Consulting
Risk Analysis for Meaningful Use
2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.
Meaningful Use Overview
Vision & Goals
Vision: Enable improvements in population health through a transformed health care delivery system
Goals:
Quality, safety and efficiency
Engaging patients and their families
Care coordination
Population and public health
Privacy and security protections
Meaningful Use Security and Privacy: Objectives and Measures
Best Practices for Achieving the Goal of Meaningful Use
Review existing governance of privacy and security programs
Help implement security governance processes
Include privacy and security as primary components of the organization's strategic planning process
Enhance internal controls for compliance with privacy and security requirements (HIPAA and other federal and state regulations)
Conduct regular evaluations and audits of compliance with HIPAA and the new requirements included in HITECH (e.g., breach notification, accounting of disclosures, sale of PHI for marketing and fundraising). Understand the gaps and prioritize improvement efforts
Develop an ongoing and documented process for evaluating the privacy and security programs. This is not a one-time process, but rather a regular recurring assessment that considers changes in the environment and regulatory requirements.
Include privacy and security risk assessment in the enterprise-wide risk assessment and management (EWRA) processes
Develop new and enhanced training programs in privacy and security for management, board, staff and all those considered to be part of the organization's workforce (e.g., medical students, residents, fellows, volunteers, contractors, etc.).
Meeting New Requirements for Privacy/Security
What is Involved
Despite 10 years since the passage of HIPAA:
Nearly weekly news reports of lax security practices involving sensitive patient information
The public and regulators receive these constant reminders that more protection is needed
[Chart: Common HIPAA Violations Found in Compliance Audits in 2008; category shown: HIPAA Security Policies and Procedures]
Meeting New Requirements for Privacy/Security
Getting There
Conduct a security risk assessment and develop and implement a remediation plan ASAP
Follow all CMS recommendations/requirements
Include elements of the National Privacy and Security Framework
Cover all of the new systems, system upgrades and physical relocations of IT assets for meaningful use
Lax practices are typically a bigger threat than hackers
Do not wait until 2015 to move data from the desktop and incorporate encryption in data management
More patient data online = more responsibility to ramp up the protections that technology can afford
Incorporate as part of the roll-out for meaningful use
Critical for device selection and the user transition
HITECH encourages hospitals to participate in HIE of patient data
Your responsibility travels with your data after it crosses your corporate boundaries
AT&T Security Consulting Meaningful Use Risk Assessments
[Process diagram, reconstructed from the slide text]
Project Initiation
Information Gathering & Analyses:
Staff Interviews & Documentation Review
Governance, Policy, Management, & Risk Tolerance
Business Drivers
Security & Privacy Requirements
Information & Technology Environment Discovery
ePHI Mapping & Supporting Business Processes
Regulatory Requirements
Technical Vulnerability Testing / Results
Review:
Objectives & Controls Assessment
Risk / Gap Analysis
Reporting:
Report
Management Presentation
Assessment Scope
Risk Analysis Methodology
[Methodology diagram; elements recovered from the slide text]
Threats
Threats-From Determination
Vulnerability Determination
Exposures
General IT Control Determination
Threats-To Determination
Risk Determination
Likelihood
Likely Attacks & Attack Vectors
Risk Analysis Methodology
Compute Residual Risk
HIPAA / HITECH / Meaningful Use Risk Assessment
Value / Scope
Scope and Pricing Considerations
Scoping Factors
Type (e.g., Health Plan, Medical Facility/Hospital, Pharmacy, Third Party Processor) and size of the organization (e.g., hospitals can be measured by number of beds)
Geographical Factors: State, Multi-state, Offshore
System Factors: Quantity and types of devices, systems and applications that store, process or transmit PHI
Additional risk factors, such as whether the in-scope systems are Internet-accessible or accessible by third parties, and whether business partner connections and mobile devices are used in the environment
Security Program Maturity
Meaningful Use Risk Analysis
Requirement: Conduct or review a security risk analysis, remediate identified risks, as appropriate, and continually improve controls
Certification Letter: This one-page summary report will present the AT&T Consulting test scope of the risk analysis and summary findings in a manner that can be presented to third parties.
Logo: You will be granted certification and will be given the use of the AT&T SureSealSM logo to be used on your website for a one-year period.
Sample Certification Customer Logo Display
You can display the logo on your website and other official materials for a one-year period