Redspin February 17 2011 Webinar - Meaningful Use



· EHR Meaningful Use Incentive Program: Progress to Date

· What's New on the Security Front

· Navigating Meaningful Use Amidst a Changing Political Landscape

· Case Studies

· Mapping Your Internal Security Program for Compliance and Long Term Success

· The Challenges of Creating a Secure, Private Cloud Environment


  1. Meaningful Use and IT Security: A Live Update from the RSA Conference in San Francisco. Daniel W. Berger, Executive Vice President, Redspin, Inc., (805) 576-7158. 2/17/2011
  2. So yes, I was at RSA…
  3. Agenda
     • EHR Meaningful Use Incentive Program: Progress to Date
     • Navigating “Meaningful Use” Amidst a Changing Political Landscape
     • Assessing Your Internal Security Program for Compliance and Long Term Success
     • What's New on the Security Front
     • The Challenges of Creating a Secure, Private Cloud Environment
     • Case Study: Beth Israel Deaconess Medical Ctr
  4. Where Did It All Start?
     • American Recovery and Reinvestment Act (ARRA)
       – Established new Medicare and Medicaid incentives to stimulate critically needed investments in health information technology (health IT)
     • Two key concepts determine whether providers qualify for health IT incentives:
       – must make "meaningful use" of IT
       – use a "qualified or certified EHR" (electronic health record)
  5. The ONC Mandate
     “Americans will benefit from electronic health records as part of a modernized, interconnected, and vastly improved system of care delivery.”
     – Dr. David Blumenthal, Office of the National Coordinator (ONC) for Health Information Technology (Outgoing Head)
  6. “Meaningful Use” – A Quick Review
     • Use of a certified EHR in a meaningful manner (e.g. e-prescribing)
     • Use of certified EHR technology for electronic exchange of health information to improve quality of health care
     • Use of certified EHR technology to submit clinical quality and other measures
  7. Eligible Entities
     • Eligible professionals (EPs)
     • Eligible hospitals
     • Critical access hospitals
     • Certain Medicare Advantage Organizations whose affiliated EPs and hospitals are meaningful users of certified EHR technology
  8. Criteria and Standards
     • Is the practice or hospital making adequate use of EHRs?
     • Has a risk analysis been conducted?
     • Is there a platform for staged implementation?
     To achieve meaningful use, providers must:
     • Provide and monitor privacy and security protection of confidential PHI through operating policies, procedures, and technologies
     • Comply with all applicable federal and state laws and regulations
     • Provide transparency of data sharing to patients
  9. CMS Meaningful Use Goals
     • Improve quality, safety, and efficiency of health care and reduce health disparities
     • Engage patients and families
     • Improve care coordination
     • Improve population and public health, and
     • Ensure adequate privacy and security protections for personal health information
  10. CMS Requirements
     • Healthcare providers must demonstrate by the end of 2011 (September 30th for hospitals) a 90-day contiguous meaningful use of an electronic health record (EHR) for Medicare transactions
     • Either adopt, implement or upgrade an EHR for Medicaid, also within 90 days.
     • Hospitals can receive payments for both, but physicians only one.
  11. Show Me the Money
  12. Meaningful Incentive Program
     Medicare EHR:
     • Participation as early as FY 2011
     • EPs may receive up to $44,000 over 5 years, plus incentive if in HSPA
     • Must begin by 2012 to get maximum
     • Incentives for hospitals may begin in 2011 w/a $2 million base payment
     • Medicare EPs, hospitals and CAHs who do not show meaningful use will have Medicare payments decrease beginning 2015
     Medicaid EHR:
     • Voluntarily offered by individual states
     • May begin as early as FY 2011
     • EPs may receive up to $63,750 over 6 years
     • Incentives for hospitals may begin in 2011
     • No payment adjustment for providers who do not show meaningful use
  13. Meaningful Use Incentive Program Progress to Date
  14. Meaningful Use Incentive Program Progress to Date
     • Jan 3, 2011 – Meaningful Use registration opens
     • Jan 5, 2011 – 2-physician medical group in Austin, TX received $42,500 under the Medicaid incentive program for EHR
     • Feb 11, 2011 – >18,000 providers registered under meaningful use incentive program; >40,000 providers have registered at 62 regional extension centers for assistance in meeting requirements
     • May 1, 2011 – First payments will go out to qualified Medicare providers
  15. Navigating Meaningful Use Amidst a Changing Political Landscape
     • House vote 245-189 to repeal Patient Protection and Affordable Care Act (PPACA)
     • Spending Reduction Act HR 408 would imply rescinding funding for EHR incentives
     • Blumenthal’s resignation
     • PPACA ruled unconstitutional in a Virginia court and then again in U.S. district court in Florida
  16. Keep Calm and Carry On
  17. Assessing Your Internal Security Program for Compliance and Long Term Success
  18. Meaningful Use Stage 1 Core Objective: Protect Electronic Health Information
     • Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
     • Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
  20. Security Rule Standards
     Evaluation Standard: “Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.” [§164.308(a)(8)]
     Related Standards:
     • Security Management Process §164.308(a)(1)(i)
     • Risk Analysis §164.308(a)(1)(ii)(A)
     • Risk Management §164.308(a)(1)(ii)(B)
     • Information System Activity Review §164.308(a)(1)(ii)(D)
  21. Business Associates
     • Covered Entity (CE): A health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a transaction covered under the HITECH Act
     • Business Associate (BA): Party who performs a function on behalf of a Covered Entity and has access to PHI in the performance of that function
  23. HIPAA/HITECH Compliance
     What are the objectives of a HIPAA Risk Analysis and Security Assessments?
     • Compliance: a HIPAA Risk Analysis verifies compliance with the standards defined in the Security Rule of the Administrative Provisions in Title II of HIPAA.
     • Security: utilizes a risk-based approach to minimize the risk of a compromise of Electronic Protected Health Information (EPHI) triggering the breach notification requirements.
  24. PHI/PII Risk Indication
  25. Components of Risk
     The assets (what you are trying to protect is PHI)
     • You need to know where it is, how it is used, and how it is transported over the network.
     The threats (what are you afraid of happening?)
     • Sophisticated cybercriminals stealing account credentials, credit card records, or medical history to file false claims.
     • Hackers using application attacks to gain access to database records.
     • Insiders gathering inappropriate data through mis-configured access control.
     The vulnerabilities (how could the threat occur?)
     • Targeted social engineering attacks; malware exploiting Adobe .pdf and MS Office .doc vulnerabilities
     • Application vulnerabilities (e.g., SQL injection, command injection)
     • Mis-configured database access controls
     Current mitigation (what is currently reducing the risk?)
     • Staff
     • Technology
     • Processes
  26. Some Types of Assessments
     • Wireless Pen
     • Web App
     • External Pen
     • Internal Pen
     • Social Engineering
     • Controls
     • Data Security Analysis
     • Network Security Analysis
     • Physical Systems
     Other possible assessments:
     • PCI, if credit cards
     • Sarbanes-Oxley
     • Gramm-Leach-Bliley
  27. Business Associate Compliance
     Liability:
     • BAs are contractually liable to CEs for breach of BA agreement
     • BAs are civilly and criminally liable to Federal government for violations
     Notification:
     • BA notify CE of any breach
     • CE has obligation to notify patients and HHS
     • If 500+ persons, notify media serving their area
     Recommendations:
     • Identify BAs with highest risk
     • Communicate expectations to BAs
     • Automate contract and BA agreement files
     • Develop auditing and monitoring process
     • Educate executives and key players on BAs
     Business Associates (BAs) of a Covered Entity (CE): IT vendors, coding vendors, outsourced call center, subcontractors, insurance companies, pharmacies, hospitals, physicians, e-prescribing ecosystem, CPOE, radiology labs, HIEs, RHIOs, ACOs, lawyers, CPAs, housekeeping services, etc. !!!
  28. HIPAA Audit Scope Attributions
  30. What’s New on the Security Front
  34. Healthcare IT: Challenges of creating a secure cloud environment
  35. What is Cloud Computing?
     Many definitions, but key characteristics include:
     • Broad Network Access
     • Rapid Elasticity
     • Measured Service
     • On-Demand Service
     • Resource Pooling
  36. Most Common Cloud Computing Deployment Models
     • Public – Available to the general public and owned by an organization selling cloud services.
     • Private – Operated solely for a single organization. It may be managed by the organization or a third party, and may exist on-premises or off-premises.
     • Community – Shared by several organizations and supports a specific community that has shared concerns. It may be managed by the organizations or a third party and may exist on-premises or off-premises.
     • Hybrid – A composition of two or more clouds.
  37. A Hybrid Model – Most Common (Diagram courtesy of Symantec)
  38. Security and Compliance Challenge
     What should you be worried about?
     • Balancing Control vs. Trust
     • Supporting Accessibility
     • Protecting the Data
     • Proving Your Solution is Secure
  39. Solution: PHI in Cloud Context
     How to avoid HHS's Breach List:
     • Where is the Data
     • Monitor and Log Access
     • Encryption in Storage and Transit
     • On-going Testing Program
  40. Beth Israel Deaconess Medical Center – CASE STUDY
  41. Profile
     • Teaching hospital of Harvard Medical School
     • >750,000 patient visits annually (Boston area)
     • 631 licensed beds, including 429 medical / surgical beds, 77 critical care beds and 60 OB/GYN beds
     • Approximately 5,000 births a year
     • A full range of ER services including a Level 1 Trauma Center and roof-top heliport
     • Medical provider to Boston Red Sox
     Source:
  42. The Middle of the Story – Today
     • Beth Israel Deaconess Medical Center (BIDMC) is first hospital nationally to meet new federal electronic health record requirements with its own software (January 26, 2011)
     • Technology supports all quality, safety and efficiency goals spelled out in the American Recovery and Reinvestment Act (ARRA)
     Source:
  43. The Beginning of the Story
     • 2+ years ago
     • Part of an eClinicalWorks LLC electronic health record (EHR) deployment to roughly 200 affiliated ambulatory physicians. Will be 350 by year end.
     • BIDMC virtualized servers on VMware
     • One at a time, one virtual server -- including the EHR software integrated with a practice management app and billing system -- was deployed to each practice.
     Source: (Jan 10, 2011)
  44. The Result
     • Beth Israel Deaconess realized it inadvertently had built the first -- or one of the first -- private clouds
     • Scalable, doesn't require a huge hardware outlay or data center footprint at the start
     • BIDMC has many attributes that are attractive to other health care networks looking for a model to crib for their own EHR infrastructure.
     Source: Jan 10, 2011
  45. In Their Own Words
     “We didn't go into this thinking, ‘Hey, let's build a cloud.’ It was, ‘We want a subscription-type service in which physicians could get rid of their homegrown technology and tap into Beth Israel Deaconess infrastructure with only an Internet connection and their desktop machines.’”
     – Bill Gillis, BIDMC eHealth Technical Director
     Source: Jan 10, 2011
  46. In Their Own Words
     “It's probably the most complex clinical health information thing I've ever tried to achieve -- more complex than building this cloud. There are so many moving parts, so many pieces that need to work and flow. It is challenging.”
     – Bill Gillis, BIDMC eHealth Technical Director
     Source: Jan 10, 2011
  47. The Future at BIDMC
     • First step – let physicians within its private cloud exchange data.
     • Extend the hospital network's HIE project to other area hospitals and later to the whole country.
     • Deploy virtual desktops in a hardware-agnostic way so physicians could manage apps from their laptops, tablets and smart phones.
     • Interoperability: combining data from various proprietary systems into a patient-accessible EHR.
     Source: (Jan 10, 2011)
  48. healthcare/index.php
  49. Appendix
  50. New Enforcement Efforts and Priorities
     HHS made changes to the HIPAA regulations to conform the enforcement component of the regulations to the statutory revisions made pursuant to the HITECH Act.
     • Civil Monetary Penalties
     • Violations categorized
     • Tiered ranges of civil money penalty amounts
  51. Penalties – Per Calendar Year
     • Person did not know (and by exercising reasonable due diligence would not have known): $100 - $50K/violation, not to exceed $25K - $1.5MM
     • Violation due to reasonable cause and not to willful neglect: $1,000 - $50K/violation, not to exceed $100K - $1.5MM
     • Due to willful neglect and violation was corrected: $10K - $50K/violation, not to exceed $250K - $1.5MM
     • Due to willful neglect and violation was not corrected: at least $50K/violation, not to exceed $1.5MM