Learning Objectives
Review of Cyber Security Challenges
Understand the changes to the meaningful use and advancing care information
Discussion of Advancing Care Information and its impact on Hospital physicians
Medical Identity Theft
• Medical identity theft increased 22% in 2014 (NBC News) and grew tenfold in 2015
• Medical identity theft is an epidemic (USA Today)
• Medical identity theft is low-hanging fruit (CBS News)
• Health records are worth a lot more on the black market: an estimated $50 to $70 each vs $2 for a hacked credit card
http://www.greenvilleonline.com/story/news/2017/08/29/medical-identity-theft-growing-threat/572830001/
2017 Data Breaches Reported in Georgia
(Entity: individuals affected, location of breached information)
• AU Medical Center: 6,109, email
• National DCP Health Plan: 1,190, email
• Braun Internal Medicine: 680, email
• Peachtree Neurological: 76,295, server
• GI Care for Kids Endoscopy: 1,700, server
• AU Medical Center: 5,600, email
• Skin Cancer Specialists: 3,365, server
2016 Breaches in GA
• Emory Healthcare: 79,930, hacking
• Peachtree Orthopaedic: 531,000, server
• Vascular Surgical: 36,496, server
• Athens Orthopedic: 200,000, server
Ransomware
• More than 4,000 ransomware attacks have occurred every day since the beginning of 2016.
• That is a 300% increase over 2015, when about 1,000 ransomware attacks were seen per day.
Source: Computer Crime and Intellectual Property Section (CCIPS), U.S. Department of Justice
Security Incident Response
Once ransomware is detected, the covered entity or business associate must initiate its security incident response and reporting procedures. See 45 C.F.R. 164.308(a)(6).
Security Incident Response
Begin with an initial analysis to:
• determine the scope of the incident, i.e. which networks, systems, or applications are affected;
• determine the origination of the incident (who/what/where/when);
• determine whether the incident is finished, is ongoing, or has propagated additional incidents throughout the environment; and
• determine how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited).
http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
Security Incident Response
Subsequent security incident response activities include:
• contain the impact and propagation of the ransomware;
• eradicate the instances of ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation;
• recover from the ransomware attack by restoring data lost during the attack and returning to "business as usual" operations; and
• conduct post-incident activities, which could include a deeper analysis of the evidence to determine if the entity has any regulatory, contractual or other obligations as a result of the incident (such as providing notification of a breach of protected health information), and incorporating any lessons learned into the overall security management process of the entity to improve incident response effectiveness for future security incidents.
http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
Security Incident Response
After the analysis and investigation is complete, determine if PHI was involved. If yes:
Unless the covered entity or business associate can demonstrate that there is a "…low probability that the PHI has been compromised," based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
Initiate Breach Notification Protocol (see 45 C.F.R. 164.400-414)
Security Rule: Technical Safeguards (§ 164.312)
• Access Control, § 164.312(a)(1): Unique User Identification; Emergency Access Procedure; Automatic Logoff; Encryption and Decryption
• Audit Controls, § 164.312(b)
• Integrity, § 164.312(c)(1): Mechanism to Authenticate Electronic Protected Health Information
• Person or Entity Authentication, § 164.312(d)
• Transmission Security, § 164.312(e)(1): Integrity Controls; Encryption
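The Integrity standard above asks for a "mechanism to authenticate ePHI," and the Audit Controls standard asks that activity on ePHI be recorded against a unique user ID. The following is an added illustration written for this page, not code from the presentation or from any EHR vendor: it seals a constructed sample record with an HMAC-SHA256 tag, shows the tag rejecting a record whose allergy list was silently wiped (the kind of alteration ransomware or an insider can make), and writes each access as an audit event. The key value, user ID and record contents are made-up demo values.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key (assumption for this example). In production the
# integrity key lives in a KMS/HSM, is rotated, and is never stored beside
# the records it protects.
INTEGRITY_KEY = bytes.fromhex(
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
)


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 tag: a mechanism to authenticate ePHI (§ 164.312(c)(1))."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time; False means altered or forged."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def audit_event(user_id: str, action: str, patient_id: str, integrity_ok: bool) -> dict:
    """Audit-control entry (§ 164.312(b)) tied to a unique user ID (§ 164.312(a)(1))."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user_id": user_id,
        "action": action,
        "patient_id": patient_id,
        "integrity_ok": integrity_ok,
    }


# Constructed sample ePHI record for the demo (not real patient data).
SAMPLE_RECORD = {
    "patient_id": "P-1001",
    "allergies": ["penicillin"],
    "note": "Follow-up in 2 weeks.",
}


def demo():
    """Returns (intact verifies, tampered rejected, forged-tag rejected, audit log)."""
    sealed = seal(SAMPLE_RECORD)
    intact_ok = verify(sealed)

    # Simulate an unauthorized change to stored ePHI: the allergy list is wiped
    # but the old tag is left in place.
    tampered = copy.deepcopy(sealed)
    tampered["record"]["allergies"] = []
    tampered_ok = verify(tampered)

    # An attacker without the real key cannot produce a valid tag for the
    # modified record, so re-sealing with a guessed key is also rejected.
    forged = seal(tampered["record"], key=b"attacker-guess")
    forged_ok = verify(forged)

    log = [
        audit_event("u-4821", "read", SAMPLE_RECORD["patient_id"], intact_ok),
        audit_event("u-4821", "read", SAMPLE_RECORD["patient_id"], tampered_ok),
    ]
    return intact_ok, tampered_ok, forged_ok, log


if __name__ == "__main__":
    intact, tampered, forged, log = demo()
    print("intact verifies:", intact, "| tampered rejected:", not tampered,
          "| forged rejected:", not forged)
    for event in log:
        print(json.dumps(event))
```

An HMAC gives integrity and origin authentication but not confidentiality; the Encryption and Decryption and Transmission Security specifications in the same section are met separately (an AEAD mode such as AES-GCM provides both in one step). The audit events should be written to append-only storage that the application account cannot truncate, otherwise the audit trail is no more trustworthy than the records it covers.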
Relevant Facts
October 6th: GAO and Inspector General find HHS, FDA and VA among 24 agencies with ineffective security.
Five key control areas: 1. access controls, 2. configuration management, 3. segregation of duties, 4. contingency planning and 5. security management
Challenges for Providers
• Staffing
• Technology
• Budget
• Constant monitoring / constant change
• Human error
• Desire for more innovation
• Global threat
Cyber Security
• Board of Trustees should be informed
• Resources are required to address the security concerns
• Evaluate cyberliability insurance coverage
• Evaluate state resources designed to support hospitals
Meaningful Use
Attestation Moving to QNet
Starting in October 2017, CMS will open new user enrollment registration on the QNet portal. Between October and December 2017, you will be able to view your data in the existing CMS EHR Incentive Program's Registration and Attestation system.
Medicaid 2017 Reporting
Medicaid only: hospitals must report on objectives and Eligible Providers on 10 measures.
Certified EHR may be one of the following: 2014 Certification; 2015 Certification; or a combination of both.
Objectives
1) Protect electronic protected health information (ePHI) created or maintained by the CEHRT through the implementation of appropriate technical capabilities.
2) Use clinical decision support to improve performance on high-priority health conditions.
3) Use computerized provider order entry (CPOE) for medication, laboratory, and radiology orders directly entered by any licensed healthcare professional who can enter orders into the medical record per state, local, and professional guidelines.
4) Generate and transmit permissible discharge prescriptions electronically (eRx).
5) Health Information Exchange – The eligible hospital who transitions their patient to another setting of care or provider of care or refers their patient to another provider of care provides a summary care record for each transition of care or referral.
6) Use clinically relevant information from CEHRT to identify patient-specific education resources and provide those resources to the patient.
7) The eligible hospital that receives a patient from another setting of care or provider of care or believes an encounter is relevant performs medication reconciliation.
8) Patient Electronic Access – Provide patients the ability to view online, download, and transmit their health information within 36 hours of hospital discharge.
9) Public Health Reporting – The eligible hospital is in active engagement with a public health agency to submit electronic public health data from CEHRT except where prohibited and in accordance with applicable law and practice.
• Reduced from 11 to 5 measures
• Bonus for Public Registry Reporting / Clinical Data Registries
• Patient Electronic Access
• Electronic Care Coordination
• Health Information Exchange
• Bonus points for reporting to public health or clinical data registries
Advancing Care Information
• In 2017, there are two measure set options for reporting. The option you use to submit your data is based on your electronic health record edition.
• Option 1: Advancing Care Information Objectives and Measures
• Option 2: 2017 Advancing Care Information Transition Objectives and Measures
Advancing Care Information Reporting
• You can report the Advancing Care Information Objectives and Measures:
• If you have technology certified to the 2015 Edition; or
• If you have a combination of technologies from 2014 and 2015 Editions that support these measures.
Certified Electronic Records
• You can report the 2017 Advancing Care Information Transition Objectives and Measures:
• If you have technology certified to the 2015 Edition; or
• If you have technology certified to the 2014 Edition; or
• If you have a combination of technologies from 2014 and 2015 Editions.
Advancing Care Information Reporting
Individual: Attestation; QCDR; Qualified Registry; EHR Vendor
Group: Attestation; QCDR; Qualified Registry; EHR Vendor; CMS Web Interface (groups larger than 25)
Data Submission
Performance Category: Advancing Care Information
Proposed Performance Standard: Based on participation (base score) and performance (performance score). Base score: achieved by meeting the Protect Patient Health Information objective and reporting the numerator (of at least one) and denominator or yes/no statement as applicable (only a yes statement would qualify for credit under the base score) for each required measure. Performance score: decile scale for additional achievement on measures above the base score requirements, plus 1 bonus point.
Final Performance Standard: Based on participation (base score) and performance (performance score). Base score: achieved by meeting the Protect Patient Health Information objective and reporting the numerator (of at least one) and denominator or yes/no statement as applicable (only a yes statement would qualify for credit under the base score) for each required measure. Performance score: between zero and 10 or 20 percent per measure (as designated by CMS) based upon measure reporting rate, plus up to 15 percent bonus score.
Performance Standards 2017
Base ACI Objective and Measures
2017 ACI Transition Objectives
Limited Health Information Exchange
Protect Patient Information
E-Prescribing
Patient Electronic Access
Health Information Exchange
Security Analysis
E-Prescribing
Provide Patient Access
Send Summary of Care
Request and accept a Summary of Care (bonus)
ACI Performance Measures
Additional ACI Performance:
Coordination of Care through patient generated data
HIE: Clinical Information Reconciliation
Transition Performance:
Patient Electronic Access (patient access; view, download, transmit)
Patient Specific Education
Secure Messaging
Health Information Exchange
Medication Reconciliation
Immunization Registry reporting
5% bonus to report to the following: Syndromic Surveillance Reporting; Specialized Registry Reporting; Electronic Case Reporting; Public Registry Reporting; Clinical Data Registry Reporting
10% Use Certified Electronic System to Report
Bonus Points
Exceptions to ACI
• Non-patient-facing providers = 0%
• Insufficient Internet connectivity
• Extreme and uncontrollable circumstances
• Lack of control over availability of Certified Electronic Health Records
PICK YOUR PACE
• No submission: negative 4% payment adjustment
• Submit 1 Quality measure, 1 Improvement Activity, or 4-5 ACI measures
• Submit for a full year
• Submit at least 90 days
Presentation
Michele Madison - Partner, Healthcare, Healthcare IT, Data Security & Privacy Practices at Morris, Manning & Martin, [email protected]
Disclaimer
The materials and information presented and contained within this document are provided by MMM as general information only, and do not, and are not intended to constitute legal advice. Any opinions expressed within this document are solely the opinion of the individual author(s) and may not reflect the opinions of MMM, individual attorneys, or personnel, or the opinions of MMM clients. The materials and information are for the sole use of their recipient and should not be distributed or repurposed without the approval of the individual author(s) and Morris, Manning & Martin LLP. This document is Copyright © 2017 Morris, Manning & Martin, LLP. All rights reserved worldwide.