Post on 06-Jun-2018
HITRUST FRAMEWORK – A PRACTICAL TOOL FOR YOUR INFORMATION SECURITY RELATED AUDITS
JOHAN LIDROS, CISA, CISM, CGEIT, CRISC, ITIL-F, HITRUST CCSFP
PRESIDENT
EMINERE GROUP
AHIA 31st Annual Conference – August 26-29, 2012 – Philadelphia PA
www.ahia.org
Contents
Introduction
IT Governance Perspective
IT & Information Security Standards
HITRUST Overview
Case Study
2012 AHIA Annual Conference - www.ahia.org
Objectives
Understanding of tools to enable effective and efficient Information Security Governance.
Knowledge about current IT and Information Security standards.
Knowledge about specific healthcare security standards.
Understanding of the HITRUST framework.
Understanding of how to utilize the framework for information security audits.
Healthcare IT Security Characteristics
Diversified IT environment
Medical Devices and IT Systems coming together
Meaningful use and HIE are changing the IT environment
Many regulatory requirements
Immature IT/Information Security
Constantly new and changing information security threats/risks
IT Security Changes…
HIPAA security status
Meaningful use requirements
IT-security risk analysis Stage 1
The CMS Meaningful Use core measure Number Fourteen requires that an eligible provider “Conduct or review a security risk analysis and correct identified security deficiencies as per 45 CFR 164.308” (HIPAA Security Rule). The scope of this risk assessment is limited to the Electronic Health Record application and is only applicable when applying for the associated incentives under this program.
HITECH security requirements
Breach notification
Audits
Business associates
Etc.
IT Security Changes…
Audits – Regulatory Oversight
“The Department of Health and Human Services recently awarded a $9.2 million contract to the consulting firm KPMG to launch the audit program as mandated by the HITECH Act.”
Three phases
Phase 1: Creation of a comprehensive set of protocols for how audits will be conducted and what measures will be used to measure compliance.
Phase 2: Pilot audits “maybe 20, in order to field test ... the protocols that have been developed.”
Phase 3: Finalize formal program for as many as 150 on-site audits; will continue through the end of 2012.
Audits will continue 2013
Other requirements
PCI
State requirements
Etc.
Unexpected Downtime
Gartner*:
40% by operational errors
40% by application errors (most often misconfigurations)
20% by actual platform errors (network, operating systems or hardware)
Stress the need for policies and procedures
“Manage the process, not the technology”*
GRC
G Governance (Corporate Governance)
R Risk (Enterprise Risk Management)
C Compliance
IT Governance
Information Security Governance
Shift the IT Security Perspective:
Area | From | To
Scope | Technical problem | Enterprise problem
Ownership | IT | Enterprise
Funding | Expense | Investment
Goal | IT security | Enterprise continuity/resilience
Application | Platform/practice | Process
Approach | Ad hoc | Managed & Strategic
IT SECURITY RISK MANAGEMENT - Success Criteria
Security strategies should be driven by Business Risks, not just technical risks
Security strategies need clear goals and be measured on regular basis
[Diagram labels: RISKS, COST, PROCESSES, CONTROLS/SECURITY FRAMEWORK]
Well trained personnel – The “best control”
Security should be process driven
Do not invent the wheel again – Use accepted standards
Contents
Introduction
IT Governance Perspective
IT & Information Security Standards
HITRUST Overview
Case Study
Q&A
Enterprise Governance
“… is a set of responsibilities and practices exercised by the board and executive management with the goal of
Providing strategic direction
Ensuring that objectives are achieved
Ascertaining that risks are managed appropriately
Verifying that the enterprise’s resources are used responsibly”
“… is about
Conformance: adhering to legislation, internal policies, audit requirements, etc.
Performance: improving profitability, efficiency, effectiveness, growth, etc.”
What is IT Governance?
IT governance is a subset of enterprise governance.
“Governance of IT encompasses several initiatives for board members and executive management.
They must be aware of the role and impact of IT on the enterprise, define constraints within which IT professionals should operate, measure performance, understand risk and obtain assurance.”
IT Governance Institute
Balance of IT Governance Goals
The board must direct the balance between conformance and performance goals.
IT Governance Areas – IT Security Governance
IT security is a critical and integrated part of the five IT governance areas as defined by the IT Governance Institute.
Process Maturity Rating
0 Non-existent: The process (control/procedures) does not exist.
1 Initial/Ad hoc: The process is informal, undocumented and reactive.
2 Repeatable: The process is repeatable but may be applied inconsistently as needed.
3 Defined: The process is documented and communicated.
4 Managed: The process is implemented and measurable.
5 Optimizing: Managed process with continuous performance improvements utilizing best practices.
N/A Not Applicable: The process is not applicable to the review or has not been reviewed for other reasons.
Value of IT Governance
How the Masters of IT Deliver More Value and Less Risk – IT Policy Compliance Group, December 2010
How High Performance Organizations Manage IT – IT Policy Compliance Group, April 2011
Value of IT Governance
Mature IT Governance has a strong business value that improves the organization’s performance. The most mature organizations show:
7% higher profit margins than average
7-8% higher customer/patient satisfaction and retention than average
Less than half in regulatory compliance spending
Profile – Masters of IT: Practices of Best Performers
Revenue and profits that are 75 percent higher than industry peers
Customer retention-rates that are 50 percent higher than industry peers
Spending on IT budgets that is 30 percent higher than industry peers
Spending on information security that is 37 percent higher than peers
Business disruptions that are 100 percent lower than industry peers
Data loss or theft incidents that are 75 percent lower than industry peers
Audit deficiencies that are 65 percent less than industry peers
Best Performers – Masters of IT
IT Balanced Scorecards that are linked to business Balanced Scorecards
Ongoing IT Portfolio revision for effective management of asset use, growth strategy, value and risk
Strategic IT Maps that align value and risk between the business of the enterprise and IT
Standardization on COBIT, ISO and CIS benchmarks to preserve value, manage controls and mitigate risk
Best Performers – Masters of IT
Electronic systems of record in IT GRC systems for values, policies, controls, risks, assets and regulatory mandates
Automation of key procedures to manage value and risk
Daily, weekly and bi-monthly assessments to manage value and risk
Dashboards, scorecards and reporting focused on operating units, business units, business functions, regulatory mandates, across silos and people
IT Governance
“you can not manage what you can not measure.”
Roles and Responsibilities
Major/Main Responsibilities
Board: Strategic Direction
CEO: Delivery of Strategy
CIO: Implementation of Strategy
[Diagram labels: Accountability, Performance Measurement, Risk Management, Resource Management]
Roles/Responsibilities
ACCOUNTABILITY: Accountability applies to those who own the required resources and have the authority to approve the execution and/or accept the outcome of an activity within specific Risk IT processes.
RESPONSIBILITY: Responsibility belongs to those who must ensure that the activities are completed successfully.
Legend of the table:
When a cell is green, the role carries responsibility and/or partial accountability for the process.
When a cell is red, the role carries main accountability for the process. Only one role can be the main accountable for a given process.
Responsibilities & Accountability
IT Governance Architecture
[Figure: layered IT governance architecture (adapted from ITGI, 2007, p. 12)]
Drivers: PERFORMANCE (Business Goals); CONFORMANCE (HIPAA, PCI, etc.)
Enterprise Governance: COSO, Balanced Scorecards
IT Governance: COBIT
Best Practice Standards: RISK IT, ITIL, ISO27000/HITRUST, PMI, CMMi
Processes and Procedures: IT Risk Management, IT Service Management, Security/Risk Principles, Project Management, System Development
ISACA 2010 IT Governance Global Study
Well-known frameworks and solutions.
Selected IT governance frameworks
IT Governance Framework
[Figure: COSO, COBIT, ISO 9000, NIST and ITIL positioned between WHAT and HOW by SCOPE OF COVERAGE]
IT, IT Security Standards & Reference tools
IT
COBIT
RISK IT
ITIL
Unified Compliance Framework
Information Security
ISO 27000 series
BITS
NIST
HITRUST
COBIT 5
[Figure: evolution of scope – Audit (COBIT1, 1996), Control (COBIT2, 1998), Management (COBIT3, 2000), IT Governance (COBIT4.0/4.1, 2005/7), Governance of Enterprise IT (COBIT 5, 2012); Val IT 2.0 (2008); Risk IT (2009)]
A business framework from ISACA, at www.isaca.org/cobit
COBIT 5
COBIT Principles and Enablers
COBIT 5 Enterprise Enablers
COBIT – Principle 5
COBIT 5 Processes
COBIT 5 – Information Security
Business Model for Information Security (BMIS)
The focus on information security management system (ISMS) in the align, plan and organize (APO) management domain, APO13 Manage security, establishes the prominence of information security within the COBIT 5 process framework.
Enterprise Risk Management – RISK IT
Enterprise Risk: Strategic Risk, Environmental Risk, Market Risk, Credit Risk, Operational Risk, Compliance Risk
IT-related Risk
IT Benefit/Value Enablement Risk
• Technology enabler for new business initiatives
• Technology enabler for efficient operations
• …
IT Program and Project Delivery Risk
• Project relevance
• Project quality
• Projects overrun
• …
IT Operations and Service Delivery Risk
• IT Service interruptions
• Security issues
• Compliance issues
• …
Risk to Controls
What is ITIL
ITIL is a set of books
Documents best practices for IT services
Considered de facto standard
Creates a framework for IT Service Management – how you respond to customer needs
Developed in the late 1980s by the Office of Government Commerce in the UK
Incorporates both public and private sector best practices
V2 currently in wide-spread use
V3 is here, but not fully adopted yet
ISO 27000 Series
ISO/IEC 27000 - introduction to the family of standards plus a glossary of common terms (published in 2009)
ISO/IEC 27001 - standard for the establishment, implementation, control and improvement of the Information Security Management System
ISO/IEC 27002 - code of practice
ISO/IEC 27003 - Information security management system implementation guidance
ISO/IEC 27004 - standard on information security management measurements (security metrics) (published at the end of 2009)
ISO/IEC 27005 - designed to assist the satisfactory implementation of information security based on a risk management approach
ISO/IEC 27006 - a guide to the certification/registration process (published in 2007)
ISO 27011 - information security management guidelines for the telecommunications industry
ISO/IEC 27031 - Guidelines for information and communications technology readiness for business continuity
ISO/IEC 27033 - Network security overview and concepts
ISO/IEC 27035 - Security incident management
ISO 27799 - Information Security Management - Healthcare
ISO 27000 – in works
ISO/IEC 27007 - Guidelines for information security management systems auditing (focused on the management system)
ISO/IEC 27008 - Guidance for auditors on ISMS controls (focused on the information security controls)
ISO/IEC 27013 - Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
ISO/IEC 27014 - Information security governance framework
ISO/IEC 27015 - Information security management guidelines for the finance and insurance sectors
ISO/IEC 27032 - Guideline for cybersecurity (essentially, 'being a good neighbor' on the Internet)
ISO/IEC 27033 - IT network security, a multi-part standard based on ISO/IEC 18028:2006 (part 1 is published already)
ISO/IEC 27034 - Guideline for application security
ISO/IEC 27036 - Guidelines for security of outsourcing
ISO/IEC 27037 - Guidelines for identification, collection and/or acquisition and preservation of digital evidence
BITS
Risk management
Information security policy
Organization of information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information systems acquisition, development and maintenance
Incident and event management
Business continuity management
Compliance
Privacy
Financial regulation as well as ISO27002, PCI, COBIT
Expanding into other industries including Healthcare
Information Security Challenges Healthcare
Different regulatory requirements
Not integrated with existing common/best practices (ISO etc)
Changing frequently
Regional differences
Historically no healthcare specific common practices (except 27799)
Regulatory requirements not specific in several areas
Auditors use different ratings of “acceptable”
Departments using different frameworks to measure, assess, design, implement information security
Audit (COSO, COBIT)
IT (ITIL, NIST, CMMi etc)
Finance (IFAC)
Clinical (Joint Commission, etc)
Diversified IT environment
Tool complexity
Increased cost for security/compliance
ASP/Cloud computing/outsourcing increasing
Different terminology and risk acceptance
SAS70 Reports not sufficient from an information security perspective
Historically, lack of a tool to manage all the requirements with policies, common practices etc.
HITRUST Introduction
During 2008, the industry collaborated and came together in support of HITRUST to develop the Common Security Framework (CSF). The goal was a framework that was:
Prescriptive, certifiable, and scalable based on complexity and risk
Leverages existing standards and best practices, including
ISO 27001, 27002 and 27799
NIST 800-53 and 800-66
Health Insurance Portability and Accountability Act (HIPAA)
CoBIT
PCI Data Security Standard (PCI DSS)
Federal and state regulations
HITRUST Common Security Framework
[Figure: components of the HITRUST Common Security Framework]
Information Security Implementation Manual
Control Objectives (Primary Ref: ISO/IEC 27002:2005 & ISO/IEC 27001:2008)
Application/System Configuration Packs
Standards and Regulations Cross Reference Matrix (columns: HITRUST, NIST, COBIT, HIPAA; rows: Cntrl 1, Cntrl 2, Cntrl 3)
Compliance Reporting System
Self Assessment Process
Certification Process
Ongoing Enhancements
Standards and Materials Leveraged: U.S. Healthcare Industry Implementation Standards, HITRUST member experience, NIST 800 Series, Health Informatics ISO 27799, FTC Red Flags, Joint Commission, EHNAC & HITSP, CMS, Others
Existing Standards and Regulation Coverage
Common Security Framework (CSF) - Key Values
Prescriptive to ensure clarity (requirements and audit)
Certifiable to enable common understanding and acceptance
Scales according to type, size, and complexity of an organization
Addresses business specific requirements for each segment of the industry. These segments include:
Health plan, PBM, provider
Pharmacy, pharmaceutical manufacturer
Data exchange and clearing house
Risk-based approach to ensure organizations adopt the appropriate level of controls. This includes:
Risk contributing factors – elements that drive risk in an organization
Multiple levels of implementation requirements determined by risks and thresholds
Flexible to allow for circumstances where alternate controls must be utilized
Alternate Control process
Leverages existing globally recognized standards and avoids introducing additional redundancy and ambiguity into the industry
On-going Maintenance to address changes in regulatory requirements and common security standards
ISO 27002 Security Domains/Areas
ISO27002 – Information Security Program Maturity
Maturity Metric: 0=Non existent, 1=Initial/ad-hoc, 2=Repeatable but intuitive, 3=Defined process, 4=Managed and Measurable, 5=Optimized
[Chart: maturity level (0 to 5) per area, with Minimum Level marked]
Risk Assessment
Security policy
Security organization
Asset classification
HR security
Physical and environmental security
Communications and operations management
Access control
Acquisition, systems development and maintenance
Business continuity management
Incident Management
Compliance
Maturity Levels 1-5
Levels – Type of Organization
Level 1
BioTech Organizations: < $100,000 Spend on Research and Development Per Year
Pharmacy Companies: < 10,000,000 Prescriptions Per Year
Third Party Processor: < 10,000,000 Records Processed Per Year
Physician Practice: < 60,000 Visits Per Year
Medical Facilities / Hospital: < 1,000 Licensed Beds
Health Plan / Insurance: < 1,000,000 Covered Lives
IT Service Providers (Vendors): < 500 Employees
Level 2
BioTech Organizations: > $100,000 Spend on Research and Development Per Year
Third Party Processor: > 10,000,000 Records Processed Per Year
Physician Practice: > 60,000 Visits Per Year
Medical Facilities / Hospital: > 1,000 Licensed Beds
Health Plan / Insurance: > 1,000,000 Covered Lives
IT Service Providers (Vendors): > 500 Employees
Pharmacy Companies: > 10,000,000 Prescriptions Per Year
Level 3
BioTech Organizations: > $200,000,000 Spend on Research and Development Per Year
Third Party Processor: > 60,000,000 Records Processed Per Year
Physician Practice: > 180,000 Visits Per Year
Medical Facilities / Hospital: > 10,000 Licensed Beds
Health Plan / Insurance: > 7,500,000 Covered Lives
IT Service Providers (Vendors): > 2,500 Employees
Pharmacy Companies: > 70,000,000 Prescriptions Per Year
System Levels
Level 1
Processing PHI: No - AND -
Accessible from the Internet: No
Exchanges Data with a Business Partner: No
Third Party Support: No
Publicly Accessible: No
Number of Interfaces to Other Systems: < 25
Level 2
Processing PHI: Yes - AND -
Accessible from the Internet: Yes
Exchanges Data with a Business Partner: Yes
Third Party Support: Yes
Publicly Accessible: Yes
Number of Interfaces to Other Systems: > 25
Level 3
Processing PHI: Yes - AND -
Accessible from the Internet: Yes
Number of Users: > 5,500
Third Party Support: Yes
Number of Interfaces to Other Systems: > 75
Organization Profile & Risks
Determining Factor | Sample provider
Number of employees | 15000+
Volume of business - number of beds | 950
Volume of business - number of visits/year | 921,000
Number of applications | 170
Organization Domain Risk Profile
Control Category | Implementation Requirement (Level 1 / Level 2 / Level 3)
0 – Information Security Management System | X
2 – Human Resources Security | X
3 – Risk Assessment | X
4 – Security Policy | X
5 – Organization of Information Security | X
6 – Compliance | X
7 – Asset Management | X
8 – Physical and Environmental Security | X
Systems Profile and Risks
System Name | ePHI | Internet Access | Third Party Connectivity | Users | Transactions | Operating System
HIM | Yes | No | Yes | 12000+ | 100,000/day | Windows 2000
MRI (Medical Device) | Yes | No | Yes | 150 | 720/day | Windows 2000
Desktops | Yes | Yes | No | 15000+ | N/A | Windows XP
*Financial System | No | No | No | 200 | 2500/day | Windows 2003
*Email | Yes | Yes | No | 5000+ | 150,000/day | Windows 2003
Data Warehouse | Yes | No | No | 15 | 100,000/day | Windows 2000
Physician Portal | Yes | Yes | Yes | 200 | 3000/day | Unix
System Profile & Risks
System Domain Risk Profile – 1
Implementation Requirement (Level 1 / Level 2 / Level 3) per system
Control Category | HIM | Desktops | Financial System
1 – Access Control | X | X | X
9 – Communications and Operations Management | X | X | X
10 – Information Security Acquisition, Development and Maintenance | X | X | X
11 – Information Security Incident Management | X | X | X
12 – Business Continuity Management | X | X | X
HITRUST CSF Sample
HITRUST CSF Sample (Cont’d)
Scales according to type, size and complexity of the organization and system as determined by predefined criteria.
HITRUST CSF Sample (Cont’d)
Prescriptive to ensure clarity and consistency of implementation.
HITRUST CSF Sample (Cont’d)
Follows a risk-based approach to allow organizations to identify the appropriate level of controls. This includes multiple levels of Implementation Requirements as determined by risk.
HITRUST CSF Sample (Cont’d)
Consistency in audit procedures allows standardized comparisons and improves the secure exchange of data throughout the information’s lifecycle.
HITRUST CSF Sample (Cont’d)
Leverages existing globally and nationally recognized standards to expand on the implementation requirements of the framework and to avoid introducing additional redundancy and ambiguity into the industry.
HITRUST CSF Sample (Cont’d)
Allows organizations to drill down into the authoritative sources referenced in each control.
HITRUST CSF Sample (Cont’d)
Structured in accordance with ISO 27001 / 27002 standard.
Certifiable to assure common implementation and acceptance.
Certifications and Benchmarks
HITRUST Validations
Self-Assessment
Remote Assessment
On-site Assessment
HITRUST Certification
On-site Assessment – Requires a quality level of 3 to be certified
Benchmarks
PCI
FISMA
HIPAA
HITECH
State
Joint Commission
CMS
Contents
Introduction
65
IntroductionIT Governance PerspectiveIT & Information Security StandardsIT & Information Security StandardsHITRUST OverviewC S dCase StudyQ&A
2012 AHIA Annual Conference - www.ahia.org
Contents
Introduction
66
IntroductionIT Governance PerspectiveIT & Information Security StandardsIT & Information Security StandardsHITRUST OverviewC S dCase StudyQ&A
2012 AHIA Annual Conference - www.ahia.org
Question & Answers
Save the Date: August 25-28, 2013
32nd Annual Conference
Chicago, IL