Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Size: px

Start display at page:

Download "Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use"

Edith Pope
6 years ago
Views:

1 Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute June 21, /21/

2 Disclaimer This presentation was current at the time it was published or uploaded onto the web. Medicare and Medicaid policy changes frequently, so links to source documents have been provided for your reference. This presentation was prepared as a service to the public and is not intended to grant rights or impose obligations. This presentation may contain references or links to statutes, regulations, or other policy materials. The information provided is only intended to be a general summary. It is not intended to take the place of either the written law or regulations. We encourage participants to review the specific statutes, regulations, and other interpretive materials for a full and accurate statement of their contents. 2

3 Agenda 1. Overview of M-CEITA 2. Security Risk Assessment Overview 3. Requirements and Definitions 4. Security Risk Assessment Process 5. Questions 3

4 Who is M-CEITA? Michigan Center for Effective Information Technology Adoption (M-CEITA) One of 62 ONC Regional Extension Centers (REC) providing education & technical assistance to primary care providers across the country Founded as part of the HITECH Act to accelerate the adoption, implementation, and effective use of electronic health records (EHR), e.g. 90-days of MU Funded by ARRA of 2009 (Stimulus Plan) Purpose: support the Triple Aim by achieving 5 overall performance goals THE TRIPLE AIM Improve patient experience Improve population health 3Reduce costs Improve Quality, Safety & Efficiency Engage Patients & Families Performance Measurement Improve Care Coordination Improve Population And Public Health Meaningful Use Ensure Privacy And Security Protections Certified Technology Infrastructure 4

M-CEITA Services Meaningful Use Support Technical assistance, including workflow

, security risk assessment and MU compliance. (e.g.

the requirements of MU Measure: Protect Electronic Health Information, including an

Audit Preparation A review of Meaningful Use attestation documentation using our

Targeted Process Optimization (Lean) A workflow analysis and of core processes using

5 M-CEITA Services Meaningful Use Support Technical assistance, including workflow redesign, security risk assessment and MU compliance. (e.g. patient portal and clinical quality measures) Security Risk Assessment Support meeting the requirements of MU Measure: Protect Electronic Health Information, including an assessment using our exclusive tool. Audit Preparation A review of Meaningful Use attestation documentation using our exclusive Audit File Checklist, to correct any issues before completing the process. Targeted Process Optimization (Lean) A workflow analysis and redesign of core processes using Lean principles to increase efficiency and reduce duplication. (e.g. chart prep, doc. Management) PQRS Support Technical Assistance for the Physician Quality Reporting System including measure selection/optimization as well as reporting method selection and assistance. 5

6 Security Risk Assessment 6

7 Risk People want to get value from the world The world can be dangerous People want to be secure from dangers How do we get security in an insecure world? 7

8 Why Complete a Security Risk Assessment? Consider three reasons to complete an SRA: Patient Safety Public Perception Compliance All good reasons, but which is the top priority for your practice? 8

9 Patient Safety First, do no harm. 112 million medical records were breached in 2015 alone Breached medical records can have real, serious consequences for victims: Average of over 12 million identities stolen every year Average cost: $5,130 per household Other concerns, such as privacy and stigma of health information 9

Public Perception Patients want access to their information and they want it to be safe 81% of patients have concerns about privacy and security of EHR 60% of patients believe that EHR use will

10 Public Perception Patients want access to their information and they want it to be safe 81% of patients have concerns about privacy and security of EHR 60% of patients believe that EHR use will result in more information being lost or stolen Patients, like any consumer, vote with their feet: 76% of consumers report willingness to seek new providers after breach Other Considerations: Increased probability of legal action against the covered entity by customers Customers less likely to share personal details with organization 10

Compliance Covered entities that suffer a breach and have not performed a Security Risk Assessment, or otherwise do not have an effective risk management program, face the steepest penalties from the

11 Compliance Covered entities that suffer a breach and have not performed a Security Risk Assessment, or otherwise do not have an effective risk management program, face the steepest penalties from the Office for Civil Rights A lack of or incomplete SRA is the main reason providers fail Meaningful Use (MU) audits, resulting in loss of incentive money These costs are in addition to extra costs incurred by having ineffective security measures in place Breach victims may pursue legal action for damages Many healthcare providers have lost access to their data due to ransomware attacks or contract disputes 11

Risk is on the Rise Healthcare is the leading US industry for data breaches This is due to the relatively high value of medical records and relatively low security of their information systems

12 Risk is on the Rise Healthcare is the leading US industry for data breaches This is due to the relatively high value of medical records and relatively low security of their information systems (compared to, for example, banking and finance) ephi breaches are increasingly attributed to hacking attacks, but human behavior is still a crucial factor (e.g. Anthem hack due to phishing attack) How can healthcare providers protect their data going forward? Perform accurate and thorough risk assessments Manage risk continuously Increase use of encryption Train all staff and providers on how to properly protect ephi Include medical and ancillary devices in risk assessments (proper scope) 12

13 Requirements and Definitions 13

14 HIPAA Security Rule Title II Administrative Simplification Security Rule Security Standards Administrative Safeguards Physical Safeguards Technical Safeguards Organizational Requirements Policies and Procedures Documentation Requirements 14

15 Security Risk Assessment HIPAA Security Rule 45 CFR (a)(1) Risk Assessment Risk Management Sanction Policy Information System Activity Review Risk Assessment (or Analysis) Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity 15

16 Security Rule Requirements Security Components Example Variables Example Security Measures Physical Safeguards Facility structure Data storage center Computer hardware Building alarm system Locked doors Monitors shielded from view Administrative Safeguards Designated security officer Staff training and oversight Information security control Security Risk Assessment / review Technical Safeguards Controls on access to EHR Audit log monitoring Secure electronic exchanges Policies and Procedures Written P&P addressing HIPAA Security requirements Documentation of security measures Staff training Monthly review of user activity Policy enforcement New hire background checks Secure passwords Data backup Virus scans Encryption Written protocols on safeguards Record retention Periodic policy and procedure review Organizational Requirements Breach notification and other policies Business Associate agreements Periodic Business Associate Agreement review and updates 16

17 SRA as a Meaningful Use requirement: Objective 1 Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities Measure Conduct or review a security risk analysis in accordance with the requirements under 45 CFR (a)(1), including addressing the security (to include encryption) of ephi created or maintained by CEHRT in accordance with requirements under 45 CFR (a)(2)(iv) and 45 CFR (d)(3), and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. 17

A note about Encryption Addressable Specification found at CFR 45 164.312(a)(2)(iv)...but not optional!

18 A note about Encryption Addressable Specification found at CFR (a)(2)(iv)...but not optional! Under HIPAA, encrypted ephi is considered secure and therefore protected from a breach (safe harbor) Meaningful Use deliberately draws attention to encryption in the new Final Rule to emphasize its importance in securing ephi ephi must be encrypted when at rest (stored) and in transmission 18

19 HHS Office for Civil Rights (OCR) Final Guidance Scope must include all ephi in organization Data collection and methods must be documented Identify and document anticipated threats and vulnerabilities Assess current security measures in place Establish likelihood of threat occurrence Establish potential impact of threat occurrence Determine level of risk Document complete risk analysis Periodic review and update There is no one way to do an SRA, but every method must meet these objectives 19

vulnerability being exploited by a threat that would

20 Risk Defined Risk is the potential (likelihood) of a negative outcome (impact) toward an asset, due to a vulnerability being exploited by a threat that would reduce the value of the asset to the organization. (NIST SP ) 20

21 What is at risk? Confidentiality Integrity Availability 21

22 Vulnerabilities and Controls For valuable assets, we need access to utilize the value Systems are designed to permit access, but all have vulnerabilities Controls reduce or eliminate unauthorized access 22

23 Threats and Threat Sources Hostile outsiders Theft / Sabotage External Business Associates Malicious insider Inconsistent enforcement of P&P Internal Infrastructure failures Natural disasters Staff curiosity Shadow IT 23

Business Associates All vendors who process, store, or transmit PHI are considered Business Associates and need to sign a Business Associate Agreement Business Associates have serious ramifications

24 Business Associates All vendors who process, store, or transmit PHI are considered Business Associates and need to sign a Business Associate Agreement Business Associates have serious ramifications regarding the confidentiality, integrity and availability of ephi: Many breaches are due to business associates Disputes regarding data access and data integrity are not uncommon Malicious Outsider/Insider: Consider Edward Snowden Getting the Business Associate Agreement in place is the first step Equally important is ongoing vendor management, including security Would your vendors pass a HIPAA audit? They might have to! 24

HIPAA Audit Program OCR has been enforcing HIPAA since 2003 OCR

with Security, Privacy, and Breach Rules will be audited Most

or incomplete SRA Unaware of Security Rule requirements On-site

25 HIPAA Audit Program OCR has been enforcing HIPAA since 2003 OCR random audit program set to begin in 2016 Provider compliance with Security, Privacy, and Breach Rules will be audited Most common Security deficiencies from pilot audits: Lack of or incomplete SRA Unaware of Security Rule requirements On-site and remote audits to be performed Covered Entities and Business Associates 25

26 Meaningful Use Audits vs HIPAA Audits Meaningful Use Audits Performed by Figliozzi and Co. under contract with CMS 1 / 10 MU attesting providers audited Random and based on prior audit results, if applicable Focus on timing and scope of SRA, key remediation activities (audit logs, compare previous results to current) HIPAA Audits Performed by the Department of Health and Human Services Office for Civil Rights (OCR) Comprehensive examination of organization s risk management program and security rule compliance Only a few hundred random audits per year Most OCR investigations occur following a breach 26

27 Security Risk Assessment Process 27

Security Risk Assessment Process Step 1: Identify and Classify Assets Step 2: Identify and Classify Threats and Vulnerabilities Step 3: Assess Current Controls Step 4: Determine Likelihood of Threat

28 Security Risk Assessment Process Step 1: Identify and Classify Assets Step 2: Identify and Classify Threats and Vulnerabilities Step 3: Assess Current Controls Step 4: Determine Likelihood of Threat Occurrence Step 5: Analyze Impact to Organization Step 6: Determine Level of Risk Step 7: Implement Security Controls Step 8: Ongoing Risk Management Program and Recurring SRA Review All Steps: Documentation! 28

Attesting to Meaningful Use Risk assessment requirements Must take place during the calendar year of the EHR reporting period and no later than the provider attestation date Must assess certified EHR

29 Attesting to Meaningful Use Risk assessment requirements Must take place during the calendar year of the EHR reporting period and no later than the provider attestation date Must assess certified EHR technology (CEHRT) and devices using ephi (e.g. laptops, desktops, tablets, smartphones) Repeat for each reporting period Do not attest until after you have conducted your Security Risk Assessment 29

30 How frequently do I need to do a Risk Assessment? For practices participating in Meaningful Use, a Security Risk Assessment needs to be completed or updated for every year of attestation Also, after major changes or upgrades to practice, technology, or environment For HIPAA compliance, recommendation is at least annually Risk management and assessment is a continuous process, so make sure you have documentation to support your ongoing risk assessment and management process 30

SRA Service and Tools M-CEITA Security Risk Assessment Toolkit Follows NIST frameworks (800-30r1 & 800-66) Experts work on-site with practice

31 SRA Service and Tools M-CEITA Security Risk Assessment Toolkit Follows NIST frameworks (800-30r1 & ) Experts work on-site with practice leadership Guide through every step of SRA process Deliver analysis, recommended plan of action, and tools to improve security and compliance 31

32 Risk Assessment Tool Sample Page 32

33 Sample Policy Breach Notification and Reporting Customizable to your practice 33

Best Practice Considerations Security is an investment in your business - all stakeholders benefit Educate employees, managers, and ownership on security threats and protocols Build a culture of

34 Best Practice Considerations Security is an investment in your business - all stakeholders benefit Educate employees, managers, and ownership on security threats and protocols Build a culture of security awareness from top to bottom. Start with top management and involve everyone! Implement, refine, and enhance security policies and practices Treat your business associates like insiders. Be confident you can trust them by getting the information you need to verify their security practices 34

Best Practice Considerations Compliance does not equal Security Minimum legal requirements You can be compliant and still suffer a breach Risk can never be eliminated Reduce risk to a reasonable and

35 Best Practice Considerations Compliance does not equal Security Minimum legal requirements You can be compliant and still suffer a breach Risk can never be eliminated Reduce risk to a reasonable and appropriate level Completing an SRA for MU does not necessarily mean you are compliant with all aspects of the Security Rule Does your risk assessment process address all of the Security Rule requirements and implementation specifications? Does it include all of your ephi? 35

Final Thoughts Security Risk Assessments required for compliance with HIPAA and Meaningful Use Risk and regulatory oversight increasing and expected to continue Practices are expected to take

36 Final Thoughts Security Risk Assessments required for compliance with HIPAA and Meaningful Use Risk and regulatory oversight increasing and expected to continue Practices are expected to take security seriously and put forth a good faith effort Required: Hard work, diligence, integrity An SRA is the first step of a continuous, comprehensive Risk Management Program that will benefit your patients and your practice 36

37 Resources CMS Security Risk Analysis Tip Sheet NIST SP r1 NIST SP NIST SP ONC Guide to Privacy and Security of Health Information OCR Wall of Shame OCR Audit Protocol HHS Final Guidance on Risk Analysis HIPAA Administrative Simplification 37

38 Questions? ADDITIONAL CONTACT INFO: MEANINGFUL USE MICH-EHR SRA Security Risk Assessment Andy Petrovich

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute October 1, 2014 10/1/2014 1 1 Who is