Governmental & Regulatory Compliance - Debar checks - Information Security

Summit Breakout Sessions - BCBSM


Page 1: Summit Breakout Sessions - BCBSM

Governmental & Regulatory Compliance - Debar checks - Information Security

Page 2: Summit Breakout Sessions - BCBSM

Mike Bryson Manager

Corporate Procurement

Page 3: Summit Breakout Sessions - BCBSM

Government and Regulatory Compliance

Session 1: 10 a.m. – 10:40 a.m.
Session 2: 10:50 a.m. – 11:30 a.m.

| Topic | Speaker |
|---|---|
| Welcome | Mike Bryson, Corporate Procurement |
| Government and Regulatory Compliance: debar checks | Christine Pfeiffer, OGC; Ralph Serrico, Corporate Procurement |
| Information Security | Damon Stokes, Manager, Information Security and Governance |
| Questions and Answers | All speakers |

Page 4: Summit Breakout Sessions - BCBSM

Christine Pfeiffer Attorney

Office of the General Counsel

Ralph Serrico Corporate Procurement

Page 5: Summit Breakout Sessions - BCBSM

The “New Normal”

• The “New Normal” — governmental regulation and compliance

• Who is affected, and are you in one of these groups? First tier, downstream and related entities

Page 6: Summit Breakout Sessions - BCBSM

Debar checks – an overview

• What is a debar check?

• Why do we do them?

• Different types of debar checks (OIG, SAM, etc.)

• Who is required to do them (BCBSM, suppliers, etc.)?

  – Employees, subcontractors, board members, etc.

Page 7: Summit Breakout Sessions - BCBSM

OIG process (example - monthly)

Step 1

Step 2

Page 8: Summit Breakout Sessions - BCBSM

OIG process (example - monthly)

Step 3

Page 9: Summit Breakout Sessions - BCBSM

SAM process (monthly)

Step 1

Page 10: Summit Breakout Sessions - BCBSM

SAM process (monthly)

Step 2

Page 11: Summit Breakout Sessions - BCBSM

SAM process (monthly)

Step 3

Page 12: Summit Breakout Sessions - BCBSM

Results from SAM search

Page 13: Summit Breakout Sessions - BCBSM

Additional info regarding the debar process

• SAM/EPLS/GSA debarment attestations. Website for SAM debarment: www.sam.gov

• OIG (Office of Inspector General) attestations for exclusions: http://exclusions.oig.hhs.gov/

• Examples of how to do an OIG attestation:

  http://www.youtube.com/watch?v=K-ISehoQkzo

  http://www.youtube.com/watch?v=9jaaacHpwoc

Page 14: Summit Breakout Sessions - BCBSM

Damon Stokes Manager

Information Security Governance

Page 15: Summit Breakout Sessions - BCBSM

Information security

Good data security requires a holistic effort from all employees, contractors and suppliers: from the cleaning and support staff who could potentially be exposed to member data, to customer service representatives who have direct access to privileged information, to the engineering teams that export customer files.

A single PHI record has 50 times the street value of a Social Security number.*

* CIO Magazine, December 2012

Securing BCBSM information is everyone’s responsibility.

Page 16: Summit Breakout Sessions - BCBSM

A culture of security

• Information Security is more than securing “data”

• Effective security comes from a combination of efforts:

  – Data security

  – Physical security

  – Employee engagement in security

  – Ongoing training on security

  – Ongoing assessment of security

  – Executive leadership commitment to security

Effective information security requires that you build and invest in creating a culture of security.

Page 17: Summit Breakout Sessions - BCBSM

Threats are everywhere, all the time

Biggest security threats of 2013

1. Social engineering

2. Advanced persistent threats

3. Insider threats

4. Bring-your-own-device

5. Cloud security

6. HTML5

7. Botnets

8. Precision targeted malware

*Forbes Magazine - 12/05/2012


Page 18: Summit Breakout Sessions - BCBSM

How we partner with suppliers to secure BCBSM customer data

• Vendor Risk Management Program

  – Consists of a security assessment questionnaire

  – If Protected Health Information (PHI) is being accessed or handled, an on-site assessment is performed

  – Procurement's role is to facilitate all assessment activities (questionnaire and on-site)

  – Identified issues are ‘risk rated’ and placed in an enterprise tracking system

  – The contract administrator/business relationship manager works with the supplier to remediate issues/risks

• Critical risks must be closed prior to accessing BCBSM customer PHI/data

Page 19: Summit Breakout Sessions - BCBSM

About the vendor security assessment

• A due diligence process prior to a supplier connecting to BCBSM PHI data.

• Identify risks to BCBSM and PHI data.

• Critical risks found during the assessment must be remediated prior to doing business with a supplier.

• The remaining risk levels/ratings (high, medium, low) have timeframes associated with their remediation efforts.

• The contract administrator/business relationship manager does not have the final authority to proceed if a critical risk exists: the decision is made by the Corporate Compliance Committee.

Page 20: Summit Breakout Sessions - BCBSM

Vendor security assessment: new & improved

Page 21: Summit Breakout Sessions - BCBSM

Top assessment findings

• Lack of written policies and procedures

• Not having an understanding of the importance of the Office of the Inspector General exclusionary list

• Incomplete access logging that results in not being able to fulfill an ‘accounting of disclosures’ request

• Suppliers not having a formal vendor risk management process to verify that their contractors are protecting information that is shared with them

• Lack of controls/procedures that prevent access creep for employees

• Insufficient procedures for destruction of PHI when it is no longer required (contract terminates, etc.)

Page 22: Summit Breakout Sessions - BCBSM

Vendor risk management stats (since 2011)

• 173 on-site visits completed

• 81 questionnaire-only assessments completed

• 254 vendor risk reports finalized

• 1008 closed risks: 81 Critical, 370 High, 393 Medium, 164 Low

| Risk Level | Risk Description |
|---|---|
| Critical | PHI is deemed to be exposed or has led to a previous unmitigated/un-remediated exposure. Requires immediate resolution. Remediation in 30 – 60 days. |
| High | PHI has the potential to be exposed or the vendor is found to be out of compliance with HIPAA/HITECH or with an internal BCBSM contractual standard (VISPRD/BAA). Requires quick resolution. Remediation in 60 – 90 days. |
| Medium | Could lead or has led to a service interruption affecting BCBSM. Prioritized according to BCBSM business criticality. Remediation in 90 – 120 days*. |
| Low | Could lead to degradation in operational capability or performance. These risks should be addressed as a good business practice. |

Page 23: Summit Breakout Sessions - BCBSM

Vendor risk management stats (2013)

• 53 on-site visits completed

• 15 questionnaire-only assessments completed

• 68 vendor risk reports finalized**

• 102 open risks: 2 Critical, 36 High, 36 Medium, 28 Low

• 93 closed risks: 6 Critical, 40 High, 45 Medium, 2 Low

| Risk Level | Risk Description |
|---|---|
| Critical | PHI is deemed to be exposed or has led to a previous unmitigated/un-remediated exposure. Requires immediate resolution. Remediation in 30 – 60 days. |
| High | PHI has the potential to be exposed or the vendor is found to be out of compliance with HIPAA/HITECH or with an internal BCBSM contractual standard (VISPRD/BAA). Requires quick resolution. Remediation in 60 – 90 days. |
| Medium | Could lead or has led to a service interruption affecting BCBSM. Prioritized according to BCBSM business criticality. Remediation in 90 – 120 days*. |
| Low | Could lead to degradation in operational capability or performance. These risks should be addressed as a good business practice. |

** Not all questionnaire-only reviews require a formal report

August 20, 2013

Page 24: Summit Breakout Sessions - BCBSM

How we partner with you

Both Corporate Procurement and the contract administrator have key roles in the security assessment process.

• Procurement: provide the vendor security assessment questionnaire

• Procurement: facilitate the on-site assessment

• Contract administrator: provide updates from the supplier on remediation efforts

Page 25: Summit Breakout Sessions - BCBSM

What we need from suppliers

• Be open to the BCBSM Vendor Risk Management Program: vendor security assessment questionnaire and on-site assessment.

• Developing a strong information security program takes time. Start on the path today and continue to measure your progress.

• Collaboration is key and will benefit both of us. BCBSM is here for you as an information resource to help you.

Excelling in how you secure BCBSM information will give you a competitive advantage!

Page 26: Summit Breakout Sessions - BCBSM

Questions and answer cards


Page 27: Summit Breakout Sessions - BCBSM

Technology & Performance - eSettlements - sPro Vendor Performance Session 3 & 4

Page 28: Summit Breakout Sessions - BCBSM

Harry Nowell Manager

Corporate Procurement

Page 29: Summit Breakout Sessions - BCBSM

Technology and Performance

Session 3: 10 a.m. – 10:40 a.m.
Session 4: 10:50 a.m. – 11:30 a.m.

| Topic | Speaker |
|---|---|
| Welcome; quick note on taxable goods | Harry Nowell, Procurement |
| eSettlements (electronic invoicing) | Juanita Mayberry, Accounts Payable |
| sPro | Juanita Mayberry, Accounts Payable; Lisa Pointer, Procurement |
| Supplier Performance | Pat Sherman, Procurement |
| Questions and Answers | All speakers |

Page 30: Summit Breakout Sessions - BCBSM

Taxable goods

• Jan. 1, 2014 BCBSM will be required to pay sales/use tax

• BCBSM and BCN will require separate purchase orders

• Invoices will need to reflect 6% Michigan sales tax

• Invoices for goods received in 2013 must meet deadline

• BCN tax status does not change

• Supplier letters were sent by BCBSM in August 2013

Page 31: Summit Breakout Sessions - BCBSM

Juanita Mayberry Accounts Payable

Page 32: Summit Breakout Sessions - BCBSM

eSettlements

• What is eSettlements?

• Who should be set up on eSettlements?

• Who can you contact for further information? Please review the Procurement website for additional information.

• Discussion of:

  – Required password updates every 30 days

  – Checking payment status in the BCBSM system

Page 33: Summit Breakout Sessions - BCBSM

eSettlements payment review

Page 34: Summit Breakout Sessions - BCBSM

eSettlements invoice review

Page 35: Summit Breakout Sessions - BCBSM

sPro payments

• Why doesn’t my invoice number appear on the remittance detail?

• What period am I paying for?

• How do I get the detail for my payment? Supplier instructions for obtaining payment detail can be found on the Procurement website.

Page 36: Summit Breakout Sessions - BCBSM

Lisa Pointer Corporate Procurement

Page 37: Summit Breakout Sessions - BCBSM

PeopleSoft Services Procurement (“sPro”): “Total Resource Management”

PeopleSoft Services Procurement allows suppliers to effectively manage the entire process from candidate submittals through payment details. The system provides visibility into the entire process through automation and tracking capabilities.

sPro — staying on the tracks

PeopleSoft Services Procurement allows contract administrators to effectively manage the entire procurement process from request through payment. The system provides visibility into the entire process through automation and tracking capabilities.

Page 38: Summit Breakout Sessions - BCBSM

Supplier contingent labor business rules (BCBSM/BCN)

BCBSM and BCN have several active contingent labor programs. The introduction of a common technical platform (PeopleSoft Services Procurement or “sPro”) in 2011 brought value to the program through the implementation and reinforcement of standard business rules at an enterprise level. More specifically, consistent handling of key business scenarios by applying repeatable rules reduces risk to BCBSM and suppliers while increasing program efficiency.

Contract administrator business rules

Always start with the PeopleSoft system. If you have system inquiries, start with procurement or IT Service coordinators.

Page 39: Summit Breakout Sessions - BCBSM

IT / Non-IT contingent labor classifications (both supplier and contract administrator)

| Job Family | Description | IT or Non-IT | Comment |
|---|---|---|---|
| BUMED | BU Medical | Non-IT | Bargaining Unit, single resource, no SOW |
| BUTMP | BU Temporary | Non-IT | Bargaining Unit, single resource, no SOW |
| NBUMED | NBU Medical | Non-IT | Non-Bargaining Unit, single resource, no SOW |
| NBUTMP | NBU Temporary | Non-IT | Non-Bargaining Unit, single resource, no SOW |
| NONITS | Non-IT Consulting SOW/No SOW | Non-IT | Non-Bargaining Unit, single resource, SOW or no SOW * |
| MLNIT | Non-IT Multi-resource requisition | Non-IT | Non-Bargaining Unit, multiple resources, SOW or no SOW * |
| ITCNTG | IT Leased Employees (RMO ONLY) | IT | Single resource, staff augmentation level, no SOW |
| ITPRFS | IT Consulting Professional Services | IT | Professional services, non-consultative * |
| ITCONS | IT Consulting SOW/No SOW Required | IT | Single resource, consultant level, SOW/no SOW * |
| MLIT | IT Multi-resource requisition | IT | Multiple resources, SOW or no SOW * |

Choosing a Job Family in sPro

• Contact Corporate Procurement to validate these job families before submitting the requisition or if you have questions

• See attached rates and job descriptions

Page 40: Summit Breakout Sessions - BCBSM

Contract administrator steps for creating a requisition

Page 41: Summit Breakout Sessions - BCBSM

Supplier view of requirements

• Market rate – Southeast Michigan market-driven bill rates for a fully qualified resource capable of performing at an average level compared to peers.

• Maximum rate – The maximum bill rate BCBSM will accept for this role. Resources at or near maximum are proven high performers with skills/experience above their peers.

Page 42: Summit Breakout Sessions - BCBSM

Supplier submittals / bid factors: existing vs. new

Note: Per established business rules, submissions are limited as follows:

• Two resumes per supplier per sPro request on IT requests

• Four resumes per supplier per sPro request on non-IT requests

Page 43: Summit Breakout Sessions - BCBSM

Onboarding resources: always start with a valid work order

• Escort all resources into BCBSM/BCN for all interviews

• Escort the resource into BCBSM/BCN on the first day and for badging

• Review PeopleSoft time entry with the resources:

  – IT resources – MSP

  – Non-IT resources – PeopleSoft “sPro”

  – Non-IT, when instructed – both sPro and MSP

• Review all other BCBSM/BCN code of conduct rules

Offboarding resources (both suppliers and contract administrators): always start and end with Procurement

• All terminations must be coordinated through the Service Coordinator (IT or non-IT)

Page 44: Summit Breakout Sessions - BCBSM

Supplier scorecards: know your score

BCBSM will monitor supplier’s performance of its services and responsibilities under this agreement. BCBSM’s engagement manager will provide supplier with feedback on supplier’s performance. Feedback will be based on, but not limited to, the key performance categories.

Page 45: Summit Breakout Sessions - BCBSM

Pat Sherman Manager

Corporate Procurement

Page 46: Summit Breakout Sessions - BCBSM

Why BCBSM established a Vendor Management Center of Excellence

Enterprise risk: the risk of suppliers not meeting performance metrics, and not adhering to regulatory and accreditation standards, interjects major risks into the Blues enterprise. Risks can be:

– Operational

– Financial exposure

– Reputational damage

– Loss of market share

Solution: establish a Vendor Management Center of Excellence within Corporate Procurement, to ensure BCBSM as a company utilizes standardized best practices to deliver the following value:

– Keep administrative costs down

– Governance and compliance

– Vendor performance management

– Control and mitigate risks

Page 47: Summit Breakout Sessions - BCBSM

Governance and oversight: annual VM assessments…

Are you performing?

Are you delivering value?

Are you protecting us from risks?

Do you provide competitive pricing?

Page 48: Summit Breakout Sessions - BCBSM

Key players in managing supplier relationships and performance

• Corporate Procurement

• Business leaders

• Office of the General Counsel

• Data and Information Security

• Compliance

• Regulatory

• Accreditation

• Corporate Audit

• Finance

• Risk Management

Page 49: Summit Breakout Sessions - BCBSM

Procurement process

Page 50: Summit Breakout Sessions - BCBSM

Preferred suppliers

Top reasons you are a preferred supplier:

• Meet regulatory/accreditation standards

• Contractibility

• Deliver value and mitigate risks

• Provide competitive pricing

• Perform to contract terms & conditions

• Committed to continuous improvement

• Financially viable

Page 51: Summit Breakout Sessions - BCBSM

Questions and answer cards
