HIPAA Compliance Demands Information Risk Management Maturity
Featuring a Case Study with Sentara Healthcare
June 9, 2015

The audio for this webinar will be streamed through your computer; please make sure the speakers are turned on. If you prefer to access the audio portion via phone, please dial 1.866.710.0179. When prompted by the operator, give the passcode: 89517.

Copyright © 2015 AHA Solutions, Inc. – 155 North Wacker Drive, Suite 400, Chicago, IL 60606 | solutions@aha.org | 800.242.4677
AHA Solutions Signature Learning Series™ events are exclusively offered to hospital personnel. There is no charge to attend.
Facebook.com/AHASolutions | Twitter.com/aha_solutions | LinkedIn.com/company/AHA-Solutions

Agenda
• Introduction by Monique Showalter, AHA Solutions, Inc.
• HIPAA Compliance Demands Information Risk Management Maturity, Featuring a Case Study with Sentara Healthcare
  Kathy Jobes, Chief Information Security Officer, Sentara Healthcare
  Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US, CEO & Founder, Clearwater Compliance
• Question and Answer Session

About this webinar
This educational event has been developed by AHA Solutions, Inc. together with Sentara Healthcare and Clearwater Compliance. We thank these organizations for their willingness to share their expertise.
Health Care Information Privacy, Security, Compliance & Risk Management Solutions from Clearwater Compliance have earned the exclusive Endorsement of The American Hospital Association.

Kathy Jobes
Kathy has over 25 years of experience working in health care; beginning her career in hospital operations, she worked in clinical, financial and IT roles before settling in IT security. Kathy's experience includes stints at Shands HealthCare and Bon Secours Health System, Inc., after which Ms. Jobes joined one of the nation's top integrated health care systems, Sentara Healthcare, in 2013.
As the Chief Information Security Officer at Sentara she is responsible for providing IT Security leadership and vision in the areas of identity and access management (IAM), Security Risk Management, governance, education, assurance and threat management. She is a trusted member of Sentara's senior leadership team, providing regulatory, operational and technical security guidance to senior executives, the Board and other members of the team. Ms. Jobes earned her B.S. in Health Sciences / Health Care Administration from the University of West Florida, and holds a certificate in Medical Informatics.
Kathy Jobes, Chief Information Security Officer, Sentara Healthcare, kejobes@sentara.com

Bob Chaput
• CEO & Founder: Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in the world
• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates, Financial Services, Retail, Legal
• Member: ACAP, AEHIS Foundation, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA, HCAA, ACHE, AHIMA, NTC, ACP, SIM Chambers, Boards
Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US, Chief Executive Officer, Clearwater Compliance LLC, bob.chaput@clearwatercompliance.com

Discussion Flow
1. Setting / Situation / Challenges – Kathy
2. Turning Point (Information Risk Management Maturity) – Kathy
3. Call to Arms – Kathy & Bob

Sentara Background
• 125-year not-for-profit history
• Headquartered in Norfolk, VA
• Sentara includes 12 hospitals, 5 medical groups, a 3,800-provider medical staff, the Optima Health plan, advanced imaging centers, home health and hospice, the Nightingale air ambulance, rehab and therapy centers, and nursing and assisted living centers
• Ranked as one of the nation's top integrated healthcare systems by Modern Healthcare for more than a decade.
Complexity, High Growth, Lots of End Points

Setting / Situation
1. Narrowly Focused IT Security Efforts
2. Silo-ed Risk Assessment approach: business line / focus area
3. Multiple Roles & Hats: Care Provider, Health Plan, Business Associate, Vendor
4. Increasing Participation in Federal Programs
5. Meaningful Use Attestations

Standard OCR Investigation Letter Request
"9. Please submit a copy of XYZ Hospital's most recent risk analysis, as well as a copy of all risk analyses performed for or by XYZ Hospital within the past 6 years pursuant to 45 C.F.R. § 164.308(a)(1)(ii)(A). If no risk analysis has been performed, please state so."

The Inevitable Audits
• OCR's permanent HIPAA audit program slated to begin in 2015
• ~200 Covered Entities to be selected for desk audits
• An equal number or fewer BAs selected for desk audits
• A greater number of on-site audits, but no specific number given yet.
• Only documentation submitted on time is reviewed
• All documentation must be current as of the date of the request
• Auditors will not be able to contact the entity for clarifications or ask for additional information
• Critical that documentation accurately reflects the program

2015 CE Desk Audit Scope
• Security: Risk Analysis and risk management
• Breach: Content and timeliness of breach notifications
• Privacy: Notice of Privacy Practices and Access

2015 BA Desk Audit Scope
• Security: Risk Analysis and risk management
• Breach: Breach reporting to covered entities

Recent FBI Healthcare Alerts: April / August 2014
"Because the healthcare industry is not as resilient to cyber intrusions [as] the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely."
"…observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII)."
Healthcare is the Next Cyber Security Battleground

Priorities / Challenges – December 2013
1. Un-quantified Risk = Undefined Risk Tolerance
2. Distributed Security Functions and Responsibilities
3. Flat Landscape: Everything is Treated Equal
4. Framework and Strategy
5. Information Security Integration: business, workforce, organization risk
6. Governance
Links in the Security Chain: Adversaries attack the weakest link… where is ours?

Turning Point – Q4 2014
1. Set Strategy and Vision
2. Identified and Vetted Candidate Partners
3. Chose a Partner with Compatible Vision / Strategy to Create a Platform and "Teach Us How to Fish"
4. Adopted the NIST Framework; Embraced the Information Risk Management Capability Advancement Model™ (IRMCAM™)

NIST Security Framework
• NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments
• NIST SP 800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP 800-39, Managing Information Security Risk
• NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP 800-53A Rev. 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
• NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
• MU Stage 2 Hospital Core 7, Protect Electronic Health Info (2012-11-05)
• CMS MU Stage 1 vs Stage 2 Comparison Tables for Hospitals
• CMS Security Risk Assessment Fact Sheet (Updated 20131122)
• NIST Risk Management Framework (2009)
Remember! The Security Rule is based on NIST!

NIST Risk Management
http://clearwatercompliance.com/wp-content/uploads/SP800-39-final.pdf

Actions Taken
1. Assigned Responsibility and Authority
2. Formed Clearwater Partnership
3. Defined Program Elements: categorize, select, implement, assess, authorize, monitor (begin again)
4. Centralized Documentation
5. Standardized Tracking and Reporting Protocols
6. Engaged Leadership
7. Assessed Maturity Level

Outcomes
1. Completed Bona Fide Risk Analyses:
   A. 11 Hospitals
   B. 133 EPs
2. Added Staff
3. Started Knowledge Transfer
4. Created Reporting Format
5. Established Governance
6. Initiated Executive Dashboard Development
7. Formalized Risk Response Approach
8. Expanded Program to other Business Units

Bottom Line Up Front (BLUF)
1. HIPAA Compliance Demands Information Risk Management
2. Too many BOD / C-Suites are not educated and, therefore, far too disengaged from information risk management
3. Too few organizations are working to complete bona fide risk management AND "mature" their information risk management processes
4. Too many people are trying to "check-list" their way to security with "Top Challenges Facing CISOs…"-type lists
5. Too few people understand risk, not to mention information risk analysis and risk management
6. It's a patient safety / quality of care / information risk issue … not a "HIPAA compliance" issue
WE MUST CHANGE THE CONVERSATION!

Types of Risk… Think: what causes loss or harm to stakeholders?
1. Legal
2. Regulatory
3. Compliance
4. Financial
5. Operational
6. Strategic
7. Reputational
8. Clinical
9. Others
Information Risk, Anyone?

"First, Do No Harm." – Hippocrates, 4th Century B.C.E., or Auguste François Chomel (1788–1858), Parisian pathologist and clinician
It's a Patient Safety / Quality of Care Journey … Not a HIPAA Compliance Destination

The Risk Problem We're Trying to Solve
• Integrity: What if my Protected Health Information is not complete, up-to-date and accurate?
• Confidentiality: What if my Protected Health Information is shared? With whom? How?
• Availability: What if my Protected Health Information is not there when it is needed?
[Figure: ePHI at the center of the C-I-A triad; data types shown include PHI, PII, credit card data and proprietary intellectual property.]
Don't Compromise C-I-A!

Connect the Dots!
• Confidentiality: Quality and Safe Care
• Integrity: Access to Care
• Availability: Timely Care

How Clearwater Assisted Sentara Healthcare (Customer's Role / Clearwater's Role)
• "We do it for you": Clearwater provides content, strategy, leadership, tools, software and resources to complete gap assessments and risk analyses. Customer reviews recommendations.
• "We do it with you": Clearwater and Customer teams perform gap assessments and risk analyses, validate findings, observations and recommendations, prioritize remediation items and develop recommendations.
• "We train you to do it": Clearwater teaches Customer how to perform gap assessments & risk analyses AND to measure information risk management maturity levels to establish continuous process improvement.
Proven, Flexible Engagement Model – 100s of Successes | We Want Our Customers to Become Self-Sufficient

Specific Solutions Provided by Clearwater
1. Clearwater IRM|Analysis™ Software
2. Clearwater Trade-marked Professional Services WorkShop™
   Clearwater WorkShop™ Process
   01
   • Plan / Gather / Schedule
   • Read Ahead / Review Materials
   • Provide SaaS Subscription / Train
   • Administer Surveys
   02
   • Facilitate & Discover
   • Educate & Equip
   • Evaluate & Advise
   • Gather & Populate SaaS
   03
   • Analyze Findings
   • Document Observations
   • Develop Recommendations
   • Present and Sign Off
   Software Subscription Plus WorkShop™
   • 2.5 hours of training for as many staff as you wish
   • Ongoing technical support
   • IRM | Pro™ 2- or 3-year subscription, paid annually
   • Ongoing software updates
   • Ongoing Community engagement
   • Professional consulting services to complete the risk analysis process, end-to-end
   • Risk Analysis Report with Findings, Observations and Recommendations
   • Fully-populated IRM | Analysis™ software application
3. Clearwater Information Risk Management Capability Advancement Model™ (IRMCAM™)
   [Figure: Clearwater IRMCAM™ Model]

1. Be both!! Tactical / Technical / Spot-welding AND Strategic / Business-oriented / Architectural!
2. Do a real, comprehensive risk analysis ASAP to understand your risks!
3. Initiate the process of an IRM Program Strategic Assessment and determine your current maturity level.
It's a Patient Safety / Quality of Care Journey … Not a HIPAA Compliance Destination

We Invite Your Questions!
To submit a question, please type your question on the left-hand side of your presentation screen.
Contact Information
Kathy Jobes, Chief Information Security Officer, Sentara Healthcare, 757.252.0637, kejobes@sentara.com
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US, CEO & Founder, Clearwater Compliance, 800.704.3394, bob.chaput@clearwatercompliance.com
Monique Showalter, AHA Solutions, Inc., 312.895.2516, mshowalter@aha.org
For more information on AHA Solutions or Clearwater Compliance please visit www.ahasolutions.org
Follow us! #AHASealServes

Join Us: Upcoming AHA Solutions Signature Learning Series Webinars
• Care Transitions: Using Remote Patient Monitoring to Improve Outcomes, Cost and Patient Experience. Wednesday, June 10, noon – 1 pm Central
• Spotlight on Case Management Excellence, featuring Stephen Ricks from Seton Family of Hospitals. Thursday, June 11, noon – 1 pm Central
To learn more or to register, call 1.800.242.4677 or visit www.aha-solutions.org

A New Network for Health Care Leaders
Launched by the American Hospital Association, AHA SmartMarket is a FREE social collaboration website for health care professionals.
• Customize your experience: Create a personal profile to deliver custom information based on trending issues facing health care leaders.
• Build a circle of trust: Connect with peers and industry experts to build your professional network specific to health care.
• Share your experiences: Join discussions to share successes achieved and efficiencies gained.
• Find answers, ideas and innovation: View ratings and reviews from trusted connections in your network, and leave your own ratings and feedback on what's worked effectively for your organization.
Register now at AHASmartMarket.com

Thank You!
AHA Solutions, Inc. values your participation and interest in our Signature Learning Series™ events. For further information on other educational events and our endorsed products, please visit www.aha-solutions.org