Clearwater Compliance: Reinforcing Cybersecurity in Healthcare

Steve Cagle, CEO & Director
Over the years, malware such as WannaCry, Upatre, and Cerber has consistently caught the attention of companies small and large. Digging deeper, a study by FortiGuard Labs states that healthcare organizations experience more than twice the number of attacks on average as organizations in other vertical market categories. This is because patient records and research assets are more critical than any other data and their value is much higher on the black market. The healthcare industry is also more vulnerable than other sectors because its networks are increasingly interconnected, linking doctors’ offices, hospitals, insurance companies, contract workers, suppliers, and other entities. This interconnectivity increases the industry’s exposure to breaches through lost or stolen devices. This is why the HIPAA Security Rule requires that healthcare business associates and covered entities do a good job of looking at their audit trails and access records, especially for electronic protected health information. It is really important to monitor and review those system logs to see over time when these attacks occur. Offering robust healthcare compliance and cyber risk management solutions, Clearwater Compliance enables healthcare providers to navigate the ever-evolving threat landscape while meeting HIPAA requirements. Endorsed by the American Hospital Association, Clearwater Compliance has been instrumental in mitigating healthcare cyber risks for over 400 customers.

The company’s backstory began in 2009, when Bob and Mary Chaput, thought leaders in healthcare privacy and security, set out to empower healthcare organizations to become and remain compliant with HIPAA rules. Soon after Clearwater Compliance’s inception, the founders observed the rapid development of new technology and electronic protected health information (ePHI) and decided to offer a full range of cyber risk management solutions. In response, the company developed its Information Risk Management Pro (IRM|Pro) software, an enterprise cyber risk management system that empowers its clients to develop and mature their information risk management platforms. Built by healthcare experts, the solution exhibits the unmatched experience of its founders in delivering privacy and security. Many organizations struggle to become compliant with regulatory requirements and to build strong security programs. “Organizations cannot afford to underestimate the scale and potential cost of cyber threats and security breaches,” says Steve Cagle, CEO and director of Clearwater Compliance.

Simplifying HIPAA Compliance

Clearwater Compliance offers powerful, web-based software services to operationalize the client’s privacy, security, compliance and cyber risk management programs. As the first step in the process of ensuring effective cybersecurity, Clearwater Compliance’s IRM|Pro is a scalable SaaS solution empowering healthcare firms to underpin their cyber risk management programs. In its recent launches, the solution now offers new CyberIntelligence dashboards that allow clients to gain actionable insights into vulnerabilities and their remediation. At the same time, the dashboards provide real-time updates on the risk analysis progress and on control deficiencies, identifying areas where action needs to be taken. Further, the platform enables seamless enterprise collaboration by allowing clients to assign tasks such as risk mitigation actions, track performance, and get reports on progress. All in all, Clearwater Compliance’s IRM|Pro solution offers clients increased operational efficiency along with an intuitive interface to navigate risk scenarios and exposures and run analytics in real time.

Clearwater Compliance’s Information Risk Management Pro (IRM|Pro) suite of software comprises five modules: IRM|Analysis, IRM|Security, IRM|Privacy, IRM|Framework and IRM|Maturity. “The major benefit that we provide through the IRM|Pro suite is that we fundamentally assist organizations in avoiding monetary losses,” states Cagle. The IRM|Security and IRM|Privacy modules identify compliance gaps by detecting missing and outdated policies and automatically generating specific remediation paths and strategies. The modules then facilitate execution of plans, provide dashboards that reflect the client’s current status, and serve as a document repository that houses all the policies, procedures, laws, evidence, and reports that make up an effective compliance program. In addition, Clearwater Compliance provides a HIPAA security assessment workshop to help its clients comply with the HIPAA Security Rule. The workshop combines the IRM|Security solution with an expert team that offers hands-on training and support to safeguard sensitive information. Through the workshop, Clearwater Compliance evaluates the client’s compliance with the requirements through detailed assessments and prepares a remediation plan to maintain compliance status.

As a key constituent of the cyber risk management system, IRM|Analysis enables clients to assess, monitor, and report on all their risks and risk mitigation actions. Clients can easily catalog their asset inventory information through data upload and guided data entry. With IRM|Analysis’ preset out-of-the-box settings, clients can gain insights into their risk profile. Further, the solution automates the conventional process outlined in National Institute of Standards and Technology (NIST) SP 800-39, which is the basis of the HHS/OCR guidance on performing risk analysis. As a highly scalable software solution, IRM|Analysis provides a very detailed and systematic industry-standard approach to information risk management with extensive automation features. Using the solution’s CyberIntelligence dashboards, clients can get actionable insights into critical vulnerabilities with real-time updates on risk analysis procedures and risk mitigation status.

Clearwater Compliance also assists clients in adopting the NIST cybersecurity framework through its IRM|Framework module, which helps capture current profile and tier information to identify a target profile and create an action plan. At the same time, the solution enables clients to evaluate the progress and status of adoption. Finally, the IRM|Maturity module allows healthcare providers to assess core IRM capabilities and establish the required level of maturity for their IRM programs. Through the solution, clients can monitor the progress of their IRM programs and create plans to boost their maturity.

Preparing for the Future of Risk Management

Illustrating the effectiveness of the IRM|Pro software is Encompass Health, one of the largest providers of post-acute healthcare services. The healthcare company needed to establish an accurate and comprehensive, OCR-quality risk analysis process to serve as an enterprise-wide security risk management program. It adopted Clearwater Compliance’s IRM|Analysis from the IRM|Pro software suite to implement and automate an OCR-compliant risk analysis process. Along with the completion of Encompass Health’s risk assessment report, Clearwater Compliance’s NIST-based software and process led to additional positive outcomes such as centralized risk data, real-time risk analysis, simplified report generation and risk tolerance adjustments. “It’s been a very collaborative relationship. Clearwater Compliance has been very responsive to our needs and supportive in helping us achieve our risk assessment objectives,” says Mitch Thomas, Chief Security Officer, Encompass Health.

As the helmsman of Clearwater Compliance, Cagle brings his extensive experience in the healthcare and technology businesses to steer the company’s growth plans. Under his leadership, the company is moving towards new growth channels. From a go-to-market perspective, Clearwater Compliance will remain focused on cyber risk management in the healthcare space. For almost a decade now, the company has applied unmatched experience in delivering security solutions in the healthcare space while enhancing its IRM|Pro software suite. As opportunities emerge, the firm envisions expanding and serving other industries with superior quality products, concierge-level customer service, and cost-effective solutions. Today, its IRM|Analysis, which is agnostic of the industry and type of sensitive data, can be used to automate the NIST SP 800-39 information risk management process for any organization. “We will continue to make investments in areas related to the NIST approach, and enhance our products and services in the healthcare industry,” concludes Cagle.

Clearwater Compliance

Nashville, TN

Provides healthcare compliance and cyber risk management solutions that empower hospitals and health systems to successfully manage evolving cybersecurity risks and ensure patient safety.