Stage 2 Meaningful Use: The Next Step in Security Risk Analysis

A brief overview of changes in stage 2 meaningful use.

Published in: Technology, Business

Transcript

Stage 2 Meaningful Use: The Next Step in Security Risk Analysis

At first read, the security risk analysis (SRA) provisions of the proposed Stage 2 "meaningful use" regulations appear to have changed only slightly from those in Stage 1. The language in the draft rule is nearly identical to Stage 1, with one notable addition highlighted below:

"Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process."

Covered entities and eligible providers must now address the issue of encryption of "data at rest" as part of their security risk analysis process. This shines a spotlight on the existing encryption references within the HIPAA Security Rule. Encryption of ePHI is specifically covered under 45 CFR 164.312(a)(2)(iv), which reads: "Implement a mechanism to encrypt and decrypt electronic protected health information." However, since it is categorized as an "addressable control," it is not specifically mandated.

As part of Stage 2 Meaningful Use, encryption of "data at rest" must be considered as an addressable control. As such, providers need a process by which they evaluate whether the control is "reasonable and appropriate" and would likely contribute to protecting their health information. If the control is deemed "reasonable and appropriate," then it must be implemented. However, if the provider decides "encryption of data at rest" is not reasonable and appropriate, then it must 1) document why it is not reasonable and appropriate, and 2) implement an equivalent alternative measure if reasonable and appropriate. Despite a little remaining wiggle room, it has become increasingly difficult to justify not encrypting ePHI under the "reasonable and appropriate" caveat.

Turning to the new rules for EHR software certification, Stage 2 also requires the main software application "to be able to demonstrate the capacity to encrypt [data on] mobile devices in circumstances where the EHR technology manages the data flow on the mobile device." In our view, these provisions stop just short of a mandate. Determining reasonableness is not just about the cost of hardware and software or the complexity of implementation. It is more about whether or not the organization can execute the requirement consistently and effectively.

Given that the majority of significant breaches to date have been the result of lost or stolen devices containing unencrypted data, and the increasing mobility of data itself, it will be difficult to find "equivalent alternative measures." That said, Redspin can provide a framework for considering the issue within our overall SRA roadmap and expert guidance on how to reasonably and effectively protect patient information.

WEB: WWW.REDSPIN.COM | PHONE: 800-721-9177 | EMAIL: INFO@REDSPIN.COM