privacy & security process and tools overview

Post on 22-Feb-2016


REC support is provided under cooperative agreement 90RC0025/01 from the Office of the National Coordinator for HIT, US Dept. of Health and Human Services


Scott C Pettigrew, Practice Consultant

Privacy & Security Process and Tools Overview


The Approach

The four phases of the audit cycle: Prepare, Identify, Prioritize, Mitigate.


Prepare:

Gather the knowledge, organizational information, and expertise to successfully perform a Privacy & Security audit.


Gather Knowledge: Research

• Am I a Covered Entity (CE)?
• How do the Privacy & Security rules affect your organization?
• What are the possible implications if a breach occurs?

Perform Site Inventory

• What technology is used in your practice?
• Do these items transmit, process, or store EPHI?
• Where are they located?

Policies and Procedures

• Do you have a set of relevant policies and procedures?
• When were they last updated?
• When did you last review them with your staff?


Assemble Your Team: Internal Resources

• Who are your designated Privacy/Security Officers?
• Who in your organization has the most knowledge about technology and how it’s used?

External Resources

• IT Vendor
• Parent or Affiliate Organization IT Security Staff
• EHR Vendor
• Regional Extension Center
• Security Organizations


Tools: Preparation (REC-Provided Document): Privacy & Security Preparation: Necessary Resources


Tools: Preparation (ONC-Provided Document): HIT Security Risk Assessment Questionnaire: Inventory Assets (Preparation)


http://www.healthit.gov/providers-professionals/core-measure-15


Soapbox: Encryption

• Lost or stolen devices are a major cause of reported security breaches! Under HHS breach-notification guidance, EPHI that was encrypted (to the NIST-referenced standard) at the time the device was lost is not treated as a reportable breach, which is why encryption matters so much on this slide.

• How would you prove what patient records were on a missing device? (Hint: If you don’t do daily backups, this is nearly impossible!)


Soapbox: Encryption

• Encryption is not necessarily expensive!

• Free alternatives:
  • PC: Microsoft EFS, BitLocker, TrueCrypt
  • Apple OS X: FileVault, TrueCrypt

• Caveats: EFS encrypts individual files and folders, not the whole disk, so anything saved outside the encrypted folders on a lost laptop is still exposed; prefer full-disk encryption (BitLocker, FileVault). TrueCrypt development ended in 2014 and it is no longer maintained, so it should not be chosen for new deployments. Whatever you pick, record the recovery keys somewhere other than the device itself.


Tools: Preparation (REC-Provided Document): Computer & Mobile Technology Encryption Log
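The two soapbox points above (is the device encrypted, and what was on it) can both be answered with a daily log. The script below is an added example, not part of the REC's Encryption Log document or the original presentation: on a Windows machine it records each volume's BitLocker state and writes a SHA-256 manifest of a records folder, so that if the device goes missing the practice can show whether it was protected and exactly which files it held. It assumes Windows 8 / Server 2012 or later with the built-in BitLocker PowerShell module; the $RecordsPath and $LogDir locations are placeholders for the example.

```powershell
# Added example (not from the original presentation): daily encryption-status
# log plus hashed file manifest for one practice workstation or laptop.
# Assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later).
# $RecordsPath and $LogDir are assumed locations; adjust for your practice.
param(
    [string]$RecordsPath = "$env:USERPROFILE\Documents\PatientRecords",  # assumed EPHI folder
    [string]$LogDir      = "$env:USERPROFILE\EncryptionLog"               # assumed log folder
)

$ErrorActionPreference = 'Stop'
$stamp    = Get-Date -Format 'yyyy-MM-dd'
$computer = $env:COMPUTERNAME
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# 1. One row per volume: is BitLocker protection on and is the volume fully
#    encrypted? Removable media that happens to be attached is listed as well.
$volumeRows = Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        Date             = $stamp
        Computer         = $computer
        MountPoint       = $_.MountPoint
        VolumeType       = $_.VolumeType
        ProtectionStatus = $_.ProtectionStatus      # 'On' = protectors are active
        VolumeStatus     = $_.VolumeStatus          # e.g. FullyEncrypted / FullyDecrypted
        EncryptionMethod = $_.EncryptionMethod
        PercentEncrypted = $_.EncryptionPercentage
        KeyProtectors    = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ';'
    }
}
$volumeRows | Export-Csv -NoTypeInformation -Path (Join-Path $LogDir "$stamp-$computer-volumes.csv")

# A volume only counts as protected when BOTH conditions hold: protection is
# on AND encryption has finished (a drive still "EncryptionInProgress" is not
# safe to treat as encrypted for breach purposes).
$unprotected = $volumeRows | Where-Object {
    $_.ProtectionStatus -ne 'On' -or $_.VolumeStatus -ne 'FullyEncrypted'
}

# 2. Hashed manifest of the records folder: path, size, last write, SHA-256.
#    Kept alongside the daily backup, this is the evidence of what a missing
#    device contained on a given day.
if (Test-Path $RecordsPath) {
    $manifest = Get-ChildItem -Path $RecordsPath -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            Date          = $stamp
            Computer      = $computer
            Path          = $_.FullName
            SizeBytes     = $_.Length
            LastWriteTime = $_.LastWriteTime.ToString('s')
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
    $manifest | Export-Csv -NoTypeInformation -Path (Join-Path $LogDir "$stamp-$computer-manifest.csv")
    Write-Host ("Manifest: {0} file(s) recorded from {1}" -f @($manifest).Count, $RecordsPath)
} else {
    Write-Warning "Records folder $RecordsPath not found; no manifest written."
}

# 3. Console summary so whoever runs it sees a problem immediately.
if ($unprotected) {
    Write-Warning ("{0} volume(s) on {1} are NOT fully protected:" -f @($unprotected).Count, $computer)
    $unprotected | Format-Table MountPoint, ProtectionStatus, VolumeStatus -AutoSize
} else {
    Write-Host "All BitLocker volumes on $computer report ProtectionStatus=On and FullyEncrypted."
}
```

Run it daily as a scheduled task under an administrator account (Get-BitLockerVolume needs elevation) and copy the CSV files off the device with the backup. Note that the manifest lists file names, which in a practice may themselves identify patients, so the log folder must live on an encrypted volume or be moved to the backup target and not left on a shared drive. On a Mac the equivalent status check is the built-in `fdesetup status` command for FileVault, which this Windows example does not cover.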


Identify:

Assess each functional area and technology resource where EPHI is processed, stored, or transmitted to find areas of vulnerability.


Tools: Identification: Facility Walkthrough


Tools: Identification (Risk Assessment Questionnaire): Screening Questions (Step 1)


Prioritize:

Examine each possible vulnerability, honestly rating the current systems’ effectiveness, the likelihood of a breach, and the impact a breach would have.


Tools: Prioritization (Risk Assessment Questionnaire): People & Processes (Step 2a)


Tools: Prioritization (Risk Assessment Questionnaire): Technology (Step 2b)


Mitigate:

For each identified area of vulnerability, maximize the effectiveness of existing controls, and minimize both the possibility of a breach and the extent of damage should an unavoidable breach take place.


Tools: Mitigation (Risk Assessment Questionnaire): Findings – Remediation (Step 3)


Tools: Mitigation (REC-Provided Document): Identified Vulnerability Action Plan


Prepare (the cycle repeats):

Continue to gather the knowledge, organizational information, and expertise to successfully review and update your Privacy & Security audit on a yearly basis.


Prepare Now In Case of Audit!

CMS recommends the following documentation be retained:


Source: http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/EHR_SupportingDocumentation_Audits.pdf

Meaningful Use Objective: Protect Electronic Health Information

Audit Validation: Security risk analysis of the certified EHR technology was performed prior to the end of the reporting period.

Suggested Documentation: A report that documents the procedures performed during the analysis and the results. The report should be dated prior to the end of the reporting period and should include evidence that it was generated for that provider’s system (e.g., identified by National Provider Identifier (NPI), CMS Certification Number (CCN), provider name, practice name, etc.).


Tools: Preparation (REC-Provided Document): Policy Review Log


Contact Us!

• Visit us online at www.tristaterec.org

• Email us at rec@healthbridge.org

• Call us at 513-469-7222, ext. 3

• Follow us on Twitter: @HealthBridgeHIO

• Like us on Facebook: www.facebook.com/pages/Cincinnati-OH/HealthBridge/128672340540952
