Building HIPAA Compliance in Service Delivery Teams
TRANSCRIPT
RISK MANAGEMENT PROCESS For Healthcare Organizations
Operating Snapshot
• Security is Not Optional: Starting this year, providers can be fined up to $1.5 million for a HIPAA violation.
• Large Number of Temporary Workers: The number of volunteers and 3rd-party personnel supporting hospitals is so large that it is generally impossible to control access manually.
• Consumer Devices Need to be Secured: Clinicians are often overworked and intuitively bring in tools to help improve productivity.
• Need to Adapt and Federate: Hospitals tend to rely on multitudes of applications, often hosted and managed by 3rd-party vendors.
• Break Glass Functionality: Patient care is of utmost importance, and hence access to patient data must be available in case of emergencies.
• Quick Switching: Clinicians on the floor typically share computers (and, most often, passwords).
We Know the Healthcare Environment
Common Risks
Data and Information Explosion: Data volumes are doubling every 18 months. Storage, security, and discovery around information context are becoming increasingly important.
Care Continuum: The chain is only as strong as the weakest link. Partners need to shoulder their fair share of the load for compliance and the responsibility for failure.
Patients Expect Privacy: An assumption or expectation now exists to integrate security into the infrastructure, processes and applications to maintain privacy.
Compliance Fatigue: Organizations are trying to maintain a balance between investing in the security posture and investing in the compliance posture.
Emerging Technology: Virtualization and cloud computing increase infrastructure complexity. Web 2.0 and SOA-style composite applications introduce new challenges, with the applications becoming a vulnerable point for breaches and attacks.
Wireless World: Mobile platforms are developing as new means of identification. Their security technology is many years behind the security used to protect PCs.
Risk Management
People
• Drug Testing
• Background Testing
• NDAs
• HIPAA Compliance Training
Process
• Identify what needs to be audited and controlled
• Define who needs access to what
• Establish auditing and control processes
Tools
• Restricted physical access
• Restricted equipment access
• Restricted network access
• Restricted data access
• Email & Web Monitoring
People- Onboarding Checklist
Calance employees sign Non-Disclosure Agreements specific to the client.
Every employee signs a “Work for Hire” contract for the client, transferring the intellectual property to the client.
Background checks and drug testing: All Calance employees in the Healthcare COE have to go through background checks and 10-panel drug testing.
Calance HR maintains a chain of custody for all records.
Customers are provided a copy of the reports, if needed.
Onboarding Process
People-Training
Compliance Training: Calance uses an in-house LMS for training and skills assessment. Every employee is required to complete mandatory HIPAA Compliance and Privacy training*.
At the end of the training, the employees are prompted with test scenarios.
HIPAA compliance training can be scheduled periodically, based on client needs.
* Training material sourced from certified trainers or based on client requirements: http://www.hhs.gov/ocr/privacy/hipaa/understanding/training/
Training
Tools- Restricted Office Space
Calance can create physical separation of staff in the Gurgaon (India) and Buena Park, CA offices.
Restricted office space uses biometric scanners and RFID cards.
Access to the restricted floor requires a PIN, changed periodically.
A single on-boarding and off-boarding process is shared with the client.
Data Center access requires additional approvals from System Engineering and a VP.
Tools- Network and Equipment
Network and Equipment Access
Healthcare clients are cordoned off in their own subnet.
Point-to-point encryption between the client network and Calance.
Encrypted hard disks and/or BitLocker.
All computers utilize client-specific software images.
No admin access to install personal software.
No access to USB ports.
No backup devices are allowed on the restricted floor.
Two-factor authentication is used for access to the network.
Equipment & Access Control
TECHNOLOGY AND AUDITING Process Overview
Administration and Auditing: Calance has a 24x7 NOC in Buena Park, CA, monitoring infrastructure hosted in our data center, client locations, co-location facilities and the public cloud.
Systems Engineering works with the compliance and security architects to create Role Based Access.
Besides typical monitoring, the Calance NOC can audit emails and web traffic for any policy violations.
Federated Cloud Security Solutions: Calance employees are certified in architecting and setting up enterprise systems on Amazon EC2 and Microsoft Azure*
*See HIPAA Compliant Hybrid Cloud Service Offering
Technology Partnerships
We have established strategic partnerships with the industry leaders in Identity & Access Management solutions for the Healthcare industry.
Calance has deployed custom solutions at reputed Healthcare organizations using these tools
Process- Audit and Process Improvements
Calance employs an independent agency for yearly audit of security procedures
Current Certifications
Continuous Improvement
CMM Level 5 and ISO 9001:2008 certified for quality and project management processes.
SSAE 16 Type II certified datacenter, help desk, application & desktop support.
CONTACT US
Calance Healthcare Practice, 2018 156th Ave NE, Suite 100, Bellevue, WA 98007
Gaurav Garg, Vice President, [email protected], Tel: 425-605-0716, Cell: 818-620-0329
[email protected] (Toll-Free)