Final HITECH Act Stage 3 Meaningful Use Rules May Require Annual Risk Analysis plus a Risk Management Component

Andrew Hicks, Managing Principal, Coalfire

The comments are in and the HHS is scrambling to review them all before they issue the final Stage 3 Meaningful Use rules later this summer.  Comments from entities such as CHIME and HIMSS represent good news and bad news for healthcare providers, depending on how you look at it.  The HIPAA Security Rule has always required a risk analysis, but now there could be an annual requirement for risk analyses.
It’s simply too risky to rely on a ‘point-in-time’ risk analysis, which for many organizations is expected to cover three years or more.  Even riskier is to conduct a baseline risk analysis and not follow through with the risk management component that addresses the identified risks.  The other issue raised in the comments is that healthcare providers are only doing the ‘bare minimum’ when it comes to risk analysis, and that the final rules should provide guidance on what an acceptable baseline for a security risk analysis looks like.
Stage 3 of the HITECH Act incentive program is slated to begin in 2017 or 2018 and in January 2018, healthcare providers are required to have a certified EHR system in place or they’ll face financial penalties.  So perhaps the CMS will reach middle ground on this risk analysis issue by providing a mandate that requires providers to conduct a risk analysis only at the time of EHR technology installation or when a new version of the technology is implemented.
Stage 3 allows healthcare providers to qualify for an additional incentive by achieving a proposed new list of objectives.  One of these proposed requirements is a risk assessment.  It states that healthcare providers must conduct a risk assessment that specifically looks at risk to information maintained by their certified EHR technology.
The language in the HHS proposed rule says this, “The requirement of this proposed measure is limited to annually conducting or reviewing a security risk analysis to assess whether the technical, administrative and physical safeguards and risk management strategies are sufficient to reduce the potential risks and vulnerabilities to the confidentiality, availability and integrity of ePHI created by or maintained in the certified EHR technology.”  CHIME said that while they agree with the need to safeguard ePHI, they think that providers will be confused by the timing for assessments or reviews.  But with all due respect, what’s so confusing about requiring an annual assessment in the same way that PCI and FedRAMP regulations require them?
It may need to get even more stringent: not only requiring an annual risk assessment, but also mandating the use of a third-party assessor organization to conduct it, given that providers seem to be doing the bare minimum when a far more thorough risk analysis is needed.  They could also add a continuous monitoring mandate to the rule, who knows?
In any case, with the fast-growing healthcare ecosystem, there’s data all over the place including the EHR technology, so there’s certainly a need for more thorough risk assessments conducted more often than every three years.  Perhaps this is why we’ve seen a huge demand in the past six months for HITRUST assessments and certifications from both BAs and CEs – it’s truly the only risk framework that fills the need described in the final Stage 3 rule for providers.
