We know the healthcare environment, where security is not optional. We know the common risks associated with healthcare: emerging technology, data and information explosion, the wireless world, the care continuum, patients' expectation of privacy, and compliance fatigue. We address the three main components of risk management: people, process and tools. Our process ensures compliance with HIPAA.
2. Operating Snapshot: We Know the Healthcare Environment
• Security is Not Optional: Starting this year, providers can be fined up to $1.5 million for a HIPAA violation.
• Large Number of Temporary Workers: The number of volunteers and 3rd-party personnel supporting hospitals is so large that it is generally impossible to control access manually.
• Consumer Devices Need to be Secured: Clinicians are often overworked and intuitively bring their own tools to help improve productivity.
• Need to Adapt and Federate: Hospitals tend to rely on a multitude of applications, often hosted and managed by 3rd-party vendors.
• Break Glass Functionality: Patient care is of utmost importance, and hence access to patient data must be available in case of emergencies.
• Quick Switching: Clinicians on the floor typically share computers (and, most often, passwords).
3. Common Risks
• Data and Information Explosion: Data volumes are doubling every 18 months. Storage, security, and discovery around information context are becoming increasingly important.
• Care Continuum: The chain is only as strong as the weakest link. Partners need to shoulder their fair share of the load for compliance and the responsibility for failure.
• Patients Expect Privacy: An assumption or expectation now exists to integrate security into the infrastructure, processes and applications to maintain privacy.
• Compliance Fatigue: Organizations are trying to maintain a balance between investing in both the security and compliance postures.
• Emerging Technology: Virtualization and cloud computing increase infrastructure complexity. Web 2.0 and SOA-style composite applications introduce new challenges, with the applications becoming a vulnerable point for breaches and attack.
• Wireless World: Mobile platforms are developing as new means of identification. Mobile security technology is many years behind the security used to protect PCs.
4. Risk Management
People
• Drug Testing
• Background Testing
• NDAs
• HIPAA Compliance Training
Process
• Identify what needs to be audited and controlled
• Define who needs access to what
• Establish auditing and control processes
Tools
• Restricted physical access
• Restricted equipment access
• Restricted network access
• Restricted data access
• Email & Web Monitoring
5. People - Onboarding Checklist (Onboarding Process)
Calance employees sign Non-Disclosure Agreements specific to the client.
Every employee signs a "Work for Hire" contract for the client, transferring the intellectual property to the client.
Background checks and drug testing: All Calance employees in the Healthcare COE have to go through background checks and 10-panel drug testing.
Calance HR maintains a chain of custody for all records.
Customers are provided a copy of the reports, if needed.
6. People - Training (Compliance Training)
Calance uses an in-house LMS for training and skills assessment.
Every employee is required to complete mandatory HIPAA Compliance and Privacy training.*
At the end of the training, the employees are prompted with test scenarios.
HIPAA compliance training can be scheduled periodically, based on client needs.
* Training material is sourced from certified trainers or based on client requirements: http://www.hhs.gov/ocr/privacy/hipaa/understanding/training/
7. Tools - Restricted Office Space
Calance can create physical separation of staff in its Gurgaon (India) and Buena Park, CA offices.
Restricted office space uses biometric scanners and RFID cards.
Access to the restricted floor requires a PIN, changed periodically.
A single on-boarding and off-boarding process is shared with the client.
Data Center access requires additional approvals from Systems Engineering and a VP.
8. Tools - Network and Equipment (Equipment & Access Control)
Healthcare clients are cordoned off in their own subnet.
Point-to-point encryption is used between the client network and Calance.
Encrypted hard disks and/or BitLocker are used.
All computers utilize client-specific software images.
No admin access is granted to install personal software.
No access to USB ports.
No backup devices are allowed on the restricted floor.
Two-factor authentication is used to access the network.
10. Administration and Auditing
Calance has a 24x7 NOC in Buena Park, CA, monitoring infrastructure hosted in our data center, client locations, co-location facilities and the public cloud.
Systems Engineering works with the compliance and security architects to create Role-Based Access.
Besides typical monitoring, the Calance NOC can audit emails and web traffic for any policy violations.
Federated Cloud Security Solutions: Calance employees are certified in architecting and setting up enterprise systems on Amazon EC2 and Microsoft Azure.*
* See HIPAA Compliant Hybrid Cloud Service Offering
11. Technology Partnerships
We have established strategic partnerships with the industry leaders for Identity & Access Management solutions in the Healthcare industry.
Calance has deployed custom solutions at reputed Healthcare organizations using these tools.
12. Process - Audit and Process Improvements
Continuous Improvement: Calance employs an independent agency for a yearly audit of security procedures.
Current Certifications:
CMM Level 5 and ISO 9001:2008 certified for quality and project management processes.
SSAE 16 Type II certified datacenter, help desk, application & desktop support.
13. CONTACT US
Calance Healthcare Group
2018, 156th Ave NE
Suite 100
Bellevue, WA 98007
Gaurav Garg
Vice President
ggarg@calance.com
Tel: 425-605-0716
Cell: 818-620-0329
www.calance.com
info@calance.com
866-736-5500 (Toll-Free)
Healthcare page:
www.calanceus.com/solutions/healthcare/