EHR Security

1
EHR RoadmapWebEx
Stratis Health, the Minnesota Quality
Improvement Organization in partnership with
other QIOs, presents . .

• EHR Security

2
Presenter

• Margret Amatayakul
• RHIA, CHPS, CPHIT, CPEHR, FHIMSS
• President, Margret\A Consulting, LLC,
  Schaumburg, IL
• Consultant to Stratis Health DOQ-IT Project
• Independent information management and
  systems consultant,
  focusing on EHRs and
  their value proposition
• Adjunct faculty College of St. Scholastica,
  Duluth, MN, masters program in health informatics
• Founder and former executive director of
  Computer-based Patient Record Institute,
  associate executive director AHIMA, associate
  professor Univ. of Ill., information services
  IEEI
• Active participant in standards development,
  HIMSS BOD, and co-founder of and faculty for
  Health IT Certification

3
EHR Roadmap
4
Objectives

• Appreciate that security is necessary as much for
  good business practices as for HIPAA compliance
• Identify the security features and functions
  needed to afford confidentiality, data integrity,
  and availability in an electronic environment
• Ensure that there is an ongoing privacy and
  security compliance assurance program
• Practice techniques to reassure providers and
  patients of the privacy and security of
  electronic health information

5
EHR Security

• Security in an Electronic World

6
Its Not Just HIPAA

• Privacy and security are good business practices
• Patient privacy is part of the Hippocratic Oath
• Business information must be kept confidential
• Ensuring the safety of staff and visitors is
  essential
• Keeping cash, drugs, supplies, and other
  materials from theft is a business function
• Yet even such matters can be
• compromised through human
  
• factors, where people may not pay
  
• sufficient attention

7
But HIPAA Is Important

• Privacy rule compliance was required by April 14,
  2003, Security rule by April 20, 2005
• Compliance is not an end state, it is a
  beginning
• 160.308 Compliance Reviews
• The Secretary may conduct compliance reviews to
  determine whether covered entities are complying
  with the applicable requirements
• 160.310 Responsibilities of covered entities
• Provide records and compliance reports
• Cooperate with complaint investigations and
  compliance reviews
• Permit access to information . . . pertinent to
  ascertaining compliance

8
Also bear in mind,

• Purpose of HIPAA Administrative Simplification
• To improve the efficiency and effectiveness of
  the health care system
• By encouraging the development of a health
  information system
• Through the establishment of standards and
  requirements for the electronic transmission of
  certain health information
• Privacy rule tends to assume a greater level of
  automation than exists today
• Security rule only addresses electronic data

9
Security Is A Concern

• Stratis Health Attitudes Survey suggests security
  of EHR is on the minds of clinics
• Security impacts CIA
• Confidentiality protecting against wrongful
  disclosure and ensuring privacy rights
• Integrity of data keeping data from being
  altered or destroyed, such as by viruses and
  other malware, or human error
• Availability ensuring data are always available
  when needed, including protecting against
  degradation of system performance

10
Confidentiality

• There have been breaches in the security of
  electronic protected health information (ePHI)
• There have been wrongful disclosures of PHI from
  paper record systems
• There has been identity theft in provider
  settings that has nothing to do with ePHI

The case of . . .
11
EHR Security

• EHR System Security

12
HIPAA Security is Risk Based

• 164.306 Security Standards - In deciding which
  security measures to use, a covered entity must
  take into account
• Size, complexity, capabilities
• Technical infrastructure
• Costs
• Probability and criticality of potential risks

12
13
Risk Analysis Steps

• Owner guidance on risk
• Inventory characterize policies, procedures,
  processes, physical layout, systems
• Identify threats
• Identify vulnerabilities
• Determine likelihood risks may actually occur
• Analyze impact if risk actually occurs
• Determine rate each risk
• Analyze appropriate types of controls
• Recommend controls describe residual risk
• Document results

13
14
Threats Vulnerabilities

• Accidental Acts
• Incidental disclosures
• Errors and omissions
• Proximity to risk areas
• Work stoppage
• Equipment malfunction
• Deliberate Acts
• Inattention/inaction
• Misuse/abuse of privileges
• Fraud
• Theft/embezzlement
• Extortion
• Vandalism
• Crime
• Environmental threats
• Contamination
• Fire
• Flood
• Power

• Administrative
• Policy
• Accountability
• Management
• Resources
• Training
• Documentation
• Physical
• Entrance/exit controls
• Supervision/monitoring
• Locks, barriers, routes
• Devices
• Disposal
• Technical
• New applications
• Major modifications
• Network reconfiguration
• New hardware
• Open ports

14
15
Probability of Occurrence Criticality of Impact

• Has it happened before?
• How frequently?
• Does threat source have
• Access, knowledge, motivation?
• Predictability, forewarning?
• Known speed of onset, spread, duration?
• Are controls available to
• Prevent?
• Deter?
• Detect?
• React?
• Recover?

• Patient care
• Confidentiality
• Complaint/lawsuit
• Reduce productivity
• Loss of revenue
• Cost to remediate
• Licensure/ accreditation
• Consumer confidence
• Competitive advantage

15
16
Risk Analysis Tool
17
Risk Scoring
18
Greatest Areas of Risk in EHR for Clinics

• Not performing a true risk analysis
• Access and audit controls
• Not acquiring an EHR with strong, role-based
  access controls and audit controls
• Not establishing strong controls, often due to
  lack of break-the-glass controls in products
• Not removing access privileges on a timely basis
• Users not adhering to requirement for unique
  userID and authentication
• One-time-only security training, with few
  reminders and awareness building
• Not correlating security incidents with privacy
  complaints and addressing root cause

19
More Risk Areas

• Inadequate contingency plans
• Only on-site back up
• No processor redundancy
• Minimal disaster recovery/emergency mode
  operation (a.k.a. business continuity) plan
• Minimal space for data center, sometimes shared
  space, often exposed equipment
• Lack of investment in and attention to
  maintenance of strong malware protection
• Lack of policy surrounding use of personal
  devices
• Inattention to change control changing defaults,
  returning security controls to proper status

20
Examples of Tools to Help
21
Access Controls and Authentication
21
22
Audit Controls

• Turn on
• Use well-defined access controls
• Use UserIDs
• Review regularly for patterns
• Consider software to analyze for patterns

22
23
In Case Youre Not ConvincedTop OCR Complaints

• Top five types of complaints
• Impermissible uses disclosures
• Lack of adequate safeguards (e.g., charts left
  around)
• Refused access
• Disclosure of more than minimum necessary
• Inadequate authorization or no NOPP

• Top five sources of complaints
• Private providers
• Hospitals
• Pharmacies
• Outpatient facilities (e.g., ASC)
• Group health plans

24
HIMSS/Phoenix Summer 2005

• Most difficult security areas for providers to
  address
• Audit Controls (55)
• Contingency Planning (47)
• Risk Management/Risk Analysis (45)
• Information System Activity Review (45)

25
Not As Much Risk

• Email most are cautious, follow guidance, use a
  portal
• More commonly a risk for patients themselves
• Some education for patients can be helpful
• Firewalls, intrusion detection, and other
  transmission security controls often included
  in standard
  purchases
• Workstation security
  most have worked
  
  on such issues under
  
  privacy because they
  
  are most visible
• Disposal

26
EHR Security

• Ongoing Security Compliance

27
Compliance Continual Monitoring
27
28
Compliance Assurance Plan
29
EHR Security

• Patient Communications

30
Security ? Secret Process
Hiding your note taking is passé, and may
raise suspicions
Youve always engaged patients sometimes
Explain what youre doing, including logging on
and off for security!
Engage patient for better compliance
31
Stratis Health is a non-profit independent
quality improvement organization that
collaborates with providers and consumers to
improve health care.
This presentation was created by Stratis Health
under a contract with the Centers for Medicare
Medicaid Services (CMS). The contents do not
necessarily reflect CMS policy.