
Meaningful Use and IT Security

A Live Update from the RSA Conference in San Francisco

Daniel W. Berger, Executive Vice President, Redspin, Inc.


dberger@redspin.com
(805) 576-7158

2/17/2011 http://www.redspin.com
So yes, I was at RSA….

Agenda
- EHR Meaningful Use Incentive Program
Progress to Date
- Navigating “Meaningful Use” Amidst a Changing
Political Landscape
- Assessing Your Internal Security Program for
Compliance and Long Term Success
- What's New on the Security Front
- The Challenges of Creating a Secure, Private
Cloud Environment
- Case Study: Beth Israel Deaconess Medical Ctr

Where Did It All Start?

• American Recovery and Reinvestment Act (ARRA)
– Established new Medicare and Medicaid incentives to stimulate critically needed investments in health information technology (health IT)
• Two key concepts determine whether providers qualify for health IT incentives:
– must make "meaningful use" of IT
– use a "qualified or certified EHR" (electronic health record).
The ONC Mandate

“Americans will benefit from electronic health records as part of a modernized, interconnected, and vastly improved system of care delivery.”

Dr. David Blumenthal, Office of National Coordinator (ONC) for Health Information Technology (Outgoing Head)

“Meaningful Use” – A Quick Review

- Use of a certified EHR in a meaningful manner (e.g. e-prescribing)
- Use of certified EHR technology for electronic exchange of health information to improve quality of health care
- Use of certified EHR technology to submit clinical quality and other measures

Eligible Entities

– Eligible professionals (EPs)
– Eligible hospitals
– Critical access hospitals
– Certain Medicare Advantage Organizations whose affiliated EPs and hospitals are meaningful users of certified EHR technology

Criteria and Standards
– Is the practice or hospital making adequate use of EHRs?
– Has a risk analysis been conducted?
– Is there a platform for staged implementation?

To achieve meaningful use, providers must:

– Provide and monitor privacy and security protection of confidential PHI through operating policies, procedures, and technologies
– Comply with all applicable federal and state laws and regulations
– Provide transparency of data sharing to patients
CMS Meaningful Use Goals
• Improve quality, safety, and efficiency of health care and reduce health disparities
• Engage patients and families
• Improve care coordination
• Improve population and public health, and
• Ensure adequate privacy and security protections for personal health information
CMS Requirements
• Healthcare providers must demonstrate by the end of 2011 (September 30th for hospitals) a 90-day contiguous meaningful use of an electronic health record (EHR) for Medicare transactions
• Either adopt, implement or upgrade an EHR for Medicaid, also within 90 days.
• Hospitals can receive payments for both, but physicians only one.

Show Me the Money

Meaningful Incentive Program

Medicare EHR
• Participation as early as FY 2011
• EPs may receive up to $44,000 over 5 years, plus incentive if in HSPA
• Must begin by 2012 to get maximum
• Incentives for hospitals may begin in 2011 w/a $2 million base payment
• Medicare EPs, hospitals and CAHs who do not show meaningful use will have Medicare payments decrease beginning 2015

Medicaid EHR
• Voluntarily offered by individual states
• May begin as early as FY 2011
• EPs may receive up to $63,750 over 6 years
• Incentives for hospitals may begin in 2011
• No payment adjustment for providers who do not show meaningful use
Meaningful Use Incentive Program
Progress to Date

Meaningful Use Incentive Program
Progress to Date
Jan 3, 2011 – Meaningful Use registration opens
Jan 5, 2011 – 2-physician medical group in Austin, TX received $42,500 under the Medicaid incentive program for EHR
Feb 11, 2011 – >18,000 providers registered under meaningful use incentive program; >40,000 providers have registered at 62 regional extension centers for assistance in meeting requirements
May 1, 2011 – First payments will go out to qualified Medicare providers

Navigating Meaningful Use Amidst
a Changing Political Landscape
• House vote 245-189 to repeal Patient Protection and Affordable Care Act (PPACA)
• Spending Reduction Act HR 408 would imply rescinding funding for EHR incentives
• Blumenthal’s resignation
• PPACA ruled unconstitutional in a Virginia court and then again in U.S. district court in Florida

Keep Calm and Carry On

Assessing Your Internal Security Program
for Compliance and Long Term Success

Meaningful Use Stage 1
Core Objective
Protect Electronic Health Information

• Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
• Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

Security Rule Standards
Evaluation Standard
“Perform a periodic technical and non-technical evaluation, based initially upon the standards and implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.” [§164.308(a)(8)]

Related Standards

– Security Management Process §164.308(a)(1)(i)
– Risk Analysis §164.308(a)(1)(ii)(A)
– Risk Management §164.308(a)(1)(ii)(B)
– Information System Activity Review §164.308(a)(1)(ii)(D)

Business Associates

Covered Entity (CE)
A health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a transaction covered under the HITECH Act

Business Associate (BA)
Party who performs a function on behalf of a Covered Entity and has access to PHI in the performance of that function

HIPAA/HITECH Compliance
What are the objectives of a
HIPAA Risk Analysis and
Security Assessments?

Compliance: a HIPAA Risk Analysis verifies compliance with the standards defined in the Security Rule of the Administrative Provisions in Title II of HIPAA.

Security: utilizes a risk-based approach to minimize the risk of a compromise of Electronic Protected Health Information (EPHI) triggering the breach notification requirements.

PHI/PII Risk Indication

Components of Risk

The assets (what you are trying to protect is PHI)
• You need to know where it is, how it is used, and how it is transported over the network.

The threats (what are you afraid of happening?)
• Sophisticated cybercriminals stealing account credentials, credit card records, or medical history to file false claims.
• Hackers using application attacks to gain access to database records.
• Insiders gathering inappropriate data through mis-configured access control.

The vulnerabilities (how could the threat occur?)
• Targeted social engineering attacks; malware exploiting Adobe .pdf and MS Office .doc vulnerabilities
• Application vulnerabilities (e.g., SQL injection, command injection)
• Mis-configured database access controls

Current mitigation (what is currently reducing the risk?)
• Staff
• Technology
• Processes
Some Types of Assessments

- Wireless Pen
- Web App
- External Pen
- Internal Pen
- Social Engineering
- Controls
- Data Security Analysis
- Network Security Analysis
- Physical Systems

Other possible assessments:
- PCI, if credit cards
- Sarbanes-Oxley
- Gramm-Leach-Bliley

Business Associate Compliance

Liability:
- BAs are contractually liable to CEs for breach of BA agreement
- BAs are civilly and criminally liable to Federal government for violations

Notification:
- BA notify CE of any breach
- CE has obligation to notify patients and HHS
- If 500+ persons, notify media serving their area

Recommendations:
- Identify BAs with highest risk
- Communicate expectations to BAs
- Automate contract and BA agreement files
- Develop auditing and monitoring process
- Educate executives and key players on BAs

Business Associates (BAs) of a Covered Entity (CE):
- IT vendors
- coding vendors
- outsourced call center
- subcontractors
- insurance companies
- pharmacies
- hospitals
- physicians
- e-prescribing ecosystem
- CPOE
- radiology labs
- HIEs
- RHIOs
- ACOs
- lawyers
- CPAs
- housekeeping services
- etc. !!!
HIPAA Audit Scope Attributions

What’s New on the Security Front

Healthcare IT
Challenges of creating a secure cloud environment

What is Cloud Computing?

Many definitions, but key characteristics include:

• Broad Network Access
• Rapid Elasticity
• Measured Service
• On-Demand Service
• Resource Pooling

Most Common Cloud Computing
Deployment Models
Public – Available to the general public and owned by an organization selling cloud services.
Private – Operated solely for a single organization. It may be managed by the organization or a third party, and may exist on-premises or off-premises.
Community – Shared by several organizations and supports a specific community that has shared concerns. It may be managed by the organizations or a third party and may exist on-premises or off-premises.
Hybrid – A composition of two or more clouds.

A Hybrid Model – Most Common

(Diagram courtesy of Symantec)

Security and Compliance Challenge

What should you be worried about?

• Balancing Control vs. Trust
• Supporting Accessibility
• Protecting the Data
• Proving Your Solution is Secure

Solution: PHI in Cloud Context

How to avoid HHS's Breach List:

• Where is the Data
• Monitor and Log Access
• Encryption in Storage and Transit
• On-going Testing Program

Beth Israel Deaconess
Medical Center

CASE STUDY

Profile
• Teaching hospital of Harvard Medical School
• >750,000 patient visits annually (Boston area)
• 631 licensed beds, including 429 medical / surgical
beds, 77 critical care beds and 60 OB/GYN beds
• Approximately 5,000 births a year
• A full range of ER services including a Level 1 Trauma
Center and roof-top heliport
• Medical provider to Boston Red Sox

Source: http://www.bidmc.org/AboutBIDMC/StatsandFacts.aspx

The Middle of the Story - Today
• Beth Israel Deaconess Medical Center (BIDMC) is first hospital nationally to meet new federal electronic health record requirements with its own software (January 26, 2011)
• Technology supports all quality, safety and efficiency goals spelled out in the American Recovery and Reinvestment Act (ARRA).

Source: http://www.bidmc.org/News/AroundBIDMC/2011/January/Meaningfuluse.aspx

The Beginning of the Story
• 2+ years ago
• Part of an eClinicalWorks LLC electronic health record
(EHR) deployment to roughly 200 affiliated ambulatory
physicians. Will be 350 by year end.
• BIDMC virtualized servers on VMware
• One at a time, one virtual server -- including the EHR
software integrated with a practice management app and
billing system -- was deployed to each practice.

Source: http://searchhealthit.techtarget.com/tip/How-virtualization-implementation-catalyzes-private-cloud-growth
(Jan 10, 2011)

The Result

• Beth Israel Deaconess realized it inadvertently had built the first -- or one of the first -- private clouds
• Scalable, doesn't require a huge hardware outlay or data center footprint at the start
• BIDMC has many attributes that are attractive to other health care networks looking for a model to crib their own EHR infrastructure.

Source: http://searchhealthit.techtarget.com/tip/How-virtualization-implementation-catalyzes-private-cloud-growth
Jan 10, 2011

In Their Own Words

“We didn't go into this thinking, 'Hey, let's build a cloud.' It was, 'We want a subscription-type service in which physicians could get rid of their homegrown technology and tap into Beth Israel Deaconess' infrastructure with only an Internet connection and their desktop machines.'”

- Bill Gillis
BIDMC eHealth Technical Director

Source: http://searchhealthit.techtarget.com/tip/How-virtualization-implementation-catalyzes-private-cloud-growth
Jan 10, 2011

In Their Own Words

“It's probably the most complex clinical health information thing I've ever tried to achieve -- more complex than building this cloud. There are so many moving parts, so many pieces that need to work and flow. It is challenging.”

- Bill Gillis
BIDMC eHealth Technical Director

Source: http://searchhealthit.techtarget.com/tip/How-virtualization-implementation-catalyzes-private-cloud-growth
Jan 10, 2011

The Future at BIDMC
• First step - Let physicians within its private cloud exchange data.
• Extend Hospital network's HIE project to other area hospitals and later to the whole country.
• Deploy virtual desktops in a hardware-agnostic way so physicians could manage apps from their laptops, tablets and smart phones.
• Interoperability combining data from various proprietary systems into a patient-accessible EHR.

Source: http://searchhealthit.techtarget.com/tip/How-virtualization-implementation-catalyzes-private-cloud-growth
(Jan 10, 2011)

http://www.redspin.com/resources/healthcare/index.php

Appendix

New Enforcement Efforts and Priorities

HHS made changes to the HIPAA regulations to conform the enforcement component of the regulations to the statutory revisions made pursuant to the HITECH Act.

• Civil Monetary Penalties
• Violations categorized
• Tiered ranges of civil money penalty amounts

Penalties – Per Calendar Year
Person did not know (and by exercising reasonable due diligence would not have known):
$100 - $50K/violation, not to exceed $25K - $1.5MM

Violation due to reasonable cause and not to willful neglect:
$1,000 - $50K/violation, not to exceed $100K - $1.5MM

Due to willful neglect and violation was corrected:
$10K - $50K/violation, not to exceed $250K - $1.5MM

Due to willful neglect and violation was not corrected:
At least $50K/violation, not to exceed $1.5MM
