A Connected Healthcare Ecosystem leads to IT Risk, Security and Compliance Management Challenges
Presentation Transcript
A Connected Healthcare Ecosystem leads to IT Risk, Security and Compliance Management Challenges

Implementing new solutions for the current healthcare ecosystem that help address industry issues such as improving quality of care, controlling costs, and increasing access can lead to increased risk and compliance challenges.

Diagram: the connected healthcare ecosystem (labels include Pharma / Suppliers)
IT Security, Risk & Compliance Management Challenges




Industry & Technical Standards

  • PCI

  • NIST

  • FDA

  • State Data Protection Requirements

  • ISO

Vulnerability and Identity Management

  • Validation/evaluation of existing architecture

  • Threat identification: malware; identity/access management; hacker, partner, employee

  • Business continuity management: risks due to disaster recovery/emergency preparedness are unknown

  • Costs of risk identification failure, inability to implement technology, or compliance failures

Policy Management: enforceable, manageable, and addresses multiple conflicting standards


  • Flawed policy

  • Inconsistent policy implementation

  • Regulatory Policies and Contractual Commitments

  • Policy is not complete or not current

  • Requirements have not been mapped to existing organization, processes or systems

  • Validation/evaluation of existing policy


The Extended Enterprise Comes With New Security Challenges

Application security

Measuring against risk

Meeting multiple compliance requirements

Data protection /data loss prevention

Partner/supplier security due diligence

Managing security with reduced resources

Business continuity

Ongoing monitoring and management

Consumer/employee mobility

Security log data handling

The Extended Enterprise Perimeter is Expanding, Dissolving

The Evolving Security Market Changes Require a New Approach

Wider: Security controls should span the Extended Enterprise and should be executed where they are most effective and cost-efficient

Deeper: Security should span the entire IT stack, including the network, data, applications, and users

Smarter: Security decisions should be based on risk, not just on threats and vulnerabilities

Some Stats: US Healthcare Industry in 2009

Healthcare spending will continue to outpace all other industries, growing 7% annually through 2014

16,100 = nursing homes

58,515 = hospitals

83,000 = home care providers

243,000 = pharmacists

766,000 = physicians

951,045 = staffed beds

4,700,000 = nurses

5,400,000 = hospital employees

37,529,270 = total admissions

$300,000,000,000 = pharmaceutical industry

$690,073,646,000 = total hospital expenses

$2,600,000,000,000 = US Healthcare Industry

Some Jargon

  • Regulatory

    • HITECH Act: $20B component of ARRA to modernize healthcare

    • Meaningful Use: criteria that must be met to qualify for HITECH funds

    • HHS: Health and Human Services; federal agency responsible for healthcare

    • ONC: Office of National Coordinator for Health IT; part of HHS responsible for HIT

    • PHI: Protected Health Information: individually identifiable health information

    • CE: Covered Entity; health plan, clearinghouse, or provider who transmits ePHI

    • BA: Business Associate; anyone performing functions on behalf of CE that involve use of PHI

  • BAA: Business Associate Agreement; contract between BA and CE

  • Payers: insurance companies, CMS

  • EMR: Electronic Medical Record; healthcare firm owned

  • PHR: Personal Health Record; patient owned

  • HIE: Health Information Exchange; common platform that enables organizations in a region to share healthcare info

  • RHIO: Regional Health Information Organization; similar to HIE, connects to NHIN

Note: see [7] for more terms.

HITECH Act Overview

= Health Information Technology for Economic and Clinical Health

  • Title 13 of ARRA

  • $20B

  • Objectives

    • Develop standards for electronic exchange of PHI

    • Incentives to encourage doctors and hospitals to digitize

    • Save government $10B

    • Strengthen privacy and security to protect healthcare information

      • Mandates public notification of data breaches

      • Stricter compliance and accounting for ePHI requests

      • Responsibility for managing PHI at Business Associates

Some More Stats: Healthcare Industry Security

The risk of non-compliance and insecurity is rising faster in healthcare industry than in any other!

10.9% of IT budget spent on security – not enough!

Hacker attacks against healthcare clients doubled during 4Q09

80 million breached records in 2009

Average cost of breached medical record is $282

Impact of a data breach over a two-year period is $2 million

HITECH Act: 3 New Security Requirements

HITECH Act Enforcement and Penalties

In Nov ’09 OIG issued report criticizing HHS for failing to be proactive in enforcing HIPAA rules

Criminal penalties can now be applied to individuals (not just companies)

New system of civil monetary penalties that incorporates concept of “willful neglect”

Establishment of methodology to distribute to harmed individuals a portion of civil penalties collected

State attorneys general can bring civil action on behalf of residents whose privacy has been violated

Requires HHS secretary to periodically audit CEs, BAs

OCR responsible for enforcing HIPAA Security and Privacy Rules

HITRUST Certification

Helps organizations address the complexities of meeting numerous standards and requirements

The HITRUST Common Security Framework (CSF) is a comprehensive set of tools developed to aid organizations that create, store, access, or exchange electronic health information

Primary Benefits of CSF

  • Helps address risks and requirements associated with business partners

  • Based on well accepted, familiar security standards

  • Scales based on risk and complexity

  • Accepted across provider, payer, and partner communities

HITRUST Common Security Framework (CSF)

The Common Security Framework (CSF) is a comprehensive set of tools developed to aid organizations that create, store, access, or exchange electronic health information

Primary Benefits

  • Helps protect information assets

  • Manage related risks, costs and complexities

Three components:

  • Information Security Implementation Manual: List of sound security governance practices and sound security control practices that scales according to the type, size and complexity of each organization to provide prescriptive implementation guidance

  • Standards and Regulations Cross-Reference Matrix: tool to help reconcile the framework to common and different aspects of generally adopted standards

  • Readiness Assessment Toolkit: toolkit that enables assessment (self or third party) and scoring of an organization’s information security environment against the practices and controls outlined in the Information Security Implementation Manual

Overview of CSF Assurance Program

  • Utilizes a common set of information security requirements with standardized assessment and reporting processes accepted and adopted by healthcare organizations

  • Through the program, healthcare organizations and their business associates can improve efficiencies and reduce the number and costs of security assessments

  • The oversight and governance provided by HITRUST support a process whereby organizations can trust that their third parties have essential security controls in place


HITRUST Applicability: Existing Issues for Covered Entities

Covered entities are dealing with the following issues:

Complex contracting process due to unique security requirements

Low response rate of questionnaires

Inaccurate and incomplete responses

Inadequate due diligence of questionnaires

Difficulty monitoring the status and effectiveness of corrective action plans

Difficulty tracking down appropriate contacts at business associate

Costly and time-intensive data collection, assessment and reporting processes

Inability to proactively identify and track risk exposures at business associate

Lack of visibility into downstream risks related to business associate (i.e., business associate’s own business partners)

Lack of consistent reporting to management on business associate risks


Background: What is a Business Associate?

  • Person or entity that performs certain functions or activities that involve the use or disclosure of PHI

  • Works on behalf of, or provides services to, a Covered Entity (CE)

  • Member of the CE’s workforce is not a BA

  • May include:

    • Accountants

    • Consultants

    • Pharmacy

    • Payers (health insurance provider)

    • Labs (e.g.: LabCorp)

    • Software Vendors (EHR, PHR, etc.)

    • HIOs, RHIOs, HIEs

  • How many BAs?

    • United Healthcare Group: 3600+ BAs

    • Humana: 2400+ BAs

    • Medco: ~900 BAs

Business Associates Challenges

  • Complex contracting process due to unique security requirements

  • Broad range and inconsistent expectations for responses to questionnaires – inability to effectively leverage responses across organizations

  • Complex processes:

    • Maintaining broad range of reporting requirements

    • Tracking to varied expectations around corrective action plans

    • Tracking down appropriate contacts at customers

    • Expensive and time-intensive audits by customers

    • Inability to consistently and effectively report to and communicate with customers

    • Risk exposure to inconsistent responses from different business units of the business associate