Burglar who may
steal Laptop with
ePHI
•
•
•
•
•
•
•
•
•
•
•
Information Asset
• Laptop with ePHI
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Device is portable
Weak password
ePHI is not encrypted
ePHI is not backed up
Policies & Procedures
Training & Awareness
Cable lock down
Strong passwords
Encryption
Remote wipe
Data Backup
24
Risk =
f([Assets+Threats+Vulnerabilities+Controls]
* [Likelihood * Impact])
Likelihood
Impact
Risks
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Not Applicable
RareBased on
Unlikely
threat,
vulnerabilities
Moderate
and current
Likely
controls in
Almost
Certain
place
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Not Applicable
Insignificant
Based on size,
Minor
sensitivity
Moderate
and effort or
Majorcost of
remediation
Disastrous
Financial
Political
Legal
Regulatory
Operational impact
Reputational
25
Establishing a Risk Value
Risk = Likelihood * Impact
Likelihood
Rank
0
1
2
3
4
5
Description
Not Applicable
Rare
Unlikely
Moderate
Likely
Almost Certain
Example
Will never happen
May happen once every 10 years
May happen once every 3 years
May happen once every 1 year
May happen once every month
May happen once every week
Impact
Rank
0
1
2
3
4
5
Description
Not Applicable
Insignificant
Minor
Moderate
Major
Disastrous
Example
Does not apply
Not reportable; Remediate within 1 hour
Not reportable; Remediate within 1 business day
Not reportable; Remediate within 5 business days
Reportable; Less than 1,000 records compromised
Reportable; Greater than 1,000 records compromised
•
•
•
•
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Critical = 25
High = 15-24
Medium = 8-14
Low = 0-7
26
Simplified Risk Analysis Example
Asset
Laptop
Likelihood
(1-5)
Impact
(1-5)
Risk
( L * I)
Device is portable
4
3
12
Weak password
2
4
8
ePHI is not encrypted
3
5
15
ePHI is not backed up
1
2
2
Threat
Theft
Vulnerability
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
27
The Process
Risk Approach
Asset
Inventory
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Risk Analysis
Docu-
Risk
Treatment
mentation
28
Criteria For Accepting Risks


Score Range: 0-25
Risk Values




Critical = 25
High = 15-24
Medium = 8-14
Low =
0-7
Example:
• Acceptable level of risk: 14
• Value of risk A: 9 – no treatment is needed
• Value of risk B: 17 – risk treatment is needed
29
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Risk Treatment
• Risk Management = making informed decisions
about treating risks
1.
2.
3.
4.
5.
Avoid
Accept
Mitigate
Transfer
Share
• Not all Risks need “mitigation”
• All Risks need “treatment”
30
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Risk Management
Risks of all types & sizes exist
Risk Identification 
Risk Treatment
Avoid / Transfer Risks
Mitigate / Transfer Risks
Accept Risks
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
31
Risk Mitigation Example
Before
Asset
Threat
Laptop Theft
Vulnerability
Likelihood
(1-5)
Impact
(1-5)
Risk
( L * I)
Device is portable
4
3
12
ePHI is not encrypted
3
5
15
After
Asset
Threat
Vulnerability
Likelihood (15)
Impact (15)
Residual
Risk
( L * I)
Cable lock
down
1
3
3
ePHI is not Full Disk
encrypted Encryption
1
5
5
Laptop Theft Device is
portable
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
New Control
32
Session Objectives
1. Review Regulatory Requirements
and HHS/OCR Final Guidance
2. Understand Risk Analysis
Essentials
3. Learn how to Complete a Risk
Analysis
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
33
The Process
Risk Approach
Asset
Inventory
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Risk Analysis
Docu-
Risk
Treatment
mentation
34
The Risk Analysis Dilemma
Assets and Media
Backup Media
Desktop
Disk Array
Electronic Medical
Device
Laptop
Pager
Server
Smartphone
Storage Area Network
Tablet
Third-party service
provider
Etcetera…
Threat Sources
ADVERSARIAL
-Individual
-Groups
ACCIDENTAL
-Ordinary user
-Privileged User
STRUCTURAL
-IT Equipment
-Environmental
-Software
ENVIRONMENTAL
-Natural or man-made
-Unusual Natural
Event
-Infrastructure failure
Threat Actions
Burglary/Theft
Corruption or
destruction of
important data
Data Leakage
Data Loss
Denial of Service
Destruction of
important data
Electrical damage to
equipment
Fire damage to
equipment
Information leakage
Etcetera…
Over 10 million Permutations 
Potential Risk-Controls
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
NIST SP 800-53 Controls
Vulnerabilities
Anti-malware
Vulnerabilities
Destruction/Disposal
Vulnerabilities
Dormant Accounts
Endpoint Leakage
Vulnerabilities
Excessive User
Permissions
Insecure Network
Configuration
Insecure Software
Development Processes
Insufficient Application
Capacity
Insufficient data backup
Insufficient data validation
Insufficient equipment
redundancy
Insufficient equipment
shielding
Insufficient fire protection
Insufficient HVAC
capability
Insufficient power
capacity
Insufficient power
shielding
Etcetera…
PS-6 a The organization ensures that
individuals requiring access to
organizational information and
information systems sign appropriate
access agreements prior to being
granted access.
PS-6 b The organization
reviews/updates the access
agreements [Assignment:
organization-defined frequency].
AC-19 a The organization establishes
usage restrictions and implementation
guidance for organization-controlled
mobile devices.
AC-19 b The organization authorizes
connection of mobile devices meeting
organizational usage restrictions and
implementation guidance to
organizational information systems.
AC-19 c The organization monitors for
unauthorized connections of mobile
devices to organizational information
systems.
AC-19 d The organization enforces
requirements for the connection of
mobile devices to organizational
information systems.
AC-19 e The organization disables
information system functionality that
provides the capability for automatic
execution of code on mobile devices
without user direction; Issues specially
configured mobile devices to
individuals traveling to locations that
the organization deems to be of
significant risk in accordance with
organizational policies and
procedures.
Etcetera…570
35
Software Design Basis
• HHS / OCR Final Guidance on Risk Analysis
• NIST SP800-30 Revision 1 Guide for Conducting Risk
Assessments – DRAFT
• NIST SP800-34 Contingency Planning Guide for
Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk
Management Framework to Federal Information
Systems: A Security Life Cycle Approach
• NIST SP800-39-final_Managing Information Security
Risk
• NIST SP800-53 Revision 3 Final, Recommended
controls for Federal Information Systems and
Organizations
• NIST SP800-53A, Rev 1, Guide for Assessing the
Security Controls in Federal Information Systems
and Organizations: Building Effective Security
Assessment Plans
36
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Clearwater HIPAA Security
Risk Analysis™
Educate | Assess | Respond
Monitor| Document
https://HIPAASecurityRiskAnalysis.com/
37
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
How Risk Analysis Software
Helps You
Risk Approach
• Approach
rigorously based
on OCR & NIST
Guidance
• Semi-quantitative
• Comprehensive
• Flexible for
Setting Risk
Appetite
Asset
Inventory
Risk Analysis
• Captures
essential
documentation
• Includes 9
essential
elements
• Identifies
underlying media
• Serves as
‘wizard’ to guide
detailed process
• Creates
database for
deletes / adds /
changes
• Comprehensive
documentation
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
• Assures
consistency,
repeatability
• Ratings facilitate
dynamic risk
ranking
Docu-
Risk
Treatment
mentation
• Reporting
facilitates
informed
decision making
• Produces and
houses all
essential
documentation
• “Notes” facilitate
critical
documentation
re: Risk
treatment
decisions
• Provides “living,
breathing risk
management
repository”
• Enables easier,
future
incremental
38 analyses
Asset Inventory List
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
39
Risk Questionnaire Form
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
40
Risk Rating Report
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
41
Sample Export – Asset Inventory
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
42
Risk Analysis WorkShop™ Process
High Value – High Impact
I. PREPARATION
A. Plan / Gather
B. Read Ahead
C. Complete QuickScreen™
II. ONSITE SESSION
A. Facilitate
B. Educate
C. Evaluate
III. CONSULTATION
A. E-mail
B. Telephone
C. Web Meetings
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
43
Summary and Next Steps







Risk Analysis is a Critical, Foundational Step
Consider Assessing the Forest as Well
Completing a Risk Analysis is key to HIPAA
compliance
 But, is not your only requirement…
Stay Business Risk Management-Focused
Don’t Call The Geek Squad
Large or Small: Get Help (Tools, Experts, etc)
Consider tools and templates
44
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
June 25, 2012 | Chicago, IL
Clearwater HIPAA Audit Prep BootCamp™
Take Your
HIPAA
Compliance
Program to a
Better Place,
Faster
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Expert Instructors
Jim Mathis, JD, CHC, CHP
Healthcare Industry Attorney
HIPAA Consultant
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
James C. Pyles
Principal
Powers Pyles Sutter & Verville PC
Bob Chaput, CISSP, CHP, CHSS, MCSE
CEO
Clearwater Compliance
46
Get Smart!
“On Demand” HIPAA HITECH RESOURCES, IF NEEDED:
1. http://AboutHIPAA.com/about-hipaa/resources/
2. http://AboutHIPAA.com/webinars/
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
47
Contact
Bob Chaput, CISSP
http://www.ClearwaterCompliance.com
bob.chaput@ClearwaterCompliance.com
Phone: 800-704-3394 or 615-656-4299
Clearwater Compliance LLC
48
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Additional Information
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
49
Why Now? –
What We’re Hearing
“Our business partners (health plans) are
demanding we become compliant…” – large
national care management company (BA)
“We did work on Privacy, but have no idea where
to begin with Security” – 6-Physician Pediatric
Practice (CE)
“We want to proactively market our services by
leveraging our HIPAA compliance status …” -large regional fulfillment house (BA)
“With all the recent changes and meaningful use requirements, we need to make sure we
meet all The HITECH Act requirements …” – large family medicine group practice (CE)
“We need to have a way to quickly take stock of where we are and then put in place a
dashboard to measure and assure our compliance progress…” – national research
consortium (BA)
“We need to complete HIPAA-HITECH due diligence on a potential acquisition and need a
gap analysis done quickly and efficiently…” – seniors care management company (BA)
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
50
What Our
Customers Say…
“The WorkShop™ process made a very complicated process and
subject matter simple. The ToolKit™ itself was excellent and
precipitated exactly the right discussion we needed to have.” –
outside Legal Counsel, national research consortium
"The HIPAA Security Assessment ToolKit™ and WorkShop™ are a
comprehensive approach that effectively guided our
organization’s performance against HIPAA-HITECH Security
requirements.” -- SVP and Chief Compliance, national hospice
organization
“… The WorkShop™ process expedited assessment of gaps in our HIPAA Security Compliance program,
began to address risk mitigation tasks within a matter of days and… the ‘ToolKit’ was a sound
investment for the company, and I can't think of a better framework upon which to launch compliance
efforts.” – VP & CIO, national care management organization
“…the process of going through the self-assessment WorkShop™ was a great shared learning experience
and teambuilding exercise. In retrospect, I can't think of a better or more efficient way to get started
than to use the HIPAA Security Assessment ToolKit.“ – CIO, national kidney dialysis center firm
“…this HIPAA Security Assessment Toolkit is worth its weight in gold. If we had to spend our time and
resources creating this spreadsheet, we would never complete our compliance program on time…”
— Director, Quality Assurance & Regulatory Affairs
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
51
Related documents
Experian PO Box 2002 Allen, TX 75013 I dispute the reporting of the
Experian PO Box 2002 Allen, TX 75013 I dispute the reporting of the
Your_Solutions_LLC_-_New_Business3[1]
Your_Solutions_LLC_-_New_Business3[1]
Business Plan Basics - The Controllership Group
Business Plan Basics - The Controllership Group
strategic vision - City of Clearwater
strategic vision - City of Clearwater
The High Cost of Poor Communication:
The High Cost of Poor Communication:
Download