Presentation on theme: "EHR Privacy & Security. Missouri’s Federally-designated Regional Extension Center University of Missouri: Department of Health Management and Informatics."— Presentation transcript:
Missouri’s Federally-designated Regional Extension Center University of Missouri: Department of Health Management and Informatics Center for Health Policy Department of Family and Community Medicine Missouri School of Journalism Partners: EHR Pathway Hospital Industry Data Institute (Critical Access Hospitals) Missouri Primary Care Association Missouri Telehealth Network Primaris
Assist Missouri's health care providers in using electronic health records to improve the access and quality of health services; to reduce inefficiencies and avoidable costs; and to optimize the health outcomes of Missourians
For providers who do not have a certified EHR system - We help you choose and implement one in your office For providers who already have a system - We help eligible providers meet the Medicare or Medicaid criteria for incentive payments 4
Cerner and the University of Missouri Health System have an independent strategic alliance to provide unique support for the Tiger Institute for Health Innovation, a collaborative venture to promote innovative health care solutions to drive down cost and dramatically increase quality of care for the state of Missouri. The Missouri Health Information Technology Assistance Center at the University of Missouri, however, is vendor neutral in its support of the adoption and implementation of EMRs by health care providers in Missouri as they move toward meaningful use. This regional extension center is funded through an award from the Office of the National Coordinator for Health Information Technology, Department of Health and Human Services Award Number 90RC0039/01
Information Security Risk Assessment Process Becky Thurmond Fowler System Security Analyst –Principal Division of IT, University of Missouri
Why Are We Doing This? Increased focus on security & privacy in society Federal and state laws and regulations Heard of a little thing called HIPAA?
HIPAA Covered Entities (CE’s) and Business Associates of CE’s must comply with the HIPAA Security Rule, including: ◦Due diligence ◦Good business practices ◦Analysis of risk ◦Creation of appropriate safeguards ◦Documentation
The Process – An Overview 1. Identify key relevant systems 2. Conduct a risk assessment 3. Implement a risk management program 4. Acquire IT systems and services as necessary 5. Create and deploy policies and procedures 6. Develop and implement a sanction policy 7. Develop and deploy the information system activity review process
Risk Assessment Process Identify key relevant systems ◦Categorize the sensitivity of the data ◦Which information systems are involved? ◦Perform inventory – who owns? ◦Configuration management and documentation
Risk Assessment Process Conduct a risk assessment ◦Variety of checklists and procedures to help you through the process ◦Document what you’re doing, do what you’re documenting! ◦Answers to questions raised in your risk assessment can help you determine where your data is vulnerable
Risk Assessment Cheat Sheet Section 1: Organizational Information ◦Definition of Personally Identifiable Information (PII) What kind of PII does your organization have, and what do you do with it?
Risk Assessment Cheat Sheet Section II: Access to Work Area Objective: To control unauthorized access to work areas where confidential or sensitive information is held or utilized
Risk Assessment Cheat Sheet Section III: Access to Work Equipment/Information/Materials Objective: To control unauthorized access to confidential or sensitive materials and work equipment
Risk Assessment Cheat Sheet Section IV: Information Systems Security & Access Objective: To appropriately manage confidential and sensitive electronic files and IT resources
Risk Assessment Cheat Sheet Section IV: (continued) ◦This section will require close work with your Information Technology folks. Technical reviews Application and server level controls Networking Disaster Recovery and Business Continuity
Risk Assessment Cheat Sheet Section V: Access to Waste Materials Objective: To ensure paper and electronic files and media are properly destroyed when appropriate
Risk Assessment Cheat Sheet Section VI: Organizational Procedures & Employee Training Objective: To set expectations and raise awareness among employees who handle confidential and sensitive information
Risk Assessment Process Implement Risk Management program ◦Thoughtfully choose security measures to reduce risks. ◦Qualitative vs. quantitative Looking to: ◦Reduce risk ◦Transfer risk ◦Accept risk ◦Avoid risk
Risk Assessment Process Acquire IT systems and services as necessary ◦Security isn’t free! What is your desired end result?
Risk Assessment Process Create and deploy policies and procedures Develop and implement a sanction policy Develop and deploy the information system activity review process (rinse & repeat)