Brought to you by Physicians Insurance A Mutual Company April 24, 2012 Presented by: Chris Apgar, CISSP

Transcription

1 Risk Analysis & Meaningful Use Brought to you by Physicians Insurance A Mutual Company April 24, 2012 Presented by: Chris Apgar, CISSP

2 Today s Webinar All participant lines are muted. If you have questions, please use the chat box to type in your question. We will do our best to respond to questions during the webinar but may need to follow up at a later time. The webinar is being recorded and instructions for how to access it will be provided via . Please join our next webinar on May 22, 2012 from 1-2 p.m. PST for: Risk Management Tips for EMR. We will discuss the top 10 ways in which practitioners can better use EMR to avoid malpractice risk and utilize actual case examples to demonstrate how EMR can improve documentation and how EMR can create potential litigation traps for the unwary.

3 Disclosure The speaker and planners for this activity have attested that neither they nor any immediate family members have a financial relationship or interest with a proprietary entity producing health care goods or services. The content of this CME activity will not include discussion of unapproved or investigational uses of products or devices. Physicians Insurance CME maintains full control of the content of every course we provide. It is our policy to identify and resolve all speaker and planner conflicts of interest. Each speaker is required to give a balanced, evidence-based presentation that is free of commercial bias.

4 Overview HIPAA Security Rule Requirements Meaningful Use Risk Analysis Requirements What Is a Risk Analysis? Conducting a Risk Analysis Summary and Q&A

5 HIPAA Security Rule & Risk Analysis Health provider organizations must: Implement a security management process (policies and procedures to prevent, detect, correct security violations) Periodically conduct a risk analysis (appropriate practice requires conducting the analysis at least annually) Implement an appropriate risk management program

6 HIPAA Security Rule & Risk Analysis Directly tied to meaningful use incentives but required beginning April 2005 OCR announced one of the areas an audit would focus on is risk analysis Need to demonstrate risk analysis was conducted (whole organization and not just IT or the EHR), mitigation plans developed, and risks addressed or accepted

7 Meaningful Use Stage 1 meaningful use measures includes attesting to completing a risk analysis as required by the HIPAA Security Rule More than a technical risk analysis Must assess administrative & physical risks Focus broader than just EHR Required to conduct risk analysis at least annually

8 Meaningful Use CMS will likely require submission of documentation demonstrating measures have been met including at least summary of risk analysis during Stage 2 Stage 2 requirements have been delayed to 2014

9 Meaningful Use Stage 2 draft rules published week of March 5, 2012 Additional security requirements in draft Stage 2 rule and more are likely in Stage 3 Wise to require business associates (BA) conduct a risk analysis (especially EHR vendor and because HITECH requires BAs adhere to the security rule)

10 What is a Risk Analysis? Quantitative Attempts to apply independently objective monetary value to: Risk components via actual cost or formula Potential losses via actual cost or formula More difficult to perform but may be more persuasive, objective, able to calculate riskrelated cost Many times based on actual cost Qualitative Subjective narrative descriptions of risk without ranking

11 What is a Risk Analysis? Ranking Approach Combination without strict financial values Allows for determination of probability and criticality of potential risks Can be used to determine prioritization and allow focus of practices on high-risk areas Uses high-medium-low categorization Following is an example of a combination of the qualitative and ranking approach

12 Conducting a Risk Analysis Review data systems Identify threats and vulnerabilities Evaluate existing security controls Assess likelihood Consider impact on organization Determine the risk

13 Review Data Systems Hardware (including portable hardware) Software Data storage locations (network, portable, shared storage, archiving, and backup storage) Modes of data transit Data sensitivity Primary users (internal and external)

14 Identify Threats Natural/Environmental disasters Electrical storm, flood, tornado, chemical spill Human threats Accidental data entry or deletion Internal inappropriate access for personal use or out of curiosity Hackers, viruses, malware, theft, vandalism Vulnerabilities Internal weaknesses or flaws technical, physical, administrative personnel

15 Identify Threats Physical threats Walk through office Develop and use walk-through survey based on security rule physical security safeguards Visitor access Alarm systems Administrative threats Presence or absence of policy/procedure Apply accountability to workforce Presence of training

16 Evaluate Security Controls Preventive Access restrictions (minimum necessary; internal and external) Policies & procedures Authentication passwords, biometrics, tokens Effective staff training Personnel management, background checks, work history Environmental controls

17 Evaluate Security Controls Detective Audit trails/audit programs Alarms anti-virus applications, malware detection, intrusion detection, firewalls, etc.

18 Assess Likelihood Nature of the specific threat or vulnerability Create a matrix considering: Threat/vulnerability source motivation and capability Existence and effectiveness of current controls

19 Assess Likelihood Likelihood levels: balance between threat and controls High controls required Medium controls appropriate/balance against business requirements Low controls if cost-effective (if not, document)

20 Consider Impact Purpose - Determine adverse impact to the practice if threat is successful Consider: How important is the activity affected? How critical is system or data to operations? How sensitive is the data? Other external adverse impacts (such as loss of business, civil suits, etc.)

21 Consider Impact Describe the potential impact as: Loss or degradation of any one or combination of integrity, availability, or confidentiality Impact on ability to treat patients Intangible or indirect impacts include: Lost revenue stream Repair/personnel costs Civil liability Public loss of confidence, credibility

22 Consider Impact Of data Release/misuse Manipulation/corruption Temporary or permanent inaccessibility Temporary data erasure Backup copies available? Recovery of backed-up data tested? Frequency and cost of each event

23 Magnitude of Impact Magnitude of impact Qualitative measures High Medium Low Prioritize Use qualitative or ranking approach Direct cost and ROI Requires quantitative analysis

24 Determine Risk Define: Likelihood level Magnitude of impact Apply to organization defined risk matrix (see sample risk matrix following)

25 Risk Matrix

26 Low Risk Actions Based on Risk Level No action, accept risk and document reasons for risk acceptance or, Minimal action needed Medium Risk Some response needed in reasonable time Look at controls High Risk Take action now, urgency present Implement additional protections

27 Resources Physicians Insurance: Office for Civil Rights: administrative/securityrule/rafinal guidance.html National Institute of Standards & Technology: /800-30/sp pdf Apgar & Associates, LLC:

28 Summary and Q&A This presentation brought to you by Physicians Insurance A Mutual Company. Special thanks to our expert presenter: Chris Apgar, CISSP CEO & President