Page 1: Hipaa risk analysis_1.4

© 2013 SISA Information Security Inc.

HIPAA Risk Analysis

About SISA:

SISA Information Security was founded in 2003 and has over 300 customers ranging from healthcare, insurance, banks, hospitality and information technology. SISA is a leader in Risk Analysis and its tool SISA Assistant is widely used for HIPAA compliance.

www.sisainfosec.com

Page 2: Hipaa risk analysis_1.4

Dharshan Shanthamurthy, CISA, CISSP, GWAPT, PCI QSA, OCTAVE Authorized Trainer/Advisor, FCA, ISA, CEH, P2PE QSA, PA QSA

• CEO of SISA Information Security Inc
• Two decades of information security experience and specialist on formal risk assessment methodologies.
• Conducted around 120 workshops in over 13 countries on topics ranging from Risk Assessment, HIPAA, PCI and ISO.
• Trained at CERT Coordination Center on Risk Assessment and recognized as authorized trainer/advisor for SEI in 2003.
• Author of the Certified Information Security Risk Assessor Program (training dedicated towards formal methodologies)
• PCI DSS Special Interest Group Proposer and Lead for Risk Assessment.

LinkedIn: http://www.linkedin.com/in/dharshanshanthamurthy

Page 3: Hipaa risk analysis_1.4


Agenda

• Definition

• Background

• Current environment

• Common Risk Analysis Process

• Questions

Objective: Step-by-step approach to HIPAA Risk Analysis

Page 4: Hipaa risk analysis_1.4

Risk Assessment

Risk assessment is the cornerstone of any information security program, and it is the fastest way to gain a complete understanding of an organization's security profile – its strengths and weaknesses, its vulnerabilities and exposures.

“IF YOU CAN’T MEASURE IT …YOU CAN’T MANAGE IT!”

Page 5: Hipaa risk analysis_1.4

Background

• Formal risk analysis (or risk assessment)
- Essential component of HIPAA compliance
- Can help organizations identify their most critical exposures and vulnerabilities and — more importantly — safeguard overall privacy and security
- Forms a basis for determining how risks should be managed
• Adds value by ensuring that resources are directed at the areas that are most important to management and governance.

Page 6: Hipaa risk analysis_1.4

HIPAA and Risk Analysis

Administrative Safeguard: Security Management Process

• “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the covered entity.”
• “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”

Page 7: Hipaa risk analysis_1.4

Risk Analysis: Why is it so critical?

• Control optimization: Protect everything, or do Risk Analysis to know what needs to be protected
• Treat: helps to prioritize the mitigation process
• Be secure, not just compliant: Effective and efficient control deployment
• Was secure yesterday, but is it true today? Analyze the effectiveness of existing controls on an ongoing basis
• Helps the organization take the right decision at the right time

Page 8: Hipaa risk analysis_1.4

Current Environment

• 80% of the organizations don’t have a consistent manner of assessing risk.
• 4/5 of the organizations have no formal risk appetite defined.
• 47/49 providers, 20/35 health plans and 2/7 of clearing houses did not have a basic formal risk assessment.

Source: NIST-OCR 2013
Source: 2013 KPMG Survey

Page 9: Hipaa risk analysis_1.4

Common misconceptions

• Vulnerability Assessment = Risk Analysis
• Risk Analysis = Audit
• Risk Analysis does not require any specific skill
• Risk Analysis is black or white.
• We already know the risk, so why conduct a formal Risk Analysis?
• Risk Analysis has no business value and is required only for compliance purposes, just before the audit
• Risk Analysis does not require a formal approach. Let me devise my own.

Page 10: Hipaa risk analysis_1.4

Common Risk Analysis Flow

[Flow diagram] General Description of ISRA → Risk Analysis: Risk Identification → Risk Analysis: Risk Estimation and Evaluation → Risk Treatment

[SISA Assistant process wheel] Scope → Asset → Threat → Vulnerabilities → Risk Profiling → Risk Treatment Plan → Results Documentation

Page 11: Hipaa risk analysis_1.4

1. General Description of ISRA

Input:
• Basic Criteria
• Scope and Boundaries
• Organization for ISRM

Action: Identify, describe (quantitatively or qualitatively) and prioritize risks.

Output: Assessed risks prioritized according to Risk Evaluation Criteria.

Page 12: Hipaa risk analysis_1.4

2. Risk Analysis: Risk Identification – Identification of Assets

Input:
• Scope and Boundaries
• Asset owners
• Asset Location
• Asset function

Action: Assets are defined.

Output:
• List of Assets
• List of associated business processes

Page 13: Hipaa risk analysis_1.4

2. Risk Analysis: Risk Identification – Identification of Threats

Input: Threat information from
• Review of Incidents
• Asset Owners
• Asset Users, etc.

Action: Threats are defined.

Output:
• Threats
• Threat source
• Threat type

Page 14: Hipaa risk analysis_1.4

2. Risk Analysis: Risk Identification – Identification of Existing Controls

Input:
• Documentation of controls
• RTP (Risk Treatment Plan)

Action: Existing and planned controls are defined.

Output:
• Existing and planned controls
• Implementation status
• Usage status

Page 15: Hipaa risk analysis_1.4

2. Risk Analysis: Risk Identification – Identification of Vulnerabilities

Input:
• Identified Assets
• Identified Threats
• Identified Existing Controls

Action: Vulnerabilities are identified.

Output:
• Vulnerabilities related to assets, threats, controls.
• Vulnerabilities not related to any threat.

Page 16: Hipaa risk analysis_1.4

2. Risk Analysis: Risk Identification – Identification of Consequences

Input:
• Assets and business processes
• Threats and vulnerabilities

Action: The impact of the loss of CIA is identified.

Output:
• Incident scenarios with their consequences related to assets and business processes

Page 17: Hipaa risk analysis_1.4

3. Risk Analysis: Risk Estimation

Risk Estimation Methodologies

(a) Qualitative Estimation: High, Medium, Low
(b) Quantitative Estimation: $, hours, etc.

Page 18: Hipaa risk analysis_1.4

3. Risk Analysis: Risk Estimation – Assessment of consequences

Input:
• Assets and business processes
• Threats and vulnerabilities
• Incident scenarios

Action: The business impact from information security incidents is assessed.

Output: Assessed consequences of an incident scenario expressed in terms of assets and impact criteria.

Page 19: Hipaa risk analysis_1.4

3. Risk Analysis: Risk Estimation – Level of Risk Estimation

Input:
• Incident scenarios with their consequences
• Their likelihood (quantitative or qualitative).

Action: Level of risk is estimated for all relevant incident scenarios.

Output: List of risks with value levels assigned.

Page 20: Hipaa risk analysis_1.4

4. Risk Analysis: Risk Estimation – Level of Risk Estimation

Input:
• Risks with value levels assigned and risk evaluation criteria.

Action: Level of risk is compared against risk evaluation criteria and risk acceptance criteria.

Output: Risks prioritized according to risk evaluation criteria in relation to the incident scenarios.

Page 21: Hipaa risk analysis_1.4

Scope

• Physical Location – building, room, etc.
• Data Center
• Business Process
• Business Division

Page 22: Hipaa risk analysis_1.4

Asset Review

• Admin Processes
• Clinical Processes
• Electronic Health Records System

Page 23: Hipaa risk analysis_1.4

Threat Review

• Hacker exploits insecure communication channels
• Theft/destruction of media or documents
• Corruption of data
• CSRF Attack

smart-ra.com

Page 24: Hipaa risk analysis_1.4

Vulnerability Review

• Employee Disclosure
• EPHI is stored unencrypted
• No quarterly review of firewall rules
• XSS Vulnerability

Page 25: Hipaa risk analysis_1.4

Risk Profiling

Risk Score = f(Asset Value, LHOT, LOV)
• Calculated after taking Risk Evaluation and Risk Acceptance Criteria into account

Revised Risk Score = Risk Score after
• Evaluating Existing Controls
• Applying New Controls

Page 26: Hipaa risk analysis_1.4

Risk Treatment Plan

Treat / Tolerate / Terminate / Transfer
• Take Action if Treat/Transfer
• Take Approval if Tolerate/Terminate

Page 27: Hipaa risk analysis_1.4

Results Documentation

• Document A-T-V Combination with the associated Risk
• Calculation of Risk
• RTP
• Action Taken

Page 28: Hipaa risk analysis_1.4

Scenario – Threat Profiling

We have had people moving from one department to another and it seems like some of them continue to have their previous access rights both to the network and to the lab area. Consequently PHI is accessible to more people than required.
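Worked example of the Risk Profiling (page 25), Risk Treatment Plan (page 26) and Results Documentation (page 27) steps, run over the page-28 scenario as constructed input. This is added example code, not SISA's or SISA Assistant's: the 1-3 scale, the product form of the Risk Score, the readings of LHOT and LOV, the control-effect model, the acceptance threshold of 8 and every rating in the scenario are assumptions.

```python
from dataclasses import dataclass, field
LOW, MEDIUM, HIGH = 1, 2, 3  # assumed qualitative scale for Asset Value, LHOT and LOV
ACCEPTANCE_THRESHOLD = 8     # assumed risk acceptance criterion (scores at or below may be tolerated)

@dataclass
class ATV:
    asset: str
    threat: str
    vulnerability: str
    asset_value: int
    lhot: int  # assumed reading of LHOT: likelihood of threat occurrence
    lov: int   # assumed reading of LOV: likelihood that the vulnerability is exploited
    # controls are (name, LOV levels removed, implemented?) tuples (assumed effect model)
    existing_controls: list = field(default_factory=list)
    new_controls: list = field(default_factory=list)

def risk_score(asset_value, lhot, lov):
    return asset_value * lhot * lov  # assumed form of f(Asset Value, LHOT, LOV)

def apply_controls(lov, controls):
    # Only implemented controls count (implementation status, page 14); LOV never drops below Low.
    for _name, reduction, implemented in controls:
        if implemented:
            lov = max(LOW, lov - reduction)
    return lov

def recommend_treatment(score):
    return "Tolerate" if score <= ACCEPTANCE_THRESHOLD else "Treat"

def follow_up(option):
    # Page 26 rule: act on Treat/Transfer, obtain approval for Tolerate/Terminate.
    return "Take Action" if option in ("Treat", "Transfer") else "Take Approval"

def document_risk(atv):
    initial = risk_score(atv.asset_value, atv.lhot, atv.lov)
    lov_existing = apply_controls(atv.lov, atv.existing_controls)
    lov_new = apply_controls(lov_existing, atv.new_controls)
    revised = risk_score(atv.asset_value, atv.lhot, lov_new)
    option = recommend_treatment(revised)
    return {"atv": (atv.asset, atv.threat, atv.vulnerability), "risk_score": initial,
            "after_existing_controls": risk_score(atv.asset_value, atv.lhot, lov_existing),
            "revised_risk_score": revised, "rtp": option, "action": follow_up(option)}

# Constructed input built from the page-28 scenario (all ratings are assumptions).
SCENARIO = ATV("PHI on the network and in the lab area",
               "Transferred staff keep the access rights of their previous department",
               "Access rights are not revoked on department transfer", HIGH, MEDIUM, HIGH,
               existing_controls=[("Annual access review", 1, True)],
               new_controls=[("HR-triggered de-provisioning on transfer", 1, True)])
```

`document_risk(SCENARIO)` returns the page-27 record for one A-T-V combination: the initial score, the score after existing controls, the revised score after the new control, the RTP option and whether action or approval follows.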

Page 29: Hipaa risk analysis_1.4


Questions

Email: [email protected]


www.sisainfosec.com

LinkedIn: http://www.linkedin.com/in/dharshanshanthamurthy