Meaningful Use: Security Risk Assessments Nathan Gibson, CISA, CISSP Agenda Meaningful Use RA Guidance RA Tools Risk Assessment Prioritizing Risks Attesting Summary Meaningful Use Core Objective – Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities Measure – Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. HIPAA Security Rule 45 CFR 164.308(a)(1) – – – – Risk Analysis Risk Management Sanction Policy Information System Activity Review Risk Analysis – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. RA Guidance OCR – HIPAA Security Standards: Guidance on Risk Analysis – http://www.hhs.gov/ocr/privacy/hipaa/administra tive/securityrule/radraftguidance.pdf NIST – NIST 800-66: HIPAA Security Rule Guidance – NIST 800-30: Risk Management RA Process Scope the Assessment Gather Information Identify Realistic Threats Identify Potential Vulnerabilities Assess Current Security Controls Determine the Likelihood and Impact Determine the Level of Risk Recommend Security Controls Document the Risk Assessment Results NIST SP 800-30 RA Tool ONC Security Risk Assessment Questionnaire – Excel spreadsheet – Follows NIST guidance (800-30 & 800-66) – People/Processes and Technology (upcoming slide) REC Version – – – – Practice Summary tab Simplifies the process Additional guidance Risk management RA Tool TVS### Threat-Vulnerability Statement (TVS) – – – – Risk Assessment Tool (ONC & REC versions) Information Security Policy Template EHR Security Assessment Privacy and Security Checklist (HIPAA/HITECH) RA Tool People and Processes vs. Technology Encryption (TVS012) – People/Processes (2a) • Policies and procedures for how PHI is protected during electronic messaging with third parties. – Technology (2b) • Technology used when protecting and monitoring PHI. There could also be vulnerabilities within that technology which need to be assessed. DRP & Backups (TVS026) – People/Processes (2a) • DR Planning including notification lists, evacuation plans, and business continuity • Also includes processes associated with technology DR. ie. You have backups, but what are you going to do with those backups in the event of a disaster? – Technology (2b) • How are you performing backups? Onsite vs. offsite? Are they encrypted? Risk Assessment Closer look… Prioritizing Risks Risk Rating Risk Likelihood – Risk Impact – How likely an 'Undesirable Event', such as power outage or fire, are to occur to the medical practice. In the event that an 'Undesirable Event' such as a power outage, fire, or lost backup tape occurs, what is the level of impact to the practice? Contributing Factors – – – – Patient & Employee Safety Number of Patient Records • Backup Tapes • USB Thumb drives • Laptops State & Federal Regulatory Requirements • HIPAA • Breach Notification Ability to See Patients (conduct business) Attesting Risk assessment – Prior to or during the 90-day reporting period – Must be of the certified EHR technology – Yearly updates (minimum) When to attest – Conducted your security risk assessment – Corrected any identified deficiencies ONC Guide to Privacy and Security of Health Information http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf Summary REC Version of the Security Risk Assessment tool People/Processes and Technology PHI stored & transmitted Accept, Transfer or Mitigate risk – Reasonable and appropriate Document, document, document! – Security Rule Requirement (45 CFR 164.316(b)) Information Security Policy Template – Formally adopt within the practice Have a question, comment, or suggestion? Contact Nathan Gibson at: ngibson@wvmi.org 304-346-9864 ext. 2236