Meaningful Use:
Security Risk Assessments
Nathan Gibson, CISA, CISSP
Agenda
Meaningful Use
RA Guidance
RA Tools
Risk Assessment
Prioritizing Risks
Attesting
Summary
Meaningful Use
Core Objective
– Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities
Measure
– Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
HIPAA Security Rule
45 CFR 164.308(a)(1)
– Risk Analysis
– Risk Management
– Sanction Policy
– Information System Activity Review
Risk Analysis
– Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
RA Guidance
OCR
– HIPAA Security Standards: Guidance on Risk Analysis
– http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/radraftguidance.pdf
NIST
– NIST 800-66: HIPAA Security Rule Guidance
– NIST 800-30: Risk Management
RA Process
Scope the Assessment
Gather Information
Identify Realistic Threats
Identify Potential Vulnerabilities
Assess Current Security Controls
Determine the Likelihood and Impact
Determine the Level of Risk
Recommend Security Controls
Document the Risk Assessment Results
NIST SP 800-30
RA Tool
ONC Security Risk Assessment Questionnaire
– Excel spreadsheet
– Follows NIST guidance (800-30 & 800-66)
– People/Processes and Technology (upcoming slide)
REC Version
– Practice Summary tab
– Simplifies the process
– Additional guidance
– Risk management
RA Tool
TVS###
Threat-Vulnerability Statement (TVS)
– Risk Assessment Tool (ONC & REC versions)
– Information Security Policy Template
– EHR Security Assessment
– Privacy and Security Checklist (HIPAA/HITECH)
RA Tool
People and Processes vs. Technology
Encryption (TVS012)
– People/Processes (2a)
• Policies and procedures for how PHI is protected during electronic messaging with third parties.
– Technology (2b)
• Technology used when protecting and monitoring PHI. That technology may itself have vulnerabilities, which also need to be assessed.
DRP & Backups (TVS026)
– People/Processes (2a)
• DR planning, including notification lists, evacuation plans, and business continuity
• Also includes the processes associated with technology DR, i.e., you have backups, but what are you going to do with those backups in the event of a disaster?
– Technology (2b)
• How are you performing backups? Onsite vs. offsite? Are they encrypted?
Risk Assessment
Closer look…
Prioritizing Risks
Risk Rating
Risk Likelihood
– How likely an 'Undesirable Event', such as a power outage or fire, is to occur to the medical practice.
Risk Impact
– In the event that an 'Undesirable Event' such as a power outage, fire, or lost backup tape occurs, what is the level of impact to the practice?
Contributing Factors
– Patient & Employee Safety
– Number of Patient Records
• Backup Tapes
• USB Thumb drives
• Laptops
– State & Federal Regulatory Requirements
• HIPAA
• Breach Notification
– Ability to See Patients (conduct business)
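The risk rating described above, worked through as an added example that is not part of the deck: a small Python worksheet that scores Threat-Vulnerability Statements with the likelihood and impact weights from NIST SP 800-30 (2002 edition) and ranks them for remediation. The TVS wording, ratings and current controls below are constructed for illustration; only the ids TVS012 and TVS026 come from the slides.

```python
"""Risk rating worksheet for Threat-Vulnerability Statements (TVS).

Added example, not from the original slides. Scores constructed TVS items
(ids TVS012/TVS026 as named in the deck) with the likelihood x impact
scale of NIST SP 800-30 (2002 edition, Table 3-6); all ratings are made up.
"""
from dataclasses import dataclass

LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}   # 800-30 weights
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


@dataclass
class TvsRating:
    tvs_id: str
    statement: str        # threat-vulnerability pair being rated
    likelihood: str       # how likely the undesirable event is to occur
    impact: str           # effect on safety, records, regulation, operations
    current_control: str  # what the practice has in place today

    def score(self) -> float:
        """Risk score = likelihood weight * impact weight."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        """Map the score onto the 800-30 bands: High >50, Medium >10, else Low."""
        s = self.score()
        return "High" if s > 50 else "Medium" if s > 10 else "Low"


def prioritize(register: list) -> list:
    """Return (tvs_id, level, score) highest first, so remediation starts
    with the items that must be mitigated before attesting."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r.tvs_id, r.level(), r.score()) for r in ranked]


# Constructed sample register; ratings are illustrative, not from the deck.
SAMPLE_REGISTER = [
    TvsRating("TVS012", "PHI e-mailed to third parties unencrypted (2a)",
              "High", "High", "No written policy; ad hoc practice"),
    TvsRating("TVS026", "Backups never restore-tested, no DR plan (2a)",
              "Medium", "High", "Nightly backups to a local drive"),
    TvsRating("TVS026", "Offsite backup tapes not encrypted (2b)",
              "Medium", "Medium", "Weekly courier to storage vendor"),
]

if __name__ == "__main__":
    for tvs_id, level, score in prioritize(SAMPLE_REGISTER):
        print(f"{tvs_id}  {level:<6} {score:5.1f}")
```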
Attesting
Risk assessment
– Prior to or during the 90-day reporting period
– Must be of the certified EHR technology
– Yearly updates (minimum)
When to attest: once you have
– Conducted your security risk assessment
– Corrected any identified deficiencies
ONC Guide to Privacy and Security of Health Information
http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
Summary
REC Version of the Security Risk Assessment tool
People/Processes and Technology
PHI stored & transmitted
Accept, Transfer or Mitigate risk
– Reasonable and appropriate
Document, document, document!
– Security Rule Requirement (45 CFR 164.316(b))
Information Security Policy Template
– Formally adopt within the practice
Have a question, comment, or suggestion?
Contact Nathan Gibson at:
[email protected]
304-346-9864 ext. 2236