How to Finish the HIPAA Security Risk Analysis and Meaningful Use Risk Assessment
Risk & Security LLC
Caroline [email protected]
As channeled by Dr. HIPAA
http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__regulations_and_guidance/1496
Meaningful Use
The American Recovery and Reinvestment Act of 2009 (Recovery Act) authorizes the Centers for Medicare & Medicaid Services (CMS) to provide reimbursement incentives for eligible professionals and hospitals who are successful in becoming "meaningful users" of certified electronic health record (EHR) technology.
Meaningful Use of Electronic Health Records Final Rule
This rule provides guidelines to health professionals and hospitals on how to adopt and use electronic health record technology in a meaningful way to help improve the quality, safety, and efficiency of patient care. The rule also provides guidelines on how providers can qualify for the Medicare and Medicaid EHR Incentive Programs.
Required Meaningful Use Core Measure
• Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
#1 Deficiency in HIPAA Security Rule Compliance AND #1 Reason for Not Completing Meaningful Use!
Have Not Conducted the REQUIRED Risk analysis!
RISK ANALYSIS (Required)
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
• Findings
  • Did not perform a risk assessment
  • Did not have a formalized, documented risk assessment process
  • Had outdated risk assessments
  • Did not address all potential areas of risk
• Recommendations
  • Develop a formal risk analysis program that is comprehensive
  • Maintain an accurate inventory of where EPHI & PHI resides
  • Identify threats & vulnerabilities
  • Assess the level of risk
  • Develop a Corrective Action Plan for gaps identified
From the KPMG Audits, June 2012
• At the Healthcare Financial Management Association’s National Institute, June 24-27 in Las Vegas, two KPMG officials walked through the audit process. It covers the full range of health care organizations, from mom and pop practices to large delivery systems, says Mark Higdon, a co-presenter and a partner in KPMG’s healthcare advisory unit.
• Every provider needs to initiate an internal risk assessment now, Higdon advises. If they wind up being audited, “That will go a long way toward smoothing the audit,” he adds.
LESSONS LEARNED from HIPAA Risk Analyses in the Field
1. Risk Analyses not up to Date, or never done
2. Analyses too concentrated on technical elements
3. Inputs for the analysis are too limited – often to just the IT security staff.
4. Business Associates are not included in the analyses.
5. Analyses don’t follow NIST SP 800-66 guidance (An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule).
6. Analyses haven’t been updated.
7. Didn’t include paper records protection
MEGA-HIPAA RULE WILL BE RELEASED SOON
• The mega rule combines four separate rulemakings:
  • the changes to HIPAA's privacy and security rules mandated by the HITECH Act;
  • the new enforcement requirements and higher penalty requirements;
  • the final regulations of HITECH's breach notification rule; and
  • changes to HIPAA to incorporate the Genetic Information Nondiscrimination Act (GINA).
• OCR also will release guidance to help entities implement the changes, including an updated business associate agreement.
• OCR helped the National Institute of Standards and Technology (NIST) develop an electronic tool to help entities comply with HIPAA's security rule.
Defining a Risk and Compliance Program with the HIPAA Risk Analysis
“Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the HIPAA Security Rule. Therefore, a risk analysis is foundational, and must be understood in detail.”
(Office of Civil Rights Guidance, July 2010)
In addition to an express requirement to conduct a risk analysis, the Rule indicates that risk analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications.
(Office of Civil Rights Guidance, July 2010)
Why Haven’t Organizations Met The HIPAA Risk Analysis Requirement?
• Lots of work - Lots of numbers
• Must meet audit requirements for risk assessment
• Voluminous content is hard to keep updated
• How to administer Web-based surveys and involve management and the user community?
• How do you do the Risk Calculation and QUANTIFY RISK?
• How to quickly put reports together for management?
California Fines for Breaches Average Cost Per Record - $2766.00
1. Community Hospital of San Bernardino: $250,000 fine; unauthorized access of 204 patients’ medical information by 1 employee
2. Community Hospital of San Bernardino: $75,000 fine; unauthorized access of 3 patients’ medical information by 1 employee
3. Enloe Medical Center: $130,000 fine; unauthorized access of 1 patient’s medical information by 7 employees
4. Rideout Memorial Hospital: $100,000 fine; unauthorized access of 33 patients’ medical information by 17 employees
5. Ronald Reagan UCLA Medical Center: $95,000 fine; unauthorized access of 1 patient’s medical information by 4 employees
6. San Joaquin Community Hospital: $25,000 fine; unauthorized access of 3 patients’ medical information by 2 employees
Elements of an OCR Risk Analysis Approach
• Assets/Values
• Threats/Risks
• Vulnerabilities/Weaknesses
• Losses
• Controls/Safeguards
Data Aggregation & Analysis (diagram; the element lists below are what survives of it)
• Loss: Delays & Denials, Fines, Disclosure, Modification, Direct Loss
• Asset: Applications, Database, Financial Data, Hardware, System, Software
• Threat: Disclosure, Hackers, Fraud, Viruses, Network Attack, Loss of Data, Embezzlement
• Vulnerability: Acceptable Use, Disaster Recovery, Authentication, Network Controls, No Security Plan, Accountability, Privacy, Access Control
• Second panel, Patient Info.: Fines, Disclosure, Modification, Fraud, Loss of Data, Acceptable Use, Authentication, Privacy, Access Control
Software can Automatically Analyze the Over 3 Million Potential Linking Relationships
Risk = Asset × Loss × Threat × Vulnerability
Creation of Risk Analysis Reports
• Include an Executive Summary.
• Include information about each individual who answered survey questions.
• Include relevant spreadsheets that detail the calculations and Return On Investment (ROI).
• Compare data from year to year.
• Tailor report for management, and make it easy to understand.
Include Recommended Controls By Return On Investment
(Bar chart, ROI scale 0.0 to 8.0; controls shown, in the order charted: Security Plan, File/Program Control, Risk Assessment, Contingency Plan, Application Controls, Security Policy, Technical Surveillance, Documentation, Training, Audit Trails)
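As an added illustration of the two quantitative steps the slides describe, the risk calculation over asset/threat/vulnerability/loss linking relationships and the ranking of recommended controls by return on investment, the following Python is example code written for this page, not the slides' own tooling or any Risk & Security LLC product. All asset values, threat frequencies, vulnerability probabilities, loss fractions, controls and costs are constructed sample data; the product form of the risk formula and the ROI definition (risk reduced minus control cost, divided by cost) are assumptions.

```python
from itertools import product

# Constructed sample data (hypothetical values, not from the slides).
ASSETS = {"Database": 500_000, "Software": 120_000}       # replacement value, $
THREATS = {"Hackers": 0.4, "Viruses": 2.0, "Embezzlement": 0.1}  # occurrences/year
VULNS = {"Authentication": 0.5, "Network Controls": 0.3, "Access Control": 0.6}  # P(success)
LOSSES = {"Disclosure": 0.2, "Loss of Data": 0.8, "Fines": 0.1}  # fraction of asset value lost

# Linking relationships: which threat exploits which vulnerability to cause which loss.
# Only plausible links are kept; every asset is paired with every link below.
LINKS = {
    ("Hackers", "Authentication", "Disclosure"),
    ("Hackers", "Network Controls", "Disclosure"),
    ("Hackers", "Network Controls", "Fines"),
    ("Viruses", "Network Controls", "Loss of Data"),
    ("Embezzlement", "Access Control", "Fines"),
}

def link_risk(asset, threat, vuln, loss):
    """Risk = Asset x Loss x Threat x Vulnerability, as annualised expected loss in $."""
    return ASSETS[asset] * LOSSES[loss] * THREATS[threat] * VULNS[vuln]

def total_risk(vuln_scale=None):
    """Aggregate risk over every asset/threat/vulnerability/loss link.
    vuln_scale optionally rescales a vulnerability's probability (0.0 = fully mitigated)."""
    vuln_scale = vuln_scale or {}
    total = 0.0
    for asset, (threat, vuln, loss) in product(ASSETS, LINKS):
        total += link_risk(asset, threat, vuln, loss) * vuln_scale.get(vuln, 1.0)
    return total

# Hypothetical controls: vulnerability addressed, fraction of it removed, annual cost in $.
CONTROLS = {
    "Multi-factor authentication": ("Authentication", 0.9, 20_000),
    "Network segmentation": ("Network Controls", 0.7, 60_000),
    "Role-based access review": ("Access Control", 0.5, 5_000),
}

def control_roi():
    """Rank controls by ROI = (risk reduced - cost) / cost, highest first."""
    baseline = total_risk()
    ranked = []
    for name, (vuln, reduction, cost) in CONTROLS.items():
        residual = total_risk({vuln: 1.0 - reduction})
        ranked.append((name, (baseline - residual - cost) / cost))
    return sorted(ranked, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    print(f"Baseline annual risk: ${total_risk():,.0f}")
    for name, roi in control_roi():
        print(f"{name}: ROI {roi:.2f}")
```

A negative ROI (as for the access review in this sample) is the report's signal that the control's cost exceeds the risk it removes, which is the comparison the management report is meant to make visible.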
Commercially Available Tools Can Make it Easier to Stay in Compliance and Validate the HIPAA Security Decision Process
Regulators are dictating how to do the HIPAA Risk Analysis and it is MORE than a technical process.
The HIPAA Risk Analysis is the best way to prepare for a potential audit. Ensure that all HIPAA Security Rule standards are met.
Risk & Security LLC
Caroline Hamilton
Direct Line: 1-301-346-9055
www.caroline-hamilton.com
www.twitter.com/riskalert