Healthcare IT Security and Compliance


Healthcare IT Security and Compliance The New Trend in Healthcare IT

EHR 2.0 – Company Background
Mission: To assist healthcare organizations in developing and implementing practices to secure IT systems and comply with HIPAA/HITECH regulations.
Consulting services to secure IT systems
Education to increase staff awareness
Best practices publications on HIPAA/HITECH security
Goal: To make compliance a painless and enjoyable experience, while building capability and confidence.

Health Care Costs Out of Control
The cost of patient care is increasing across the world; however, the increase is more pronounced in the US than in any other developed or developing country. Currently, approximately 15% of US GDP (Gross Domestic Product) is spent on healthcare (5). As a result, healthcare is distinctly the largest industry in the US economy. One trend is that healthcare expenditure in the US has continued to grow over time, from 5% of GDP in 1960 to 15% of GDP in 2010. There are many reasons for this increase in costs:
Demand for better care: the average cost of cancer treatment is near $60,000 (1). Triple-drug antiretroviral cocktails used to treat HIV average $12,000 per year (2). The accumulated cost for a heart attack victim from hospital admission to discharge is $23,000 (3).
Aging population and increased life expectancy: we are living longer and, some say, living longer while sick. 4% of the population was older than 65 in 1960; this is forecast to reach 25% by 2050.
Poor lifestyle: increasing waistlines and long queues at physician offices. Chronic diseases such as diabetes and high blood pressure mean continuous physician visits and daily medicines, thus increasing costs. These costs are projected to increase as the baby boomer generation is now retiring.
Health care in the United States is provided by many separate legal entities. Health care facilities are largely owned and operated by the private sector. Health insurance is now primarily provided by the government in the public sector, with 60-65% of healthcare provision and spending coming from programs such as Medicare, Medicaid, TRICARE, the Children's Health Insurance Program, and the Veterans Health Administration. In addition, health care costs are also increasing due to the aging population, poor lifestyle, misdiagnosis and slow adoption of technology.
Numerous research studies have demonstrated that the adoption of technologies such as IT will not only improve the quality of health care but also improve the workflow efficiency of health care providers.
[Figure: Growth in Total Health Expenditure Per Capita, U.S. and Selected Countries, 1970-2008. Source: Organisation for Economic Co-operation and Development (OECD), 2010]
The cost of patient care is rising throughout the world with little correlation to quality of care in developed countries. Nowhere is this more evident than in the US.

Why breaches?
Don't know or don't care
Steal information
Use of technology
Publicity and showing off
Accidents
Average cost per compromised record is approximately $300 to $400. Average cost $7M plus. Portable media account for 22% of breaches (HHS list). Service providers cause 44% of breaches.

The American Recovery and Reinvestment Act of 2009 and HITECH

Medicare and Medicaid Meaningful Use Incentives Penalties after For eligible professionals

OCR/HHS Audit
Policies and procedures
Risk analysis and management
Documentation
Training
BA agreements and contracts

Health Information Exchange (HIE)
An HIE automates the transfer of health-related information that is typically stored in multiple organizations, while maintaining the context and integrity of the information being exchanged. An HIE provides authorized users with access to and retrieval of patient information in order to deliver safe, efficient, effective and timely patient care. Formal organizations have been formed in a number of states and regions to provide technology, governance and support for HIE efforts. Those formal organizations are termed health information organizations (HIO) or regional health information organizations (RHIO). Key point: the exchange is multi-directional.

HIPAA Titles - Overview

HIPAA Security Rule Brief overview of this with emphasis on where we are going later.

Information Security Model
Confidentiality: limiting information access and disclosure to authorized users (the right people)
Integrity: trustworthiness of information resources (no inappropriate changes)
Availability: availability of information resources (at the right time)

Protected Health Information (PHI): individually identifiable health information.

Trends in Healthcare IT: informatics, collaboration, mobile computing, HIE. Source: http://www.securedgenetworks.com/secure-edge-networks-blog/bid/54690/4-Healthcare-Technology-Trends-from-HIMSS11

EMR and EHR systems CDC Survey

For Eligible Hospital & CAH

Risk Assessment Methodology Flowchart (NIST)
Step 1: System Characterization. Inputs: hardware, software, system interfaces, data and information, people, system mission. Outputs: system boundary, functions, criticality and sensitivity.
Step 2: Threat Identification. Inputs: history of system attack, data from intelligence agencies. Output: threat statement.
Step 3: Vulnerability Identification. Inputs: reports from previous risk assessments, audit comments, security requirements, security test results. Output: list of potential vulnerabilities.
Step 4: Control Analysis. Inputs: current controls and planned controls. Output: list of current and planned controls.
Step 5: Likelihood Determination. Inputs: threat source motivation, threat capacity, nature of vulnerability, current controls. Output: likelihood rating.
Step 6: Impact Analysis. Inputs: mission impact analysis, asset criticality assessment, data criticality, data sensitivity. Output: impact rating.
Step 7: Risk Determination. Inputs: likelihood of threat exploitation, magnitude of impact, adequacy of planned or current controls. Output: risks and associated risk levels.
Step 8: Control Recommendation. Output: recommended controls.
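To make Steps 5 through 8 concrete, here is an added example (not from the slides) that applies the likelihood/impact scale of NIST SP 800-30 (2002 edition) to a small, constructed ePHI risk register; the "one effective control lowers likelihood by one band" adjustment is an assumption made for illustration, not a rule from the standard.

```python
# Added example (not from the slides): Step 5-7 arithmetic of the NIST SP 800-30
# (2002 edition) risk matrix on a small ePHI risk register. Scale values and risk
# bands follow that document; the register and the control rule are constructed.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # Step 5 rating values
IMPACT = {"High": 100, "Medium": 50, "Low": 10}          # Step 6 rating values
BANDS = ["Low", "Medium", "High"]

def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: NIST multiplies the likelihood value by the impact value."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_level(score: float) -> str:
    """Band the product: >50 to 100 is High, >10 to 50 Medium, 1 to 10 Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"

def residual_likelihood(likelihood: str, control_in_place: bool) -> str:
    """Assumed rule for this example only: an effective current control (Step 4)
    lowers the likelihood rating one band; SP 800-30 leaves that to the assessor."""
    if not control_in_place:
        return likelihood
    return BANDS[max(0, BANDS.index(likelihood) - 1)]

def rank_risks(register: list) -> list:
    """Rate each threat/vulnerability pair inherently and with current controls,
    then order by residual score so Step 8 can recommend controls top-down."""
    rated = []
    for item in register:
        inherent = risk_score(item["likelihood"], item["impact"])
        adjusted = residual_likelihood(item["likelihood"], item["controlled"])
        residual = risk_score(adjusted, item["impact"])
        rated.append({**item, "inherent": risk_level(inherent),
                      "residual": risk_level(residual), "score": residual})
    return sorted(rated, key=lambda r: -r["score"])

# Constructed sample register (Steps 1-4 done by hand; not real findings).
SAMPLE_REGISTER = [
    {"threat": "Lost laptop", "vulnerability": "ePHI on portable media",
     "likelihood": "High", "impact": "High", "controlled": True},  # disk encryption in place
    {"threat": "Insider snooping", "vulnerability": "Audit logs never reviewed",
     "likelihood": "Medium", "impact": "Medium", "controlled": False},
    {"threat": "Power outage", "vulnerability": "No UPS for EHR server",
     "likelihood": "Low", "impact": "Low", "controlled": False},
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_REGISTER):
        print(f'{r["residual"]:6} (inherent {r["inherent"]:6}) {r["threat"]}: {r["vulnerability"]}')
```

Note that the lost-laptop risk drops from High to Medium only because a current control is credited; an auditor will want the evidence for that control (Step 4 output) documented next to the rating.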

HIPAA/HITECH Security Assessment Cycle
Find out where your business is weak
Determine the compliance and security needs and gaps
Put reasonable policies and business processes in place
Implement the right technologies and processes to help with enforcement
Re-evaluate on a periodic and consistent basis

Best Practices Framework
EHR 2.0 HIPAA Security Best Practices Framework:
1. Determine ePHI systems, activities and people
2. Assessment of existing safeguards, policies and procedures
3. Gap analysis comparing existing vs. required HIPAA Security Rule safeguards
4. Prioritize and select key control areas
5. Implement HIPAA corrective measures
6. Documentation, training and reassessment

Security – An Overarching Driver
Regulations and standards: federal/state, international laws
Reputation
Value
Compliance

What do we do …
Education, consulting, toolkit and tools
1. Risk Analysis for Meaningful Use; HIPAA/HITECH Security Assessment; Federal Audit Advisory Services
2. Healthcare IT Security and Compliance Risk Assessment; Mobile and Social Media Compliance
3. Consulting toolkit and tools: best practices checklist; policies and procedures

THANK YOU! www.ehr20.com info@ehr20.com