Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15


Risk Analysis with EHR
(In the original table each item has three columns: Question, Example Answers/Help, and a Status column that is left blank for the practice to complete.)

Q: What new electronic health information has been introduced into my practice because of EHRs?
Q: Where will that electronic health information reside?
A: The data is stored in a secure hosted environment by Bizmatics that meets all the ONC-ATCB security criteria. The clinic needs to make sure that PHI is not saved locally, or that security controls are implemented in the clinic to protect any PHI that is.

Q: Who in my office (employees, other providers, etc.) will have access to EHRs, and the electronic health information contained within them? Should all employees with access to EHRs have the same level of access?
A: The clinic has to define users for PrognoCIS access, each with a specific set of access rights. PrognoCIS provides role/user-based access controls. Based on the clinic's size and workflow, user roles and access rights can be configured in the system. Each user will have a specific set of permissions that govern the availability of features in PrognoCIS.

Q: Will I permit my employees to have electronic health information on mobile computing/storage equipment? If so, do they know how, and do they have the resources necessary, to keep electronic health information secure on these devices?
A: Data is secured in the hosted environment by Bizmatics and no PHI is saved locally except in the following cases:
- Scanned documents saved on a local machine need to be uploaded to the web EHR system. Once uploaded, the local copy of the scanned documents should be deleted.
- Received faxes that are saved locally need to be deleted once they are uploaded to the web EHR.
The clinic has to define a process to make sure that no PHI is saved locally, or, if it is saved locally, that the security guidelines are followed.

Q: How will I know if electronic health information has been accidentally or maliciously disclosed to an unauthorized person?
A: PrognoCIS provides an option to track every activity through an audit trail function. A detailed report of such transactions can be generated within the application at any time, based on the requirement. The clinic has to make sure the audit options are enabled, and an authorized person in the clinic should review the audit log periodically.

Q: When I upgrade my computer storage equipment (e.g., hard drives), will electronic health information be properly erased from the old storage equipment before I dispose of it?
A: No PHI is stored locally while accessing the web EHR, except:
- Scanned documents saved on a local machine need to be uploaded to the web EHR system. Once uploaded, the local copy of the scanned documents should be deleted.
- Received faxes that are saved locally need to be deleted once they are uploaded to the web EHR.
- Data that the clinic has explicitly downloaded and saved.
The clinic has to define a process to make sure that no PHI is saved locally, or, if it is saved locally, that the security guidelines are followed.

Q: Are my backup facilities secured (computers, tapes, offices, etc., used to back up EHRs and other health IT)?
A: Bizmatics takes care of all data backup. No local backup is needed for the clinic.

Q: Will I be sharing EHRs, or electronic health information contained in EHRs, with other health care entities through a HIO? If so, what security policies do I need to be aware of?
A: Currently PrognoCIS does not have an interface to export data to an HIE.

Q: If my EHR system is capable of providing my patients with a way to access their health record/information via the Internet (e.g., through a portal), am I familiar with the security requirements that will protect my patients' electronic health information before I implement that feature?
A: PrognoCIS has a powerful patient portal module which is also ONC-ATCB certified and follows all security rules and regulations.

Q: Will I communicate with my patients electronically (e.g., through a portal or email)? Are those communications secured?
A: All patient communication through the portal is secured and follows the ONC-ATCB security guidelines.

Q: If I offer my patients a method of communicating with me electronically, how will I know that I am communicating with the right patient?
A: PrognoCIS provides a unique user name and password to each patient to log in to the portal. Patient authentication is done on login to the portal.

Integrity Risk Analysis

Q: Who in my office will be permitted to create or modify an EHR, or electronic health information contained in the EHR?
A: The clinic has to provide access to its users. Only authorized users with the access rights/permission can modify EHR information.

Q: How will I know if an EHR, or the electronic health information in the EHR, has been altered or deleted?
A: PrognoCIS provides an option to track each and every activity through the audit trail function. A detailed audit report can be generated at any time, based on the requirement. It gives detailed information on the user, date and time, action performed, patient record number, etc., and the report is generated in human-readable format. The clinic has to make sure the audit trail is turned on and must periodically review the audit log.

Q: If I participate in a HIO, how will I know if the health information I exchange is altered in an unauthorized manner?
A: PrognoCIS allows you to import data from a HIO; imports are tracked via the import log.

Q: If my EHR system is capable of providing my patients with a way to access their health record/information via the Internet (e.g., through a portal) and I implement that feature, will my patients be permitted to modify any of the health information within their record? If so, what information?
A: The PrognoCIS Patient Portal does not allow a user to modify PHI.
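The audit-trail answers above describe a report of user, date and time, action performed and patient record number that an authorized person reviews periodically, and the Identifying Safeguards section later says audit logs can be reviewed to find out the details of an incident. The following Python script is an added example, not PrognoCIS code or a tool supplied by the document, showing what such a periodic review can check mechanically: activity from accounts the administrator has deactivated, actions a user's role is not permitted to perform, and access outside office hours. The pipe-separated log layout, the user/role table, the permission sets, the office hours and the sample events are all constructed assumptions; the page does not give the real export format.

```python
"""Periodic audit-trail review for an EHR audit export.

Added example, not PrognoCIS code. The log format is an assumption constructed
for this illustration: one event per line, pipe-separated as
    user | timestamp (ISO 8601) | action | patient record number
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample of the accounts the clinic administrator configured in the
# EHR (assumption, not real data). A departed employee's account is deactivated.
USERS = {
    "dr_patel":   {"role": "physician", "active": True},
    "nurse_kim":  {"role": "nurse",     "active": True},
    "front_desk": {"role": "reception", "active": True},
    "temp_jones": {"role": "nurse",     "active": False},
}

# Actions each role is permitted to perform (clinic-defined assumption).
ROLE_PERMISSIONS = {
    "physician": {"view", "create", "modify", "delete"},
    "nurse":     {"view", "create", "modify"},
    "reception": {"view"},
}

# Assumed office hours; access outside them is flagged for the reviewer.
OFFICE_HOURS = (time(7, 0), time(19, 0))

# Constructed sample audit export (not real patient data).
SAMPLE_LOG = """\
dr_patel|2016-07-19T09:14:02|modify|PRN-1001
front_desk|2016-07-19T09:20:45|view|PRN-1002
front_desk|2016-07-19T09:21:10|modify|PRN-1002
nurse_kim|2016-07-19T22:03:30|view|PRN-1003
temp_jones|2016-07-20T10:05:00|view|PRN-1001
dr_patel|2016-07-20T11:30:00|delete|PRN-1004
"""


@dataclass(frozen=True)
class Event:
    user: str
    when: datetime
    action: str
    patient: str


def parse_log(text):
    """Parse the pipe-separated export into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ts, action, patient = (f.strip() for f in line.split("|"))
        events.append(Event(user, datetime.fromisoformat(ts), action, patient))
    return events


def review(events, users=USERS, perms=ROLE_PERMISSIONS, hours=OFFICE_HOURS):
    """Return (reason, event) findings, in log order, for the reviewer to examine."""
    findings = []
    start, end = hours
    for ev in events:
        acct = users.get(ev.user)
        if acct is None:
            # A user name that the EHR administrator never configured.
            findings.append(("unknown user", ev))
            continue
        if not acct["active"]:
            # Access-control update on departure was not applied or was bypassed.
            findings.append(("activity from a deactivated account", ev))
        if ev.action not in perms.get(acct["role"], set()):
            # The role/user-based access rights should have prevented this.
            findings.append(("action not permitted for role", ev))
        if not (start <= ev.when.time() <= end):
            findings.append(("access outside office hours", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in review(parse_log(SAMPLE_LOG)):
        print(f"{reason}: {ev.user} {ev.action} {ev.patient} at {ev.when.isoformat()}")
```

Each finding is a lead for the authorized reviewer, not a verdict: after-hours access may be legitimate on-call work, but an action outside a role's permissions, or any activity from a deactivated account, indicates that the access rights configured in the EHR do not match what the audit trail records and should be reconciled and documented in the periodic review.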

Risk Analysis

Q: How will I ensure that electronic health information, regardless of where it resides, is readily available to me and my employees for authorized purposes, including after normal office hours?
A: PrognoCIS is a web-based EHR which can be accessed anywhere, at any time, using a browser, an internet connection and user credentials to log in.

Q: Do I have a backup strategy for my EHRs in the event of an emergency, or to ensure I have access to patient information if the power goes out or my computer crashes?
A: PrognoCIS, being a web-based EHR, can be accessed through any computer at any time by an authorized user.

Q: If I participate in a HIO, does it have performance standards regarding network availability?
A: PrognoCIS is a cloud-based system run on secured servers.

Q: If my EHR system is capable of providing my patients with a way to access their health record/information via the Internet (e.g., through a portal) and I implement that feature, will I allow 24/7 access?
A: The Patient Portal is a web-based application and is available 24/7.

Identifying Safeguards

Q: Have I updated my internal information security processes to include the use of EHRs, connectivity to HIOs, offering portal access to patients, and the handling and management of electronic health information in general?
A: The clinic has to perform a periodic review of the risk analysis, with a comment, signature and date for each item included in the risk analysis.

Q: Have I trained my employees on the use of EHRs? On other electronic health information related technologies that I plan to implement? Do they understand the importance of keeping electronic health information protected?
A: Bizmatics provides onsite/online/webinar training on how to use PrognoCIS. The clinic has to implement a training process for its employees on the protection and importance of PHI.

Q: Have I identified how I will periodically assess my use of health IT to ensure my safeguards are effective?
A: The clinic should do a periodic review of its in-house policy and conduct a review of Identifying Safeguards. The clinic has to maintain the record by checking, signing and dating each item to document it.

Q: As employees enter and leave my practice, have I defined processes to ensure electronic health information access controls are updated accordingly?
A: The Clinic Administrator has to activate/deactivate user accounts in the EHR.

Q: Have I developed a security incident response plan so that my employees know how to respond to a potential security incident involving electronic health information (e.g., unauthorized access to an EHR, corrupted electronic health information)?
A: The clinic should implement a process, for example:
1. The clinic can reset the password or deactivate the user.
2. Audit logs can be reviewed to find out the details.
3. The clinic should notify the patients whose records were breached within 30 days.

Q: Have I developed processes that outline how electronic health information will be backed up or stored outside of my practice when it is no longer needed (e.g., when a patient moves and no longer receives care at the practice)?
A: A patient can be flagged as Inactive if the patient is no longer with the clinic. The data is still maintained in the EHR.

Q: Have I developed contingency plans so that my employees know what to do if access to EHRs and other electronic health information is not available for an extended period of time?
A: In case the EHR is not available for some time, clinical staff maintain the patient's record on paper, which can later be entered into the EHR.

Q: Have I developed processes for securely exchanging electronic health information with other health care entities?
A: External electronic data exchange occurs only through PrognoCIS, which is certified by ONC-ATCB for security.

Q: Have I developed processes that my patients can use to securely connect to a portal?
Q: Have I developed processes for proofing the identity of my patients before granting them access to the portal?
A: The clinic has to verify the identity of the patient before providing login credentials to the patient. PrognoCIS runs on secured servers.

Q: Do I have a process to periodically test my health IT backup capabilities, so that I am prepared to execute them?
A: Data backup is done centrally, and no local backup of data is needed.

Q: If equipment is stolen or lost, have I defined processes to respond to the theft or loss?
A: Since no PHI is available on local computers, the loss or theft of equipment won't affect the PHI, except where certain equipment was used for local PHI storage, such as scanning or faxing. The clinic has to define a process for the loss of such equipment.

Identifying Physical Safeguards

Q: Do I have basic office security in place, such as locked doors and windows, and an alarm system? Are they being used properly during working and non-working hours?
A: The clinic has to implement the process and verify it periodically.

Q: Are my desktop computing systems in areas that can be secured during non-working hours?
A: PrognoCIS provides a time-out after a period of inactivity. The clinic has to follow a process where the entire desktop computing system is locked, or set to lock on inactivity, at the end of a work session.

Q: Are my desktop computers out of the reach of patients and other personnel not employed by my practice during normal working hours?
A: The clinic needs to make sure that screens are not visible to unauthorized persons.

Q: Is mobile equipment (e.g., laptops), used within and outside my office, secured to prevent theft or loss?
A: PrognoCIS provides a time-out after a period of inactivity. However, the entire computer should be shut down or hibernated at the end of working hours.

Q: Do I have a documented inventory of approved and known health IT computing equipment within my practice?
Q: Will I know if one of my employees is using a computer or media device not approved for my practice?
A: It is good business practice for the clinic to document an in-house equipment inventory.

Q: Do my employees implement basic computer security principles, such as logging out of a computer before leaving it unattended?
A: The clinic should have a practice of locking the computer when the user is not at the desk and turning off the computer at the end of working hours.

Identifying Technical Safeguards

Q: Have I configured my computing environment where electronic health information resides using best-practice security settings (e.g., enabling a firewall, virus detection, and encryption where appropriate)? Am I maintaining that environment to stay up to date with the latest computer security updates?
A: Data is secured in the hosted environment by Bizmatics and no PHI is saved locally except in the following cases:
- Scanned documents saved on a local machine need to be uploaded to the web EHR system. Once uploaded, the local copy of the scanned documents should be deleted.
- Received faxes that are saved locally need to be deleted once they are uploaded to the web EHR.
- The clinic has to implement a process where locally saved PHI is properly secured.

Q: Are there other types of software on my electronic health information computing equipment that are not needed to sustain my health IT environment (e.g., a music file sharing program), which could put my health IT environment at risk?
A: There is no limitation on other software installed on the client machine.

Q: Is my EHR certified to address industry recognized/best-practice security requirements?
A: PrognoCIS is ONC-ATCB certified for security requirements.

Q: Are my health IT applications installed properly, and are the vendor recommended security controls enabled (e.g., computers, inactivity timeouts)?
A: PrognoCIS can work on any computer with an internet connection. No other applications are required.

Q: Is my health IT computing environment up to date with the most recent security updates and patches?
A: The clinic has to periodically apply security updates on clinic devices.

Q: Have I configured my EHR application to require my employees to be authenticated (e.g., username/password) before gaining access to the EHR? And have I set their access privileges to electronic health information correctly?
A: The clinic has to make sure that an authorized Administrator provides role/access rights for each user in the clinic.

Q: If I have or plan to establish a patient portal, do I have the proper security controls in place to authenticate the patient (e.g., username/password) before granting access to the portal and the patient's electronic health information? Does the portal's security reflect industry best practices?
A: Patients are provided a user name and password to log in to the Patient Portal, and only an authenticated user can access the PHI.

Q: If I have or plan to set up a wireless network, do I have the proper security controls defined and enabled (e.g., known access points, data encryption)?
A: A secure wireless connection should be used to access the EHR.

Q: Have I enabled the appropriate audit controls within my health IT environment to be alerted of a potential security incident, or to examine security incidents that have occurred?
A: The clinic has to do a periodic review of the audit log to confirm the security of PHI data.

I verify that all of the items checked above have been completed:
Name:
Date:
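Several items above (under Risk Analysis with EHR and Identifying Technical Safeguards) state that scanned documents and received faxes saved on a local machine must be deleted once uploaded to the web EHR, and that the clinic has to define a process to make sure no PHI remains local. The following Python script is an added example, not part of the original document or of PrognoCIS, of one concrete check for that process: it lists document files in the scan and fax folders that are older than a grace period and therefore should already have been uploaded and deleted. The folder layout, the document file types, the one-day grace period and the sample files it builds in a temporary directory are all constructed assumptions.

```python
"""Find scanned documents and faxes left on a local machine after upload.

Added example, not PrognoCIS code. The grace period, file types and sample
folder are assumptions constructed for this illustration.
"""
import os
import tempfile
import time
from pathlib import Path

# Assumption: anything older than one day should already have been uploaded
# to the web EHR and deleted from the local machine.
GRACE_SECONDS = 24 * 3600

# Assumption: the file types the clinic's scanner and fax software produce.
DOC_SUFFIXES = {".pdf", ".tif", ".tiff", ".jpg", ".png"}


def stale_documents(folder, now=None, grace=GRACE_SECONDS):
    """Return document files under `folder` whose last modification is older than `grace` seconds."""
    now = time.time() if now is None else now
    stale = []
    for path in Path(folder).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in DOC_SUFFIXES:
            continue
        if now - path.stat().st_mtime > grace:
            stale.append(path)
    return sorted(stale)


def make_sample_folder():
    """Build a temporary scan folder with one fresh scan and one week-old fax (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="scans_"))
    fresh = root / "scan_today.pdf"
    old_fax = root / "fax" / "fax_lastweek.tif"
    old_fax.parent.mkdir()
    fresh.write_bytes(b"%PDF-1.4 sample scan")
    old_fax.write_bytes(b"II*\x00 sample fax")
    week_ago = time.time() - 7 * 24 * 3600
    os.utime(old_fax, (week_ago, week_ago))  # backdate so it counts as stale
    return root


if __name__ == "__main__":
    folder = make_sample_folder()
    for path in stale_documents(folder):
        print("still on local disk after the upload grace period:", path)
```

Run against the real scan and fax folders (instead of the constructed sample), the report gives the clinic a documented, repeatable way to confirm the "delete once uploaded" rule is being followed; the files it lists are the ones to verify in the EHR and then remove.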