Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15

Transcription

1 Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15

2 Risk Analysis with EHR Questions Example Answers/Help: Status What new electronic health information has been introduced into my practice because of EHRs? Where will that electronic health information reside? Who in my office (employees, other providers, etc.) will have access to EHRs, and the electronic health information contained within them? Should all employees with access to EHRs have the same level of access? Will I permit my employees to have electronic health information on mobile computing/storage equipment? If so, do they know how, and do they have the resources necessary, to keep electronic health information secure on these devices? The data is stored in a secure hosted environment by Bizmatics that meets all the ONC-ACTB security criteria. Clinic needs to make sure that PHI information is not saved locally or have security controls implemented in clinic to protect the PHI. Clinic has to define users for PrognoCIS access with specific set of access rights. PrognoCIS provides role/user-based access controls. Based on clinic's size and workflow, user roles and access rights can be configured in the system. Each user will have a specific set of permissions that govern the availability of features in PrognoCIS. Data is secured in hosted environment by Bizmatics and no PHI is saved locally except for the below conditions: - Scanned documents saved on local machine need to be uploaded to the web EHR system. Once uploaded, local copy of scanned documents should be deleted. - If received faxes are saved locally then needs to be deleted once uploaded in web EHR Clinic has to define a process to make sure none of the PHI is saved locally or if saved then followed security guidelines. 2

3 How will I know if electronic health information has been accidentally or maliciously disclosed to an unauthorized person? When I upgrade my computer storage equipment (e.g., hard drives), will electronic health information be properly erased from the old storage equipment before I dispose of it? PrognoCIS provides an option to track every activity through an audit trail function. A detailed report of such transactions can be generated within the application at any time based on the requirement. Clinic has to make sure audit options are enabled. An authorized person in the clinic should review the Audit Log periodically. No PHI is stored locally while accessing web EHR except: - Scanned documents saved on a local machine need to be uploaded to the web EHR system. Once uploaded, local copy of scanned documents should be deleted. - If received faxes are saved locally then needs to be deleted once uploaded in web EHR - If clinic has explicitly downloaded and saved data Are my backup facilities secured (computers, tapes, offices, etc., used to backup EHRs and other health IT)? Will I be sharing EHRs, or electronic health information contained in EHRs with other health care entities through a HIO? If so, what security policies do I need to be aware of? Clinic has to define a process to make sure none of the PHI is saved locally or if saved then followed security guidelines. Bizmatics takes care of all data backup. No local backup needed for clinic. Currently PrognoCIS does not have interface to export data to HIE. 3

4 If my EHR system is capable of providing my patients with a way to access their health record/information via the Internet (e.g., through a portal), am I familiar with the security requirements that will protect my patients electronic health information before I implement that feature? Will I communicate with my patients electronically (e.g., through a portal or )? Are those communications secured? If I offer my patients a method of communicating with me electronically, how will I know that I am communicating with the right patient? PrognoCIS has a powerful patient portal module which is also ONC-ACTB certified and follows all security rules & regulation. All patient communication through portal is secured and follows ONC- ACTB security guidelines PrognoCIS provides unique user name and password to each patient to login on portal. Patient authentication is done on login to portal. 4

5 Integrity Risk Analysis Example Answers/Help Status Who in my office will be permitted to create or modify an EHR, or electronic health information contained in the EHR? How will I know if an EHR, or the electronic health information in the EHR, has been altered or deleted? If I participate in a HIO, how will I know if the health information I exchange is altered in an unauthorized manner? If my EHR system is capable of providing my patients with a way to access their health record/information via the Internet (e.g., through a portal) and I implement that feature, will my patients be permitted to modify any of the health information within their record? If so, what information? Clinic has to provide access to their users. Only authorized users with access rights/permission can modify the EHR information. PrognoCIS provides option to track each and every activity through audit trail function. Detailed report of audit can be generated any time based on the requirement. It gives detailed information on user, date time, action performed, patient record number etc. Report is generated in human readable format. Clinic has to make sure to turn on Audit trail and do periodically review of audit log. PrognoCIS allows you to import data from HIO which is tracked via import Log. PrognoCIS Patient Portal does not allow a user to modify PHI. 5

6 Risk Analysis Example Answers/Help Status How will I ensure that electronic health information, regardless of where it resides, is readily available to me and my employees for authorized purposes, including after normal office hours? Do I have a backup strategy for my EHRs in the event of an emergency, or to ensure I have access to patient information if the power goes out or my computer crashes? PrognoCIS is web based EHR which can be accessed anywhere, anytime using browser, internet and user credentials to login. PrognoCIS being web based EHR can be accessed through any computer any time by authorized user If I participate in a HIO, does it have performance standards regarding network availability? If my EHR system is capable of providing my patients with a way to access their health record/information via the Internet (e.g., through a portal) and I implement that feature, will I allow 24/7 access? The PrognoCIS is a cloud based system run on secured servers. Patient Portal is web based application and is available 24/7. 6

7 Identifying Safeguards Identifying Safeguards Example Answers/Help Status Have I updated my internal information security processes to include the use of EHRs, connectivity to HIOs, offering portal access to patients, and the handling and management of electronic health information in general? Have I trained my employees on the use of EHRs? Other electronic health information related technologies that I plan to implement? Do they understand the importance of keeping electronic health information protected? Have I identified how I will periodically assess my use of health IT to ensure my safeguards are effective? As employees enter and leave my practice, have I defined processes to ensure electronic health information access controls are updated accordingly? Have I developed a security incident response plan so that my employees know how to respond to a potential security incident involving electronic health information (e.g., unauthorized access to an EHR, corrupted electronic health information)? Clinic has to perform periodic review of risk analysis with comment/sign/date for each item included in risk analysis Bizmatics provides onsite/online/webinar training on how to use PrognoCIS. Clinic has to implement training process for their employees on protection/importance of PHI. Clinic should do periodic review of inhouse policy, and conduct review of Identifying Safeguards. Clinic has to maintain the record with Check / sign / date each item to document. Clinic Administrator has to activate/deactivate user account in EHR Clinic should implement process for example: 1. Clinic can reset the password or deactivate the user 2. Audit Logs can be reviewed to find out details 3. Clinic should notify the patients whose records were breached within 30 days 7

8 Have I developed processes that outline how electronic health information will be backed-up or stored outside of my practice when it is no longer needed (e.g., when a patient moves and no longer receives care at the practice)? Have I developed contingency plans so that my employees know what to do if access to EHRs and other electronic health information is not available for an extended period of time? Have I developed processes for securely exchanging electronic health information with other health care entities? Have I developed processes that my patients can use to securely connect to a portal? Have I developed processes for proofing the identity of my patients before granting them access to the portal? Do I have a process to periodically test my health IT backup capabilities, so that I am prepared to execute them? If equipment is stolen or lost, have I defined processes to respond to the theft or loss? Patient can be flagged as Inactive if patient is no longer with the clinic. Data is still maintained in EHR. In case EHR is not available for some time then clinical staff maintains the patient s record on paper which can be later on entered in to EHR. External electronic data exchange occurs only through PrognoCIS which is certified by ONC-ACTB for security. Clinic has to verify identity of patient before providing login credential to the patient. PrognoCIS runs on secured servers. Data backup is done centrally, and no local backup of data is needed. Since no PHI is available on local computers, the loss or theft of equipment won t affect the PHI except certain equipments were used for local PHI storage like scan/fax. Clinic has to define process for loss of such equipment. 8

9 Identifying Physical Safeguards Example Answers/Help Status Do I have basic office security in place, such as locked doors and windows, and an alarm system? Are they being used properly during working and non-working hours? Are my desktop computing systems in areas that can be secured during non-working hours? Are my desktop computers out of the reach of patients and other personnel not employed by my practice during normal working hours? Is mobile equipment (e.g., laptops), used within and outside my office, secured to prevent theft or loss? Do I have a documented inventory of approved and known health IT computing equipment within my practice? Will I know if one of my employees is using a computer or media device not approved for my practice? Do my employees implement basic computer security principles, such as logging out of a computer before leaving it unattended? Clinic has to implement the process and verify it periodically. PrognoCIS provides time out after a period of inactivity. Clinic has to follow a process where entire desktop computing system should be Locked or set for inactivity at the end of a work session. Clinic needs to make sure that screens are not visible by unauthorized person. PrognoCIS provides time out after a period of inactivity. However, the entire computer desktop should be shut down or hibernated at the end of working hours. It is good business practice for clinic to document in-house equipment inventory. Clinic should have a practice to lock the computer if the user is not at the desk and turn off the computer at the end of working hours. 9

10 Identifying Technical Safeguards Have I configured my computing environment where electronic health information resides using best-practice security settings (e.g., enabling a firewall, virus detection, and encryption where appropriate)? Am I maintaining that environment to stay up to date with the latest computer security updates? Are their other types of software on my electronic health information computing equipment that are not needed to sustain my health IT environment (e.g., a music file sharing program), which could put my health IT environment at risk? Is my EHR certified to address industry recognized/bestpractice security requirements? Are my health IT applications installed properly, and are the vendor recommended security controls enabled (e.g., computers, inactivity timeouts)? Is my health IT computing environment up to date with the most recent security updates and patches? Have I configured my EHR application to require my employees to be authenticated (e.g., username/password) Example Answers/Help Data is secured in hosted environment by Bizmatics and no PHI is saved locally except for the below conditions: - Scanned documents saved on local machine, need to be uploaded to the web EHR system. Once uploaded, local copy of scanned documents should be deleted. - If received faxes are saved locally then needs to be deleted once uploaded in web HER - Clinic has to implement a process where locally saved PHI should be properly secured. There is no limitation to other software installed on the client machine. PrognoCIS is ONC-ACTB Certified for security requirements PrognoCIS can work on a computer with internet connection. No other application are required. Clinic has to do periodically security update on clinic devices. Clinic has to make sure that authorized Administrator should provide role/access rights for each user in the clinic. Status 10

11 before gaining access to the EHR? And have I set their access privileges to electronic health information correctly? If I have or plan to establish a patient portal, do I have the proper security controls in place to authenticate the patient (e.g., username/password) before granting access to the portal and the patient s electronic health information? Does the portal s security reflect industry bestpractices? If I have or plan to set up a wireless network, do I have the proper security controls defined and enabled (e.g., known access points, data encryption)? Have I enabled the appropriate audit controls within my health IT environment to be alerted of a potential security incident, or to examine security incidents that have occurred? Patients are provided user name and password to login to Patient Portal & only authenticate user can access the PHI Secure wireless connection should be used to access EHR. Clinic has to do periodic review of audit log to confirm the security of PHI data. I verify that all of the items checked above have been completed: Name: Date: 11