Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use


Andy Petrovich, MHSA, MPH
M-CEITA / Altarum Institute
June 21, 2016

Disclaimer

This presentation was current at the time it was published or uploaded onto the web. Medicare and Medicaid policy changes frequently, so links to source documents have been provided for your reference. This presentation was prepared as a service to the public and is not intended to grant rights or impose obligations. This presentation may contain references or links to statutes, regulations, or other policy materials. The information provided is only intended to be a general summary. It is not intended to take the place of either the written law or regulations. We encourage participants to review the specific statutes, regulations, and other interpretive materials for a full and accurate statement of their contents.

Agenda

1. Overview of M-CEITA
2. Security Risk Assessment Overview
3. Requirements and Definitions
4. Security Risk Assessment Process
5. Questions

Who is M-CEITA?

- Michigan Center for Effective Information Technology Adoption (M-CEITA)
- One of 62 ONC Regional Extension Centers (REC) providing education & technical assistance to primary care providers across the country
- Founded as part of the HITECH Act to accelerate the adoption, implementation, and effective use of electronic health records (EHR), e.g. 90 days of MU
- Funded by ARRA of 2009 (Stimulus Plan)
- Purpose: support the Triple Aim by achieving 5 overall performance goals

The Triple Aim: improve patient experience, improve population health, reduce costs.

The five performance goals (from the slide diagram): Improve Quality, Safety & Efficiency; Engage Patients & Families; Improve Care Coordination; Improve Population and Public Health; Ensure Privacy and Security Protections. The diagram also carries the labels Meaningful Use, Performance Measurement, and Certified Technology Infrastructure.

M-CEITA Services

- Meaningful Use Support: Technical assistance, including workflow redesign, security risk assessment and MU compliance (e.g. patient portal and clinical quality measures).
- Security Risk Assessment: Support meeting the requirements of MU Measure: Protect Electronic Health Information, including an assessment using our exclusive tool.
- Audit Preparation: A review of Meaningful Use attestation documentation using our exclusive Audit File Checklist, to correct any issues before completing the process.
- Targeted Process Optimization (Lean): A workflow analysis and redesign of core processes using Lean principles to increase efficiency and reduce duplication (e.g. chart prep, document management).
- PQRS Support: Technical assistance for the Physician Quality Reporting System, including measure selection/optimization as well as reporting method selection and assistance.

Security Risk Assessment

Risk

- People want to get value from the world
- The world can be dangerous
- People want to be secure from dangers
- How do we get security in an insecure world?

Why Complete a Security Risk Assessment?

Consider three reasons to complete an SRA:
- Patient Safety
- Public Perception
- Compliance

All good reasons, but which is the top priority for your practice?

Patient Safety

First, do no harm.
- 112 million medical records were breached in 2015 alone
- Breached medical records can have real, serious consequences for victims:
  - Average of over 12 million identities stolen every year
  - Average cost: $5,130 per household
  - Other concerns, such as privacy and stigma of health information

Public Perception

Patients want access to their information and they want it to be safe.
- 81% of patients have concerns about privacy and security of EHR
- 60% of patients believe that EHR use will result in more information being lost or stolen
- Patients, like any consumer, vote with their feet: 76% of consumers report willingness to seek new providers after a breach

Other considerations:
- Increased probability of legal action against the covered entity by customers
- Customers less likely to share personal details with the organization

Compliance

- Covered entities that suffer a breach and have not performed a Security Risk Assessment, or otherwise do not have an effective risk management program, face the steepest penalties from the Office for Civil Rights
- A lack of or incomplete SRA is the main reason providers fail Meaningful Use (MU) audits, resulting in loss of incentive money
- These costs are in addition to extra costs incurred by having ineffective security measures in place
- Breach victims may pursue legal action for damages
- Many healthcare providers have lost access to their data due to ransomware attacks or contract disputes

Risk is on the Rise

- Healthcare is the leading US industry for data breaches
- This is due to the relatively high value of medical records and relatively low security of their information systems (compared to, for example, banking and finance)
- ePHI breaches are increasingly attributed to hacking attacks, but human behavior is still a crucial factor (e.g. Anthem hack due to phishing attack)

How can healthcare providers protect their data going forward?
- Perform accurate and thorough risk assessments
- Manage risk continuously
- Increase use of encryption
- Train all staff and providers on how to properly protect ePHI
- Include medical and ancillary devices in risk assessments (proper scope)

Requirements and Definitions

HIPAA Security Rule

Title II: Administrative Simplification
  Security Rule: Security Standards
    - Administrative Safeguards
    - Physical Safeguards
    - Technical Safeguards
    - Organizational Requirements
    - Policies and Procedures
    - Documentation Requirements

Security Risk Assessment

HIPAA Security Rule, 45 CFR 164.308(a)(1):
- Risk Assessment
- Risk Management
- Sanction Policy
- Information System Activity Review

Risk Assessment (or Analysis): "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."

Security Rule Requirements

For each security component, the slide lists example variables and example security measures:

Physical Safeguards
- Example variables: Facility structure; Data storage center; Computer hardware
- Example security measures: Building alarm system; Locked doors; Monitors shielded from view

Administrative Safeguards
- Example variables: Designated security officer; Staff training and oversight; Information security control
- Example security measures: Security Risk Assessment / review; Staff training; Monthly review of user activity; Policy enforcement; New hire background checks

Technical Safeguards
- Example variables: Controls on access to EHR; Audit log monitoring; Secure electronic exchanges
- Example security measures: Secure passwords; Data backup; Virus scans; Encryption

Policies and Procedures
- Example variables: Written P&P addressing HIPAA Security requirements; Documentation of security measures
- Example security measures: Written protocols on safeguards; Record retention; Periodic policy and procedure review

Organizational Requirements
- Example variables: Breach notification and other policies; Business Associate agreements
- Example security measures: Periodic Business Associate Agreement review and updates

SRA as a Meaningful Use requirement: Objective 1

Objective: Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.

Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI created or maintained by CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

A note about Encryption

- Addressable specification found at 45 CFR 164.312(a)(2)(iv)... but not optional! (Under 45 CFR 164.306(d)(3), "addressable" means the entity must implement the specification, or document why it is not reasonable and appropriate and implement an equivalent alternative measure.)
- Under HIPAA, encrypted ePHI is considered secure and therefore protected from a breach (safe harbor)
- Meaningful Use deliberately draws attention to encryption in the new Final Rule to emphasize its importance in securing ePHI
- ePHI must be encrypted when at rest (stored) and in transmission

HHS Office for Civil Rights (OCR) Final Guidance

- Scope must include all ePHI in the organization
- Data collection and methods must be documented
- Identify and document anticipated threats and vulnerabilities
- Assess current security measures in place
- Establish likelihood of threat occurrence
- Establish potential impact of threat occurrence
- Determine level of risk
- Document complete risk analysis
- Periodic review and update

There is no one way to do an SRA, but every method must meet these objectives.

Risk Defined

Risk is the potential (likelihood) of a negative outcome (impact) toward an asset, due to a vulnerability being exploited by a threat, that would reduce the value of the asset to the organization. (NIST SP 800-30)

What is at risk?

- Confidentiality
- Integrity
- Availability

Vulnerabilities and Controls

- For valuable assets, we need access to utilize the value
- Systems are designed to permit access, but all have vulnerabilities
- Controls reduce or eliminate unauthorized access

Threats and Threat Sources

Threat sources, external and internal (from the slide diagram):
- Hostile outsiders
- Theft / Sabotage
- Business Associates
- Malicious insider
- Inconsistent enforcement of P&P
- Infrastructure failures
- Natural disasters
- Staff curiosity
- Shadow IT

Business Associates

- All vendors who process, store, or transmit PHI are considered Business Associates and need to sign a Business Associate Agreement
- Business Associates have serious ramifications regarding the confidentiality, integrity and availability of ePHI:
  - Many breaches are due to business associates
  - Disputes regarding data access and data integrity are not uncommon
  - Malicious outsider/insider: consider Edward Snowden
- Getting the Business Associate Agreement in place is the first step
- Equally important is ongoing vendor management, including security
- Would your vendors pass a HIPAA audit? They might have to!

HIPAA Audit Program

- OCR has been enforcing HIPAA since 2003
- OCR random audit program set to begin in 2016
- Provider compliance with the Security, Privacy, and Breach Rules will be audited
- Most common Security deficiencies from 2012-2013 pilot audits:
  - Lack of or incomplete SRA
  - Unaware of Security Rule requirements
- On-site and remote audits to be performed
- Covered Entities and Business Associates

Meaningful Use Audits vs HIPAA Audits

Meaningful Use Audits
- Performed by Figliozzi and Co. under contract with CMS
- 1 in 10 MU attesting providers audited
- Random and based on prior audit results, if applicable
- Focus on timing and scope of SRA and key remediation activities (audit logs, comparing previous results to current)

HIPAA Audits
- Performed by the Department of Health and Human Services Office for Civil Rights (OCR)
- Comprehensive examination of the organization's risk management program and Security Rule compliance
- Only a few hundred random audits per year
- Most OCR investigations occur following a breach

Security Risk Assessment Process

Security Risk Assessment Process

- Step 1: Identify and Classify Assets
- Step 2: Identify and Classify Threats and Vulnerabilities
- Step 3: Assess Current Controls
- Step 4: Determine Likelihood of Threat Occurrence
- Step 5: Analyze Impact to Organization
- Step 6: Determine Level of Risk
- Step 7: Implement Security Controls
- Step 8: Ongoing Risk Management Program and Recurring SRA Review

All steps: Documentation!
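A small risk register that carries Steps 1 through 7 above in code, added here as an illustration (it is not M-CEITA's toolkit or any code from the deck). The likelihood/impact matrix is modelled on the qualitative scale in NIST SP 800-30r1, which the deck cites; the exact cell values, the sample practice inventory, and the names `Asset`, `RiskItem`, `risk_level`, `scope_gaps` and `prioritize` are assumptions for this example.

```python
"""Minimal ePHI risk register following the 8-step SRA process.

Added illustration, not M-CEITA's tool. The matrix below is modelled on
NIST SP 800-30r1's qualitative scale; calibrate it to your own practice.
"""
from dataclasses import dataclass, field

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Rows: likelihood of threat occurrence (Step 4); columns: impact (Step 5).
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

@dataclass
class Asset:               # Step 1: identify and classify assets
    name: str
    holds_ephi: bool

@dataclass
class RiskItem:            # Steps 2-3: threat/vulnerability pair plus current controls
    asset: str
    threat: str
    vulnerability: str
    controls: list[str] = field(default_factory=list)
    likelihood: str = "Moderate"
    impact: str = "Moderate"

def risk_level(likelihood: str, impact: str) -> str:
    """Step 6: combine likelihood and impact into a qualitative risk level."""
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]

def scope_gaps(assets, register) -> list[str]:
    """OCR guidance: scope must include all ePHI. Return ePHI assets with no risk item."""
    covered = {item.asset for item in register}
    return [a.name for a in assets if a.holds_ephi and a.name not in covered]

def prioritize(register) -> list[tuple[str, str, str]]:
    """Rank items highest risk first to drive Step 7 (implement controls)."""
    scored = [(risk_level(i.likelihood, i.impact), i.asset, i.threat) for i in register]
    return sorted(scored, key=lambda t: LEVELS.index(t[0]), reverse=True)

# Constructed sample inventory for a small practice (not real data).
ASSETS = [Asset("EHR database server", True), Asset("Clinician laptops", True),
          Asset("Billing clearinghouse (BA)", True), Asset("Waiting-room TV", False)]
REGISTER = [
    RiskItem("Clinician laptops", "Theft", "Unencrypted disk",
             controls=["Cable locks"], likelihood="High", impact="Very High"),
    RiskItem("EHR database server", "Ransomware via phishing", "No offline backup",
             controls=["Antivirus"], likelihood="Moderate", impact="Very High"),
    RiskItem("EHR database server", "Staff curiosity", "Audit logs not reviewed",
             controls=["Role-based access"], likelihood="Moderate", impact="Moderate"),
]

if __name__ == "__main__":
    for level, asset, threat in prioritize(REGISTER):
        print(f"{level:9} {asset}: {threat}")
    print("ePHI assets not yet in scope:", scope_gaps(ASSETS, REGISTER))
```

The scope check is the part auditors look for first: an ePHI-holding asset with no entry in the register (here the billing clearinghouse) means the analysis is incomplete regardless of how the rest is scored.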

Attesting to Meaningful Use

Risk assessment requirements:
- Must take place during the calendar year of the EHR reporting period and no later than the provider attestation date
- Must assess certified EHR technology (CEHRT) and devices using ePHI (e.g. laptops, desktops, tablets, smartphones)
- Repeat for each reporting period
- Do not attest until after you have conducted your Security Risk Assessment

How frequently do I need to do a Risk Assessment?

- For practices participating in Meaningful Use, a Security Risk Assessment needs to be completed or updated for every year of attestation
- Also, after major changes or upgrades to practice, technology, or environment
- For HIPAA compliance, the recommendation is at least annually
- Risk management and assessment is a continuous process, so make sure you have documentation to support your ongoing risk assessment and management process

SRA Service and Tools

M-CEITA Security Risk Assessment Toolkit:
- Follows NIST frameworks (800-30r1 & 800-66)
- Experts work on-site with practice leadership
- Guide through every step of the SRA process
- Deliver analysis, recommended plan of action, and tools to improve security and compliance

Risk Assessment Tool: Sample Page (slide image)

Sample Policy: Breach Notification and Reporting (customizable to your practice)

Best Practice Considerations

- Security is an investment in your business; all stakeholders benefit
- Educate employees, managers, and ownership on security threats and protocols
- Build a culture of security awareness from top to bottom. Start with top management and involve everyone!
- Implement, refine, and enhance security policies and practices
- Treat your business associates like insiders. Be confident you can trust them by getting the information you need to verify their security practices

Best Practice Considerations

- Compliance does not equal security
  - Compliance is the minimum legal requirement
  - You can be compliant and still suffer a breach
- Risk can never be eliminated; reduce risk to a reasonable and appropriate level
- Completing an SRA for MU does not necessarily mean you are compliant with all aspects of the Security Rule
  - Does your risk assessment process address all of the Security Rule requirements and implementation specifications?
  - Does it include all of your ePHI?

Final Thoughts

- Security Risk Assessments are required for compliance with HIPAA and Meaningful Use
- Risk and regulatory oversight are increasing and expected to continue
- Practices are expected to take security seriously and put forth a good faith effort
- Required: hard work, diligence, integrity
- An SRA is the first step of a continuous, comprehensive Risk Management Program that will benefit your patients and your practice

Resources

- CMS Security Risk Analysis Tip Sheet
- NIST SP 800-30r1
- NIST SP 800-39
- NIST SP 800-66
- ONC Guide to Privacy and Security of Health Information
- OCR Wall of Shame
- OCR Audit Protocol
- HHS Final Guidance on Risk Analysis
- HIPAA Administrative Simplification

Questions?

Additional contact info:
- Meaningful Use: www.mceita.org, 888-MICH-EHR, mceita@altarum.org
- SRA (Security Risk Assessment): Andy Petrovich, 734-302-4780, andy.petrovich@altarum.org