What Is Security Risk Analysis? By: MedSafe


Published on

What exactly is a Security Risk Analysis? Most practices ask, we deliver. This presentation covers all you should be concerned with. Go to www.MedSafe.com for more information!

Published in: Health & Medicine
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • If an organization determines that the implementation specification
    is not reasonable and appropriate, the organization must document
    why, and adopt an equivalent measure if it is reasonable and
    appropriate to do so.
  • What Is Security Risk Analysis? By: MedSafe

    1. 1. Why Security Risk Analysis? MedSafe “The Total Compliance Solution”
    2. 2. Presentation Outline HIPAA Security Rule  Security Risk Analysis Definition  Security Risk Analysis Requirements  Security Risk Elements & Implementation 
    3. 3. PHI / ePHI SECURITY REQUIREMENTS as defined under the HIPAA Security Rule
    4. 4. What is ePHI? Electronic Protected Health Information Personally identifiable electronic protected health information that is stored, accessed, maintained, retained, destroyed, transmitted, held, used or disclosed
    5. 5. What is “unsecured” PHI? Unsecured PHI/ePHI is that Protected Health Information which is NOT: Rendered unusable, unreadable, indecipherable to unauthorized individuals
    6. 6. How do I secure PHI/ePHI? Section 13402 of Title XIII of the HITECH Law and the American Recovery and Reinvestment Act of 2009 (ARRA); Options include use of encryption technologies and proper destruction methods as defined by HHS. Once PHI has been de-identified in accordance with the HIPAA Privacy Rule, it is no longer PHI and is therefore, no longer subject to the HIPAA Privacy and Security Rules.
    7. 7. Encryption Encryption is the process of securing electronic information by transforming it into code that would render it unreadable, indecipherable and unusable to any unauthorized individual. Authorized individuals possess a “key code” to decrypt and access the secure information.
    8. 8. Encryption & Breach If secured (encrypted) ePHI were stolen /accessed by an unauthorized individual, the access would NOT constitute a breach because the individual would not be able to read the ePHI without a key code. Examples of ePHI mechanisms that should be secured with encryption:  Laptops/EMR Tablets  Smart Phones  Email  Website portals / gateways  EMR interfaces, efaxing; eprescribing  Back-up tapes / CDs  External hard drives / flash drives
    9. 9. HIPAA Security Rule The final regulation under HIPAA, was published February 20, 2003. The Security Rule specifies a series of administrative, technical, and physical security procedures for Covered Entities to use to assure the confidentiality, integrity, and availability of Protected Health Information (PHI).
    10. 10. Under 45 C.F.R. § 164.302 – 318 Organizations must identify and implement the most effective and appropriate administrative, physical, and technical safeguards to secure electronic protected health information (e-PHI).
    11. 11. The Security Rule identifies Risk Analysis as the foundational element in the process of achieving compliance.
    12. 12. The very first specification in the HIPAA Security Rule is Risk Analysis: “What could happen?” Hackers broke into the United Nations computer system and hid there for two years. How do we know someone is not in our hospital computer system? Risk analysis lays the foundation for next specification in the Security Rule ……. Risk Management.
    13. 13. What do the numbers say?     39% of privacy breach incidents on the OCR “Wall of Shame” (breaches of 500 or more website) have occurred on laptop or mobile devices 88% of exposed records are mobile-media related 60%+ of breaches have a strong malicious component Business Associates are involved in over half of breaches Source, J. David Kirby, Former Director, Information Security Office, Duke University Health System
    14. 14. Covered Entities are required to:   Evaluate risks and vulnerabilities in their environments Implement security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI Risk analysis is the first step in that process.
    15. 15. (45 C.F.R. § 164.308(a)(1) The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.”
    16. 16. Risk Analysis Requirement § 164.308(a)(1)(ii)(A) Conducting a risk analysis includes identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.
    17. 17. OCR RISK ANALYSIS Directive Per The Office for Civil Rights (OCR): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
    18. 18. Vulnerability…defined National Institute of Standards & Technology (NIST), US Department of Commerce, Special Publication (SP) 800-30, defines “vulnerability” as: “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.”
    19. 19. Vulnerabilities expanded     Vulnerabilities, whether accidental or intentional, could potentially result in a security incident, such as inappropriate access to or disclosure of e-PHI. Vulnerabilities may be grouped into two general categories, technical and nontechnical. Non-technical vulnerabilities may include ineffective or nonexistent policies, procedures, standards or guidelines. Technical vulnerabilities may include: holes, flaws or weaknesses in the development of information systems; or incorrectly implemented and/or configured information systems.
    20. 20. Considerations for Organizations Determine the most appropriate ways to achieve compliance, taking into consideration:      the characteristics of the organization the physical environment communication methodologies technological infrastructure How ePHI is stored, shared and managed
    21. 21. Security Rule Specifications Addressable v Required (68FR 8334, 8336 (Feb. 20, 2003).) The Rule contains several implementation specifications that are labeled “addressable” rather than “required.” (68 FR 8334, 8336 (Feb. 20, 2003); 45 C.F.R. § 164.306(d)(3).) An “addressable” implementation specification is not “optional”. The outcome of the risk analysis process is a critical factor in assessing whether implementation of addressable specifications or equivalent measures are reasonable and appropriate.
    22. 22. Risk Analysis Ongoing Risk Analysis should be performed by a qualified external professional to ensure objectivity and should include the following steps:       Physical site assessment and personnel interviewing process Identify technological infrastructure & data management Identify and document privacy & security vulnerabilities Collect documentation as proof of security measures Identify existing security measures, including encryption Implement ongoing plans of corrective action
    23. 23. ARE YOU READY? KPMG has secured a $9.2 million contract with the Office for Civil Rights (OCR) to conduct random HIPAA HITECH Audits of Covered Entities. The audits have already begun.
    24. 24. KPMG says……. After wrapping up site visits for the initial 20 compliance audits, the top HIPAA official at KPMG says Covered Entities (CEs) are failing to complete basic tasks, such as conducting a Risk Analysis and distributing a Notice of Privacy Practices.
    25. 25. Who is under the microscope?     OCR contracted the consulting firm, Booz Allen Hamilton, to “identify audit candidates” and “provide background and recommendations” for the audit program. The first 20 of those audited, were grouped by level of information technology sophistication and by type of entity, with four “levels” or tiers among them. Of the 20, 10 were providers, eight were health plans and two were clearinghouses. All Size Covered Entities Were Audited
    26. 26. Tier 1 organizations are the largest…… ...with “revenues or assets greater than $1 billion,” including health plans, provider organizations and clearinghouses with “extensive use of health information technology, complicated HIT-enabled clinical and business work streams.”
    27. 27. Tier 2 includes…. …health plans, providers and clearinghouses including hospital systems with 3 to 10 hospitals or regions, and regional insurance companies with assets valued at between $300 million and $1 billion.
    28. 28. Tier 3 includes… ….health plans & providers which could include community hospitals, outpatient surgery centers, pharmacies and “self-insured entities that don’t adjudicate their claims.” With revenues between $50 million and $300 million each, with some, but not extensive use of HIT [and] mostly paper-based workflows.”
    29. 29. Tier 4 includes... ….health plans and providers, described in OCR presentations as provider practices with 10 to 15 providers, and a community or rural pharmacy, with “little to no use of HIT, almost exclusively paper-based workflows” and “less than $50 million” in revenues.
    30. 30.   The audited entities ranged in complexity from single physician practices to complex acute care medical centers A covered entity can do its best to ensure broad compliance across all aspects of its operations, while the audit team might zero in on one department.
    31. 31. Michael Ebert, national HIPAA services leader for KPMG, which is performing the audits for OCR, stated… In addressing what covered entities should be doing in light of the audit program, Ebert said: “Do a risk analysis, risk assessment.” “I’ll tell you now, on everything we do, that’s the biggest weakness we see,” he said. Ebert added that “People need to understand that safeguarding PHI goes beyond electronic. It goes to paper and oral. So how you set up your ERs, how you set up your consultation area” matter, he said.
    32. 32. Elements of a Risk Analysis include…          Analysis of technological infrastructure Internal operations & ePHI management ePHI sharing, interfaces, communication methodology Existence of policies and procedures Provision of ongoing staff training Identification of ePHI sources & vulnerabilities PHI storage and physical PHI security ePHI preservation and operations Workstation security & internal processes
    33. 33. Compliance Checklist        Implement HIPAA/HITECH Policies & Procedures Conduct Risk Analysis Conduct ongoing employee training Collect documentation of compliance efforts Implement written plans of correction Ensure existence of data security measures Facilitate patient rights under the law
    34. 34. Accountability Security Risk Analysis establishes accountability. Covered Entities are ultimately responsible for protecting patients’ information they have been entrusted with. Risk Analysis is an important tool that helps ensure the privacy and security of the information that CEs Have promised to protect under the Law.
    35. 35. In Summary, Security Risk Analysis: ...is a requirement. ...protects Covered Entities and patients. ...reduces the potential for breach. ...improves quality measures and establishes accountability. …facilitates CEs’ receipt of CMS EHR Incentives. …establishes ongoing goals. …from an ethical standpoint, is the right thing to do.
    36. 36. MedSafe “The Total Compliance Solution” www.medsafe.com