2010 © FairWarning, Inc. – Private and Confidential
FairWarning® 2010
Executive Webinar Series
Risk Management in the Age of Regulations: Creating a Lean, Integrated, Hospital-Wide Risk Management Program
February 25, 2010
Today’s Agenda
• Risk Management, Christopher Paidhrin
• Privacy Breach Detection, Kurt Long
• Question & Answer Session
Christopher Paidhrin
Security Compliance Officer, Southwest Washington Medical Center
Risk Management in the Age of Regulations
Agenda
Southwest’s history of excellence
The challenges of compliance and Risk Management (RM)
The critical decision path: technology and solutions
Implementation history
Outcome and benefits
Lessons learned and shared
Learning Objectives:
Recognize risk and compliance challenges
Mapping the RM terrain – selecting a framework
Risk Management (RM) – a simplified model
Use of limited resources
– Demonstrating the need for the right tools
Methods of measurement
Southwest Washington Medical Center
Honored six-times as a Thompson / Reuters / Solucient Top 100 hospital
152 year old regional health system with many specialties, including heart, cancer, and trauma centers
3,200 employees, 3,600 care provider partners
Serve SW Washington state and PDX Metro
55 talented IT staff
1 IT security staff
2006 & 2008
The Challenges of Compliance
Business Drivers
– Risk Management – Cost of non-compliance
– Burgeoning cost of health care delivery
– Constricted IT budgets and staff resources
Business Goals
– Organizational standards and regulatory compliance
– Lean IT framework – service delivery and operations
– Integration of IT with organizational strategic plan
The Challenges of Compliance
Requires a synergistic mapping of standards
– Plan, Processes, Policies, Procedures
– Gap Analysis, Compliance Committee or team
– Training, Documentation, Audits, Reporting
– Checklists, Priorities, Resourcing
The Realm of Regulations
Red Flags Rule
E-discovery Laws
HITRUST Common Security Framework (CSF)
A certifiable framework that provides
• needed structure
• detail and clarity relating to information security
• tailored to the healthcare industry
Harmonizes the requirements of standards and regulations
• HIPAA, HITECH
• Third party – PCI, COBIT
• Government – NIST, FTC
• CSF is publicly available free of charge: http://www.hitrustalliance.net/
Harmonizing the Requirements of Standards and Regulations
The Critical Decision Path > GRC
Findings from annual Risk, IT Security & HIPAA compliance audits
Bi-annual network penetration test and third party audit
Lean Risk analysis: Accept, Delegate, Mitigate
IT Security Council Cont. Regulatory Comp. Executive Team
Compliance Action Plan
– IT security and information privacy matrices
– Vendor comparisons – coverage of 20 IT security sub-domains
– Quick customer interviews, map findings to strategy
– Risk and solution rankings, budgeting, implementation
The Critical Decision Path – Phase II
Dollars drive decisions
– Shoestring economics – best bang for the buck
– Leverage integrated and hybrid technologies
– Risk priorities trump expansion of services
– ROI – 1 public incident = 3 x cost of solutions
Selling the solution(s)
– Credibility of research methods and analysis
– CIO champion for executive team
– Simple message of regulatory compliance
– It is not a matter of whether, but when and how
Solutions for Regulatory Compliance
Administrative
– Privacy Monitoring: FairWarning®
(Diagram: the major EHR suite vendor, other suites and supporting applications, and user information from business and identity applications feed FairWarning®, which performs privacy analysis, alerting and reporting for Privacy, Compliance, Security, Risk and OGC users; patient privacy incidents detected by FairWarning® are sent to the SIEM.)
Infrastructure / Technical IT Controls
Technical
– Access: Imprivata ESSO /GuardianEdge Encryption
– Activity: Niksun NetDetector
– Network: ArcSight ESM
– Assets: MS SCCM (SMS)
Physical
– Prox. ID Readers: Imprivata
Maturity Assessment
Gartner Maturity Model
Southwest’s GRC / IT Maturity History (chart: compliance maturity rising across 2002, 2005, 2008 and 2010)
1989 – "MUMs The Word" privacy & security awareness program
2000 – IT Security Program; IT Security policies & procedures
2001 – SonicWall VPN – 100 clinics; Internet usage monitoring software
2002 – Risk Management Program
2003 – HIPAA privacy compliance
2004 – ISO 20000 / 27001 standards; First external penetration test; DR/BC Plan
2005 – Secure e-mail -- CypherTrust/McAfee; Imprivata ESSO w/ Biometric Readers; HIPAA IT security compliance
2006 – Second external penetration test; GuardianEdge Hard Disk Encryption
2007 – StuderGroup; Security Zones
2008 – Change Management Standard; Server Virtualization; MS VPN - MAC; MS ISA -- Query Tool; Enterprise Risk Assessment
2009 – Niksun NetDetector; Imprivata Proximity Card Readers; Microsoft Systems Center; CobIT / ITIL standards
2010 – RelayHealth HIE Portal; ArcSight ESM; FairWarning Enterprise
Risk Model – The Standard
Enterprise Risk Management (ERM) -- The Theory of Risk Management
(Diagram: threats and vulnerability, weighted by likelihood, acting on assets, services and resources (people, knowledge capital, etc.))
Risk Model – In Practice
-- The Practice of Risk Management
What is the likelihood?
What will the impact be?
-- What is practical?
1) Would the loss or disruption of your ____ cost your organization more than $100K?
2) Do you have a concern that your loss will happen within the next year?
3) Do you have the internal resources to manage your identified risk?
Risk Model – Southwest’s Lean
PDCA
Plan – Do – Check – Act
Shewhart/Deming
o P -- Define categories of risk
o D -- Measure
o C -- Initial scoring
o A -- Remediation
• Secondary scoring
• Report findings
Risk Model - Southwest’s Lean
P - Define categories of risk
Risk Sources
Technology
People
Processes
External …
Risk Types
Data Loss
Theft
Reputation …
Risk Areas
Operations and Services
Investments
Assets (Information) …
Risk Model - Southwest’s Lean
D – Measure
Define Charter & Engage key stakeholders – have them at the table
C3 – communicate, communicate, and communicate
Establish RM as a business priority, strategy, and org. value
Dovetail RM/RA with audit comp. efforts (same goal, different lens)
The goal is to identify, protect and retain value – (contributes value)
A word about risk management automation
Tools, solutions, consultants – the answer is a healthy blending
Define Scope of RA, business functions, assets, information
Pareto principle – 80/20 rule http://en.wikipedia.org/wiki/Pareto_principle
Target known areas of risk, loss, org/fin challenges
There will always be the unknown
The iterative process helps you identify and minimize the unknown
Define Roles, Responsibilities, Authority
Collect Information – Identify, assess, and prioritize
Select one framework or methodology
Interviews & surveys
Risk Assessment
D – Measure (continued)
Measure HML (High, Medium, Low)
Risk register columns: Risk Source | Risk Type | Risk Name | Description | Likelihood | Impact | Score
BIA Identified DR Applications
Columns: Application | Description | System Recovery Point in hours (when the system is available for use): Less than 12 | 12 to 24 | 24 to 48 | 48 to 72 | More than 72
Core Clinicals – HCI/HOM/Tracking Board/Care Organizer – X
Horizon Patient Folder – Long-Term Medical Record – X
Horizon Medical Imaging – PACS (Image Storage) – X X
Horizon Lab – Lab – X
Horizon Blood Bank – Blood Bank – X
Horizon Meds Manager – Pharmacy Order Entry and Department Management – X
Physician Portal – Front End for Physicians to clinical information – X
IMPAC – Radiation Oncology Treatment and Medical Record – X
STAR – ADT/Charge Capture/Financial Management – X X
Printing – User Drives, Department Drives, Printing – X
Admin RX – Medication Administration – X
Network Shares – Individual and Department Shares – X
Care Point – Outpatient Pharmacy Orders and Management – X
Email – Electronic Mail – X
Pinestar – Nuclear Medicine (Dosing) – X
Horizon Radiology Manager – Radiology Order Entry and Department Management – X
Lawson – HR/Payroll – X
Risk Assessment
DR Discovery Summary Grid 0/0/2008 *** Confidential Information: Do Not Distribute ***
** Assume Network (LAN and WAN)/SAN/Term Svcs. and Interface Engine are prestaged
General Information columns: Application | Operating System | Database | DB on SAN? | Backup Loc. | App/Svr. Location | Critical App # | Dependencies by app. # | Desired Recovery Window (HRS) (RTO)
Recovery Options (RPO) columns: Option 1: Remote DB on SAN; HA Server | Option 2: Remote DB on SAN; Prestaged HW | Option 3: Backup on Remote SAN; Stby HW | Option 4: Backup restored via Tape to SAN/Server; Stby HW | Est. $ | SAN Requirements | Notes
Core Clinicals AIX Oracle /Unix * Yes Yes Main 1-4 12 12 316000 --
EMR W2003 * SQL /W2K (13) Yes Yes Main 5 12-Jan 4 - 8 88000 --
DI W2003 Oracle /W2003 DB On Svr. Main 6 12, IDX 72 52000 --
LAB AIX/Unix * Oracle Yes Yes Remote 7 1-4, 12 12 24000 --
RAD W2K Oracle DB Yes Remote 8 1-4, 12 12 36000 --
Meds W2K Oracle /Unix * Yes Yes Remote 9 12, 14 12 32000 --
Portal Linux Oracle DB Yes Main 10 1 - 4 72 36000 --
Accounts W2K Pervasive DB Yes Remote 11 2, 13 72 62000 Yes --
Internet Linux Oracle SAN Yes Remote 12 NA 4 - 8 200000 Yes --
D – Measure (continued)
Risk Matrix
C - Initial scoring
A Standard 5x5 Matrix (likelihood on one axis, impact on the other)
Weighted to Priorities & Level of Risk Acceptance
– Consistently applied
– Vetted by stakeholders
Risk Model - Standard
A - Remediation of Risk
-- Apply the matrix to define priorities
- Measure HML (High, Medium, Low)
Remediation grid columns: Remediation | Likelihood | Impact | Risk ownership | Notes
- Monitor: once is not enough
- Control: a plan to manage risk – continuous improvement
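The 5x5 scoring, HML banding and Accept / Delegate / Mitigate triage described above, as an added worked example in Python (not code from the webinar or from Southwest; the weights, thresholds, sample risks and internal-capacity map are assumptions constructed for illustration):

```python
from dataclasses import dataclass
IMPACT_WEIGHT = {1: 1.0, 2: 1.0, 3: 1.2, 4: 1.5, 5: 2.0}  # assumed priority weights
ACCEPT_MAX = 5   # assumed: scores at or below this are within the acceptance level
HIGH_MIN = 15    # assumed: scores at or above this band as High

@dataclass
class Risk:
    source: str       # Technology, People, Processes, External
    type_: str        # Data Loss, Theft, Reputation
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)

def score(risk: Risk) -> float:
    """Weighted 5x5 matrix cell: likelihood x impact x impact weight."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.name}: likelihood and impact must be 1..5")
    return risk.likelihood * risk.impact * IMPACT_WEIGHT[risk.impact]

def hml(value: float) -> str:
    """Band a score as High, Medium or Low."""
    if value >= HIGH_MIN:
        return "High"
    return "Medium" if value > ACCEPT_MAX else "Low"

def decision(band: str, has_internal_resources: bool) -> str:
    """Lean triage: accept Low; mitigate what you can own, delegate the rest."""
    if band == "Low":
        return "Accept"
    return "Mitigate" if has_internal_resources else "Delegate"

def assess(register, capacity):
    """Score, band and rank a register, highest score first (80/20 focus)."""
    rows = []
    for r in register:
        s = score(r)
        band = hml(s)
        rows.append({"name": r.name, "source": r.source, "type": r.type_,
                     "score": s, "hml": band,
                     "decision": decision(band, capacity.get(r.name, False))})
    return sorted(rows, key=lambda row: row["score"], reverse=True)

# Constructed sample register; the values are illustrative only
REGISTER = [
    Risk("Technology", "Data Loss", "Unencrypted laptop", 4, 5),
    Risk("People", "Theft", "Record snooping by staff", 3, 4),
    Risk("Processes", "Reputation", "Late breach notification", 2, 4),
    Risk("External", "Data Loss", "Vendor portal outage", 2, 2),
]
CAPACITY = {"Unencrypted laptop": True, "Record snooping by staff": True}
```

Calling assess(REGISTER, CAPACITY) returns the ranked register: the laptop and snooping risks land in High/Mitigate, late notification in Medium/Delegate, and the vendor outage in Low/Accept.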
Risk Management
(Diagram: Security, Governance, Compliance and Risk, spanning Process, Staff and Technology)
IT Service Management Framework
Risk Management Framework
Framework elements
Framework flow
Checklist
Make a compliance measurement grid
Continuous gap analyses
Complete a compliance plan
Collaborate with peers and mentors
Conduct periodic training & regular internal risk audits
Document efforts
Lessons learned and shared
Careful research, planning and execution
Always have a backup and back-out plan
Hold initiative to scope and timeline
Hold vendors accountable
Trust a proven expert
Integrate solutions into business processes
Review and report on improvements
Raise the bar each year
Thank You!
2010 U.S. State of Healthcare Privacy Survey
92.1 % are aware of ARRA HITECH privacy rule which includes definition of privacy breach as “inappropriate access”
40.7 % report notification as top concern
Full survey results: www.FairWarningAudit.com
Regulatory Considerations
HIPAA Security Rules:
• Executive event
• Approximately 60 CIOs from top healthcare institutions across the US
• ARRA HITECH and privacy breach notification is a top concern
• Accounting of disclosures also top-of-mind
HHS Posts List of Covered Entities Reporting Breaches of Protected Health Information Affecting More than 500 Individuals
February 22, 2010
• HHS is obligated, pursuant to section 13402(e)(4) of the HITECH Act, to post on its website a list of the covered entities that have reported breaches affecting more than 500 individuals. The list of the covered entities that have reported such breaches, along with other relevant information about each breach, is available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html.
Breach detection and compliance automation
• Streamline patient privacy investigations, reporting, and accounting of disclosures
• Automate systematic audit log review of all applications
• Alert on 100+ patient privacy scenarios with filtering. Deters snooping, medical identity theft, identity theft
• 100+ EHRs supported out-of-the-box
• Out-of-the-box, in-production, massive scale, patents pending
See www.FairWarningAudit.com for detailed FairWarning® to regulatory mappings.
• 200% customer adoption in 2009 as measured by number of hospitals that FairWarning customers represent
• Healthcare entities ranging from 1,000 employees up to 70,000 total users
• New California customers represent 20 of the region’s most sophisticated hospitals and over 100 clinics
• Amongst Canada’s largest healthcare providers (representing 30+ hospitals)
• Amongst UK/Europe’s healthcare providers (+5,000 beds)
• 49% of FairWarning customers are recognized as the healthcare industry’s most sophisticated providers.
Presidential Visit
About FairWarning®
Working partnerships with the world’s health privacy leaders
FairWarning® Ready-for-Healthcare
Integration with leading technology solutions, including:
– SIEM
– IDM / SSO
– EMPI
Privacy Monitoring Resources
Customer case studies: [email protected]
U.S. and Canada webinars on privacy monitoring
UK webinar on privacy monitoring
Privacy monitoring white paper
FairWarning® compatibility with SIEMs white paper
Return on investment calculator: [email protected]
Comparison & evaluation forms: [email protected]
Planning & deployment guide: [email protected]
FairWarning’s mission is to continue to be the world’s leading supplier of solutions which monitor and protect patient privacy in Electronic Health Records.