Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use
Andy Petrovich, MHSA, MPH
M-CEITA / Altarum Institute
June 21, 2016
1
Disclaimer This presentation was current at the time it was published or uploaded onto the web. Medicare and Medicaid policy changes frequently, so links to source documents have been provided for your reference. This presentation was prepared as a service to the public and is not intended to grant rights or impose obligations. This presentation may contain references or links to statutes, regulations, or other policy materials. The information provided is only intended to be a general summary. It is not intended to take the place of either the written law or regulations. We encourage participants to review the specific statutes, regulations, and other interpretive materials for a full and accurate statement of their contents. 2
Agenda
1. Overview of M-CEITA
2. Security Risk Assessment Overview
3. Requirements and Definitions
4. Security Risk Assessment Process
5. Questions
3
Who is M-CEITA?
Michigan Center for Effective Information Technology Adoption (M-CEITA)
- One of 62 ONC Regional Extension Centers (REC) providing education & technical assistance to primary care providers across the country
- Founded as part of the HITECH Act to accelerate the adoption, implementation, and effective use of electronic health records (EHR), e.g. 90 days of MU
- Funded by ARRA of 2009 (Stimulus Plan)
- Purpose: support the Triple Aim by achieving 5 overall performance goals
THE TRIPLE AIM: Improve patient experience; Improve population health; Reduce costs
The 5 performance goals: Improve Quality, Safety & Efficiency; Engage Patients & Families; Improve Care Coordination; Improve Population and Public Health; Ensure Privacy and Security Protections
Diagram labels: Performance Measurement; Meaningful Use; Certified Technology Infrastructure
4
M-CEITA Services
- Meaningful Use Support: Technical assistance, including workflow redesign, security risk assessment and MU compliance (e.g. patient portal and clinical quality measures)
- Security Risk Assessment: Support meeting the requirements of the MU measure Protect Electronic Health Information, including an assessment using our exclusive tool
- Audit Preparation: A review of Meaningful Use attestation documentation using our exclusive Audit File Checklist, to correct any issues before completing the process
- Targeted Process Optimization (Lean): A workflow analysis and redesign of core processes using Lean principles to increase efficiency and reduce duplication (e.g. chart prep, document management)
- PQRS Support: Technical assistance for the Physician Quality Reporting System, including measure selection/optimization as well as reporting method selection and assistance
5
Security Risk Assessment 6
Risk
- People want to get value from the world
- The world can be dangerous
- People want to be secure from dangers
- How do we get security in an insecure world?
7
Why Complete a Security Risk Assessment?
Consider three reasons to complete an SRA:
- Patient Safety
- Public Perception
- Compliance
All good reasons, but which is the top priority for your practice?
8
Patient Safety
First, do no harm.
- 112 million medical records were breached in 2015 alone
- Breached medical records can have real, serious consequences for victims:
  - Average of over 12 million identities stolen every year
  - Average cost: $5,130 per household
  - Other concerns, such as privacy and the stigma of health information
9
Public Perception
Patients want access to their information and they want it to be safe
- 81% of patients have concerns about the privacy and security of EHR
- 60% of patients believe that EHR use will result in more information being lost or stolen
Patients, like any consumer, vote with their feet:
- 76% of consumers report willingness to seek new providers after a breach
Other Considerations:
- Increased probability of legal action against the covered entity by customers
- Customers less likely to share personal details with the organization
10
Compliance
- Covered entities that suffer a breach and have not performed a Security Risk Assessment, or otherwise do not have an effective risk management program, face the steepest penalties from the Office for Civil Rights
- A lack of or incomplete SRA is the main reason providers fail Meaningful Use (MU) audits, resulting in loss of incentive money
- These costs are in addition to the extra costs incurred by having ineffective security measures in place
- Breach victims may pursue legal action for damages
- Many healthcare providers have lost access to their data due to ransomware attacks or contract disputes
11
Risk is on the Rise
- Healthcare is the leading US industry for data breaches
- This is due to the relatively high value of medical records and the relatively low security of their information systems (compared to, for example, banking and finance)
- ePHI breaches are increasingly attributed to hacking attacks, but human behavior is still a crucial factor (e.g. the Anthem hack, which was due to a phishing attack)
How can healthcare providers protect their data going forward?
- Perform accurate and thorough risk assessments
- Manage risk continuously
- Increase use of encryption
- Train all staff and providers on how to properly protect ePHI
- Include medical and ancillary devices in risk assessments (proper scope)
12
Requirements and Definitions 13
HIPAA Security Rule
Title II: Administrative Simplification
  Security Rule: Security Standards
    - Administrative Safeguards
    - Physical Safeguards
    - Technical Safeguards
    - Organizational Requirements
    - Policies and Procedures
    - Documentation Requirements
14
Security Risk Assessment
HIPAA Security Rule 45 CFR 164.308(a)(1):
- Risk Assessment
- Risk Management
- Sanction Policy
- Information System Activity Review
Risk Assessment (or Analysis): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity
15
Security Rule Requirements
Security Components | Example Variables | Example Security Measures
Physical Safeguards | Facility structure; Data storage center; Computer hardware | Building alarm system; Locked doors; Monitors shielded from view
Administrative Safeguards | Designated security officer; Staff training and oversight; Information security control | Security Risk Assessment / review; Staff training; Monthly review of user activity; Policy enforcement; New hire background checks
Technical Safeguards | Controls on access to EHR; Audit log monitoring; Secure electronic exchanges | Secure passwords; Data backup; Virus scans; Encryption
Policies and Procedures | Written P&P addressing HIPAA Security requirements; Documentation of security measures | Written protocols on safeguards; Record retention; Periodic policy and procedure review
Organizational Requirements | Breach notification and other policies; Business Associate agreements | Periodic Business Associate Agreement review and updates
16
SRA as a Meaningful Use requirement: Objective 1
Objective: Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI created or maintained by CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
17
A note about Encryption
- Addressable specification found at 45 CFR 164.312(a)(2)(iv)... but addressable does not mean optional!
- Under HIPAA, encrypted ePHI is considered secure and therefore protected from a breach (safe harbor)
- Meaningful Use deliberately draws attention to encryption in the new Final Rule to emphasize its importance in securing ePHI
- ePHI must be encrypted when at rest (stored) and in transmission
18
HHS Office for Civil Rights (OCR) Final Guidance
- Scope must include all ePHI in the organization
- Data collection and methods must be documented
- Identify and document anticipated threats and vulnerabilities
- Assess current security measures in place
- Establish likelihood of threat occurrence
- Establish potential impact of threat occurrence
- Determine level of risk
- Document the complete risk analysis
- Periodic review and update
There is no one way to do an SRA, but every method must meet these objectives
19
Risk Defined
Risk is the potential (likelihood) of a negative outcome (impact) toward an asset, due to a vulnerability being exploited by a threat, that would reduce the value of the asset to the organization. (NIST SP 800-30)
20
What is at risk?
- Confidentiality
- Integrity
- Availability
21
Vulnerabilities and Controls
- For valuable assets, we need access to utilize the value
- Systems are designed to permit access, but all have vulnerabilities
- Controls reduce or eliminate unauthorized access
22
Threats and Threat Sources
External and internal sources include:
- Hostile outsiders
- Theft / Sabotage
- Business Associates
- Malicious insider
- Inconsistent enforcement of P&P
- Infrastructure failures
- Natural disasters
- Staff curiosity
- Shadow IT
23
Business Associates
- All vendors who process, store, or transmit PHI are considered Business Associates and need to sign a Business Associate Agreement
- Business Associates have serious ramifications for the confidentiality, integrity and availability of ePHI:
  - Many breaches are due to business associates
  - Disputes regarding data access and data integrity are not uncommon
  - Malicious outsider/insider: consider Edward Snowden
- Getting the Business Associate Agreement in place is the first step
- Equally important is ongoing vendor management, including security
- Would your vendors pass a HIPAA audit? They might have to!
24
HIPAA Audit Program
- OCR has been enforcing HIPAA since 2003
- OCR random audit program set to begin in 2016
- Provider compliance with the Security, Privacy, and Breach Rules will be audited
- Most common Security deficiencies from the 2012-2013 pilot audits:
  - Lack of or incomplete SRA
  - Unaware of Security Rule requirements
- On-site and remote audits to be performed
- Covered Entities and Business Associates
25
Meaningful Use Audits vs HIPAA Audits
Meaningful Use Audits
- Performed by Figliozzi and Co. under contract with CMS
- 1 in 10 MU attesting providers audited
- Random and based on prior audit results, if applicable
- Focus on timing and scope of SRA, key remediation activities (audit logs, compare previous results to current)
HIPAA Audits
- Performed by the Department of Health and Human Services Office for Civil Rights (OCR)
- Comprehensive examination of the organization's risk management program and Security Rule compliance
- Only a few hundred random audits per year
- Most OCR investigations occur following a breach
26
Security Risk Assessment Process 27
Security Risk Assessment Process
Step 1: Identify and Classify Assets
Step 2: Identify and Classify Threats and Vulnerabilities
Step 3: Assess Current Controls
Step 4: Determine Likelihood of Threat Occurrence
Step 5: Analyze Impact to Organization
Step 6: Determine Level of Risk
Step 7: Implement Security Controls
Step 8: Ongoing Risk Management Program and Recurring SRA Review
All Steps: Documentation!
28
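The following is an added worked example, not part of the deck and not M-CEITA's toolkit or any NIST-published code. It walks a small risk register through the steps above and through the OCR guidance objectives (threats and vulnerabilities, current measures, likelihood, impact, level of risk), using the NIST SP 800-30 definition of risk as likelihood times impact. The three-level scale, the score-to-level cut-offs and the register entries are constructed assumptions; a practice would substitute its own scale and findings.

```python
"""Worked example of the SRA scoring steps (Steps 1-8 on the slide).

Added illustration; not M-CEITA's toolkit and not NIST code. The 3-level
qualitative scale, the score cut-offs and the sample register are assumptions.
"""
from dataclasses import dataclass, field

# Qualitative scale for likelihood and impact (assumption: 3 levels).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskItem:
    asset: str                    # Step 1: asset that creates or stores ePHI
    threat: str                   # Step 2: threat source or event
    vulnerability: str            # Step 2: weakness the threat could exploit
    current_controls: list[str]   # Step 3: safeguards already in place
    likelihood: str               # Step 4: low / medium / high
    impact: str                   # Step 5: low / medium / high
    planned_controls: list[str] = field(default_factory=list)  # Step 7


def risk_level(likelihood: str, impact: str) -> tuple[int, str]:
    """Step 6: risk = likelihood x impact, mapped back to a label.

    Cut-offs (assumed): 6 or 9 -> high, 3 or 4 -> medium, 1 or 2 -> low.
    """
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return score, "high"
    if score >= 3:
        return score, "medium"
    return score, "low"


def assess(register: list[RiskItem]) -> list[dict]:
    """Score every register entry and order the result highest risk first."""
    rows = []
    for item in register:
        score, level = risk_level(item.likelihood, item.impact)
        rows.append({
            "asset": item.asset,
            "threat": item.threat,
            "score": score,
            "level": level,
            "planned_controls": list(item.planned_controls),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def remediation_gaps(rows: list[dict], threshold: str = "medium") -> list[str]:
    """Steps 7-8: risks at or above the threshold with no planned control.

    These are the findings an auditor expects to see carried into the risk
    management plan rather than left open.
    """
    floor = LEVELS[threshold]
    return [
        f'{r["asset"]}: {r["threat"]}'
        for r in rows
        if LEVELS[r["level"]] >= floor and not r["planned_controls"]
    ]


# Constructed sample register for a small practice (not real findings).
SAMPLE_REGISTER = [
    RiskItem("Provider laptop (CEHRT client)", "Theft or loss",
             "Disk not encrypted; ePHI cached locally",
             ["Cable lock in office"], "medium", "high",
             ["Full-disk encryption", "Remote wipe"]),
    RiskItem("EHR database server", "Ransomware delivered by phishing",
             "No staff phishing training; no offline backup",
             ["Antivirus"], "medium", "medium"),
    RiskItem("Front-desk workstation", "Visitor reads screen",
             "Monitor faces the waiting room",
             ["Privacy screen filter"], "low", "low"),
]


def run_sample() -> tuple[list[dict], list[str]]:
    """Score the sample register and list its open remediation gaps."""
    rows = assess(SAMPLE_REGISTER)
    return rows, remediation_gaps(rows)


if __name__ == "__main__":
    scored, gaps = run_sample()
    for r in scored:
        print(f'{r["level"]:6} ({r["score"]})  {r["asset"]}: {r["threat"]}')
    print("Open gaps:", gaps)
```

Running it ranks the unencrypted laptop highest, then the server, then the workstation, and reports the server as the one open gap because its medium risk has no planned control recorded. That last output is the point of the "All Steps: Documentation!" line: the register, the scores and the planned controls together are the evidence an MU or OCR auditor asks for.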
Attesting to Meaningful Use
Risk assessment requirements:
- Must take place during the calendar year of the EHR reporting period and no later than the provider attestation date
- Must assess certified EHR technology (CEHRT) and devices using ePHI (e.g. laptops, desktops, tablets, smartphones)
- Repeat for each reporting period
Do not attest until after you have conducted your Security Risk Assessment
29
How frequently do I need to do a Risk Assessment?
- For practices participating in Meaningful Use, a Security Risk Assessment needs to be completed or updated for every year of attestation
- Also after major changes or upgrades to the practice, technology, or environment
- For HIPAA compliance, the recommendation is at least annually
- Risk management and assessment is a continuous process, so make sure you have documentation to support your ongoing risk assessment and management process
30
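The timing rule on the two slides above is where MU audits most often catch practices, so here is an added example (not CMS or M-CEITA code) that encodes it as a check: the SRA must be dated inside the calendar year of the reporting period and on or before the attestation date, once per period, and the slides' recommendation to re-assess after a major change is reported as a separate finding rather than as an MU failure. The dates and scenarios are constructed.

```python
"""Check whether recorded SRA dates satisfy the Meaningful Use timing rule.

Added illustration, not CMS or M-CEITA code. Rule encoded from the slides:
the SRA falls within the calendar year of the EHR reporting period and on or
before the attestation date, repeated every period; an SRA update after a
major change is a recommendation and is reported separately. Dates are
constructed.
"""
from datetime import date


def mu_sra_timing_check(reporting_year, attestation_date, sra_dates, major_changes=()):
    """Return (ok, findings).

    ok is True when at least one SRA is dated inside reporting_year and no
    later than attestation_date. findings lists every problem so the practice
    can see why an SRA was rejected (wrong year, after attestation) and which
    major changes have no follow-up review.
    """
    findings = []
    qualifying = []
    for d in sorted(sra_dates):
        if d.year != reporting_year:
            findings.append(f"SRA dated {d} falls outside reporting year {reporting_year}")
        elif d > attestation_date:
            findings.append(f"SRA dated {d} is after attestation on {attestation_date}")
        else:
            qualifying.append(d)
    ok = bool(qualifying)
    if not ok:
        findings.append("no qualifying SRA: do not attest until one is completed")
    # Major-change trigger (assumption: a change is covered when a qualifying
    # SRA is dated on or after it).
    for change_date, description in major_changes:
        if not any(d >= change_date for d in qualifying):
            findings.append(f"no SRA update after major change on {change_date}: {description}")
    return ok, findings


def sample_checks():
    """Constructed scenarios: one compliant practice and two common mistakes."""
    compliant = mu_sra_timing_check(
        2015, date(2016, 2, 15), [date(2015, 11, 3)],
        major_changes=[(date(2015, 6, 1), "EHR upgrade")])
    # Wrong year: SRA done in January of the attestation year, not the reporting year.
    late_sra = mu_sra_timing_check(2015, date(2016, 2, 15), [date(2016, 1, 20)])
    # Stale: SRA in the right year, but a major change happened afterwards.
    stale = mu_sra_timing_check(
        2015, date(2016, 2, 15), [date(2015, 3, 10)],
        major_changes=[(date(2015, 9, 1), "new patient portal")])
    return compliant, late_sra, stale


if __name__ == "__main__":
    for name, (ok, findings) in zip(("compliant", "late_sra", "stale"), sample_checks()):
        print(name, "ok" if ok else "FAIL", findings)
```

The second scenario is the classic failure: an attestation filed in February 2016 for the 2015 reporting period is not covered by an SRA performed in January 2016, even though that SRA predates the attestation.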
SRA Service and Tools
M-CEITA Security Risk Assessment Toolkit
- Follows NIST frameworks (SP 800-30r1 & SP 800-66)
- Experts work on-site with practice leadership
- Guide through every step of the SRA process
- Deliver analysis, recommended plan of action, and tools to improve security and compliance
31
Risk Assessment Tool Sample Page 32
Sample Policy Breach Notification and Reporting Customizable to your practice 33
Best Practice Considerations
- Security is an investment in your business: all stakeholders benefit
- Educate employees, managers, and ownership on security threats and protocols
- Build a culture of security awareness from top to bottom. Start with top management and involve everyone!
- Implement, refine, and enhance security policies and practices
- Treat your business associates like insiders. Be confident you can trust them by getting the information you need to verify their security practices
34
Best Practice Considerations
- Compliance does not equal security
  - Compliance is the minimum legal requirement
  - You can be compliant and still suffer a breach
- Risk can never be eliminated
  - Reduce risk to a reasonable and appropriate level
- Completing an SRA for MU does not necessarily mean you are compliant with all aspects of the Security Rule
  - Does your risk assessment process address all of the Security Rule requirements and implementation specifications?
  - Does it include all of your ePHI?
35
Final Thoughts
- Security Risk Assessments are required for compliance with HIPAA and Meaningful Use
- Risk and regulatory oversight are increasing and expected to continue
- Practices are expected to take security seriously and put forth a good faith effort
- Required: hard work, diligence, integrity
- An SRA is the first step of a continuous, comprehensive Risk Management Program that will benefit your patients and your practice
36
Resources
- CMS Security Risk Analysis Tip Sheet
- NIST SP 800-30r1
- NIST SP 800-39
- NIST SP 800-66
- ONC Guide to Privacy and Security of Health Information
- OCR Wall of Shame
- OCR Audit Protocol
- HHS Final Guidance on Risk Analysis
- HIPAA Administrative Simplification
37
Questions?
ADDITIONAL CONTACT INFO:
MEANINGFUL USE: www.mceita.org, 888-MICH-EHR, mceita@altarum.org
SRA (Security Risk Assessment): Andy Petrovich, 734-302-4780, andy.petrovich@altarum.org
38