Last Chance to Review Your Security Risk Analysis

Transcription

1 Learning Forum Fridays Countdown to MIPS Data Submission Webinar Series Last Chance to Review Your Security Risk Analysis Emilie Sundie, MSCIS, PMP, CPHIMS Director, Health IT Services Kari Vanderslice, MBA Health Informatics Specialist November 17, 2017

2 To Submit Questions Via Chat Box: 1. Click the [Chat] option at the top right of the presentation. 2. The Chat panel will open. 3. Indicate that you want to send a question to All Panelists. 4. Type your question in the box at the bottom of the panel. 5. Click [Send]. 2

3 Learning Objectives At the completion of this training, the attendee will be able to: Identify required elements of a Security Risk Analysis (SRA). Describe the SRA process. Develop/maintain/provide documentation required to demonstrate compliance. Locate essential tools and resources. 3

4 Acronyms Used In Today s Presentation Acronym ACI ACO CEHRT CMS EHR ephi HIPAA MIPS ONC PHI QPP SRA Definition Advancing Care Information Accountable Care Organization Certified Electronic Health Record Technology Centers for Medicare & Medicaid Services Electronic Health Record Electronic Protected Health Information Health Insurance Portability and Accountability Act Merit-based Incentive Payment System The Office of the National Coordinator for Health Information Technology Protected Health Information Quality Payment Program Security Risk Analysis 4

5 Today s Presenters from Health Services Advisory Group (HSAG) Emilie Sundie, MSCIS, PMP, CPHIMS Director, Health IT Services Kari Vanderslice, MBA Health Informatics Specialist 5

6 SRA Defined An SRA is an ongoing process of discovering, correcting, and preventing security problems. Conducting an SRA is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. HIPAA Required Ensures Compliance Helps Reveal Areas at Risk 6 Sources:

7 SRA Is a Process, Not a Document Assess Risk Correct deficiencies Implement updates 7

8 SRA: An ACI Base Score Requirement Conducting an SRA is a Base Score requirement under the Advancing Care Information (ACI) category of the Quality Payment Program (QPP). QPP ACI ACI Base Measures SRA 8

9 Attesting Yes to the SRA The SRA measure is a required ACI base measure. To meet the ACI measure, Merit-based Incentive Payment System (MIPS)-eligible clinicians must attest Yes to: Conducting or reviewing an SRA. Implementing security updates. Correcting identified deficiencies. If the measure is not met, the entire ACI score will be zero. 9

10 What is the Actual Requirement? Objective Protect Patient Health Information (PHI) 10

11 2017 SRA Transition Objective and Measure Objective Protect Patient Health Information (PHI) Measure 1. Conduct or review a security risk analysis (SRA) according to 45CFR (a)(1) a. Address security (to include encryption) of electronic PHI data created or maintained by certified EHR technology (CEHRT)* 11 *In accordance with 45CFR (a)(2)(iv) and 45CRF (d)(3)

12 2017 SRA Transition Objective and Measure (cont.) Objective Protect Patient Health Information (PHI) Measure 1. Conduct or review a security risk analysis (SRA) according to 45CFR (a)(1) a. Address security (to include encryption) of electronic PHI data created or maintained by certified EHR technology (CEHRT) 2. Implement security updates 12

13 2017 SRA Transition Objective and Measure (cont.) Objective Protect Patient Health Information (PHI) Measure 1. Conduct or review a security risk analysis (SRA) according to 45CFR (a)(1) a. Address security (to include encryption) of electronic PHI data created or maintained by certified EHR technology (CEHRT) 2. Implement security updates 3. Correct identified security deficiencies 13

14 SRA According to 45CFR (a)(1) Standard Implement policies and procedures to: Prevent Detect Contain Correct security violations. Implementation The implementation specifications require that a security management process be in place. Process is the operative word 14

15 Implementation Elements of a Security Management Process Risk Analysis: Conduct an assessment of electronic PHI (ephi) Risk Management: Implement security measures Sanction Policy: Apply appropriate sanctions against workforce members who fail to comply Information System Activity Review: Regularly review records of activity such as access reports and audit logs 15 SRA According to 45CFR (a)(1)

16 Risk Analysis Required

17 Risk Analysis: Who? Who does it? You or a qualified outside party 17

18 Risk Analysis: What? Who does it? You or a qualified outside party Analysis or review? Analysis upon installation or upgrade Review covering each performance period 18

19 Risk Analysis: Constraints Who does it? HIPAA You or a qualified outside party SRA Analysis or review? Analysis upon installation or upgrade Review covering each performance period Constraints? Unique for each performance period Includes the whole performance period Conducted within the calendar year of the performance period 19

20 Risk Analysis: Identifying Risk Where is ephi? What is the threat/ vulnerability? How likely is it to occur? What is the impact? Impact x Likelihood = Risk Low: Accept Risk/Minimal Action Medium: Respond/Look at Controls High: Take Action Now! 20

21 Risk Analysis: Identifying Risk Where is ephi? What is the threat/ vulnerability? THREAT LIKELIHOOD How likely is it? What is the impact? Impact x Likelihood = Risk IMPACT Low (10) Medium (50) High (100) High (1.0) Low 10 x 1.00 = 10 High 100 x 1.0 = 100 Medium (0.5) Medium 50 x.05 = 25 Low (0.1) Low: Accept Risk/Minimal Action Medium: Respond/Look at Controls High: Take Action Now! 21

22 Use a Tool, Not a Checklist The Office of the National Coordinator for Health Information Technology s (ONC s) SRA tool, for example, will help you to: Identify Standards. Find detailed Implementation Specifications. Consider options. Recognize possible threats. Provides examples of safeguards Document activities and remediation plans. 22 Source:

23 Requirement to Address Encryption Address security (to include encryption) of electronic PHI data created or maintained by certified EHR technology.* Standards are identified as Required or Addressable. Encryption of data is Addressable. 23 *In accordance with 45CFR (a)(2)(iv) and 45CRF (d)(3)

24 Requirement to Address Encryption (cont.) Address security (to include encryption) of electronic PHI data created or maintained by certified EHR technology.* Standards are identified as Required or Addressable Encryption of data is Addressable Options for Addressable Specifications: Implement if reasonable and appropriate Implement an equivalent alternative if specification is unreasonable and inappropriate, and there is an alternative 24 *In accordance with 45CFR (a)(2)(iv) and 45CRF (d)(3)

25 Requirement to Address Encryption (cont.) Address security (to include encryption) of electronic PHI data created or maintained by certified EHR technology.* Standards are identified as Required or Addressable Encryption of data is Addressable Options for Addressable Specifications: Implement if reasonable and appropriate Implement an equivalent alternative if specification is unreasonable and inappropriate, and there is an alternative Document the decision in writing, including factors considered and basis for the decision 25 *In accordance with 45CFR (a)(2)(iv) and 45CRF (d)(3)

26 Risk Management Required

27 Implement Security Measures Establish and implement security measures by: Using SRA findings to identify/track risk remediation. Applying system and security updates as recommended. Risk ID 1 Description Status Responsible Party Risk Rating Mitigation Action Action Date No defined management process for user access re: terminations or change in responsibilities Closed HR - John Phillips Medium Policy for disabling user accounts developed and approved 09/15/2017 HR/IT Training on Policy 09/23/2017 Policy Implemented 10/01/ Media is compromised due to ineffective handling procedures In Progress CIO - Mark Waters High Media Handling Policy reviewed and updated 11/12/2017 Encryption Software for laptops procured 11/25/

28 Sanction Policy Required

29 Sanction Policy It is important to ensure that you have a Sanction Policy in place that: Defines the purpose of the policy. Defines the violations of the policy. Delineates possible disciplinary actions. Is freely available/known to all members of the organization. Sample policies are readily available from government and professional sources. 29

30 Sample Sanction Policy Acknowledgement 30

31 Information System Activity Review Required

32 Information System Activity Review You must implement procedures for regular activity review. Review who, what, when, and actions taken with: Audit logs Access reports Security Incidents Sample uses include: Detection of unauthorized access Tracking of PHI disclosures Demonstrating compliance 32

33 Data Validation Criteria

34 Data Validation for the SRA Measure The Centers for Medicare & Medicaid Services (CMS) conducts an annual data validation and audit process. If selected for data validation or audit, you will have 45 calendar days to complete data sharing, as requested. You must retain documentation related to your QPP participation for six years, including all documentation related to your SRA. Important Note: Failure to meet requirements for the SRA measure has been the most common cause of audit failure. 34

35 Data Validation Criteria Document The Data Validation Criteria document, available through the QPP Resource Library, is the current resource for accessing specific data validation criteria Library/Resource-library.html

36 Data Validation Criteria Document (cont.) The Data Validation Criteria states that documentation needs to be from CEHRT and be inclusive of: Dates during the selected continuous 90-day or year long performance reporting period. Clinician identification, e.g., National Provider Identifier (NPI). Documentation of, at minimum, one patient. Suggested documentation includes: A document assessing potential risks and vulnerabilities (SRA). Evidence that you have addressed encryption/security of data stored in CEHRT, including proof: That an SRA was performed for the clinician s system. Of implementation of security updates and correction of identified security deficiencies 36

37 Examples of Past SRA Criteria Evaluated Appropriate date for the Risk Analysis 37

38 Examples of Past SRA Criteria Evaluated (cont.) Appropriate date for the Risk Analysis Tangible SRA document 38

39 Examples of Past SRA Criteria Evaluated (cont.) Appropriate date for the Risk Analysis Tangible SRA document Tangible risk/remediation register 39

40 Examples of Past SRA Criteria Evaluated (cont.) Appropriate date for the Risk Analysis Tangible SRA document Tangible Risk/Remediation Register Proof of security updates 40

41 Essential Tools and Resources

42 Questions for Your EHR Vendor Ask your vendor these questions: Where is my data stored? How do I access/generate audit logs? What security policies and procedures do you have in place? How can I confirm my software updates? Don t forget other vendors: faxes, copiers, scanning workstations 42

43 Government Resources HHS.gov Guidance on Risk Analysis National Institute of Standards and Technology (NIST) Toolkit NIST HIPAA Security Toolkit Application Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) Tool HIPAA Security Risk Assessment (SRA) Tool (downloadable & paper-based) ONC Health IT Playbook, Privacy & Security Section Other Resources: Professional Organizations, Security Vendors, ACOs 43

44 Revisiting the Value of YES The SRA measure is a required ACI base measure. If the measure is not met, your ACI score will be zero. To meet the ACI measure, Merit-based Incentive Payment System (MIPS)-eligible clinicians must attest YES to: Conducting or reviewing an SRA. Implementing security updates. Correcting identified deficiencies. 44

45 Key Takeaways The important points to remember about SRA are that you must: 1. Assess a. Identify/track threats and vulnerabilities b. Address encryption 2. Implement a. Develop policies and procedures b. Apply updates 3. Correct Deficiencies a. Enforce policies, procedures b. Remediate risks Correct Assess Implement 45

46 HSAG QPP Service Center Available 46

47 QPP Technical Assistance Resource Guide 47 Source: The Centers for Medicare & Medicaid Services

48 Next Learning Forum Friday Event: December 1, 2017 Strategize to Report Your Best Performance For additional event topics and registration information please visit: Topics and dates are subject to change, so please check the webpage for up-to-date information. 48

49 General Resources CMS Quality Payment Program Website Subscribe to the QPP ListServe Medicare Learning Network Learning Management System Booklet (LMS) FAQs Learning-Network-MLN/MLNProducts/Downloads/LMPOS-FAQs- Booklet-ICN pdf Associations Offering Credit for MLN Events and Training Learning-Network-MLN/MLNGenInfo/CE-Associations.html 49

50 CMS and HSAG Announcements Virtual Groups Public Webinar Date: Tuesday, November 21 st Time: 1 2 p.m. ET Registration Link: HSAG MIPS Readiness Professional Certificate Program coming soon! QPP Year Two Final Rule comment period ends January 2, 2018, 5 p.m. ET. For more information visit: 50

51 CE Approval This program has been pre-approved for 1.0 CE unit for the following professional boards: National o Board of Registered Nursing (Provider #16578) Florida o Board of Clinical Social Work, Marriage & Family Therapy and Mental Health Counseling o Board of Nursing Home Administrators o Board of Dietetics and Nutrition Practice Council o Board of Pharmacy Please Note: To verify CE approval for any other state, license, or certification, please check with your licensing or certification board. 51

52 CE Credit Process 1. Register in HSAG s Learning Management Center (LMC) at 2. Once you have registered in the LMC, you must complete the evaluation that will appear in WebEx at the conclusion of the webinar. a. Following the event, please do not close the WebEx evaluation window. You will not be able to access the evaluation and request CE if you close the window. b. CEs are only available to attendees that participate in the live event. c. If for some reason you completed the evaluation and do not have the link to the new user registration, please refer to Step #1 or contact Debra Price at dprice@hsag.com for CE certificate questions. 52

53 CE Credit Process: Existing User To login to your existing LMC account click 53

54 CE Credit Process (cont.) Following the conclusion of the webinar, you will also receive a Thank You for Attending using the address provided during registration. You will be requested to register in the HSAG Learning Management Center (LMC). This is a separate registration from WebEx. Please use your personal so you can receive your certificate. Your organization may have firewalls up that block our certificates. 54

55 CE Certificate Problems If you do not immediately receive a response to the that you signed up with in the Learning Management Center, you have a firewall up that is blocking the link that was sent. Please go back to the New User link and register your personal account. Personal s do not have firewalls. 55

56 HSAG QPP Technical Assistance Line Toll free: Monday Friday 8 a.m. to 8 p.m. ET HSAG QPP Support: HSAGQPPSupport@hsag.com 56

57 This material was prepared by Health Services Advisory Group, Inc., the Medicare Quality Improvement Organization for Arizona, under contract with the Centers for Medicare & Medicaid Services (CMS), an agency of the U.S. Department of Health and Human Services. The contents presented do not necessarily reflect CMS policy. Publication No. QN-11SOW-D