SEMHIMA Presentation Final 06052012


Presentation for the South Eastern Michigan Health Information Management Association


  1. • HFHS Overview
       ◦ Landscape
       ◦ Then vs. Now
     • HIPAA/HITECH Overview
     • Use of PHI
     • Disclosures of PHI
     • Operational Considerations
       ◦ Breach Response Plan
       ◦ Risk Tolerance Assessment
       ◦ Rapid Response Teams
       ◦ Branding Opportunities
       ◦ Communication Strategy
       ◦ Breach Response Partners
       ◦ Continuous Education
       ◦ Elimination of Immediate Risk
       ◦ Breach Insurance (Cyber Insurance)
       ◦ Social Media Exposure
  2. • Founded in 1915 and comprised of
       ◦ 4 Acute Care Facilities (approx. 2000 beds)
       ◦ 1200 Member Medical Group & 500 Member Physician Network
       ◦ Health Plan serving approximately 640,000 members
       ◦ Home Health, retail pharmacy, optical care, Hospice, Occupational Health, Extended Care divisions
     • In 2011
       ◦ Awarded the prestigious Malcolm Baldrige National Quality Award
       ◦ Approximately 31,000 workforce members
       ◦ 3.3 million outpatient visits; 89,000 surgical procedures; 101,396 patients admitted to HFHS hospitals
       ◦ Revenue, $4.22 billion; net income, $21.5 million; uncompensated care, $210 million
  3. • HFHS is entering into new territory to ensure synergy between Privacy & Security – Culture of Confidentiality
     • Then…
       ◦ Privacy was a subset of Corporate Compliance
       ◦ Security was a subset of Information Technology
       ◦ Competing priorities diminished the focus on both
       ◦ Decentralized approach throughout the System
       ◦ Lean resources to carry out the Privacy & Security Mission
     • Observation
       ◦ Due to lean resources, competing priorities and fragmented oversight, Privacy & Security compliance was misaligned with the HFHS Mission & Vision
  4. • Now…
       ◦ Established the new Information Privacy Office with an expanded scope to include all confidential data and not just patient-focused data
       ◦ IPO is a subset of Information Technology under the leadership of the Chief Information Officer, which creates better opportunities for synergy with the Information Security Office
       ◦ Priorities are streamlined and standardized between the two offices…confidentiality foundation
       ◦ Centralized corporate IPO resources to ensure consistency in approach System wide
     • Observation
       ◦ This will be the catalyst in creating a culture of confidentiality related to any sensitive data protected by various regulations and laws
  5. • Convened a workgroup to create an incident response plan prior to the 2009 compliance date
       ◦ Reviewed HITECH regulations and documented process and plan
       ◦ Conducted research with other organizations to determine how to address the “risk of harm” standard
       ◦ Created manual process for conducting breach risk assessments
       ◦ Applied plan to previous breaches to vet approach
  6. • Stolen laptop with patient information of approximately 4000 exposed patients
     • Data stored in a compiled spreadsheet by a clinician
     • Laptop was unencrypted and the physical security of the office was compromised due to an open door
     • Breach response was an internal effort utilizing HFHS staff members
       ◦ Call center support, notification management, etc.
       ◦ Assessment → Notification: 56 days
  7. • The 56-day response time was outside of our service standards and proved that our response plan was flawed
     • Assuming responsibility for the entire breach response lifecycle was extending our response time
     • A breach response partner, with proven experience, was necessary to ensure that we could meet our 4-week target response deadline
     • Communication of our incident response plan failed due to lack of branding and continuous reinforcement (8 x 8 Rule)
     • The workforce didn’t understand the urgency during the assessment phase due to a flawed communication and education plan
  8. • Secured a breach response partner that had a strong focus in the healthcare market
       ◦ Wanted a partner and not an out-sourced solution
       ◦ ID Experts (
     • Chartered a Code B Alert (Rapid Response) Team
     • Branded a breach response communication plan
       ◦ Code B Alert Program
       ◦ Internal Communication to Workforce
       ◦ External Communication to Patients, Media & OCR
     • Immediately engaged our breach response partner during our next incident
       ◦ Assessment → Notification: 18 days
  9. • Led by the Chief Privacy Officer and the Chief Information Security Officer
       ◦ Includes representation from Legal, Public Relations, Human Resources, Risk Management, Business Unit Leadership
       ◦ All incidents begin with a Code A(ssessment) that assesses and determines if a breach has occurred
         ▪ Includes representation from Legal, IPO & ISO
         ▪ Once a “Breach” has been called, the Code B Alert (Rapid Response) Team works with our breach response partner to respond to the breach
     • Branded communication plan consistently utilized throughout the system and managed corporately instead of at the business unit level
  10. • Flash drive lost
        ◦ Approximately 3000 patients affected with significant risk of harm
        ◦ Even though response time was decreased and the communication plan was effective, we found another concern: portable storage devices
          ▪ How do we protect the data?
          ▪ How do we encrypt the data?
          ▪ What is our policy around flash drives and their usage within HFHS?
          ▪ How do we protect the integrity/security of our network?
          ▪ How do we decrease the flash drive footprint at HFHS?
          ▪ Our answer…The iComply Program!
  11. • System wide effort coordinated by the Information Privacy & Information Security Offices
      • All employees were required to visit one of 20 “IT staffed” stations to turn in all personal flash drives for our approved IronKeys solution
        ◦ Registered hundreds of external hard drives and personal laptops
      • The stations were also a place to enter into the drawing for an iPad2
        ◦ Entries were a crossword puzzle based on our privacy & security policies
      • Approximately 5000 flash drives collected within a 4-week period
  12. • Create a “secret shopper” monitoring program to test your privacy policies and practices
      • Consider pushing the cost to respond to the data breach to the offending department once education has occurred system-wide
      • Utilize contests/incentives to drive workforce members to your privacy & security policies
        ◦ Crossword puzzles
        ◦ Scavenger hunts
        ◦ Encourage department “friendly” competition
  13. • iComply – Phase 2
        ◦ Security and encryption of mobile devices
        ◦ Consumer device usage by guests/patients
        ◦ Continuous education
        ◦ Apple support program (i.e., iPads, iPhone, etc.)
      • Social Media Monitoring
      • iPad Patient Rounding
      • Data Loss Prevention Program Implementation
      • Increased synergy between Privacy & Security Departments to reinforce our culture of confidentiality
  14. • Assess your organization’s culture to determine the best approach for breach response
        ◦ Risk Tolerance Assessment
        ◦ Rapid Response Teams
        ◦ Branding Opportunities
        ◦ Communication Strategy
        ◦ Breach Response Partners
        ◦ Continuous Education
        ◦ Elimination of Immediate Risk
        ◦ Breach Insurance (Cyber Insurance)
  15. Meredith R. Phillips, CHC, CHPC
      Chief Privacy Officer
      Henry Ford Health System
      One Ford Place, Suite 2A
      Detroit, MI 48202
      313-874-5168
      Twitter: @mphillipschc