AT&T Security Consulting
Risk Analysis for Meaningful Use
© 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.
Meaningful Use Overview
Vision & Goals
Vision
• Enable improvements in population health through a transformed health care delivery system
Goals
• Quality, safety and efficiency
• Engaging patients and their families
• Care coordination
• Population and public health
• Privacy and security protections
Meaningful Use Security and Privacy
Objectives
• Provide and monitor privacy and security protection of confidential protected health information through operating policies, procedures and technologies
• Respect applicable federal and state laws and regulations
• Provide transparency of data sharing to patients without disruption of clinical and administrative processes
Measures
• Governance Model
• Security program components/regulatory requirements (HIPAA Privacy and Security, Breach Notification Laws, HITECH, Red Flags Rule, State laws)
• Risk Assessment and Mitigation Processes
• Security Program Evaluation
• Risk Assessment and Risk Management
• Privacy and Security Awareness and Training
• Incident Reporting and Response
• Accounting of Disclosures
Best Practices for Achieving the Goal of Meaningful Use
• Review existing governance of privacy and security programs
• Help implement security governance processes
• Include privacy and security as primary components of the organization’s strategic planning process
• Enhance internal controls for compliance with privacy and security requirements (HIPAA and other federal and state regulations)
• Conduct regular evaluations and audits of compliance with HIPAA and new requirements included in HITECH (e.g., breach notification, accounting of disclosures, sale of PHI for marketing and fundraising). Understand the gaps and prioritize improvement efforts.
• Develop an ongoing and documented process for evaluating the privacy and security programs. This is not a one-time process, but rather a regular recurring assessment to consider changes in the environment and regulatory requirements.
• Include privacy and security risk assessment in the enterprise-wide risk assessment and management (EWRA) processes
• Develop new and enhanced training programs in privacy and security for management, board, staff and all those considered to be part of the organization’s workforce (e.g., medical students, residents, fellows, volunteers, contractors).
Meeting New Requirements for Privacy/Security
EHR-Enabled Process: HITECH Privacy and Security
2011
• Comply with HIPAA and HITECH Act
• Comply with National Privacy and Security Framework
• Conduct a security risk assessment
2013
• Provide summarized or de-identified information when reporting health data for external use to minimize privacy risk
• Implement security updates as necessary
2015
• Upon patient request, provide an accounting of PHI disclosures for treatment, payment and healthcare operations
• Incorporate and utilize technology to segment sensitive data
Meeting New Requirements for Privacy/Security
What is Involved
• Despite 10 years since the passage of HIPAA:
– Nearly weekly news reports of lax security practices involving sensitive patient information
– The public and regulators receive these constant reminders that more protection is needed
• Hospitals still struggle to maintain information security and privacy programs that are in compliance
• HITECH raises the bar on expectations: the National Privacy and Security Framework
Common HIPAA Violations Found in Compliance Audits in 2008
• HIPAA Security Policies and Procedures
• Business Associate Agreements
• Encryption of ePHI on mobile devices
• HIPAA Security Training
http://www.cms.hhs.gov/Enforcement/Downloads/HIPAAComplianceReviewSumtopost508.pdf
• The recent consolidation of responsibility for privacy and security in one agency (the Office of Civil Rights) could lead to stepped up enforcement of compliance
Meeting New Requirements for Privacy/Security
Getting There
• Conduct a security risk assessment and develop and implement a remediation plan ASAP
– Follow all CMS recommendations/requirements
– Include elements of the National Privacy and Security Framework
– Cover all of the new systems, system upgrades and physical relocations of IT assets for meaningful use
– Lax practices are typically a bigger threat than hackers
• Do not wait until 2015 to move data from the desktop and incorporate encryption in data management
– More patient data online = more responsibility to ramp up the protections that technology can afford
– Incorporate as part of the roll-out for meaningful use
– Critical for device selection and the user transition
• HITECH encourages hospitals to participate in HIE of patient data
– Your responsibility travels with your data after it crosses your corporate boundaries
AT&T Security Consulting Meaningful Use Risk Assessments
Process diagram: three phases with their activities and work products
• Information Gathering: Project Initiation; Discovery; Business Drivers; Security & Privacy Requirements; Regulatory Requirements; Information & Technology Environment
• Review & Analyses: Staff Interviews & Documentation Review; Governance, Policy, Management & Risk Tolerance; ePHI Mapping & Supporting Business Processes; Objectives & Controls; Technical Vulnerability Testing / Results; Risk / Gap Analysis
• Reporting: Assessment Report; Management Presentation
Assessment Scope
Two types of assessment scope
• Full HIPAA / HITECH / EHR Risk Assessment
– Recommended for organizations that have not recently conducted an enterprise risk assessment (or one covering the areas of the organization that are in scope)
– Larger in scope than the EHR risk analysis; cost is dependent on the maturity of the information security program
– Based upon the HIPAA, HITECH and Meaningful Use security requirements
• Risk assessment limited to the implementation of the EHR
– Recommended for organizations that consistently conduct enterprise HIPAA risk assessments
– Assessment environment limited in scope
– Focused on the EHR Meaningful Use Risk Analysis requirements and appropriate management controls, to check not only that the specific controls are implemented at a risk level acceptable to the organization, but that the controls are assessed and treated continually
Risk Analysis Methodology
Diagram: threats and exposures feed the risk determination
• Threat Assessment: Threats-From Determination; Threats-To Determination; Likely Attacks & Attack Vectors → Threats
• Exposure Identification: Vulnerability Determination; General IT Control Determination → Exposures
• Risk Determination: Threats + Exposures + Likelihood → Risk
Risk Analysis Methodology
Diagram: five phases in three stages, with the work product of each phase
Getting Organized
• Preparation: Identify Business Objectives; Understand Business Operations; Determine Scope; Develop Methodology → NIST Based Threat Model
• Asset Identification: Identify Assets; Categorize Assets; Asset Subgroups → Asset List
Gathering and Analyzing Data
• Threat Assessment: Identify Threats; Assess Likelihood; Assess Impact; Assign Threat Values → Prioritized Threat List
• Risk Assessment: Identify Expected Safeguards; Assess Existing Safeguards; Determine Control Gaps → Control Gaps
Communicating Findings and Recommendations
• Recommendation: Identify Unacceptable Risks; Identify Mitigating Controls; Assess Projected Risk; Identify Remediation Projects; Compute Residual Risk → Prioritized List of Residual Risks; Roadmap
HIPAA / HITECH / Meaningful Use Risk Assessment
Value
• Incorporates Meaningful Use requirements into overall HIPAA Risk Assessment
• Provides an enterprise view of risk associated with the security and privacy of PHI
Scope
• Includes HIPAA / HITECH / EHR Meaningful Use
• Provides enterprise coverage and sampling of facilities that store, process and transmit PHI
• Gains the SureSeal certification letter
Scope and Pricing Considerations
Scoping Factors
• Type (e.g., Health Plan, Medical Facility/Hospital, Pharmacy, Third Party Processor) and size of the organization (e.g., hospitals can be measured by number of beds)
• Geographical Factors
– State, Multi-state, Offshore
• System Factors
– Quantity and types of devices, systems and applications that store, process or transmit PHI
– Additional risk factors, such as whether the in-scope systems are Internet-accessible or accessible by third parties, and whether business partner connections and mobile devices are used in the environment
• Security Program Maturity
Meaningful Use Risk Analysis
Requirement
• Conduct or review a security risk analysis, remediate identified risks, as appropriate, and continually improve controls
Specific Requirements around:
• Access Control
• Emergency Access
• Automatic Log-off
• Audit Log
• Integrity
• Authentication
• Encryption
• Accounting of Disclosures
AT&T Consulting includes additional management controls
AT&T SureSeal℠ Certification Letter and Logo
Certification Letter
This one-page summary report will present the AT&T Consulting test scope of the risk analysis and summary findings in a manner that can be presented to third parties.
Logo
You will be granted certification and will be given the use of the AT&T SureSeal℠ logo to be used on your website for a one-year period.
Sample Certification Customer Logo Display
You can display the logo on your website and other official materials for a one-year period.