The following article was published on December 1, 2016 by South Florida Hospital News.

By Gabriel Imperato and Paul R. DeMuro

Providers are starting to get notices from the government that they have not met the Meaningful Use requirement with respect to protecting electronic health information. They have attested that they have and thus, stated that they have conducted and reviewed a security risk analysis implementing security updates as need to meet this Meaningful Use Core Measure, but have they? Having attested to doing so, if they do not meet the requirement, the government has taken the position that such providers have improperly sought and received government monies, which results in false claims liability.

Eligible Professionals (EP) must conduct or review a security analysis of their certified EHR technology (CEHRT),

including addressing encryption/security of data, and implement updates as necessary at least once prior to the end of the EHR reporting period. A new review has to occur for each reporting period. If EPs have attested to this conductand review, and have not properly done so, they may be subject to recoupment of payments for Meaningful Use and a reimbursement adjustment, depending upon their particular situation.

The parameters of the security risk analysis were created by the HIPAA Security Rule. Thus, Meaningful Use did not impose new or expanded requirements on the HIPAA Security Rule and it did not require the specific use of every certification and standard that is included in the certification of EHR technology. However, to meet the Meaningful Use objective and measure, EPs must possess the capabilities and standards of CEHRT.

EPs should verify against a unique identifier(s) that a person seeking access to electronic health information is the one claimed. They should establish the type of access to electronic health information a user is permitted based on the unique identifier(s), and the actions the user is permitted to perform. They need to record actions, have default settings, have limited ability to disable the audit log, and audit log protection. In addition, the EHR technology must be able to detect whether the audit log has been altered.

A use has to be able to create an audit report. A user needs to be able to electronically select the record affected by the patient’s request for adjustment and perform certain capabilities. A user needs to be prevented from gaining further access to an electronic session after a predetermined time of activity. An identified set of users need to be able to access electronic health information during an emergency.

There needs to be end-user device encryption. There needs to be integrity of the electronically exchanged health information, and disclosures made for treatment, payment, and health care operations should be recorded consistent with applicable standards. The audit log must record certain of this information.

Not only is it important that providers meet the requirements for Meaningful Use, if they have attested to doing so, they should also want to implement security measures to help prevent the introduction of malware, including ransomware. Some of these security measures include:
implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic health information (ePHI) and implementing security measures to mitigate or remediate those identified risks;

  • implementing procedures to guard against and detect malicious software;
  • training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and
  • implementing access controls to limit access to ePHI to only those persons or software programs requiring access.

Robust security incident procedures for responding to a ransomware attack should include processes to:
detect and conduct an initial analysis of the ransomware;

  • contain the impact and propagation of the ransomware;
  • eradicate the instances of ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation;
  • recover from the ransomware attack by restoring data lost during the attack and returning to “business as usual” operations; and
  • conduct post-incident activities, and incorporate any lessons learned into the overall security management process of the entity to improve incident response effectiveness for future security incidents.

The time for providers to ensure that their security attestation is correct is at the time of attestation, but many may want to go back and ensure that their prior attestations are correct, less they may find they face false claims liability.