Privacy & Security Process and Tools Overview
Scott C Pettigrew, Practice Consultant

The Approach

Prepare: Gather the knowledge, organizational information, and expertise to successfully perform a Privacy & Security audit.
Gather Knowledge
• Research
  • Am I a Covered Entity (CE)?
  • How do the Privacy & Security rules affect your organization?
  • What are the possible implications if a breach occurs?
• Perform Site Inventory
  • What technology is used in your practice?
  • Do these items transmit, process, or store EPHI (electronic protected health information)?
• Do you have a set of relevant policies and procedures?
  • Where are they located?
  • When were they last updated?
  • When did you last review them with your staff?
Assemble Your Team
Internal Resources
• Who are your designated Privacy/Security Officers?
• Who in your organization has the most knowledge about technology and how it's used?
External Resources
• IT Vendor
• Parent or Affiliate Organization IT Security Staff
• EHR Vendor
• Regional Extension Center
• Security Organizations
Tools: Preparation
• REC-Provided Document: Privacy & Security Preparation: Necessary Resources
Tools: Preparation
• ONC-Provided Document: HIT Security Risk Assessment Questionnaire: Inventory Assets (Preparation)
  http://www.healthit.gov/providers-professionals/core-measure-15
Soapbox: Encryption
• Lost/stolen devices are a major cause of reported security breaches!
• How would you prove what patient records were on a missing device? (Hint: if you don't keep a device inventory and do daily backups, this is nearly impossible!)
• Under the HIPAA Breach Notification Rule only "unsecured" PHI triggers notification. PHI encrypted consistently with HHS guidance (which references NIST encryption standards) counts as secured, so an encrypted device whose recovery key is held elsewhere is the difference between a lost laptop and a reportable breach.
Soapbox: Encryption
• Encryption is not necessarily expensive!
• Free alternatives:
  • PC: Microsoft EFS (per-file, does not cover the whole disk), BitLocker (full-disk, not available in Home editions), TrueCrypt
  • Apple OS X: FileVault, TrueCrypt
• Caveat: TrueCrypt development ended in 2014 and it is no longer maintained; pick a maintained full-disk product instead.
• Whatever the tool, store the recovery key somewhere other than the device, and confirm that encryption has actually finished and is switched on before logging the device as encrypted.
Tools: Preparation
• REC-Provided Document: Computer & Mobile Technology Encryption Log
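The Encryption Log is only as good as the status it records. The script below is an added example, not part of the deck or the REC toolkit: it classifies a device's full-disk encryption state from the output of each platform's own status tool (`fdesetup status` on OS X, `manage-bde -status` on Windows, `lsblk` on Linux) and emits one row for the log. It deliberately separates "encrypted" from "suspended" (BitLocker fully encrypted but protection off, a state that offers no protection if the device is lost) and from "in-progress". The four-column CSV layout is an assumption, the Linux check is a heuristic, and the Windows output is expected to be captured separately and passed in, since the script itself runs in sh.

```shell
#!/bin/sh
# Added example (not from the deck or the REC): classify a device's full-disk
# encryption state from the output of the platform's own status tool, then
# emit one CSV row for an encryption log. The strings matched below are the
# ones printed by `fdesetup status` (macOS), `manage-bde -status` (Windows)
# and `lsblk -o NAME,TYPE,MOUNTPOINT` (Linux); the CSV layout is an assumption.

# classify_fde PLATFORM TOOL_OUTPUT
# Prints exactly one of: encrypted, suspended, in-progress, unencrypted, unknown
classify_fde() {
  platform="$1"
  output="$2"
  case "$platform" in
    darwin)
      # fdesetup prints "FileVault is On." / "FileVault is Off."; during
      # conversion it adds "Encryption in progress: Percent completed = N".
      case "$output" in
        *"in progress"*)      echo in-progress ;;
        *"FileVault is On"*)  echo encrypted ;;
        *"FileVault is Off"*) echo unencrypted ;;
        *)                    echo unknown ;;
      esac ;;
    windows)
      # manage-bde reports a Conversion Status and, separately, a Protection
      # Status. "Fully Encrypted" + "Protection Off" means BitLocker is
      # suspended: the volume key sits on disk in the clear, so a device in
      # that state offers no protection if lost. Treat it as a finding.
      case "$output" in
        *"Encryption in Progress"*) echo in-progress ;;
        *"Fully Encrypted"*)
          case "$output" in
            *"Protection On"*) echo encrypted ;;
            *)                 echo suspended ;;
          esac ;;
        *"Fully Decrypted"*)        echo unencrypted ;;
        *)                          echo unknown ;;
      esac ;;
    linux)
      # A TYPE of "crypt" in lsblk output is a dm-crypt/LUKS mapping. This is
      # a heuristic: it shows that some volume is encrypted, not that the
      # volume holding EPHI is. Check the MOUNTPOINT column by hand for that.
      case "$output" in
        *" crypt"*) echo encrypted ;;
        "")         echo unknown ;;
        *)          echo unencrypted ;;
      esac ;;
    *) echo unknown ;;
  esac
}

# log_entry DATE HOST PLATFORM TOOL_OUTPUT -> "date,host,platform,state"
log_entry() {
  printf '%s,%s,%s,%s\n' "$1" "$2" "$3" "$(classify_fde "$3" "$4")"
}

# collect_output: run this host's status tool (needs root/admin rights).
# Windows output must be captured separately, e.g. `manage-bde -status C: > bde.txt`,
# and fed to log_entry from that file.
collect_output() {
  case "$(uname -s 2>/dev/null)" in
    Darwin) fdesetup status 2>/dev/null || true ;;
    Linux)  lsblk -o NAME,TYPE,MOUNTPOINT 2>/dev/null || true ;;
    *)      printf '' ;;
  esac
}

# Constructed sample outputs (abridged) for exercising the classifier offline.
SAMPLE_FILEVAULT_ON='FileVault is On.'
SAMPLE_FILEVAULT_CONVERTING='FileVault is On.
Encryption in progress: Percent completed = 42'
SAMPLE_BDE_SUSPENDED='Volume C: [OSDisk]
[OS Volume]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off'
SAMPLE_BDE_OK='Volume C: [OSDisk]
[OS Volume]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On'
SAMPLE_LSBLK_LUKS='NAME            TYPE  MOUNTPOINT
sda             disk
|-sda1          part  /boot
`-sda2          part
  `-luks-1f2e   crypt /'
SAMPLE_LSBLK_PLAIN='NAME   TYPE  MOUNTPOINT
sda    disk
`-sda1 part  /'

# Run with --run to log this host; with no arguments only the functions are defined.
if [ "${1:-}" = "--run" ]; then
  log_entry "$(date +%F)" "$(hostname)" \
    "$(uname -s | tr '[:upper:]' '[:lower:]')" "$(collect_output)"
fi
```

Run it as `sh fde_log.sh --run >> encryption_log.csv` on each Mac or Linux machine; for Windows machines, capture `manage-bde -status C:` to a file and call `log_entry` with its contents. Any row whose state is not `encrypted` belongs on the Identified Vulnerability Action Plan.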
Identify: Assess each functional area and technology resource where EPHI is processed, stored, or transmitted to find areas of vulnerability.
Tools: Identification
• Facility Walkthrough
Tools: Identification
• Risk Assessment Questionnaire: Screening Questions (Step 1)
Prioritize: Examine each possible vulnerability, honestly rating the effectiveness of the current controls, the likelihood of a breach, and the impact a breach would have.
Tools: Prioritization
• Risk Assessment Questionnaire: People & Processes (Step 2a)
Tools: Prioritization
• Risk Assessment Questionnaire: Technology (Step 2b)
Mitigate: For each identified area of vulnerability, maximize the effectiveness of existing controls, and minimize both the possibility of a breach and the extent of damage should an unavoidable breach take place.
Tools: Mitigation
• Risk Assessment Questionnaire: Findings – Remediation (Step 3)
Tools: Mitigation
• REC-Provided Document: Identified Vulnerability Action Plan
Prepare: Continue to gather the knowledge, organizational information, and expertise to successfully review and update your Privacy & Security audit on a yearly basis.
Prepare Now In Case of Audit!
• CMS recommends the following documentation be retained:
  Source: http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/EHR_SupportingDocumentation_Audits.pdf
Tools: Preparation
• REC-Provided Document: Policy Review Log
Contact Us!
• Visit us online at www.tristaterec.org
• Email us at rec@healthbridge.org
• Call us at 513-469-7222, ext. 3
• Follow us on Twitter: @HealthBridgeHIO
• Like us on Facebook: www.facebook.com/pages/Cincinnati-OH/HealthBridge/128672340540952