
Meaningful Use: Security Risk Assessments






Presentation Transcript


  1. Meaningful Use: Security Risk Assessments Nathan Gibson, CISA, CISSP

  2. Agenda
  • Meaningful Use
  • RA Guidance
  • RA Tools
  • Risk Assessment
  • Prioritizing Risks
  • Attesting
  • Summary

  3. Meaningful Use
  • Core Objective
    • Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
  • Measure
    • Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

  4. HIPAA Security Rule
  • 45 CFR 164.308(a)(1)
    • Risk Analysis
    • Risk Management
    • Sanction Policy
    • Information System Activity Review
  • Risk Analysis
    • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

  5. RA Guidance
  • OCR
    • HIPAA Security Standards: Guidance on Risk Analysis
    • http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/radraftguidance.pdf
  • NIST
    • NIST 800-66: HIPAA Security Rule Guidance
    • NIST 800-30: Risk Management

  6. RA Process
  • Scope the Assessment
  • Gather Information
  • Identify Realistic Threats
  • Identify Potential Vulnerabilities
  • Assess Current Security Controls
  • Determine the Likelihood and Impact
  • Determine the Level of Risk
  • Recommend Security Controls
  • Document the Risk Assessment Results
  (Source: NIST SP 800-30)

  7. RA Tool
  • ONC Security Risk Assessment Questionnaire
    • Excel spreadsheet
    • Follows NIST guidance (800-30 & 800-66)
    • People/Processes and Technology (upcoming slide)
  • REC Version
    • Practice Summary tab
    • Simplifies the process
    • Additional guidance
    • Risk management

  8. RA Tool: TVS###
  • Threat-Vulnerability Statement (TVS)
  • Risk Assessment Tool (ONC & REC versions)
  • Information Security Policy Template
  • EHR Security Assessment
  • Privacy and Security Checklist (HIPAA/HITECH)

  9. RA Tool: People and Processes vs. Technology
  • Encryption (TVS012)
    • People/Processes (2a)
      • Policies and procedures for how PHI is protected during electronic messaging with third parties.
    • Technology (2b)
      • Technology used when protecting and monitoring PHI. There could also be vulnerabilities within that technology which need to be assessed.
  • DRP & Backups (TVS026)
    • People/Processes (2a)
      • DR planning, including notification lists, evacuation plans, and business continuity.
      • Also includes processes associated with technology DR, i.e. you have backups, but what are you going to do with those backups in the event of a disaster?
    • Technology (2b)
      • How are you performing backups? Onsite vs. offsite? Are they encrypted?

  10. Risk Assessment • Closer look…

  11. Prioritizing Risks
  • Risk Rating
    • Risk Likelihood: How likely an 'Undesirable Event', such as a power outage or fire, is to occur to the medical practice.
    • Risk Impact: In the event that an 'Undesirable Event' such as a power outage, fire, or lost backup tape occurs, what is the level of impact to the practice?
  • Contributing Factors
    • Patient & Employee Safety
    • Number of Patient Records
      • Backup Tapes
      • USB Thumb drives
      • Laptops
    • State & Federal Regulatory Requirements
      • HIPAA Breach Notification
    • Ability to See Patients (conduct business)
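Slides 6, 9 and 11 describe rating each Threat-Vulnerability Statement by likelihood and impact and documenting the result. The following is an added example, not part of the deck or of the ONC tool: it applies the qualitative likelihood/impact matrix from NIST SP 800-30 (the guidance the deck cites) to TVS items split into 2a/2b findings and returns a register sorted highest risk first. The TVS numbers and titles are from the slides; the findings and ratings are constructed sample values.

```python
from dataclasses import dataclass

# Qualitative scales and bands taken from the NIST SP 800-30 (2002) risk-level matrix,
# the guidance the deck cites: risk = likelihood weight x impact magnitude.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}

@dataclass
class TVS:
    """One Threat-Vulnerability Statement, split like the ONC tool into 2a/2b findings."""
    tvs_id: str
    title: str
    people_processes: str   # 2a: policy or procedure gap
    technology: str         # 2b: technical control gap
    likelihood: str         # Low / Medium / High
    impact: str             # Low / Medium / High
    contributing_factors: tuple = ()

def risk_score(likelihood: str, impact: str) -> float:
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_level(score: float) -> str:
    """SP 800-30 bands: above 50 is High, above 10 is Medium, otherwise Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"

def risk_register(statements: list) -> list:
    """Rate every TVS and return register rows sorted highest risk first."""
    rows = [{"tvs_id": s.tvs_id, "title": s.title,
             "score": risk_score(s.likelihood, s.impact),
             "level": risk_level(risk_score(s.likelihood, s.impact)),
             "gap_2a": s.people_processes, "gap_2b": s.technology,
             "factors": list(s.contributing_factors)} for s in statements]
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample findings and ratings for two TVS items the slides name.
SAMPLE_TVS = [
    TVS("TVS012", "Encryption",
        "No written procedure for PHI sent to third parties by electronic messaging",
        "Messages containing PHI leave the practice unencrypted",
        "Medium", "High", ("Number of patient records", "HIPAA Breach Notification")),
    TVS("TVS026", "DRP & Backups",
        "Notification list and continuity steps for a disaster are not documented",
        "Backup tapes are stored onsite and are not encrypted",
        "High", "High", ("Backup tapes", "Ability to see patients")),
]
```

Each register row keeps the 2a and 2b findings and the contributing factors beside the rating, so the same structure serves as the documentation the Security Rule requires.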

  12. Attesting
  • Risk assessment
    • Prior to or during the 90-day reporting period
    • Must be of the certified EHR technology
    • Yearly updates (minimum)
  • When to attest
    • Conducted your security risk assessment
    • Corrected any identified deficiencies
  ONC Guide to Privacy and Security of Health Information: http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf

  13. Summary
  • REC Version of the Security Risk Assessment tool
    • People/Processes and Technology
    • PHI stored & transmitted
  • Accept, Transfer or Mitigate risk
    • Reasonable and appropriate
  • Document, document, document!
    • Security Rule Requirement (45 CFR 164.316(b))
  • Information Security Policy Template
    • Formally adopt within the practice

  14. Have a question, comment, or suggestion?
  • Contact Nathan Gibson at:
    • ngibson@wvmi.org
    • 304-346-9864 ext. 2236
