Copyright © 2015 AHA Solutions, Inc. – 155 North Wacker Drive, Suite 400, Chicago, IL 60606 | 800.242.4677

AHA Solutions Signature Learning Series events are exclusively offered to hospital personnel. There is no charge to attend.
Facebook.com/AHASolutions | LinkedIn.com/company/AHA-Solutions | Twitter.com/aha_solutions

HIPAA Compliance Demands Information Risk Management Maturity
Featuring a Case Study with Sentara Healthcare
June 9, 2015

The audio for this webinar will be streamed through your computer; please make sure the speakers are turned on. If you prefer to access the audio portion via phone, please dial: When prompted by the operator, give the Passcode: 89517

Agenda
Introduction by Monique Showalter, AHA Solutions, Inc.
HIPAA Compliance Demands Information Risk Management Maturity, Featuring a Case Study with Sentara Healthcare
Kathy Jobes, Chief Information Security Officer, Sentara Healthcare
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US, CEO & Founder, Clearwater Compliance
Question and Answer Session

About this webinar
This educational event has been developed by AHA Solutions, Inc. together with Sentara Healthcare and Clearwater Compliance. We thank these organizations for their willingness to share their expertise. Health Care Information Privacy, Security, Compliance & Risk Management Solutions from Clearwater Compliance have earned the exclusive Endorsement of The American Hospital Association.

Kathy Jobes, Chief Information Security Officer, Sentara Healthcare
Kathy has over 25 years of experience working in health care; beginning her career in hospital operations, she worked in clinical, financial and IT roles before settling in IT security. Kathy's experience includes stints at Shands HealthCare and Bon Secours Health System, Inc., after which Ms. Jobes joined one of the nation's top integrated health care systems, Sentara Healthcare. As the Chief Information Security Officer at Sentara she is responsible for providing IT Security leadership and vision in the areas of identity and access management (IAM), Security Risk Management, governance, education, assurance and threat management. She is a trusted member of Sentara's senior leadership team, providing regulatory, operational and technical security guidance to senior executives, the Board and other members of the team. Ms. Jobes earned her B.S. in Health Sciences / Health Care Administration from the University of West Florida, and holds a certificate in Medical Informatics.

Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US, Chief Executive Officer, Clearwater Compliance LLC
CEO & Founder: Clearwater Compliance LLC
35+ years in Business, Operations and Technology
25+ years in Healthcare
Executive | Educator | Entrepreneur
Global Executive: GE, JNJ, HWAY
Responsible for the largest healthcare datasets in the world
Industry Expertise and Focus: Healthcare Covered Entities and Business Associates, Financial Services, Retail, Legal
Member: ACAP, AEHIS Foundation, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA, HCAA, ACHE, AHIMA, NTC, ACP, SIM, Chambers, Boards

Discussion Flow
1. Setting / Situation / Challenges - Kathy
2. Turning Point (Information Risk Management Maturity) - Kathy
3. Call to Arms - Kathy & Bob

Sentara Background
125-year not-for-profit history. Headquartered in Norfolk, VA. Sentara includes 12 hospitals, 5 medical groups, a 3,800-provider medical staff, the Optima Health plan, advanced imaging centers, home health and hospice, Nightingale air ambulance, rehab and therapy centers, and nursing and assisted living centers. Ranked as one of the nation's top integrated healthcare systems by Modern Healthcare for more than a decade. Complexity, High Growth, Lots of End Points.

Setting / Situation
1. Narrowly Focused IT Security Efforts
2. Siloed Risk Assessment approach: business line / focus area
3. Multiple Roles & Hats: Care Provider, Health Plan, Business Associate, Vendor
4. Increasing Participation in Federal Programs
5. Meaningful Use Attestations

Standard OCR Investigation Letter Request
"9. Please submit a copy of XYZ Hospital's most recent risk analysis, as well as a copy of all risk analyses performed for or by XYZ Hospital within the past 6 years pursuant to 45 C.F.R. (a)(1)(ii)(A). If no risk analysis has been performed, please state so."

The Inevitable Audits
OCR's permanent HIPAA audit program is slated to begin in 2015. ~200 Covered Entities to be selected for desk audits. An equal number or fewer BAs selected for desk audits. A greater number of on-site audits, but no specific number given yet.
Only documentation submitted on time is reviewed. All documentation must be current as of the date of the request. Auditors will not be able to contact the entity for clarifications or ask for additional information. It is critical that documentation accurately reflects the program.

2015 CE Desk Audit Scope
Security: Risk Analysis and risk management
Breach: Content and timeliness of breach notifications
Privacy: Notice of Privacy Practices and Access

2015 BA Desk Audit Scope
Security: Risk Analysis and risk management
Breach: Breach reporting to covered entities

Recent FBI Healthcare Alerts: April / August 2014
"Because the healthcare industry is not as resilient to cyber intrusions [as] the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely ..."
"... observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII)."
Healthcare is the Next Cyber Security Battleground.

Links in the Security Chain: Management, Operational and Technical Controls
Adversaries attack the weakest link. Where is ours?

Priorities / Challenges
1. Un-quantified Risk = Undefined Risk Tolerance
2. Distributed Security Functions and Responsibilities
3. Flat Landscape: Everything is treated Equal
4. Framework and Strategy
5. Information Security Integration: business, workforce, organization risk
6. Governance

Turning Point
1. Set Strategy and Vision
2. Identified and Vetted Candidate Partners
3. Chose a Partner with Compatible Vision / Strategy to Create a Platform and Teach Us How to Fish
4. Adopted the NIST Framework; Embraced the Information Risk Management Capability Advancement Model (IRMCAM)

NIST Security Framework
NIST SP Revision 1, Guide for Conducting Risk Assessments
NIST SP, Contingency Planning Guide for Federal Information Systems
NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
NIST SP, Managing Information Security Risk
NIST SP800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP800-53A, Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
NIST SP, Technical Guide to Information Security Testing and Assessment
MU Stage 2 Hospital Core 7: Protect Electronic Health Info
CMS MU Stage 1 vs Stage 2 Comparison Tables for Hospitals
CMS Security Risk Assessment Fact Sheet (Updated)
NIST Risk Management Framework 2009
Remember! The Security Rule is Based on NIST!

NIST Risk Management

Actions Taken
1. Assigned Responsibility and Authority
2. Formed Clearwater Partnership
3. Defined Program Elements: categorize, select, implement, assess, authorize, monitor (begin again)
4. Centralized Documentation
5. Standardized Tracking and Reporting Protocols
6. Engaged Leadership
7. Assessed Maturity Level

Outcomes
1. Completed Bona Fide Risk Analyses: A. 11 Hospitals; B. 133 EPs
2. Added Staff
3. Started Knowledge Transfer
4. Created Reporting Format
5. Established Governance
6. Initiated Executive Dashboard Development
7. Formalized Risk Response Approach
8. Expanded Program to other Business Units

Bottom Line Up Front (BLUF)
1. HIPAA Compliance Demands Information Risk Management
2. Too many BOD / C-Suites are not educated and, therefore, far too disengaged from information risk management
3. Too few organizations are working to complete bona fide risk management AND mature their information risk management processes
4. Too many people are trying to check-list their way to security with "Top Challenges Facing CISOs"-type lists
5. Too few people understand risk, not to mention information risk analysis and risk management
6. It's a patient safety / quality of care / information risk issue, not a HIPAA compliance issue
WE MUST CHANGE THE CONVERSATION!

Types of Risk
Think: what causes loss or harm to stakeholders?
1. Legal
2. Regulatory Compliance
3. Financial
4. Operational
5. Strategic
6. Reputational
7. Clinical
8. Others
9. Information Risk, Anyone?

"First, Do No Harm." - Hippocrates, 4th Century B.C.E., OR Auguste François Chomel (1788-1858), Parisian pathologist and clinician
It's a Patient Safety / Quality of Care Journey, Not a HIPAA Compliance Destination

The Risk Problem We're Trying to Solve
My PHI / ePHI; PHI, PII; Credit Card, Intel. Prop.
What if my Protected Health Information is not complete, up-to-date and accurate? (INTEGRITY)
What if my Protected Health Information is shared? With whom? How? (CONFIDENTIALITY)
What if my Protected Health Information is not there when it is needed? (AVAILABILITY)
Don't Compromise C-I-A!

Connect the Dots!
Timely Care, Access to Care, Quality and Safe Care: Availability, Integrity, Confidentiality

How Clearwater Assisted Sentara Healthcare
Proven, Flexible Engagement Model - 100s of Successes | We Want Our Customers to Become Self-Sufficient
We do it for you: Clearwater provides content, strategy, leadership, tools, software and resources to complete gap assessments and risk analyses. Customer reviews recommendations.
We do it with you: Clearwater and Customer teams perform gap assessments and risk analyses, validate findings, observations and recommendations, prioritize remediation items and develop recommendations.
We train you to do it: Clearwater teaches Customer how to perform gap assessments & risk analyses AND to measure information risk management maturity levels to establish continuous process improvement.

Specific Solutions Provided by Clearwater
1. Clearwater IRM|Analysis Software
2. Clearwater Trade-marked Professional Services WorkShop
3. Clearwater Information Risk Management Capability Advancement Model (IRMCAM)

1. Be both!! Tactical - Technical - Spot welding, and Strategic - Business-oriented - Architectural!
2. Do a real, comprehensive risk analysis ASAP to understand your risks!
3. Initiate the process of an IRM Program Strategic Assessment and determine your current maturity level.
It's a Patient Safety / Quality of Care Journey, Not a HIPAA Compliance Destination

We Invite Your Questions!
To submit a question, please type your question on the left-hand side of your presentation screen.

Contact Information
Kathy Jobes, Chief Information Security Officer, Sentara Healthcare
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US, CEO & Founder, Clearwater Compliance
Monique Showalter, AHA Solutions, Inc.
For more information on AHA Solutions or Clearwater Compliance please visit www.aha-solutions.org
Follow us! #AHASealServes

Join Us: Upcoming AHA Solutions Signature Learning Series Webinars
Care Transitions: Using Remote Patient Monitoring to Improve Outcomes, Cost and Patient Experience - Wednesday, June 10, noon - 1 pm Central
Spotlight on Case Management Excellence, Featuring Stephen Ricks from Seton Family of Hospitals - Thursday, June 11, noon - 1 pm Central
To learn more or to register, call or visit

A New Network for Health Care Leaders
Launched by the American Hospital Association, AHA SmartMarket is a FREE social collaboration website for health care professionals.
Customize your experience: Create a personal profile to deliver custom information based on trending issues facing health care leaders.
Build a circle of trust: Connect with peers and industry experts to build your professional network specific to health care.
Share your experiences: Join discussions to share successes achieved and efficiencies gained.
Find answers, ideas and innovation: View ratings and reviews from trusted connections in your network, and leave your own ratings and feedback on what's worked effectively for your organization.
Register now at AHASmartMarket.com

Thank You! AHA Solutions, Inc. values your participation and interest in our Signature Learning Series events. For further information on other educational events and our endorsed products, please visit