AT&T Security Consulting
Risk Analysis for Meaningful Use
© 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

Meaningful Use Overview: Vision & Goals
Vision
• Enable improvements in population health through a transformed health care delivery system
Goals
• Quality, safety and efficiency
• Engaging patients and their families
• Care coordination
• Population and public health
• Privacy and security protections

Meaningful Use Security and Privacy Objectives
• Provide and monitor privacy and security protection of confidential protected health information (PHI) through operating policies, procedures and technologies
• Respect applicable federal and state laws and regulations
• Provide transparency of data sharing to patients
• … disruption of clinical and administrative processes
Measures
• Governance model
• Security program components / regulatory requirements (HIPAA Privacy and Security Rules, breach notification laws, HITECH, Red Flags Rule, state laws)
• Risk assessment and mitigation processes
• Security program evaluation
• Risk assessment and risk management
• Privacy and security awareness and training
• Incident reporting and response
• Accounting of disclosures
Best Practices for Achieving the Goal of Meaningful Use
• Review existing governance of the privacy and security programs
• Help implement security governance processes
• Include privacy and security as primary components of the organization's strategic planning process
• Enhance internal controls for compliance with privacy and security requirements (HIPAA and other federal and state regulations)
• Conduct regular evaluations and audits of compliance with HIPAA and with the new requirements introduced by HITECH (e.g., breach notification, accounting of disclosures, sale of PHI, use of PHI for marketing and fundraising). Understand the gaps and prioritize improvement efforts.
• Develop an ongoing, documented process for evaluating the privacy and security programs. This is not a one-time exercise but a regular, recurring assessment that accounts for changes in the environment and in regulatory requirements.
• Include privacy and security risk assessment in the enterprise-wide risk assessment and management (EWRA) process
• Develop new and enhanced privacy and security training for management, the board, staff and everyone else considered part of the organization's workforce (e.g., medical students, residents, fellows, volunteers, contractors)

Meeting New Requirements for Privacy/Security: EHR-Enabled Process
HITECH Privacy and Security
2011
• Comply with HIPAA and the HITECH Act
• Comply with the Nationwide Privacy and Security Framework
• Conduct a security risk assessment
2013
• Provide summarized or de-identified information when reporting health data for external use, to minimize privacy risk
• Implement security updates as necessary
2015
• Upon patient request, provide an accounting of PHI disclosures for treatment, payment and health care operations
• Incorporate and use technology to segment sensitive data

Meeting New Requirements for Privacy/Security: What Is Involved
• More than a decade after the passage of HIPAA:
 – There are nearly weekly news reports of lax security practices involving sensitive patient information
 – These constant reminders tell the public and regulators that more protection is needed
• Hospitals still struggle to maintain information security and privacy programs that are in compliance
• HITECH raises the bar on expectations: the Nationwide Privacy and Security Framework
• The recent consolidation of responsibility for privacy and security enforcement in one agency (the HHS Office for Civil Rights, OCR) could lead to stepped-up enforcement of compliance
Common HIPAA Violations Found in Compliance Audits in 2008
• HIPAA Security policies and procedures
• Business associate agreements
• Encryption of ePHI on mobile devices
• HIPAA Security training
Source: http://www.cms.hhs.gov/Enforcement/Downloads/HIPAAComplianceReviewSumtopost508.pdf
Meeting New Requirements for Privacy/Security: Getting There
• Conduct a security risk assessment, then develop and implement a remediation plan as soon as possible
 – Follow all CMS recommendations and requirements
 – Include elements of the Nationwide Privacy and Security Framework
 – Cover all new systems, system upgrades and physical relocations of IT assets undertaken for meaningful use
 – Lax practices are typically a bigger threat than hackers
• Do not wait until 2015 to move data off the desktop and to incorporate encryption into data management
 – More patient data online means more responsibility to ramp up the protections that technology can afford
 – Incorporate encryption as part of the meaningful use roll-out
 – Encryption is critical to device selection and to the user transition
• HITECH encourages hospitals to participate in health information exchange (HIE) of patient data
 – Your responsibility travels with your data after it crosses your corporate boundaries

AT&T Security Consulting Meaningful Use Risk Assessments
Process diagram (phases and their components):
Information Gathering
• Project Initiation
• Discovery: staff interviews and documentation review
• Business Drivers
• Governance, Policy, Management and Risk Tolerance
• Information and Technology Environment
• Regulatory Requirements
• Security and Privacy Requirements
• ePHI Mapping and Supporting Business Processes
Review & Analyses
• Objectives and Controls
• Risk / Gap Analysis
• Technical Vulnerability Testing / Results
Reporting
• Assessment Report
• Management Presentation

Assessment Scope
Two types of assessment scope:
• Full HIPAA / HITECH / EHR risk assessment
 – Recommended for organizations that have not recently conducted a risk assessment of the enterprise (or of the areas of the organization that are in scope)
 – Larger in scope than the EHR risk analysis; cost depends on the maturity of the information security program
 – Based on the HIPAA, HITECH and Meaningful Use security requirements
• Risk assessment limited to the implementation of the EHR
 – Recommended for organizations that consistently conduct enterprise HIPAA risk assessments
 – Assessment environment limited in scope
 – Focused on the EHR Meaningful Use risk analysis requirements and on the management controls needed to check not only that the specific controls are implemented at a risk level acceptable to the organization, but that they are assessed and treated continually

Risk Analysis Methodology
Flow diagram: Threat Assessment → Exposure Identification → Vulnerability Determination → Risk Determination
• Threat Assessment: Threats-From Determination and Threats-To Determination; output: Threats
• Exposure Identification; output: Exposures
• Vulnerability Determination: General IT Control Determination; outputs: Likelihood, Likely Attacks & Attack Vectors
• Risk Determination: combines Threats, Exposures and Likelihood
Risk Analysis Methodology (NIST-based threat model)
Preparation (getting organized)
• Identify Business Objectives
• Understand Business Operations
• Determine Scope
• Develop Methodology
Asset Identification (gathering and analyzing data)
• Identify Assets
• Categorize Assets
• Asset Subgroups
 Output: Asset List
Threat Assessment (gathering and analyzing data)
• Identify Threats
• Assess Likelihood
• Assess Impact
• Assign Threat Values
 Output: Prioritized Threat List
Risk Assessment (gathering and analyzing data)
• Identify Expected Safeguards
• Assess Existing Safeguards
• Determine Control Gaps
 Output: Control Gaps
Recommendation (communicating findings and recommendations)
• Identify Unacceptable Risks
• Identify Mitigating Controls
• Assess Projected Risk
• Identify Remediation Projects
• Compute Residual Risk
 Outputs: Prioritized List of Residual Risks, Roadmap

HIPAA / HITECH / Meaningful Use Risk Assessment
Value
• Incorporates Meaningful Use requirements into the overall HIPAA risk assessment
• Provides an enterprise view of the risk associated with the security and privacy of PHI
Scope
• Includes HIPAA / HITECH / EHR Meaningful Use
• Provides enterprise coverage and sampling of facilities that store, process and transmit PHI
• Yields the AT&T SureSeal certification letter
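Worked example, added here and not part of AT&T's methodology or tooling: a small risk-scoring routine that walks the Threat Assessment, Risk Assessment and Recommendation columns above (assess likelihood and impact, credit existing safeguards, list control gaps, compute residual and projected risk, rank and flag unacceptable risks). The 1-5 scales, the likelihood × impact formula with independent safeguard reductions, the tolerance value and the sample threats are all assumptions in the style of NIST SP 800-30; the slide names the steps but states no formula.

```python
"""Risk scoring for a HIPAA / Meaningful Use risk analysis.

Added example, not AT&T's methodology or tooling. The 1-5 scales and the
formula are assumptions in the style of NIST SP 800-30 (risk = likelihood x
impact, reduced by the effectiveness of safeguards actually in place); the
slide names the steps but states no formula. Sample data is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Safeguard:
    name: str
    expected: bool        # required by policy or a Meaningful Use objective
    implemented: bool     # actually in place today
    effectiveness: float  # fraction of risk removed when implemented, 0.0-1.0


@dataclass
class Threat:
    asset: str
    description: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assessed before safeguards
    impact: int      # 1 (negligible) .. 5 (severe), e.g. a reportable ePHI breach
    safeguards: list = field(default_factory=list)


def inherent_risk(t: Threat) -> int:
    """Risk before any safeguard is credited (1..25)."""
    return t.likelihood * t.impact


def control_gaps(t: Threat) -> list:
    """Expected safeguards that are not implemented: the gap list for the roadmap."""
    return [s.name for s in t.safeguards if s.expected and not s.implemented]


def _reduction(safeguards, credit) -> float:
    # Safeguards are treated as independent: each leaves (1 - effectiveness) of the risk.
    factor = 1.0
    for s in safeguards:
        if credit(s):
            factor *= 1.0 - s.effectiveness
    return factor


def residual_risk(t: Threat) -> float:
    """Risk given only the safeguards that exist today."""
    return round(inherent_risk(t) * _reduction(t.safeguards, lambda s: s.implemented), 2)


def projected_risk(t: Threat) -> float:
    """Risk if every expected safeguard were implemented (all gaps closed)."""
    return round(inherent_risk(t) * _reduction(t.safeguards, lambda s: s.implemented or s.expected), 2)


def prioritize(threats):
    """Threats ordered by residual risk, highest first."""
    return sorted(threats, key=residual_risk, reverse=True)


def unacceptable(threats, tolerance: float):
    """Descriptions of threats whose residual risk exceeds the organization's tolerance."""
    return [t.description for t in prioritize(threats) if residual_risk(t) > tolerance]


def sample_threats():
    """Constructed sample data for a small hospital EHR rollout (not real findings)."""
    return [
        Threat("Clinician laptops", "Loss or theft of a laptop holding ePHI", 4, 5, [
            Safeguard("Full-disk encryption", expected=True, implemented=False, effectiveness=0.9),
            Safeguard("Device inventory and remote wipe", expected=True, implemented=True, effectiveness=0.2),
        ]),
        Threat("EHR application server", "Workforce member views records without a need to know", 3, 4, [
            Safeguard("Role-based access control", expected=True, implemented=True, effectiveness=0.5),
            Safeguard("Automatic log-off", expected=True, implemented=True, effectiveness=0.3),
            Safeguard("Audit log review", expected=True, implemented=False, effectiveness=0.4),
        ]),
        Threat("Business partner connection", "ePHI intercepted in transit to a claims processor", 2, 4, [
            Safeguard("TLS on the partner link", expected=True, implemented=True, effectiveness=0.9),
        ]),
    ]


if __name__ == "__main__":
    threats = sample_threats()
    for t in prioritize(threats):
        print(f"{residual_risk(t):5.2f} -> {projected_risk(t):5.2f}  {t.asset}: {t.description}")
        for gap in control_gaps(t):
            print(f"        gap: {gap}")
    print("Above tolerance (6):", unacceptable(threats, 6))
```

Run as a script, the unencrypted laptop ranks first (residual 16.0 of 20, falling to 1.6 once encryption is in place), which matches the slide's point that encryption of ePHI on mobile devices is both a common audit finding and a cheap risk reduction; the numbers only mean anything relative to the organization's stated risk tolerance.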
Scope and Pricing Considerations
Scoping factors
• Type of organization (e.g., health plan, medical facility/hospital, pharmacy, third-party processor) and its size (e.g., hospitals can be measured by number of beds)
• Geographical factors: single state, multi-state, offshore
• System factors
 – Quantity and types of devices, systems and applications that store, process or transmit PHI
 – Additional risk factors, such as whether in-scope systems are Internet-accessible or accessible by third parties, whether business partner connections exist, and whether mobile devices are used in the environment
• Security program maturity

Meaningful Use Risk Analysis Requirement
• Conduct or review a security risk analysis, remediate identified risks as appropriate, and continually improve controls
Specific requirements around:
• Access Control
• Emergency Access
• Automatic Log-off
• Audit Log
• Integrity
• Authentication
• Encryption
• Accounting of Disclosures
AT&T Consulting includes additional management controls.

AT&T SureSeal℠ Certification Letter and Logo
Certification letter
This one-page summary report presents the scope of AT&T Consulting's risk analysis testing and the summary findings in a form that can be shared with third parties.
Logo
On certification you are granted use of the AT&T SureSeal℠ logo on your website for a one-year period.

Sample Certification: Customer Logo Display
You can display the logo on your website and other official materials for a one-year period.