1. Dealing with Information Security, Risk Management & Cyber Resilience
SEMHIMA Presentation Final 06052012
2. HFHS Overview
◦ Landscape
◦ Then vs. Now
HIPAA/HITECH Overview
Use of PHI
Disclosures of PHI
Operational Considerations
◦ Breach Response Plan
◦ Risk Tolerance Assessment
◦ Rapid Response Teams
◦ Branding Opportunities
◦ Communication Strategy
◦ Breach Response Partners
◦ Continuous Education
◦ Elimination of Immediate Risk
◦ Breach Insurance (Cyber Insurance)
◦ Social Media Exposure
3. Founded in 1915 and comprised of
◦ 4 Acute Care Facilities (Approx. 2000 beds)
◦ 1200 Member Medical Group & 500 Member Physician Network
◦ Health Plan serving approximately 640,000 members
◦ Home Health, Retail Pharmacy, Optical Care, Hospice, Occupational Health, Extended Care divisions
In 2011
◦ Awarded the prestigious Malcolm Baldrige National Quality Award
◦ Approximately 31,000 workforce members
◦ 3.3 million outpatient visits; 89,000 surgical procedures; 101,396 patients admitted to HFHS hospitals
◦ Revenue, $4.22 billion; net income, $21.5 million; uncompensated care, $210 million
4. HFHS is entering into new territory to ensure synergy between Privacy & Security – Culture of Confidentiality
Then…
◦ Privacy was a subset of Corporate Compliance
◦ Security was a subset of Information Technology
◦ Competing priorities diminished the focus on both
◦ Decentralized approach throughout the System
◦ Lean resources to carry out the Privacy & Security Mission
Observation
◦ Due to lean resources, competing priorities and fragmented oversight, Privacy & Security compliance was misaligned with the HFHS Mission & Vision
5. Now…
◦ Established the new Information Privacy Office (IPO) with an expanded scope that covers all confidential data, not just patient data
◦ The IPO is a subset of Information Technology under the leadership of the Chief Information Officer, which creates better opportunities for synergy with the Information Security Office
◦ Priorities are streamlined and standardized between the two offices, built on a shared confidentiality foundation
◦ Centralized corporate IPO resources to ensure a consistent approach System wide
Observation
◦ This will be the catalyst in creating a culture of confidentiality around any sensitive data protected by the various regulations and laws
6. Convened a workgroup to create an incident response plan prior to the 2009 compliance date
◦ Reviewed HITECH regulations and documented process and plan
◦ Conducted research with other organizations to determine how to address the “risk of harm” standard
◦ Created manual process for conducting breach risk assessments
◦ Applied plan to previous breaches to vet approach
7. Stolen laptop containing the information of approximately 4000 patients
Data stored in a spreadsheet compiled by a clinician
Laptop was unencrypted, and the physical security of the office was compromised due to an open door
Breach response was an internal effort utilizing HFHS staff members
◦ Call center support, notification management, etc.
◦ Assessment to Notification: 56 Days
8. The 56 day response time was outside of our service standards and proved that our response plan was flawed
Assuming responsibility for the entire breach response lifecycle was extending our response time
A breach response partner with proven experience was necessary to ensure that we could meet our 4-week target response deadline
Communication of our incident response plan failed due to lack of branding and continuous reinforcement (8 x 8 Rule)
The workforce didn’t understand the urgency during the assessment phase due to a flawed communication and education plan
9. Secured a breach response partner with a strong focus in the healthcare market
◦ Wanted a partner and not an out-sourced solution
◦ ID Experts (www.idexpertscorp.com)
Chartered a Code B Alert (Rapid Response) Team
Branded a breach response communication plan
◦ Code B Alert Program
◦ Internal Communication to Workforce
◦ External Communication to Patients, Media & OCR
Immediately engaged our breach response partner during our next incident
◦ Assessment to Notification: 18 Days
10. Led by the Chief Privacy Officer and the Chief Information Security Officer
◦ Includes representation from Legal, Public Relations, Human Resources, Risk Management, Business Unit Leadership
◦ All incidents begin with a Code A(ssessment) that assesses and determines if a breach has occurred
Includes representation from Legal, IPO & ISO
Once a “Breach” has been called, the Code B Alert (Rapid Response) Team works with our breach response partner to respond to the breach
Branded communication plan consistently utilized throughout the system and managed corporately instead of at the business unit level
11. Flash Drive Lost
◦ Approximately 3000 patients affected, with significant risk of harm
◦ Even though response time was decreased and the communication plan was effective, we found another concern: portable storage devices
How do we protect the data?
How do we encrypt the data?
What is our policy around flash drives and their usage within HFHS?
How do we protect the integrity/security of our network?
How do we decrease the flash drive footprint at HFHS?
Our answer…The iComply Program!
12. System wide effort coordinated by the Information Privacy & Information Security Offices
All employees were required to visit one of 20 “IT staffed” stations to exchange all personal flash drives for our approved IronKeys solution
◦ Registered hundreds of external hard drives and personal laptops
The stations were also a place to enter the drawing for an iPad2
◦ Entries were a crossword puzzle based on our privacy & security policies
Approximately 5000 flash drives collected within a 4 week period
13. Create a “secret shopper” monitoring program to test your privacy policies and practices
Consider pushing the cost to respond to the data breach to the offending department once education has occurred system-wide
Utilize contests/incentives to drive workforce members to your privacy & security policies
◦ Crossword puzzles
◦ Scavenger hunts
◦ Encourage department “friendly” competition
14. iComply – Phase 2
◦ Security and encryption of mobile devices
◦ Consumer device usage by guests/patients
◦ Continuous education
◦ Apple support program (i.e., iPads, iPhone, etc.)
Social Media Monitoring
iPad Patient Rounding
Data Loss Prevention Program Implementation
Increased Synergy between Privacy & Security Departments to reinforce our culture of confidentiality
15. Assess your organization’s culture to determine the best approach for breach response
◦ Risk Tolerance Assessment
◦ Rapid Response Teams
◦ Branding Opportunities
◦ Communication Strategy
◦ Breach Response Partners
◦ Continuous Education
◦ Elimination of Immediate Risk
◦ Breach Insurance (Cyber Insurance)
16. Meredith R. Phillips, CHC, CHPC
Chief Privacy Officer
Henry Ford Health System
One Ford Place, Suite 2A
Detroit, MI 48202
313-874-5168
mphilli2@hfhs.org
Twitter: @mphillipschc