Chris Erdle
Senior Information Systems Security Officer
Alaska Native Tribal Health Consortium
Protect electronic health information created or maintained by the certified electronic health record (EHR) technology through the implementation of appropriate technical capabilities.
• Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1); and
• Implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
To meet this measure, eligible hospitals, critical access hospitals (CAHs), and professionals must:
• Attest YES to having conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1)
• Implement security updates as necessary
• Correct identified security deficiencies prior to or during the EHR reporting period
Eligible hospitals, CAHs, and professionals must:
• Conduct or review a security risk analysis of certified EHR technology
• Implement updates as necessary at least once prior to the end of the EHR reporting period
• Attest to that conduct or review
• Testing could occur prior to the beginning of the first EHR reporting period
• A new review would have to occur for each subsequent reporting period
• A security update would be required if any security deficiencies were identified during the risk analysis
• A security update could be:
◦ updated software for certified EHR technology, to be implemented as soon as available
◦ changes in workflow processes or storage methods
◦ other necessary corrective action that needs to take place in order to eliminate the security deficiency or deficiencies identified in the risk analysis
Source: CMS.gov website, EHR Incentive Programs, Eligible Hospitals, CAHs, and Professionals Meaningful Use Core Measures
• NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems
• NIST Special Publication 800-39: Integrated Enterprise-Wide Risk Management
• NIST Special Publication 800-137: Information Security Continuous Monitoring for Federal Information Systems and Organizations
• NIST Special Publication 800-37 Revision 1: Guide for Applying the Risk Management Framework to Federal Information Systems
• NIST Special Publication 800-66 Revision 1: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
• ISO/IEC 27005: Information Security Risk Management
• ISACA Risk IT Framework