
Health IT Summit Beverly Hills 2014 – “A Use Case…Thoughts on How to Leverage your Technology and The Cloud” with Raymond Lowe, Senior Director, Information Technology, Dignity


Page 1: Title slide

Draft – For Discussion Purposes

A use case… thoughts on how to leverage your technology and the cloud
Iht2 Conference – Beverly Hills, November 4, 2014
Raymond Lowe, Senior Director, Enterprise IT Infrastructure and Technology

Page 2: Agenda

• Dignity Health – Hello Humankindness
• Data Centers and Cloud
  – Where are you in the cloud?
• Dignity Health and the cloud
  – Big 7 trends in Healthcare
• Steps to the Cloud
• Cloud Security
• Questions and Answers

Page 3: Dignity Health

Page 4: Who is Dignity Health

• Assets: $13.1 billion
• Net Operating Revenue: $10.6 billion
• General Acute Patient Care Days: 1.8 million
• Community Benefits and Care of the Poor: $1.4 billion
• Acute Care Beds: 8,800
• Skilled Nursing Beds: 800
• Acute Care Hospitals: 40
• Clinics/Ancillary Care Centers: 150
• Medical Foundations: 11
• Active Physicians: 10,000
• Total Employees: 55,000

Page 5: Aligning Dignity Health for Future Success

• Operating company with strong local leadership
• Focus on markets, not hospitals
• Aligns system and market leaders
• Fosters clinical enterprise focus
• Enables streamlined decision making
• Creates greater accountability for outcomes
• Responsive to community needs


Page 7

https://www.youtube.com/watch?v=K8s8UD211pU#t=34

Page 8: Where are you on your technology transformation and your journey to the cloud?

Page 9: (chart) Source: VMware

Page 10: Poll the Audience

1. Do you have any ASP-hosted applications?
2. Do you use Box, Dropbox, or MS OneDrive?
3. Are your backups electronically stored outside the walls of your facility?
4. Does your disaster recovery and business continuity storage leave your facilities?

Page 11: Dignity Health – Cloud

Page 12: Big 7 Trends in Health Care

1. Personalized Health Services
   • Transition from not-for-profit, one-time acute episodes to for-profit, recurring wellness services
2. Consumerism
   • Embrace that health care is consumer-driven with many choices of retail experiences
3. Employer Direct
   • Market a comprehensive, service-based network direct to employers, with a focus on self-funded employers, instead of relying on insurers and payers
4. Telehealth
   • Expand core PCP and specialist services across the continuum of care with global reach and local partnerships for a best-in-class hybrid delivery model
5. Cloud
   • Provide interoperability with a consumer-focused “outside-in” perspective, integrating across many SaaS/IaaS/PaaS partners for speed-to-market
6. IP-Enabled Medical Devices
   • Integrate wearables and implantables for real-time monitoring, alerting, diagnosing, and prescribing that connect to the Internet of Medical Things
7. Predictive Analytics
   • Drive care quality and cost efficiencies with analytics that forge new pathways from chronic to preventative to wellness

Page 13: Big Trend #5: The Cloud Is Already Here at Dignity Health

Dignity Health PHI: Clinical Applications in the Cloud

• Private PHI Cloud: Enterprise Data Warehouse (SAS)
• Private PHI Cloud: EMR (Cerner)
• Private PHI Cloud: Patient Portal (MedSeek)
• Private PHI Cloud: HIE (MobileMD)
• Private PHI Cloud: Pathology Reporting (Olympus EndoWorks)
• Proprietary DCs:
  – Patient Revenue Cycle (Lawson)
  – Ambulatory EMR (Allscripts)
  – MS Exchange, SharePoint
• PHI Co-Lo: Disaster Recovery (Switch)
• Public Cloud: Social Collaboration (Yammer @ Microsoft Azure)
• Public Cloud: File Sharing (Box)

Page 14: Steps to the Cloud

Page 15: Steps to Cloud Computing

1. Define cloud security governance and policies.
2. Define the approach to standardize the current architecture.
3. Develop and use a target state architecture to define standards.
4. Buy commoditized cloud services and capabilities whenever possible without exposing PHI.
5. Migrate existing applications and systems into private/hybrid cloud using a phased approach.
6. Decommission existing legacy systems as new capabilities come online within your target state environment.

Page 16: Application Migration Strategy

Rationalizing, standardizing and consolidating applications and infrastructure.

Page 17: Cloud Security

Page 18: Threats, Vulnerabilities, and Exposures are Increasing

(Chart with two panels, “Healthcare Industry HIPAA Breaches and Fines” and “Consumer and Business Breaches”. The data points below are as extracted, in page order; which panel each belongs to is not recoverable from the text.)

• April 2014: 4,500,000 individuals
• February 2014: 405,000 individuals
• 33,800,000 individuals
• September 2010: 6,800 individuals
• May 2014: $4.5M fine
• July 2013: 4,000,000 individuals
• July 2011: 4,900,000 individuals
• 2011: 20,000 individuals
• March 2014: $4M settlement
• December 2009: 1,200,000 individuals
• March 2014: $3M settlement

Page 19: Business Decision Point for Cloud Computing

Undeniably, cloud computing is present at Dignity Health in various forms. However, as additional deployment options are developed, driven by strategic business reasons, leadership must address a critical decision point in the deployment of cloud-based solutions at Dignity Health.

Situational Analysis:

– Cloud computing has many facets to address for public, private or hybrid cloud solution deployment, including cost, infrastructure, software, platforms, contracts, management oversight, audit and security.

– Important aspects of security in a virtualized environment, and of its security defenses, are confidentiality, integrity and availability. Further security analysis covers governance, risk management and compliance, including visibility into how security controls are implemented and the right to audit them.

– However, the most critical business decision point for leadership, assuming appropriate security, legal and audit controls are in place, is whether to include HIPAA regulatory requirements and the accompanying Business Associate Agreements in the cloud decision, since these compliance measures are the fundamental core of how Dignity Health protects PHI/ePHI-based business applications.

Page 20: Enterprise Cloud Security Plan

Development of a Cloud Security Plan

1. Specific Business Goals
   • Regulatory Compliance
   • Organization Objectives & Capabilities Risk
   • Enable Technologies, Processes and People
   • Provide an aggregated view of the risk profile the company accepts
   • ITILv3, ISO 2700X and NIST
   • 3rd Party Relationships & Business Associates (HIPAA)
2. Risk Management Program
3. Develop a Security Plan to Support Business Goals
4. Audit, Review and Continuously Improve
   • Compliance program, technologies, and processes with very specific results
   • HIPAA, HITECH, SSAE 16
   • Monitor changing Government & Regulatory Landscape (Omnibus)
   • Continue to expand HIPAA Compliance, PCI, Meaningful Use for all Stages
   • Risk Assessment as a Continuous Process and ‘Way of Thinking’

Key Considerations
• Security of Enterprise Applications & PHI
• Compliant Managed Cloud Service Provider
• Take an active role in Security & Risk management

Page 21: Drivers and Controls

Regulatory, Compliance & Control Objectives Overview

Healthcare Regulatory Drivers

• The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) drives important protections that require an entity providing a service to a provider to control Protected Health Information (“PHI”).
• A Business Associate Agreement (“BAA”) places significant contractual obligations on the service provider for covered entities such as Dignity Health. A BAA has the meaning ascribed to it in HIPAA as contained in 45 CFR parts 160, 162 and 164, and in the American Recovery Act of 2009 (the “HITECH Act”).
• HIPAA regulations include the “HIPAA Privacy Regulations” (CFR Parts 160 & 164), “HIPAA Security Regulations” (CFR Parts 160 & 164), “HIPAA Transaction Regulations” (CFR Parts 160 & 162), and “HIPAA Breach Notification” (CFR Part 164 Subpart D, and the HITECH Act).

Security Frameworks and Control Objectives

• An important security framework that provides a structured methodology for analysis is ISO 27001.
• The Payment Card Industry (“PCI”) standard has important considerations for cloud provider selection.

Page 22: Business Associate Agreement Responsibilities

BAA Service Objectives: a BAA, upon commencement of service, shall agree to the following terms:

• Security Incidents and Breach of Unsecured PHI
• Compliance Audits
• Information Safeguards, Mitigation
• Subcontractors and Agents
• Changing Regulatory and Compliance Requirements
• Permitted Uses and Disclosures
• Accounting of Disclosures
• Consent, Authorization, and Permission
• Designated Record Sets
• Minimum Necessary and Limited Data Sets
• Right to Terminate for Breach, Effects of Termination, Amendments, and Conflicts
• Marketing Use of PHI, Non-Permitted Use, and Uses or Disclosure Restrictions

A BAA carries significant contractual obligations driven by Federal regulations; continued oversight is essential.

Page 23: ISO 27001:2005 Security Domains

Security Objectives: regardless of health care regulations, cloud providers must address the following security controls:

• Human Resources Security
• Security Policy
• Asset Management
• Communications and Operations Management
• Environmental and Physical Security
• Information Security Governance
• Business Continuity Management
• Encryption
• Information Systems Acquisition
• Information Security Incident Management
• Compliance
• Access Control

Security practitioners for cloud providers will baseline control objectives against these well-understood security domains.

Page 24: Cloud Security Defense Best Practices

Secure by Design

Cloud Governance
Align with recognized industry standards, including internal security policies, standards and processes, to both internal audits and external certifications.

Security Governance, Risk Management and Compliance
Robust security compliance program, including physical access and logical access, with internal and external auditing.

Problem and Information Security Incident Management
Documented policies and procedures for management and monitoring of security events, including escalation and resolution.

Identity and Access Management
Ensure access is tightly controlled. Privileged user monitoring to ensure enforcement of, and compliance with, customer data protections.

Categorize and Protect Data and Information Assets
Encryption in flight, at rest and of backups; key management where necessary. Protection of portable media and storage device disposal controls.

System Acquisition, Development and Maintenance
Security applied throughout the lifecycle; Common Criteria certified hypervisors and hardened servers.

Secure Infrastructure Against Threats and Vulnerabilities
Defense in depth, underpinned with people and technology: IDPS at the boundary, vulnerability scanning, configuration management and security zones.

Physical and Personnel Security
Strong physical controls, including CCTV, biometric authentication, resiliency tools and door alarms. Employee training on customer data handling and protections.

Page 25: Questions & Answers