redspin february 17 2011 webinar - meaningful use

DESCRIPTION

- EHR Meaningful Use Incentive Program: Progress to Date
- What's New on the Security Front
- Navigating Meaningful Use Amidst a Changing Political Landscape
- Case Studies
- Mapping Your Internal Security Program for Compliance and Long Term Success
- The Challenges of Creating a Secure, Private Cloud Environment

TRANSCRIPT

Page 1: Redspin February 17 2011 Webinar - Meaningful Use

Meaningful Use and IT Security: A Live Update from the RSA Conference in San Francisco

Daniel W. Berger, Executive Vice President, Redspin, Inc.
[email protected]
(805) 576-7158

2/17/2011 http://www.redspin.com

Page 2

So yes, I was at RSA….

Page 3

Agenda

- EHR Meaningful Use Incentive Program: Progress to Date
- Navigating “Meaningful Use” Amidst a Changing Political Landscape
- Assessing Your Internal Security Program for Compliance and Long Term Success
- What's New on the Security Front
- The Challenges of Creating a Secure, Private Cloud Environment
- Case Study: Beth Israel Deaconess Medical Ctr

Page 4

Where Did It All Start?

• American Recovery and Reinvestment Act (ARRA)
  – Established new Medicare and Medicaid incentives to stimulate critically needed investments in health information technology (health IT)
• Two key concepts determine whether providers qualify for health IT incentives:
  – must make "meaningful use" of IT
  – use a "qualified or certified EHR" (electronic health record)

Page 5

The ONC Mandate

“Americans will benefit from electronic health records as part of a modernized, interconnected, and vastly improved system of care delivery.”

Dr. David Blumenthal, Office of the National Coordinator (ONC) for Health Information Technology (Outgoing Head)

Page 6

“Meaningful Use” – A Quick Review

- Use of a certified EHR in a meaningful manner (e.g. e-prescribing)
- Use of certified EHR technology for electronic exchange of health information to improve quality of health care
- Use of certified EHR technology to submit clinical quality and other measures

Page 7

Eligible Entities

– Eligible professionals (EPs)
– Eligible hospitals
– Critical access hospitals
– Certain Medicare Advantage Organizations whose affiliated EPs and hospitals are meaningful users of certified EHR technology

Page 8

Criteria and Standards

– Is the practice or hospital making adequate use of EHRs?
– Has a risk analysis been conducted?
– Is there a platform for staged implementation?

To achieve meaningful use, providers must:

– Provide and monitor privacy and security protection of confidential PHI through operating policies, procedures, and technologies
– Comply with all applicable federal and state laws and regulations
– Provide transparency of data sharing to patients

Page 9

CMS Meaningful Use Goals

• Improve quality, safety, and efficiency of health care and reduce health disparities
• Engage patients and families
• Improve care coordination
• Improve population and public health, and
• Ensure adequate privacy and security protections for personal health information

Page 10

CMS Requirements

• Healthcare providers must demonstrate by the end of 2011 (September 30th for hospitals) a 90-day contiguous meaningful use of an electronic health record (EHR) for Medicare transactions
• Either adopt, implement or upgrade an EHR for Medicaid, also within 90 days
• Hospitals can receive payments for both, but physicians only one

Page 11

Show Me the Money

Page 12

Meaningful Use Incentive Program

Medicare EHR
• Participation as early as FY 2011
• EPs may receive up to $44,000 over 5 years, plus incentive if in an HPSA
• Must begin by 2012 to get maximum
• Incentives for hospitals may begin in 2011 w/a $2 million base payment
• Medicare EPs, hospitals and CAHs who do not show meaningful use will have Medicare payments decrease beginning 2015

Medicaid EHR
• Voluntarily offered by individual states
• May begin as early as FY 2011
• EPs may receive up to $63,750 over 6 years
• Incentives for hospitals may begin in 2011
• No payment adjustment for providers who do not show meaningful use

Page 13

Meaningful Use Incentive Program: Progress to Date

Page 14

Meaningful Use Incentive Program: Progress to Date

Jan 3, 2011   Meaningful Use registration opens
Jan 5, 2011   2-physician medical group in Austin, TX received $42,500 under the Medicaid incentive program for EHR
Feb 11, 2011  >18,000 providers registered under meaningful use incentive program
              >40,000 providers have registered at 62 regional extension centers for assistance in meeting requirements
May 1, 2011   First payments will go out to qualified Medicare providers

Page 15

Navigating Meaningful Use Amidst a Changing Political Landscape

• House vote 245-189 to repeal the Patient Protection and Affordable Care Act (PPACA)
• Spending Reduction Act HR 408 would imply rescinding funding for EHR incentives
• Blumenthal’s resignation
• PPACA ruled unconstitutional in a Virginia court and then again in U.S. district court in Florida

Page 16

Keep Calm and Carry On

Page 17

Assessing Your Internal Security Program for Compliance and Long Term Success

Page 18

Meaningful Use Stage 1 Core Objective: Protect Electronic Health Information

• Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
• Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.


Page 20

Security Rule Standards

Evaluation Standard

“Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.” [§164.308(a)(8)]

Related Standards

– Security Management Process §164.308(a)(1)(i)
– Risk Analysis §164.308(a)(1)(ii)(A)
– Risk Management §164.308(a)(1)(ii)(B)
– Information System Activity Review §164.308(a)(1)(ii)(D)

Page 21

Business Associates

Covered Entity (CE): A health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a transaction covered under the HITECH Act

Business Associate (BA): Party who performs a function on behalf of a Covered Entity and has access to PHI in the performance of that function


Page 23

HIPAA/HITECH Compliance

What are the objectives of a HIPAA Risk Analysis and Security Assessments?

Compliance: a HIPAA Risk Analysis verifies compliance with the standards defined in the Security Rule of the Administrative Provisions in Title II of HIPAA.

Security: utilizes a risk-based approach to minimize the risk of a compromise of Electronic Protected Health Information (EPHI) triggering the breach notification requirements.

Page 24

PHI/PII Risk Indication

Page 25

Components of Risk

The assets (what you are trying to protect is PHI)
• You need to know where it is, how it is used, and how it is transported over the network.

The threats (what are you afraid of happening?)
• Sophisticated cybercriminals stealing account credentials, credit card records, or medical history to file false claims.
• Hackers using application attacks to gain access to database records.
• Insiders gathering inappropriate data through mis-configured access control.

The vulnerabilities (how could the threat occur?)
• Targeted social engineering attacks; malware exploiting Adobe .pdf and MS Office .doc vulnerabilities
• Application vulnerabilities (e.g., SQL injection, command injection)
• Mis-configured database access controls

Current mitigation (what is currently reducing the risk?)
• Staff
• Technology
• Processes
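The four components on this slide (assets, threats, vulnerabilities, current mitigation) are the inputs to the risk analysis that 45 CFR 164.308(a)(1) requires, and the output the regulation cares about is the list of deficiencies left over after the mitigations in place are credited. As an added illustration, not part of the Redspin deck, the following Python scores a small constructed register built from the slide's own threat/vulnerability pairs, applies the mitigations in place, and returns the entries whose residual risk exceeds a tolerance. The 1–5 scoring scale, the tolerance value, the effectiveness figures and the register entries themselves are assumptions made for the example.

```python
"""Toy HIPAA-style risk analysis register.

Added illustration (not Redspin's material): scores each
asset/threat/vulnerability entry, credits the mitigations currently
in place, and returns a prioritised list of deficiencies to correct.
All scores, effectiveness figures and entries are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Residual risk above this value is a deficiency that must be tracked
# to correction (assumed tolerance; in practice set by policy).
RISK_TOLERANCE = 8.0


@dataclass
class RiskEntry:
    asset: str            # what you are protecting (some form of PHI)
    threat: str           # what you are afraid of happening
    vulnerability: str    # how the threat could occur
    likelihood: int       # 1 (rare) .. 5 (expected)
    impact: int           # 1 (negligible) .. 5 (reportable breach, many records)
    mitigations: Dict[str, float] = field(default_factory=dict)  # name -> effectiveness 0..1

    def inherent_risk(self) -> float:
        """Risk before any control is credited."""
        return float(self.likelihood * self.impact)

    def residual_risk(self) -> float:
        """Risk left after the controls in place; controls are treated as
        independent, so each one removes its share of what remains."""
        remaining = 1.0
        for eff in self.mitigations.values():
            if not 0.0 <= eff <= 1.0:
                raise ValueError(f"effectiveness out of range: {eff}")
            remaining *= (1.0 - eff)
        return round(self.inherent_risk() * remaining, 2)


def prioritise(register: List[RiskEntry]) -> List[RiskEntry]:
    """Highest residual risk first, inherent risk as tie-breaker."""
    return sorted(register,
                  key=lambda e: (e.residual_risk(), e.inherent_risk()),
                  reverse=True)


def deficiencies(register: List[RiskEntry],
                 tolerance: float = RISK_TOLERANCE) -> List[str]:
    """Entries whose residual risk exceeds tolerance: the items the
    risk management process must schedule for correction."""
    return [f"{e.asset}: {e.threat} via {e.vulnerability} (residual {e.residual_risk()})"
            for e in prioritise(register) if e.residual_risk() > tolerance]


# Constructed register mirroring the threat/vulnerability pairs on the slide.
SAMPLE_REGISTER = [
    RiskEntry("EHR database", "application attack to reach database records",
              "SQL injection in patient portal", likelihood=4, impact=5,
              mitigations={"annual web app pen test": 0.3}),
    RiskEntry("Clinician workstations", "credential theft to file false claims",
              "malicious PDF/DOC attachments via targeted phishing",
              likelihood=5, impact=4,
              mitigations={"email filtering": 0.5, "awareness training": 0.3}),
    RiskEntry("EHR database", "insider gathering inappropriate data",
              "mis-configured database access controls", likelihood=3, impact=4,
              mitigations={"quarterly access review": 0.4, "activity logging": 0.3}),
]

if __name__ == "__main__":
    for finding in deficiencies(SAMPLE_REGISTER):
        print(finding)
```

With these constructed numbers the SQL-injection entry keeps a residual score of 14.0 and is the only item above tolerance; the phishing entry drops to 7.0 once filtering and training are credited, and the insider entry to 5.04. The point of keeping the register in code rather than a spreadsheet is that the same function can be re-run after each control change, which is what "subsequently, in response to environmental or operational changes" in the Evaluation Standard asks for.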

Page 26

Some Types of Assessments

- Controls
- Data Security
- Network Analysis
- Physical Security
- Systems Analysis
- External Pen
- Internal Pen
- Wireless Pen
- Web App
- Social Engineering

Other possible assessments:
- PCI, if credit cards
- Sarbanes-Oxley
- Gramm-Leach-Bliley

Page 27

Business Associate Compliance

Covered Entity (CE)

Business Associates (BAs):
- IT vendors
- coding vendors
- outsourced call center
- subcontractors
- insurance companies
- pharmacies
- hospitals
- physicians
- e-prescribing ecosystem
- CPOE
- radiology labs
- HIEs
- RHIOs
- ACOs
- lawyers
- CPAs
- housekeeping services
- etc. !!!

Liability:
- BAs are contractually liable to CEs for breach of BA agreement
- BAs are civilly and criminally liable to Federal government for violations

Notification:
- BA notify CE of any breach
- CE has obligation to notify patients and HHS
- If 500+ persons, notify media serving their area

Recommendations:
- Identify BAs with highest risk
- Communicate expectations to BAs
- Automate contract and BA agreement files
- Develop auditing and monitoring process
- Educate executives and key players on BAs

Page 28

HIPAA Audit Scope Attributions


Page 30

What’s New on the Security Front


Page 34

Healthcare IT: Challenges of Creating a Secure Cloud Environment

Page 35

What is Cloud Computing?

Many definitions, but key characteristics include:

• Broad Network Access
• Rapid Elasticity
• Measured Service
• On-Demand Service
• Resource Pooling

Page 36

Most Common Cloud Computing Deployment Models

Public – Available to the general public and owned by an organization selling cloud services.

Private – Operated solely for a single organization. It may be managed by the organization or a third party, and may exist on-premises or off-premises.

Community – Shared by several organizations and supports a specific community that has shared concerns. It may be managed by the organizations or a third party and may exist on-premises or off-premises.

Hybrid – A composition of two or more clouds.

Page 37

A Hybrid Model – Most Common

(Diagram courtesy of Symantec)

Page 38

Security and Compliance Challenge

What should you be worried about?

• Balancing Control vs. Trust
• Supporting Accessibility
• Protecting the Data
• Proving Your Solution is Secure

Page 39

Solution: PHI in Cloud Context

How to avoid HHS's Breach List:

• Where is the Data
• Monitor and Log Access
• Encryption in Storage and Transit
• On-going Testing Program
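"Monitor and Log Access" on this slide, and the Information System Activity Review standard (§164.308(a)(1)(ii)(D)) on the Security Rule slide, only reduce risk if someone actually reads the audit trail and has defined what "inappropriate" looks like. As an added example, not Redspin's or BIDMC's code, this Python reviews a constructed EHR access log for the insider pattern named earlier in the deck (record access outside a role's permissions, i.e. mis-configured access control), after-hours access, and one account touching more distinct patients in a day than its role normally does. The log format, the role-to-action table, the working hours and the daily baselines are all assumptions made for illustration; a real review would take them from the EHR's access policy and the entity's own historical data.

```python
"""Information system activity review over a PHI access audit trail.

Added illustration (not Redspin's or BIDMC's material): parses
constructed audit log lines from a hypothetical EHR and flags the
patterns a reviewer looks for. Log format, role permissions, hours
and baselines are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample audit trail: timestamp user role patient_id action
SAMPLE_LOG = """\
2011-02-14T09:02:11 dr_alvarez physician P1001 read_chart
2011-02-14T09:10:45 dr_alvarez physician P1002 read_chart
2011-02-14T09:31:03 rn_chen nurse P1001 update_vitals
2011-02-14T12:15:20 billing_kim billing P1001 view_claims
2011-02-14T12:16:02 billing_kim billing P1001 read_chart
2011-02-14T23:41:57 it_ops admin P1003 read_chart
2011-02-15T08:00:10 rn_chen nurse P1004 read_chart
2011-02-15T08:00:31 rn_chen nurse P1005 read_chart
2011-02-15T08:00:52 rn_chen nurse P1006 read_chart
2011-02-15T08:01:14 rn_chen nurse P1007 read_chart
2011-02-15T08:01:35 rn_chen nurse P1008 read_chart
2011-02-15T08:01:58 rn_chen nurse P1009 read_chart
"""

# Assumed access policy: actions each role may perform on a record.
# Anything outside this table is the "mis-configured access control"
# case from the Components of Risk slide.
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "physician": {"read_chart", "update_chart", "e_prescribe"},
    "nurse": {"read_chart", "update_vitals"},
    "billing": {"view_claims"},
    "admin": set(),   # system administrators get no clinical record access
}
# Assumed baseline: distinct patients per user per day before it is unusual.
DAILY_PATIENT_BASELINE: Dict[str, int] = {
    "physician": 40, "nurse": 5, "billing": 100, "admin": 0,
}
WORK_HOURS = range(7, 20)   # 07:00 to 19:59 local time, assumed


def parse_line(line: str) -> Tuple[datetime, str, str, str, str]:
    """Split one space-separated audit line into its five fields."""
    ts, user, role, patient, action = line.split()
    return datetime.fromisoformat(ts), user, role, patient, action


def review_activity(log_text: str) -> List[str]:
    """Return one finding per anomaly: per-event findings in log order,
    then per-day volume findings sorted by (day, user)."""
    findings: List[str] = []
    # (day, user, role) -> set of distinct patient ids touched that day
    per_day: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, role, patient, action = parse_line(raw)
        if action not in ROLE_ACTIONS.get(role, set()):
            findings.append(
                f"ROLE_VIOLATION {ts.isoformat()} {user} ({role}) did {action} on {patient}")
        if ts.hour not in WORK_HOURS:
            findings.append(
                f"AFTER_HOURS {ts.isoformat()} {user} ({role}) {action} on {patient}")
        per_day[(ts.date().isoformat(), user, role)].add(patient)

    for (day, user, role), patients in sorted(per_day.items()):
        if len(patients) > DAILY_PATIENT_BASELINE.get(role, 0):
            findings.append(
                f"VOLUME {day} {user} ({role}) accessed {len(patients)} distinct patients")
    return findings


if __name__ == "__main__":
    for finding in review_activity(SAMPLE_LOG):
        print(finding)
```

On the constructed log the review produces five findings: the billing account reading a chart, the admin account reading a chart (which also trips the after-hours and the zero-patient-baseline checks), and the nurse account opening six distinct charts in two minutes on the second day. The physician's activity produces nothing, which is the property a reviewer wants: the baselines must be set from normal clinical workload so that the report stays short enough to be read every time it is run.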

Page 40

CASE STUDY: Beth Israel Deaconess Medical Center

Page 41

Profile

• Teaching hospital of Harvard Medical School
• >750,000 patient visits annually (Boston area)
• 631 licensed beds, including 429 medical / surgical beds, 77 critical care beds and 60 OB/GYN beds
• Approximately 5,000 births a year
• A full range of ER services including a Level 1 Trauma Center and roof-top heliport
• Medical provider to Boston Red Sox

Source: http://www.bidmc.org/AboutBIDMC/StatsandFacts.aspx

Page 42

The Middle of the Story - Today

• Beth Israel Deaconess Medical Center (BIDMC) is first hospital nationally to meet new federal electronic health record requirements with its own software (January 26, 2011)
• Technology supports all quality, safety and efficiency goals spelled out in the American Recovery and Reinvestment Act (ARRA)

Source: http://www.bidmc.org/News/AroundBIDMC/2011/January/Meaningfuluse.aspx

Page 43

The Beginning of the Story

• 2+ years ago
• Part of an eClinicalWorks LLC electronic health record (EHR) deployment to roughly 200 affiliated ambulatory physicians. Will be 350 by year end.
• BIDMC virtualized servers on VMware
• One at a time, one virtual server -- including the EHR software integrated with a practice management app and billing system -- was deployed to each practice.

Source: http://searchhealthit.techtarget.com/tip/How-virtualization-implementation-catalyzes-private-cloud-growth (Jan 10, 2011)

Page 44

The Result

• Beth Israel Deaconess realized it inadvertently had built the first -- or one of the first -- private clouds
• Scalable, doesn't require a huge hardware outlay or data center footprint at the start
• BIDMC has many attributes that are attractive to other health care networks looking for a model to crib their own EHR infrastructure.

Source: http://searchhealthit.techtarget.com/tip/How-virtualization-implementation-catalyzes-private-cloud-growth (Jan 10, 2011)

Page 45

In Their Own Words

“We didn't go into this thinking, 'Hey, let's build a cloud.' It was, 'We want a subscription-type service in which physicians could get rid of their homegrown technology and tap into Beth Israel Deaconess' infrastructure with only an Internet connection and their desktop machines.'”

- Bill Gillis, BIDMC eHealth Technical Director

Source: http://searchhealthit.techtarget.com/tip/How-virtualization-implementation-catalyzes-private-cloud-growth (Jan 10, 2011)

Page 46

In Their Own Words

“It's probably the most complex clinical health information thing I've ever tried to achieve -- more complex than building this cloud. There are so many moving parts, so many pieces that need to work and flow. It is challenging.”

- Bill Gillis, BIDMC eHealth Technical Director

Source: http://searchhealthit.techtarget.com/tip/How-virtualization-implementation-catalyzes-private-cloud-growth (Jan 10, 2011)

Page 47

The Future at BIDMC

• First step - Let physicians within its private cloud exchange data.
• Extend Hospital network's HIE project to other area hospitals and later to the whole country.
• Deploy virtual desktops in a hardware-agnostic way so physicians could manage apps from their laptops, tablets and smart phones.
• Interoperability combining data from various proprietary systems into a patient-accessible EHR.

Source: http://searchhealthit.techtarget.com/tip/How-virtualization-implementation-catalyzes-private-cloud-growth (Jan 10, 2011)

Page 48

http://www.redspin.com/resources/healthcare/index.php

Page 49

Appendix

Page 50

New Enforcement Efforts and Priorities

HHS made changes to the HIPAA regulations to conform the enforcement component of the regulations to the statutory revisions made pursuant to the HITECH Act.

• Civil Monetary Penalties
• Violations categorized
• Tiered ranges of civil money penalty amounts

Page 51

Penalties – Per Calendar Year

• Person did not know (and by exercising reasonable due diligence would not have known): $100 - $50K/violation, not to exceed $25K - $1.5MM
• Violation due to reasonable cause and not to willful neglect: $1,000 - $50K/violation, not to exceed $100K - $1.5MM
• Due to willful neglect and violation was corrected: $10K - $50K/violation, not to exceed $250K - $1.5MM
• Due to willful neglect and violation was not corrected: At least $50K/violation, not to exceed $1.5MM
