Keeping healthcare data safe

If an intruder gains access to the network, they are most of the way in to the electronic record software.

The new CMS Stage 2 / Stage 3 rule published on October 16, 2015 includes some wording adjustments to the Privacy and Security Objective that are significant. The Measure is as follows:

Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI created or maintained by CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the [EP’s or eligible hospital’s or CAH’s] risk management process.

The revised objective clarifies that the annual risk analysis required by meaningful use is narrower in scope than a comprehensive HIPAA Security Risk Analysis. The risk analysis required by the HIPAA Security Rule must address all ePHI, not merely the data in the CEHRT, that is, the Certified Electronic Health Record Technology.

In addition to their electronic record systems, hospitals will often utilize separate Revenue Cycle Management, EDI clearinghouse interfaces, claim scrubbers, PACS, Pharmacy, Laboratory and numerous clinical and medical device systems, all of which contain ePHI. Physician practices will often have a separate practice management/billing system, EDI clearinghouse systems, and various clinical systems that vary by specialty, including EKG, PACS, Ultrasound and a myriad of other medical equipment that contain ePHI. Both hospitals and physicians typically have some ePHI on their file servers in word processing and spreadsheet files.

One of the tasks in the Security Risk Analysis is to inventory and characterize all of the ePHI at the organization, which by itself is not an insignificant effort at a medium to large organization. Based on the quantity, sensitivity and access to the data, these different applications/data sets will then be characterized based on risk. The next step is to identify the controls in place for each of these systems, usually placing the most resources on the systems that involve the greatest risk. The overall risk analysis will then aggregate and report on all of this information, identifying the various risks, quantifying the risk involved, and prioritizing the risks.

The narrower focus for meaningful use requires that only the security of the electronic record data be examined, not the myriad of other systems that may be present in the organization. In Eagle Consulting Partners' opinion, this would involve examining the controls in the application software plus the controls involving the network security.

Why include the network? In order to properly secure the application, its perimeter must be secure. If an intruder gains access to the network, they are most of the way in to the electronic record software. For example, once an intruder has control of an endpoint and monitors keystrokes with a keylogger, access credentials and passwords could readily be obtained that would provide access to the electronic record system. This example applies both to electronic record software maintained on the network and to software hosted in the cloud but accessed from a workstation on the organization's network.

For a small physician practice with an integrated electronic record/practice management system application, and no other significant applications, this rule adjustment will not make any practical difference in the scope or cost of the risk analysis.

The takeaways are as follows:

  1. Organizations that haven’t completed a security risk analysis for 2015 need to get this completed by the end of the year, and
  2. For medium to larger organizations, the annual security risk analysis focused on the electronic record data can be a portion of a larger effort which periodically examines all of the electronic PHI that the organization stores and maintains.

Editor’s Note: Subsequent to the publication of this article, CMS has renamed the “Meaningful Use” programs and MIPS “Advancing Care Information” category to “Promoting Interoperability”.
