Meaningful Use Core Measures

Protect Electronic Health Information

Chris Erdle

Senior Information Systems Security Officer

Alaska Native Tribal Health Consortium

Protect electronic health information created or maintained by the certified electronic health record (EHR) technology through the implementation of appropriate technical capabilities.

• Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1); and

• Implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

To meet this measure eligible hospitals, critical access hospitals (CAH), and professionals must:

• Attest YES to having conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1)

• Implement security updates as necessary

• Correct identified security deficiencies prior to or during the EHR reporting period.

Eligible hospitals, CAHs, and professionals must:

• Conduct or review a security risk analysis of certified EHR technology

• Implement updates as necessary at least once prior to the end of the EHR reporting period

• Attest to that conduct or review

• Testing could occur prior to the beginning of the first EHR reporting period

• A new review would have to occur for each subsequent reporting period

• A security update would be required if any security deficiencies were identified during the risk analysis

• A security update could be:

◦ updated software for certified EHR technology, to be implemented as soon as available

◦ changes in workflow processes or storage methods

◦ other necessary corrective action that needs to take place in order to eliminate the security deficiency or deficiencies identified in the risk analysis

Source: CMS.gov website, EHR Incentive Programs, Eligible Hospitals, CAHs, and Professionals Meaningful Use Core Measures

• NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems

• NIST Special Publication 800-39: Integrated Enterprise-Wide Risk Management

• NIST Special Publication 800-137: Information Security Continuous Monitoring for Federal Information Systems and Organizations

• NIST Special Publication 800-37 Revision 1: Guide for Applying the Risk Management Framework to Federal Information Systems

• NIST Special Publication 800-66 Revision 1: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

• ISO/IEC 27005: Information Security Risk Management

• ISACA Risk IT Framework