Meaningful Use - Security Risk Assessment Demystified
MEANINGFUL USE RISK ASSESSMENTS
A STUDY OF RISK ASSESSMENTS AS A COMPLIANCE REQUIREMENT OF MEANINGFUL USE
Compliance with meaningful use requirements
A common thread in all stages of Meaningful Use requirements is the role of the Security Risk Assessment (SRA) as a core criterion for compliance. You must demonstrate you have met the criteria for the Electronic Health Records (EHR) incentive program’s privacy and security objective. At the time of this writing, the only privacy and security measure is to:
Conduct or review a security risk assessment of the certified EHR technology, and correct identified security deficiencies and provide security updates as part of an ongoing risk management process.
This statement seems deceptively simple on a first read. A closer look at the language and guidance provided by the U.S. Department of Health and Human Services (HRSA), the Office for Civil Rights (OCR), and the ONC reveals depth and meaning that are not readily apparent.
The SRA in its complete form is governed by a specific section of the Code of Federal Regulations consisting of three safeguards (administrative, technical, and physical). Within these safeguards, there are more than fifty (50) individual items which must be completed.
This article discusses this security measure and details the anatomy of an SRA. It is also important to note that this discussion treats the SRA both as a compliance requirement and as a meaningful way to make business decisions (manage cost). We argue that leveraging the SRA requirement of Meaningful Use benefits us in three ways: meeting Meaningful Use SRA requirements; meeting HIPAA SRA requirements; and effectively and efficiently making sound financial decisions about both technical and non-technical business matters.
Risk Assessments Drive Business
A risk assessment is a regular and repeatable process for evaluating risk to the business. It is arguably the most impactful tool at your disposal. Simply put, a well-done, mature risk assessment looks at all the bad things that could happen, how likely it is that something will happen, and how much it will cost when something does happen.
Said another way, a risk assessment combines operational and strategic needs with technical and financial considerations to produce a matrix which can then be used to make informed decisions. The risk assessment should be used to drive the technology and security budgeting process.
What is a Risk Assessment within the context of HIPAA’s Meaningful Use guidelines?
There is an enormous body of information from various government agencies including: The U.S. Department of Health and Human Services; the Office for Civil Rights; and the Office of the National Coordinator for Health Information Technology. It is from this body of information that we continue our discussion of Security Risk Assessments.
A brief definition of Risk Assessment
A risk assessment is the act of following a formalized approach to defining and documenting potential impact to a business.
A not-so-brief description of a risk assessment
Understanding what a risk assessment is can be deceptively easy. The most common misconception we see is business leaders viewing a Security Risk Assessment as a necessary “checkbox” required by Meaningful Use.
The true value of a Security Risk Assessment is not commonly understood or effectively communicated. Similar to what was seen in the community banking industry, legislators have put together a comprehensive requirement package (the Security Rule). If the policies and requirements of the Security Rule are adopted, a framework is in place that not only protects sensitive healthcare information, but can be leveraged to drive business growth and efficiency.
The fundamentals of a risk assessment include concepts of Vulnerability, Threat, Impact, and Risk.
A Vulnerability is some type of flaw or exposure which is capable of being exploited (e.g. the back door leading to the dumpster in the alley is left unlocked).
A Threat is a force or activity which has the potential to exploit a vulnerability (e.g. there is a guy in the alley checking doors to see if any of them are unlocked).
Impact is the severity of the damage incurred when a threat exploits a vulnerability (e.g. the laptop cost the business $1,000 and contained 100 sensitive records valued at $50 per record).
Risk is not a single factor or event. Rather, it is a combination of factors and events that, when they occur, adversely affect the business (e.g. the sneaky guy in the alley finds the unlocked door to the dumpster and enters the building; once inside, he finds an unattended laptop and makes off with it without being noticed).
A Security Risk Analysis Is Required
Meaningful Use requires everyone to perform a Security Risk Analysis. The SRA must meet the requirements of HIPAA’s administrative safeguard. Also required is correcting any identified deficiencies. The business must not only perform the SRA, but also must maintain a “documentation chain” as evidence of remediation or mitigation of any identified deficiencies.
Said another way, it is not enough to just perform an SRA. You must also keep records pertaining to what you’ve done to fix any problems the SRA reveals.
The Security Rule also indicates that the SRA is a necessary tool in reaching substantial compliance with many other standards and implementation specifications. Evidence of this can be found in the Security Rule 164.306(d)(3), which clarifies the distinction of an “Addressable Specification”.
An addressable specification in the Security Rule is not optional. Rather, if any specification is identified as not reasonable and appropriate, you must document why, and adopt an “equivalent measure” if it is reasonable and appropriate to do so. This is done through the SRA tool.
The Successful Security Risk Analysis Program
Client success is central to an SRA program. A successful business in the medical community includes compliance with Meaningful Use and HIPAA requirements. An SRA package must be designed to address these concerns.
The successful SRA program typically involves engaging a partner intimately familiar with your business who is committed to the success and growth of your organization. The program should also take a continuing approach to ensure measured and incremental changes to business process and technical solutions are fully understood and rigorously pursued as compliance requirements evolve.
The SRA Process
Step 1 – Identify the Scope of the Analysis
Aligning with section 164.306(a) of the Security Rule, Edafio’s SRA package includes a formal identification of vulnerabilities and threats to the Confidentiality, Integrity, and Availability (CIA) of electronic Personal Healthcare Information (PHI) your business creates, receives, maintains, or transmits.
Step 2 – Data Gathering
This process includes formal documentation and workflow diagrams designed to provide an overview of your individual handling of e-PHI throughout its entire lifecycle, including, but not limited to: the networks over which the information travels and the media on which the information is stored (e.g. CD-ROMs, backup tapes, computer hard drives, PDAs, cell phones).
Step 3 – Identify and Document Potential Threats and Vulnerabilities
A full Security Risk Assessment includes identifying and documenting “reasonably anticipated threats” to ePHI. This requirement is defined in the Security Rule 164.306(a)(2) and 164.16(b)(1)(ii). Edafio’s SRA package is tailored to your unique environment and is never “boiler-plated”. Our team of security experts will work with you to identify and document threats which are unique to your environment and circumstances. We will also help both quantify and qualify the associated business risk and provide a recommendation for remediation or mitigation of the risk.
Step 4 – Assess Current Security Measures
Assessors work with your staff to identify and document existing security measures in place to protect ePHI. These measures are evaluated against industry best practices, understood regulatory requirements, and your unique environment as identified in Step 2.
Risk Assessment Line Item Example
For the practically minded, this article includes an example of the process as detailed in the section “The SRA Process”.
The vulnerability: the back door at the office leading to the dumpster was found to be unlocked during a Security Risk Assessment exercise.
The threat the business has identified for this vulnerability: a guy walking down the alley checking all the doors to see if any of them are unlocked.
There is a seldom-used examination room near the back door that has a laptop computer which is not physically secured with a low-jack cable. The laptop cost about $1,000 including all the software licenses and holds approximately fifty (50) records containing sensitive personal information of existing patients.
Working the Example (Doing the math)
In our example, we are identifying a single risk to include in our full Security Risk Assessment. We are going to use two formulas.
First, we are going to get a “Risk Rating” by using the formula:
Second, we are going to calculate the “Impact Cost” by using the formula:
We consider our vulnerability rating a 4 out of 5 due to several factors, including that the hard drive was not encrypted, that we will lose productivity while the laptop is gone and being replaced, and that we only have three computers in our office.
Our business is downtown, and as such there is a significant chance someone may try the doors in the alley on a regular basis, so we set our base Threat Likelihood at 50%. But since we almost always keep the back door locked, we reduce that number to 10%.
Following our formula, our Risk Rating = 4 x 10%, or 0.4. Continuing the math, the impact of a single loss of the computer is $1,000 + (100 x $50), or $5,000.
To finish the math, the Impact for this single identified risk is $5,000 x 0.4, or $2,000.
Summarizing the Finding
Now that we have a hard number for how much the business could suffer because we occasionally forget to lock the back door, we can use that information to make decisions. An automatic locking mechanism for the back door would cost $750 to install. Alternatively, we could hire a security firm to set up a camera system and monitor it for $5,000 a year. Comparing the cost of these solutions, it doesn’t make sense to spend more money in a year than the total loss incurred if someone were to steal the laptop, so the right answer is to install an automatic locking mechanism on the door.