Meaningful Use Risk Assessment: Medicare & Medicaid Electronic Health Record Incentive Program

Protecting Electronic Health Information

The Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs were established to encourage eligible professionals and eligible hospitals to adopt, implement, upgrade (AIU), and demonstrate meaningful use of certified EHR technology. A meaningful use risk assessment ensures adequate privacy and security protections are in place to protect electronic health information. The approach of the risk assessment is to concentrate on the functionality, the flow of information, and the underlying technology of the defined area. The Department of Health and Human Services (DHHS) recommends utilizing NIST Special Publication 800-30 Revision 1: Risk Management Guide for Information Technology Systems, as guidance.

Tyler Cybersecurity's Collaborative Approach

In accordance with NIST standards, Tyler Cybersecurity employs a five-step process to determine the risk level and, where required, appropriate remediation recommendations. The risk assessments employ a multidisciplinary interview approach. Each risk assessment will include the following information:

  • Identification and characterization of the information asset, information system, and supporting infrastructure.
  • Identification of the probable threats, vulnerabilities, and related inherent risk.
  • Documentation of the current mitigating and compensating (internal and external) controls and configuration.
  • Identification of the residual risk (including reference to compliance requirement).
  • Risk reduction and security enhancement recommendations.

Note: Meaningful Use Risk Assessment Update engagements will update findings and controls for the current year along with HIPAA compliance ratings.

Tyler Cybersecurity’s Meaningful Use Information Security Risk Assessment methodology does not involve statistical sampling or testing, but is based instead on information gathered during interviews with hospital/practice staff Subject Matter Experts (SMEs).

We customize each interview, control set, and results report to fit your specific environment. Topics include:

  • A functional overview of the application – its name, vendor, managed service providers, and how it is used in the organization.
  • A technical overview of the application – its architecture and computing environment.
  • Details about the application control environment, including the security mechanisms in place.
  • Other information security-related topics, including:
    • Network & Application Authentication requirements, including password characteristics.
    • Workstation & Session Controls, such as malware protection and patch management.
    • Administrative Controls, such as number of system-wide and application administrators, their privileges, and separation of duties/oversight methods.
    • User Lifecycle Provisioning process, from pre-hire and onboarding through termination.
    • Data Protection Controls, including the use of encryption and data destruction policies, with respect to the HIPAA Omnibus Rule's encryption and destruction Safe Harbor provisions.
    • Physical Security Controls, such as visitor policies and site access logging/monitoring.
    • Audit capabilities of the application and the routines of the Covered Entity or Business Associate.
    • Resiliency and Business Continuity, including backup policies and procedures, failover plans, and disaster recovery plans and regular testing procedures.
    • Remote Access Controls, for your workforce members as well as third parties, e.g., the application vendor, IT, and end-user support providers.
    • Breach Response, such as Incident Detection, Reporting, (Risk) Assessment and Notification processes and procedures pursuant to 45 C.F.R. Part 164, Subpart D: Notification in the Case of Breach of Unsecured Protected Health Information.

Reports and Recommendations

A “Meaningful Use Risk Assessment” Report for each application that documents:

  • The level of residual risk with supporting evidence.
  • Risk reduction, security enhancement, and compliance remediation recommendations.

The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that complement and reinforce one another.