Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Size: px

Start display at page:

Download "Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use"

Clarence Berry
6 years ago
Views:

1 Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute October 1, /1/

2 Who is M-CEITA? Michigan Center for Effective Information Technology Adoption (M-CEITA) One of 62 ONC Regional Extension Centers (REC) providing education & technical assistance to primary care providers across the country Founded as part of the HITECH Act to accelerate the adoption, implementation, and effective use of electronic health records (EHR), e.g. 90-days of MU Funded by ARRA of 2009 (Stimulus Plan) Purpose: support the Triple Aim by achieving 5 overall performance goals THETRIPLE AIM Improve patient experience Improve population health 3Reduce costs Improve Quality, Safety & Efficiency Engage Patients & Families Performance Measurement Improve Care Coordination Improve Population And Public Health Meaningful Use Ensure Privacy And Security Protections Certified Technology Infrastructure 2

live on EHR 3,000+ have achieved Meaningful Use standards

3 M-CEITA's Performance 5,000+ providers enrolled for M-CEITA support, impacting over 2 million patients 4,100+ providers are live on EHR 3,000+ have achieved Meaningful Use standards Latest survey shows 99% of M-CEITA customers are satisfied with services 3

4 M-CEITA Subsidized Services for Providers M CEITA Service Delivery Engagement Establish baseline performance, educate EHR Selection (if needed) Guidance for 2014 certified products Planning Develop transition plans Identify key process changes Implementation Establishing timelines for project mgmt. PCP (Medicare/caid) Specialists (Medicaid Only) Meaningful Use Support MU objectives Assist with registration & attestation 4

5 M-CEITA s Services Our services are highly subsidized for qualified physicians. These Health IT services include: Meaningful Use Support Security Risk Assessment Targeted Process Optimization (Lean) Attestation/Audit Preparation 5

6 Security Risk Assessment 6

7 Risk People want to get value from the world The world can be dangerous People want to be secure from dangers How do we get security in an insecure world? 7

Physical Safeguards Technical Safeguards Organizational

8 HIPAA Security Rule Title II Administrative Simplification Security Rule Security Standards Administrative Safeguards Physical Safeguards Technical Safeguards Organizational Requirements Policies and Procedures Documentation Requirements 8

SRA as part of the HIPAA Security Rule 45 CFR 164.

9 SRA as part of the HIPAA Security Rule 45 CFR (a)(1) Risk Assessment Risk Management Sanction Policy Information System Activity Review Risk Analysis Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. 9

SRA as a Meaningful Use requirement: Core Objective Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical

10 SRA as a Meaningful Use requirement: Core Objective Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities Measure Conduct or review a security risk analysis in accordance with the requirements under 45 CFR (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. 10

11 HHS Office for Civil Rights (OCR) Final Guidance Scope must include all ephi in organization Data collection and methods must be documented Identify and document anticipated threats and vulnerabilities Assess current security measures in place Establish likelihood of threat occurrence Establish potential impact of threat occurrence Determine level of risk Document complete risk analysis Periodic review and update There is no one way to do an SRA, but every method must meet these objectives 11

12 Top 10 Most Common Privacy/Security Violations 10. Incomplete HIPAA authorization forms 9. Exclusion of a right to revoke clause 8. Failure to establish contract with business associates 7. Release of information after the authorization period has expired 6. Errors in paper file storage and disposal 5. Failure to release patient information in a timely manner 4. Computer hacking 3. The loss of backup disks or portable drives 2. Employees inappropriately accessing, using, or transmitting PHI 1. Storing unencrypted patient information on laptops How many of these does an organization have direct control over? 12

13 Why Complete a Security Risk Assessment? Consider three reasons to complete an SRA: Patient Safety Public Perception Compliance All good reasons, but which is the top priority for your practice? 13

14 Patient Safety First, do no harm. Medical records of as many as 67.7 million people have been breached since 2009 Average of 11.5 million identities stolen every year Average cost: $4,930 per household 14

EHR 60% of patients believe that EHR use will result in more information

15 Public Perception Patients want access to their information and they want it to be safe 81% of patients have concerns about privacy and security of EHR 60% of patients believe that EHR use will result in more information being lost or stolen Patients, like any consumer, vote with their feet 15

Risk is on the Rise HIPAA Breaches increased 138% from 2012 2013 Healthcare is now the leading US industry for data breaches This is despite increased awareness of the

16 Risk is on the Rise HIPAA Breaches increased 138% from Healthcare is now the leading US industry for data breaches This is despite increased awareness of the HIPAA Security Rule due to Meaningful Use programs Factors resulting in increased risk: Increased EHR adoption Legislation (Meaningful Use, ACA) Changing landscape (ACO, HIE) 16

vulnerability being exploited by a threat that would

17 Risk Defined Risk is the potential (likelihood) of a negative outcome (impact) toward an asset, due to a vulnerability being exploited by a threat that would reduce the value of the asset to the organization. (NIST SP ) 17

18 Vulnerabilities and Controls For valuable assets, we need access to utilize the value Systems are designed to permit access, but all have vulnerabilities Controls reduce or eliminate unauthorized access 18

19 Threats and Threat Sources Question: Do the majority of healthcare data breaches stem from an internal or external source? Often there is overlap of Internal & External sources 19

20 What is at risk? Confidentiality Integrity Availability 20

21 Security Rule Requirements Security Components Example Variables Example Security Measures Physical Safeguards Facility structure Data storage center Computer hardware Building alarm system Locked doors Monitors shielded from view Administrative Safeguards Designated security officer Staff training and oversight Information security control SRA review Technical Safeguards Controls on access to EHR Audit log monitoring Secure electronic exchanges Policies and Procedures Written P&P addressing HIPAA Security requirements Documentation of security measures Staff training Monthly review of user activity Policy enforcement New hire background checks Secure passwords Data backup Virus scans Encryption Written protocols on safeguards Record retention Periodic policy and procedure review Organizational Requirements Breach notification and other policies Business Associate agreements Periodic Business Associate Agreement review and updates 21

22 Good Faith Effort Compliance isn t enough You can be compliant and still suffer a breach Risk can never be eliminated Reduce risk to a reasonable and appropriate level The expectation is for organizations to put forth a good faith effort 22

HIPAA Audit Program OCR has been enforcing HIPAA since 2003 OCR random audit program set to begin in 2014 Provider compliance with Security, Privacy, and

23 HIPAA Audit Program OCR has been enforcing HIPAA since 2003 OCR random audit program set to begin in 2014 Provider compliance with Security, Privacy, and Breach Rules will be audited Most common Security deficiencies from pilot audits: Lack of or incomplete SRA Unaware of Security Rule requirements 23

24 HIPAA Audit Program: Recent Updates Delayed indefinitely (for now) More on-site audits Fewer remote audits On-site audits to verify that policies and procedures are in place and followed! 24

SRA Process Step 1: Identify and Classify Assets Step 2: Identify and Classify Threats and Vulnerabilities Step 3: Assess Current Controls Step 4: Determine Likelihood of Threat Occurrence Step

25 SRA Process Step 1: Identify and Classify Assets Step 2: Identify and Classify Threats and Vulnerabilities Step 3: Assess Current Controls Step 4: Determine Likelihood of Threat Occurrence Step 5: Analyze Impact to Organization Step 6: Determine Level of Risk Step 7: Implement Security Controls Step 8: Ongoing Risk Management Program and Recurring SRA Review All Steps: Documentation! 25

SRA Service and Tools M-CEITA Security Risk Assessment Toolkit Follows NIST guidance (800-30 & 800-66) Work on-site with

26 SRA Service and Tools M-CEITA Security Risk Assessment Toolkit Follows NIST guidance ( & ) Work on-site with practice leaders Guide through every step of SRA process Deliver analysis and recommended plan of action to improve compliance 26

27 Risk Assessment Tool Sample Page 27

28 Sample Policy Breach Notification and Reporting Customizable to your practice! 28

29 Attesting to Meaningful Use Risk assessment Best performed during the 90-day reporting period CMS has allowed exceptions to this due to the CEHRT flexibility rule changes (2014 only) Must assess certified EHR technology Repeat for each reporting period Attest after you have conducted your Security Risk Assessment You do not have to correct deficiencies identified in the SRA before you attest to Meaningful Use 29

30 How frequently do I need to do an SRA? Recommended at least annually Significant changes to practice, technology, or environment Example: Internet Explorer and Windows XP Every year of Meaningful Use attestation 30

31 Conclusion Security Risk Assessments required for compliance with HIPAA and Meaningful Use Risk and regulatory oversight increasing Practices are expected to take compliance seriously and put forth a good faith effort Required: Hard work, diligence, integrity An SRA is the first step of a continuous, comprehensive Risk Management Program that will benefit your patients and your practice 31

32 Resources NIST SP NIST SP NIST SP ONC Guide to Privacy and Security of Health Information OCR Wall of Shame HHS Final Guidance on Risk Analysis HIPAA Administrative Simplification 32

33 Questions? M-CEITA Contact Info: MICH-EHR 33

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute June 21, 2016 6/21/2016 1 1 Disclaimer