Slide 2
• HFHS Overview
  ◦ Landscape
  ◦ Then vs. Now
• HIPAA/HITECH Overview
• Use of PHI
• Disclosures of PHI
• Operational Considerations
  ◦ Breach Response Plan
  ◦ Risk Tolerance Assessment
  ◦ Rapid Response Teams
  ◦ Branding Opportunities
  ◦ Communication Strategy
  ◦ Breach Response Partners
  ◦ Continuous Education
  ◦ Elimination of Immediate Risk
  ◦ Breach Insurance (Cyber Insurance)
  ◦ Social Media Exposure

Slide 3
• Founded in 1915 and comprised of
  ◦ 4 Acute Care Facilities (approx. 2000 beds)
  ◦ 1200-member Medical Group & 500-member Physician Network
  ◦ Health Plan serving approximately 640,000 members
  ◦ Home Health, retail pharmacy, optical care, Hospice, Occupational Health, Extended Care divisions
• In 2011
  ◦ Awarded the prestigious Malcolm Baldrige National Quality Award
  ◦ Approximately 31,000 workforce members
  ◦ 3.3 million outpatient visits; 89,000 surgical procedures; 101,396 patients admitted to HFHS hospitals
  ◦ Revenue, $4.22 billion; net income, $21.5 million; uncompensated care, $210 million

Slide 4
• HFHS is entering new territory to ensure synergy between Privacy & Security – a Culture of Confidentiality
• Then…
  ◦ Privacy was a subset of Corporate Compliance
  ◦ Security was a subset of Information Technology
  ◦ Competing priorities diminished the focus on both
  ◦ Decentralized approach throughout the System
  ◦ Lean resources to carry out the Privacy & Security mission
• Observation
  ◦ Due to lean resources, competing priorities and fragmented oversight, Privacy & Security compliance was misaligned with the HFHS Mission & Vision

Slide 5
• Now…
  ◦ Established the new Information Privacy Office (IPO) with an expanded scope that covers all confidential data, not just patient data
  ◦ The IPO is a subset of Information Technology under the leadership of the Chief Information Officer, which creates better opportunities for synergy with the Information Security Office
  ◦ Priorities are streamlined and standardized between the two offices…the confidentiality foundation
  ◦ Centralized corporate IPO resources to ensure a consistent approach System-wide
• Observation
  ◦ This will be the catalyst for creating a culture of confidentiality around any sensitive data protected by the various regulations and laws

Slide 6
• Convened a workgroup to create an incident response plan prior to the 2009 compliance date
  ◦ Reviewed the HITECH regulations and documented the process and plan
  ◦ Conducted research with other organizations to determine how to address the “risk of harm” standard
  ◦ Created a manual process for conducting breach risk assessments
  ◦ Applied the plan to previous breaches to vet the approach

Slide 7
• Stolen laptop containing patient information; approximately 4000 patients exposed
• Data was stored in a spreadsheet compiled by a clinician
• The laptop was unencrypted, and the physical security of the office was compromised by an open door
• Breach response was an internal effort using HFHS staff members
  ◦ Call center support, notification management, etc.
  ◦ Assessment → Notification: 56 days

Slide 8
• The 56-day response time was outside our service standards and proved that our response plan was flawed
• Assuming responsibility for the entire breach response lifecycle was extending our response time
• A breach response partner with proven experience was necessary to ensure that we could meet our 4-week target response deadline
• Communication of our incident response plan failed due to a lack of branding and continuous reinforcement (8 x 8 Rule)
• The workforce didn’t understand the urgency during the assessment phase due to a flawed communication and education plan

Slide 9
• Secured a breach response partner with a strong focus on the healthcare market
  ◦ Wanted a partner, not an outsourced solution
  ◦ ID Experts (www.idexpertscorp.com)
• Chartered a Code B Alert (Rapid Response) Team
• Branded a breach response communication plan
  ◦ Code B Alert Program
  ◦ Internal communication to the workforce
  ◦ External communication to patients, media & OCR
• Immediately engaged our breach response partner during our next incident
  ◦ Assessment → Notification: 18 days

Slide 10
• Led by the Chief Privacy Officer and the Chief Information Security Officer
  ◦ Includes representation from Legal, Public Relations, Human Resources, Risk Management and Business Unit Leadership
  ◦ All incidents begin with a Code A(ssessment), which assesses and determines whether a breach has occurred
    ▪ Includes representation from Legal, IPO & ISO
    ▪ Once a “Breach” has been called, the Code B Alert (Rapid Response) Team works with our breach response partner to respond to the breach
• Branded communication plan consistently used throughout the System and managed corporately instead of at the business unit level

Slide 11
• Flash drive lost
  ◦ Approximately 3000 patients affected, with significant risk of harm
  ◦ Even though the response time was decreased and the communication plan was effective, we found another concern: portable storage devices
    ▪ How do we protect the data?
    ▪ How do we encrypt the data?
    ▪ What is our policy around flash drives and their usage within HFHS?
    ▪ How do we protect the integrity/security of our network?
    ▪ How do we decrease the flash drive footprint at HFHS?
    ▪ Our answer…The iComply Program!

Slide 12
• System-wide effort coordinated by the Information Privacy & Information Security Offices
• All employees were required to visit one of 20 “IT-staffed” stations to turn in all personal flash drives in exchange for our approved IronKey solution
  ◦ Registered hundreds of external hard drives and personal laptops
• The stations were also the place to enter the drawing for an iPad 2
  ◦ Entries were a crossword puzzle based on our privacy & security policies
• Approximately 5000 flash drives collected within a 4-week period

Slide 13
• Create a “secret shopper” monitoring program to test your privacy policies and practices
• Consider pushing the cost of responding to a data breach to the offending department once education has occurred system-wide
• Use contests/incentives to drive workforce members to your privacy & security policies
  ◦ Crossword puzzles
  ◦ Scavenger hunts
  ◦ Encourage “friendly” competition between departments

Slide 14
• iComply – Phase 2
  ◦ Security and encryption of mobile devices
  ◦ Consumer device usage by guests/patients
  ◦ Continuous education
  ◦ Apple support program (e.g., iPad, iPhone, etc.)
• Social Media Monitoring
• iPad Patient Rounding
• Data Loss Prevention Program Implementation
• Increased synergy between the Privacy & Security departments to reinforce our culture of confidentiality

Slide 15
• Assess your organization’s culture to determine the best approach for breach response
  ◦ Risk Tolerance Assessment
  ◦ Rapid Response Teams
  ◦ Branding Opportunities
  ◦ Communication Strategy
  ◦ Breach Response Partners
  ◦ Continuous Education
  ◦ Elimination of Immediate Risk
  ◦ Breach Insurance (Cyber Insurance)

Slide 16
Meredith R. Phillips, CHC, CHPC
Chief Privacy Officer
Henry Ford Health System
One Ford Place, Suite 2A
Detroit, MI 48202
313-874-5168
mphilli2@hfhs.org
Twitter: @mphillipschc


SEMHIMA Presentation Final 06052012
