ehr privacy & security. missouri’s federally-designated regional extension center university...
TRANSCRIPT
Introduction and Welcome:
Nancie McAnaugh, MSWCenter for Health PolicyMO HIT Assistance Center
Presenter:
Rebecca Thurmond FowlerSystem Security Analyst-PrincipalUniversity of Missouri Division of Information Technology
EHR Privacy & Security
MO HIT Assistance CenterMissouri’s Federally-designated Regional Extension Center
University of Missouri: Department of Health Management and Informatics Center for Health Policy Department of Family and Community Medicine Missouri School of Journalism
Partners: EHR Pathway Hospital Industry Data Institute (Critical Access Hospitals) Missouri Primary Care Association Missouri Telehealth Network Primaris
Assist Missouri's health care providers in using electronic health records to improve the access and quality of health services; to reduce inefficiencies and avoidable costs; and to optimize the health outcomes of Missourians
Vision
For providers who do not have a certified EHR system - We help you choose and implement one in your office
For providers who already have a system - We help eligible providers meet the Medicare or Medicaid criteria for incentive payments
4
What is our role?
Cerner and the University of Missouri Health System have an independent strategic alliance to provide unique support for the Tiger Institute for Health Innovation, a collaborative venture to promote innovative health care solutions to drive down cost and dramatically increase quality of care for the state of Missouri. The Missouri Health Information Technology Assistance Center at the University of Missouri, however, is vendor neutral in its support of the adoption and implementation of EMRs by health care providers in Missouri as they move toward meaningful use.
Disclosures
This regional extension center is funded through an award from the Office of the National Coordinator for Health Information Technology, Department of Health and Human Services Award Number 90RC0039/01
Information Security Risk Assessment Process
Becky Thurmond FowlerSystem Security Analyst –Principal
Division of IT, University of Missouri
Why Are We Doing This?
Increased focus on security & privacy in society
Federal and state laws and regulations
Heard of a little thing called HIPAA?
HIPAA
Covered Entities (CE’s) and Business Associates of CE’s must comply with the HIPAA Security Rule, including:
◦Due diligence◦Good business practices◦Analysis of risk◦Creation of appropriate safeguards◦Documentation
The Process – An Overview
1. Identify key relevant systems2. Conduct a risk assessment3. Implement a risk management program4. Acquire IT systems and services as
necessary5. Create and deploy policies and procedures6. Develop and implement a sanction policy7. Develop and deploy the information
system activity review process
Risk Assessment Process
Identify key relevant systems
◦Categorize the sensitivity of the data
◦Which information systems are involved?
◦Perform inventory – who owns?
◦Configuration management and documentation
Risk Assessment Process
Conduct a risk assessment◦Variety of checklists and procedures to help you
through the process
◦Document what you’re doing, do what you’re documenting!
◦Answers to questions raised in your risk assessment can help you determine where your data is vulnerable
Risk Assessment Cheat Sheet
Section 1: Organizational Information
◦Definition of Personally Identifiable Information (PII)
What kind of PII does your organization have, and what do you do with it?
Risk Assessment Cheat Sheet
Section II: Access to Work Area
Objective: To control unauthorized access to work areas where confidential or sensitive information is held or utilized
Risk Assessment Cheat Sheet
Section III: Access to Work Equipment/Information/Materials
Objective: To control unauthorized access to confidential or sensitive materials and work equipment
Risk Assessment Cheat Sheet
Section IV: Information Systems Security & Access
Objective: To appropriately manage confidential and sensitive electronic files and IT resources
Risk Assessment Cheat Sheet
Section IV: (continued)
◦This section will require close work with your Information Technology folks. Technical reviews Application and server level controls Networking Disaster Recovery and Business Continuity
Risk Assessment Cheat Sheet
Section V: Access to Waste Materials
Objective: To ensure paper and electronic files and media are properly destroyed when appropriate
Risk Assessment Cheat Sheet
Section VI: Organizational Procedures & Employee Training
Objective: To set expectations and raise awareness among employees who handle confidential and sensitive information
Risk Assessment Process
Implement Risk Management program
◦Thoughtfully choose security measures to reduce risks.
◦Qualitative vs. quantitative
Looking to:◦Reduce risk◦Transfer risk◦Accept risk◦Avoid risk
Risk Assessment Process
Acquire IT systems and services as necessary
◦Security isn’t free!
What is your desired end result?
Risk Assessment Process
Create and deploy policies and procedures
Develop and implement a sanction policy
Develop and deploy the information system activity review process (rinse & repeat)
If you do not wish to ask a question, please press * 6 to mute your phone.
Your Phone Line is Now Open!
Meaningful Use & Physician Quality Reporting System (PQRS)Wednesday, November 9th
Presenter:
Sandra PogonesProgram Manager
Primaris
Upcoming Webinars:
Contact MO HIT Assistance Center for details and pricing
MO HIT Assistance Center Now Serves
Large Practices & Specialists
Website: http://ehrhelp.missouri.edu
E-Mail:◦ [email protected]
Phone:◦ 1-877-882-9933
For More Information: