Page 1: Meaningful Use Security Risk Assessment (SRA): Resources for Eligible Professionals (EPs) Kim Bell, MHA, FACHE, PCMH-CCE Executive Director Georgia Health

Meaningful Use Security Risk Assessment (SRA):

Resources for Eligible Professionals (EPs)

Kim Bell, MHA, FACHE, PCMH-CCE

Executive Director

Georgia Health Information Technology Extension Center

Page 2

Learning Objectives

Upon completion of this session, Eligible Providers and their office staff will be able to:

Identify resources available to assist providers in identifying their level of risk against pre-identified threats and vulnerabilities related to the stringent HIPAA privacy and security requirements of meaningful use.

Presentation material derived from: Office of the National Coordinator for Health Information Technology (ONC), “Guide to Privacy and Security of Health Information”, Version 1.2, 060112.

http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf.


Page 3

Sources

Disclaimers:

1. Information contained in the guide is not intended to serve as legal advice nor substitute for legal counsel.

2. The guide is not exhaustive; readers are encouraged to seek additional detailed technical guidance.

http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf


Page 4

Privacy & Security and Meaningful Use (MU)

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/


Page 5

Privacy & Security and MU: The “SRA”

Eligible Professionals (EPs) must:

• conduct or review a security risk assessment/analysis (SRA) of certified EHR technology;

• implement updates as necessary at least once prior to the end of the EHR reporting period;

• attest to that conduct or review; and

• complete a security update if any security deficiencies were identified during the risk analysis.


Page 6

The “SRA”

A security risk assessment/analysis is a systematic and ongoing process of both:

• Identifying and examining potential threats and vulnerabilities to protected health information (PHI) in your medical practice; and

• Implementing changes to make PHI more secure than at present, then monitoring results (i.e., risk management).


Page 7

The “SRA” cycle:

• Review existing security of PHI

• Identify threats

• Assess risks for likelihood & impact

• Mitigate security risks

• Monitor results


Page 8

The “SRA”: Key Elements of a Comprehensive Risk Assessment/Analysis Program

1. Scope the Assessment.

2. Gather information.

3. Identify realistic threats.

4. Identify potential vulnerabilities.

5. Assess current security controls.

6. Determine the likelihood and impact of a threat.

7. Determine the level of risk.

8. Recommend security controls.

9. Document the Risk Assessment results.

(NIST SP 800-66)

http://www.nist.gov/manuscript-publication-search.cfm?pub_id=908030
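As an added illustration (not from the slides or the ONC guide), a small risk register in Python that walks steps 3 to 9 above for a few constructed sample findings in a small practice. The three-level likelihood/impact matrix and the sample findings are assumptions, modelled on NIST SP 800-30 style qualitative ratings.

```python
from dataclasses import dataclass

# Qualitative scale: an assumption modelled on NIST SP 800-30 style ratings, not from the slides.
LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class RiskItem:
    asset: str                 # where PHI is created, stored or transmitted (step 2)
    threat: str                # realistic threat (step 3)
    vulnerability: str         # weakness the threat could exploit (step 4)
    existing_control: str      # what is in place today (step 5)
    likelihood: str            # low / medium / high (step 6)
    impact: str                # low / medium / high (step 6)
    recommended_control: str   # proposed mitigation (step 8)

def risk_level(likelihood: str, impact: str) -> str:
    """Step 7: derive the risk level from a 3x3 likelihood x impact matrix."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:       # medium/high or high/high
        return "high"
    if score >= 3:       # low/high, medium/medium, high/low
        return "medium"
    return "low"

def build_register(items):
    """Step 9: document the results as a register, highest risk first."""
    rows = []
    for i in items:
        rows.append({"asset": i.asset, "threat": i.threat,
                     "vulnerability": i.vulnerability, "existing_control": i.existing_control,
                     "likelihood": i.likelihood, "impact": i.impact,
                     "risk": risk_level(i.likelihood, i.impact),
                     "recommended_control": i.recommended_control})
    return sorted(rows, key=lambda r: (-LEVELS[r["risk"]], r["asset"]))

# Constructed sample findings for a small practice (illustrative only).
SAMPLE_ITEMS = [
    RiskItem("Clinician laptop", "Loss or theft of device", "Disk not encrypted",
             "Password login only", "medium", "high", "Enable full-disk encryption"),
    RiskItem("EHR server", "Ransomware delivered by phishing", "No tested offline backup",
             "Nightly backup to same network share", "medium", "high", "Offline, tested backups"),
    RiskItem("Front-desk workstation", "Shoulder surfing from waiting room", "Screen faces public area",
             "None", "high", "low", "Privacy filter and short screen-lock timeout"),
    RiskItem("Shared EHR login", "Access by departed staff", "Accounts not disabled at departure",
             "Quarterly user review", "low", "medium", "Individual accounts, same-day deprovisioning"),
]
```

Calling build_register(SAMPLE_ITEMS) returns the register ordered for mitigation, with the two high-risk findings first.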


Page 9

SRA… Fact or Fiction?


Page 10

The “SRA”: Resources
