If you work with healthcare providers, you need to weave HIPAA compliance in your DNA. In this presentation, I share my approach for building a consulting team focussed on Healthcare clients.

1. RISK MANAGEMENT PROCESS For Healthcare
Organizations
1

2. 2
Operating Snapshot
Starting this year, providers
can be fined up to $1.5
million for a HIPAA violation
• Security is Not Optional
Number of volunteers and
3rd party personals
supporting hospitals is just
too large that it is generally
impossible to manually
control access
• Large Number of Temporary Workers
Clinicians are often
overworked and intuitively
bring tools to help improve
productivity
• Consumer Devices need to be Secured
Hospitals tend to rely on
multitudes of applications,
often hosted and managed
by 3rd party vendors
• Need to Adapt and Federate
Patient care is of utmost
importance and hence the
access to patient data must
be available in case of
emergencies
• Break Glass Functionality
Clinicians on the floor
typically share computers
and (most often password)
• Quick switching
We Know the Healthcare Environment

3. 3
Common Risks
Data and Information Explosion
 Data volumes are doubling every 18 months.
 Storage, security, and discovery around information
context is becoming increasingly important.
Care Continuum
 The chain is only as strong as the weakest link.
Partners need to shoulder their fair share of the
load for compliance and the responsibility for
failure.
Patients Expect Privacy
 An assumption or expectation now exists to
integrate security into the infrastructure, processes
and applications to maintain privacy.
Compliance fatigue
 Organizations are trying to maintain a balance
between investing in both the security and
compliance postures.
Emerging Technology
 Virtualization and cloud computing increase
infrastructure complexity.
 Web 2.0 and SOA style composite applications introduce
new challenges with the applications being a vulnerable
point for breaches and attack.
Wireless World
 Mobile platforms are developing as new means of
identification.
 Security technology is many years behind the security
used to protect PCs.

4. Risk ManagementPeople
• Drug Testing
• Background Testing
• NDAs
• HIPAA Compliance
Training
Process
• Identify what needs to
be audited and
controlled
• Define Who needs
Access to What
• Establish auditing and
control processes
Tools
• Restricted physical
access
• Restricted equipment
access
• Restricted network
access
• Restricted data access
• Email & Web
Monitoring

5. People- Onboarding Checklist
 Calance employees sign Non-Disclose Agreements
with specific to the client.
 Every employee signs a “ Work for Hire” contract
for the client transferring the intellectual property
to the client.
 Background checks and drug testing
 All Calance employees, in Healthcare COE,
have to go through background checks and 10
panel drug testing.
 Calance HR maintains a chain of custody for
all records
 Customers are provided a copy of the reports,
if needed
Onboarding Process

6. People-Training
Compliance Training
 Calance uses an in-house LMS for training
and skills assessment
 Every employee is required to complete
mandatory HIPAA Compliance and Privacy
training*
 At the end of the training, the employees
are prompted for test scenarios
 HIPAA compliance training can be
scheduled periodically, based on client
needs * Training material sourced from certified trainers or based
on client requirements
http://www.hhs.gov/ocr/privacy/hipaa/understanding/trai
ning/
Training

7. Tools- Restricted Office Space
Calance can create physical separation of staff in Gurgoan (India) and Buena
Park, CA offices
 Restricted office space uses bio-metric scanners and RFID cards
 Access to the restricted floor requires a PIN, changed periodically
 Single on-boarding and off-boarding process, shared with the client
 Data Center access requires additional approvals from System Engineering
and a VP

8. Tools- Network and Equipment
Network and Equipment Access
 Healthcare clients are cordoned in their own subnet
 Point -to-point encryption between client network and
Calance
 Encrypted Hard Disks and/or Bitlocker
 All computers utilize client specific software images
 No admin access to install personal software
 No access to USB ports
 No backup devices are allowed on the restricted floor
 Use two factor authentication for access the network
Equipment
& Access Control

9. TECHNOLOGY AND AUDITING
9
Process Overview

10. Administration & Auditing
Administration and Auditing
 Calance has a 24x7 NOC in Buena Park, CA,
monitoring infrastructure hosted in our data
center, client locations, co-location facilities
and public cloud
 Systems Engineering works with the
compliance and security architects to create
Role Based Access
 Besides typical monitoring, Calance NOC can
audit emails and web traffic for any policy
violations
Federated Cloud Security Solutions
 Calance employees are certified in
architecting and setting-up enterprise
systems on Amazon EC2 and Microsoft
Azure*
*See HIPAA Compliant Hybrid Cloud Service Offering

11. Technology Partnerships
 We have established strategic
partnerships with the industry
leaders for Identify & Access
Management solutions in the
Healthcare industry
 Calance has deployed custom
solutions at reputed Healthcare
organizations using these tools

12. Process- Audit and Process Improvements
 Calance employs an independent agency for yearly
audit of security procedures
 Current Certifications
Continuous
Improvement
CMM Level 5 and ISO 9001: 2008 Certified
for quality and project management
processes.
SSAE 16 Type II certified datacenter, help
desk, application & desktop support.

13. CONTACT US
Calance Healthcare Practice
2018, 156th Ave NE
Suite 100
Bellevue, WA 98007
Gaurav Garg
Vice President
ggarg@calance.com
Tel: 425-605-0716
Cell: 818-620-0329
13
www.calance.com
info@calance.com
866-736-5500 (Toll-Free)