• Save
Meaningful Use Risk Analysis - How to conduct comprehensive security risk analysis?
Upcoming SlideShare
Loading in...5
×
 

Meaningful Use Risk Analysis - How to conduct comprehensive security risk analysis?

on

  • 2,452 views

One of the Meaningful Use(MU) core objectives for eligible professionals, eligible hospitals and critical access hospitals is to conduct through technical risk analysis of EHR and ePHI systems. The ...

One of the Meaningful Use(MU) core objectives for eligible professionals, eligible hospitals and critical access hospitals is to conduct through technical risk analysis of EHR and ePHI systems. The primary objective of the risk analysis is to identify the key vulnerabilities in the ePHI and EHR systems and plan on mitigating the risks by fixing, transferring or accepting risks. Attestation of the risk analysis is required every year to CMS for incentive payments. EHR 2.0 risk analysis services ensures you identify the key technical risks in your areas.

Why risk analysis?
HIPAA and meaningful risk analysis is the first step in healthcare practice’s security rule compliance efforts. Risk analysis is an ongoing process that should provide the practice with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI. The key questions asked during a risk analysis are:
Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
What are the human, natural, and environmental threats to information systems that contain e-PHI?

What is the scope of the risk analysis?
The scope of risk analysis that the HIPAA security rule encompasses includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits. This includes e-PHI in all forms of electronic media, such as hard drives, floppy disks, CDs,
DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media. Electronic media includes a single workstation as well as complex networks connected between multiple locations. Thus, an organization’s risk analysis should take into account all of its e-PHI, regardless of the particular electronic medium in which it is created, received, maintained or transmitted or the source or location of its e-PHI.
How to inventory ePHI systems?
An healthcare organization must identify where the e-PHI is stored, received, maintained or transmitted. An organization could gather relevant data by: reviewing past and/or existing projects; performing interviews; reviewing documentation; or using other data gathering
techniques. The data on e-PHI gathered using these methods must be documented.

How to identify and document potential threats and vulnerabilities?
Healthcare organizations must identify and document reasonably anticipated threats to e-PHI. Organizations may identify different threats that are unique to the circumstances of their environment. Organizations must also identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI.
Contract us at info@ehr20.com

Statistics

Views

Total Views
2,452
Views on SlideShare
2,451
Embed Views
1

Actions

Likes
2
Downloads
0
Comments
0

1 Embed 1

http://www.slashdocs.com 1

Accessibility

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Meaningful Use Risk Analysis - How to conduct comprehensive security risk analysis? Meaningful Use Risk Analysis - How to conduct comprehensive security risk analysis? Presentation Transcript

    • Welcome to ourWebinar onMeaningful UseRisk Analysis!We will be starting in a moment …Visit us at www.ehr20.com
    • Meaningful Use RiskAnalysis
    • Webinar ObjectiveUnderstand and Perform Meaningful UseRisk Analysis that satisfies CMSincentive and attestation requirement.E-mail: info@ehr20.com 3
    • Who are we …EHR 2.0 Mission: To assist healthcareorganizations develop and implementpractices to secure IT systems and complywith HIPAA/HITECH regulations. Education(Training, Webinar & Workshops) Consulting Services Toolkit(Tools, Best Practices & Checklist)Goal: To make compliance an enjoyable and painlessexperience, while building capability and confidence.
    • Glossary1. HHS, CMS:2. NIST:3. Findings:4. Risk Analysis:5. HITECH:6. MU: 5
    • Why now? 6
    • HITECH Modifications to HIPAA Creating incentives for developing a meaningful use of electronic health records Changing the liability and responsibilities of Business Associates Redefining what a breach is Creating stricter notification standards Tightening enforcement Raising the penalties for a violation Creating new code and transaction sets (HIPAA 5010, ICD10) 7
    • CMS Meaningful Use IncentivesFor Eligible Professionals 8
    • MU Risk Analysis 9 http://www.oregon.gov/
    • For Eligible Professionals 10
    • For Eligible Hospital & CAH 11
    • Attestation Overview Attestation is to legally state that you have demonstrated and met the core objective. Potential audit by CMS and State All relevant supporting documentation (paper or electronic) Six- YearsCertified EHR system doesn’t mean that you need not perform security analysis 12
    • HIPAA Titles - Overview 13
    • HIPAA Security Rule164.308(a)(1) 14
    • HIPAA Security Management(164.308) (A) Risk analysis (Required) Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected healtha(1) Security information held by the covered entity. (B) Risk management (Required)Management Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate levelProcess to comply with §164.306(a). Implement policies and (C) Sanction policy (Required) procedures to prevent, Apply appropriate sanctions against workforce members detect, contain, and who fail to comply with the security policies and correct security procedures of the covered entity. violations. (D) Information system activity review (Required) Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. 15
    • Information Security Model Confidentiality Limiting information access and disclosure to authorized users (the right people) Integrity Trustworthiness of information resources (no inappropriate changes) Availability Availability of information resources (at the right time) 16
    • PHI Health Information Individually Identifiable Health Information PHI 17
    • ePHI – 18 Elements Elements ExamplesName Max Bialystock 1355 Seasonal LaneAddress (all geographic subdivisions smaller than state, including street address, city, county, or ZIP code)Dates related to an individual Birth, death, admission, discharge 212 555 1234, home, office, mobile etc.,Telephone numbers 212 555 1234Fax numberEmail address LeonT@Hotmail.com, personal, officialSocial Security number 239-68-9807Medical record number 189-88876Health plan beneficiary number 123-ir-2222-98Account number 333389Certificate/license number 3908763 NYAny vehicle or other device serial number SZV4016Device identifiers or serial numbers Unique Medical DevicesWeb URL www.rickymartin.comInternet Protocol (IP) address numbers 19.180.240.15Finger or voice prints finger.jpgPhotographic images mypicture.jpgAny other characteristic that could uniquely 18identify the individual
    • Healthcare Infrastructure  Computers  Storage Devices  Networking devices (Routers, Switches & Wireless)  Medical Devices  Scanners, fax andAny device that photocopierselectronically stores or  VoIPtransmits information  Smart-phones, Tablets (ipad,using a software PDAs)program 19  Cloud-based services
    • Trends in Healthcare IT Informatics Collaboration Mobile EHR Computing HIE 20
    • Handheld Usage in Healthcare• 25% usage with providers• Another 21% expected to use• 38% physicians use medical apps• 70% think it is a high priority• 1/3 use hand-held for accessing EMR/EHR 21compTIA 2011 Survey
    • EMR and EHR systems 22
    • Health Information Exchange (HIE) 23
    • Social Media How does your practice use it? Is there a way to safely use social media? Do you have policies? Have you trained your employees on social media best practices? 24
    • Cloud-based services  Public Cloud  EHR Applications HIPAA regulations  Private-label e-mail remain barriers to full cloud adoption  Private Cloud  Archiving of Images  File SharingCloud Computing is takingall batch processing, and  On-line Backupsfarming it out to a hugecentral or virtualized  Hybrid 25computers.
    • Informatics 26
    • All risk analysis are notcreated equal … Organizations Type  Small Practices, Hospitals and Specialties Organization Size  Employees, Locations, etc., Complexity of Technology  Mobile, Network, Hosted, Cloud, etc., 27
    • Conducting Risk Analysis1. Security Program Roles & Responsibilities External Parties2. Security Policy Policy and Procedures3. Risk Management &Compliance Risk Assessment and Legal Requirements4. Training & Awareness On-the-job Training5. Personnel Security Background Checks, T&C, Termination6. Physical Security Secure Area7. Network Security Access, Encryption, VA, Monitoring8. Logical Access Identify and Access Mgmt.9. Operations Management AV, Security Monitoring, Media Handling, Disposal, SOD10. Incident Management Process and Procedures11. Business Continuity 28Management Backup and DRs
    • Risk Assessment Methodology Flowchart(NIST) – Large Organizations Step 3: Step 5: Step 7: Step 8:Step 1: System Step 2: Threat Step 4: Step 6: Vulnerability Likelihood Risk ControlCharacterization Identification Control Analysis Impact Analysis Identification determination Determination Recommendation Current controls Mission impact Recommended Reports from and planned Likelihood of Hardware, analysis, asset controls previous risk controls Threat source threat Software, criticality assessments, motivation, assessment, exploitation, System any audit threat capacity, data criticality, magnitude of Interfaces, Data History of comments, Nature of data sensitivity impact, and Information, system attack, security List of current vulnerability, adequacy of People and Data from requirements, and planned current controls planned or System mission intelligence security test controls current controls agencies results Impact rating Risk and List of potential Likelihood rating Associated risk System vulnerabilities levels boundary, functions, criticality and sensitivity Threat Statement
    • Risk Analysis - Example Risk Description Risk Description /Threat and Probability Conse- Risk Risk Potential Loss of Loss quence Score ValueePHI located on Desk top in an 4 4 16 Highemployees office is not routinelybacked up.Risk = Loss of PHI(Identified in Gap Analysis)
    • Sample Risk Analysis Template Likelihood High Medium Low High Unencrypted Lack of auditing on Missing security laptop ePHI EHR systems patches on web server hosting patient informationImpact Medium Unsecured Outdated anti-virus External hard drives wireless network software not being backed up in doctor’s office Sales presentation Web server backup Weak password on Low on USB thumb tape not stored in a internal document drive secured location server 31
    • Risk Analysis for a Small Practice 32
    • Top 5 Recommendations 1. Ensure encryption or de-identification 2. Mobile device security program. 3. Awareness and training programs. 4. Complete business associate due diligence 5. Minimize sensitive data capture, storage and sharing. 33
    • Meaningful Use Stage 2 and Stage 3Security Requirements Security risk analysis with encryption assessment Secure messaging for ambulatory practices 34
    • Where do you start?Identify ePHI systems, processesand people involved Conduct Risk Assessment - Type, Size and Complexity Prioritize and Remediate - Risk Analysis template Assess and Improve - Monitor, Evaluate and adjust 35
    • Key Takeaways Risk Analysis is foundation for an effective security program ePHI elements drives risk analysis scope There is no silver bullet for risk management. It is a journey of continuous assessment and improvement 36
    • Additional Resources NIST - Risk Management Guide for Information Technology Systems SP800-30 An Introductory Resource Guide for implementing the (HIPAA) Security Rule Small Practice Security Guide 37
    • Next Steps Training Package  Risk assessment questionnaire  Sample policies and procedures  4-hour training/consulting ehr20.com/services Next Live Webinars:  Business Associate Assessment (4/25/2012)  HIPAA/HITECH Security Assessment(5/2/2012) Sign-up at ehr20.com/webinars 38
    • Questions?E-mail: info@ehr20.com Call: 802-448-2255 39
    • Thank you!! 40