Privacy and Security Tiger Team Meeting Recommendations regarding a framework of security protections for EHRs December 7, 2011.

Tiger Team Members
Deven McGraw, Chair, Center for Democracy & Technology
Paul Egerman, Co-Chair
Dixie Baker, SAIC
Dan Callahan, Social Security Administration
Neil Calman, Institute for Family Health
Carol Diamond, Markle Foundation
Judy Faulkner, Epic
Leslie Francis, University of Utah; NCVHS
Gayle Harrell, Consumer Representative/Florida
John Houston, University of Pittsburgh Medical Center
Alice Leiter, National Partnership for Women & Families
David McCallie, Cerner Corp.
Wes Rishel, Gartner
Latanya Sweeney, Carnegie Mellon University
Micky Tripathi, Massachusetts eHealth Collaborative
Joy Pritts, ONC
Deborah Lafky, OCR
Kevin Stine, NIST
Verne Rinker, OCR

Goal of Today’s Discussion
– Briefly describe the security rule “gap analysis” performed by ONC and NIST comparing the HIPAA Security Rule with other common information security frameworks
– Present recommendations on EHR security

Background
ONC staff, with the assistance of NIST, performed an analysis comparing the HIPAA Security Rule to other commonly used security frameworks.
– Essentially this involved mapping the requirements and addressable specifications in the HIPAA Security Rule to the security controls in other frameworks.

What Are Security Frameworks?
– Organized taxonomies of security controls
– Grouped into logically related families
– May be open standards or proprietary
The HIPAA Security Rule was published prior to the current versions of the security frameworks in common use today. Today’s common frameworks evolved from earlier efforts; there was rapid evolution in the 1990s. In the view of the ONC and NIST staff performing this work, the HIPAA Security Rule has not evolved in step with the others.

Common Security Frameworks
– HIPAA Security Rule
– ISO
– FISMA (Federal Information Security Management Act)
  – NIST SP
– PCI DSS
– COBIT
– HITRUST
  – A synthesis of multiple frameworks
ONC focused in particular on ISO and FISMA.

Overall results of FISMA analysis – Comparison Table
NIST SP Revision 3 security control families; “HSR” is the HIPAA Security Rule.

Security Control Family                                  Total Controls in Family   Total Controls Mapped to HSR   Percentage
Access Control (AC)                                      16                         10                             63%
Awareness & Training (AT)                                4                          4                              100%
Audit & Accountability (AU)                              12                         9                              75%
Certification, Accreditation, and Security Assessments (CA)  6                      5                              83%
Configuration Management (CM)                            9                          6                              67%
Contingency Planning (CP)                                9                          9                              100%
Identification & Authentication (IA)                     8                          8                              100%
Incident Response (IR)                                   8                          8                              100%
Maintenance (MA)                                         6                          5                              83%
Media Protection (MP)                                    6                          6                              100%
Physical & Environmental Protection (PE)                 18                         10                             56%
Planning (PL)                                            5                          5                              100%
Personnel Security (PS)                                  8                          8                              100%
Risk Assessment (RA)                                     4                          4                              100%
System & Services Acquisition (SA)                       13                         3                              23%
System & Communications Protection (SC)                  22                         8                              36%
System & Information Integrity (SI)                      12                         7                              58%
Program Management (PM)                                  11                         2                              18%
Summary

This analysis was presented to the Tiger Team
ONC/NIST have determined that gaps exist between the HIPAA Security Rule and other commonly used security frameworks like FISMA. A detailed analysis of the specific gaps, and coming up with recommendations to address specific security areas, is beyond the expertise of the Tiger Team and the Policy Committee. However, the Tiger Team did believe there were some high-level recommendations on security policy that were worth presenting to the Policy Committee.

Recommendations (slide 1)
1. Security policy for entities collecting, storing and sharing electronic health information (both HIPAA covered entities and business associates) needs to be responsive to innovation and changes in the marketplace.
2. Security policy needs to be flexible and scalable, given the difference in size and resources of entities covered by HHS rules and programs; at the same time, a solid baseline of security policies needs to be established and consistently implemented (e.g., there must be a floor of policies that apply to all). Note: this is currently the general approach of the HIPAA Security Rule.

Recommendations (2)
3. Providers need education and guidance on how to comply with security policy requirements.
   a. The Office for Civil Rights is required by HITECH to issue annual guidance on compliance with the HIPAA Security Rule, and since enactment of HITECH in 2009 it has issued guidance on how to complete a security risk analysis. This guidance is helpful for all entities covered by HIPAA (in particular those needing to do a risk assessment to qualify for Stage 1 of meaningful use). It can also serve as a good foundation for the development of more guidance on policy and countermeasures (business practices) for effectively managing identified risks.
   b. Guidance should provide specific examples of policies and measures providers can implement to counter identified risks.
   c. It’s not clear how many providers know of the existence of this guidance. HHS needs to better educate providers about these resources (for example, through the RECs, professional societies and direct mail).

Recommendations (3)
4. HHS also should have a consistent and dynamic process for updating security policies and for the rapid dissemination of new rules and guidance to all affected parties. HHS should begin by evaluating the gap analysis performed by ONC and NIST in more detail.