Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Risk Assessment

advertisement 
Meaningful Use:
Security Risk Assessments
Nathan Gibson, CISA, CISSP
Agenda







Meaningful Use
RA Guidance
RA Tools
Risk Assessment
Prioritizing Risks
Attesting
Summary
Meaningful Use
 Core Objective
– Protect electronic health information created or maintained by
the certified EHR technology through the implementation of
appropriate technical capabilities
 Measure
– Conduct or review a security risk analysis in accordance with
the requirements under 45 CFR 164.308(a)(1) and implement
security updates as necessary and correct identified security
deficiencies as part of its risk management process.
HIPAA Security Rule
 45 CFR 164.308(a)(1)
–
–
–
–
Risk Analysis
Risk Management
Sanction Policy
Information System Activity Review
 Risk Analysis
– Conduct an accurate and thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity, and availability of electronic
protected health information held by the covered entity.
RA Guidance
 OCR
– HIPAA Security Standards: Guidance on Risk Analysis
– http://www.hhs.gov/ocr/privacy/hipaa/administra
tive/securityrule/radraftguidance.pdf
 NIST
– NIST 800-66: HIPAA Security Rule Guidance
– NIST 800-30: Risk Management
RA Process









Scope the Assessment
Gather Information
Identify Realistic Threats
Identify Potential Vulnerabilities
Assess Current Security Controls
Determine the Likelihood and Impact
Determine the Level of Risk
Recommend Security Controls
Document the Risk Assessment Results
NIST SP 800-30
RA Tool
 ONC Security Risk Assessment Questionnaire
– Excel spreadsheet
– Follows NIST guidance (800-30 & 800-66)
– People/Processes and Technology (upcoming slide)
 REC Version
–
–
–
–
Practice Summary tab
Simplifies the process
Additional guidance
Risk management
RA Tool
TVS###
 Threat-Vulnerability Statement (TVS)
–
–
–
–
Risk Assessment Tool (ONC & REC versions)
Information Security Policy Template
EHR Security Assessment
Privacy and Security Checklist (HIPAA/HITECH)
RA Tool
People and Processes vs. Technology

Encryption (TVS012)
– People/Processes (2a)
• Policies and procedures for how PHI is protected during electronic messaging
with third parties.
– Technology (2b)
• Technology used when protecting and monitoring PHI. There could also be
vulnerabilities within that technology which need to be assessed.

DRP & Backups (TVS026)
– People/Processes (2a)
• DR Planning including notification lists, evacuation plans, and business
continuity
• Also includes processes associated with technology DR. ie. You have
backups, but what are you going to do with those backups in the event of
a disaster?
– Technology (2b)
• How are you performing backups? Onsite vs. offsite? Are they encrypted?
Risk Assessment
 Closer look…
Prioritizing Risks
Risk Rating
 Risk Likelihood
–

Risk Impact
–

How likely an 'Undesirable Event', such as power
outage or fire, are to occur to the medical practice.
In the event that an 'Undesirable Event' such as a
power outage, fire, or lost backup tape occurs, what
is the level of impact to the practice?
Contributing Factors
–
–
–
–
Patient & Employee Safety
Number of Patient Records
• Backup Tapes
• USB Thumb drives
• Laptops
State & Federal Regulatory Requirements
• HIPAA
• Breach Notification
Ability to See Patients (conduct business)
Attesting
 Risk assessment
– Prior to or during the 90-day reporting period
– Must be of the certified EHR technology
– Yearly updates (minimum)
 When to attest
– Conducted your security risk assessment
– Corrected any identified deficiencies
ONC Guide to Privacy and Security of Health Information
http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
Summary




REC Version of the Security Risk Assessment tool
People/Processes and Technology
PHI stored & transmitted
Accept, Transfer or Mitigate risk
– Reasonable and appropriate
 Document, document, document!
– Security Rule Requirement (45 CFR 164.316(b))
 Information Security Policy Template
– Formally adopt within the practice
Have a question, comment, or suggestion?
Contact Nathan Gibson at:
ngibson@wvmi.org
304-346-9864 ext. 2236
Related documents
Section 3 Directives & Best Practices
Section 3 Directives & Best Practices
HIPAA 2013 Compliance Checklist
HIPAA 2013 Compliance Checklist
“You have the Right”
“You have the Right”
Presentation Slides
Presentation Slides
Understanding HIPAA Compliance
Understanding HIPAA Compliance
NDPPS Template Guide - Global Health Care, LLC
NDPPS Template Guide - Global Health Care, LLC
marks_pre
marks_pre
HIPAA & State Confidentiality Provisions for PHI (40k doc)
HIPAA & State Confidentiality Provisions for PHI (40k doc)
NIST 800-30 Risk Assessment Steps
NIST 800-30 Risk Assessment Steps
Privacy, Security, and Your Practice: HIPAA Refresher
Privacy, Security, and Your Practice: HIPAA Refresher
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT
HIPAA Steering Committee - East Carolina University
HIPAA Steering Committee - East Carolina University
Confidentiality Policy - Indiana University Kokomo
Confidentiality Policy - Indiana University Kokomo
HIPAA Factsheet
HIPAA Factsheet
HIPAA Annual Training
HIPAA Annual Training
Module 9-Confidentiality & HIPAA
Module 9-Confidentiality & HIPAA
Emergency Department FAQs
Emergency Department FAQs
Security of Health Information
Security of Health Information
A Guide to Compliant Data Management
A Guide to Compliant Data Management
POP QUIZ!!
POP QUIZ!!
Principles and Practice of Information Security
Principles and Practice of Information Security
HIPAA Gap Assessment/Risk Analysis
HIPAA Gap Assessment/Risk Analysis
Download
advertisement