NJP

Quick wins to optimize HIPAA compliance management using ServiceNow IRM

Import · Jun 20, 2024 · video

...and welcome to today's webinar, Quick Wins to Optimize HIPAA Compliance Management Using ServiceNow IRM. This is certainly top of mind for all of our healthcare customers. We appreciate you spending time with us today as we talk through ways to improve your HIPAA compliance experience. A couple of quick housekeeping notes before we get started: all lines have been placed on mute. We will be monitoring the Zoom Q&A for questions; we do ask that you post your questions in the Q&A as opposed to the chat, as it will allow us to ensure that all of the questions have been answered. This webinar is being recorded and will be shared along with today's slide deck following today's event. You will be receiving a very short survey; if you don't mind, we would appreciate you taking a couple of moments to complete it, as this feedback is helpful to ensure that we are always providing valuable content.

By way of introductions, my name is Christy Drinski; everyone calls me Drew. I am a risk solution sales executive covering ServiceNow's healthcare accounts. I've been with ServiceNow for just under nine years, and I'm based out of New York City. I am joined by Barb and Hunter from our Elite partner Edgile, a Wipro company. Barb, would you mind introducing yourself?

Sure, thanks for having me here today. I'm Barb Johnson. I'm a managing director at Wipro Edgile, and I lead our risk and compliance transformation practice with a focus on ServiceNow. I have a background in healthcare, and that's why I'm very excited to be here today, because healthcare is near and dear to my heart. Over to you, Hunter.

Great, thank you, Barb. Good afternoon, everybody. My name is Hunter Freeman. I'm a senior manager with the Wipro Edgile team, working with Barb in our risk and compliance transformation practice. I'm specifically our technical go-to-market leader, helping to educate our customers on how they can best leverage ServiceNow and other solutions to enable their program objectives. Prior to coming over to the sales side, I previously implemented these solutions for about six years. Pleasure to speak with everyone today.

All right, thank you, Hunter. Thank you, Barb. From an agenda perspective, Barb will begin by walking us through a very brief overview of HIPAA as well as ServiceNow's Integrated Risk Management solution and Edgile's ArC content, and how all of these can be used together to drive efficiencies as it relates to your HIPAA compliance program. Barb will also talk through a case study of a customer journey that was delivered by Edgile. From there we will turn it over to Hunter, who will provide a live demonstration, and last but certainly not least, we will leave a few minutes at the end for Q&A and wrap-up.

Before we get started, we have a quick poll question that we would love to gather some information from the audience on: what are some of the challenges that you face with your HIPAA security rule analysis today?

And Drew, while I'm seeing some answers come in, I know teams I've worked with in the past have definitely faced challenges with a single source of truth, both for the safeguards as well as a lack of a CMDB, or just too many things to try and assess. So I'm seeing some good results come in here.

All right, we almost have a tie. Yeah, for number one. It's like, we are ready. Okay, so it looks like manual processes and lack of a single source of truth for safeguards are definitely in the lead. So, appreciate everyone's participation there. Barb, if you're ready, I'll turn it over to you to talk through the review of HIPAA.

Absolutely. So I know if you're on this call you likely understand or know a bit about HIPAA, so I don't need to go into too much detail, and I won't pontificate up here to you all today, but I just wanted to provide a brief overview and focus on the key areas for why we feel that it can be complicated when figuring out what needs to be included in scope and how teams can address their assessments as it relates to the security and privacy rule, particularly the security rule.

So HIPAA was established in '96 and is focused really on ePHI. I know the teams really want to focus on PHI overall, and it's important to do so, but the teams most likely aligned under the CISO organization are really going to be focusing in on that electronic protected health information. This applies to health plans, healthcare clearinghouses, healthcare providers, and then covered entities and business associates. There can be some really complicated gray area in what those entities look like depending on joint ventures and all different types of legal arrangements, so getting your legal team and compliance team involved in that type of decision making and where it applies is really important. We won't get into that today, but the types of controls and how best to approach the assessment is where we want to focus.

So the types of controls that are included: administrative, physical, technical, whether that's termination of users or administrative controls and looking at passwords. All of that is included within 45 CFR 164 in those sections listed on the screen. The good news in the HIPAA security rule is that there is a section around a flexibility of approach, and so what this allows health plans and providers and clearinghouses to do is you can take an approach that makes sense to you and your organization based on your size, complexity, what EMR you have, as well as what resources you have to conduct assessments, as long as you document that approach and it makes sense. If you just document "we're not going to do an assessment," OCR is probably not going to like that, but if you document a sound logic for why you're scoping only certain areas of your healthcare system, I think that's a valid approach, although please run that by your compliance and legal team. But that flexibility of approach is there for a reason.

And then the last piece here, required versus addressable: there are two different types of safeguards noted, and again this allows the team to have a different view as they're walking through those safeguards. So required, not a lot of wiggle room, but addressable gives you the option to say that safeguard or control isn't right for our environment, and so you need to document why, but you could have a compensating control or approach it with another lens to meet the need. But what that means, and how that creates a challenge, is that it is not a clear-cut regulatory requirement as some of the other regulatory requirements or frameworks that you see out in industry are. So you're not going to see anywhere in the HIPAA security rule a certain number of password characters or length of time before passwords need to be reset; that's just not the level of detail that this gets into.

So how should teams approach that? What we recommend... and oh, I'm sorry, before we get into what we recommend, we have another polling question. We want to know how teams are managing their risk assessments today. Like we talked about, there's lots of complexity; we want to understand how you and your teams are handling that. Teresa, if we can kick that off.

Give us one second here. I think it looks like it's been launched already. Okay, so maybe we need to go ahead with the presentation, and I will get this fixed and we can do it a little bit later.

Okay, all right, sounds good. Well, there are a variety of ways to conduct your risk assessment, but what we're going to talk through today is how you can use IRM in ServiceNow and Advanced Risk to do so. So when we look at the landscape in ServiceNow, particularly in risk and security operations, thinking through what rolls up in a CISO organization, we think about starting with governance and oversight: what are the regulatory requirements that the team is going to be focused on and needs to report up to, one of those things in healthcare being HIPAA, and then Integrated Risk Management being a good tool and module to answer that need and requirement. So then if we drill down a layer deeper, we can see that within the governance and oversight we're able to pull in specific laws and regulations as well as maybe our own healthcare provider policies and standards. We're able to have a risk register that the teams can report out to the executives and C-suite and be able to make strategy decisions from. And then moving into the Integrated Risk Management space, we're able to conduct surveys and attestations, do controls and control testing, as well as reporting out findings and remediations. This is all very important when thinking about the HIPAA risk assessment process, because you can keep it all within one contiguous module and report out from there with an audit mindset, so all of that documentation is going to be retained for the length of time you need it to be. I know certain auditors, particularly in the government space when we're thinking about maybe Medicare and Medicaid, have up to seven years to come back and look at the HIPAA risk assessments. And then as we think about business continuity management, vulnerability response, and some of these other modules, there may be data within there that is helpful when answering the surveys and attestations for a HIPAA risk assessment.

Moving on to how we go about implementing it. So first you want to start by planning for success: what coverage do you need to have? What should our program be doing? Are we only focused on HIPAA, or do we need to cover off on PCI, maybe because we're accepting credit cards within the gift shop or cafeteria? And what is that population? Are we looking at just the hospitals? Are we also looking at the ambulatory locations? And then moving into design: how are we going to work through all of that and deliver the coverage needed to meet the ask? Next we think about capacity: do we have the resources it's going to take to deliver all of that? Do we need more staff on the team, or do we need more automation included in the workflow? And IRM is a great tool to add that workflow automation so you maybe don't need to add more people to the team, particularly if your answer to that last poll question would have been that you're performing these assessments manually with Excel or Word documents or interviews, things like that. And then the last piece here is the service model. So when we think about the structure on the right-hand side of the screen: what governance should we have over the program? What roles and responsibilities is everybody playing in this? Certainly the information security team can't do this alone; we need either legal, compliance, or privacy to weigh in, depending on the structure of your organization. What are the documented processes and procedures, and how can we make that cyclical? What reporting should be in place so everybody knows, when we're done, what came out of the assessment? And then the technology to support this, to make it easier; training and awareness to make sure the team is able to be as efficient as they can be; and then what assurances do we have to make sure we're performing as effectively and efficiently as we can be?

So then moving on, it's easy to get overwhelmed by how much should or could be done. So we like to think of this as a phased approach with Integrated Risk Management and the HIPAA risk assessment. You only have a limited number of resources, and each team is going to have a detailed requirement for how precise they need to be, so your team is going to drive what level of confidence you want to achieve on this five-phase model. That decision shouldn't be made in a silo, in my opinion, so you want to involve, again, your legal, compliance, or privacy team, depending on your organizational structure, and from there you can say we want a moderate level of confidence, so we should work through not just the risk register and the risk assessments, but we should make sure we're doing a touch of control documentation and documenting policy exceptions, things like that.

All right, from there you may be thinking, okay, I understand how we're going to do IRM, but how are we going to understand everything that there is to know within HIPAA, being that it's so subjective, or it's not subjective, I should say. So we have what we call the ArC content, and that provides different regulatory, compliance, and framework content that we have taken and pulled together in a harmonized fashion. It's available for 20 industries, but today obviously we're going to focus on healthcare and life sciences. It leverages a three-prong compliance approach: we have the source content that we're monitoring and updating, so if CIS or NIST CSF comes out with a new version, that's going to get updated on a quarterly basis, and that comes with a source change notification, and then there will be compliance reporting. What this looks like in practice is that there are 850 authority documents parsed out into 7,000-plus citations, and those are verbatim line-item citations, so we haven't taken an interpretation of HIPAA, which I think is really important, because when you start to interpret what HIPAA means, that's maybe something best suited for a legal or compliance team. So those citations are verbatim, but they have been mapped to control objectives and risk statements, and so those control objectives and risk statements can be tested by your team, or you can conduct risk assessments against those, and that's where you can gain the additional efficiencies. So if we use this picture as an example, your team may have to work to meet HIPAA but may also have to comply with PCI requirements, and so if you have password standards you need to look at under HIPAA as well as under PCI, PCI is going to dictate that you have X number of characters within that password; HIPAA has not. But here, as we harmonize those authority docs into the citations and then one harmonized risk statement and control objective, you can do the test-once-and-apply-many approach for your EMRs, etc. Now, that integrated password requirement is maybe not as applicable for a data center or an ME if we're thinking PCI, but PCI may have requirements to keep those locations secure, depending on how you've structured your PCI environment. So this is a way to pull in the content, have it available and readily available to your teams in that citation format, and then harmonize it and use it in that assess-once, apply-many approach within your ServiceNow IRM environment.

And so rolling into the case study, what we were able to do for a customer of ours is implement ServiceNow IRM Advanced Risk within a 12-week implementation cycle, starting with the risk register and moving into entity types and entities. We helped them develop assessments for key assets that contained ePHI: their primary EMR, their secondary EMR that they used for the ambulatory locations, as well as a data center assessment and a secondary physical site assessment. And then they were able to perform risk analysis based on those assessments we created and configured in their environment, and those risk assessments were performed with a level of automation in their workflow to allow for automated issues to be generated when the risk tolerance was breached. That helped the team spend less time in the weeds and more time focused on the issues that were above their risk appetite. And then lastly, that overall implementation helped them see the bigger picture with reporting, because they had a dashboard with a heat map that they were able to walk through with their executive-level team and present to the board ultimately. And then, I don't know if all of you refer to the reporting as being needed for an assessment binder, but I've seen it at several healthcare locations and providers that, because it used to be a physical binder that you would stick everything into when it used to be called Meaningful Use, that term has carried over. So the reporting can be generated per entity within ServiceNow IRM, and those PDFs can be saved in what is now a virtual assessment binder for Promoting Interoperability or whatever you need that for, to continue meeting your regulatory requirements.

There were several very key benefits for this team. They were able to decrease the time needed to complete the assessments. They had an audit log of all assessment activities ready and available in case any regulatory body came to audit their activities. They were able to complete more, pardon me, remote assessments, which in the post-COVID world is really key, and they were able to conduct more assessments. So even though they followed that flexibility of approach methodology, they were able to increase the number of ambulatory locations they were assessing and see more in the field to understand where some key risks were for them that needed to be corrected. And they were also able to increase their ability to track risks and issues, with notifications to help their subject matter experts respond to those risks and issues in a more timely fashion. So overall I think the team was very happy with what they had with the implementation, and they were able to optimize without adding an additional team member or members to the bench. So with that, I will pass it over to Hunter for the demo.

So while you're getting the demo ready, Hunter, would you all like to launch the next poll and see what we find out from customers here about their assessments today? Oh, perfect timing, Teresa. All right, let's see what they have to say.

Perfect. I'll maybe just give a minute on this, Teresa, and we will get into the system here.

Right, I see a few things coming out. Yeah, manual, ServiceNow, a few other solutions. Right, I think they're slowing down. Let's go ahead and end the poll and we can share the results. Manual is high again; lots of manual processes. I've definitely been in those shoes and understand the challenges associated. All right, well, I'll turn it over to Hunter now. Thanks, Teresa.

Great, thank you, Teresa. So what I wanted to demonstrate today is really just to take folks through an example of what operating your HIPAA risk assessment process can look like in ServiceNow, and how we apply some of those lessons learned and good practices that Barb was mentioning during the presentation, and really bring those to life. So first, where we like to start is just with an example of what the risk management workspace in ServiceNow can look like. I'm logged in right now as a risk manager for my healthcare organization, and right at the top here I'm able to select my HIPAA risk assessment, so the methodology I'm employing to perform my annual risk assessment. By choosing this, I can get at-a-glance summary statistics across my environment, specifically for my HIPAA risk profile in this case. So I can see that from past assessments I've completed, maybe last year's results, I've got a breakdown of my risks in terms of low through very high, and we can even start to get into heat map reporting. We'll take a deeper dive into what some of this reporting can look like, but there's a lot of value for me as a risk manager in just having all of this information at my fingertips on my homepage. And it's not just limited to reporting, but also giving me a quick view: what activities, what tasks, what work do I need to get done? Maybe those are risk assessments I need to complete as part of this year's campaign, or what's pending in my group's queue. And we can also start to get into summary information: what are the highest risks in our environment? Where do we have perhaps open issues because we breached that risk tolerance and we need to go and do something about that? Or if we have overdue tasks, hopefully not 1,400 overdue tasks, but items that we need folks' attention on. Really just surfacing all this information for me as a user so I can effectively manage my program.

But what I want to show the team next is just a quick example of that ArC content that Barb was mentioning, how we can tie this out to various different sources in our environment and then use this as the basis for a risk register and go forward with a risk assessment campaign within ServiceNow. So I'm looking at what's called a control objective, and this is effectively a control within my compliance framework, in this case a control I require around management approval of privilege assignment. Looking at this control objective, again I'm going to get summary information about how this control looks across our environment. I have six controls derived from this, so overall I know that I'm 80% compliant against this objective, and it turns out that that 20% difference perhaps is because I have one failed control test related to my Acme Care EMR that we'll be using as our example today. But really where the power of this comes in is when we look at these citations. So I've filtered my list here slightly, but this is the key concept where ServiceNow enables us to link our controls or compliance frameworks against all of our relevant regulatory mandates, so not just HIPAA but that broader world of sources that we may need to address. And so I can see I do have two subsections from HIPAA mapped here, where we're talking about the need to have sign-off on our privileges before they are provisioned, but I can also get accessory information, so maybe if I want to consult NIST 800-53 as an additional source on what is actually expected, how might I go about implementing this control. We can link all of this information here in one place and really start to use that as the basis of our program.

Where it starts to get even more exciting is our ability to do truly integrated risk and compliance. So while of course I need to implement controls to comply with HIPAA, we're here today to talk about our risk assessment, and so I can link the controls in my framework against their corresponding risk statements, which would comprise what I might think of as my risk register. So if we just drill into this linked risk statement, we're again going to get summary information. I've assessed this risk in various places in my environment as part of my HIPAA risk assessment methodology. I can see that overall I've got a moderate residual risk, what's driving that from the specific underlying risks that I've assessed, and even start to get information such as where the top risks are in my environment as I maybe start to scale this program; I want to drill in and focus on those. What is my overall approximate control effectiveness for the controls in place to mitigate this risk wherever it applies in our environment? There is a lot of power here for me as a risk or compliance manager to just surface the information and help understand where I need to focus to ensure my organization is best meeting its obligations.

But when we think about these risk statements and how we apply them in our HIPAA risk assessment, really one of the key concepts we're going to have is our ability to set our risk appetite and our risk tolerance. And so as an organization, for whatever I'm using as my risk register, the ability to define these appetite and tolerance levels and have that automated in the system, as we'll see come through in the risk assessment, really helps me start to drive more efficiency and automation in the program, because as I'm doing these risk assessments I'll know in real time if I'm stepping outside of my organization's appetite or breaching our tolerance for these risks wherever we're assessing them. And we can use that to more efficiently drive action and just focus where we need to put our attention to get the biggest return on our investment, because we do have limited resources; we know we're all struggling with scale and scope. We'll come back to that risk appetite topic and what it looks like in practice.

But the last thing I want to mention in terms of how we set the stage with ServiceNow to go do our risk assessment is going to be this concept ServiceNow gives us of an entity type and our entities. Fundamentally, when we talk about ServiceNow or how we run any risk and compliance program, we need to define our scope: what are those things that we are going to go manage risk and compliance for, and then what are the risks and controls that apply to those things? ServiceNow answers this question through our entity types and our entities. Think of an entity type as a collection of risks and controls from our risk register and control framework that we need to manage for a given type of thing in our environment. So I've defined an entity type that's going to cover my EMR systems, and I'm saying here that these are the 22 risks and 22 controls that I expect to address with any EMR in my environment. And we know there may be multiple, but with acquisitions and M&A activities going on non-stop, we want to be consistent and scale. So these entity types help us to be consistent: anywhere I have an EMR in my environment, which we'll model as an entity, I simply apply this entity type and they inherit our 22 risks and controls, effectively scoping what we need to go address within that EMR. And while we won't get into detail on it today, we can of course automate this through ServiceNow. If I'm managing my EMRs in my configuration management database on ServiceNow, then let's go ahead and automatically generate this entity and assign these controls any time we know there's an EMR in our CMDB. So maybe we bring a new one on board through acquisition activity; let's make sure we don't miss a step and use this automation to close that loop.

Now, with that, where we really want to go next is what the actual risk assessment looks like. So if I just drill into one of my entities here, we'll look at Acme Care, our hypothetical EMR, today. There are a few key points we want to make. Again, I'm going to get a summary on my compliance and my risk position based on assessments I've completed, perhaps in my last year, but more interestingly I can see that universe of risks. We notice here I've got a few more than the 22 risks that we assigned through our entity type, and that's because we can put these entities into a hierarchy. I think a common challenge we hear from our customers is: there are so many things I need to assess, the interrelationships are complicated, I have an EMR that's used by multiple care facilities, maybe across multiple regions I'm managing, but not everybody uses the same EMR. How do we start to reflect and model the complexity of our environment, and then how do we create a true holistic risk picture reflecting those dependencies? And so through ServiceNow we can take these entities and start arranging them into a hierarchy, create those relationships, and all of our risk and compliance information coming out of our assessments is going to start to roll up along this hierarchy. So if I just look at what's directly related upstream, I can see that my Acme Care EMR is used at the Sentry Medical Complex and St. Thomas's Hospital. Similarly, if I look at what's downstream, I know that my EMR in this instance is running out of my Eastern data center and my Midwest data center. So by creating all of these relationships, now when we go look at the risk or compliance profile for, say, St. Thomas's Hospital, information on the controls and risks we've assessed around Acme Care is going to be reflected in St. Thomas's overall risk profile. And if we take that a step further and look at everything that's upstream, we know that St. Thomas's in fact is rolling up to our Acme Midwest region. So all of this information is filtering up, and it's giving me that ability to answer nuanced risk and compliance questions on an individual entity basis, be that my Acme Care EMR or St. Thomas's Hospital, but also at an enterprise or an organizational viewpoint reflecting all of this underlying information. So I could even start to look at just within my Midwest region, if that's a business unit, how is all of this risk and compliance information rolling up to affect that slice of my organization?

Okay, so with an understanding of our entities, our entity types, and our ability to put a structure in place, this really forms the foundation for us to go perform our risk assessment. And so the next piece I want to touch on is really how we can start to automate the scheduling of our risk assessment and really hold ourselves accountable and make sure we're looking at the right things. So through Advanced Risk we have a built-in solution for our assessment scheduling that's going to take us through just a couple of easy steps. What methodology am I going to use? I'm going to use my HIPAA risk assessment. What are the entities, the scope, that I'm going to put into my HIPAA risk assessment? So here I've defined five entities representing my EMR, some data centers, and facilities, but this is really where we perform that scoping exercise. Once we've defined what we're going to look at, we can very quickly say who needs to respond to risk assessments. If we're going to require approval on them, let's go ahead and reflect that to make sure we get the right sign-off. And last but not least, let's set a consistent calendar-based frequency. I need to perform my risk assessment annually, but let's define this scope once and then kick that off on an annual basis and get automation working for us. And last, of course, I can set expectations for our teams in the field about how long we need, or have, to respond to these risk assessments and gather our data to make sure we're staying on our assessment schedule. With all that information defined, it's a simple matter for me to initiate all of my risk assessments across my in-scope assets, which we've already done in this instance, but then we'll also be able to get real-time feedback through this record on how the risk assessment for this year is shaping up. So I can see I've got a good amount of pending assessments in my Midwest region, but we've also got quite a few that have been completed or that are actively being responded to. All that information is here to help me manage the scoping of my annual risk assessment campaign.

All right, so what we want to look at next is an example of an actual risk assessment. As a user, all my risk assessments live in my workspace under my tasks if I've been assigned one, and I have here a risk assessment we initiated for the Acme Care EMR on that management approval of privilege assignment risk. We'll go ahead and pick up our risk assessment here, and we're going to see there's a lot of flexibility. This can of course be configured to your organization's risk methodology, but we're going to use a simple common structure: inherent, our control effectiveness, and then an output of a residual risk rating. So I give a simple series of questions to the user, in this case: what's the inherent impact of this risk? And I've got my statement of the risk right up top here to guide the user as far as what we're asking them, and if we have any related information, maybe we already know there's an issue related to this risk, or if we want to dig deeper into the details, all of this context is available to me immediately in the sidebar. And since we do this on a recurring basis, I can even see what the results were last year or the last time we completed an assessment of this risk. So all this context is here to help me get through this more efficiently and make sure I have the right information available to inform my responses. But we'll go through and complete it. Perhaps from an inherent risk perspective, if we're not having appropriate approval, we're going to say that could be a major impact. If we don't have any controls, folks are going to get too much access or the wrong access, and it's almost guaranteed that we're going to see some event resulting from that. You'll notice as I'm choosing these answers my risk rating is updating in real time, and so too is my appetite status. Right now I know I'm outside of my risk tolerance, but we've only done the inherent assessment.

For our next step we'll look at the control assessment. I mentioned that our risk and control frameworks can be linked, and sure enough, our risks and controls are directly linked, so I can add in here what controls we have in place to mitigate this risk. And maybe I want to add more; it's a simple click of a button to pull up my related list of controls and add them in and create these associations on the fly. But I can see here we have a control; it's been determined to be non-compliant, and actually, if we again look at that contextual information, I can see I've got a high-risk issue and a failed control test on my compensating control here. Last year when we completed this, we said this control was partially effective, but perhaps now we have a little more information; maybe we still want to claim it's partially effective, or maybe we're going to even revise this and say, you know what, this isn't effective, we know there are issues with this control. If at any point we want to provide context on our decisions, we can add these comments in live and let everybody know, maybe that reviewer, why we picked the answers that we picked.

All right, so once our control assessment is complete, we'll move on to our residual risk. In this case my residual risk is automatically calculated off my inherent and control effectiveness, so we can get a little more of that automation working for us, but we always have the option to subjectively override that risk score. Maybe I want to say this is actually just high, and I can give a justification for that, but I am still breaching my risk tolerance, and so the system is going to mandate that I give a comment about why we are outside our risk tolerance. So we identified an issue we know exists, and we'll move on. Our last step here is an inbuilt capability to generate a risk response, our traditional mitigate, transfer, accept, avoid. So because I am outside of my tolerance here, we set a rule to say that a risk response must be put in place; we cannot allow you to leave this unresponded given that we have breached our tolerance. We'll choose that we're going to mitigate here, and with that we'll go ahead and review and submit our risk assessment. We're going to get that summary result; everything we just put in, any comments we included throughout this are going to be presented, and now I can go ahead and submit this risk assessment, provide any comments to that approver if we're requiring that, and send it off. Now, in my example I'm not requiring an approval, but we can of course have an approval workflow if you want that secondary assurance, QA, and oversight. It's very simple for us to put that into the workflow here. And with that we've completed a risk assessment; we've identified that it's outside tolerance, and we know that there's going to be something that needs to be done about it.

The last piece of automation I wanted to show today is that based on that risk breaching our tolerance, or rather, I breached my tolerance in a previous risk assessment of that same risk, the system has been set up to automatically generate an issue. I know that my management approval of privilege assignment has a breach of risk tolerance; therefore, let's put an issue in place and use the workflows ServiceNow provides us to go and resolve that issue. We're not going to step through the whole issue and remediation workflow today, but this is really a key point as we think about how we're addressing our HIPAA compliance: we breached our risk tolerance, automatically generated an issue to show that we're aware of this problem, and now we're going to have this workflow in place to document what that issue is, what its impact is on our environment, and go put corrective actions or remediation tasks in place to show that we have a plan to respond to that failure and bring that risk tolerance back within our appetite. The last item I want to touch on today going to
be of course some examples of what we can do from a reporting perspective and this is all out of the box with service now so what I've opened up here is what we call our heat map workbench and so right off the bat I'm seeing here a heat map structured along my impact and likelihood scales with all the risks that I've assessed across my environment through that exact same risk assessment we just looked at and what's really powerful for me as a user here is my ability to filter and update this report on the Fly maybe right now I'm looking at an inherent risk view but I'm really more interested in my residual risk view as I move it here the system is going to call out things so these flagged risks up here that indicates to me that those risks are outside my tolerance probably require some manner of attention you'll notice our management approval privilege assignment risk we just assessed is one such risk or we'll get this little warning sign indicating we have a risk that is outside of our appetite we haven't breached tolerance yet but we're outside our appetite let's put a yellow flag out there and go focus on this but we can take this a step further maybe I just want to see my top 10 risks residually within the organization a few clicks of a button and there we go that's my viewpoint maybe I want to see the top 20 risks and last but not least because we have this concept of entities I can start to filter this report on the fly to see a risk profile of a given entity so maybe I just want to know for the acne care EMR what does this disposition look like there's my top 20 risks residually across a heat map for my acne care EMR with that I'm going to wrap up to the demo for today and I'll hand it back to Drew to close us out with some Q&A but I hope this has been educational for everybody and helped you to understand how you can use service now to both power your risk assessment process as well as start to produce really powerful Dynamic reporting go tell your hippo 
risk assessment story both to your internal teams and potentially to your Regulators so Drew over to yourself sorry I'm gonna steal it from Drew real quick Hunter can you go back to your last tab on the issues can we just highlight how the issue is tied to the risk there was a question about that oh absolutely I'm apologize that I missed that no no you're watching the chat while you're demoing service now gives us a great amount of we can relate just about anything to anything so we know this issue was automatically Associated against our risk on on that acne care EMR system and this all happened without any manual intervention we completed the risk assessment the system generated the issue and it linked everything up for us so not just the risk that was impacted but knowing it was on our acne care EMR and any other data that we may start to have over time if we create remediation tasks all of that's going to be accessible to me through my lists across the top here uh to give us that context as we're working through okay great thank you now we'll um pass it back to Drew for questions all right thanks Hunter thanks Barb so I know that there was two questions that were still outstanding in the Q&A that we intentionally left for discussion at the end um so I know that we only have a couple of moments left but uh one of the questions was how would you compare and contrast the service now provided UCF versus The Arc content provided by agile so I don't know if Hunter you wouldn't mind taking that one yeah absolutely thanks for the question Samina so conceptually uh UCF and Arc are similar we are talking about integrated compliance Frameworks that are harmonizing together multiple Authority documents um so conceptually similar but we would say where Arc differentiates a little bit is that it's addressing both integrated risk and compliance whereas to my understanding UCF tends to be focused more exclusively on the compliance aspect uh control objectives in service now 
terminology Arc is going to give you that integrated control framework and risk register so that we can really start to speak to both sides of the coin and how we are addressing the inter relationship between risk and compliance the second point I would call out from a a key different standpoint is uh UCF tends to have a larger number of controls I won't comment on what the exact number is it varies but we're typically talking about a significant volume for most of our healthc care customers who use our Arc content that ultimate control framework let's call it is going to be comprised of somewhere between 250 and 300 controls as opposed to a potential order of magnitude more uh said differently we think it helps scale a little bit better and keep the number of controls and risks ultimately need to manage in your environment to something a little more sustainable for your teams all right perfect thanks Hunter and one other thing to knowe while the UCF content is available for download on the service now it's not specifically provided by service now so that was just one other thing to note um it's leveraged by the unified compliance framework so one other outstanding question um coming from Cheryl do best practice for Assessments in irm are to have multiple assessment types we are trying to roll up niss and Hippa into one risk assessment for all of our business applications it's not been very successful so Barb do you have any insight into that question sure uh I completely understand uh how teams can get stuck in that analysis paralysis it can be overwhelming looking at nist and Hippa trying to consolidate that's where I think Arc uh can come in and and help facilitate that and what Hunter was just talking about where the harmonization of those controls and risks down to a smaller hopefully more manageable number um is what we have tried to accomplish and where we are hopefully helping teams in that manner happy to talk um about that in your use case uh one-on-one I 
know everybody has unique challenges and and why things maybe aren't successful um but the the goal of Arc or any content pack really um UCF as well is to help harmonize nist and Hippa and trying to go at it alone can be challenging but in in terms of answering the best practice piece of your question I would say uh it's a worthwhile exercise because audit and assessment fatigue is real um and so it's a meaningful and worthwhile exercise all right um thanks Barb appreciate it so just to quickly wrap up if any of you have additional questions or would like to spend more time talking with service now or agile we are certainly happy to extend those conversations please do not hesitate to reach out to Barb hunter or myself additionally we have provided links to connect with us by way of service now's website and I believe that Teresa from our marketing team has also posted some of this to the chat um our community where our customers are having open dialogue and collaborating service now's YouTube playlist where we have posted a number of helpful OnDemand videos we also encourage you to participate in future events and we have provided a link here where we keep our event calendar updated with that thank you so much everyone for your time today I would also like to extend a very sincere thank you to Barb and Hunter at agile for your collaboration and continued partnership in today's webinar again please feel free to reach out to us to continue conversations and we are looking forward to seeing you in upcoming events hope everyone has a great day

View original source

https://www.youtube.com/watch?v=vS_Gn7PWZDE