
Risk Assessment



Presentation Transcript


  1. Risk Assessment Robert Morris VP Business Services Ion IT Group, Inc www.IonITGroup.com

  2. Who I am: Robert Morris, VP of Business Services • 20 years healthcare experience • Sr. healthcare information technologist in engineering and applications • 18 years HIPAA security specialist • VP Innovation, TNHIMSS. Previously employed by • ONC/TNREC • Community Health Systems • Healthstation • IBM • Numerous ambulatory providers / CAHs

  3. Nashville

  4. Not my intent

  5. After our talk today you will be able to: 1. Confidently review your facility's Privacy & Security Risk Assessment 2. Help prepare your environment for data sharing 3. Use risk assessment tools

  6. (slide image only)

  7. Almost every provider has the goal of… • Improving the health status of our community • Reducing health care costs • Improving the patient experience • Enriching the lives of caregivers

  8. So how exactly do you actually become compliant with HIPAA, HITECH, Meaningful Use, Omnibus?

  9. News from HIMSS 2014

  10. In summary, what is…. • Established the Privacy and Security Rules for PHI. • Privacy: definition, use and disclosure of PHI, notice of rights, how you handle PHI. • Security: definitions; how you secure PHI physically, technically and organizationally; and the risk assessment.

  11. In summary, what is…. HITECH (Health Information Technology for Economic and Clinical Health Act) • It widened the scope of the Privacy and Security Rules • It increased legal liability • It provides/created more specific enforcement of certain parts of the rule: • Breach notification • Created the vehicle for state enforcement • Created the vehicle for financial penalties • Created mandatory penalties for “willful neglect”

  12. In summary, what is…. Meaningful Use and Risk Assessment. Objective: Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.

  13. In summary, what is…. Meaningful Use asks whether you're managing PHI by performing a risk assessment. OMNIBUS / HITECH / HIPAA

  14. Tools from HHS

  15. Tools from HHS

  16. We live in a complicated world…

  17. Healthcare Partner Services. Transitional: • Hospital Discharge • Skilled Care • Home Visits. Patient is Referred to Clinical Health Partner: • Hospital Discharge • Emergency Room Visit • Referred by physician • Patient self-referral. Ambulatory / Extended: • Long Term Care • Emergency Room • Wellness Coaching • Disease Management. Social Services: • “Life” Resources • “Family” Resources • Psychosocial Needs • Community Resources

  18. “Covered entities and business associates have the burden of proof to demonstrate that data is managed and protected.” Source: Ponemon Institute 3rd Annual Benchmark Study Data Survey 2012

  19. What they found was troubling: 1. Minimal Protection: A number of organizations lacked even rudimentary safeguards to protect their networks. 2. Poor Data Management: Many covered entities did not have a handle on where their data ‘lived.’ Some of it was in spreadsheets, some on individual workstations, and much of it was—as expected—in core clinical applications. 3. Lack of Oversight: Overall, the OCR discovered a general lack of monitoring and audit control. No one was minding the store, and breaches often went undetected.

  20. Recent penalties in the news

  21. How can a network breach happen? [Diagram labels: Internet, Firewall/Router/Switch (“nerd stuff”), Secure Network, PHI Host]

  22. Preparing for data sharing • Inpatient stay • Lab results • Billing • Care Transition • Surgical Centers • Business Associate • Hospice • Home Health • Ambulatory Care • Health Information Exchange • Referral • On and on and on…

  23. How to help your organization with compliance.

  24. Accounting for Disclosures • Always indicate why treatment, payment, or authorization information is being disclosed. • Minimum Necessary Rule: “…take reasonable steps to limit the use or disclosure of, and requests for, [PHI] to the minimum necessary to accomplish the intended purpose.”

  25. Tasks for the IT Dept • Role-Based Access: Manage who gets access to what. • Firewall Review: Make sure that communication with the outside world is secure. • Wireless Security: Manage who gets WiFi access, and whether it is secure. • Antivirus: Manage software to keep viruses and malware at bay. • Server/Workstation Updates: Make sure all software AND hardware gets appropriate updates to mitigate problems. Replace antiquated, non-supported hardware whenever possible. (No longer supported = no security updates.)
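The two slide points above, role-based access and the Minimum Necessary Rule with accounting for disclosures, as one added example that is not part of the presentation. The roles, permitted fields, purposes and the sample record are constructed assumptions for illustration, not any real system's policy.

```python
"""Minimum-necessary PHI disclosure with role-based access and an accounting log.
Added example; roles, fields, purposes and the sample record are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: which PHI fields each role may receive ...
ROLE_FIELDS = {
    "physician":  {"name", "dob", "diagnosis", "lab_results", "medications"},
    "billing":    {"name", "dob", "insurance_id", "procedure_codes"},
    "front_desk": {"name", "dob", "phone"},
}
# ... and for which purposes (treatment / payment) each role may disclose.
ROLE_PURPOSES = {
    "physician":  {"treatment"},
    "billing":    {"payment"},
    "front_desk": {"treatment", "payment"},
}


@dataclass
class DisclosureLog:
    """Accounting of disclosures: who received which fields, why, and when."""
    entries: list = field(default_factory=list)

    def record(self, user, role, patient_id, purpose, fields):
        self.entries.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient_id": patient_id,
            "purpose": purpose, "fields": sorted(fields),
        })


def disclose(record, user, role, purpose, log):
    """Return only the subset of `record` this role may see for this purpose,
    and log the disclosure. Unknown roles or disallowed purposes are refused."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"unknown role: {role}")
    if purpose not in ROLE_PURPOSES[role]:
        raise PermissionError(f"role {role} may not disclose for {purpose}")
    allowed = ROLE_FIELDS[role] & set(record)      # minimum necessary
    log.record(user, role, record["patient_id"], purpose, allowed)
    return {k: record[k] for k in allowed}


# Constructed sample PHI record used by the demo below.
SAMPLE_RECORD = {"patient_id": "P-001", "name": "Jane Doe", "dob": "1970-01-01",
                 "diagnosis": "J45.9", "insurance_id": "INS-42", "phone": "555-0100"}

if __name__ == "__main__":
    log = DisclosureLog()
    print(disclose(SAMPLE_RECORD, "u.billing", "billing", "payment", log))
    print(log.entries)
```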

  26. Tasks for the IT Dept • Backup: Keep a backup of all data. • Backup Encryption: Make backup data unreadable to snoopers. • Recovery: Have an operations and data recovery plan in case disaster strikes!

  27. Tasks for the IT Dept: the Heartbleed OpenSSL vulnerability is serious!

  28. For more information / additional resources: • Penalties and Enforcement: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html • Privacy and Security Guide from ONC: http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf • Breach Notification / Who do I notify?: http://ocrnotifications.hhs.gov/

  29. Thank you for your time today! Robert Morris, RMorris@IonITGroup.com, 615.351.4796
