SEMHIMA Presentation Final 06052012

Jun 09, 2015

Presentation for the South Eastern Michigan Health Information Management Association

Transcript
Page 1: SEMHIMA Presentation Final 06052012
Page 2

HFHS Overview
◦ Landscape
◦ Then vs. Now

HIPAA/HITECH Overview

Use of PHI

Disclosures of PHI

Operational Considerations
◦ Breach Response Plan
◦ Risk Tolerance Assessment
◦ Rapid Response Teams
◦ Branding Opportunities
◦ Communication Strategy
◦ Breach Response Partners
◦ Continuous Education
◦ Elimination of Immediate Risk
◦ Breach Insurance (Cyber Insurance)
◦ Social Media Exposure

Page 3

Founded in 1915 and comprised of
◦ 4 Acute Care Facilities (approx. 2000 beds)
◦ 1200 Member Medical Group & 500 Member Physician Network
◦ Health Plan serving approximately 640,000 members
◦ Home Health, retail pharmacy, optical care, Hospice, Occupational Health, Extended Care divisions

In 2011
◦ Awarded the prestigious Malcolm Baldrige National Quality Award
◦ Approximately 31,000 workforce members
◦ 3.3 million outpatient visits; 89,000 surgical procedures; 101,396 patients admitted to HFHS hospitals
◦ Revenue, $4.22 billion; net income, $21.5 million; uncompensated care, $210 million

Page 4

HFHS is entering into new territory to ensure synergy between Privacy & Security – Culture of Confidentiality

Then…
◦ Privacy was a subset of Corporate Compliance
◦ Security was a subset of Information Technology
◦ Competing priorities diminished the focus on both
◦ Decentralized approach throughout the System
◦ Lean resources to carry out the Privacy & Security Mission

Observation
◦ Due to lean resources, competing priorities and fragmented oversight, Privacy & Security compliance was misaligned with the HFHS Mission & Vision

Page 5

Now…
◦ Established the new Information Privacy Office (IPO) with an expanded scope that includes all confidential data, not just patient data
◦ IPO is a subset of Information Technology under the leadership of the Chief Information Officer, which creates better opportunities for synergy with the Information Security Office
◦ Priorities are streamlined and standardized between the two offices…a shared confidentiality foundation
◦ Centralized corporate IPO resources to ensure consistency in approach System wide

Observation
◦ This will be the catalyst in creating a culture of confidentiality related to any sensitive data protected by various regulations and laws

Page 6

Convened a workgroup to create an incident response plan prior to the 2009 compliance date
◦ Reviewed HITECH regulations and documented process and plan
◦ Conducted research with other organizations to determine how to address the “risk of harm” standard
◦ Created manual process for conducting breach risk assessments
◦ Applied plan to previous breaches to vet approach

Page 7

Stolen laptop containing the information of approximately 4000 exposed patients

Data was stored in a spreadsheet compiled by a clinician

Laptop was unencrypted, and the physical security of the office was compromised due to an open door

Breach response was an internal effort utilizing HFHS staff members
◦ Call center support, notification management, etc.
◦ Assessment to Notification: 56 Days

Page 8

The 56-day response time was outside of our service standards and proved that our response plan was flawed

Assuming responsibility for the entire breach response lifecycle was extending our response time

A breach response partner with proven experience was necessary to ensure that we could meet our 4-week target response deadline

Communication of our incident response plan failed due to lack of branding and continuous reinforcement (8 x 8 Rule)

The workforce didn’t understand the urgency during the assessment phase due to a flawed communication and education plan

Page 9

Secured a breach response partner that had a strong focus in the healthcare market
◦ Wanted a partner and not an out-sourced solution
◦ ID Experts (www.idexpertscorp.com)

Chartered a Code B Alert (Rapid Response) Team

Branded a breach response communication plan
◦ Code B Alert Program
◦ Internal Communication to Workforce
◦ External Communication to Patients, Media & OCR

Immediately engaged our breach response partner during our next incident
◦ Assessment to Notification: 18 Days

Page 10

Led by the Chief Privacy Officer and the Chief Information Security Officer
◦ Includes representation from Legal, Public Relations, Human Resources, Risk Management, Business Unit Leadership
◦ All incidents begin with a Code A(ssessment) that assesses and determines if a breach has occurred
  ◦ Includes representation from Legal, IPO & ISO

Once a “Breach” has been called, the Code B Alert (Rapid Response) Team works with our breach response partner to respond to the breach

Branded communication plan consistently utilized throughout the system and managed corporately instead of at the business unit level

Page 11

Flash Drive Lost
◦ Approximately 3000 patients affected, with significant risk of harm
◦ Even though response time was decreased and the communication plan was effective, we found another concern: portable storage devices

How do we protect the data?

How do we encrypt the data?

What is our policy around flash drives and their usage within HFHS?

How do we protect the integrity/security of our network?

How do we decrease the flash drive footprint at HFHS?

Our answer…The iComply Program!

Page 12

System wide effort coordinated by the Information Privacy & Information Security Offices

All employees were required to visit one of 20 “IT staffed” stations to turn in all personal flash drives for our approved IronKeys solution
◦ Registered hundreds of external hard drives and personal laptops

The stations were also a place to enter into the drawing for an iPad2
◦ Entries were a crossword puzzle based on our privacy & security policies

Approximately 5000 flash drives collected within a 4 week period

Page 13

Create a “secret shopper” monitoring program to test your privacy policies and practices

Consider pushing the cost to respond to the data breach to the offending department once education has occurred system-wide

Utilize contests/incentives to drive workforce members to your privacy & security policies
◦ Crossword puzzles
◦ Scavenger hunts
◦ Encourage department “friendly” competition

Page 14

iComply – Phase 2
◦ Security and encryption of mobile devices
◦ Consumer device usage by guests/patients
◦ Continuous education
◦ Apple support program (e.g., iPads, iPhones, etc.)

Social Media Monitoring

iPad Patient Rounding

Data Loss Prevention Program Implementation

Increased Synergy between Privacy & Security Departments to reinforce our culture of confidentiality

Page 15

Assess your organization's culture to determine the best approach for breach response
◦ Risk Tolerance Assessment
◦ Rapid Response Teams
◦ Branding Opportunities
◦ Communication Strategy
◦ Breach Response Partners
◦ Continuous Education
◦ Elimination of Immediate Risk
◦ Breach Insurance (Cyber Insurance)

Page 16

Meredith R. Phillips, CHC, CHPC

Chief Privacy Officer

Henry Ford Health System

One Ford Place, Suite 2A

Detroit, MI 48202

313-874-5168

[email protected]

Twitter: @mphillipschc