How to Use the NYeC Privacy and Security Toolkit V 1.1

Transcription

1 How to Use the NYeC Privacy and Security Toolkit V 1.1 Scope of the Privacy and Security Toolkit The tools included in the Privacy and Security Toolkit serve as guidance for educating stakeholders about the privacy, security and risk mitigation guidelines to be followed at provider practices. The objective of the documents and tools is to increase awareness about the recommended safeguards for compliance, and to implement strategies in order to protect electronic health information (ephi) created or maintained by certified Electronic Health Record (EHR) technology. The goal is to implement appropriate technical capabilities and protective measures in order to reduce risk to an acceptable level. Meaningful Use Objective Stage 1 Meaningful Use guidelines state that the practice is to conduct or review a security risk analysis, as per 45 CFR (a) (1), implement security updates as necessary, and correct identified security deficiencies as part of the management process. Privacy and Security and Risk Mitigation Process The practice will be informed about the privacy and security and risk mitigation requirements that are required for meeting Meaningful Use objectives. The Implementation team will conduct a privacy and security assessment during the implementation stage, in order to identify security-related issues that need to be addressed by the practice. They will conduct a risk analysis to determine current risk, and put into place an effective risk mitigation strategy. Security policy documentation will be updated with the practice rules and regulations that have been put into place and responsibility for their implementation at the practice will be determined. Practice staff will be trained and educated about the practice s security approach and requirements. HITRC CoP Privacy and Security The tools in the NYeC Privacy and Security Toolkit are a sampling of those generally created within the HITRC CoP (Community of Practice) Privacy and Security Toolkit Work

2 Group. HITRC is a site for members of all Regional Extension Centers to work collaboratively on common requirements. After a review of all of the HITRC Privacy and Security tools, the toolkit is the NYeC-recommended path to assess and mitigate risk at practices. There are a number of other tools and documents that you may find useful. Please go to the HITRC site in order to review all available tools. The HITRC website CoP Privacy and Security can be found at: Completion of these tools will assist a practice in complying with Meaningful Use and the HIPAA Security Rule, but it is not a guarantee of compliance with either. Practices are still obligated to comply with the specific requirement of each rule. Use of the tools will provide an overall view of the state of security and provide suggestions for remediation of deficiencies. A complete risk assessment must address each asset type separately, which these tools do not do. Referenced from the ONC HIT Security Risk Assessment Questionnaire - Released in January 2011.

3 Privacy, Security and Risk Mitigation Process for Provider Practices These Documents/Tools are listed in the recommended order of their use Document/ Tool Responsible Party Stage / Optional Background information for the Practice Pre-Implementation Agent CyberSecurity Guide Background Practice Project Kickoff Optional This CyberSecurity Guide lists the 10 Best Practices for the Small Healthcare Environment. Issued by the US Department of Health and Human Services (HHS) through the Office of the National Coordinator (ONC) as a first look at the key security points to keep in mind when protecting health information networks that connect to the Internet. It includes a list of ten security best practices and checklists to confirm that healthcare practices are following security recommendations. NYeC Privacy and Security Meaningful Use Fact Sheet Practice Project Kickoff The NYeC Privacy and Security Meaningful Use Fact Sheet presents an overview of the Privacy and Security Stage 1 Meaningful Use criteria in question and answer format. It is a brief overview of the intersection between Meaningful Use and Privacy and Security. Security Awareness and Training NYeC Privacy and Security Training for the Practice Practice Project Kickoff This PowerPoint training deck about security awareness goes into HIPAA Privacy, Security and HITECH rules, risk analysis, and network security. Implementation Gap Analysis and Risk Mitigation NYeC ONC HIT Security Risk Assessment Agent + Questionnaire v Released in Practice January 2011 NYeC ONC HIT Security Risk Assessment Questionnaire v REC Update Agent + Practice Implementation Implementation This comprehensive HIT Security Risk Assessment Questionnaire was released by ONC in early 2011 to address the Meaningful Use core measure for the assessment of security risk. The REC Update version starts with the ONC Questionnaire and contains additional guidance supplied by the HITRC Privacy and Security work group. The tool is the backbone of the Privacy and Security toolkit. Its four step process enables respondents to identify and mitigate their risks against pre-identified threats and vulnerabilities. Practice Security Policy Manual with Instructions. Information Security Policy Manual for Agent + the Practice (and Instructions) Practice Implementation Practices should update this Information Security Policy Manual template with the privacy and security safeguards and risk mitigation techniques implemented at the practice. The safeguards and policies at the practice should be gathered from the output of the NYeC Privacy and Security Checklist with Risk Analysis in the prior step. This manual remains at the practice and all personnel should be educated on the policies therein.

4 Overview of the Privacy and Security Toolkit - Tools and Documents The privacy and security toolkit contains documents and tools that are meant to provide the agent and practice with the information they need in order to implement privacy, security and risk mitigation processes that conform to the intent of the meaningful use core measure. NYeC Privacy and Security Meaningful Use Fact Sheet. This fact sheet is used to prepare the provider for the privacy and security requirements for Meaningful Use. This is meant to prepare the provider for the privacy and security related activities that follow. CyberSecurity The protection of data and systems in networks that connect to the Internet. 10 Best Practices for the Small Healthcare Environment. This guide contains explanations for each of the ten identified best practices, as well as checklists that support healthcare practices validating that they meet the basic requirements outlined in each section. The 10 best practices highlighted are: 1. Use Strong passwords 2. Install and Maintain Anti-Virus Software 3. Use a Firewall 4. Control Access to Protected health Information 5. Control Physical Access 6. Limit Network Access 7. Plan for the Unexpected 8. Maintain Good Computer Habits 9. Protect Mobile Devices 10. Establish a Security Culture NYeC Privacy and Security Training for the Practice The PowerPoint training deck is meant to educate practice members about security awareness. NYeC ONC HIT Security Risk Assessment Questionnaire v This ONC HIT Security Risk Assessment Questionnaire was released by the ONC in early 2011 to address the Meaningful Use core measure that a practice must protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities. It is the centerpiece of the Privacy and Security Toolkit. There are 7 tabs in this spreadsheet tool. The first tab introduces the risk assessment. The second tab identifies the Nine Primary Risk Assessment Steps found in the NIST Special Publication SP The tabs that follow include screening questions for the practice, identification of existing controls at the practice, and the likelihood and impact of risk exposure. The next tab is a takeaway list which is an accumulation of the risk findings, and remediation from the prior tabs. These are the risk analysis results. The last tab is an optional inventory of people and technology assets that touch ephi. For more information about this tool, refer to Introduction to the NYeC HIT Security Risk Assessment Questionnaire.

5 Note - Select Enable Content when the Questionnaire is opened this enables the macros to run correctly. NYeC ONC HIT Security Risk Assessment Questionnaire v REC Changes This tool contains all of the information in the ONC HIT Security Risk Assessment Questionnaire tool with additions made by the Regional Extension Center (REC) HITRC Privacy and Security CoP workgroup. Practice summary - new section where practice information is entered. Inventory (Preparation) section has not been changed Screening Questions (Step 1) additional guidance added in blue. Columns changed to People/Processes and Technology. These columns populate the Existing Control column in in Steps 2a and 2b. Common responses prefilled. People and Processes (Step 2a) additional guidance added in green. Ability to add up to five more people and processes and technology items to the list. Technology (Step 2b) additional guidance added in green. Findings-Remediation (Step 3) added three columns - owner, remediation steps and target date for better risk management tracking. Information Security Policy This policy defines the technical controls and security configuration that are in place at the practice. This is a procedures manual for all personnel affiliated with the practice, to insure their awareness of those privacy, security and risk mitigation processes. All personnel should be instructed to read the policy and sign the Appendix B Confidentiality Form. This template includes the following documents: IS-1.0 Introduction IS-1.1 Employee Responsibilities IS-1.2 Identification and Authentication IS-1.3 Network Connectivity IS-1.4 Malicious Code IS-1.5 Encryption IS-1.6 Building Security IS-1.7 Telecommuting IS-1.8 Specific Protocols and Devices IS-1.9 Retention / Destruction of Paper Documents IS-1.10 Disposal of External Media / Hardware IS-2.0 Emergency Operations Procedures IS-3.0 Emergency Access "Break Glass" Procedures IS-4.0 Sanction Policy IS-5.0 e-discovery Policy "Production and Disclosure" IS-5.1 e-discovery Policy "Retention" IS-6.0 Breach Notification Procedures Appendix A: Network Access Request Form

6 Appendix B: Confidentiality Form Appendix C: Approved Software Appendix D: Approved Vendors Appendix E: Breach Assessment Tool Reference The National Institute of Standards and Technology (NIST) Special Publications (SP) and are guidance pieces for a security risk assessment. (SP) 8006 is an introductory resource for the Health Insurance portability and Accountability Act (HIAA) Security Rule, and NIST SP is a risk management guide for information technology