A Connected Healthcare Ecosystem leads to IT Risk, Security and Compliance Management Challenges

1. A Connected Healthcare Ecosystem leads toIT Risk, Security and Compliance Management Challenges Implementing new solutions for the current healthcare ecosystem that help address industry issues such as improving quality of care, controlling costs, and increasing access can lead to increased risk and compliance challenges. Patients Pharma / Suppliers Payers Providers 1

2. IT Security, Risk & Compliance Management Challenges Information Security Requirements Vulnerability and Identity Management Industry & Technical Standards • HIPAA • PCI • NIST • FDA • State Data Protection Requirements • ISO • JCAHO • HITRUST • PCI • Validation/evaluation of existing architecture • Threat Identification: Malware, Identity/ Access Management Hacker, Partner, Employee • Business continuity management - - Risks due to disaster recovery/emergency preparedness are unknown • Costs of risk identification failure, inability to implement technology, or compliance failures Policy Management: Enforceable, manageable and address multiple conflicting standards Policy • Flawed policy • Inconsistent policy implementation • Regulatory Policies and Contractual Commitments • Policy is not complete or not current • Requirements have not been mapped to existing organization, processes or systems • Validation/evaluation of existing policy 2

3. i i i i i i i i i The Extended Enterprise Comes With New Security Challenges Application security Measuring against risk Meeting multiple compliance requirements Data protection /data loss prevention Partner/supplier security due diligence Managing security with reduced resources Business continuity Ongoing monitoring and management Consumer/employee mobility Security log data handling

4. The Extended EnterprisePerimeter is Expanding, Dissolving

5. Threat Information AssetInformation Vulnerability Information The Evolving Security Market Changes Require a New Approach WiderSecurity controls should span the Extended Enterprise and should be executed where they are most effective and cost-efficient DeeperSecurity should span the entire IT stack, including the network, data, applications, and users SmarterSecurity decisions should be based on risk, not on just threats and vulnerabilities

6. Some StatsUS Healthcare Industry in 2009 Healthcare spending will continue to outpace all other industries, growing 7% annually through 2014 16,100 = nursing homes 58,515 = hospitals 83,000 = home care providers 243,000 = pharmacists 766,000 = physicians 951,045 = staffed beds 4,700,000 = nurses 5,400,000 = hospital employees 37,529,270 = total admissions $300,000,000,000 = pharmaceutical industry $690,073,646,000 = total hospital expenses $2,600,000,000,000 = US Healthcare Industry

7. Some Jargon • Regulatory • HITECH Act: $20B component of ARRA to modernize healthcare • Meaningful Use: criteria that must be met to qualify for HITECH funds • HHS: Health and Human Services; federal agency responsible for healthcare • ONC: Office of National Coordinator for Health IT; part of HHS responsible for HIT • PHI: Protected Health Information: individually identifiable health information • CE: Covered Entity; health plan, clearinghouse, or provider who transmits ePHI • BA: Business Associate; anyone performing functions on behalf of CE that involve use of PHI • BAA: Business Associate Agreement; contract between BA and CE • Payers: insurance companies, CMS • EMR: Electronic Medical Record; healthcare firm owned • PHR: Personal Health Record; patient owned • HIE: Health Information Exchange; common platform that enables organizations in a region to share healthcare info • RHIO: Regional Health Information Organization; similar to HIE, connects to NHIN Note: see [7] for more terms.

8. HITECH ActOverview = Health Information Technology for Economic and Clinical Health • Title 13 of ARRA • $20B • Objectives • Develop standards for electronic exchange of PHI • Incentives to encourage doctors and hospitals to digitize • Save government $10B • Strengthen privacy and security to protect healthcare information • Mandates public notification of data breaches • Stricter compliance and accounting for ePHI requests • Responsibility for managing PHI at Business Associates

9. Some More StatsHealthcare Industry Security The risk of non-compliance and insecurity is rising faster in healthcare industry than in any other! 10.9% of IT budget spent on security – not enough! Hacker attacks against healthcare clients doubled during 4Q09 80 million breached records in 2009 Average cost of breached medical record is $282 Impact of a data breach over a two-year period is $2 million

10. HITECH Act 3 New Security Requirements

11. HITECH ActEnforcement and Penalties In Nov ’09 OIG issued report criticizing HHS for failing to be proactive in enforcing HIPAA rules Criminal penalties can now be applied to individuals (not just companies) New system of civil monetary penalties that incorporates concept of “willful neglect” Establishment of methodology to distribute to harmed individuals a portion of civil penalties collected State attorneys general can bring civil action on behalf of residents whose privacy has been violated Requires HHS secretary to periodically audit CEs, BAs OCR responsible for enforcing HIPAA Security and Privacy Rules

12. HITRUST Certification Helps organizations address the complexities of meeting numerous standards and requirements The HITRUST Common Security Framework (CSF) is a comprehensive set of tools developed to aid organizations that create, store, access, or exchange electronic health Primary Benefits of CSF • Helps address risks and requirements associated with business partners • Based on well accepted, familiar security standards • Scales based on risk and complexity • Accepted across provider, payer, and partner communities

13. HITRUST Common Security Framework (CSF) The Common Security Framework (CSF) is a comprehensive set of tools developed to aid organizations that create, store, access, or exchange electronic health information Primary Benefits • Helps protect information assets • Manage related risks, costs and complexities Three components: • Information Security Implementation Manual: List of sound security governance practices and sound security control practices that scales according to the type, size and complexity of each organization to provide prescriptive implementation guidance • Standards and Regulations Cross-Reference Matrix: tool to help reconcile the framework to common and different aspects of generally adopted standards • Readiness Assessment Toolkit: toolkit that enables assessment (self or third party) and scoring of an organization’s information security environment against the practices and controls outlined in the Information Security Implementation Manual

14. Overview of CSF Assurance Program • Utilizes a common set of information security requirements with standardized assessment and reporting processes accepted and adopted by healthcare organizations • Through the program, healthcare organizations and their business associates can improve efficiencies and reduce the number and costs of security assessments • The oversight and governance provided by HITRUST support a process whereby organizations can trust that their third parties have essential security controls in place 14

15. CSF Assurance Program – The Solution 15

16. HITRUST ApplicabilityExisting Issues for Covered Entities Covered entities are dealing with the following issues: Complex contracting process due to unique security requirements Low response rate of questionnaires Inaccurate and incomplete responses Inadequate due diligence of questionnaires Difficulty monitoring the status and effectiveness of corrective action plans Difficulty tracking down appropriate contacts at business associate Costly and time-intensive data collection, assessment and reporting processes Inability to proactively identify and track risk exposures at business associate Lack of visibility into downstream risks related to business associate (i.e., business associate’s own business partners) Lack of consistent reporting to management on business associate risks 16

17. BackgroundWhat is a Business Associate? • Person or entity that performs certain functions or activities that involve the use or disclosure of PHI • Work on behalf of, or provides services to, a Covered Entity (CE) • Member of the CE’s workforce is not a BA • May include: • Accountants • Consultants • Pharmacy • Payers (health insurance provider) • Labs (e.g.: LabCorp) • Software Vendors (EHR, PHR, etc.) • HIOs, RHIOs, HIEs • How many BAs? • United Healthcare Group: 3600+ BAs • Humana: 2400+ BAs • Medco: ~900 BAs

18. Business Associates Challenges • Complex contracting process due to unique security requirements • Broad range and inconsistent expectations for responses to questionnaires – inability to effectively leverage responses across organizations • Complex processes: • Maintaining broad range of reporting requirements • Tracking to varied expectations around corrective action plans • Tracking down appropriate contacts at customers • Expensive and time-intensive audits by customers • Inability to consistently and effectively report to and communicate with customers • Risk exposure to inconsistent responses from different business units of the business associate 18