EHR Security - PowerPoint PPT Presentation

Slides: 32
Provided by: MargretAm5

Transcript and Presenter's Notes

1
EHR Roadmap WebEx
Stratis Health, the Minnesota Quality
Improvement Organization, in partnership with
other QIOs, presents . . .
  • EHR Security

2
Presenter
  • Margret Amatayakul
  • RHIA, CHPS, CPHIT, CPEHR, FHIMSS
  • President, Margret\A Consulting, LLC,
    Schaumburg, IL
  • Consultant to Stratis Health DOQ-IT Project
  • Independent information management and
    systems consultant, focusing on EHRs and
    their value proposition
  • Adjunct faculty College of St. Scholastica,
    Duluth, MN, masters program in health informatics
  • Founder and former executive director of
    Computer-based Patient Record Institute,
    associate executive director AHIMA, associate
    professor Univ. of Ill., information services
    IEEI
  • Active participant in standards development,
    HIMSS BOD, and co-founder of and faculty for
    Health IT Certification

3
EHR Roadmap
4
Objectives
  • Appreciate that security is necessary as much for
    good business practices as for HIPAA compliance
  • Identify the security features and functions
    needed to afford confidentiality, data integrity,
    and availability in an electronic environment
  • Ensure that there is an ongoing privacy and
    security compliance assurance program
  • Practice techniques to reassure providers and
    patients of the privacy and security of
    electronic health information

5
EHR Security
  • Security in an Electronic World

6
It's Not Just HIPAA
  • Privacy and security are good business practices
  • Patient privacy is part of the Hippocratic Oath
  • Business information must be kept confidential
  • Ensuring the safety of staff and visitors is
    essential
  • Keeping cash, drugs, supplies, and other
    materials from theft is a business function
  • Yet even such matters can be compromised
    through human factors, where people may not
    pay sufficient attention

7
But HIPAA Is Important
  • Privacy rule compliance was required by April 14,
    2003, Security rule by April 20, 2005
  • Compliance is not an end state, it is a
    beginning
  • 160.308 Compliance Reviews
    • The Secretary may conduct compliance reviews to
      determine whether covered entities are complying
      with the applicable requirements
  • 160.310 Responsibilities of covered entities
    • Provide records and compliance reports
    • Cooperate with complaint investigations and
      compliance reviews
    • Permit access to information . . . pertinent to
      ascertaining compliance

8
Also bear in mind,
  • Purpose of HIPAA Administrative Simplification:
    • To improve the efficiency and effectiveness of
      the health care system
    • By encouraging the development of a health
      information system
    • Through the establishment of standards and
      requirements for the electronic transmission of
      certain health information
  • Privacy rule tends to assume a greater level of
    automation than exists today
  • Security rule only addresses electronic data

9
Security Is A Concern
  • Stratis Health Attitudes Survey suggests security
    of EHR is on the minds of clinics
  • Security impacts CIA:
    • Confidentiality: protecting against wrongful
      disclosure and ensuring privacy rights
    • Integrity of data: keeping data from being
      altered or destroyed, such as by viruses and
      other malware, or human error
    • Availability: ensuring data are always available
      when needed, including protecting against
      degradation of system performance

10
Confidentiality
  • There have been breaches in the security of
    electronic protected health information (ePHI)
  • There have been wrongful disclosures of PHI from
    paper record systems
  • There has been identity theft in provider
    settings that has nothing to do with ePHI

The case of . . .
11
EHR Security
  • EHR System Security

12
HIPAA Security is Risk Based
  • 164.306 Security Standards - In deciding which
    security measures to use, a covered entity must
    take into account:
    • Size, complexity, capabilities
    • Technical infrastructure
    • Costs
    • Probability and criticality of potential risks

13
Risk Analysis Steps
  • Owner guidance on risk
  • Inventory: characterize policies, procedures,
    processes, physical layout, systems
  • Identify threats
  • Identify vulnerabilities
  • Determine likelihood risks may actually occur
  • Analyze impact if risk actually occurs
  • Determine/rate each risk
  • Analyze appropriate types of controls
  • Recommend controls; describe residual risk
  • Document results

14
Threats / Vulnerabilities
  • Threats
    • Accidental acts
      • Incidental disclosures
      • Errors and omissions
      • Proximity to risk areas
      • Work stoppage
      • Equipment malfunction
    • Deliberate acts
      • Inattention/inaction
      • Misuse/abuse of privileges
      • Fraud
      • Theft/embezzlement
      • Extortion
      • Vandalism
      • Crime
    • Environmental threats
      • Contamination
      • Fire
      • Flood
      • Power
  • Vulnerabilities
    • Administrative
      • Policy
      • Accountability
      • Management
      • Resources
      • Training
      • Documentation
    • Physical
      • Entrance/exit controls
      • Supervision/monitoring
      • Locks, barriers, routes
      • Devices
      • Disposal
    • Technical
      • New applications
      • Major modifications
      • Network reconfiguration
      • New hardware
      • Open ports

15
Probability of Occurrence / Criticality of Impact
  • Probability of occurrence
    • Has it happened before?
    • How frequently?
    • Does threat source have access, knowledge,
      motivation?
    • Predictability, forewarning?
    • Known speed of onset, spread, duration?
    • Are controls available to prevent? deter?
      detect? react? recover?
  • Criticality of impact
    • Patient care
    • Confidentiality
    • Complaint/lawsuit
    • Reduced productivity
    • Loss of revenue
    • Cost to remediate
    • Licensure/accreditation
    • Consumer confidence
    • Competitive advantage

16
Risk Analysis Tool
17
Risk Scoring
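The Risk Scoring slide itself is an image that did not survive the transcript, so here is an added worked example (not the presentation's own tool) that carries the Risk Analysis Steps through to a documented result: each risk pairs a threat with a vulnerability from the earlier slides, is rated on likelihood and impact, and is re-rated after the recommended prevent/detect/recover controls to show residual risk. The 1-5 scales, the high/medium/low thresholds, and the three register entries are all constructed for illustration.

```python
"""Risk scoring worked example (added illustration, not the presentation's tool).

The 1-5 likelihood and impact scales, the rating thresholds and the sample
register are constructed; a practice substitutes its own inventory findings.
"""
from dataclasses import dataclass, field

# Likelihood summarises "has it happened before, how often, does the threat
# source have access/knowledge/motivation" on a constructed 1-5 scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
# Impact summarises "patient care, confidentiality, lawsuit, revenue,
# licensure, consumer confidence" on a constructed 1-5 scale.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """A prevent/deter/detect/react/recover control and the scale steps it removes."""
    name: str
    kind: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One threat paired with the vulnerability it could exploit."""
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)  # recommended controls

    def inherent_score(self) -> int:
        """Rating before any recommended control is applied."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Rating left after the recommended controls, floored at 1 x 1."""
        like = LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        imp = IMPACT[self.impact] - sum(c.impact_reduction for c in self.controls)
        return max(like, 1) * max(imp, 1)


def rate(score: int) -> str:
    """Map a 1-25 score onto rating bands (constructed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank(register):
    """Order the register so the highest inherent risk is addressed first."""
    return sorted(register, key=lambda r: r.inherent_score(), reverse=True)


def document(register):
    """The 'document results' step: inherent vs. residual rating per risk."""
    return [
        {
            "threat": r.threat,
            "vulnerability": r.vulnerability,
            "inherent": (r.inherent_score(), rate(r.inherent_score())),
            "controls": [c.name for c in r.controls],
            "residual": (r.residual_score(), rate(r.residual_score())),
        }
        for r in rank(register)
    ]


# Constructed register built from threats and vulnerabilities named on the slides.
REGISTER = [
    Risk("Misuse/abuse of privileges", "Access privileges not removed on a timely basis",
         "likely", "major",
         controls=[Control("Same-day access removal on the termination checklist",
                           "prevent", likelihood_reduction=2),
                   Control("Monthly audit log review", "detect", likelihood_reduction=1)]),
    Risk("Equipment malfunction", "Only on-site backup", "possible", "severe",
         controls=[Control("Off-site backup copy, restore tested quarterly",
                           "recover", impact_reduction=3)]),
    Risk("Fire", "Exposed equipment in shared space", "unlikely", "severe"),
]

if __name__ == "__main__":
    for row in document(REGISTER):
        print(row)
```

The point of keeping both scores is that the "recommend controls; describe residual risk" step is what a reviewer under 160.308 will ask for: a register that only lists inherent ratings shows that risks were found, not that anything was decided about them.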
18
Greatest Areas of Risk in EHR for Clinics
  • Not performing a true risk analysis
  • Access and audit controls
    • Not acquiring an EHR with strong, role-based
      access controls and audit controls
    • Not establishing strong controls, often due to
      lack of break-the-glass controls in products
    • Not removing access privileges on a timely basis
    • Users not adhering to requirement for unique
      userID and authentication
  • One-time-only security training, with few
    reminders and awareness building
  • Not correlating security incidents with privacy
    complaints and addressing root cause
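The access-control risks above (role-based access, break-the-glass, timely removal of privileges) are easier to evaluate in a product when you can see them as one decision procedure. The following is an added example written for this transcript, not code from the presentation or from any EHR product; the roles, permissions, user accounts and treatment relationships are constructed. It shows the order of checks a strong implementation makes: is the account still active, does the role permit the action at all, does the user have a treatment relationship with the patient, and if not, is a documented break-the-glass reason given. Every decision, including the emergency override, lands in an audit trail so the override can be reviewed later rather than silently allowed.

```python
"""Role-based access control with break-the-glass and an audit trail.

Added example; roles, permissions, users and treatment relationships are
constructed for illustration and are not from the presentation or a product.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy: what each role may do at all, regardless of patient.
ROLE_PERMISSIONS = {
    "physician": {"read_chart", "write_note", "order_med"},
    "nurse": {"read_chart", "write_note"},
    "billing": {"read_demographics"},
}


@dataclass
class User:
    user_id: str
    role: str
    active: bool = True  # set False the day someone leaves; stale accounts are a listed risk


@dataclass
class AuditEvent:
    ts: str
    user_id: str
    action: str
    patient_id: str
    decision: str  # "allow", "deny" or "break-the-glass"
    reason: str


class AccessControl:
    def __init__(self, users, relationships):
        self.users = {u.user_id: u for u in users}
        self.relationships = relationships  # patient_id -> set of treating user_ids
        self.audit = []

    def _record(self, user_id, action, patient_id, decision, reason) -> bool:
        """Log every decision, then return whether access is granted."""
        self.audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                     user_id, action, patient_id, decision, reason))
        return decision != "deny"

    def authorize(self, user_id, action, patient_id, break_glass_reason=None) -> bool:
        user = self.users.get(user_id)
        if user is None or not user.active:
            return self._record(user_id, action, patient_id, "deny", "unknown or inactive user")
        if action not in ROLE_PERMISSIONS.get(user.role, set()):
            return self._record(user_id, action, patient_id, "deny",
                                f"role {user.role} lacks {action}")
        if user_id in self.relationships.get(patient_id, set()):
            return self._record(user_id, action, patient_id, "allow", "treatment relationship")
        if break_glass_reason:
            # Emergency override: allowed, but recorded distinctly for review.
            return self._record(user_id, action, patient_id, "break-the-glass", break_glass_reason)
        return self._record(user_id, action, patient_id, "deny", "no treatment relationship")

    def break_glass_events(self):
        """Overrides the privacy officer should review against patient complaints."""
        return [e for e in self.audit if e.decision == "break-the-glass"]

    def deactivate(self, user_id):
        """Timely removal of access: one flag, effective on the next request."""
        self.users[user_id].active = False


def demo():
    """Constructed scenario exercising each branch; returns the controller and outcomes."""
    ac = AccessControl(
        users=[User("dr_lee", "physician"), User("rn_cruz", "nurse"), User("bill_ng", "billing")],
        relationships={"P1001": {"dr_lee", "rn_cruz"}, "P1002": {"dr_lee"}},
    )
    results = {
        "physician_own_patient": ac.authorize("dr_lee", "order_med", "P1001"),
        "nurse_cannot_order": ac.authorize("rn_cruz", "order_med", "P1001"),
        "billing_no_chart": ac.authorize("bill_ng", "read_chart", "P1001"),
        "nurse_other_patient_denied": ac.authorize("rn_cruz", "read_chart", "P1002"),
        "nurse_break_glass": ac.authorize("rn_cruz", "read_chart", "P1002",
                                         break_glass_reason="ED: patient unresponsive"),
    }
    ac.deactivate("dr_lee")
    results["departed_physician"] = ac.authorize("dr_lee", "read_chart", "P1001")
    return ac, results


if __name__ == "__main__":
    controller, outcomes = demo()
    print(outcomes)
    print(controller.break_glass_events())
```

Note that the role check comes before the relationship check: a billing clerk with a legitimate financial relationship to a patient still never reaches a chart, and a break-the-glass reason cannot lift a role restriction, only a missing treatment relationship.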

19
More Risk Areas
  • Inadequate contingency plans
    • Only on-site backup
    • No processor redundancy
    • Minimal disaster recovery/emergency mode
      operation (a.k.a. business continuity) plan
    • Minimal space for data center, sometimes shared
      space, often exposed equipment
  • Lack of investment in and attention to
    maintenance of strong malware protection
  • Lack of policy surrounding use of personal
    devices
  • Inattention to change control: changing defaults,
    returning security controls to proper status

20
Examples of Tools to Help
21
Access Controls and Authentication
22
Audit Controls
  • Turn on
  • Use well-defined access controls
  • Use UserIDs
  • Review regularly for patterns
  • Consider software to analyze for patterns
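"Review regularly for patterns" is the step most practices find hardest (the HIMSS figures later in the deck put audit controls at the top of the difficulty list), so here is an added example of what pattern review can look like in software. It is not a tool from the presentation; the log format, the field names, the thresholds and the log lines are all constructed for this illustration. It looks for four patterns that map onto risks named in this deck: one userID in use from two workstations minutes apart (a shared login, against the unique-userID requirement), a user opening far more charts in a day than a role plausibly needs, access outside clinic hours, and repeated denied attempts.

```python
"""Audit log pattern review (added example, not a tool from the presentation).

Log format, field names, thresholds and log lines are constructed for this
illustration; a real EHR audit trail has its own schema.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    user: str
    workstation: str
    action: str
    patient: str
    outcome: str


def parse(lines):
    """Parse constructed 'timestamp user workstation action patient outcome' records."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ws, action, patient, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, ws, action, patient, outcome))
    return sorted(events, key=lambda e: (e.user, e.ts))


def shared_credentials(events, window=timedelta(minutes=10)):
    """One userID active from two workstations within `window`: likely a shared login."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    findings = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):  # evs are already in time order per user
            if a.workstation != b.workstation and b.ts - a.ts <= window:
                findings.append((user, a.workstation, b.workstation))
    return findings


def high_volume(events, max_patients=10):
    """A user touching more distinct charts in one day than a role plausibly needs."""
    per_day = defaultdict(set)
    for e in events:
        if e.outcome == "allowed":
            per_day[(e.user, e.ts.date())].add(e.patient)
    return [(u, d, len(p)) for (u, d), p in per_day.items() if len(p) > max_patients]


def after_hours(events, open_hour=7, close_hour=19):
    """Access outside clinic hours (constructed 07:00-19:00 window)."""
    return [(e.user, e.ts.isoformat()) for e in events
            if not open_hour <= e.ts.hour < close_hour]


def repeated_denials(events, min_count=3):
    """Users whose requests keep being refused: a permissions gap or probing."""
    c = Counter(e.user for e in events if e.outcome == "denied")
    return [(u, n) for u, n in c.items() if n >= min_count]


def review(lines):
    """Run every pattern check over a batch of log lines."""
    events = parse(lines)
    return {
        "shared_credentials": shared_credentials(events),
        "high_volume": high_volume(events),
        "after_hours": after_hours(events),
        "repeated_denials": repeated_denials(events),
    }


# Constructed sample log: one day, four users, each exercising one pattern.
SAMPLE_LOG = [
    "# timestamp user workstation action patient outcome",
    "2005-06-01T08:02:11 jdoe WS-01 read_chart P1001 allowed",
    "2005-06-01T08:05:40 jdoe WS-07 read_chart P1002 allowed",
    "2005-06-01T09:10:00 bjones WS-02 write_note P1003 allowed",
    "2005-06-01T23:45:00 bjones WS-02 read_chart P1004 allowed",
    "2005-06-01T10:00:00 tbrown WS-04 read_chart P1005 denied",
    "2005-06-01T10:00:30 tbrown WS-04 read_chart P1005 denied",
    "2005-06-01T10:01:05 tbrown WS-04 read_chart P1005 denied",
] + [f"2005-06-01T11:{m:02d}:00 asmith WS-03 read_chart P{2000 + m} allowed"
     for m in range(12)]  # constructed: twelve distinct charts in one hour

if __name__ == "__main__":
    for name, hits in review(SAMPLE_LOG).items():
        print(name, hits)
```

A finding here is a lead for the privacy officer, not a verdict: the volume threshold has to be set per role (a records clerk legitimately opens many charts), and the slide's advice to correlate security incidents with privacy complaints means these hits should be checked against the complaint log before anyone is confronted.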

23
In Case You're Not Convinced: Top OCR Complaints
  • Top five types of complaints
    • Impermissible uses/disclosures
    • Lack of adequate safeguards (e.g., charts left
      around)
    • Refused access
    • Disclosure of more than minimum necessary
    • Inadequate authorization or no NOPP
  • Top five sources of complaints
    • Private providers
    • Hospitals
    • Pharmacies
    • Outpatient facilities (e.g., ASC)
    • Group health plans

24
HIMSS/Phoenix Summer 2005
  • Most difficult security areas for providers to
    address:
    • Audit Controls (55)
    • Contingency Planning (47)
    • Risk Management/Risk Analysis (45)
    • Information System Activity Review (45)

25
Not As Much Risk
  • Email: most are cautious, follow guidance, use a
    portal
    • More commonly a risk for patients themselves
    • Some education for patients can be helpful
  • Firewalls, intrusion detection, and other
    transmission security controls often included
    in standard purchases
  • Workstation security: most have worked on such
    issues under privacy because they are most
    visible
  • Disposal

26
EHR Security
  • Ongoing Security Compliance

27
Compliance Continual Monitoring
28
Compliance Assurance Plan
29
EHR Security
  • Patient Communications

30
Security ≠ Secret Process
  • Hiding your note taking is passé, and may
    raise suspicions
  • You've always engaged patients sometimes
  • Explain what you're doing, including logging on
    and off for security!
  • Engage patient for better compliance
31
Stratis Health is a non-profit independent
quality improvement organization that
collaborates with providers and consumers to
improve health care.
This presentation was created by Stratis Health
under a contract with the Centers for Medicare &
Medicaid Services (CMS). The contents do not
necessarily reflect CMS policy.