Meaningful Use Webcast
October 3, 2013
• MU Security Objectives
• Direct Messaging
• Questions
MU Security Objective
• Security’s Importance to Meaningful Use
• The Security Objective
• Satisfying the Objective
• Security Mechanisms in the EHR Software
How Important is Security?
• Patient’s Privacy
• Trustworthiness
• Interoperability Goals
Core Objective
• EH / CAH -> 42 CFR §495.6(l)(15)
• EP -> 42 CFR §495.6(j)(16)
The Objective
• Protect electronic health information created or maintained by the CEHRT through implementation of appropriate technical capabilities.
Items to Note
• Not Percentage-based
• Satisfied through attestation
The Measure
• Conduct or review a security Risk Analysis in accordance with the requirements under 45 CFR 164.308(a)(1) including addressing the encryption / security of data stored in the Certified EHR Technology in accordance with requirements under 45 CFR 164.132(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct any identified security deficiencies as part of the EH’s, CAH’s or EP’s Risk Management process.
What is being asked by CMS?
• All EHs, EPs, and CAHs must conduct an SRA (or review a previous SRA) per the HIPAA Security Administrative standard during the attestation period.
• Address the Security / Encryption of Data stored and in use in accordance with HIPAA Technical Standards.
• Implement security updates as necessary.
• Correct any identified security deficiencies as a part of the risk management process.
Questions Frequently Asked of CPSI
• When should the SRA be conducted?
• We already perform one yearly as a part of our hospital policy; do we have to do another, or does that one count?
• Do all findings need to be mitigated by the end of the attestation period?
• How do you conduct a security risk analysis?
How to conduct a Security Risk Analysis
• National Institute of Standards and Technology (NIST)
• Assessing Risk – A Path to Action www.trubridge.net/webinars
The Assessment Process
[Diagram labels: Risk Management; Risk Analysis; Data Gathering; Risk Identification; Control Assessment; Planning; Implementation; Monitoring]
Source: Assessing Risk: A Path to Action
Implementation Monitoring
System Screen
Rule Based Security
Data Encryption
Employee Log
Patient Log
Where can I find out more?
• CPSI Meaningful Use Security Roadmap
• http://www.healthit.gov/providers-professionals/ehr-privacy-security
• ONC’s Guide to Privacy and Security of Health Information
  • Chapter 2 specifically addresses MU
Direct Messaging
• What is Direct Messaging
• Objectives that Incorporate the use of Direct Messaging
Direct Messaging
• Requires a HISP (Health Information Service Provider).
• Allows sharing of information in a secure way.
Direct Messaging
• Simple
• Secure
• Scalable
• Standards-Based
What is a HISP?
[Diagram of HISP (Health Information Service Provider). Message path: Sender to Sender HISP; Sender’s HISP to Receiver’s HISP; Receiver's HISP to Receiver. Labels: Push the Message; Routing Information; Directory; Locate the Servers; Get the Message.]
Objectives Using Direct Messaging
• Transition/Summary of Care
• View Download Transmit
Transfer/Summary of Care
• Measure A: The eligible hospital that transitions or refers their patient to another setting of care or referral provides a summary of care record for more than 50% of transitions/referrals.
Transfer/Summary of Care
• Measure B: The eligible hospital that transitions or refers their patient to another setting of care or referral provides a summary of care record for more than 10% of such transitions and referrals electronically (via Direct).
Transfer/Summary of Care
• Measure C: The eligible hospital must satisfy one of the following criteria:
  • Conducts a successful electronic exchange of measure B with a recipient who has EHR technology designed by a different vendor than the sender's, OR
  • Conducts a successful electronic exchange of measure B with the CMS designated test EHR during the reporting period. (EHR-Randomizer)
How can I Prepare?
• Contact facilities to obtain Direct Addresses.
• Determine how your facility will exchange information for Measure C:
  • Exchange with a facility whose EHR was designed by a different EHR vendor.
  • Exchange with the CMS designated EHR-Randomizer.
View, Download, Transmit
• Measure A: More than 50% of all unique patients discharged during the reporting period have their information available online within 36 hours of discharge.
View, Download, Transmit
• Measure B (Stage 2 Only): More than 5% of all patients (or authorized representatives) who are discharged view, download or transmit to a 3rd party their information during the reporting period.
Future Webcast
• Set-Up and Registration of Direct Messaging
• Onboarding and Onboarding Process for an organization.
• Use of Direct Messaging with Non-Certified EHRs