One of the Meaningful Use(MU) core objectives for eligible professionals, eligible hospitals and critical access hospitals is to conduct through technical risk analysis of EHR and ePHI systems. The primary objective of the risk analysis is to identify the key vulnerabilities in the ePHI and EHR systems and plan on mitigating the risks by fixing, transferring or accepting risks. Attestation of the risk analysis is required every year to CMS for incentive payments. EHR 2.0 risk analysis services ensures you identify the key technical risks in your areas. Why risk analysis? HIPAA and meaningful risk analysis is the first step in healthcare practice’s security rule compliance efforts. Risk analysis is an ongoing process that should provide the practice with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI. The key questions asked during a risk analysis are: Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit. What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI? What are the human, natural, and environmental threats to information systems that contain e-PHI? What is the scope of the risk analysis? The scope of risk analysis that the HIPAA security rule encompasses includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits. This includes e-PHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media. Electronic media includes a single workstation as well as complex networks connected between multiple locations. Thus, an organization’s risk analysis should take into account all of its e-PHI, regardless of the particular electronic medium in which it is created, received, maintained or transmitted or the source or location of its e-PHI. How to inventory ePHI systems? An healthcare organization must identify where the e-PHI is stored, received, maintained or transmitted. An organization could gather relevant data by: reviewing past and/or existing projects; performing interviews; reviewing documentation; or using other data gathering techniques. The data on e-PHI gathered using these methods must be documented. How to identify and document potential threats and vulnerabilities? Healthcare organizations must identify and document reasonably anticipated threats to e-PHI. Organizations may identify different threats that are unique to the circumstances of their environment. Organizations must also identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI. Contract us at info@ehr20.com

1. Welcome to our
Webinar on
Meaningful Use
Risk Analysis!
We will be starting in a moment …
Visit us at www.ehr20.com

2. Meaningful Use Risk
Analysis

3. Webinar Objective
Understand and Perform Meaningful Use
Risk Analysis that satisfies CMS
incentive and attestation requirement.
E-mail: info@ehr20.com
3

4. Who are we …
EHR 2.0 Mission: To assist healthcare
organizations develop and implement
practices to secure IT systems and comply
with HIPAA/HITECH regulations.
 Education(Training, Webinar & Workshops)
 Consulting Services
 Toolkit(Tools, Best Practices & Checklist)
Goal: To make compliance an enjoyable and painless
experience, while building capability and confidence.

5. Glossary
1. HHS, CMS:
2. NIST:
3. Findings:
4. Risk Analysis:
5. HITECH:
6. MU:
5

6. Why now?
6

7. HITECH Modifications to HIPAA
 Creating incentives for developing a meaningful use
of electronic health records
 Changing the liability and responsibilities of Business
Associates
 Redefining what a breach is
 Creating stricter notification standards
 Tightening enforcement
 Raising the penalties for a violation
 Creating new code and transaction sets (HIPAA 5010,
ICD10)
7

8. CMS Meaningful Use Incentives
For Eligible Professionals 8

9. MU Risk Analysis
9
http://www.oregon.gov/

10. For Eligible Professionals
10

11. For Eligible Hospital & CAH
11

12. Attestation Overview
 Attestation is to legally state that you have
demonstrated and met the core objective.
 Potential audit by CMS and State
 All relevant supporting documentation (paper or
electronic)
 Six- Years
Certified EHR system doesn’t mean that you need
not perform security analysis
12

13. HIPAA Titles - Overview
13

14. HIPAA Security Rule
164.308(a)(1)
14

15. HIPAA Security Management(164.308)
(A) Risk analysis (Required)
Conduct an accurate and thorough assessment of the
potential risks and vulnerabilities to the confidentiality,
integrity, and availability of electronic protected health
a(1) Security information held by the covered entity.
(B) Risk management (Required)
Management Implement security measures sufficient to reduce risks
and vulnerabilities to a reasonable and appropriate level
Process to comply with §164.306(a).
Implement policies and (C) Sanction policy (Required)
procedures to prevent, Apply appropriate sanctions against workforce members
detect, contain, and who fail to comply with the security policies and
correct security procedures of the covered entity.
violations.
(D) Information system activity review (Required)
Implement procedures to regularly review records of
information system activity, such as audit logs, access
reports, and security incident tracking reports.
15

16. Information Security Model
Confidentiality
Limiting information access and
disclosure to authorized users (the right
people)
Integrity
Trustworthiness of information
resources (no inappropriate changes)
Availability
Availability of information resources (at
the right time)
16

17. PHI
Health
Information
Individually
Identifiable
Health
Information
PHI
17

18. ePHI – 18 Elements
Elements Examples
Name Max Bialystock
1355 Seasonal Lane
Address (all geographic subdivisions smaller than state,
including street address, city, county, or ZIP code)
Dates related to an individual Birth, death, admission, discharge
212 555 1234, home, office, mobile etc.,
Telephone numbers
212 555 1234
Fax number
Email address LeonT@Hotmail.com, personal, official
Social Security number 239-68-9807
Medical record number 189-88876
Health plan beneficiary number 123-ir-2222-98
Account number 333389
Certificate/license number 3908763 NY
Any vehicle or other device serial number SZV4016
Device identifiers or serial numbers Unique Medical Devices
Web URL www.rickymartin.com
Internet Protocol (IP) address numbers 19.180.240.15
Finger or voice prints finger.jpg
Photographic images mypicture.jpg
Any other characteristic that could uniquely 18
identify the individual

19. Healthcare Infrastructure
 Computers
 Storage Devices
 Networking devices (Routers,
Switches & Wireless)
 Medical Devices
 Scanners, fax and
Any device that photocopiers
electronically stores or  VoIP
transmits information  Smart-phones, Tablets (ipad,
using a software
PDAs)
program 19
 Cloud-based services

20. Trends in Healthcare IT
Informatics Collaboration
Mobile EHR
Computing HIE
20

21. Handheld Usage in Healthcare
• 25% usage with providers
• Another 21% expected to use
• 38% physicians use medical
apps
• 70% think it is a high priority
• 1/3 use hand-held for accessing EMR/EHR
21
compTIA 2011 Survey

22. EMR and EHR systems
22

23. Health Information Exchange (HIE)
23

24. Social Media
 How does your practice use it?
 Is there a way to safely use social media?
 Do you have policies?
 Have you trained your employees on social
media best practices?
24

25. Cloud-based services
 Public Cloud
 EHR Applications
HIPAA regulations  Private-label e-mail
remain barriers to full
cloud adoption
 Private Cloud
 Archiving of Images
 File Sharing
Cloud Computing is taking
all batch processing, and  On-line Backups
farming it out to a huge
central or virtualized
 Hybrid 25
computers.

26. Informatics
26

27. All risk analysis are not
created equal …
 Organizations Type
 Small Practices, Hospitals and Specialties
 Organization Size
 Employees, Locations, etc.,
 Complexity of Technology
 Mobile, Network, Hosted, Cloud, etc.,
27

28. Conducting Risk Analysis
1. Security Program Roles & Responsibilities
External Parties
2. Security Policy Policy and Procedures
3. Risk Management &
Compliance Risk Assessment and Legal Requirements
4. Training & Awareness On-the-job Training
5. Personnel Security Background Checks, T&C, Termination
6. Physical Security Secure Area
7. Network Security Access, Encryption, VA, Monitoring
8. Logical Access Identify and Access Mgmt.
9. Operations Management AV, Security Monitoring, Media Handling,
Disposal, SOD
10. Incident Management Process and Procedures
11. Business Continuity 28
Management Backup and DRs

29. Risk Assessment Methodology
Flowchart(NIST) – Large Organizations
Step 3: Step 5: Step 7: Step 8:
Step 1: System Step 2: Threat Step 4: Step 6:
Vulnerability Likelihood Risk Control
Characterization Identification Control Analysis Impact Analysis
Identification determination Determination Recommendation
Current controls
Mission impact Recommended
Reports from and planned Likelihood of
Hardware, analysis, asset controls
previous risk controls Threat source threat
Software, criticality
assessments, motivation, assessment, exploitation,
System any audit threat capacity, data criticality, magnitude of
Interfaces, Data History of comments, Nature of data sensitivity impact,
and Information, system attack, security List of current vulnerability, adequacy of
People and Data from requirements, and planned current controls planned or
System mission intelligence security test controls current controls
agencies results
Impact rating
Risk and
List of potential Likelihood rating Associated risk
System vulnerabilities levels
boundary,
functions,
criticality and
sensitivity
Threat
Statement

30. Risk Analysis - Example
Risk Description
Risk Description /Threat and Probability Conse- Risk Risk
Potential Loss of Loss quence Score Value
ePHI located on Desk top in an 4 4 16 High
employees office is not routinely
backed up.
Risk = Loss of PHI
(Identified in Gap Analysis)

31. Sample Risk Analysis Template
Likelihood
High Medium Low
High Unencrypted Lack of auditing on Missing security
laptop ePHI EHR systems patches on web server
hosting patient
information
Impact
Medium Unsecured Outdated anti-virus External hard drives
wireless network software not being backed up
in doctor’s office
Sales presentation Web server backup Weak password on
Low on USB thumb tape not stored in a internal document
drive secured location server
31

32. Risk Analysis for a Small Practice
32

33. Top 5 Recommendations
1. Ensure encryption or de-identification
2. Mobile device security program.
3. Awareness and training programs.
4. Complete business associate due diligence
5. Minimize sensitive data capture, storage and
sharing.
33

34. Meaningful Use Stage 2 and Stage 3
Security Requirements
 Security risk analysis with encryption
assessment
 Secure messaging for ambulatory practices
34

35. Where do you start?
Identify ePHI systems, processes
and people involved
Conduct Risk Assessment
- Type, Size and Complexity
Prioritize and Remediate
- Risk Analysis template
Assess and Improve
- Monitor, Evaluate and adjust 35

36. Key Takeaways
 Risk Analysis is foundation for an effective
security program
 ePHI elements drives risk analysis scope
 There is no silver bullet for risk management. It
is a journey of continuous assessment and
improvement
36

37. Additional Resources
 NIST - Risk Management Guide for Information
Technology Systems SP800-30
 An Introductory Resource Guide for
implementing the (HIPAA) Security Rule
 Small Practice Security Guide
37

38. Next Steps
 Training Package
 Risk assessment questionnaire
 Sample policies and procedures
 4-hour training/consulting
ehr20.com/services
 Next Live Webinars:
 Business Associate Assessment (4/25/2012)
 HIPAA/HITECH Security Assessment(5/2/2012)
Sign-up at ehr20.com/webinars
38

39. Questions?
E-mail: info@ehr20.com
Call: 802-448-2255
39

40. Thank you!!
40