Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use
Andy Petrovich, MHSA, MPH
M-CEITA / Altarum Institute
April 8, 2015
Who is M-CEITA?
- Michigan Center for Effective Information Technology Adoption (M-CEITA)
- One of 62 ONC Regional Extension Centers (RECs) providing education and technical assistance to primary care providers across the country
- Founded as part of the HITECH Act to accelerate the adoption, implementation, and effective use of electronic health records (EHR), e.g. completing 90 days of Meaningful Use
- Funded by the ARRA of 2009 (Stimulus Plan)
- Purpose: support the Triple Aim by achieving five overall performance goals

The Triple Aim: improve patient experience; improve population health; reduce costs

The five performance goals (diagram labels: Performance Measurement, Meaningful Use, Certified Technology Infrastructure):
- Improve quality, safety and efficiency
- Engage patients and families
- Improve care coordination
- Improve population and public health
- Ensure privacy and security protections
M-CEITA's Performance
- 5,700+ providers enrolled for M-CEITA support, impacting 1.6 million patients
- 4,500+ providers are live on an EHR
- 3,800+ have achieved Meaningful Use standards
- The latest survey shows 99% of M-CEITA customers are satisfied with services
M-CEITA's Services
Our services are highly subsidized for qualified physicians. These Health IT services include:
- Meaningful Use support
- Security Risk Assessment
- Targeted process optimization (Lean)
- Attestation/audit preparation
Security Risk Assessment
Risk
- People want to get value from the world
- The world can be dangerous
- People want to be secure from dangers
- How do we get security in an insecure world?
HIPAA Security Rule
The Security Rule sits under HIPAA Title II (Administrative Simplification). Its security standards are:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- Organizational requirements
- Policies and procedures and documentation requirements
Security Rule Requirements

Physical Safeguards
  Example variables: facility structure; data storage center; computer hardware
  Example security measures: building alarm system; locked doors; monitors shielded from view

Administrative Safeguards
  Example variables: designated security officer; staff training and oversight; information security control
  Example security measures: Security Risk Assessment / review; staff training; monthly review of user activity; policy enforcement; new-hire background checks

Technical Safeguards
  Example variables: controls on access to the EHR; audit log monitoring; secure electronic exchanges
  Example security measures: secure passwords; data backup; virus scans; encryption

Policies and Procedures
  Example variables: written P&P addressing HIPAA Security Rule requirements; documentation of security measures
  Example security measures: written protocols on safeguards; record retention; periodic policy and procedure review

Organizational Requirements
  Example variables: breach notification and other policies; Business Associate Agreements
  Example security measures: periodic Business Associate Agreement review and updates
Why Complete a Security Risk Assessment?
Consider three reasons to complete an SRA:
- Patient safety
- Public perception
- Compliance
All good reasons, but which is the top priority for your practice?
Patient Safety
"First, do no harm."
- Breached medical records of over 90 million people were reported in the first quarter of 2015 alone
- An average of 11.5 million identities are stolen every year (expected to increase in 2015)
- Average cost: $4,930 per household
Public Perception
- Patients want access to their information, and they want it to be safe
- 81% of patients have concerns about the privacy and security of EHRs
- 60% of patients believe EHR use will result in more information being lost or stolen
- Patients, like any consumer, vote with their feet
Risk is on the Rise
- Protected Health Information (PHI) breaches were expected to increase 25% in 2014
- The majority of PHI breaches now involve hacking attacks
- Healthcare is the leading US industry for data breaches
- This is despite increased awareness of the HIPAA Security Rule due to the Meaningful Use program
Factors resulting in increased risk:
- Lax security practices in health care
- Increased interconnectivity
- A changing landscape (ACOs, HIEs)
Recent Major Breaches
- Anthem: 80 million patient records, February 2015
- Premera: 11 million patient records, March 2015
- Community Health Systems: 4.5 million patient records, August 2014
- Sony Pictures Entertainment: 47,000 unique SSNs, November 2014
Security Risk Assessment
HIPAA Security Rule, 45 CFR 164.308(a)(1) (the Security Management Process standard) has four implementation specifications:
- Risk analysis (assessment)
- Risk management
- Sanction policy
- Information system activity review
Risk analysis: "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."
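The fourth specification above, information system activity review, is the one that turns "audit log monitoring" and "monthly review of user activity" from the earlier table into a repeatable task. The script below is an added example (it is not code from this deck or from M-CEITA's toolkit) showing what such a monthly review can look like over an EHR access-log export: it flags after-hours access, a single user opening an unusual number of distinct charts in one day, and any access to charts on a watchlist. The CSV layout, user names, patient IDs, clinic hours and thresholds are all constructed assumptions; a real EHR's audit export has its own fields and each practice sets its own thresholds in its policies and procedures.

```python
"""Information system activity review over an EHR access log.

Added example; this is not code from the deck or from M-CEITA's toolkit.
The CSV layout, user names, patient IDs, clinic hours and thresholds are all
assumptions constructed for the demonstration; a real EHR's audit export
will use its own fields and the thresholds should be set by the practice.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export (not real data): one row per ePHI access.
SAMPLE_LOG = """\
timestamp,user,patient_id,action
2015-03-02T09:12:00,jsmith,P1001,view
2015-03-02T09:15:00,jsmith,P1002,view
2015-03-02T10:40:00,mlee,P1003,update
2015-03-02T23:05:00,mlee,P1003,view
2015-03-03T08:01:00,rdoe,P1001,view
2015-03-03T08:02:00,rdoe,P1002,view
2015-03-03T08:03:00,rdoe,P1004,view
2015-03-03T08:04:00,rdoe,P1005,view
2015-03-03T08:05:00,rdoe,P1006,view
2015-03-03T08:06:00,rdoe,P1007,view
2015-03-03T08:07:00,rdoe,P1008,view
2015-03-03T08:08:00,rdoe,P1009,view
2015-03-03T08:09:00,rdoe,P1010,view
2015-03-03T08:10:00,rdoe,P1011,view
2015-03-03T08:11:00,rdoe,P1012,view
2015-03-03T11:30:00,jsmith,P2000,view
"""

# Assumed review parameters; each practice sets its own in its P&P.
BUSINESS_HOURS = (7, 19)      # accesses outside 07:00-19:00 get reviewed
MAX_PATIENTS_PER_DAY = 10     # more distinct charts than this per user per day gets reviewed
WATCHLIST = {"P2000"}         # charts that need a documented reason for every access


def parse_log(text):
    """Parse the CSV export into dicts, adding a parsed 'ts' datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review_activity(rows, hours=BUSINESS_HOURS, max_patients=MAX_PATIENTS_PER_DAY,
                    watchlist=WATCHLIST):
    """Return the findings a reviewer should follow up on and document."""
    findings = []
    charts_per_user_day = defaultdict(set)
    for r in rows:
        if not (hours[0] <= r["ts"].hour < hours[1]):
            findings.append({"type": "after_hours", "user": r["user"],
                             "patient": r["patient_id"], "when": r["timestamp"]})
        if r["patient_id"] in watchlist:
            findings.append({"type": "watchlist", "user": r["user"],
                             "patient": r["patient_id"], "when": r["timestamp"]})
        charts_per_user_day[(r["user"], r["ts"].date())].add(r["patient_id"])
    # Volume check runs per (user, day) once every row has been counted.
    for (user, day), charts in sorted(charts_per_user_day.items()):
        if len(charts) > max_patients:
            findings.append({"type": "high_volume", "user": user,
                             "when": day.isoformat(), "count": len(charts)})
    return findings


def review_report(text):
    """One line per finding, in the form a monthly review record would keep."""
    lines = []
    for f in review_activity(parse_log(text)):
        if f["type"] == "high_volume":
            lines.append(f"{f['when']} {f['user']}: {f['count']} distinct charts "
                         f"in one day (high_volume)")
        else:
            lines.append(f"{f['when']} {f['user']} accessed {f['patient']} ({f['type']})")
    return lines


if __name__ == "__main__":
    for line in review_report(SAMPLE_LOG):
        print(line)
```

Run against the constructed log it produces three findings: one after-hours access by mlee, one watchlist access by jsmith, and rdoe opening eleven distinct charts in a day. A finding is a prompt for a documented follow-up (was there a clinical reason?), not a conclusion; recording that follow-up each month is what the Security Rule's documentation requirement and an auditor will look for.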
SRA as a Meaningful Use Requirement
Core objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
HHS Office for Civil Rights (OCR) Final Guidance on Risk Analysis
- Scope must include all ePHI in the organization
- Data collection and methods must be documented
- Identify and document anticipated threats and vulnerabilities
- Assess the current security measures in place
- Establish the likelihood of threat occurrence
- Establish the potential impact of threat occurrence
- Determine the level of risk
- Document the complete risk analysis
- Review and update periodically
There is no one way to do an SRA, but every method must meet these objectives.
Risk Defined
Risk is the potential (likelihood) of a negative outcome (impact) to an asset, due to a vulnerability being exploited by a threat, that would reduce the value of the asset to the organization. (NIST SP 800-30)
What is at risk?
- Confidentiality
- Integrity
- Availability
Vulnerabilities and Controls
- For valuable assets, we need access to utilize the value
- Systems are designed to permit access, but all have vulnerabilities
- Controls reduce or eliminate unauthorized access
Threats and Threat Sources
External and internal sources include:
- Hostile outsiders
- Theft / sabotage
- Malicious insiders
- Poorly trained staff
- Business associates
- Infrastructure failures
- Natural disasters
- Shadow IT
- Lax enforcement of policies and procedures
Business Associates
- All vendors who process, store, or transmit PHI must sign a Business Associate Agreement (BAA)
- Disputes between vendors and providers have serious implications (e.g. a small Maine clinic's dispute with its EHR vendor)
- Malicious outsider/insider: think Edward Snowden
- Getting the BAA in place is the first step
- Equally important is ongoing vendor management, including security
- Would your vendors pass a HIPAA audit? They might have to.
Encryption
Encryption is an addressable implementation specification (45 CFR 164.312(a)(2)(iv) for stored ePHI; 45 CFR 164.312(e)(2)(ii) for ePHI in transmission), but addressable does not mean optional. A covered entity must either implement it or document why it is not reasonable and appropriate and implement an equivalent alternative measure. In practice, ePHI should be encrypted both at rest (stored) and in transmission. There is also a direct payoff: under HHS's breach notification guidance, ePHI encrypted in line with the referenced NIST standards is "secured", so the loss of an encrypted laptop or backup is not a reportable breach, while the loss of an unencrypted one is.
Good Faith Effort
- Compliance isn't enough: you can be compliant and still suffer a breach
- Risk can never be eliminated; reduce it to a reasonable and appropriate level
- The expectation is for organizations to put forth a good faith effort
HIPAA Audit Program
- OCR has been enforcing HIPAA since 2003
- OCR's random audit program is set to begin in 2015
- Provider compliance with the Security, Privacy, and Breach Notification Rules will be audited
- Most common Security Rule deficiencies in the 2012-2013 pilot audits: a missing or incomplete SRA, and being unaware of the Security Rule's requirements
- Both on-site and remote audits will be performed
- Both covered entities and business associates are in scope
Meaningful Use Audits vs. HIPAA Audits
Meaningful Use audits:
- Performed by Figliozzi and Co. under contract with CMS
- About 1 in 10 MU-attesting providers is audited
- Selection is random, or based on prior audit results where applicable
- Focus on the timing and scope of the SRA and on key remediation activities (audit logs, comparing previous results to current)
HIPAA audits:
- Performed by OCR
- A comprehensive examination of the organization's risk management program
- Only a few hundred random audits
- Most OCR investigations occur following a breach
Best Practices
- Security is an investment in your business; your stakeholders benefit
- Educate employees, managers, and ownership on security threats and protocols
- Build a culture of security awareness from top to bottom; involve everyone
- Establish, refine, and enhance security policies and practices
- Treat your business associates like insiders: be confident you can trust them by getting the right information
Security Risk Assessment Process
Step 1: Identify and classify assets
Step 2: Identify and classify threats and vulnerabilities
Step 3: Assess current controls
Step 4: Determine the likelihood of threat occurrence
Step 5: Analyze the impact to the organization
Step 6: Determine the level of risk
Step 7: Implement security controls
Step 8: Ongoing risk management program and recurring SRA review
All steps: documentation!
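Steps 1 through 6 above, and the OCR guidance elements before them (anticipated threats and vulnerabilities, current measures, likelihood, impact, level of risk), are the same computation written two ways. The block below is an added example, in Python, of that computation carried through in the qualitative style of NIST SP 800-30; it is not the M-CEITA toolkit and not content from the deck. SP 800-30 is the source for rating likelihood and impact and combining them into a risk level, but the three-level scales, the 3x3 matrix, the rule for how an existing control lowers likelihood, and every asset in the inventory are assumptions constructed for illustration.

```python
"""Steps 1-6 of the SRA as a qualitative risk determination (NIST SP 800-30 style).

Added example; it is not the M-CEITA toolkit and not text from the deck.
SP 800-30 describes rating likelihood and impact and combining them into a
risk level; the three-level scales, the matrix, the control-adjustment rule
and every inventory entry below are assumptions constructed for illustration.
"""
from dataclasses import dataclass

LEVELS = {"Low": 1, "Moderate": 2, "High": 3}
NAMES = {v: k for k, v in LEVELS.items()}

# Assumed 3x3 matrix (Step 6): residual likelihood x impact -> risk level.
RISK_MATRIX = {
    ("Low", "Low"): "Low",       ("Low", "Moderate"): "Low",           ("Low", "High"): "Moderate",
    ("Moderate", "Low"): "Low",  ("Moderate", "Moderate"): "Moderate", ("Moderate", "High"): "High",
    ("High", "Low"): "Moderate", ("High", "Moderate"): "High",         ("High", "High"): "High",
}

# Assumed rule for Step 3: how many likelihood levels an existing control removes.
CONTROL_REDUCTION = {"None": 0, "Partial": 1, "Full": 2}


@dataclass
class RiskItem:
    asset: str                # Step 1: asset that holds or touches ePHI
    threat: str               # Step 2
    vulnerability: str        # Step 2
    current_control: str      # Step 3: what is in place today
    control_effect: str       # Step 3: None / Partial / Full
    inherent_likelihood: str  # Step 4: likelihood with no control in place
    impact: str               # Step 5: impact to confidentiality/integrity/availability


def residual_likelihood(item):
    """Step 4 adjusted by Step 3; a control never drives likelihood below Low."""
    score = LEVELS[item.inherent_likelihood] - CONTROL_REDUCTION[item.control_effect]
    return NAMES[max(score, 1)]


def risk_level(item):
    """Step 6: look up residual likelihood and impact in the matrix."""
    return RISK_MATRIX[(residual_likelihood(item), item.impact)]


def build_register(items):
    """Rank the inventory by risk; anything above Low needs a documented action (Step 7)."""
    rows = [{"asset": it.asset, "threat": it.threat, "vulnerability": it.vulnerability,
             "current_control": it.current_control,
             "likelihood": residual_likelihood(it), "impact": it.impact,
             "risk": risk_level(it), "action_required": risk_level(it) != "Low"}
            for it in items]
    rows.sort(key=lambda r: LEVELS[r["risk"]], reverse=True)  # stable: ties keep inventory order
    return rows


# Constructed inventory for a small practice (not from any real assessment).
INVENTORY = [
    RiskItem("Provider laptop with local EHR cache", "Theft from vehicle",
             "No full-disk encryption", "Cable lock", "Partial", "High", "High"),
    RiskItem("EHR database server", "Ransomware",
             "Operating system not patched", "None", "None", "High", "High"),
    RiskItem("Off-site backup media", "Loss in transit",
             "Tapes readable by anyone holding them",
             "Media encrypted before leaving site", "Full", "Moderate", "High"),
    RiskItem("Front-desk workstation", "Shoulder surfing",
             "Screen faces waiting room", "Privacy filter and auto-lock", "Full", "High", "Low"),
    RiskItem("EHR user accounts", "Departed staff still able to log in",
             "Accounts not disabled promptly", "Termination checklist", "Partial",
             "Moderate", "Moderate"),
]


if __name__ == "__main__":
    for r in build_register(INVENTORY):
        flag = "ACTION" if r["action_required"] else "accept"
        print(f"{r['risk']:<8} {flag:<6} {r['asset']}: {r['threat']} / {r['vulnerability']}")
```

On the constructed inventory the register comes out High, High, Moderate, Low, Low: the unencrypted laptop and the unpatched server need a documented remediation plan, the encrypted backup media drop to Moderate only because of the control already in place, and the last two are accepted at Low. The ratings are judgement calls; what the OCR guidance and an auditor require is that each one, and the reasoning behind it, is written down and revisited when the environment changes (Step 8).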
Attesting to Meaningful Use
Risk assessment requirements:
- Must take place no earlier than the start of the EHR reporting year and no later than the provider's attestation date
- Must assess the certified EHR technology (CEHRT)
- Repeat for each reporting period (see CMS FAQ #10754)
- Attest only after you have conducted your Security Risk Assessment
- You do not have to correct deficiencies identified in the SRA before you attest, but correcting them must be tracked as part of your risk management process
How frequently do I need to do a Risk Assessment?
- For practices participating in Meaningful Use, a Security Risk Assessment needs to be completed for every year of attestation
- Also after major changes or upgrades to the practice, its technology, or its environment
- For HIPAA compliance, the recommendation is at least annually
SRA Service and Tools
M-CEITA Security Risk Assessment Toolkit:
- Follows NIST guidance (SP 800-30 and SP 800-66)
- Work on-site with practice leaders
- Guide through every step of the SRA process
- Deliver analysis and a recommended plan of action to improve compliance
Risk Assessment Tool: Sample Page
Sample Policy: Breach Notification and Reporting (customizable to your practice)
Conclusion
- Security Risk Assessments are required for compliance with HIPAA and Meaningful Use
- Risk and regulatory oversight are increasing
- Practices are expected to take security seriously and put forth a good faith effort
- Required: hard work, diligence, integrity
- An SRA is the first step of a continuous, comprehensive risk management program that will benefit your patients and your practice
Resources
- NIST SP 800-30
- NIST SP 800-39
- NIST SP 800-66
- ONC Guide to Privacy and Security of Health Information
- OCR "Wall of Shame" (breach portal)
- HHS Final Guidance on Risk Analysis
- HIPAA Administrative Simplification
Questions?

Upcoming webinars (Managing Hypertension and Diabetes by Mastering IT):
- April 15, 2015, 12-1pm
- April 17, 2015, 9-10am
- April 21, 2015, 12-1pm
- April 23, 2015, 3-4pm

Additional contact info:
Meaningful Use: www.mceita.org, 888-MICH-EHR, mceita@altarum.org
SRA (Security Risk Assessment): Andy Petrovich, 734-302-4780, andy.petrovich@altarum.org