Unblocking The Main Thread Solving ANRs and Frozen Frames
Stage 2 Meaningful Use: The Next Step in Security Risk Analysis
1. Stage 2 Meaningful Use: The Next Step in Security Risk Analysis
At first read, the security risk analysis (SRA) provisions of the proposed Stage 2 “meaningful use” regulations appear to
have changed only slightly from those in Stage 1. The language in the draft rule is nearly identical to Stage 1, with one
notable addition highlighted below:
“Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1),including
addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45
CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of
the provider’s risk management process.
Covered entities and eligible providers must now address the issue of encryption of “data at rest” as part of their security
risk analysis process. This shines a spotlight on the existing encryption references within the HIPAA Security Rule.
Encryption of ePHI is specifically covered under 45 CFR 164.312(a)(2)(iv) which reads; “Implement a mechanism to
encrypt and decrypt electronic protected health information.” However, since it is categorized as an “addressable control,”
it is not specifically mandated.
As part of Stage 2 Meaningful Use, encryption of “data at rest” must be considered as an addressable control. As
such, providers need a process by which they evaluate whether the control is “reasonable and appropriate” and would
likely contribute to protecting its health information. If the control is deemed “reasonable and appropriate,” then
it must be implemented. However, if the provider decides “encryption of data at rest” is not reasonable and appropriate,
then it must 1) document why it is not reasonable and appropriate, and 2) Implement an equivalent alternative measure if
reasonable and appropriate. Despite a little remaining wiggle room, it has become increasingly difficult to justify not
encrypting ePHI under the “reasonable and appropriate” caveat.
Turning to the new rules for EHR software certification, Stage 2 also requires the main software application ‘to be able to
demonstrate the capacity to encrypt [data on] mobile devices in circumstances where the EHR technology manages the
data flow on the mobile device,” In our view, these provisions stop just short of a mandate. Determining reasonableness is
not just about the cost of hardware and software or the complexity of implementation. It is more about whether or not the
organization can execute the requirement consistently and effectively.
Given that the majority of significant breaches to date have been the result of lost or stolen devices containing
unencrypted data, and the increasing mobility of data itself, it will be difficult to find “equivalent alternative measures.” That
said, Redspin can provide a framework for considering the issue within our overall SRA roadmap and expert guidance on
how to reasonably and effectively protect patient information.
WEB PHONE EMAIL
WWW.REDSPIN.COM 800-721-9177 INFO@REDSPIN.COM