How to Finish the HIPAA Security Risk Analysis and Meaningful Use Risk Assessment Caroline Hamilton caroline.r.hamilton@gmail.com Risk & Security LLC As channeled by Dr. HIPAA
Meaningful Use was the Hottest Topic at HIMSS 2012
Meaningful Use

The American Recovery and Reinvestment Act of 2009 (Recovery Act) authorizes the Centers for Medicare & Medicaid Services (CMS) to provide reimbursement incentives for eligible professionals and hospitals who are successful in becoming "meaningful users" of certified electronic health record (EHR) technology.

Meaningful Use of Electronic Health Records Final Rule

This rule provides guidelines to health professionals and hospitals on how to adopt and use electronic health record technology in a meaningful way to help improve the quality, safety, and efficiency of patient care. The rule also provides guidelines on how providers can qualify for the Medicare and Medicaid EHR Incentive Programs.
http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__regulations_and_guidance/1496
Required Meaningful Use Core Measure

Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), implement security updates as necessary, and correct identified security deficiencies as part of its risk management process.
From Federal Auditors, June 2012

#1 Deficiency in HIPAA Security Rule Compliance AND #1 Reason for Not Completing Meaningful Use: the organization has not conducted the REQUIRED risk analysis!
RISK ANALYSIS (Required)

"Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]."

Findings
- Did not perform a risk assessment
- Did not have a formalized, documented risk assessment process
- Had outdated risk assessments
- Did not address all potential areas of risk

Recommendations
- Develop a formal risk analysis program that is comprehensive
- Maintain an accurate inventory of where EPHI and PHI reside
- Identify threats and vulnerabilities
- Assess the level of risk
- Develop a Corrective Action Plan for the gaps identified
OCR Audit Issues - Security
OCR Audit Issues by Type
From the KPMG Audits, June 2012

At the Healthcare Financial Management Association's National Institute, June 24-27 in Las Vegas, two KPMG officials walked through the audit process. "It covers the full range of health care organizations, from mom-and-pop practices to large delivery systems," says Mark Higdon, a co-presenter and a partner in KPMG's healthcare advisory unit. Every provider needs to initiate an internal risk assessment now, Higdon advises. If they wind up being audited, "that will go a long way toward smoothing the audit," he adds.
LESSONS LEARNED from HIPAA Risk Analyses in the Field

1. Risk analyses not up to date, or never done.
2. Analyses too concentrated on technical elements.
3. Inputs for the analysis are too limited, often to just the IT security staff.
4. Business Associates are not included in the analyses.
5. Analyses don't follow NIST SP 800-66 guidance (An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule).
6. Analyses haven't been updated.
7. Didn't include protection of paper records.
MEGA-HIPAA RULE WILL BE RELEASED SOON

The mega rule combines four separate rulemakings: the changes to HIPAA's privacy and security rules mandated by the HITECH Act; the new enforcement requirements and higher penalty requirements; the final regulations of HITECH's breach notification rule; and changes to HIPAA to incorporate the Genetic Information Nondiscrimination Act (GINA). OCR also will release guidance to help entities implement the changes, including an updated business associate agreement. OCR helped the National Institute of Standards and Technology (NIST) develop an electronic tool to help entities comply with HIPAA's security rule.
OCR issued Final Guidance on the Risk Analysis in July 2010
Defining a Risk and Compliance Program with the HIPAA Risk Analysis

"Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the HIPAA Security Rule. Therefore, a risk analysis is foundational, and must be understood in detail." (Office for Civil Rights Guidance, July 2010)

"In addition to an express requirement to conduct a risk analysis, the Rule indicates that risk analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications." (Office for Civil Rights Guidance, July 2010)
Why Haven't Organizations Met The HIPAA Risk Analysis Requirement?

- Lots of work, lots of numbers.
- Must meet audit requirements for risk assessment.
- Voluminous content is hard to keep updated.
- How to administer web-based surveys, and involve management and the user community?
- How do you do the risk calculation and QUANTIFY RISK?
- How to quickly put reports together for management?
California Fines for Breaches (Average Cost Per Record: $2,766.00)

1. Community Hospital of San Bernardino: $250,000 fine; unauthorized access of 204 patients' medical information by 1 employee
2. Community Hospital of San Bernardino: $75,000 fine; unauthorized access of 3 patients' medical information by 1 employee
3. Enloe Medical Center: $130,000 fine; unauthorized access of 1 patient's medical information by 7 employees
4. Rideout Memorial Hospital: $100,000 fine; unauthorized access of 33 patients' medical information by 17 employees
5. Ronald Reagan UCLA Medical Center: $95,000 fine; unauthorized access of 1 patient's medical information by 4 employees
6. San Joaquin Community Hospital: $25,000 fine; unauthorized access of 3 patients' medical information by 2 employees
Elements of an OCR Risk Analysis Approach

- Assets / Values
- Threats / Risks
- Vulnerabilities / Weaknesses
- Losses
- Controls / Safeguards
Data Aggregation & Analysis

Example elements in each category (as shown on the slide):

- Assets: Applications, Database, Financial, Hardware, System, Software
- Losses: Delays & Denials, Fines, Patient Info. Data Disclosure, Modification, Direct Loss, Loss of Data
- Threats: Disclosure, Hackers, Fraud, Viruses, Network Attack, Embezzlement
- Vulnerabilities: Acceptable Use, Disaster Recovery, Authentication, Network Controls, No Security Plan, Accountability, Privacy, Access Control

Risk = Asset x Loss x Threat x Vulnerability

Software can automatically analyze the over 3 million potential linking relationships among these elements.
Creation of Risk Analysis Reports

- Include an Executive Summary.
- Include information about each individual who answered survey questions.
- Include relevant spreadsheets that detail the calculations and Return On Investment (ROI).
- Compare data from year to year.
- Tailor the report for management, and make it easy to understand.
Use Easy to Understand Graphics to Illustrate Overall Results

(Pie chart: Compliant vs. Non-Compliant, 46% / 54%)
Include Recommended Controls By Return On Investment

(Bar chart, ROI scale 0.0 to 8.0, of recommended controls: Security Plan, File/Program Control, Risk Assessment, Contingency Plan, Application Controls, Security Policy, Technical Surveillance, Documentation, Training, Audit Trails)
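The two preceding slides describe the calculation without showing it: every linked asset / loss / threat / vulnerability combination is scored as Risk = Asset x Loss x Threat x Vulnerability, the expected loss is totalled per vulnerability, and each candidate safeguard is ranked by how much annual risk it removes per dollar of cost. The following Python is an added worked example of that roll-up and ROI ranking; it is not code from the presentation or from any commercial tool. The asset values, probabilities, exposure factors, link table and control costs are constructed sample figures, and the scoring model (threat as annual probability, vulnerability as an exposure factor from 0 to 1, loss as a fraction of asset value, a control as a fractional reduction in exposure) is an assumption made here, since the slides do not specify the units.

```python
"""Risk roll-up for a HIPAA risk analysis: score every linked
asset / loss / threat / vulnerability combination, total the expected
loss per vulnerability, then rank candidate safeguards by return on
investment. All figures are constructed sample data, not from the slides."""
from itertools import product
from collections import defaultdict

# Asset values in dollars (constructed).
ASSETS = {"Database": 500_000, "Applications": 200_000}
# Loss categories as the fraction of asset value lost per incident (constructed).
LOSSES = {"Patient Info. Data Disclosure": 0.5, "Fines": 0.2}
# Threats as annual probability of occurrence (constructed).
THREATS = {"Hackers": 0.30, "Embezzlement": 0.05}
# Vulnerabilities as an exposure factor 0..1: how much of the threat gets
# through the current safeguards (constructed).
VULNERABILITIES = {"Authentication": 0.6, "No Security Plan": 0.4}
# Only some threat/vulnerability pairs are meaningful links; the analysis
# prunes every combination that is not in this table (constructed).
LINKS = {
    ("Hackers", "Authentication"),
    ("Hackers", "No Security Plan"),
    ("Embezzlement", "Authentication"),
}
# Candidate safeguards: annual cost and the fraction by which each one
# reduces the exposure of a given vulnerability (constructed).
CONTROLS = {
    "Audit Trails": {"cost": 20_000, "reduces": {"Authentication": 0.30}},
    "Security Plan": {"cost": 10_000, "reduces": {"No Security Plan": 0.90}},
    "Training": {"cost": 5_000,
                 "reduces": {"Authentication": 0.10, "No Security Plan": 0.10}},
}


def expected_loss(asset_value, loss_fraction, threat_prob, exposure):
    """Risk = Asset x Loss x Threat x Vulnerability, in dollars per year."""
    return asset_value * loss_fraction * threat_prob * exposure


def risk_by_vulnerability(assets=ASSETS, losses=LOSSES, threats=THREATS,
                          vulns=VULNERABILITIES, links=LINKS):
    """Sum the expected loss of every linked combination, keyed by vulnerability."""
    totals = defaultdict(float)
    for (_a, value), (_l, frac), (t, prob), (v, exposure) in product(
            assets.items(), losses.items(), threats.items(), vulns.items()):
        if (t, v) not in links:
            continue  # unlinked relationship: contributes nothing
        totals[v] += expected_loss(value, frac, prob, exposure)
    return dict(totals)


def total_risk(**kw):
    """Annual expected loss across all vulnerabilities."""
    return sum(risk_by_vulnerability(**kw).values())


def rank_controls_by_roi(controls=CONTROLS, **kw):
    """Return (control, risk removed per year, ROI) tuples, highest ROI first.
    ROI = annual risk removed / annual control cost."""
    base = risk_by_vulnerability(**kw)
    ranked = []
    for name, spec in controls.items():
        removed = sum(base.get(v, 0.0) * factor
                      for v, factor in spec["reduces"].items())
        ranked.append((name, removed, removed / spec["cost"]))
    ranked.sort(key=lambda row: row[2], reverse=True)
    return ranked


if __name__ == "__main__":
    print(f"Total annual expected loss: ${total_risk():,.0f}")
    for name, removed, roi in rank_controls_by_roi():
        print(f"{name:15s} removes ${removed:>9,.0f}/yr  ROI {roi:.2f}")
```

With these sample figures the cheap Security Plan control outranks the more expensive Audit Trails control even though both address real exposure, which is the point of the ROI bar chart: the ordering that reaches management is driven by risk removed per dollar, not by the size of the vulnerability alone. Swapping the constructed tables for the organization's own survey data, and the hard-coded LINKS set for the full threat/vulnerability linkage matrix, is what a tool does at scale.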
Commercially Available Tools Can Make it Easier to Stay in Compliance and Validate the HIPAA Security Decision Process

- Regulators are dictating how to do the HIPAA Risk Analysis, and it is MORE than a technical process.
- The HIPAA Risk Analysis is the best way to prepare for a potential audit.
- Ensure that all HIPAA Security Rule standards are met.
Risk & Security LLC Caroline Hamilton Direct Line: 1-301-346-9055 Caroline-hamilton@att.net www.caroline-hamilton.com www.twitter.com/riskalert