Introduction and Welcome:

Nancie McAnaugh, MSWCenter for Health PolicyMO HIT Assistance Center

Presenter:

Rebecca Thurmond FowlerSystem Security Analyst-PrincipalUniversity of Missouri Division of Information Technology

EHR Privacy & Security

MO HIT Assistance CenterMissouri’s Federally-designated Regional Extension Center

University of Missouri: Department of Health Management and Informatics Center for Health Policy Department of Family and Community Medicine Missouri School of Journalism

Partners: EHR Pathway Hospital Industry Data Institute (Critical Access Hospitals) Missouri Primary Care Association Missouri Telehealth Network Primaris

Assist Missouri's health care providers in using electronic health records to improve the access and quality of health services; to reduce inefficiencies and avoidable costs; and to optimize the health outcomes of Missourians

Vision

For providers who do not have a certified EHR system - We help you choose and implement one in your office

For providers who already have a system - We help eligible providers meet the Medicare or Medicaid criteria for incentive payments

4

What is our role?

Cerner and the University of Missouri Health System have an independent strategic alliance to provide unique support for the Tiger Institute for Health Innovation, a collaborative venture to promote innovative health care solutions to drive down cost and dramatically increase quality of care for the state of Missouri. The Missouri Health Information Technology Assistance Center at the University of Missouri, however, is vendor neutral in its support of the adoption and implementation of EMRs by health care providers in Missouri as they move toward meaningful use.

Disclosures

This regional extension center is funded through an award from the Office of the National Coordinator for Health Information Technology, Department of Health and Human Services Award Number 90RC0039/01

Information Security Risk Assessment Process

Becky Thurmond FowlerSystem Security Analyst –Principal

Division of IT, University of Missouri

Agenda

Introduction

Risk Assessment Process

Risk Assessment Cheat Sheet

Moving Forward…

Questions?

Why Are We Doing This?

Increased focus on security & privacy in society

Federal and state laws and regulations

Heard of a little thing called HIPAA?

HIPAA

Covered Entities (CE’s) and Business Associates of CE’s must comply with the HIPAA Security Rule, including:

◦Due diligence◦Good business practices◦Analysis of risk◦Creation of appropriate safeguards◦Documentation

The Process – An Overview

1. Identify key relevant systems2. Conduct a risk assessment3. Implement a risk management program4. Acquire IT systems and services as

necessary5. Create and deploy policies and procedures6. Develop and implement a sanction policy7. Develop and deploy the information

system activity review process

Risk Assessment Process

Identify key relevant systems

◦Categorize the sensitivity of the data

◦Which information systems are involved?

◦Perform inventory – who owns?

◦Configuration management and documentation

Risk Assessment Process

Conduct a risk assessment◦Variety of checklists and procedures to help you

through the process

◦Document what you’re doing, do what you’re documenting!

◦Answers to questions raised in your risk assessment can help you determine where your data is vulnerable

Risk Assessment Cheat Sheet

Section 1: Organizational Information

◦Definition of Personally Identifiable Information (PII)

What kind of PII does your organization have, and what do you do with it?

Risk Assessment Cheat Sheet

Section II: Access to Work Area

Objective: To control unauthorized access to work areas where confidential or sensitive information is held or utilized

Risk Assessment Cheat Sheet

Section III: Access to Work Equipment/Information/Materials

Objective: To control unauthorized access to confidential or sensitive materials and work equipment

Risk Assessment Cheat Sheet

Section IV: Information Systems Security & Access

Objective: To appropriately manage confidential and sensitive electronic files and IT resources

Risk Assessment Cheat Sheet

Section IV: (continued)

◦This section will require close work with your Information Technology folks. Technical reviews Application and server level controls Networking Disaster Recovery and Business Continuity

Risk Assessment Cheat Sheet

Section V: Access to Waste Materials

Objective: To ensure paper and electronic files and media are properly destroyed when appropriate

Risk Assessment Cheat Sheet

Section VI: Organizational Procedures & Employee Training

Objective: To set expectations and raise awareness among employees who handle confidential and sensitive information

Risk Assessment Process

Implement Risk Management program

◦Thoughtfully choose security measures to reduce risks.

◦Qualitative vs. quantitative

Looking to:◦Reduce risk◦Transfer risk◦Accept risk◦Avoid risk

Risk Assessment Process

Acquire IT systems and services as necessary

◦Security isn’t free!

What is your desired end result?

Risk Assessment Process

Create and deploy policies and procedures

Develop and implement a sanction policy

Develop and deploy the information system activity review process (rinse & repeat)

Q & A

Questions?

Thank you!

If you do not wish to ask a question, please press * 6 to mute your phone.

Your Phone Line is Now Open!

Meaningful Use & Physician Quality Reporting System (PQRS)Wednesday, November 9th

Presenter:

Sandra PogonesProgram Manager

Primaris

Upcoming Webinars:

Contact MO HIT Assistance Center for details and pricing

MO HIT Assistance Center Now Serves

Large Practices & Specialists

Website: http://ehrhelp.missouri.edu

E-Mail:◦ EHRhelp@missouri.edu

Phone:◦ 1-877-882-9933

For More Information: