Meaningful Use Security Risk Analysis Passing Your Audit

Upload: dominic-mcgee

Post on 13-Jan-2016


Page 1: Meaningful Use Security Risk Analysis Passing Your Audit

Meaningful Use Security Risk Analysis: Passing Your Audit

Page 2:

Agenda

• Introduction

• Meaningful Use Requirement – Protect Electronic Health Information

• Security Risk Analysis

• Meaningful Use Audits

• Questions

Page 3:

Introduction

Adam Kehler, CISSP, CEH

Privacy and Security Specialist

PA REACH East & West

[email protected]

Page 4:

Meaningful Use

1. In Stage 1, eligible professionals must conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

2. In Stage 2, eligible professionals must meet the same security risk analysis requirements as Stage 1, but must also address the encryption/security of data at rest, i.e. ePHI stored in the certified EHR technology (45 CFR 164.312(a)(2)(iv) and 164.306(d)(3)).

• Note: a security risk analysis needs to be reviewed and updated for each reporting period for Stage 1 and Stage 2.

Page 5:

HIPAA Security Rule

“Under the HIPAA Security Rule, you are required to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Once you have completed the risk analysis, you must take any additional “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels. (45 CFR 164.308(a)(1)(ii))”

Page 6:

Myths & Facts

1. ALL providers must conduct a risk analysis; no exceptions.

2. Simply installing a certified EHR does not mean you’ve met the security requirements of the risk analysis.

3. Your EHR vendor is not responsible for your compliance with the HIPAA Security Rule or for your risk analysis.

4. You do not have to outsource your analysis (though you may wish to)

5. You must update your risk analysis periodically or as changes occur.

Page 7:

What is a Security Risk Analysis?

Page 8:

What is a Security Risk Analysis?

• There is no single method or “best practice” that guarantees compliance

• But most risk analysis and risk management processes have steps in common.

• OCR and NIST have provided guidance and recommendations: OCR’s Guidance on Risk Analysis Requirements under the HIPAA Security Rule, NIST SP 800-30 (Guide for Conducting Risk Assessments) and NIST SP 800-66 (implementing the HIPAA Security Rule).

Page 9:

Common Steps

1. Define the scope

2. Data Collection

3. Identify and document potential threats to ePHI

4. Assess Current Security Measures

5. Determine the Likelihood of Threat Occurrence

6. Determine the Potential Impact of Threat Occurrence

7. Determine the Level of Risk

8. Finalize Documentation

9. Continuous Risk Analysis

Page 10:

Example

Risk = Threat x Vulnerability x Impact

In the steps above, the threat/vulnerability pairs (step 3) and the controls already in place (step 4) determine the likelihood (step 5), the impact is step 6, and the combination of likelihood and impact is the level of risk (step 7).
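As an added worked example (not from the slides and not PA REACH’s material), here is the scoring of steps 5 to 8 above together with the documentation checks the auditors quote on the Audit Issues slides, in Python. It folds threat and vulnerability into one likelihood rating, as step 5 does, and multiplies by impact. Assumptions: the three-level low/medium/high scales with weights 1 to 3 and the score thresholds (6 and above high, 3 to 4 medium) are illustrative choices, and the findings, dates and the NPI 1234567890 are constructed for a fictitious practice.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed qualitative scales: three levels with weights 1..3
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    asset: str              # ePHI component in scope (steps 1-2)
    threat: str             # step 3
    vulnerability: str      # step 3
    current_controls: str   # step 4
    likelihood: str         # step 5: low / medium / high
    impact: str             # step 6: low / medium / high
    remediation: str = ""   # mitigation plan; auditors expect one for medium/high
    due: Optional[str] = None  # ISO date the fix is scheduled for


def risk_score(likelihood: str, impact: str) -> int:
    """Step 7: likelihood x impact on the 1..3 scales, giving 1..9."""
    return LEVELS[likelihood] * LEVELS[impact]


def risk_level(score: int) -> str:
    """Map the 1..9 score back onto three levels (assumed thresholds)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def build_register(findings: List[Finding]) -> List[dict]:
    """Step 8: the risk register, highest risk first, each row carrying its score and level."""
    rows = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        rows.append({"asset": f.asset, "threat": f.threat,
                     "vulnerability": f.vulnerability, "controls": f.current_controls,
                     "score": score, "level": risk_level(score),
                     "remediation": f.remediation, "due": f.due})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def audit_check(report_date: str, period_end: str, npi: str, register: List[dict]) -> List[str]:
    """Deficiencies an MU auditor would flag: report dated after the reporting
    period, no provider identifier tying the report to the system, or a
    medium/high risk with no remediation plan."""
    issues = []
    if date.fromisoformat(report_date) > date.fromisoformat(period_end):
        issues.append("SRA report dated after the end of the reporting period")
    if not npi:
        issues.append("report not tied to a provider (NPI missing)")
    for r in register:
        if r["level"] in ("medium", "high") and not r["remediation"]:
            issues.append(f"{r['asset']}: {r['level']} risk with no remediation plan")
    return issues


# Constructed sample findings for a fictitious practice (not real data)
SAMPLE_FINDINGS = [
    Finding("EHR database server", "ransomware", "OS patches six months behind",
            "antivirus only", "high", "high",
            "apply vendor patches monthly; keep offline backups", "2015-11-30"),
    Finding("clinician laptops", "loss or theft", "no full-disk encryption",
            "screen lock and password", "medium", "high",
            "deploy full-disk encryption on all laptops", "2015-10-15"),
    Finding("backup media", "media lost in transit", "unencrypted backup tapes",
            "locked cabinet", "medium", "medium"),   # no plan yet: the audit check flags it
    Finding("front-desk workstation", "power outage", "no UPS",
            "none", "low", "low"),                   # low risk: accept and document
]

if __name__ == "__main__":
    register = build_register(SAMPLE_FINDINGS)
    for r in register:
        print(f"{r['level']:6} {r['score']}  {r['asset']}: {r['threat']} / {r['vulnerability']}")
    for issue in audit_check("2015-09-30", "2015-12-31", "1234567890", register):
        print("AUDIT ISSUE:", issue)
```

Run as-is it prints the register highest risk first and then flags the one medium risk that has no remediation plan, which is the “remediation plan was not completed” finding quoted on Page 23; passing a report date after the period end reproduces the Page 22 finding.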

Page 11:

Why Not Just a Checklist

1. Every organization is different.

2. What is reasonable for one situation or organization is not reasonable for another.

3. Technology and threats are always changing.

So instead, it is simply required to identify your risks and do what is reasonable and appropriate to address them.

Page 12:

Meaningful Use Audits

Page 13:

Meaningful Use (requirements slide repeated from Page 4)

Page 14:

Medicare Audits

• Conducted by Figliozzi and Co. for Medicare

• Individual states arrange for Medicaid audits

• Can be a pre- or post-payment audit

• A right to appeal an audit determination is available

• Failure of an audit requires that incentive monies be returned

• Approximately 5% of MU participants will be audited

Page 15:

MU SRA Audit Guidance - Medicare

Validation: Security risk analysis of the certified EHR technology was performed prior to the end of the reporting period.

Suggested Documentation: Report that documents the procedures performed during the analysis and the results. The report should be dated prior to the end of the reporting period and should include evidence to support that it was generated for that provider’s system (e.g., identified by National Provider Identifier (NPI), CMS Certification Number (CCN), provider name, practice name, etc.).

Page 16:

Medicaid Audits – West Virginia

• Receive a letter from the WV Dept. of HHS

• Will start as a desk audit; could follow-up with onsite audit if necessary

• Letter contains a questionnaire to be filled out

• Return questionnaire and supporting documentation via enclosed CD or flash drive (encrypt!)

Page 17:

Medicaid Audits

Page 18:

Page 19:

Medicaid Audits – Information Request

Page 20:

Audit Issues

Ensure that the Security Risk Analysis is a bona fide Security Risk Analysis of the Certified EHR Technology and not a narrative description of security controls in use at the organization nor a security gap analysis.

“The documentation provided for this measure is … not an actual security risk analysis specific to the CEHRT system. Acceptable documentation would be proof that a security risk analysis was performed prior to the end of the reporting period (i.e. a report that outlines procedures performed and the results of an analysis).”

Page 21:

Audit Issues

“The documentation provided is not a valid security risk analysis. Acceptable documentation would be proof that a security risk analysis of the certified EHR technology was performed prior to the end of the reporting period (i.e. report which documents the procedures performed during the analysis and the results of the analysis. If material deficiencies were identified, mitigation of these deficiencies must be included).”

Page 22:

Audit Issues

Ensure that the SRA report documents the correct date of the SRA and does not include extraneous dates.

“The supplied security risk assessment was performed as of XX/XX/20XX. However, per CMS Regulations, a new review would have to occur for each subsequent reporting period. Therefore, we will need the security risk assessment that was completed for the 20XX attestation (i.e. report which documents the procedures performed during the analysis, the noted threats/vulnerabilities, and the results of the analysis).”

Page 23:

Audit Issues

Ensure that remediation plans are complete.

“The …Remediation [Plan] of the risk analysis supplied was not completed.”

“A security risk management gap analysis was supplied. However, the results of the analysis, risks identified, and remediation plan to address the risks are also needed.”

Page 24:

Recommendations

• Ensure what you are doing constitutes a “Security Risk Analysis” and is not just a checklist or description of security controls

• Document the steps you followed

• Document a risk mitigation strategy

• Update your security risk analysis for each reporting period (i.e. annually)

• If you are not comfortable with doing it yourself, seek outside help

Page 25:

Questions