REC support is provided under cooperative agreement 90RC0025/01 from the Office of the National Coordinator for HIT, US Dept. of Health and Human Services
Scott C Pettigrew, Practice Consultant
Privacy & Security Process and Tools Overview
The Approach
Four phases: Prepare, Identify, Prioritize, Mitigate
Prepare: Gather the knowledge, organizational information, and expertise to successfully perform a Privacy & Security audit.
Gather Knowledge
Research
• Am I a Covered Entity (CE)?
• How do the Privacy & Security rules affect your organization?
• What are the possible implications if a breach occurs?
Perform Site Inventory
• What technology is used in your practice?
• Do these items transmit, process, or store EPHI?
• Do you have a set of relevant policies and procedures?
  • Where are they located?
  • When were they last updated?
  • When did you last review them with your staff?
Assemble Your Team
Internal Resources
• Who are your designated Privacy/Security Officers?
• Who in your organization has the most knowledge about technology and how it’s used?
External Resources
• IT Vendor
• Parent or Affiliate Organization IT Security Staff
• EHR Vendor
• Regional Extension Center
• Security Organizations
Tools: Preparation
REC-Provided Document: Privacy & Security Preparation: Necessary Resources
Tools: Preparation
ONC-Provided Document: HIT Security Risk Assessment Questionnaire: Inventory Assets (Preparation)
Source: http://www.healthit.gov/providers-professionals/core-measure-15
Soapbox: Encryption
• Lost or stolen devices are a major cause of reported security breaches!
• How would you prove what patient records were on a missing device? (Hint: If you don’t do daily backups, this is nearly impossible!)
• Encryption is not necessarily expensive!
• Free Alternatives:
  • PC: Microsoft EFS, BitLocker, TrueCrypt
  • Apple OSX: FileVault, TrueCrypt
Tools: Preparation
REC-Provided Document: Computer & Mobile Technology Encryption Log
Identify: Assess each functional area and technology resource where EPHI is processed, stored, or transmitted to find areas of vulnerability.
Tools: Identification
Facility Walkthrough
Tools: Identification
Risk Assessment Questionnaire: Screening Questions (Step 1)
Prioritize: Examine each possible vulnerability, honestly rating the current systems’ effectiveness, the likelihood of a breach, and the impact a breach would have.
Tools: Prioritization
Risk Assessment Questionnaire: People & Processes (Step 2a)
Tools: Prioritization
Risk Assessment Questionnaire: Technology (Step 2b)
Mitigate: For each identified area of vulnerability, maximize the effectiveness of existing controls, and minimize both the possibility of a breach and the extent of damage should an unavoidable breach take place.
Tools: Mitigation
Risk Assessment Questionnaire: Findings – Remediation (Step 3)
Tools: Mitigation
REC-Provided Document: Identified Vulnerability Action Plan
Prepare (ongoing): Continue to gather the knowledge, organizational information, and expertise to successfully review and update your Privacy & Security audit on a yearly basis.
Prepare Now In Case of Audit!
CMS recommends the following documentation be retained:
Source: http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/EHR_SupportingDocumentation_Audits.pdf
Meaningful Use Objective: Protect Electronic Health Information
Audit Validation: Security risk analysis of the certified EHR technology was performed prior to the end of the reporting period.
Suggested Documentation: Report that documents the procedures performed during the analysis and the results. The report should be dated prior to the end of the reporting period and should include evidence to support that it was generated for that provider’s system (e.g., identified by National Provider Identifier (NPI), CMS Certification Number (CCN), provider name, practice name, etc.).
Tools: Preparation
REC-Provided Document: Policy Review Log
Contact Us!
• Visit us online at www.tristaterec.org
• Email us at [email protected]
• Call us at 513-469-7222, ext. 3
• Follow us on Twitter: @HealthBridgeHIO
• Like us on Facebook: www.facebook.com/pages/Cincinnati-OH/HealthBridge/128672340540952