Top 10 Myths of Security Risk Analysis (Part 2 of 10) – Certified EHRs
In this 10 part series we will explore the top 10 myths of Security Risk Analysis and how they potentially impact you as a covered entity.
Myth #2: Simply installing a certified EHR fulfills the Security Risk Analysis MU requirement.
Many small medical practices have just flat out ignored Core Measure 15, as it is complicated and has a lot of gray areas. To some degree I don’t blame them, but when you consider the dollars they are wanting to get back from the Federal Government it seems that spending a few thousand dollars to have a Security Risk Analysis done right is a small price to pay for such a large amount of money.
What does a Risk Analysis need to include in order to meet the criteria set out by HHS? Will it cover all the bases in event of an audit?
First we can look at the “risk” and that it can be measured by the likelihood of the exploitation of a particular vulnerability and the resulting impact on the organization. Essentially this points out that risk is not a single factor or event, but a combination of threats and vulnerabilities, and the impact they may have on the organization. To read in detail the entire security rule guidance from HHS check out this PDF:
Some of the questions from the NIST Special Publication include:
- Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
- What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
- What are the human, natural, and environmental threats to information systems that contain e-PHI?
There is no one-size-fits-all, and as the size of the practice changes so does the scope of the analysis. The key is that the security rule encompasses the confidentiality, availability and integrity of all ePHI (electronic Protected Health Information) that an organization creates, receives, maintains or transmits.
Why Untangled Solutions?
If you would like help reviewing the details of all the elements of a Risk Analysis please don’t hesitate to reach out to us at Untangled Solutions.
Since 2009 Untangled Solutions and its world class team of IT Security experts have been performing security, privacy and breach vulnerability assessments for covered entities all over the United States. You can count on Untangled Solutions to provide you with a complete book of evidence and we are 100% committed to your success.