HIPAA Compliance Demands Information Risk Management Maturity
Featuring a Case Study with Sentara Healthcare
June 9, 2015
The audio for this webinar will stream through your computer; please make sure your speakers are turned on.
If you prefer to access the audio portion by phone, please dial 1.866.710.0179 and, when prompted by the operator, give the passcode 89517.
Copyright © 2015 AHA Solutions, Inc. – 155 North Wacker Drive, Suite 400, Chicago, IL 60606 | solutions@aha.org | 800.242.4677
AHA Solutions Signature Learning Series™ events are exclusively offered to hospital personnel. There is no charge to attend.
Facebook.com/AHASolutions
Twitter.com/aha_solutions
LinkedIn.com/company/AHA-Solutions
Agenda
Introduction by Monique Showalter, AHA Solutions, Inc.
HIPAA Compliance Demands Information Risk Management Maturity
Featuring a Case Study with Sentara Healthcare
Kathy Jobes, Chief Information Security Officer,
Sentara Healthcare
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US,
CEO & Founder, Clearwater Compliance
Question and Answer Session
About this webinar
This educational event has been developed by AHA Solutions, Inc.
together with Sentara Healthcare and Clearwater Compliance. We
thank these organizations for their willingness to share their expertise.
Health Care Information Privacy, Security, Compliance & Risk Management Solutions from Clearwater Compliance have earned the exclusive Endorsement of The American Hospital Association.
Kathy Jobes
Chief Information Security Officer, Sentara Healthcare
kejobes@sentara.com

Kathy has over 25 years of experience working in health care. Beginning her career in hospital operations, she worked in clinical, financial and IT roles before settling in IT security.
Kathy’s experience includes stints at Shands HealthCare and Bon Secours Health System, Inc., after which Ms. Jobes joined one of the nation’s top integrated health care systems, Sentara Healthcare, in 2013.
As the Chief Information Security Officer at Sentara she is responsible for providing IT security leadership and vision in the areas of identity and access management (IAM), security risk management, governance, education, assurance and threat management. She is a trusted member of Sentara’s senior leadership team, providing regulatory, operational and technical security guidance to senior executives, the Board and other members of the team.
Ms. Jobes earned her B.S. in Health Sciences / Health Care Administration from the University of West Florida, and holds a certificate in Medical Informatics.
Bob Chaput
Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US
Chief Executive Officer, Clearwater Compliance LLC
Email: bob.chaput@clearwatercompliance.com

• CEO & Founder: Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for the largest healthcare datasets in the world
• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates, Financial Services, Retail, Legal
• Member: ACAP, AEHIS Foundation, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA, HCAA, ACHE, AHIMA, NTC, ACP, SIM Chambers, Boards
HIPAA Compliance Demands Information Risk Management Maturity
Featuring a Case Study with Sentara Healthcare
Kathy Jobes, Chief Information Security Officer, Sentara Healthcare
Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US, Chief Executive Officer, Clearwater Compliance LLC
Discussion Flow
1. Setting / Situation / Challenges – Kathy
2. Turning Point (Information Risk Management Maturity) – Kathy
3. Call to Arms – Kathy & Bob
Sentara Background
• 125-year not-for-profit history
• Headquartered in Norfolk, VA, Sentara includes 12 hospitals, 5 medical groups, a 3,800-provider medical staff, the Optima Health plan, advanced imaging centers, home health and hospice, the Nightingale air ambulance, rehab and therapy centers, and nursing and assisted living centers
• Ranked as one of the nation's top integrated healthcare systems by Modern Healthcare for more than a decade
Complexity, High-Growth, Lots of End Points
Setting / Situation
1. Narrowly Focused IT Security Efforts
2. Silo-ed Risk Assessment Approach: business line / focus area
3. Multiple Roles & Hats: Care Provider, Health Plan, Business Associate, Vendor
4. Increasing Participation in Federal Programs
5. Meaningful Use Attestations
Standard OCR Investigation Letter Request
“9. Please submit a copy of XYZ Hospital’s most recent risk analysis, as well as a copy of all risk analyses performed for or by XYZ Hospital within the past 6 years pursuant to 45 C.F.R. § 164.308(a)(1)(ii)(A). If no risk analysis has been performed, please state so.”
The Inevitable Audits
• OCR’s permanent HIPAA audit program slated to begin in 2015
• ~200 Covered Entities to be selected for desk audits
• An equal number or fewer BAs selected for desk audits
• A greater number of on-site audits, but no specific number given yet
• Only documentation submitted on time is reviewed
• All documentation must be current as of the date of the request
• Auditors will not be able to contact the entity for clarifications or ask for additional information
• Critical that documentation accurately reflects the program

2015 CE Desk Audit Scope
• Security: Risk Analysis and risk management
• Breach: Content and timeliness of breach notifications
• Privacy: Notice of Privacy Practices and Access

2015 BA Desk Audit Scope
• Security: Risk Analysis and risk management
• Breach: Breach reporting to covered entities
Recent FBI Healthcare Alerts: April / August 2014
“Because the healthcare industry is not as resilient to cyber intrusions [as] the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.”
“…observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII).”
Healthcare is the Next Cyber Security Battleground
Priorities / Challenges – December 2013
1. Un-quantified Risk = Undefined Risk Tolerance
2. Distributed Security Functions and Responsibilities
3. Flat Landscape: Everything is Treated Equal
4. Framework and Strategy
5. Information Security Integration: business, workforce, organization risk
6. Governance
Links in the Security Chain: Adversaries attack the weakest link… where is ours?
Discussion Flow – Part 2: Turning Point (Information Risk Management Maturity) – Kathy
Turning Point – Q4 2014
1. Set Strategy and Vision
2. Identified and Vetted Candidate Partners
3. Chose a Partner with Compatible Vision / Strategy to Create a Platform and “Teach Us How to Fish”
4. Adopted NIST Framework
5. Embraced the Information Risk Management Capability Advancement Model™ (IRMCAM™)
NIST Security Framework
• NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments
• NIST SP 800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP 800-39, Managing Information Security Risk
• NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP 800-53A Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
• NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
• MU Stage 2 Hospital Core 7, Protect Electronic Health Info (2012-11-05)
• CMS MU Stage 1 vs Stage 2 Comparison Tables for Hospitals
• CMS Security Risk Assessment Fact Sheet (Updated 20131122)
• NIST Risk Management Framework 2009
Remember! The Security Rule is Based on NIST!
NIST Risk Management
http://clearwatercompliance.com/wp-content/uploads/SP800-39-final.pdf
Actions Taken
1. Assigned Responsibility and Authority
2. Formed Clearwater Partnership
3. Defined Program Elements: categorize, select, implement, assess, authorize, monitor (begin again)
4. Centralized Documentation
5. Standardized Tracking and Reporting Protocols
6. Engaged Leadership
7. Assessed Maturity Level
Outcomes
1. Completed Bona Fide Risk Analyses:
   A. 11 Hospitals
   B. 133 EPs (eligible professionals)
2. Added Staff
3. Started Knowledge Transfer
4. Created Reporting Format
5. Established Governance
6. Initiated Executive Dashboard Development
7. Formalized Risk Response Approach
8. Expanded Program to Other Business Units
Discussion Flow – Part 3: Call to Arms – Kathy & Bob
Bottom Line Up Front (BLUF)
1. HIPAA Compliance Demands Information Risk Management
2. Too many BOD / C-Suites are not educated and, therefore, far too disengaged from information risk management
3. Too few organizations are working to complete bona fide risk management AND “mature” their information risk management processes
4. Too many people trying to “check-list” their way to security with “Top Challenges Facing CISOs…”-type lists
5. Too few people understand risk, not to mention information risk analysis and risk management
6. It’s a patient safety / quality of care / information risk issue … not a “HIPAA compliance” issue
WE MUST CHANGE THE CONVERSATION!
Types of Risk…
Think – what causes loss or harm to stakeholders?
1. Legal
2. Regulatory Compliance
3. Financial
4. Operational
5. Strategic
6. Reputational
7. Clinical
8. Others
9. Information Risk, Anyone?
“First, Do No Harm.”
– Hippocrates, 4th Century B.C.E., or Auguste François Chomel (1788–1858), Parisian pathologist and clinician
It’s a Patient Safety / Quality of Care Journey … Not a HIPAA Compliance Destination
The Risk Problem We’re Trying to Solve
Don’t Compromise C-I-A!
• INTEGRITY: What if my Protected Health Information is not complete, up-to-date and accurate?
• CONFIDENTIALITY: What if my Protected Health Information is shared? With whom? How?
• AVAILABILITY: What if my Protected Health Information is not there when it is needed?
[Figure: the three questions arranged around the information at stake: PHI, PII, ePHI, credit card data and proprietary / intellectual property.]
Connect the Dots!
Confidentiality / Integrity / Availability
↔ Quality and Safe Care / Access to Care / Timely Care
How Clearwater Assisted Sentara Healthcare (Customer’s Role vs. Clearwater’s Role)
• “We do it for you”: Clearwater provides content, strategy, leadership, tools, software and resources to complete gap assessments and risk analyses. Customer reviews recommendations.
• “We do it with you”: Clearwater and Customer teams perform gap assessments and risk analyses, validate findings, observations and recommendations, prioritize remediation items and develop recommendations.
• “We train you to do it”: Clearwater teaches Customer how to perform gap assessments & risk analyses AND to measure information risk management maturity levels to establish continuous process improvement.
Proven, Flexible Engagement Model – 100s of Successes | We Want Our Customers to Become Self-Sufficient
Specific Solutions Provided by Clearwater
1. Clearwater IRM|Analysis™ Software
2. Clearwater Trade-marked Professional Services WorkShop™

Clearwater WorkShop™ Process
Phase 01
• Plan / Gather / Schedule
• Read Ahead / Review Materials
• Provide SaaS Subscription / Train
• Administer Surveys
Phase 02
• Facilitate & Discover
• Educate & Equip
• Evaluate & Advise
• Gather & Populate SaaS
Phase 03
• Analyze Findings
• Document Observations
• Develop Recommendations
• Present and Sign Off

Software Subscription Plus WorkShop™
• 2.5 hours of training for as many staff as you wish
• Ongoing technical support
• IRM|Pro™ – 2- or 3-year subscription, paid annually
• Ongoing software updates
• Ongoing Community engagement
• Professional consulting services to complete the risk analysis process, end-to-end
• Risk Analysis Report with Findings, Observations and Recommendations
• Fully-populated IRM|Analysis™ software application

3. Clearwater Information Risk Management Capability Advancement Model™ (IRMCAM™)
Clearwater IRMCAM™ Model
Call to Arms
1. Be both! Tactical / technical (“spot welding”) AND strategic / business-oriented / architectural
2. Do a real, comprehensive risk analysis ASAP to understand your risks!
3. Initiate the process of an IRM Program Strategic Assessment and determine your current maturity level.
It’s a Patient Safety / Quality of Care Journey … Not a HIPAA Compliance Destination
We Invite Your Questions!
To submit a question, please type your question on the left-hand side of your presentation screen.
Contact Information
Kathy Jobes, Chief Information Security Officer, Sentara Healthcare – 757.252.0637 – kejobes@sentara.com
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US, CEO & Founder, Clearwater Compliance – 800.704.3394 – bob.chaput@clearwatercompliance.com
Monique Showalter, AHA Solutions, Inc. – 312.895.2516 – mshowalter@aha.org
For more information on AHA Solutions or Clearwater Compliance please visit www.ahasolutions.org
Follow us! #AHASealServes
Join Us: Upcoming AHA Solutions Signature Learning Series Webinars
• Care Transitions: Using Remote Patient Monitoring to Improve Outcomes, Cost and Patient Experience – Wednesday, June 10, noon – 1 pm Central
• Spotlight on Case Management Excellence, featuring Stephen Ricks from Seton Family of Hospitals – Thursday, June 11, noon – 1 pm Central
To learn more or to register, call 1.800.242.4677 or visit www.aha-solutions.org
A New Network for Health Care Leaders
Launched by the American Hospital Association, AHA SmartMarket is a FREE social collaboration website for health care professionals.
• Customize your experience: Create a personal profile to deliver custom information based on trending issues facing health care leaders.
• Build a circle of trust: Connect with peers and industry experts to build your professional network specific to health care.
• Share your experiences: Join discussions to share successes achieved and efficiencies gained.
• Find answers, ideas and innovation: View ratings and reviews from trusted connections in your network, and leave your own ratings and feedback on what’s worked effectively for your organization.
Register now at AHASmartMarket.com
Thank You!
AHA Solutions, Inc. values your participation and interest in our Signature Learning Series™ events. For further information on other educational events and our endorsed products, please visit www.aha-solutions.org