Joined: Jul 2010
Posts: 17
Hi all,

I have received information from a vendor which states that the ONC has determined that in order to comply with meaningful use, all providers must attest that they have had a risk analysis completed. This is part of core requirement 15. Moreover, merely having a certified EHR does not meet the requirement. According to ONC, CMS has hired an auditing firm to conduct desk audits of as many as 20% of eligible providers to verify that they have conducted and completed a security risk analysis.

I am not really sure what to do about this for the clients I have using Amazing Charts (I am the IT person who supports them). Can anyone offer guidance on this?

Thanks,
John


John R. Allen
HelpLink Technology Services
Network Engineer
Central Coast CA
Joined: Apr 2011
Posts: 2,316
Likes: 2
The ONC has provided a free risk analysis tool. This will be sufficient to satisfy Core 15. Be careful of certain firms that charge anywhere from $2,000 to as high as $10,000 for solo providers. It is unnecessary.

Here is the download:
http://www.texmed.org/WorkArea/DownloadAsset.aspx?id=25071

They basically want documentation of your current setup and what steps you are taking to resolve any potential security holes. The guide will make it easy for you to find out this information. When you're done, print/save the report with the date and file it away safely.

Joined: May 2009
Posts: 838
Likes: 2
Thanks Sandeep

Joined: Dec 2010
Posts: 463
Yes, thanks Sandeep. But looking at the form, it's pretty overwhelming. Do the Feds seriously expect every doc in solo practice trying to take care of patients to do all this?

It reminds me of an incident back in 1994. We had hired a baby sitter and realized that we had paid enough for the year to require reporting it to the IRS. The "Nannygate" scandal had been in the papers. Wanting to avoid our own problems with the IRS, we decided to try to comply with the regulations. The forms we had to fill out were a nightmare and included a question like this: "Do you have more than 1,000 employees? If so you must report your data on mag-tape." No, we only had a babysitter.

John


John Howland, M.D.
Family doc, Massachusetts
Joined: Apr 2011
Posts: 2,316
Likes: 2
You could have a staff member fill it out. Most of it is just inventory. It really makes you think about the security of the data on your network. Something that should've been considered before implementing the EMR.

For example, running on a P2P system, lots of people have Everyone in their permissions for AC to work. Meaning anyone who gets on the network can get access. How would you resolve something like that?

Most of these should've been factored in before implementation.
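One way to find and close the "Everyone" permission hole described above, as an added example (not from the thread or from Amazing Charts): a PowerShell script that audits the NTFS ACL on the folder behind the AC share, reports broad Allow entries, and only with -Fix replaces them with a single entry for a named staff group. The share path and the group name are placeholders; on a workgroup (P2P) setup the group would be a local group created on the host PC.

```powershell
# Added example, not from the thread or from Amazing Charts. Audits the NTFS ACL on the
# folder behind the AC share for broad "Everyone"-style ACEs and optionally replaces them
# with one ACE for a dedicated staff group. Works with PowerShell 2.0 on Windows 7.
# $SharePath and $StaffGroup are placeholders; create the group and add clinic users first.
param(
    [string]$SharePath  = 'C:\AmazingCharts',   # placeholder: the folder you shared for AC
    [string]$StaffGroup = 'AC-Users',           # placeholder: local or domain group of AC users
    [switch]$Fix                                # dry run (report only) unless -Fix is given
)

# Identities that amount to "anyone who can reach the network"
$broadIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

$acl = Get-Acl -Path $SharePath
$findings = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $broadIdentities -contains $_.IdentityReference.Value
})

if ($findings.Count -eq 0) {
    Write-Output "OK: no broad Allow ACEs on $SharePath"
    return
}
foreach ($ace in $findings) {
    Write-Output ("FINDING: {0} has {1} on {2} (inherited: {3})" -f $ace.IdentityReference, $ace.FileSystemRights, $SharePath, $ace.IsInherited)
}
if (-not $Fix) {
    Write-Output "Dry run. Re-run with -Fix to replace these with Modify for '$StaffGroup'."
    return
}

# Inherited ACEs cannot be removed in place: break inheritance first, keeping copies
# of the inherited entries as explicit ones so the removal below can match them.
if ($findings | Where-Object { $_.IsInherited }) {
    $acl.SetAccessRuleProtection($true, $true)
}
foreach ($ace in $findings) { $null = $acl.RemoveAccessRule($ace) }

# Staff group gets Modify (read/write/delete) on the folder and everything under it;
# Full Control stays with Administrators, which is normally already present.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $StaffGroup, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Share-level permissions are a separate layer; check them too:
#   net share <ShareName>   (look for "Everyone, FULL" and tighten it to the same group)
Write-Output "Replaced broad ACEs with Modify for '$StaffGroup' on $SharePath."
```

Run it once without -Fix to see what would change, and test AC from a staff account afterwards, since the client needs write access to the shared data folder.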

Joined: Apr 2011
Posts: 2,316
Likes: 2
I don't want to bash cloud or anything but it serves as a wake up call for people who think cloud secures everything. From the document you can see just because you have cloud doesn't mean you are secure. Getting cloud satisfies maybe one or two requirements and adds a whole new layer of security requirements.

Joined: Apr 2011
Posts: 99
I can certainly see how the cloud only satisfies a few requirements; much of the security assessment deals with office organization and clerical issues, quite a pain. Not sure how it adds a new layer of security requirements, though.

I just had some folks from the local health department (which has a program to help MDs attain MU) come to the office to walk through the security assessment. When we got to the EMR implementation and I told them I was going to the cloud, they said that makes the assessment easier, since you no longer have to deal with local network, hardware and server security issues.

Michael
NY

Joined: Apr 2011
Posts: 2,316
Likes: 2
Quote
I just had some folks from the local health department (which has a program to help MD's attain MU) come to the office to walk through the security assessment. When we got to the EMR implementation and I told them I was going to the cloud, they said that makes the assessment easier, since you no longer have to deal with local network, hardware and server security issues.

The most obvious question is do you have a way of auditing access to the cloud? How do you know someone you don't know is logging in from a different state or if employees are logging in from home?

Viruses on machines you use to connect to the cloud, DDoS attacks that will knock your Internet, etc. Basically all the same threats are there with the exception of the one you are putting in the cloud. But now there is a new layer of security involved in protecting the cloud application.

Yikes, I'm scared if they told you that you no longer have to deal with the local network. A simple keylogger on any system and they can access your data from anywhere in the world. Not to mention, people still keep a lot of data outside of AC (Word documents, faxes, etc.). These still need to be secured.


Joined: Apr 2011
Posts: 99
I may be misquoting them a bit on this. What I think they said/meant was that with the EMR hosted in the cloud, we didn't need to do a whole risk analysis of the local server, how is it secured both physically and on the network, how is it backed up, are the backups encrypted etc. We did go through stuff like who has access to the computers and to the EMR.

Michael

Joined: Apr 2011
Posts: 2,316
Likes: 2
If you store any ePHI outside of AC (scans, faxes, Word docs, etc.), that is still subject to the same requirements. You need to back up those, encrypt those, etc. So if you wanted a complete cloud solution, you would need to offload everything. There are a few providers that do that (Rackspace, AWS, etc.). They are very expensive though. You could get a new server every few months.

Read those Cloud SLA's carefully. They are not responsible for data loss. The maximum amount they are liable for is your monthly payment. I'm sure they make backups, but if data loss does happen, it's not their fault. You can google around for cloud storage data loss. That's why a lot of them are implementing a local backup plan at the customer's site as well. Also, if there is a data breach, guess whose fault it is? (Hint: not the cloud provider). I'm sure the news will show you it doesn't matter if you have the deep pockets of Microsoft or Amazon, data breaches happen.

http://www.usatoday.com/story/cybertruth/2013/05/31/cloud-security-hacking-encryption/2375689/

So, in summary, network security is still an issue. Physical security can be resolved by placing the server in a locked room and using disk encryption so I wouldn't consider that a major issue. Cloud is superb but it has its limitations and you need to be taking active steps to secure it as you would a local network. Make sure you understand what's secure and what isn't. You can never have too many backups.

These are a few of the reasons many enterprises are not offloading any mission critical apps or sensitive data. The reality is the odds of a network attack in a small business are a lot smaller than an Internet attack. That's why AC recommends going wired over wireless. People need physical access to compromise the network.

The best solution is a hybrid system that utilizes the strengths of both.

Joined: Oct 2011
Posts: 207
Hi Sandeep,
Just a quick related question. I was told by AC tech support that encrypting the disk on the main computer was not necessary as the data files were already encrypted, and that it may interfere with other users accessing AC, so do you have any suggestions as to how this can be done? I was planning to use TrueCrypt or BitLocker.
Is it enough to encrypt just the mobile devices?
Thanks,
Bala

Joined: Apr 2011
Posts: 2,316
Likes: 2
I would recommend BitLocker. The data on the main computer is not encrypted. The Imported Items are stored as plain files. Using whole volume encryption with BitLocker would appear seamless to AC (TPM highly recommended). I'd recommend against using TrueCrypt encryption on a program directory. It's great as a container for files, but I'm not sure I would trust it with a program directory.

Remember disk-based encryption is designed to protect against physical theft.

Joined: Jan 2011
Posts: 443
Likes: 2
Regional Extension Centers (partially funded by CMS I believe) should be able to do it for you: http://www.healthit.gov/providers-professionals/regional-extension-centers-recs

We had the local one do our security analysis. We didn't get charged because not enough people had signed up for their services and they needed to use the grant money before it expired. They basically asked questions about our policies, put the answers in their analysis spreadsheet and gave us the report.


Serene
Office Manager
General Pediatrics
Houston, Texas
Joined: Oct 2011
Posts: 207
Thanks Sandeep for the advice, I always appreciate your take on things.
I will get Win7 Pro or Ultimate.
Did I understand that a TPM is not absolutely required for BitLocker but highly recommended?
Thanks,
Bala

Joined: Apr 2011
Posts: 2,316
Likes: 2
You're welcome.

But remember only Win 7 Ultimate has BitLocker; Windows 7 Professional does not. Windows 8 Professional has it however.

No a TPM is not necessary. You can use a USB flash drive, but the TPM does offer some advantages over the flash drive.

Joined: Nov 2012
Posts: 25
What is a TPM?

TIA,

Dr. James Webb
Solo Practice FP
KC, MO
Joined: Oct 2011
Posts: 207
Thanks Sandeep for the info.
As I understand it, the TPM (trusted platform module) can be checked by opening the BIOS, which will tell you whether your computer has a TPM or not, but an easier way would be to just try to enable BitLocker, and Win 7 will tell you whether you have a TPM or not.
Bala

Joined: Apr 2011
Posts: 2,316
Likes: 2
That's correct.

Basically it's a dedicated device for drive encryption/BitLocker. It provides the benefit of integrity checking when the computer is offline, to detect if there has been any tampering.

For example:
- Moving the BitLocker-protected drive into a new computer.
- Installing a new motherboard with a new TPM.
- Turning off, disabling, or clearing the TPM.
- Changing any boot configuration settings.
- Changing the BIOS, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.

It's pretty common on servers and business grade computers/laptops (e.g. Lenovo ThinkPad/ThinkCentre).

It looks something like this: [image of a TPM module, not reproduced]

Joined: Apr 2011
Posts: 2,316
Likes: 2
Turning it on is as easy as clicking a few buttons. I can post a tutorial if desired.

Joined: Oct 2011
Posts: 207
Dear Sandeep,
Thanks again. I actually looked through the steps on one of my computers with Win 7 Ultimate but chickened out for 2 reasons:
1. Apparently sometimes the computer decides to lock down if it senses that something may have been tampered with, and I was afraid that any changes we made, like installing new software etc., may be misinterpreted by Win7 and locked down.
2. I wasn't sure if all other users could still use AC smoothly if the main computer disk was encrypted; this was before you explained that this should not happen, if I understood correctly.
But a tutorial from you sure would help!
Bala

Joined: Apr 2011
Posts: 2,316
Likes: 2
Alright I'll post a video soon.

Joined: Oct 2011
Posts: 207
Hi,
If an external hard drive is encrypted using BitLocker To Go, can it be used on other computers with different versions of Windows like XP, or are those files inaccessible on other versions of Windows?
Maybe this will be answered in Sandeep's video, but I thought I would ask as I am planning to use BitLocker, but I do use an external HD for backup and have to use it between different computers running XP Pro and Win 7 Ultimate.
Thanks,
Bala

Joined: Apr 2011
Posts: 2,316
Likes: 2
There's an application called BitLocker to Go for XP that will let you read BitLocker encrypted drives. (Download Here)

However, one major caveat is that if the drive is formatted with NTFS (common), then you will not be able to read it on XP. The drive must be formatted with FAT32/exFAT for it to work in XP. XP needs a Windows update to read exFAT. (Download Here) FAT32 is limited to 4 GB file sizes. exFAT is much better.
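An added example (not from the thread or from Amazing Charts) that covers three points raised above: the TPM check, the USB startup key as the alternative when there is no TPM, and the exFAT caveat for XP's BitLocker To Go Reader. It is a PowerShell readiness script for a Windows 7 Ultimate PC that uses only the WMI classes and manage-bde.exe shipped with Windows 7; the OS drive letter and the startup-key path are placeholders.

```powershell
# Added example, not from the thread or from Amazing Charts: a BitLocker readiness check
# for a Windows 7 Ultimate office PC using only WMI classes and manage-bde.exe that ship
# with Windows 7. Reports TPM state, BitLocker state per volume and removable drives that
# XP's BitLocker To Go Reader could not open, then (only with -Enable) turns on OS-drive
# encryption with a TPM protector or, without a TPM, a USB startup key. Run elevated.
param(
    [string]$OsDrive        = 'C:',
    [string]$StartupKeyPath = 'E:\',   # placeholder: USB flash drive, used only when no TPM
    [switch]$Enable
)

# 1. TPM: the class is absent when the board has no TPM or it is disabled in the BIOS.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
$hasTpm = ($tpm -ne $null) -and $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue
if ($tpm -eq $null) {
    Write-Output 'TPM: none visible (check the BIOS; a USB startup key can stand in for it)'
} else {
    Write-Output ("TPM: present enabled={0} activated={1} owned={2}" -f $tpm.IsEnabled_InitialValue, $tpm.IsActivated_InitialValue, $tpm.IsOwned_InitialValue)
}

# 2. BitLocker state of each encryptable volume. ProtectionStatus: 0 off, 1 on, 2 unknown.
$vols = @(Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume)
foreach ($v in $vols) {
    $state = switch ($v.ProtectionStatus) { 0 { 'OFF' } 1 { 'ON' } default { 'UNKNOWN' } }
    Write-Output ("BitLocker {0}: protection {1}" -f $v.DriveLetter, $state)
}

# 3. Removable drives: NTFS ones cannot be read by the XP BitLocker To Go Reader.
foreach ($d in @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2')) {
    if ($d.FileSystem -eq 'NTFS') {
        Write-Output ("WARNING: {0} is NTFS; reformat as exFAT before BitLocker To Go if XP must read it" -f $d.DeviceID)
    }
}

# 4. Turn on the OS drive. A TPM protector needs an owned TPM (manage-bde -tpm -TakeOwnership <password>);
#    the startup-key path needs the Group Policy setting "Allow BitLocker without a compatible TPM".
$osVol = $vols | Where-Object { $_.DriveLetter -eq $OsDrive }
if ($osVol -and $osVol.ProtectionStatus -eq 0) {
    if ($hasTpm) { $keyProtector = @('-protectors', '-add', $OsDrive, '-TPM') }
    else         { $keyProtector = @('-protectors', '-add', $OsDrive, '-StartupKey', $StartupKeyPath) }
    $steps = @(
        $keyProtector,
        @('-protectors', '-add', $OsDrive, '-RecoveryPassword'),  # print and file this with the risk analysis
        @('-on', $OsDrive)
    )
    foreach ($cmd in $steps) {
        if ($Enable) { & manage-bde.exe $cmd }
        else         { Write-Output ("DRY RUN: manage-bde {0}" -f ($cmd -join ' ')) }
    }
}
```

The recovery password printed by the second manage-bde step is what gets you back in after one of the TPM integrity events listed earlier, so file it with the dated risk analysis rather than on the encrypted machine.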

Joined: Apr 2011
Posts: 2,316
Likes: 2
However, it should be mentioned that XP is almost at the end of extended support. Windows XP SP3 and Office 2003 will go out of support on April 8, 2014, which means no security updates or service packs. So the few caveats with XP won't matter much in that time.

Joined: Dec 2010
Posts: 463
Speaking of cyber security, there was an interesting article in Medical Economics, May 25, 2013: "Cyber Insurance Now a Must for Medical Practices."

Has anyone out there gotten cyber insurance?


John Howland, M.D.
Family doc, Massachusetts
Joined: Oct 2011
Posts: 207
Thanks Sandeep for the info and links,
I appreciate it very much.
Maybe I will just get Win Ultimate upgrades for all my XP computers now.
Bala

Joined: Apr 2011
Posts: 2,316
Likes: 2
Originally Posted by bala
thanks Sandeep for the info and links
appreciate it very much
Maybe I will just get Win Ultimate upgrades for all my XP computers now.
Bala
You're welcome. That's a pretty good idea. Everyone on Server 2003/XP Home/Pro/etc. should be migrating soon. It's almost 12 years old.

Joined: Apr 2011
Posts: 2,316
Likes: 2
Kind of scary, isn't it? With this whole PRISM system being employed by the NSA. Backdoors built into every service we use on a daily basis: Google, Yahoo, Microsoft, etc. Who's to say those backdoors aren't being exploited by hackers? It should be interesting what info turns up about security and backdoors in things we use today.

Apparently a backdoor has been built on every version of Windows after 95.
http://beforeitsnews.com/alternativ...windows-software-since-1999-2679622.html

Almost all of these companies comply with subpoenas to release all of your information (too expensive to counter it). Whereas if you had control, you can file for a rejection (Motion to Quash) of the subpoena due to the nature of the information (e.g. confidential patient data, financial, etc.). They have to go through you, and you have to be notified before they take your information. You will know if they come into your office to get your server. One of the protections you get as a physician is that you can refuse subpoenas (which don't require the signature of a judge) and make them get a warrant for the information. Bear in mind, any judge willing to sign such a warrant to turn over confidential patient information is committing political suicide. So it's much harder for them to get a warrant for sensitive information. This is how it should be.

