Meaningful Use Core Measures Protect Electronic Health ...
Chris Erdle
Senior Information Systems Security Officer
Alaska Native Tribal Health Consortium

Protect electronic health information created or maintained by the certified electronic health record (EHR) technology through the implementation of appropriate technical capabilities.

• Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1); and
• Implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

To meet this measure eligible hospitals, critical access hospitals (CAH), and professionals must:
• Attest YES to having conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1)
• Implement security updates as necessary
• Correct identified security deficiencies prior to or during the EHR reporting period.

Eligible hospitals, CAHs, and professionals must:
• Conduct or review a security risk analysis of certified EHR technology
• Implement updates as necessary at least once prior to the end of the EHR reporting period
• Attest to that conduct or review
• Testing could occur prior to the beginning of the first EHR reporting period
• A new review would have to occur for each subsequent reporting period

• A security update would be required if any security deficiencies were identified during the risk analysis
• A security update could be:
◦ updated software for certified EHR technology, to be implemented as soon as available
◦ changes in workflow processes or storage methods
◦ other necessary corrective action that needs to take place in order to eliminate the security deficiency or deficiencies identified in the risk analysis

Source: CMS.gov website, EHR Incentive Programs, Eligible Hospitals, CAHs, and Professionals Meaningful Use Core Measures

• NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems
• NIST Special Publication 800-39: Integrated Enterprise-Wide Risk Management
• NIST Special Publication 800-137: Information Security Continuous Monitoring for Federal Information Systems and Organizations
• NIST Special Publication 800-37 Revision 1: Guide for Applying the Risk Management Framework to Federal Information Systems
• NIST Special Publication 800-66 Revision 1: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
• ISO/IEC 27005: Information Security Risk Management
• ISACA Risk IT Framework