Security Analysis & Evaluation


Protecting Patient Health Information via Security Risk Assessment (SRA)

Health care providers of all organization sizes and types have data at risk. Breaches of sensitive data, including electronic protected health information (ePHI) occur on a regular basis.

The Department of Health and Human Services Office for Civil Rights (OCR) started a new phase of its audit program in which it randomly evaluates practices’ compliance with the HIPAA Privacy and Security Rules. As part of this new phase, OCR is conducting both on-site and off-site audits. All practices should ensure they are prepared for such an audit, since any HIPAA covered entity can be selected.

During the 2016 calendar year, a total of 450 unique covered entities had at least one data breach that resulted in the compromise of protected health information. The health care industry averaged more than one data breach per day in 2016. With the rise of ransomware, threat actors have more ways than ever to breach your data. (Source: “March Health Data Breaches,” April 13, 2017. Retrieved from https://www.protenus.com/blog/march-health-data-breaches-time-to-report-improving-but-time-to-discovery-still-troubling)

What is the objective of an SRA?

Patient information is necessary to perform medical care but can be very damaging if it falls into the wrong hands. Patients can be victimized by fraud, identity theft, loss of privacy, or improper modification of their medical records. Health care organizations that breach patient data can be subject to financial penalties, lost revenue, bad publicity, and legal action. Loss of access to health information can seriously impede an organization’s ability to provide care, even grinding all health care operations to a halt for severely affected entities. Securing patient information is necessary to ensure that adequate medical care can be provided. This is why patient information is protected by law under the HIPAA rules. The Quality Payment Program and the EHR Incentive Program highlight the critical need for information security by making security risk analysis a prominent requirement in each.

Quality Payment Program (MACRA/MIPS) Advancing Care Information measure

“Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified EHR technology in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the MIPS eligible clinician's risk management process.”

Eligible Clinicians must meet this requirement in order to receive the 50% base score and to be eligible for any score in the Advancing Care Information category.

EHR Incentive Program (Meaningful Use) measure

“Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI created or maintained by CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP, eligible hospital, or CAH’s risk management process.”

Eligible Professionals must meet the SRA requirement to attest to Meaningful Use for a given year. The SRA must occur during the year for which they are attesting and prior to attestation.

Evaluate Your Network Security to Keep Your Practice and Patients Safe

Ransomware is in the spotlight now, and it is only a matter of time before another weakness within your network is exploited, resulting in compromised patient records or other sensitive data. Put your computer systems in the best position to prevent these attacks by knowing your weaknesses and how to address them.

Evaluating and determining where every weak point is within your network can be a long process requiring considerable technical expertise. There are most likely more devices connected to your network than you are currently aware of, and each of them adds hours of analysis. Any one of these unknown devices could be exactly the opening an attacker needs to gain access to sensitive information.

We want your data to be safe and secure, and to put your practice in the best possible position to mitigate a breach.

Although hacking incidents make up only one-third of the breaches that have occurred so far in 2017, these incidents are responsible for about 60 percent of the victims impacted, or about 1.6 million individuals. (Source: U.S. Department of Health and Human Services, July 10, 2017. Retrieved from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf)

Our Network Security Evaluation service will let your practice know not only where your weaknesses lie but also what you can do to address them within your current budget and resources. We prioritize weaknesses so you will know which vulnerable systems should be addressed first. The Network Security Evaluation process is quick and simple, and with our suite of tools and extensive security and privacy expertise, your network is evaluated against the known vulnerabilities current at the time of the assessment.

To take control of your computer network and prioritize the safety of both your practice and your patients, contact M-CEITA today, before the next big ransomware outbreak strikes.

Please see the M-CEITA Security Evaluation fact sheet for more information.

M-CEITA has helped thousands of providers with their security assessments and evaluations. We can help you, too.
