Meaningful Use Privacy
             and Security Risk Assessment:
            What it is and How to Approach it

       Leveraging the CSF and CSF Assurance Program




June 2011
Introduction

HITRUST continues to receive questions on performing a risk assessment for
meaningful use. This document is being released as guidance to provide the
healthcare industry with a clear process to satisfy the privacy and security
requirements of meaningful use.

This guidance is intended for security and compliance professionals of healthcare
providers and is divided into three sections:
1. Quick start guide to conducting a risk assessment for Stage 1 meaningful use
   security and privacy requirements
2. Background on meaningful use and the Stage 1 security and privacy
   requirements for conducting a risk assessment
3. The recommended approach for conducting an efficient and effective risk
   assessment leveraging the CSF Assurance program




1                                           © 2011 HITRUST LLC, Frisco, TX. All Rights Reserved.
Conducting your Meaningful Use Risk Assessment

 Five steps to getting started with the CSF Assurance Program:
 1. Visit http://www.hitrustalliance.net/selfassessment/ for performing your
     meaningful use risk assessment.*
 2. Identify your scope
     – Details on slides 15 and 40
 3. Perform an assessment using the Common Health Information Protection
     Questionnaire (CHIP) and Compliance Worksheet.**
     – Details on slides 16-20 and 42-43
 4. Submit your CHIP to HITRUST
 5. Obtain a HITRUST CSF Validated Report with benchmarking data and CAP
     – Details on slides 23-24 and 46-48
 6. Register and attest for meaningful use Stage 1
     – Details on slides 26-30
*For other assurance options, including remote and on-site assessments via a third party CSF Assessor, please visit
http://www.hitrustalliance.net/assurance/
**A Compliance Worksheet is required for assessments conducted by a CSF Assessor or when a compliance scorecard is requested (e.g.,
HIPAA Security Rule)
2
Meaningful Use Stage 1 Requirements for
    Privacy and Security




3
What is Meaningful Use?

•    The use of a certified EHR [system/technology] in [a] meaningful way:
      – For the electronic exchange of health information to improve the quality of
         health care, and
      – To submit clinical quality and other measures (to federal and state agencies)
•    Stage 1 requirements (2011 and 2012)
      – For eligible hospitals and critical access hospitals
          • 25 MU objectives
                – 15 core objectives that are required
                    » Includes the protection of electronic health information
                – 5 of 10 menu set objectives that are optional
      – For eligible professionals
          • 24 MU objectives
                – 14 core objectives that are required
                    » Includes the protection of electronic health information
                – 5 of 10 menu set objectives that are optional
Source: https://www.cms.gov/EHRIncentivePrograms/30_Meaningful_Use.asp

4
Why Pursue Meaningful Use?
•    Medicare and Medicaid provide financial incentives for the meaningful use of
     certified EHR technology to achieve health and efficiency goals.
•    By [implementing] and meaningfully using an EHR system, providers:
      – Receive financial incentives (complex formula)
            • Hospitals (Health System = Hospital)
                 – Base of $2 million—up to 1,149 acute inpatient discharges for prior
                    12 months
                 – Maximum of $6,370,200—$200 for each additional discharge up to
                    23,000
            • Critical Care Hospitals will be paid “on reasonable costs”
            • Eligible Providers
                 – Between $24K and $44K based on first calendar year submitted
      – Avoid reductions in Medicare and Medicaid payments beyond 2015
      – Reap benefits beyond financial incentives (e.g., reduction in errors, availability
          of records/data, reminders and alerts, clinical decision support, and e-
          prescribing/refill automation)
Source: https://www.cms.gov/EHRIncentivePrograms/30_Meaningful_Use.asp
http://journal.ahima.org/2010/08/26/meaningful-use%E2%80%94incentive-payments-and-program-requirements
5
What are the Security & Privacy Requirements?

•    Stage 1 MU Measure
      – Protect [ePHI] created or maintained by the certified EHR technology
        through the implementation of appropriate technical capabilities
•    Stage 1 MU Objective
      – As part of [an overall] risk management process
          • Conduct or review a security risk analysis [per the HIPAA Security
             Rule] (45 CFR 164.308(a)(1))
          • Implement security updates as necessary
          • Correct identified security deficiencies
•    Stage 1 MU Attestation
      – Organizations must conduct a risk analysis at least once prior to the end
        of the EHR reporting period with supporting documentation and updates
        implemented as necessary
      – You’re attesting to the government, which implies civil and/or criminal
        penalties for false statements … so take attestation very seriously!
Source: http://www.cms.gov/EHRIncentivePrograms/Downloads/14HC-ProtectElectronicHealthInformation.pdf
6
What is a Security Risk Analysis?

•     The Security Rule describes a “risk analysis” as “an accurate and thorough
      assessment of the potential risks and vulnerabilities to the confidentiality,
      integrity, and availability of electronic protected health information [ePHI]”
•     Conducting a risk analysis is the first step in identifying and implementing
      safeguards that comply with and carry out the standards and implementation
      specifications in the Security Rule
•     Additionally, the Security Rule requires entities to implement reasonable and
      appropriate security measures to protect against reasonably anticipated
      threats or hazards to the security or integrity of ePHI
•     However, the Security Rule does not prescribe a specific risk analysis
      methodology …




Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/radraftguidance.pdf
7
What are the Elements of a Risk Analysis?

 •     Scope the Analysis
         – Include the potential risks and vulnerabilities to the confidentiality, availability and
           integrity of all ePHI that an organization creates, receives, maintains, or transmits
           (45 CFR § 164.306(a))
 •     Collect Data
         – Identify where ePHI is stored, received, maintained or transmitted (See 45 CFR §§
           164.308(a)(1)(ii)(A) and 164.316(b)(1))
 •     Identify and Document Potential Threats and Vulnerabilities
         – Identify and document reasonably anticipated threats to ePHI (See 45 CFR §§
           164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii))
 •     Assess Current Security Measures
         – Assess and document the security measures an entity uses to safeguard ePHI
           (See 45 CFR §§ 164.306(b)(1), 164.308(a)(1)(ii)(A) and 164.316(b)(1))
         – In other words, conduct an information security risk assessment



Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/radraftguidance.pdf
8
Guide to Meaningful Use Risk Assessments

1.   Demonstrate reasonable practices
     A. Select a sound risk assessment methodology
     B. Align controls with industry standards and best practices

2.   Be efficient—you’ll need resources for remediation efforts
     A. Meaningful use focuses on your certified EHR not the whole environment
     B. Use sampling techniques in your environment for similar implementations
     C. Don’t forget physician practices—they are an entry point into your
         environment

3.   Take remediation seriously
     A. Develop prioritized corrective action plans, but be careful not to over-
        commit or under-commit resources, as this could expose you to cost
        overruns or non-compliance with regulatory requirements
     B. Actively manage remediation as a portfolio of projects and initiatives

9
Demonstrate Reasonable Practices




10
Select a Sound Risk Assessment Methodology

•    Identify an information security risk assessment approach that
       – Scopes (tailors) the assessment
       – Prepares for the assessment
       – Reports assessment results
       – Tracks and measures progress (corrective actions)
•    If you use a third party to assist with or conduct the assessment, ensure their
     “proprietary” methodology incorporates the above-listed items
•    Identify standard templates for documenting results and developing corrective
     action plans
•    Many organizations confuse a technical evaluation of controls with a risk
     assessment; however, these are different concepts and different requirements
     under HIPAA




11
Fundamental Risk Assessment Approach



1. Determine Scope
   - Applications, interfaces, infrastructure
2. Prepare for Assessment
   - Focus on high risk areas
   - Identify individuals responsible for key control areas
   - Conduct top down enterprise control analysis
   - Do not get stuck in the weeds
3. Report
   - Report of findings
   - Remediation plan
4. Track and Measure Progress
   - Establish a PM over the remediation
   - Track progress against industry benchmarks
   - Focus on measures




12
Align Control Decisions with Industry Standards

•    Seek an integrated information security and compliance framework
•    Choose a controls-based approach that is
       – Comprehensive
       – Prescriptive
       – Certifiable
•    Define control practices tailored for use in a healthcare environment

[Diagram: standards and requirements to be integrated: COBIT, ISO 27001/2,
HITECH Act, HIPAA Security, PCI, Meaningful Use, State Reqs., NIST 800-53]




13
Be Efficient




14
Focus on the Certified EHR System

•    Within scope of a review
      – All servers that run any module of the certified EHR
      – The wide area and local networks supporting the EHR
      – Information/data exchange interfaces with other systems
      – Workstations, laptops or portable media used to access the EHR
      – Vendors that support or have access to data in the EHR
      – People, process, policies and standards that are related to the control of
         the above components
•    Potentially out of scope
      – Third party applications that do not interface with the EHR (for example,
         payroll system would not be included in scope)
      – Network environments that are isolated from the wide area network or the
         network connected to the EHR



15
Testing

•    Testing of controls to identify risks may include one or all of the following
     components:
      – Interview of key personnel responsible for security, IT and key business
        processes
      – Review of documentation related to the security practices of the
        organization and systems
      – Technical testing of application, system and hardware configurations




16
Example Interviews

•    Types of roles to interview:
      – Web application manager
      – Internal audit
      – Security assurance manager (risk management, business continuity
        management, vulnerability management, training and awareness, security
        policies)
      – Monitoring and response manager
      – Server engineering
      – Desktop engineering
      – Human resources
      – Access and identity management
      – Application developer
      – Operations/office manager
      – Legal counsel

17
Example Documents to Review (i)

•    Asset inventory with risk classification
•    Network diagram
•    Organization chart
•    Business associate agreement template
•    Risk assessment program
      – Application assessment questionnaires
      – Sample web application assessments
      – Sample network vulnerability assessments
      – Sample attack and penetration report
•    Project/engagement hierarchy
•    System configuration checklists




18
Example Documents to Review (ii)

•    Business continuity management program
      – Business impact analysis templates
      – Business continuity plan template
      – Disaster recovery plan template
      – Sample business continuity and disaster recovery plans
•    Sample security awareness and training materials
•    Policies and standards framework
      – Policy and standards third party review report
•    Incident monitoring and response program and associated procedures
•    Security council charter




19
Use Sampling Techniques Where Appropriate
•    General rule of thumb
      – Use sampling when:
            • Environment is under the same management control
            • Departments/facilities/systems are subject to the same policies and procedures
            • Portions of hybrid enterprise/local environments are under enterprise control
      – Assess everything if sample indicates excessive variability
•    Multi-facility systems
      – Scope is directly impacted by the level of standardization
            • Highly standardized with enterprise level controls
                   – Select a random sample of like facilities to assess risks (e.g., assess a
                     sample of large acute care, smaller acute care and of outpatient facilities)
            • Little standardization
                   – Select a sample of facilities to assess any enterprise wide or centrally
                     managed controls (e.g., assess how effectively the enterprise wide patch
                     management function is operating at a sample of facilities)
                   – Assess non-standard controls at every facility (e.g., if facilities contract and
                     manage data disposal independently, then assess this process at every
                     facility)
20
Assist Physician Practices

•    Physician practices:
      – Introduce significant vulnerabilities into an EHR system of a hospital or health
         system
      – Generally do not have the expertise or resources to conduct a risk assessment
•    To assist:
      – Physician practices that run on a hospital’s EHR and are subject to hospital policies
           • Leverage hospital assessment for any controls under direct control of the
              hospital (e.g., the patching and configuration of the EHR servers)
           • Select a sample of practices to assess how effectively hospital policies are
              implemented (e.g., clear desk policy, password management policies)
      – Physician practices that run on a hospital’s EHR, but aren’t subject to hospital
         policies
           • Leverage hospital assessment for any controls under direct control of the
              hospital (e.g., the patching and configuration of the EHR servers)
           • For each practice, assess controls under the management of the physician
              practice (e.g., security policies, workstation security)



21
Take Remediation Seriously




22
Develop Sound Corrective Action Plans

•    Develop a methodology for the development of corrective action plans (CAPs)
     … what the federal government refers to as “Plans of Action and Milestones”
      – Integrate CAP development into existing processes where possible
            • Project management
            • Ticketing systems (or other workflow management)
            • Change control
      – Automate with a governance, risk and compliance (GRC) system/tool
         when possible
•    Obtain or develop training materials for control owners and other stakeholders
     (e.g., management) to understand and implement the CAP methodology
•    Train your control owners and other stakeholders




23
Actively Manage Remediation

•    HIPAA (in general) and meaningful use (in particular) require the remediation of
     identified security deficiencies
       – It’s sufficient for Stage 1 meaningful use to develop formal corrective action plans
       – However, there is an expectation that these corrective actions will be taken
       – Failure to take reasonable and appropriate measures to remediate deficiencies
          would be a violation of the HIPAA Security Rule and could make an organization
          subject to federal and state civil and criminal penalties for making false statements
•    Use project management principles and techniques to actively manage remediation
     activities as a single portfolio
       – Management should formally approve all corrective action plans
       – Remediation activities should be actively monitored and CAPs updated accordingly
       – CAP status should be reported to senior management on a regular and timely basis
          (along with other security risk metrics), such as:
             • Number of CAPs developed and approved as a percentage of identified
               deficiencies
             • CAP progress such as percentage on-time or behind schedule sorted by risk
             • Number of CAPs remediated over time as a percentage of all CAPs actively
               managed
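The three CAP status metrics listed above, computed over a constructed CAP register as an added example (this is not HITRUST tooling; the deficiency ids, risk levels, due dates and the as-of date are all assumed):

```python
"""Corrective action plan (CAP) portfolio metrics for senior-management reporting.

Added example, not HITRUST's own tooling. Computes, from a constructed and
hypothetical CAP register:
  1. CAPs developed and approved as a percentage of identified deficiencies
  2. open CAP progress (on-time vs behind schedule) grouped and sorted by risk
  3. CAPs remediated over time as a percentage of all CAPs actively managed
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}  # sort order for reporting


@dataclass
class Deficiency:
    id: str
    risk: str  # "high" | "medium" | "low", as rated in the risk assessment


@dataclass
class CAP:
    deficiency_id: str
    approved: bool              # management formally approved the plan
    due: date                   # committed completion date
    closed: Optional[date] = None  # date remediation was verified complete


def approval_coverage(deficiencies, caps):
    """Metric 1: percentage of identified deficiencies with an approved CAP."""
    approved_ids = {c.deficiency_id for c in caps if c.approved}
    covered = sum(1 for d in deficiencies if d.id in approved_ids)
    return round(100.0 * covered / len(deficiencies), 1) if deficiencies else 0.0


def schedule_status_by_risk(deficiencies, caps, as_of):
    """Metric 2: open CAPs on time vs behind schedule, ordered high -> low risk."""
    risk_of = {d.id: d.risk for d in deficiencies}
    counts = defaultdict(lambda: {"on_time": 0, "behind": 0})
    for c in caps:
        if c.closed is not None:
            continue  # only open CAPs carry a schedule status
        bucket = "behind" if c.due < as_of else "on_time"
        counts[risk_of[c.deficiency_id]][bucket] += 1
    result = {}
    for risk in sorted(counts, key=lambda r: RISK_ORDER[r]):
        n = counts[risk]["on_time"] + counts[risk]["behind"]
        result[risk] = {
            "open": n,
            "pct_on_time": round(100.0 * counts[risk]["on_time"] / n, 1),
            "pct_behind": round(100.0 * counts[risk]["behind"] / n, 1),
        }
    return result


def remediated_over_time(caps, checkpoints):
    """Metric 3: percentage of all managed CAPs closed by each checkpoint date."""
    total = len(caps)
    if not total:
        return {}
    return {
        cp: round(100.0 * sum(1 for c in caps if c.closed and c.closed <= cp) / total, 1)
        for cp in checkpoints
    }


# Constructed sample register (hypothetical ids, ratings and dates).
DEFICIENCIES = [
    Deficiency("D-1", "high"),
    Deficiency("D-2", "high"),
    Deficiency("D-3", "medium"),
    Deficiency("D-4", "medium"),
    Deficiency("D-5", "low"),
    Deficiency("D-6", "low"),  # identified, no CAP drafted yet
]
CAPS = [
    CAP("D-1", approved=True, due=date(2011, 4, 30), closed=date(2011, 4, 15)),
    CAP("D-2", approved=True, due=date(2011, 5, 31)),   # open and behind as of June
    CAP("D-3", approved=True, due=date(2011, 9, 30)),   # open, on time
    CAP("D-4", approved=False, due=date(2011, 8, 31)),  # drafted, awaiting approval
    CAP("D-5", approved=True, due=date(2011, 3, 31), closed=date(2011, 6, 1)),
]
AS_OF = date(2011, 6, 15)
CHECKPOINTS = [date(2011, 3, 31), date(2011, 4, 30), date(2011, 6, 30)]

if __name__ == "__main__":
    print("Approved CAP coverage (%):", approval_coverage(DEFICIENCIES, CAPS))
    print("Open CAP schedule status by risk:", schedule_status_by_risk(DEFICIENCIES, CAPS, AS_OF))
    print("Remediated over time (%):", remediated_over_time(CAPS, CHECKPOINTS))
```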
24
Additional Information:
     Attestation of Meaningful Use




25
Attestation … How to get the money

•    Medicare hospitals’ EPs must attest, through “secure mechanism approved by
     CMS,” that they have “satisfied the required objectives and associated
     measures” of §495.6
•    Calendar years 2011 and after (no provision for demonstration), except that
     EPs using certified EHR need not attest until 2012 (42 CFR §§ 495.8;
     495.210)
•    Medicaid providers must attest:
     “This is to certify that the foregoing information is true, accurate, and
     complete. I understand that Medicaid EHR incentive payments submitted
     under this provider number will be from Federal funds, and that any
     falsification, or concealment of a material fact may be prosecuted under
     Federal and State laws.” (42 CFR §§ 495.368)




26
Attestation … Associated Risks (i)

•    Comment: “A commenter indicated that attestation is an insufficient means to
     hold providers accountable for the expenditure of public funds and to protect
     against fraud and abuse.” (Federal Register Vol. 75, No. 144, p. 44324)
•    Response: “We likewise are concerned with the potential fraud and abuse.
     However, Congress for the HITECH Act specifically authorized submission of
     information as to meaningful use through attestation. CMS is developing an
     audit strategy to ameliorate and address the risk of fraud and abuse.”
     (Ibid.)
•    CMS (Medicare) and states may “review an EP, eligible hospital or CAH’s
     demonstration of meaningful use.” (42 CFR § 495.8)
•    States required to “annually collect and verify information regarding the efforts
     to adopt, implement, or upgrade certified EHR technology and the meaningful
     use of said technology before making any payments to providers.” (42 CFR §
     495.366)



27
Attestation … Associated Risks (ii)

•    States are required to ensure the qualifications of the providers who request
     Medicaid EHR incentive payments
      – Detect and take corrective action for improper payments to providers
      – Refer suspected cases of fraud and abuse to Medicaid Fraud Control Unit
         (42 CFR § 495.368)
•    HITECH incentives audits
•    HIPAA compliance investigations
•    Security breach investigations
•    Federal/state false claims act penalties
•    Whistleblower (qui tam) lawsuits
•    Federal/state program disqualification
•    Criminal/civil fraud actions




28
Attestation … Manage the Risks

•    Risk analysis is a process, not a product
•    Follow HIPAA “flexible factors” and “reasonable and appropriate” standards in
     determining updates and corrections
•    Show due diligence in risk identification and update and correction
     implementation
      – Use appropriate professional expertise
      – Incorporate “reasonable practice” information from industry, professional
         communities
      – Strongly consider the use of outside expertise




29
Attestation … Perform “Due Diligence”

•    Make sure attesting officer is properly informed about risks, updates,
     corrections, etc.
      – Create and retain supporting documentation file
      – In any field where officer does not have appropriate expertise, ensure s/he
         is briefed and provided with supporting documentation from appropriate
         experts
      – Good “business judgment” is the attesting officer’s best friend
•    Show your work!
      – Document risk analysis process and findings
      – Document implementation of updates and corrections
      – Providers must retain “documentation supporting their demonstration of
         meaningful use for 6 years” after attestation
           • Note HIPAA has same document retention period
       Source: John R. Christiansen, Esq., Christiansen IT Law




30
Meaningful Use Privacy and Security Risk
     Assessment: Leveraging the HITRUST
     CSF Assurance Program




31
Guide to Meaningful Use Risk Assessments

1.   Demonstrate reasonable practices (HITRUST Common Security Framework)
     A. Select a sound risk assessment methodology
     B. Align control decisions with industry standards/practices

2.   Be efficient—you’ll need resources for remediation (HITRUST CSF Assurance)
     A. Meaningful use focuses on your certified EHR not the whole environment
     B. Use sampling techniques in your environment for similar implementations
     C. Assist physician practices—they are an entry point into your environment

3.   Take remediation seriously (HITRUST CSF Assurance)
     A. Develop sound corrective action plans but be careful not to over-commit
        or under-commit resources, as this could expose you to cost overruns or
        non-compliance with regulatory requirements
     B. Actively manage remediation as a portfolio of projects and initiatives

32
Demonstrate Reasonable Practices




33
Select a Sound Risk Assessment Methodology

The CSF Assurance assessment is based on NIST and ISO standards for
evaluating risk


[Diagram: Likelihood and Impact determine Risk; Risk, with Controls applied,
leaves Residual Risk]

     Risk
     • HITRUST risk areas
     • Based upon analysis of breach data
     • Significantly simplified for organizations

     Controls
     • HITRUST Common Security Framework
     • Reasonable practice
34
High Risks for Healthcare Organizations*

•    Insecure and/or unauthorized removable/transportable media and laptops (internal
     and external movements)
•    Insecure and/or unauthorized external electronic transmissions of covered
     information
•    Insecure and/or unauthorized remote access by internal and third-party personnel
•    Insider snooping and data theft
•    Malicious code and inconsistent implementation and update of prevention software
•    Inadequate and irregular information security awareness for the entire workforce
•    Lack of consistent network isolation between internal and external domains
•    Insecure and/or unauthorized implementation of wireless technology
•    Lack of consistent service provider, third-party and product support for information
     security
•    Insecure web development and applications
•    Ineffective password management and protection
•    Ineffective disposal of system assets

*Based on loss and breach data analyzed by HITRUST
35
Overview of CSF Assurance Risk Assessments

•    Referenced by Office of Civil Rights in risk assessment guidance
     http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidance.pdf
•    Designed to cost-effectively gather the information about security controls
     needed to appropriately understand and mitigate risk
•    Leverages defined, reasonable controls in the HITRUST CSF
      – The most broadly adopted security control framework in the healthcare
          industry
•    Streamlines risk determination analysis by prioritizing areas based on analysis
     for breach data for the healthcare industry
•    Provides formal and credible report for internal and external reporting
•    Utilizes benchmarking data
•    Provides recommendations for remediation



36
CSF Assurance Assessment Approach


1. Determine Scope
   - Applications, interfaces, infrastructure
   - HITRUST tools: HITRUST Scoping Template
2. Prepare for Assessment
   - Focus on high risk areas
   - Identify individuals responsible for key control areas
   - Conduct top down enterprise control analysis
   - Do not get stuck in the weeds
   - HITRUST tools: HITRUST High Risk List, HITRUST CHIP Questionnaire
3. Report
   - Report of findings and remediation plan
   - HITRUST tools: HITRUST CSF Validated Report, Corrective Action Plan Template
4. Track and Measure Progress
   - Track progress against industry benchmarks
   - Focus on measures
   - HITRUST tools: HITRUST CSF Validated Report




37
Align Control Decisions with Industry Standards,
Regulations and Best Practices
[Diagram: HITRUST CSF]
•    Healthcare-specific security
     initiative
•    Openly available framework
•    Comprehensive requirements
       – Focused on high risk controls
•    Integrated control set
•    Prescriptive and certifiable
•    Value-added services
       – Industry-reviewed control
          practices
       – Vendor product certification
       – “Trusted broker” third–party
          assurance


38                                       © 2011 HITRUST LLC, Frisco, TX. All Rights Reserved.
Be Efficient

39
Focus on the Certified EHR System

•    HITRUST CSF assessments are broken out into two types of assessment
      – Organizational: assesses the general information security controls that
         may impact the confidentiality, integrity or availability of ePHI
      – System: assesses the administrative, technical and physical controls specific
         to the implementation of a certified EHR technology
•    Each type of assessment is further scoped (tailored) based on very specific
     factors related to risk and an entity’s ability to implement appropriate and
     reasonable security measures
      – Organizational: includes type of organization, size, and revenue
      – System: includes average number of transactions and external interfaces
•    Assessments are further focused on high risk areas
      – Based on HITRUST’s analysis of breach data and feedback from over 200
         experienced healthcare and security professionals
      – Focus on these risks first, adjust for your environment, and expand as
         dollars and resources allow (i.e., follow the 80/20 rule)

40
Key Components of the CSF Assurance Program
•    Standardized tools and processes
      – Questionnaire
           • Focus assurance dollars to efficiently assess risk exposure
           • Measured approach based on risk and compliance requirements
           • Ability to escalate assurance level based on risk
      – Worksheet for reporting compliance
      – Report that is consistently interpreted across the industry
•    Cost effective and rigorous assurance
      – Multiple assurance options based on risk
           • Self reporting
           • Remote testing—conducted by a CSF Assessor; includes interviews with
             key personnel and review of policies, procedures and other relevant
             documentation
           • On-site assessment—conducted by a CSF Assessor; includes remote
             testing and the review of system configurations and physical walkthroughs
      – Quality control processes to ensure consistent quality/output from CSF
         Assessors
41
Questionnaire

Common Healthcare Information Protection (CHIP) Questionnaire:
 • Innovative approach to assess the quality of information protection practices in an efficient manner
 • Focus on the security capabilities and outcomes of an organization
 • Leverages key measures and supports benchmarking
 • Structured according to the high-risk areas identified in the CSF, which reflect the controls required to mitigate the most common sources of breaches for the industry

42
Use Sampling Techniques Where Appropriate

•    HITRUST CSF Assurance supports sampling when
      – Practices/locations are governed by one set of policies and procedures
      – Environments and administrative/technology controls are similar
•    There must be a basis for concluding the practices/locations are similar
      – Some dissimilarity may support sub-grouping and sampling within sub-groups
•    HITRUST recommended sample sizes

     Number of Practices in Population/Group | Minimum Number of Practices at Which to Perform Security Risk Assessments
     >50                                     | 10%, maximum of 25 practices
     15-50                                   | Minimum of 5 / use judgment
     <15                                     | Minimum of 3 / all practices

•    Sampling should be random but other methods could be supported
•    Inconsistent results from the sample imply …
       – All practices/locations may need to be addressed / assessed
           • Exceptions/deviations should be investigated to determine root cause(s)
           • If isolated instance or human error, may be able to select a replacement
           • Decision and rationale should be documented as part of the assessment
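The sampling procedure on this slide, worked as an added example that is not HITRUST's own tooling: it sub-groups practices that share one policy set and a similar environment, applies the recommended minimum sample size to each group, draws a random sample, and escalates when sampled results are inconsistent. Rounding 10% up to a whole practice, the fixed RNG seed and the constructed practice list are assumptions made here.

```python
"""Sampling planner for multi-practice security risk assessments (added example)."""
import random
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple


def minimum_sample_size(population: int) -> int:
    """Recommended minimum number of practices to assess within one group."""
    if population <= 0:
        raise ValueError("population must be positive")
    if population > 50:
        return min(25, -(-population // 10))   # 10% rounded up (assumption), maximum of 25
    if population >= 15:
        return 5                               # minimum of 5 / use judgment
    return min(3, population)                  # minimum of 3 / all practices


def group_practices(practices: Iterable[dict]) -> Dict[Tuple[str, str], List[str]]:
    """Sampling is only supportable across practices governed by one set of
    policies/procedures with similar environments, so sub-group on both."""
    groups: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for p in practices:
        groups[(p["policy_set"], p["environment"])].append(p["name"])
    return dict(groups)


def plan_sample(practices: Iterable[dict], seed: int = 2011) -> Dict[Tuple[str, str], dict]:
    """Random selection per group; the decision and rationale are recorded so
    they can be documented as part of the assessment."""
    rng = random.Random(seed)   # fixed seed keeps the documented draw reproducible
    plan = {}
    for key, names in sorted(group_practices(practices).items()):
        size = minimum_sample_size(len(names))
        chosen = sorted(rng.sample(names, size))
        plan[key] = {
            "population": len(names),
            "sample": chosen,
            "rationale": f"{size} of {len(names)} practices selected at random (seed {seed})",
        }
    return plan


def evaluate_sample(results: Dict[str, bool], group_members: List[str],
                    isolated: Iterable[str] = (), seed: int = 2011) -> dict:
    """`results` maps each sampled practice to pass/fail. Every failure is an
    exception whose root cause must be investigated; the caller lists in
    `isolated` those found to be isolated instances or human error."""
    failures = sorted(name for name, passed in results.items() if not passed)
    unsampled = sorted(set(group_members) - set(results))
    if not failures:
        return {"decision": "accept sample", "investigate": [], "assess_next": []}
    if any(f not in isolated for f in failures):
        # Inconsistent results: all practices in the group may need to be assessed
        return {"decision": "assess all practices", "investigate": failures,
                "assess_next": unsampled}
    # Isolated instances only: select an unsampled replacement for each failure
    rng = random.Random(seed)
    replacements = sorted(rng.sample(unsampled, min(len(failures), len(unsampled))))
    return {"decision": "select replacements", "investigate": failures,
            "assess_next": replacements}


def constructed_practices() -> List[dict]:
    """Constructed population (not real data): 60 clinics under a regional policy
    set, 20 hospital-owned practices, and 4 standalone specialty practices."""
    clinics = [{"name": f"clinic-{i:02d}", "policy_set": "regional", "environment": "hosted-EHR"}
               for i in range(1, 61)]
    owned = [{"name": f"owned-{i:02d}", "policy_set": "hospital", "environment": "on-prem-EHR"}
             for i in range(1, 21)]
    specialty = [{"name": f"spec-{i}", "policy_set": "regional", "environment": "standalone"}
                 for i in range(1, 5)]
    return clinics + owned + specialty


if __name__ == "__main__":
    for key, entry in plan_sample(constructed_practices()).items():
        print(key, entry["rationale"], entry["sample"])
```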

43
Assist Physician Practices

•    HITRUST recognizes the constraints and limitations of physician practices and other
     small healthcare organizations

•    Small Organization Health Information Assurance Questionnaire (SOHIA)
      – Simplified questionnaire
           • Intended for self assessment
           • Assesses general organizational security for high risk factors
      – Automated technical assessment
           • Simple agent-based tool downloaded from vendor Web site
           • Assessment of current vulnerabilities
           • Re-assessment provides proof of corrective action

44
Take Remediation Seriously

45
Develop a Sound Corrective Action Plan

• Meaningful use only requires a focus on the certified EHR, but…
• Organizations are expected to routinely perform a risk analysis under HIPAA and manage/implement corrective actions
• If a HIPAA risk assessment was not performed in over two years, consider a broader risk assessment to stay aligned with HIPAA requirements
• HITRUST includes a HIPAA Compliance Scorecard produced for each HIPAA security requirement
• Ratings and benchmarks for high risk controls can help organizations prioritize remediation efforts

46
Benchmark Data

[Chart: PRISMA SCORE for the Organization versus Benchmark Orgs, grouped into Higher Priority CAPs and Lower Priority CAPs]

47
Actively Manage Remediation

 •    HITRUST CSF Validated and Certified provide a standard assessment report,
      compliance scorecard and corrective action plans

 HITRUST Common Security Framework | CSF Assurance Toolkit 2010 / v1.0 | Corrective Action Plan [TEMPLATE]

 Instructions
 Use this spreadsheet to document the corrective action plan to remediate any findings resulting from an assessment under the
 CSF Assurance Program.

 Template columns, with the guidance and example given for each:

 Weakness Identifier: The weakness identifier will be used to track and correlate weaknesses that are ongoing throughout
 quarterly submissions within the organization. A rule of thumb is to use an abbreviated system name, the quarter, the year,
 and a unique number. Ex. SYSX_3_2009_1

 Weakness Description: Weaknesses represent any program or system-level information security vulnerability that poses an
 unacceptable risk of compromising confidentiality, integrity or availability of information.
 Ex. 1—Granting, transfer and termination procedures for user access are not established

 HITRUST CSF Control Reference(s): Related HITRUST CSF Control Specification for the identified weakness.
 Ex. 01.b User Registration

 Organizational Point of Contact (PoC): A POC is the organization, department or title of the position within the
 organization that is directly responsible for mitigating the weakness. Ex. System X Director of IT Security

 Resources Required: Resources required include the funding (denoted in dollars) or man-hours necessary for mitigating a
 weakness. The type of funding (current, new or reallocated) should be noted. Ex. 120 hours, current staff

 Scheduled Completion Date: Completion dates should be set based on a realistic estimate of the amount of time it will take
 to collect the resources for the corrective action and implement/test the corrective action. Ex. 8/31/2009

 Milestones with Completion Dates: Milestones with completion dates outline the specific high-level steps to be executed in
 mitigating the weakness and the estimated completion date for each step.
 Ex. Develop user registration procedures for granting, transferring, and terminating access, 8/1/2009;
 Submit to System X Administrator for review and input, 8/15/2009

 Changes to Milestones: Changes to milestones indicate the new estimated future date of a milestone’s completion if the
 original date is not met. Ex. None noted to-date

 •    Remediation of security deficiencies is required to maintain CSF Validated status
       – No gaps with prioritized requirements (controls) are allowed with CSF Certified status
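The CAP template and its weakness-identifier convention, as an added example that is not part of the HITRUST toolkit: it models the template's columns, enforces the SYSTEM_Q_YYYY_N rule of thumb on entry, and correlates two quarterly submissions to report ongoing weaknesses and milestones whose dates slipped (what the Changes to Milestones column records). The m/d/yyyy date form follows the template's examples; the Q4 2009 follow-up row is constructed.

```python
"""Corrective Action Plan (CAP) tracker (added example)."""
import re
from dataclasses import dataclass, field, replace
from datetime import date, datetime
from typing import Dict, List, Tuple

# Rule of thumb: abbreviated system name, quarter (1-4), year, unique number
ID_PATTERN = re.compile(r"^([A-Z][A-Z0-9]*)_([1-4])_(\d{4})_(\d+)$")


def parse_identifier(identifier: str) -> Tuple[str, int, int, int]:
    """Split e.g. SYSX_3_2009_1 into (system, quarter, year, sequence) or reject it."""
    match = ID_PATTERN.match(identifier)
    if not match:
        raise ValueError(f"{identifier!r} does not follow SYSTEM_Q_YYYY_N")
    system, quarter, year, seq = match.groups()
    return system, int(quarter), int(year), int(seq)


def parse_date(text: str) -> date:
    """Template dates are written like 8/31/2009."""
    return datetime.strptime(text, "%m/%d/%Y").date()


@dataclass
class Milestone:
    description: str
    due: date


@dataclass
class Weakness:
    """One row of the CAP template."""
    identifier: str
    description: str
    csf_controls: List[str]
    point_of_contact: str
    resources_required: str
    scheduled_completion: date
    milestones: List[Milestone] = field(default_factory=list)
    closed: bool = False

    def __post_init__(self) -> None:
        parse_identifier(self.identifier)   # malformed identifiers are rejected at entry


def slipped_milestones(previous: Weakness, current: Weakness) -> List[Tuple[str, date, date]]:
    """Milestones whose due date moved later since the prior submission, as
    (description, original_due, new_due) for the Changes to Milestones column."""
    prior = {m.description: m.due for m in previous.milestones}
    changes = []
    for m in current.milestones:
        original = prior.get(m.description)
        if original is not None and m.due > original:
            changes.append((m.description, original, m.due))
    return changes


def correlate(prev_submission: List[Weakness], curr_submission: List[Weakness]) -> Dict[str, object]:
    """Correlate two quarterly submissions by weakness identifier."""
    prev = {w.identifier: w for w in prev_submission}
    curr = {w.identifier: w for w in curr_submission}
    slipped = {}
    for ident in curr:
        if ident in prev:
            changes = slipped_milestones(prev[ident], curr[ident])
            if changes:
                slipped[ident] = changes
    return {
        "ongoing": sorted(i for i, w in curr.items() if i in prev and not w.closed),
        "closed": sorted(i for i in prev if i not in curr or curr[i].closed),
        "new": sorted(i for i in curr if i not in prev),
        "slipped": slipped,
    }


def example_submissions() -> Tuple[List[Weakness], List[Weakness]]:
    """The Q3 2009 example row from the template plus a constructed Q4 2009 update
    in which the review milestone was not met and has been re-dated."""
    q3 = Weakness(
        identifier="SYSX_3_2009_1",
        description="Granting, transfer and termination procedures for user access are not established",
        csf_controls=["01.b User Registration"],
        point_of_contact="System X Director of IT Security",
        resources_required="120 hours, current staff",
        scheduled_completion=parse_date("8/31/2009"),
        milestones=[
            Milestone("Develop user registration procedures", parse_date("8/1/2009")),
            Milestone("Submit to System X Administrator for review", parse_date("8/15/2009")),
        ],
    )
    q4 = replace(q3, milestones=[
        q3.milestones[0],
        Milestone(q3.milestones[1].description, parse_date("9/15/2009")),  # constructed slip
    ])
    return [q3], [q4]


if __name__ == "__main__":
    print(correlate(*example_submissions()))
```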


48
Conducting your Meaningful Use Risk Assessment

 Five steps to getting started with the CSF Assurance Program:
 1. Visit http://www.hitrustalliance.net/selfassessment/ for performing your
     meaningful use risk assessment.*
 2. Identify your scope
     – Details on slides 15 and 40
 3. Perform an assessment using the Common Health Information Protection
     Questionnaire (CHIP) and Compliance Worksheet.**
     – Details on slides 16-20 and 42-43
 4. Submit your CHIP to HITRUST
 5. Obtain a HITRUST CSF Validated Report with benchmarking data and CAP
     – Details on slides 23-24 and 46-48
 6. Register and attest for meaningful use Stage 1
     – Details on slides 26-30
*For other assurance options, including remote and on-site assessments via a third party CSF Assessor, please visit
http://www.hitrustalliance.net/assurance/
**A Compliance Worksheet is required for assessments conducted by a CSF Assessor or when a compliance scorecard is requested (e.g.,
HIPAA Security Rule)
49
For More Information:

 For more information on the CSF Assurance Program visit:
 www.HITRUSTAlliance.net/assurance

 For a list of HITRUST CSF Assessors visit:
 www.HITRUSTAlliance.net/Assessors_List.pdf

 HITRUST Central professional subscribers can contact customer
 support for questions:
 support@HITRUSTalliance.net

50

HITRUST CSF Meaningful use risk assessment

  • 1. Meaningful Use Privacy and Security Risk Assessment: What it is and How to Approach it Leveraging the CSF and CSF Assurance Program June 2011
  • 2. Introduction HITRUST continues to receive questions on performing a risk assessment for meaningful use. This document is being released as guidance to provide the healthcare industry with a clear process to satisfy the privacy and security requirements of meaningful use. This guidance is intended for security and compliance professionals of healthcare providers and is divided into three sections: 1. Quick start guide to conducting a risk assessment for Stage 1 meaningful use security and privacy requirements 2. Background on meaningful use and the Stage 1 security and privacy requirements for conducting a risk assessment 3. The recommended approach for conducting an efficient and effective risk assessment leveraging the CSF Assurance program 1 © 2011 HITRUST LLC, Frisco, TX. All Rights Reserved.
  • 3. Conducting your Meaningful Use Risk Assessment Five steps to getting started with the CSF Assurance Program: 1. Visit http://www.hitrustalliance.net/selfassessment/ for performing your meaningful use risk assessment.* 2. Identify your scope – Details on slides 15 and 40 3. Perform an assessment using the Common Health Information Protection Questionnaire (CHIP) and Compliance Worksheet.** – Details on slides 16-20 and 42-43 4. Submit your CHIP to HITRUST 5. Obtain a HITRUST CSF Validated Report with benchmarking data and CAP – Details on slides 23-24 and 46-48 6. Register and attest for meaningful use Stage 1 – Details on slides 26-30 *For other assurance options, including remote and on-site assessments via a third party CSF Assessor, please visit http://www.hitrustalliance.net/assurance/ **A Compliance Worksheet is required for assessments conducted by a CSF Assessor or when a compliance scorecard is requested (e.g., HIPAA Security Rule) © 2011 HITRUST LLC, Frisco, TX. All Rights Reserved. 2
  • 4. Meaningful Use Stage 1 Requirements for Privacy and Security 3 © 2011 HITRUST LLC, Frisco, TX. All Rights Reserved.
  • 5. What is Meaningful Use? • The use of a certified EHR [system/technology] in [a] meaningful way: – For the electronic exchange of health information to improve the quality of health care, and – To submit clinical quality and other measures (to federal and state agencies) • Stage 1 requirements (2011 and 2012) – For eligible hospitals and critical access hospitals • 25 MU objectives – 15 core objectives that are required » Includes the protection of electronic health information – 5 of 10 menu set objectives that are optional – For eligible professionals • 24 MU objectives – 14 core objectives that are required » Includes the protection of electronic health information – 5 of 10 menu set objectives that are optional Source: https://www.cms.gov/EHRIncentivePrograms/30_Meaningful_Use.asp 4 © 2011 HITRUST LLC, Frisco, TX. All Rights Reserved.
  • 6. Why Pursue Meaningful Use? • Medicare and Medicaid provide financial incentives for the meaningful use of certified EHR technology to achieve health and efficiency goals. • By [implementing] and meaningfully using an EHR system, providers: – Receive financial incentives (complex formula) • Hospitals (Health System = Hospital) – Base of $2 million—up to 1,149 acute inpatient discharges for prior 12 months – Maximum of $6,370,200—$200 for each additional discharge up to 23,000 • Critical Care Hospitals will be paid “on reasonable costs” • Eligible Providers – Between $24K and $44K based on first calendar year submitted – Avoid reductions in Medicare and Medicaid payments beyond 2015 – Reap benefits beyond financial incentives (e.g., reduction in errors, availability of records/data, reminders and alerts, clinical decision support, and e- prescribing/refill automation) Source: https://www.cms.gov/EHRIncentivePrograms/30_Meaningful_Use.asp http://journal.ahima.org/2010/08/26/meaningful-use%E2%80%94incentive-payments-and-program-requirements 5 © 2011 HITRUST LLC, Frisco, TX. All Rights Reserved.
• 7. What are the Security & Privacy Requirements?
  • Stage 1 MU Measure
    – Protect [ePHI] created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities
  • Stage 1 MU Objective
    – As part of [an overall] risk management process
      • Conduct or review a security risk analysis [per the HIPAA Security Rule] (45 CFR 164.308(a)(1))
      • Implement security updates as necessary
      • Correct identified security deficiencies
  • Stage 1 MU Attestation
    – Organizations must conduct a risk analysis at least once prior to the end of the EHR reporting period, with supporting documentation and updates implemented as necessary
    – You’re attesting to the government, which implies civil and/or criminal penalties for false statements … so take attestation very seriously!
  Source: http://www.cms.gov/EHRIncentivePrograms/Downloads/14HC-ProtectElectronicHealthInformation.pdf
• 8. What is a Security Risk Analysis?
  • The Security Rule describes a “risk analysis” as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information [ePHI]”
  • Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule
  • Additionally, the Security Rule requires entities to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI
  • However, the Security Rule does not prescribe a specific risk analysis methodology …
  Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/radraftguidance.pdf
• 9. What are the Elements of a Risk Analysis?
  • Scope the Analysis
    – Include the potential risks and vulnerabilities to the confidentiality, availability and integrity of all ePHI that an organization creates, receives, maintains, or transmits (45 CFR § 164.306(a))
  • Collect Data
    – Identify where ePHI is stored, received, maintained or transmitted (See 45 CFR §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1))
  • Identify and Document Potential Threats and Vulnerabilities
    – Identify and document reasonably anticipated threats to ePHI (See 45 CFR §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii))
  • Assess Current Security Measures
    – Assess and document the security measures an entity uses to safeguard ePHI (See 45 CFR §§ 164.306(b)(1), 164.308(a)(1)(ii)(A) and 164.316(b)(1))
    – In other words, conduct an information security risk assessment
  Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/radraftguidance.pdf
• 10. Guide to Meaningful Use Risk Assessments
  1. Demonstrate reasonable practices
     A. Select a sound risk assessment methodology
     B. Align controls with industry standards and best practices
  2. Be efficient—you’ll need resources for remediation efforts
     A. Meaningful use focuses on your certified EHR, not the whole environment
     B. Use sampling techniques in your environment for similar implementations
     C. Don’t forget physician practices—they are an entry point into your environment
  3. Take remediation seriously
     A. Develop prioritized corrective action plans, but be careful not to over-commit or under-commit resources, as this could expose you to cost overruns or non-compliance with regulatory requirements
     B. Actively manage remediation as a portfolio of projects and initiatives
• 11. Demonstrate Reasonable Practices
• 12. Select a Sound Risk Assessment Methodology
  • Identify an information security risk assessment approach that
    – Scopes (tailors) the assessment
    – Prepares for the assessment
    – Reports assessment results
    – Tracks and measures progress (corrective actions)
  • If you use a third party to assist with or conduct the assessment, ensure their “proprietary” methodology incorporates the above-listed items
  • Identify standard templates for documenting results and developing corrective action plans
  • Many organizations confuse a technical evaluation of controls with a risk assessment; however, these are different concepts and different requirements under HIPAA
• 13. Fundamental Risk Assessment Approach
  1. Determine Scope
     – Focus on high risk areas
     – Applications, interfaces, infrastructure
  2. Prepare for Assessment
     – Identify individuals responsible for key control areas
     – Conduct top down enterprise control analysis
     – Do not get stuck in the weeds
  3. Report
     – Report of findings
     – Remediation plan
     – Focus on measures
  4. Track and Measure Progress
     – Establish a PM over the remediation
     – Track progress against industry benchmarks
• 14. Align Control Decisions with Industry Standards
  • Seek an integrated information security and compliance framework
  • Choose a controls-based approach that is
    – Comprehensive
    – Prescriptive
    – Certifiable
  • Define control practices tailored for use in a healthcare environment
  [Diagram: the integrated framework draws on COBIT, ISO 27001/2, HITECH Act, HIPAA, PCI Security, Meaningful Use, State Reqs. and NIST 800-53]
• 15. Be Efficient
• 16. Focus on the Certified EHR System
  • Within scope of a review
    – All servers that run any module of the certified EHR
    – The wide area and local networks supporting the EHR
    – Information/data exchange interfaces with other systems
    – Workstations, laptops or portable media used to access the EHR
    – Vendors that support or have access to data in the EHR
    – People, process, policies and standards that are related to the control of the above components
  • Potentially out of scope
    – Third party applications that do not interface with the EHR (for example, a payroll system would not be included in scope)
    – Network environments that are isolated from the wide area network or the network connected to the EHR
• 17. Testing
  • Testing of controls to identify risks may include one or all of the following components:
    – Interview of key personnel responsible for security, IT and key business processes
    – Review of documentation related to the security practices of the organization and systems
    – Technical testing of application, system and hardware configurations
• 18. Example Interviews
  • Types of roles to interview:
    – Web application manager
    – Internal audit
    – Security assurance manager (risk management, business continuity management, vulnerability management, training and awareness, security policies)
    – Monitoring and response manager
    – Server engineering
    – Desktop engineering
    – Human resources
    – Access and identity management
    – Application developer
    – Operations/office manager
    – Legal counsel
• 19. Example Documents to Review (i)
  • Asset inventory with risk classification
  • Network diagram
  • Organization chart
  • Business associate agreement template
  • Risk assessment program
    – Application assessment questionnaires
    – Sample web application assessments
    – Sample network vulnerability assessments
    – Sample attack and penetration report
  • Project/engagement hierarchy
  • System configuration checklists
• 20. Example Documents to Review (ii)
  • Business continuity management program
    – Business impact analysis templates
    – Business continuity plan template
    – Disaster recovery plan template
    – Sample business continuity and disaster recovery plans
  • Sample security awareness and training materials
  • Policies and standards framework
    – Policy and standards third party review report
  • Incident monitoring and response program and associated procedures
  • Security council charter
• 21. Use Sampling Techniques Where Appropriate
  • General rule of thumb
    – Use sampling when:
      • Environment is under the same management control
      • Departments/facilities/systems are subject to the same policies and procedures
      • Portions of hybrid enterprise/local environments are under enterprise control
    – Assess everything if the sample indicates excessive variability
  • Multi-facility systems
    – Scope is directly impacted by the level of standardization
      • Highly standardized with enterprise level controls
        – Select a random sample of like facilities to assess risks (e.g., assess a sample of large acute care, smaller acute care and of outpatient facilities)
      • Little standardization
        – Select a sample of facilities to assess any enterprise wide or centrally managed controls (e.g., assess how effectively the enterprise wide patch management function is operating at a sample of facilities)
        – Assess non-standard controls at every facility (e.g., if facilities contract and manage data disposal independently, then assess this process at every facility)
• 22. Assist Physician Practices
  • Physician practices:
    – Introduce significant vulnerabilities into an EHR system of a hospital or health system
    – Generally do not have the expertise or resources to conduct a risk assessment
  • To assist:
    – Physician practices that run on a hospital’s EHR and are subject to hospital policies
      • Leverage hospital assessment for any controls under direct control of the hospital (e.g., the patching and configuration of the EHR servers)
      • Select a sample of practices to assess how effectively hospital policies are implemented (e.g., clear desk policy, password management policies)
    – Physician practices that run on a hospital’s EHR, but aren’t subject to hospital policies
      • Leverage hospital assessment for any controls under direct control of the hospital (e.g., the patching and configuration of the EHR servers)
      • For each practice, assess controls under the management of the physician practice (e.g., security policies, workstation security)
• 23. Take Remediation Seriously
• 24. Develop Sound Corrective Action Plans
  • Develop a methodology for the development of corrective action plans (CAPs) … what the federal government refers to as “Plans of Action and Milestones”
    – Integrate CAP development into existing processes where possible
      • Project management
      • Ticketing systems (or other workflow management)
      • Change control
    – Automate with a governance, risk and compliance (GRC) system/tool when possible
  • Obtain or develop training materials for control owners and other stakeholders (e.g., management) to understand and implement the CAP methodology
  • Train your control owners and other stakeholders
• 25. Actively Manage Remediation
  • HIPAA (in general) and meaningful use (in particular) require the remediation of identified security deficiencies
    – It’s sufficient for Stage 1 meaningful use to develop formal corrective action plans
    – However, there is an expectation that these corrective actions will be taken
    – Failure to take reasonable and appropriate measures to remediate deficiencies would be a violation of the HIPAA Security Rule and could make an organization subject to federal and state civil and criminal penalties for making false statements
  • Use project management principles and techniques to actively manage remediation activities as a single portfolio
    – Management should formally approve all corrective action plans
    – Remediation activities should be actively monitored and CAPs updated accordingly
    – CAP status should be reported to senior management on a regular and timely basis (along with other security risk metrics), such as:
      • Number of CAPs developed and approved as a percentage of identified deficiencies
      • CAP progress, such as percentage on-time or behind schedule, sorted by risk
      • Number of CAPs remediated over time as a percentage of all CAPs actively managed
• 26. Additional Information: Attestation of Meaningful Use
• 27. Attestation … How to get the money
  • Medicare hospitals’ EPs must attest, through a “secure mechanism approved by CMS,” that they have “satisfied the required objectives and associated measures” of §495.6
  • Calendar years 2011 and after (no provision for demonstration), except that EPs using certified EHR need not attest until 2012 (42 CFR §§ 495.8; 495.210)
  • Medicaid providers must attest: “This is to certify that the foregoing information is true, accurate, and complete. I understand that Medicaid EHR incentive payments submitted under this provider number will be from Federal funds, and that any falsification, or concealment of a material fact may be prosecuted under Federal and State laws.” (42 CFR § 495.368)
• 28. Attestation … Associated Risks (i)
  • Comment: “A commenter indicated that attestation is an insufficient means to hold providers accountable for the expenditure of public funds and to protect against fraud and abuse.” (Federal Register Vol. 75, No. 144, p. 44324)
  • Response: “We likewise are concerned with the potential fraud and abuse. However, Congress for the HITECH Act specifically authorized submission of information as to meaningful use through attestation. CMS is developing an audit strategy to ameliorate and address the risk of fraud and abuse.” (Ibid.)
  • CMS (Medicare) and states may “review an EP, eligible hospital or CAH’s demonstration of meaningful use.” (42 CFR § 495.8)
  • States are required to “annually collect and verify information regarding the efforts to adopt, implement, or upgrade certified EHR technology and the meaningful use of said technology before making any payments to providers.” (42 CFR § 495.366)
• 29. Attestation … Associated Risks (ii)
  • States are required to ensure the qualifications of the providers who request Medicaid EHR incentive payments
    – Detect and take corrective action for improper payments to providers
    – Refer suspected cases of fraud and abuse to the Medicaid Fraud Control Unit (42 CFR § 495.368)
  • HITECH incentives audits
  • HIPAA compliance investigations
  • Security breach investigations
  • Federal/state false claims act penalties
  • Whistleblower (qui tam) lawsuits
  • Federal/state program disqualification
  • Criminal/civil fraud actions
• 30. Attestation … Manage the Risks
  • Risk analysis is a process, not a product
  • Follow HIPAA “flexible factors” and “reasonable and appropriate” standards in determining updates and corrections
  • Show due diligence in risk identification and in update and correction implementation
    – Use appropriate professional expertise
    – Incorporate “reasonable practice” information from industry and professional communities
    – Strongly consider the use of outside expertise
• 31. Attestation … Perform “Due Diligence”
  • Make sure the attesting officer is properly informed about risks, updates, corrections, etc.
    – Create and retain a supporting documentation file
    – In any field where the officer does not have appropriate expertise, ensure s/he is briefed and provided with supporting documentation from appropriate experts
    – Good “business judgment” is the attesting officer’s best friend
  • Show your work!
    – Document the risk analysis process and findings
    – Document implementation of updates and corrections
    – Providers must retain “documentation supporting their demonstration of meaningful use for 6 years” after attestation
      • Note HIPAA has the same document retention period
  Source: John R. Christiansen, Esq., Christiansen IT Law
• 32. Meaningful Use Privacy and Security Risk Assessment: Leveraging the HITRUST CSF Assurance Program
• 33. Guide to Meaningful Use Risk Assessments
  1. Demonstrate reasonable practices (HITRUST Common Security Framework)
     A. Select a sound risk assessment methodology
     B. Align control decisions with industry standards/practices
  2. Be efficient—you’ll need resources for remediation (HITRUST CSF Assurance)
     A. Meaningful use focuses on your certified EHR, not the whole environment
     B. Use sampling techniques in your environment for similar implementations
     C. Assist physician practices—they are an entry point into your environment
  3. Take remediation seriously (HITRUST CSF Assurance)
     A. Develop sound corrective action plans, but be careful not to over-commit or under-commit resources, as this could expose you to cost overruns or non-compliance with regulatory requirements
     B. Actively manage remediation as a portfolio of projects and initiatives
• 34. Demonstrate Reasonable Practices
• 35. Select a Sound Risk Assessment Methodology
  • The CSF Assurance assessment is based on NIST and ISO standards for evaluating risk
  [Diagram: Likelihood and Impact determine Risk; applying Controls to that Risk yields Residual Risk]
  • HITRUST risk areas
  • Based upon analysis of breach data
  • Significantly simplified for organizations
  • HITRUST Common Security Framework
  • Reasonable practice
• 36. High Risks for Healthcare Organizations*
  • Insecure and/or unauthorized removable/transportable media and laptops (internal and external movements)
  • Insecure and/or unauthorized external electronic transmissions of covered information
  • Insecure and/or unauthorized remote access by internal and third-party personnel
  • Insider snooping and data theft
  • Malicious code and inconsistent implementation and update of prevention software
  • Inadequate and irregular information security awareness for the entire workforce
  • Lack of consistent network isolation between internal and external domains
  • Insecure and/or unauthorized implementation of wireless technology
  • Lack of consistent service provider, third-party and product support for information security
  • Insecure web development and applications
  • Ineffective password management and protection
  • Ineffective disposal of system assets
  *Based on loss and breach data analyzed by HITRUST
• 37. Overview of CSF Assurance Risk Assessments
  • Referenced by the Office for Civil Rights in its risk assessment guidance: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidance.pdf
  • Designed to cost-effectively gather the information about security controls needed to appropriately understand and mitigate risk
  • Leverages defined, reasonable controls in the HITRUST CSF
    – The most broadly adopted security control framework in the healthcare industry
  • Streamlines risk determination analysis by prioritizing areas based on analysis of breach data for the healthcare industry
  • Provides a formal and credible report for internal and external reporting
  • Utilizes benchmarking data
  • Provides recommendations for remediation
• 38. CSF Assurance Assessment Approach
  1. Determine Scope
     – Focus on high risk areas
     – Applications, interfaces, infrastructure
     – Tool: HITRUST Scoping Template
  2. Prepare for Assessment
     – Identify individuals responsible for key control areas
     – Conduct top down enterprise control analysis
     – Do not get stuck in the weeds
     – Tools: HITRUST High Risk List, HITRUST CHIP Questionnaire
  3. Report
     – Report of findings and remediation plan
     – Focus on measures
     – Tools: HITRUST CSF Validated Report, Corrective Action Plan Template
  4. Track and Measure Progress
     – Track progress against industry benchmarks
     – Tool: HITRUST CSF Validated Report
• 39. Align Control Decisions with Industry Standards, Regulations and Best Practices
  HITRUST CSF
  • Healthcare-specific security initiative
  • Openly available framework
  • Comprehensive requirements
    – Focused on high risk controls
  • Integrated control set
  • Prescriptive and certifiable
  • Value-added services
    – Industry-reviewed control practices
    – Vendor product certification
    – “Trusted broker” third-party assurance
• 40. Be Efficient
• 41. Focus on the Certified EHR System
  • HITRUST CSF assessments are broken out into two types of assessment
    – Organizational: assesses the general information security controls that may impact the confidentiality, integrity or availability of ePHI
    – System: assesses the administrative, technical and physical controls specific to the implementation of a certified EHR technology
  • Each type of assessment is further scoped (tailored) based on very specific factors related to risk and an entity’s ability to implement appropriate and reasonable security measures
    – Organizational: includes type of organization, size, and revenue
    – System: includes average number of transactions and external interfaces
  • Assessments are further focused on high risk areas
    – Based on HITRUST’s analysis of breach data and feedback from over 200 healthcare and security experienced professionals
    – Focus on these risks first, adjust for your environment, and expand as dollars and resources allow (i.e., follow the 80/20 rule)
• 42. Key Components of the CSF Assurance Program
  • Standardized tools and processes
    – Questionnaire
      • Focus assurance dollars to efficiently assess risk exposure
      • Measured approach based on risk and compliance requirements
      • Ability to escalate assurance level based on risk
    – Worksheet for reporting compliance
    – Report that is consistently interpreted across the industry
  • Cost effective and rigorous assurance
    – Multiple assurance options based on risk
      • Self reporting
      • Remote testing—conducted by a CSF Assessor; includes interviews with key personnel and review of policies, procedures and other relevant documentation
      • On-site assessment—conducted by a CSF Assessor; includes remote testing and the review of system configurations and physical walkthroughs
    – Quality control processes to ensure consistent quality/output from CSF Assessors
• 43. Questionnaire
  Common Healthcare Information Protection (CHIP) Questionnaire:
  • Innovative approach to assess the quality of information protection practices in an efficient manner
  • Focus on the security capabilities and outcomes of an organization
  • Leverages key measures and supports benchmarking
  • Structured according to the high-risk areas identified in the CSF, which reflect the controls required to mitigate the most common sources of breaches for the industry
• 44. Use Sampling Techniques Where Appropriate
  • HITRUST CSF Assurance supports sampling when
    – Practices/locations are governed by one set of policies and procedures
    – Environments and administrative/technology controls are similar
  • There must be a basis for concluding the practices/locations are similar
    – Some dissimilarity may support sub-grouping and sampling within sub-groups
  • HITRUST recommended sample sizes (number of practices in population/group: minimum number of practices at which to perform security risk assessments)
    – More than 50: 10%, maximum of 25 practices
    – 15 to 50: minimum of 5 / use judgment
    – Fewer than 15: minimum of 3 / all practices
  • Sampling should be random, but other methods could be supported
  • Inconsistent results from the sample imply …
    – All practices/locations may need to be addressed / assessed
  • Exceptions/deviations should be investigated to determine root cause(s)
  • If isolated instance or human error, may be able to select a replacement
  • Decision and rationale should be documented as part of the assessment
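An added example, not HITRUST tooling: a Python helper that applies the recommended sample sizes above to sub-groups of similar practices, draws a reproducible random sample, and encodes the follow-up rule for inconsistent results. It assumes the 10% figure is rounded up and that populations under 15 get a floor of three practices (all of them if fewer exist); the practice identifiers are constructed.

```python
"""Practice-sampling helper for a multi-facility risk assessment.

Added example; it is not HITRUST tooling. It applies the recommended
sample sizes from the slide and the follow-up rules for inconsistent
results. Assumptions: the 10% figure is rounded up, and for populations
under 15 the floor is three practices (or all of them if fewer exist).
"""
import math
import random
from typing import Dict, List, Set, Tuple


def minimum_sample_size(population: int) -> int:
    """Minimum practices to assess, per the recommended sample sizes.

    >50    -> 10% of the population, capped at 25 (assumed rounded up)
    15-50  -> minimum of 5 (judgment may raise it)
    <15    -> minimum of 3, or every practice if fewer than 3 exist
    """
    if population <= 0:
        raise ValueError("population must be positive")
    if population > 50:
        return min(25, math.ceil(population * 0.10))
    if population >= 15:
        return 5
    return min(3, population)


def draw_sample(groups: Dict[str, List[str]], seed: int) -> Dict[str, List[str]]:
    """Randomly select practices within each sub-group of similar practices.

    Sub-groups model the slide's advice to sub-group on dissimilarity and
    sample within each group. The seed belongs in the assessment record so
    the draw can be reproduced when the rationale is documented.
    """
    rng = random.Random(seed)
    sample = {}
    for name, practices in groups.items():
        size = minimum_sample_size(len(practices))
        sample[name] = sorted(rng.sample(practices, size))
    return sample


def follow_up(results: Dict[str, bool], isolated: Set[str]) -> Tuple[str, List[str]]:
    """Decide what the sampled results imply for one sub-group.

    results:  practice -> True if its controls were found consistent
    isolated: practices whose deviation was traced by root-cause analysis
              to an isolated instance or human error
    Returns ("sufficient", []), ("replace", [practices to re-draw]) or
    ("assess_all", [deviating practices]).
    """
    deviating = sorted(p for p, ok in results.items() if not ok)
    if not deviating:
        return ("sufficient", [])
    if all(p in isolated for p in deviating):
        return ("replace", deviating)
    return ("assess_all", deviating)


if __name__ == "__main__":
    # Constructed population: two sub-groups of a health system's practices.
    population = {
        "hospital-owned": [f"HOP-{i:02d}" for i in range(1, 61)],  # 60 practices
        "affiliated": [f"AFF-{i:02d}" for i in range(1, 9)],       # 8 practices
    }
    chosen = draw_sample(population, seed=2011)
    for group, practices in chosen.items():
        print(f"{group}: assess {len(practices)} of {len(population[group])}: {practices}")
    # Constructed results for the affiliated sub-group: one deviation, traced to human error.
    decision = follow_up({"AFF-02": True, "AFF-05": False, "AFF-07": True}, isolated={"AFF-05"})
    print("affiliated follow-up:", decision)
```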
• 45. Assist Physician Practices
  • HITRUST recognizes the constraints and limitations of physician practices and other small healthcare organizations
  • Small Organization Health Information Assurance Questionnaire (SOHIA)
    – Simplified questionnaire
      • Intended for self assessment
      • Assesses general organizational security for high risk factors
    – Automated technical assessment
      • Simple agent-based tool downloaded from vendor Web site
      • Assessment of current vulnerabilities
      • Re-assessment provides proof of corrective action
• 46. Take Remediation Seriously
• 47. Develop a Sound Corrective Action Plan
  • Meaningful use only requires a focus on the certified EHR, but …
  • Organizations are expected to routinely perform a risk analysis under HIPAA and manage/implement corrective actions
  • If a HIPAA risk assessment has not been performed in over two years, consider a broader risk assessment to stay aligned with HIPAA requirements
  • HITRUST includes a HIPAA Compliance Scorecard produced for each HIPAA security requirement
  • Ratings and benchmarks for high risk controls can help organizations prioritize remediation efforts
• 48. Benchmark Data
  [Chart: PRISMA score of the Organization versus Benchmark Orgs, with control areas grouped into Higher Priority CAPs and Lower Priority CAPs]
• 49. Actively Manage Remediation
  • HITRUST CSF Validated and Certified provide a standard assessment report, compliance scorecard and corrective action plans
  HITRUST Common Security Framework, CSF Assurance Toolkit 2010 / v1.0, Corrective Action Plan [TEMPLATE]
  Instructions: Use this spreadsheet to document the corrective action plan to remediate any findings resulting from an assessment under the CSF Assurance Program.
    – Weakness Identifier: The weakness identifier will be used to track and correlate weaknesses that are ongoing throughout quarterly submissions within the organization. A rule of thumb is to use an abbreviated name, the quarter, the year, and a unique number. Ex. SYSX_3_2009_1
    – Weakness Description: Weaknesses represent any program or system-level information security vulnerability that poses an unacceptable risk of compromising confidentiality, integrity or availability of information. Ex. 1—Granting, transfer and termination procedures for user system access are not established
    – HITRUST CSF Control Reference(s): Related HITRUST CSF Control Specification for the identified weakness. Ex. 01.b User Registration
    – Organizational Point of Contact (PoC): A POC is the organization, department or title of the position within the organization that is directly responsible for mitigating the weakness. Ex. System X Director of IT Security
    – Resources Required: Resources required include the funding (denoted in dollars) or man-hours necessary for mitigating a weakness. The type of funding (current, new or reallocated) should be noted. Ex. 120 hours, current staff
    – Scheduled Completion Date: Completion dates should be set based on a realistic estimate of the amount of time it will take to collect the resources for the corrective action and implement/test the corrective action. Ex. 8/31/2009
    – Milestones with Completion Dates: Milestones with completion dates outline the specific high-level steps to be executed in mitigating the weakness and the estimated completion date for each step. Ex. Develop user registration procedures for granting, transferring, and terminating access, 8/1/2009; Submit to System X Administrator for review and input, 8/15/2009
    – Changes to Milestones: Changes to milestones indicate the new estimated future date of a milestone’s completion if the original date is not met. Ex. None noted to-date
  • Remediation of security deficiencies is required to maintain CSF Validated status
    – No gaps with prioritized requirements (controls) are allowed with CSF Certified status
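An added example covering this CAP template and the reporting metrics on the earlier "Actively Manage Remediation" slide; it is not HITRUST's toolkit. It models a CAP record with the template's fields, checks the weakness identifier rule of thumb, and computes the three metrics from a constructed portfolio; the high/medium/low risk rating scale is an assumption.

```python
"""Corrective action plan (CAP) portfolio metrics.

Added example, not HITRUST's CSF Assurance toolkit. It models a CAP record
with the fields of the template and computes the three status metrics the
deck names for reporting to senior management. The weakness identifier
follows the template's rule of thumb (abbreviated name, quarter, year,
unique number, e.g. SYSX_3_2009_1). All CAP records are constructed.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Abbreviated name, quarter 1-4, four-digit year, unique number.
IDENTIFIER_RE = re.compile(r"^[A-Z0-9]+_[1-4]_\d{4}_\d+$")


@dataclass
class CorrectiveActionPlan:
    weakness_id: str
    risk: str                    # "high", "medium" or "low" (assumed scale)
    approved: bool               # formally approved by management
    scheduled: date              # scheduled completion date
    remediated: Optional[date]   # date the weakness was closed, if closed

    def __post_init__(self) -> None:
        if not IDENTIFIER_RE.match(self.weakness_id):
            raise ValueError(f"weakness identifier not in expected form: {self.weakness_id}")

    def behind_schedule(self, today: date) -> bool:
        """Still open after the scheduled completion date."""
        return self.remediated is None and today > self.scheduled


def approval_coverage(caps: List[CorrectiveActionPlan], deficiencies: int) -> float:
    """CAPs developed and approved as a percentage of identified deficiencies."""
    approved = sum(1 for c in caps if c.approved)
    return round(100.0 * approved / deficiencies, 1)


def schedule_status_by_risk(caps: List[CorrectiveActionPlan],
                            today: date) -> Dict[str, Dict[str, float]]:
    """Open CAPs on time vs behind schedule, sorted by risk rating (high first)."""
    status = {}
    for risk in ("high", "medium", "low"):
        open_caps = [c for c in caps if c.risk == risk and c.remediated is None]
        if not open_caps:
            continue
        behind = sum(1 for c in open_caps if c.behind_schedule(today))
        status[risk] = {
            "open": len(open_caps),
            "behind_pct": round(100.0 * behind / len(open_caps), 1),
            "on_time_pct": round(100.0 * (len(open_caps) - behind) / len(open_caps), 1),
        }
    return status


def remediated_over_time(caps: List[CorrectiveActionPlan],
                         cutoffs: List[date]) -> List[Tuple[str, float]]:
    """Cumulative percentage of all actively managed CAPs closed by each cutoff."""
    series = []
    for cutoff in cutoffs:
        closed = sum(1 for c in caps if c.remediated is not None and c.remediated <= cutoff)
        series.append((cutoff.isoformat(), round(100.0 * closed / len(caps), 1)))
    return series


def constructed_portfolio() -> List[CorrectiveActionPlan]:
    """Six constructed CAPs for one system ("SYSX"), Q3/Q4 2009."""
    C = CorrectiveActionPlan
    return [
        C("SYSX_3_2009_1", "high", True, date(2009, 8, 31), date(2009, 8, 28)),
        C("SYSX_3_2009_2", "high", True, date(2009, 9, 15), None),
        C("SYSX_3_2009_3", "medium", True, date(2009, 10, 31), None),
        C("SYSX_3_2009_4", "medium", False, date(2009, 11, 30), None),
        C("SYSX_3_2009_5", "low", True, date(2009, 9, 30), date(2009, 10, 5)),
        C("SYSX_4_2009_1", "low", True, date(2009, 12, 15), None),
    ]


if __name__ == "__main__":
    caps = constructed_portfolio()
    today = date(2009, 10, 1)
    print("approved CAPs / identified deficiencies:", approval_coverage(caps, 8), "%")
    print("schedule status by risk:", schedule_status_by_risk(caps, today))
    print("remediated over time:", remediated_over_time(
        caps, [date(2009, 8, 31), date(2009, 9, 30), date(2009, 10, 31)]))
```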
• 50. Conducting your Meaningful Use Risk Assessment
  Five steps to getting started with the CSF Assurance Program:
  1. Visit http://www.hitrustalliance.net/selfassessment/ for performing your meaningful use risk assessment.*
  2. Identify your scope
     – Details on slides 15 and 40
  3. Perform an assessment using the Common Health Information Protection Questionnaire (CHIP) and Compliance Worksheet.**
     – Details on slides 16-20 and 42-43
  4. Submit your CHIP to HITRUST
  5. Obtain a HITRUST CSF Validated Report with benchmarking data and CAP
     – Details on slides 23-24 and 46-48
  6. Register and attest for meaningful use Stage 1
     – Details on slides 26-30
  *For other assurance options, including remote and on-site assessments via a third party CSF Assessor, please visit http://www.hitrustalliance.net/assurance/
  **A Compliance Worksheet is required for assessments conducted by a CSF Assessor or when a compliance scorecard is requested (e.g., HIPAA Security Rule)
• 51. For More Information:
  For more information on the CSF Assurance Program visit: www.HITRUSTAlliance.net/assurance
  For a list of HITRUST CSF Assessors visit: www.HITRUSTAlliance.net/Assessors_List.pdf
  HITRUST Central professional subscribers can contact customer support for questions: support@HITRUSTalliance.net