hipaa hitech e-prescribing / e-prescription

HIPAA –HITECH e-Prescribing & Risk Analysis Valdez Ladd – CISSP, CISA, MBA, MS ISM, MAIA, ISO TC 215 WG 4

Upload: valdez-ladd-mba-cissp-cisa

Posted on 12-Jan-2017

Category: Health & Medicine

TRANSCRIPT

Page 1: HIPAA HITECH  E-Prescribing / E-Prescription

HIPAA –HITECH e-Prescribing & Risk Analysis

Valdez Ladd – CISSP, CISA, MBA, MS ISM, MAIA, ISO TC 215 WG 4

Page 2

HIPAA –HITECH e-Prescribing & Risk Analysis

Page 3

HIPAA –HITECH Medical Security

• Business Associates (BAs) will be treated just like Covered Entities for purposes of the HIPAA privacy and security provisions and will be responsible for:

• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
• Policies and Procedures, and Documentation requirements of the Security Rule
• 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316, respectively.

Page 4

HIPAA –HITECH Breach Example

• Stanford Hospital sued over data breach: New York Times, September 8, 2011

• A class-action lawsuit, filed after a reported data breach of 20,000 patients' medical records, claims that Stanford Hospital & Clinics unlawfully disclosed confidential medical information.

• A detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork.

• Ref: Patient Data Posted Online in Major Breach of Privacy, NY Times, http://www.nytimes.com/2011/09/09/us/09breach.html?pagewanted=all

Page 5

HIPAA –HITECH Breach Example

• Stanford Hospital sued over data breach

• New York Times, September 8, 2011, Kevin Sack

• A detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork.

• The spreadsheet included names, diagnosis codes, account numbers, admission and discharge dates, and billing charges for patients seen at Stanford Hospital's emergency room during a six-month period in 2009, Mr. Migdol said. It did not include Social Security numbers, birth dates, credit-card numbers or other information used to perpetrate identity theft, ...

• Ref: Patient Data Posted Online in Major Breach of Privacy, http://www.nytimes.com/2011/09/09/us/09breach.html?pagewanted=all

Page 6

HIPAA –HITECH Breach Example

• Dr. Cline said health care providers depend unjustifiably on legal contracts with vendors to protect medical records. "That just doesn't work, as we can see," he said. "You have to do due diligence, something to assure yourself that the people you're giving your data to can be trusted."

• Ref: Patient Data Posted Online in Major Breach of Privacy, http://www.nytimes.com/2011/09/09/us/09breach.html?pagewanted=all

Page 7

HIPAA – HITECH e-Prescribing & Risk Analysis

The Center for Improving Medication Management, www.thecimm.org

Page 8

HIPAA – HITECH e-Prescribing & Risk Analysis

The Center for Improving Medication Management, www.thecimm.org

Page 9

Delaware E-Prescribing Process Flow (diagram; source slide: 42nd ISM Annual Conference, September 1, 2009, slide 9)

Nodes in the flow:

• Physician
• Software vendors
• Pharmacy Network (Surescripts SIG)
• Master Beneficiary and Formulary Database (Surescripts PRN)
• Medicaid, Other Pharmacy Benefit Manager, Other Payers
• Mail Order Pharmacy
• Retail Pharmacy
• Institutional Pharmacy
• Pharmacy Network
• Payer Network

Page 10

Computerized Provider (Physician) Order Entry (CPOE) Prescribing

• Computerized physician order entry (CPOE) is the process of electronic entry of medical practitioner instructions for the treatment of patients.

• Prescribing errors are the largest identified source of preventable errors in hospitals. A 2006 report by the Institute of Medicine estimated that a hospitalized patient is exposed to a medication error each day of his or her stay.

• CPOE can reduce total medication error rates by 80%, and adverse medication errors (serious, with harm to the patient) by 55%.

• Electronic Prescribing of Controlled Substances (EPCS)

• Ref: Wikipedia: Health Information Technology; Computerized physician order entry

Page 11

HIPAA – HITECH e-Prescribing & Risk Analysis

• Clinician's Guide to e-Prescribing

• E-prescribing and pharmacy applications must conduct internal audits to determine whether security incidents have occurred (the DEA expects this to be an automated process that generates a report for human review).

• If the person reviewing the report determines that a security incident has occurred, they must report the incident to the application provider and the DEA within one business day.

• (DEA: US Drug Enforcement Administration)

• The Center for Improving Medication Management, www.thecimm.org

Page 12

HIPAA – HITECH e-Prescribing & Risk Analysis

• The DEA now permits prescriptions for controlled substances to be issued electronically:

• Prescribers that wish to manage these prescriptions electronically must use technology that has been certified for this transmission.

• Prescribers themselves must undergo an ID proofing process before they begin to submit prescriptions for controlled substances electronically.

• Prescribers must use a two-factor authentication process each time they send a prescription for a controlled substance electronically.

• The Center for Improving Medication Management, www.thecimm.org

Page 13

Use of an E-Prescribing Application Certified for EPCS – Certified to Manage

• 1) The prescriber must use an e-prescribing application that has been certified to manage these prescriptions electronically.

• Prescribers unsure of the status of a current or prospective e-prescribing application should ask the application's vendor about its compliance status.

• E-Prescribing Application Requirements and Notifications of Non-Compliance

• The Center for Improving Medication Management, www.thecimm.org

Page 14

Use of an E-Prescribing Application Certified for EPCS – ID Proofing

• ID Proofing

• The prescriber must complete an ID proofing process conducted by a credential service provider (CSP) or certification authority (CA) approved by the federal government.

• Prescribers should be informed by their e-prescribing application vendor or practice administrator as to which CSP or CA they should work with.

• The CSP or CA may also issue a two-factor credential to the prescriber.

• Remote identity proofing is permissible.

• Institutional prescribers may conduct identity proofing in-house and in person.

• The Center for Improving Medication Management, www.thecimm.org

Page 15

Use of an E-Prescribing Application Certified for EPCS – Two-Factor

• Two-Factor Authentication

• The prescriber must use a two-factor authentication credential each and every time they issue a prescription for a controlled substance.

• Two-factor credentials are used for two purposes:
• – To approve access controls.
• – To sign prescriptions.

• The two-factor authentication requirement is designed to protect prescribers from misuse of their credentials by insiders and/or by external threats, because prescribers retain control of a biometric or hard token.

• The Center for Improving Medication Management, www.thecimm.org

Page 16

Use of an E-Prescribing Application Certified for EPCS – Two-Factor

• Two-Factor Authentication

• In the event of a lost or stolen hard token:

• Prescribers must notify designated individuals within one business day of discovering that a hard token has been lost, stolen, or compromised, or that the authentication protocol has been otherwise compromised.

• Failure to comply may result in prescribers being held responsible for any controlled substance prescriptions written using their credentials.

• The Center for Improving Medication Management, www.thecimm.org
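Pages 11, 14, 15 and 16 together describe an automated review of the application's audit trail: the report a human reviewer inspects should surface controlled-substance prescriptions signed without two factors, prescriptions signed with a hard token after it was reported lost or compromised, signing by a prescriber with no recorded ID proofing, and the one-business-day reporting clock. The Python below is an added example of such a review and is not code from the original slides, from the CIMM guide, or from any EPCS vendor. The JSON-lines log format, the field names (event, schedule, factors, token_id), the prescriber and token identifiers, and the sample events are all constructed for illustration; the deadline calculation counts weekdays only and ignores public holidays.

```python
"""Automated EPCS audit-trail review: flag likely security incidents for human review.

Added example; the log schema and the sample events below are constructed for
illustration and are not the schema of any real EPCS application.
"""
import json
from datetime import datetime, timedelta

# DEA schedules II-V are controlled substances; "none" marks a non-controlled drug.
CONTROLLED_SCHEDULES = {"II", "III", "IV", "V"}

# Constructed sample audit log, one JSON object per line (a Monday and the
# following Friday in January 2017). Field names are assumptions.
SAMPLE_LOG = """\
{"ts": "2017-01-09T09:12:00", "event": "id_proofing_completed", "prescriber": "dr_a", "csp": "example-csp"}
{"ts": "2017-01-09T10:05:00", "event": "rx_signed", "prescriber": "dr_a", "rx_id": "rx-1001", "schedule": "II", "factors": ["password", "hard_token"], "token_id": "tok-a1"}
{"ts": "2017-01-09T10:20:00", "event": "rx_signed", "prescriber": "dr_a", "rx_id": "rx-1002", "schedule": "IV", "factors": ["password"], "token_id": null}
{"ts": "2017-01-09T11:00:00", "event": "rx_signed", "prescriber": "dr_a", "rx_id": "rx-1003", "schedule": "none", "factors": ["password"], "token_id": null}
{"ts": "2017-01-13T16:45:00", "event": "token_compromised", "prescriber": "dr_a", "token_id": "tok-a1", "reason": "lost"}
{"ts": "2017-01-13T17:30:00", "event": "rx_signed", "prescriber": "dr_a", "rx_id": "rx-1004", "schedule": "II", "factors": ["password", "hard_token"], "token_id": "tok-a1"}
{"ts": "2017-01-13T18:00:00", "event": "rx_signed", "prescriber": "dr_b", "rx_id": "rx-1005", "schedule": "III", "factors": ["password", "biometric"], "token_id": null}
"""

# Time the automated review ran (constructed): Friday evening, 13 Jan 2017.
DISCOVERED_AT = datetime(2017, 1, 13, 19, 0)


def parse_log(text):
    """Parse JSON-lines audit events and return them in timestamp order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def next_business_day(when):
    """Reporting deadline: the next weekday after the discovery time.
    Weekends only; public holidays are ignored in this example."""
    day = when.date() + timedelta(days=1)
    while day.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        day += timedelta(days=1)
    return day


def review_log(text, discovered_at):
    """Replay the audit trail and return the report a human reviewer would inspect."""
    proofed = set()      # prescribers with a recorded ID-proofing event
    compromised = {}     # token_id -> time it was reported lost/stolen/compromised
    findings = []
    events = parse_log(text)
    for ev in events:
        kind = ev["event"]
        if kind == "id_proofing_completed":
            proofed.add(ev["prescriber"])
        elif kind == "token_compromised":
            compromised[ev["token_id"]] = ev["ts"]
        elif kind == "rx_signed" and ev.get("schedule") in CONTROLLED_SCHEDULES:
            problems = []
            # Rule 1: a controlled-substance prescription needs two distinct factors.
            if len(set(ev.get("factors", []))) < 2:
                problems.append("controlled_rx_without_two_factor")
            # Rule 2: a hard token must not be used after it was reported compromised.
            tok = ev.get("token_id")
            if tok in compromised and ev["ts"] >= compromised[tok]:
                problems.append("signed_with_compromised_token")
            # Rule 3: the prescriber must have completed ID proofing before signing.
            if ev["prescriber"] not in proofed:
                problems.append("prescriber_not_id_proofed")
            for p in problems:
                findings.append({"rx_id": ev["rx_id"], "prescriber": ev["prescriber"],
                                 "ts": ev["ts"].isoformat(), "finding": p})
    return {
        "events_reviewed": len(events),
        "findings": findings,
        # One business day from discovery, per the DEA reporting requirement.
        "report_by": next_business_day(discovered_at).isoformat() if findings else None,
    }


if __name__ == "__main__":
    print(json.dumps(review_log(SAMPLE_LOG, DISCOVERED_AT), indent=2))
```

Run stand-alone, the script prints a report with three findings: rx-1002 (a Schedule IV prescription signed with a password alone), rx-1004 (signed with tok-a1 after it was reported lost) and rx-1005 (signed by a prescriber with no ID-proofing event), and a report-by date of Monday 2017-01-16. The non-controlled rx-1003 is deliberately not flagged, since the two-factor requirement on these slides applies to controlled substances only.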

Page 17

HIPAA – HITECH e-Prescribing & Risk Management

Application Audits or Certifications

• E-prescribing and pharmacy applications must undergo independent audit or certification by:

• – Persons qualified to conduct SysTrust, WebTrust, or SAS 70 audits [SSAE 16 supersedes Statement on Auditing Standards (SAS) No. 70]
• – Certified Information Systems Auditors (CISA)
• – Independent certification organizations approved by the DEA.

• The audit/certification must determine whether the application meets the DEA's EPCS requirements.

• Application providers must make their audit or certification reports available to prescribers or pharmacies using or considering using their applications.

• Prescribers and pharmacies may only sign or process EPCSs using applications that have been determined to meet the DEA's requirements through the types of audits mentioned above.

• The Center for Improving Medication Management, www.thecimm.org

Page 18

HIPAA – HITECH e-Prescribing & Risk Management

• EPCS is voluntary from the DEA's perspective: written, manually signed, and oral prescriptions for controlled substances, where applicable, are still permitted.

• The rule also permits pharmacies to receive, dispense, and archive electronic prescriptions for controlled substances.

The Center for Improving Medication Management, www.thecimm.org

Page 19

e-Prescribing & Risk Analysis

» Elements of a Risk Analysis

• Scope of the Analysis
• Data Collection
• Identify and Document Potential Threats and Vulnerabilities
• Assess Current Security Measures
• Determine Likelihood of Threat Occurrence
• Determine Potential Impact of Threat Occurrence
• Determine the Level of Risk
• Finalize Documentation; Periodic Updates to the Assessment

• Ref: Dell SecureWorks, Meaningful Use and the Security Rule: Risks and Rewards, www.eseminarslive.com/c/a/Health-Care-IT/Dell100611/

Page 20

e-Prescribing & Risk Analysis – Additional Resources

• Additional Security Resources:

• NIST SP 800-66 Revision 1: An Introductory Resource Guide for Implementing the HIPAA Security Rule

• Cloud Security Alliance:

• – Cloud Controls Matrix: principles to guide cloud vendors and assist cloud customers.
• – Consensus Assessments Initiative Questionnaire: questions a cloud consumer and cloud auditor may wish to ask of a cloud provider.

• Ref: https://cloudsecurityalliance.org/

Page 21

Questions?!

• Thank you.

• Valdez Ladd. Contact me: LinkedIn

• CISSP, CISA, COBIT 4.1, ITIL v3 F., CNSS 4011, CIW-SA; MBA, MS ISM, MAIA; ISO TC 215 WG 4; Cloud Security Alliance; NCHICA