Meaningful Use Risk Assessment Template


One of the Meaningful Use (MU) core objectives for eligible professionals is to conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), implement security updates as necessary, and correct identified security deficiencies as part of the risk management process. The primary goal of this questionnaire is to help small healthcare practices identify the key vulnerabilities in an EHR environment and build a plan to mitigate the risks. This initial Meaningful Use risk analysis questionnaire has been designed to support the requirements of the Center for Medicaid and Medicare (CMS) for Meaningful Use (MU) risk analysis in a small practice EHR environment. It is used as a discovery mechanism to assist in identifying risks in an EHR setup.

Published in: Health & Medicine


Meaningful Use Security Risk Assessment Report, August 26, 2016

Client Name is enlisting EHR 2.0 as a third-party security agency to conduct independent security and HIPAA audits. EHR 2.0 follows a standards-based risk assessment program (i.e., NIST) to ensure the security, privacy, and administrative processes required under HIPAA are met by its clients. Assessments are conducted based on point-in-time analysis of systems and existing processes. Client Name has provided details about their operation to the best of their knowledge, and EHR 2.0 is not claiming responsibility for any inaccuracies reported, for instance due to a change in processes, people, and technology.

Technical Security Assessment
Client Contact: Client Name
EHR 2.0 Name: Consultant name
Title: Title
Contact Details: Contact Details
Security Risk Analysis (v 1.4), August 29, 2016. This report was based on the OiRA Tool 'Security Risk Analysis (v 1.4)' of revision date May 5, 2016.

Contents
Summary (p. 2)
Risks that have been identified, evaluated and have an Action Plan (p. 2)
  1 EHR/EMR System (p. 2)
  2 Desktops/Laptops
  4 Mobile Devices
  7 Other Systems
  9 General/Administrative
Problems that have been managed or are not present in your organization (p. 4)
  1 EHR/EMR System (p. 4)
  2 Desktops/Laptops
  3 Networking Devices
  4 Mobile Devices
  5 Multi-function Printers
  6 Removable Media
  7 Other Systems
  8 System/Device Categories Not Listed
  9 General/Administrative
Consultation of staff
Summary

The Security Risk Assessment for Client Name Associates has been reviewed by EHR 2.0 according to current regulatory requirements and best practices. Details about policies and procedures are made available to administrators and staff members in the Information Security Policy document. Client Name is to maintain the documentation necessary to prove these policies and procedures are being carried out.

Based on their Security Risk Assessment, EHR 2.0 has determined the following areas for recommendations to improve compliance:
- Frequency of User Account Review and Password Changes
- Consistency of Automatic Signout Upon Inactivity
- Timely Patching and Configuration Across All Systems
- Encryption of E-mail and Texting Platforms to Prevent Potential User Error
- Visual Screen Privacy
- USB Lockdown Wherever Not Used/Necessary
- Centralized Mobile Device Management

DISCLAIMER - Information provided by Client Name for this assessment was not independently verified by EHR 2.0; the practice has provided details about their operation to the best of their knowledge. These reports and recommendations are for evaluation purposes only and are not intended to be construed as legal advice. Client Name is advised to consult with attorneys in connection with any fact-specific situation under federal law and the applicable state or local laws that may impose additional obligations on the company and/or its personnel.

Risks that have been identified, evaluated and have an Action Plan

1 EHR/EMR System

1.2 Your EHR might not automatically disconnect users whose sessions have been idle for a significant amount of time. The longer a session is left open, the greater the possibility that it will become compromised through a cross-site scripting attack, malware-related activity, viewing by unauthorized individual(s), or a user leaving the premises without properly locking their desktop/laptop. This is a medium priority risk.

Automatically disconnect users whose sessions have been idle for a significant amount of time (usually around 5-10 min). Automatic disconnect should consist of invalidating their session and redirecting their idle session to a blank authentication screen. A web browser or software application displaying a screen of a practice's PHI is still a risk even if further attempts to browse those sessions would redirect the user to a login screen.

The timeout has been updated to approximately 30 minutes. For work-from-home users the timeout should be set to less than 10 minutes to reduce risk. The timeout parameter for tools needs to be reviewed as well.

Measure
General approach (to eliminate or reduce the risk): Enable the session timeout parameter within the EHR system to sign users off within at most 10 minutes of inactivity across all systems.
Specific action(s) required to implement this approach: Under security settings the EHR/EMR vendor should include an option for timeout parameters that applies when users are idle for a certain time.
Level of expertise and/or requirements needed:
Who is responsible?
Budget:
Planning start: August 26, 2016
Planning end: February 26, 2017

1.3 You might not have applied EHR vendor recommended security patches and configuration. Your firm also might not have an automatic alerting system to be notified by the EHR vendor of critical security patches and configuration setup. This is a medium priority risk.

Browse the EHR vendor websites for any recent high-risk security patches with suggested configuration changes. Review the application and its change management system to see whether the vendor recommended configuration changes have occurred and are properly documented. Make sure you have selected to receive automatic alerts for critical security notifications.

All of the practice's systems are cloud hosted except toolname, which is hosted locally. All cloud hosted systems are updated automatically with vendor-provided critical patches. Toolname is to be migrated to a cloud-based provider to reduce the local footprint (work in progress).

Measure
General approach (to eliminate or reduce the risk): Review the vendor's website for released security patches; install any new patches and confirm you have selected to receive automatic updates if available.
Specific action(s) required to implement this approach: EHR/EMR vendors release security updates regularly to correct identified vulnerabilities; ensure you are on the latest patch version. Also institute a policy to periodically recheck and confirm you are on the latest version.
Level of expertise and/or requirements needed:
Who is responsible?
Budget:
Planning start: August 26, 2016
Planning end: February 26, 2017

1.8 You might not have a process to periodically review and adjust EHR user accounts and related access on the EHR system. Users without a business need for a certain level of PHI access, including those who left the company, were terminated, or had their access level changed, may still be able to view/update patient data. This is a low priority risk.

Problems that have been managed or are not present in your organization

1 EHR/EMR System

1.1 Have you assigned roles and security attributes in EHR forms based on employees' areas of responsibility? This is a low priority risk. A record is maintained in the practice's EHR which lists all active users and what their privileges are. User access control is provisioned based on employees' responsibilities, which are set by security groups. In addition, tool accounts are to be reviewed for appropriate roles and responsibilities at least every 3 months.

1.4 Have you encrypted PHI being stored in the EHR database? This is a low priority risk. Data stored in the cloud is encrypted according to HIPAA/HITECH requirements. The data stored on tool is secured by the practice.

1.5 Have you encrypted patient data sent to all external recipients? This is a medium priority risk. Data shared with external recipients is encrypted by the vendors.
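Item 1.2 above asks that idle sessions be invalidated on the server (not merely hidden behind a login redirect) and that work-from-home users get a shorter limit than the 10-minute ceiling. The following Python is an added illustration of that policy and of the audit check against a configured timeout value; it is not code from the report or from any EHR product, and the 5-minute remote limit, user names and timestamps are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy from the assessment: at most 10 min idle; shorter for work-from-home
# users (5 min is an assumed value for "less than 10 minutes").
ON_SITE_LIMIT = timedelta(minutes=10)
REMOTE_LIMIT = timedelta(minutes=5)

@dataclass
class Session:
    user: str
    remote: bool
    last_activity: datetime
    active: bool = True

def idle_limit(remote: bool) -> timedelta:
    return REMOTE_LIMIT if remote else ON_SITE_LIMIT

def minutes_compliant(configured_minutes: int, remote: bool) -> bool:
    """Audit check: does the EHR's configured timeout parameter meet policy?"""
    return timedelta(minutes=configured_minutes) <= idle_limit(remote)

def record_activity(session: Session, now: datetime) -> bool:
    """Refresh the idle clock; an invalidated session is never revived."""
    if not session.active:
        return False  # client must re-authenticate
    session.last_activity = now
    return True

def expire_idle_sessions(sessions, now: datetime) -> list:
    """Invalidate sessions idle past their limit, server-side; return users signed out."""
    signed_out = []
    for s in sessions:
        if s.active and now - s.last_activity >= idle_limit(s.remote):
            s.active = False  # a browser still showing PHI cannot keep using it
            signed_out.append(s.user)
    return signed_out

def demo() -> dict:
    """Constructed sessions: on-site idle 12 and 3 min; work-from-home idle 7 min."""
    now = datetime(2016, 8, 26, 9, 0)
    sessions = [Session("alice", False, now - timedelta(minutes=12)),
                Session("bob", False, now - timedelta(minutes=3)),
                Session("carol", True, now - timedelta(minutes=7))]
    signed_out = expire_idle_sessions(sessions, now)
    # A late keepalive from carol's stale browser must not revive her session.
    revived = record_activity(sessions[2], now + timedelta(seconds=1))
    return {"signed_out": signed_out, "revived": revived,
            "still_active": [s.user for s in sessions if s.active]}
```

The 30-minute setting recorded in the finding fails `minutes_compliant(30, False)`, which is the check an assessor would apply to each system's timeout parameter.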
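Items 1.8 and 1.1 describe a periodic review of EHR accounts against employees' responsibilities (terminated staff, changed roles, security groups, a review at least every 3 months). The following Python is an added example of such a review, not the practice's or EHR 2.0's own tooling; the job-to-group mapping, the account records and the HR roster are constructed for illustration.

```python
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)  # "at least every 3 months"

# Assumed mapping of job function to the EHR security groups it legitimately
# needs; a real practice would take this from its Information Security Policy.
ALLOWED_GROUPS = {
    "physician": {"clinical_full"},
    "front_desk": {"scheduling", "demographics"},
    "billing": {"billing", "demographics"},
}

def review_accounts(ehr_accounts, hr_roster, today: date) -> list:
    """Compare enabled EHR accounts with the HR roster and return
    (user, action) findings for the quarterly access review."""
    roster = {p["user"]: p for p in hr_roster}
    findings = []
    for acct in ehr_accounts:
        if not acct["enabled"]:
            continue  # already deprovisioned
        person = roster.get(acct["user"])
        if person is None or person["status"] != "employed":
            findings.append((acct["user"], "disable: no longer employed"))
            continue  # nothing else matters once the account is disabled
        excess = acct["groups"] - ALLOWED_GROUPS.get(person["job"], set())
        if excess:
            findings.append((acct["user"], "remove groups: " + ",".join(sorted(excess))))
        if today - acct["last_reviewed"] > REVIEW_INTERVAL:
            findings.append((acct["user"], "review overdue"))
    return findings

def demo() -> list:
    """Constructed data: one terminated user still enabled, one who moved from
    billing to front desk but kept the billing group and was last reviewed in January."""
    today = date(2016, 8, 26)
    ehr_accounts = [
        {"user": "dr.jones", "enabled": True, "groups": {"clinical_full"}, "last_reviewed": date(2016, 7, 1)},
        {"user": "pat", "enabled": True, "groups": {"billing", "demographics"}, "last_reviewed": date(2016, 7, 1)},
        {"user": "sam", "enabled": True, "groups": {"billing", "demographics"}, "last_reviewed": date(2016, 1, 15)},
        {"user": "old.temp", "enabled": False, "groups": {"scheduling"}, "last_reviewed": date(2015, 1, 1)},
    ]
    hr_roster = [
        {"user": "dr.jones", "status": "employed", "job": "physician"},
        {"user": "pat", "status": "terminated", "job": "billing"},
        {"user": "sam", "status": "employed", "job": "front_desk"},
    ]
    return review_accounts(ehr_accounts, hr_roster, today)
```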
To complete your comprehensive meaningful use security risk analysis, contact us today at info@ehr20.com or call us at 866-276-8309 or visit us at ehr20.com
