Meaningful Use and Security Risk Analysis

Transcription

1 Meaningful Use and Security Risk Analysis Meeting the Measure Security in Transition

2 Executive Summary Is your organization adopting Meaningful Use, either to gain incentive payouts or to avoid penalties? You re not alone. A majority of healthcare providers plan to either implement electronic health records, or take a closer look at existing systems to apply for compliance in the immediate future. A key part of meeting the Meaningful Use compliance requirement is conducting a risk assessment. There is considerable confusion in the market regarding how this should be conducted, but at the core it is a revival of the original HIPAA rules regarding security. By conducting an analysis that covers several core areas, and gaining a comprehensive understanding of how and where your electronic health information is used and stored, you can begin to build a stronger risk posture and avoid fines and penalties. Only 20 percent of doctors and 10 percent of hospitals use even basic electronic health records. Kathleen Sebelius, Secretary of Health and Human Services, July 2010 Introduction In the evolutionary race of patient data, electronic medical records are winning; not only because of the efficiencies gained from these technologies, but also due to mounting pressure from increased prevalence of breaches, audits, and government incentives. Despite this rapid natural selection of the computing landscape, though, many healthcare providers have yet to adopt an electronic data reporting or electronic health records (EHR) system, although there are many EHR options in the marketplace. This will likely change, since the Meaningful Use guidelines provide incentives in the near-term, followed by penalties for late adoption of EHR. As an incentive to secure these systems, Stage 1 of the Meaningful Use guidelines includes a measure for protecting electronic health information under requirement 45 CFR (a)(1), including conducting a risk analysis and implementing security measures as appropriate, and correcting identified security deficiencies as part of an overall risk management process. Approximately 90 percent of hospitals have expressed intent to meet the Stage 1 requirements by However, only 2 percent of providers had met Stage 1 of the Meaningful Use requirement by And according to a survey by PricewaterhouseCoopers, as of September 2011, only 19 percent of healthcare providers said they have completed the prerequisite security assessment, which includes criteria for access control, identity management, and encryption. 1 As HHS Secretary Kathleen Sebelius proclaimed in 2010, only 10 percent of hospitals are using electronic health records in any capacity. 2 This glaring reality illustrates that, even though HIPAA regulations have been defined since 1996, and 1 PwC Whitepaper, Old Data learns new tricks 2 Page 2

3 electronic medical records software has been in the market for decades, the United States is still very slow to adopt these technologies. With incentives through HITECH and the Meaningful Use guidelines, large amounts of data are expected to come online in the near future, creating significant exposure to unprecedented risks. Since healthcare is already under attack from cybercriminals and insiders, the current trends could only be the tip of the iceberg in terms of the number and types of breaches and cyber-attacks that we may see in the future. To put this potential risk in further perspective, HIMSS Analytics awards the Stage 7 designation for health care organizations that have the highest level of EHR implementation, with patient encounters that are completely paperless and integrated. According to HIMSS, this allows the health organization to support the true sharing and use of health and wellness information. However, only 61 US hospitals have achieved this award as of October And already, a breach of personal health information occurred, on average, every other day in the past year and a half p, accessed October 25, US Department of Health and Human Services Office for Civil Rights, accessed June 27, 2011, ificationrule/breachtool.html. Meaningful Use Incentives and Disincentives Government incentives are in place to quickly meet the Meaningful Use requirements, including security. The HITECH Act earmarks up to $27 billion for healthcare IT (HIT) over the next several years, with stimulus payments to adopt the core and menu sets of the Meaningful Use requirements. 5 Therefore, providers have a strong rationale to begin immediate adoption of EHR. Under the Medicare EHR Incentive Program, Medicare eligible professionals who demonstrate meaningful use of certified EHR technology can receive up to $44,000 individually over 5 years. But to receive the maximum incentive payment, the eligible professionals must begin participation by For 2015 and later, Medicare eligible professionals who do not successfully demonstrate Meaningful Use will have a payment adjustment to their Medicare reimbursement. The payment reduction starts at 1 percent and increases each year that a Medicare eligible professional does not demonstrate meaningful use, to a maximum of 5 percent (see Figure 1). This is a strong indicator that hospitals will eventually be required to meet the Meaningful Use requirements. The incentives that are in place require providers to act quickly to buffer enough time to implement the strategies, hardware, processes, and controls that will be required. The incentives and penalties also indicate that information technology and security may consume more of a provider s capital budget in the near future; and that culture change and workflow change management will need to take place prior to implementing a new electronic health records system in order for the strategy to be sustainable. 5 security-meaningful-use-ehr-electronic-health-record html Page 3

4 Figure 1: Meaningful Use Incentives Strong incentives are in place to conduct a comprehensive risk assessment Page 4

5 Figure 2: Meaningful Use as it Relates to HIPAA Meaningful Use is a Throwback to HIPAA The security requirements for Meaningful Use are nothing new. Meaningful Use references the Security Rule established in 1996 in the original form of HIPAA. When the HITECH Act was developed as part of the American Recovery and Reinvestment Act, it applied some new extensions to the already existing rule. 6 For instance, with HITECH, new breach notification rules were extended, mandating reporting of breach incidents to HHS for breaches that affect more than 500 people, and extending the rules to health care business associates. HITECH also implements a new tiered system that increases civil monetary penalties for noncompliance and also allows state attorneys general to file civil actions for HIPAA violations on behalf of a community s constituents. 6 The specific carryover of the Meaningful Use guidelines, set out by CMS, is measure 45 CFR , which sets out the requirement to conduct a risk assessment. This measure, in turn is part of a series of measures that encompass the full security rule from HIPAA (see Figure 2). Meaningful Use can be thought of as HHS finally starting to get some sizzle to their steak in terms of enforcing and incenting providers to not only adopt EHR, but also to make sure that they are implemented in a way that supports the original HIPAA guidelines. One of the core requirements for meeting Meaningful Use is having a risk mitigation and security plan in place for protecting electronic Personal Health Information (ephi). The large cohort of providers that are planning to meet the Stage 1 requirements by 2012 have the onus to pay particular attention to the implementation of a Page 5

6 clear security and risk mitigation and management plan. How the risk assessments are conducted still has some flexibility built in, which adds some confusion to the environment. Many federal guidelines are often referred to such as NIST SP There are several core questions that this guideline and others recommend that providers should consider in implementing the security rule, such as: Have you identified what the specific ephi is within your organization, including that which is created or transmitted? Have you identified all external sources of ephi, including what business associates create, receive, or transfer? Have you identified all internal and external threats to your information systems that could compromise ephi? While risk analysis is a necessary component to reach and achieve the Meaningful Use requirements, it is also a necessary tool to reach any sort of substantial compliance with many other standards and implementation specifications. So, although it is a starting point, the risk assessment is really just a step toward the goal of complete compliance that will be required and continually enforced in the near future. The HIPAA Security Rule specifically focuses on the safeguarding of ephi and is the most comprehensive guideline regarding protected health information. All HIPAA covered entities, which includes some federal agencies, must comply with the rule, which focuses on protecting the confidentiality, integrity, and availability of ephi. The ephi that a covered entity creates, utilizes, archives, or transmits must be protected against reasonably anticipated threats, hazards, and unauthorized disclosure. Specifically, the Security Rule applies to all covered entities including covered healthcare providers, health plans, healthcare clearinghouses, and Medicare prescription drug card sponsors; although the HITECH Act has extended this liability to third parties that interface with the organization s ephi. 7 Three Major Imperatives of the Security Rule The one measure related to security in the Meaningful Use guidelines is Core Measure 15 for Eligible Providers (EPs). The measure stipulates that healthcare providers must conduct a risk assessment; but in its totality, there are three basic areas that comprise the Meaningful Use Security Rule as part of rule The first - conducting a security risk analysis is already required by HIPAA. Some of the key questions to ask regarding this requirement are: How thorough was the initial risk analysis, if any? What methodology was used? Did it just cover your organization, or were third parties also examined? This is important to note since the HITECH Act added rules mandating that the security rule apply not only to the covered entity, but also to business associates who interact with your ephi. Secondly, the risk analysis should be updated annually. As the media has sensationalized almost daily, constant threats are emerging of an alwaysincreasing scale and sophistication, so having a process in place to proactively monitor these threats regularly is essential. Each year, the original benchmark analysis should be revisited, and a vulnerability management program should be implemented to find, test, and deploy necessary fixes and security interventions that arise. Mobile devices present a special concern since more than 85 percent of physicians have expressed a desire to be able to access ephi 7 Page 6

7 anytime, anywhere, and on any device. 8 And since a significant portion of these devices are not currently encrypted or tracked on most networks, it is sometimes difficult to fully comprehend what the level of risk is without understanding the demands these disparate devices place on having layered security, policies, controls and procedures in place. The third requirement is correcting security deficiencies. This is already a familiar concept in the world of healthcare since patient safety, financial risk, and occupational hazards are all tracked and measured. This same strategy needs to be applied to security risk management. And not all of these measures are necessarily technical. Process oversight, training, and accountability management are just as necessary to keep a streamlined risk management program in place. Overall, the measure also encompasses , which dictates that covered entities must also apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures, and implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. The security rule is not just a one-time event that can be used to apply for federal incentives or examine the system it really must be a repeatable and sustainable process that allows for regular updates and mitigation at any point in the cycle. Audits are Underway Historically, audits have been limited in healthcare; and because the healthcare industry doesn t have examiners as in the financial industry, the risks have been limited to an actual breach, not of failing an examination as in the banking industry. But the increasing objectivity of the requirements of Meaningful Use and audit plans for the future are changing this dynamic to create a more urgent need to implement a security strategy. In July of 2011, the HHS Office of Civil Rights (OCR) announced that they had appointed consulting firm KPMG to conduct up to 150 HIPAA audits of covered entities and business associates by the end of The implementation of this audit program fulfills a compliance enforcement mandate of the 2009 HITECH Act. The KPMG contract enables OCR to put feet on the street, while retaining an oversight role in the process. Sue McAndrew, OCR s deputy director for health information privacy, confirms that some audits could even result in OCR enforcement action. Certainly, if we uncover in the course of the audit major violations or potential violations we will be dealing with those in the same manner we would through our formal enforcement process, she said recently. 10 Criminal and civil penalties can also be levied against organizations and/or individuals for violations of HIPAA Privacy and Security Rules. Monetary penalties for a breach of HIPAA Privacy and Security Rules range from $100 to $50,000 per violation. Additionally, state attorneys general are t_id=3924&opg=1 Page 7

8 now authorized to bring civil actions against HIPAA violators on behalf of state residents. 11 Each audit will follow a typical onsite audit process with an in-person visit and interviews with key management personnel such as the CIO, privacy officer, legal counsel, and health information management/medical records director. These audits will supposedly initially offer comprehensive assessments of compliance with the HIPAA privacy and security rules rather than specific narrower issues. While the projected number of 150 audits in 2012 makes the likelihood of an audit visit to any one organization fairly low, OCR has a separate initiative underway to train State Attorneys General on the HIPAA audit process as well. Conclusion Organizations participating in the EHR Meaningful Use plan already have a compelling incentive to conduct or update a security risk analysis. But simply pushing the organization to meet Meaningful Use with the singular goal of collecting incentive payouts does not prepare the organization for inevitable future audits and to mitigate the additional risks posed by online data access, mobile devices, Health Information Exchanges, Accountable Care Organizations, increased abilities of hackers, and the increased demands placed on organizations from macroeconomic trends such as aging of the population. Meaningful Use has reinvigorated the discussion of what it means to have a strong security posture, but the most comprehensive security guidelines have existed in previous incarnations in the forms of HIPAA and HITECH. There are fundamental components of any assessment: understanding what controls are currently in effect, determining the impact of likely events from viruses to natural disasters, and documenting exposures and vulnerabilities, not only in systems but also in processes. A healthcare organization s assessment program should consider questions regarding the controls that are implemented to safeguard the systems and information, and the physical facility and surrounding environment as well. For more information about Dell SecureWorks, visit ity.pdf Page 8