Risk Assessment

Date post: 31-Dec-2015
Page 1: Risk Assessment

Risk Assessment

Robert Morris, VP Business Services, Ion IT Group, Inc

www.IonITGroup.com

Page 2: Risk Assessment


Who I am

• Robert Morris, VP of Business Services
• 20 years healthcare experience
• Sr healthcare information technologist in engineering and applications
• 18 years HIPAA security specialist
• VP Innovation, TNHIMSS
• Previously employed by: ONC/TNREC, Community Health Systems, Healthstation, IBM, numerous ambulatory providers/CAHs

Page 3: Risk Assessment


Nashville

Page 4: Risk Assessment


Not my intent

Page 5: Risk Assessment


After our talk today you will be able to:

1. Confidently review your facility's Privacy & Security Risk Assessment
2. Help prepare your environment for data sharing
3. Use the available risk assessment tools

Page 6: Risk Assessment


Page 7: Risk Assessment


Most every provider has the goal of…

• Improving the health status of our community
• Reducing health care costs
• Improving the patient experience
• Enriching the lives of caregivers

Page 8: Risk Assessment


So how exactly do you actually become compliant with HIPAA, HITECH, Meaningful Use and Omnibus?

Page 9: Risk Assessment


Page 10: Risk Assessment


News from HIMSS 2014

Page 11: Risk Assessment


In summary, what is HIPAA?

HIPAA was the establishment of the Privacy and Security Rules for PHI.

• Privacy: definition of PHI, use and disclosure of PHI, notice of rights, how you handle PHI
• Security: definitions; how you secure PHI physically, technically and organizationally; and the risk assessment

Page 12: Risk Assessment


In summary, what is HITECH?

HITECH: the Health Information Technology for Economic and Clinical Health Act.

• It widened the scope of the Privacy and Security Rules
• It increased legal liability
• It created more specific enforcement of certain parts of the rule:
  • Breach notification
  • Created the vehicle for state enforcement
  • Created the vehicle for financial penalties
  • Created mandatory penalties for "willful neglect"

Page 13: Risk Assessment


In summary, what is Meaningful Use?

Meaningful Use and Risk Assessment

Objective: Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.

Page 14: Risk Assessment


In summary: Meaningful Use asks whether you are managing PHI by performing a risk assessment.

(Slide graphic: HIPAA, HITECH, Omnibus)

Page 15: Risk Assessment


Tools from HHS

Page 16: Risk Assessment

Tools from HHS (continued)

Page 17: Risk Assessment

We live in a complicated world…

Page 18: Risk Assessment


Healthcare Partner Services

Patient is referred to a clinical health partner via:
• Hospital discharge
• Emergency room visit
• Referred by physician
• Patient self-referral

(Slide diagram; service categories: Transitional, Ambulatory / Extended, Social Services)

Services shown:
• Hospital Discharge
• Skilled Care
• Home Visits
• Long Term Care
• Emergency Room
• Wellness Coaching
• Disease Management
• "Life" Resources
• "Family" Resources
• Psychosocial Needs
• Community Resources

Page 19: Risk Assessment


Page 20: Risk Assessment

"Covered entities and business associates have the burden of proof to demonstrate that data is managed and protected."

Source: Ponemon Institute 3rd Annual Benchmark Study Data Survey 2012

Page 21: Risk Assessment

What OCR found was troubling:

1. Minimal protection: A number of organizations lacked even rudimentary safeguards to protect their networks.
2. Poor data management: Many covered entities did not have a handle on where their data "lived." Some of it was in spreadsheets, some on individual workstations and much of it was, as expected, in core clinical applications.
3. Lack of oversight: Overall, OCR discovered a general lack of monitoring and audit controls. No one was minding the store, and breaches often went undetected.

Page 22: Risk Assessment


Recent penalties in the news

Page 23: Risk Assessment

How can a network breach happen?

(Slide diagram, labelled "Nerd stuff": Internet → Firewall/Router/Switch → Secure Network → PHI Host)

Page 24: Risk Assessment

Preparing for data sharing

PHI flows through every one of these:
• Inpatient stay
• Lab results
• Billing
• Care transition
• Surgical centers
• Business associate
• Hospice
• Home health
• Ambulatory care
• Health information exchange
• Referral
• On and on and on…

Page 25: Risk Assessment

How to help your organization with compliance.

Page 26: Risk Assessment

Accounting for Disclosures

Always indicate why treatment, payment, or authorization information is being disclosed.

Minimum Necessary Rule: "…take reasonable steps to limit the use or disclosure of, and requests for, [PHI] to the minimum necessary to accomplish the intended purpose."

Page 27: Risk Assessment

Tasks for the IT Dept

Role-Based Access: Manage who gets access to what, based on job function.

Firewall Review: Make sure that communication with the outside world is restricted to what is needed and is secure.

Wireless Security: Manage who gets Wi-Fi access and make sure the wireless network itself is secured.

Antivirus: Manage software to keep viruses and malware at bay.

Server/Workstation Updates: Make sure all software AND hardware gets appropriate updates to mitigate problems. Replace antiquated, unsupported hardware whenever possible.
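The Minimum Necessary Rule on the previous slide, the role-based access item above, and the OCR finding about missing audit controls are three parts of one control: filter each disclosure down to what the recipient's role needs, and log who received which fields of whose record and why, so an accounting of disclosures can be produced on request. The following Python is an added illustration written for this page, not code from the presentation or from Ion IT Group; the role-to-field table, the list of purposes, and the patient record are constructed assumptions for the demo, not anyone's real policy.

```python
"""Minimum-necessary disclosure with role-based field filtering and an
accounting-of-disclosures log. Added illustration; not from the slides."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role -> permitted fields. A real covered entity derives this
# from its own workforce role definitions; this table is an assumption.
ROLE_FIELDS = {
    "billing":   {"patient_id", "name", "dob", "insurance_id", "procedure_codes"},
    "clinician": {"patient_id", "name", "dob", "diagnoses", "medications", "procedure_codes"},
    "scheduler": {"patient_id", "name", "phone"},
}

# Purposes the audit trail will accept (assumed list for the demo).
ALLOWED_PURPOSES = {"treatment", "payment", "operations", "patient_request", "public_health"}


@dataclass
class DisclosureLog:
    """Append-only record of every disclosure; this is the audit control."""
    entries: list = field(default_factory=list)

    def record(self, patient_id, recipient_role, purpose, fields_sent):
        self.entries.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "patient_id": patient_id,
            "recipient_role": recipient_role,
            "purpose": purpose,
            "fields": sorted(fields_sent),
        })

    def accounting(self, patient_id):
        """Every logged disclosure of one patient's record, oldest first."""
        return [e for e in self.entries if e["patient_id"] == patient_id]


def disclose(record, recipient_role, purpose, log):
    """Return only the fields the role may see and log the disclosure.
    Unknown roles or purposes are refused rather than defaulting to full access."""
    if recipient_role not in ROLE_FIELDS:
        raise PermissionError(f"unknown role: {recipient_role}")
    if purpose not in ALLOWED_PURPOSES:
        raise PermissionError(f"unrecognised purpose: {purpose}")
    allowed = ROLE_FIELDS[recipient_role]
    filtered = {k: v for k, v in record.items() if k in allowed}
    log.record(record["patient_id"], recipient_role, purpose, filtered.keys())
    return filtered


# Constructed sample record for a fictional patient.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "dob": "1970-01-01",
    "phone": "555-0100",
    "insurance_id": "INS-42",
    "diagnoses": ["E11.9"],
    "medications": ["metformin"],
    "procedure_codes": ["99213"],
}

if __name__ == "__main__":
    log = DisclosureLog()
    print(disclose(SAMPLE_RECORD, "billing", "payment", log))     # no diagnoses/medications
    print(disclose(SAMPLE_RECORD, "scheduler", "operations", log))  # name and phone only
    for entry in log.accounting("P-0001"):
        print(entry)
```

The two checks a reviewer should look for in any real implementation are the same two in the toy: the filter is an allow-list keyed by role (an unknown role gets nothing, not everything), and the log entry is written in the same code path that releases the data, so no disclosure can happen without an entry.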


(Slide image caption: No longer supported. No security updates.)

Page 28: Risk Assessment

Tasks for the IT Dept

Backup: Keep a backup of all data.

Backup Encryption: Make backup data unreadable to snoopers.

Recovery: Have an operations and data recovery plan in case disaster strikes!

Page 29: Risk Assessment

Tasks for the IT Dept

The Heartbleed OpenSSL vulnerability (CVE-2014-0160) is serious!
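Why this one mattered for a PHI host: the bug was a missing bounds check in OpenSSL's TLS heartbeat handler, so a client could claim a 64 KB payload while actually sending four bytes, and the server would answer with whatever sat in its memory after the request, including session keys and data from other connections. The Python below is an added simulation written for this page, not OpenSSL's code and not part of the presentation; the "process memory" after the record is a constructed byte string, and Python slicing stops where the stand-in memory ends, whereas the C code kept reading.

```python
"""Why Heartbleed was serious: the heartbeat handler trusted the attacker's
payload length. Simulation added for this page; not OpenSSL code."""
import struct

# Constructed stand-in for what sat in process memory after the received record.
OTHER_MEMORY = b"...session_cookie=SECRET123;private_key_fragment=..."

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """RFC 6520 heartbeat: type(1) | payload_length(2) | payload | padding(>=16).
    claimed_length may disagree with len(payload); that mismatch is the attack."""
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING_LEN


def vulnerable_handler(record: bytes, memory_after: bytes) -> bytes:
    """Pre-1.0.1g behaviour: copies payload_length bytes starting at the payload
    without comparing payload_length to the size of the record that arrived."""
    _, payload_len = struct.unpack("!BH", record[:3])
    memory = record + memory_after          # what the process can read past the record
    payload = memory[3:3 + payload_len]     # over-reads when payload_len > real payload
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING_LEN


def fixed_handler(record: bytes, memory_after: bytes):
    """1.0.1g check: type + length + payload + minimum padding must fit inside the
    record, otherwise the heartbeat is silently discarded."""
    if 1 + 2 + PADDING_LEN > len(record):
        return None
    _, payload_len = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_len + PADDING_LEN > len(record):
        return None
    payload = record[3:3 + payload_len]     # bounded by the record itself now
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING_LEN


def leaked_bytes(response: bytes) -> bytes:
    """The payload the server echoed back, i.e. everything the client now holds."""
    _, payload_len = struct.unpack("!BH", response[:3])
    return response[3:3 + payload_len]


if __name__ == "__main__":
    honest = build_heartbeat(b"ping", 4)
    malicious = build_heartbeat(b"ping", 0xFFFF)     # four bytes sent, 65535 claimed
    print(leaked_bytes(vulnerable_handler(honest, OTHER_MEMORY)))      # b'ping'
    print(leaked_bytes(vulnerable_handler(malicious, OTHER_MEMORY)))   # ping, padding, then secrets
    print(fixed_handler(malicious, OTHER_MEMORY))                      # None: dropped
```

The practical consequence for the IT tasks on the previous slides: patching the library was necessary but not sufficient, because anything that may have been read out of memory (private keys, session cookies, passwords) has to be treated as disclosed and rotated.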

Page 30: Risk Assessment


For more information / additional resources:

• Penalties and Enforcement: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html
• Privacy and Security Guide from ONC: http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
• Breach Notification (Who do I notify?): http://ocrnotifications.hhs.gov/

Page 31: Risk Assessment


Thank you for your time today!

Robert Morris

[email protected]

www.IonITGroup.com
