Building HIPAA Compliance in service delivery teams

Upload: gaurav-garg

Post on 14-Apr-2017

Category: Healthcare

Page 1: Building HIPAA Compliance in service delivery teams

RISK MANAGEMENT PROCESS For Healthcare Organizations

Page 2

Operating Snapshot

• Security is Not Optional: Starting this year, providers can be fined up to $1.5 million per year for violations of a single HIPAA provision.

• Large Number of Temporary Workers: The number of volunteers and third-party personnel supporting hospitals is so large that it is generally impossible to control access manually.

• Consumer Devices Need to be Secured: Clinicians are often overworked and intuitively bring their own tools to improve productivity.

• Need to Adapt and Federate: Hospitals tend to rely on a multitude of applications, often hosted and managed by third-party vendors.

• Break Glass Functionality: Patient care is of utmost importance, so access to patient data must remain available in emergencies.

• Quick Switching: Clinicians on the floor typically share computers (and, most often, passwords).

We Know the Healthcare Environment

Page 3

Common Risks

Data and Information Explosion: Data volumes are doubling every 18 months. Storage, security, and discovery of information in context are becoming increasingly important.

Care Continuum: The chain is only as strong as its weakest link. Partners need to shoulder their fair share of the compliance load and of the responsibility for failure.

Patients Expect Privacy: An assumption or expectation now exists that security is integrated into the infrastructure, processes and applications to maintain privacy.

Compliance Fatigue: Organizations are trying to maintain a balance between investing in their security posture and investing in their compliance posture.

Emerging Technology: Virtualization and cloud computing increase infrastructure complexity. Web 2.0 and SOA-style composite applications introduce new challenges, with the application layer becoming a vulnerable point for breaches and attacks.

Wireless World: Mobile platforms are emerging as a new means of identification, yet mobile security technology is many years behind the security used to protect PCs.

Page 4

Risk Management

People
• Drug Testing
• Background Checks
• NDAs
• HIPAA Compliance Training

Process
• Identify what needs to be audited and controlled
• Define who needs access to what
• Establish auditing and control processes

Tools
• Restricted physical access
• Restricted equipment access
• Restricted network access
• Restricted data access
• Email & Web Monitoring

Page 5

People - Onboarding Checklist

Calance employees sign Non-Disclosure Agreements specific to the client.

Every employee signs a "Work for Hire" contract for the client, transferring the intellectual property to the client.

Background checks and drug testing: All Calance employees in the Healthcare COE have to go through background checks and 10-panel drug testing.

Calance HR maintains a chain of custody for all records.

Customers are provided a copy of the reports, if needed.

Onboarding Process

Page 6

People - Training

Compliance Training: Calance uses an in-house LMS for training and skills assessment.

Every employee is required to complete mandatory HIPAA Compliance and Privacy training.*

At the end of the training, employees are prompted with test scenarios.

HIPAA compliance training can be scheduled periodically, based on client needs.

* Training material is sourced from certified trainers or based on client requirements: http://www.hhs.gov/ocr/privacy/hipaa/understanding/training/

Training

Page 7

Tools - Restricted Office Space

• Calance can create physical separation of staff in its Gurgaon (India) and Buena Park, CA offices
• Restricted office space uses biometric scanners and RFID cards
• Access to the restricted floor requires a PIN, changed periodically
• A single on-boarding and off-boarding process is shared with the client
• Data Center access requires additional approvals from System Engineering and a VP

Page 8

Tools - Network and Equipment

Network and Equipment Access
• Healthcare clients are cordoned off in their own subnet
• Point-to-point encryption between the client network and Calance
• Encrypted hard disks and/or BitLocker
• All computers use client-specific software images
• No admin access to install personal software
• No access to USB ports
• No backup devices are allowed on the restricted floor
• Two-factor authentication is required for network access

Equipment & Access Control

Page 9

TECHNOLOGY AND AUDITING Process Overview

Page 10

Administration & Auditing

Calance has a 24x7 NOC in Buena Park, CA, monitoring infrastructure hosted in our data center, client locations, co-location facilities and the public cloud.

Systems Engineering works with the compliance and security architects to create Role Based Access.

Besides typical monitoring, the Calance NOC can audit emails and web traffic for policy violations.

Federated Cloud Security Solutions: Calance employees are certified in architecting and setting up enterprise systems on Amazon EC2 and Microsoft Azure.*

* See HIPAA Compliant Hybrid Cloud Service Offering
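The break-glass requirement on the Operating Snapshot slide and the Role Based Access built by Systems Engineering on this slide are two halves of one control: roles grant routine access only to patients a clinician is assigned to, and an emergency override opens a short, logged window that bypasses the assignment check but never the audit. The Python below is an added example, not Calance's code or any product named in this deck; the roles, actions, patient IDs, the 30-minute window and the in-memory audit log are constructed assumptions.

```python
"""Role-based access with an audited, time-bounded break-glass override.

Added example (not Calance's code). All policy values below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed policy: actions each role may perform on patients it is assigned to.
ROLE_PERMISSIONS = {
    "attending_physician": {"read_record", "write_orders"},
    "nurse": {"read_record", "write_vitals"},
    "billing_clerk": {"read_billing"},
    "volunteer": set(),
}

# Only clinical roles may break glass, only to read, and only for a short window.
CLINICAL_ROLES = {"attending_physician", "nurse"}
BREAK_GLASS_ACTIONS = {"read_record"}
BREAK_GLASS_TTL = timedelta(minutes=30)  # assumed window


@dataclass
class BreakGlassGrant:
    user: str
    patient_id: str
    reason: str
    expires_at: datetime


@dataclass
class Decision:
    allowed: bool
    via: str  # "role", "break_glass" or "denied"
    reason: str


@dataclass
class AccessControl:
    assignments: dict  # user -> set of patient_ids (treatment relationship)
    audit_log: list = field(default_factory=list)
    grants: dict = field(default_factory=dict)  # (user, patient_id) -> BreakGlassGrant

    def _audit(self, now, **event):
        entry = {"ts": now.isoformat(), **event}
        self.audit_log.append(entry)
        return entry

    def request_break_glass(self, user, role, patient_id, reason, now):
        """Open an emergency grant. Refusals and grants are both audited."""
        if role not in CLINICAL_ROLES or not reason.strip():
            self._audit(now, event="break_glass_refused", user=user, role=role,
                        patient=patient_id)
            return None
        grant = BreakGlassGrant(user, patient_id, reason.strip(), now + BREAK_GLASS_TTL)
        self.grants[(user, patient_id)] = grant
        self._audit(now, event="break_glass_opened", user=user, role=role,
                    patient=patient_id, reason=grant.reason,
                    expires=grant.expires_at.isoformat(), needs_review=True)
        return grant

    def check(self, user, role, patient_id, action, now):
        """Routine path: role permits the action AND the patient is assigned."""
        if action in ROLE_PERMISSIONS.get(role, set()) and \
                patient_id in self.assignments.get(user, set()):
            self._audit(now, event="access", user=user, patient=patient_id,
                        action=action, via="role")
            return Decision(True, "role", "role permits action on assigned patient")
        # Emergency path: valid, unexpired grant, read-only, flagged for review.
        grant = self.grants.get((user, patient_id))
        if grant is not None and now < grant.expires_at and action in BREAK_GLASS_ACTIONS:
            self._audit(now, event="access", user=user, patient=patient_id,
                        action=action, via="break_glass", needs_review=True)
            return Decision(True, "break_glass", "emergency grant: " + grant.reason)
        if grant is not None and now >= grant.expires_at:
            self.grants.pop((user, patient_id), None)  # expire lazily
        self._audit(now, event="denied", user=user, patient=patient_id, action=action)
        return Decision(False, "denied", "no role permission and no valid emergency grant")

    def pending_review(self):
        """Every break-glass event the privacy officer must look at."""
        return [e for e in self.audit_log if e.get("needs_review")]


def demo():
    """Constructed scenario: a nurse reads an assigned patient, is denied an
    unassigned one, breaks glass for it, and loses access when the window ends."""
    t0 = datetime(2017, 4, 14, 9, 0, tzinfo=timezone.utc)
    ac = AccessControl(assignments={"nurse_kim": {"P-100"}})
    d1 = ac.check("nurse_kim", "nurse", "P-100", "read_record", t0)
    d2 = ac.check("nurse_kim", "nurse", "P-200", "read_record", t0)
    ac.request_break_glass("nurse_kim", "nurse", "P-200", "ED arrival, unresponsive", t0)
    d3 = ac.check("nurse_kim", "nurse", "P-200", "read_record", t0 + timedelta(minutes=5))
    d4 = ac.check("nurse_kim", "nurse", "P-200", "write_orders", t0 + timedelta(minutes=5))
    d5 = ac.check("nurse_kim", "nurse", "P-200", "read_record", t0 + BREAK_GLASS_TTL)
    refused = ac.request_break_glass("vol_lee", "volunteer", "P-200", "curious", t0)
    return ac, [d1, d2, d3, d4, d5], refused


if __name__ == "__main__":
    ac, decisions, _ = demo()
    for d in decisions:
        print(d)
    print(len(ac.pending_review()), "break-glass events awaiting review")
```

The design point is that break glass relaxes only the treatment-relationship check and only for reads; the user is still authenticated, still limited to a clinical role, and every grant and every use lands in the audit log with a review flag, which is what a NOC or privacy officer would reconcile against the shift roster.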

Page 11

Technology Partnerships

We have established strategic partnerships with the industry leaders in Identity & Access Management solutions for the Healthcare industry.

Calance has deployed custom solutions at reputed Healthcare organizations using these tools.

Page 12

Process - Audit and Process Improvements

Continuous Improvement: Calance employs an independent agency for a yearly audit of security procedures.

Current Certifications:
• CMM Level 5 and ISO 9001:2008 certified for quality and project management processes.
• SSAE 16 Type II certified datacenter, help desk, application & desktop support.

Page 13

CONTACT US

Calance Healthcare Practice
2018 156th Ave NE, Suite 100
Bellevue, WA 98007

Gaurav Garg, Vice President
[email protected]
Tel: 425-605-0716
Cell: 818-620-0329

[email protected] (Toll-Free)