HITECH and HIPAA Compliance: Higher Availability Privacy Auditing
TRANSCRIPT
2010 © FairWarning, Inc. – Private and Confidential
2011 Executive Webinar Series
HITECH and HIPAA Compliance: High Availability Privacy Auditing and Monitoring
View the Replay
Today’s Agenda
• Introduction
• Privacy Monitoring Availability & Scale – Randy Yates, Memorial Hermann Healthcare System
• Privacy Monitoring Challenges for Large Health Systems – Kurt Long, FairWarning®
• Questions & Answers
Drivers for Today’s Webinar
• “Always-on” Privacy Monitoring
– ARRA HITECH privacy requirements, breach disclosure, penalties, other
– Meaningful use, risk assessments, gaps, future considerations
– Regulatory requirements for increased data retention
– Increased media exposure to major privacy lapses
RANDY YATES, DIRECTOR OF SECURITY
MEMORIAL HERMANN HEALTHCARE SYSTEM
Memorial Hermann Healthcare System
• Randy is responsible for enterprise data security solutions, account management and security risk management. He provides risk assessment services to business owners to ensure that both technology and business objectives are accomplished with secure controls for protection of company confidential and patient data. He oversees HIPAA security and PCI compliance and is currently assessing the impacts of the recently enacted ARRA HITECH legislation. He has implemented several security technologies including tape backup encryption, hard disk encryption, email encryption, transportable media encryption and identity management solutions.
• Prior to joining MH, Randy served as a security consultant for the IBM Global Services division, security consultant for Healthlink, a healthcare IT focused professional service firm, CRM consultant for Cambridge Technology Partners and as an IT Audit Manager for International Paper Company. His primary consulting engagements included security strategic planning, security plan development and HIPAA security compliance assessments and implementations. Randy earned a BS in Business Administration from Mississippi State University.
Memorial Hermann Healthcare System
• Largest not-for-profit healthcare system in Texas and serves the greater Houston community through 11 hospitals, a vast network of affiliated physicians and numerous specialty programs and services.
– Memorial Hermann-Texas Medical Center, the teaching hospital for The University of Texas Medical School at Houston and home of the nation’s busiest Level I trauma center;
– 8 suburban hospitals;
– 3 premier Heart & Vascular Institutes;
– TIRR Memorial Hermann, one of the nation’s top rehabilitation and research hospitals;
– Children’s Memorial Hermann Hospital;
– Memorial Hermann Sports Medicine Institute;
– Mischer Neuroscience Institute;
– 8 comprehensive Cancer Centers; 21 Imaging Centers;
– 8 Breast Care Centers;
– 10 surgery centers;
– 25 sports medicine and rehabilitation centers;
– 19 diagnostic laboratories; and
– PaRC, a substance abuse treatment center.
– Memorial Hermann also operates the Life Flight® air ambulance program as well as the city’s only burn treatment center.
• Award-winning: Most Wired 100, Most Wired 2009, Thomson Reuters 100 Top Hospital
• Employees: 20,000
• Total Beds: 3,200
• Cerner, McKesson, GE, CGI Sovera, ArcSight
The Challenge
• Reporting in each clinical application – some semi-automated, most a manual effort
• No consolidated solution
• We tried Sensage but it only worked for our primary EMR – it lacked reporting and the querying was slow
• We tried P2 Sentinel but it was a “silo” – it only did one application, Cerner Millennium, and we have 128 different systems
• Wanted reporting across our clinical applications
• Wanted proactive breach detection
• Wanted advanced reporting with filtering using our HR data, staff location, etc.
• Needed a scalable solution
• Needed investigative and auditing capability for HIPAA compliance
– Including HIPAA regulations on storing our data
Why We Chose FairWarning®
• Competitive Bidding Situation
• HP Partner and HP Appliance Servers
• ArcSight Partner and Enterprise Security Product Integration
• McKesson Partner and McKesson-Certified Application
• The number of clinical applications that FairWarning® had already worked with was by far greater than any other
• Excellent Customer References, KLAS Scores
• FairWarning® business-friendly interface and ease of reporting for our Privacy Office
• IT and Security Office evaluated the technical and scaling aspects and gave full sign-off
Solution Set Up and Testing
• Followed the FairWarning® Standard for Cerner Millennium data
• Near Real Time Service (hourly)
• Documented our Test Cases; Extensive Testing with the FairWarning® Team
– Tried to ‘break’ FairWarning capabilities with “the big data dump”
– Graphs of processing power: “barely a ‘blip’ on the graph”
– Load Testing with Production Level Traffic
– Performance Testing
– No Cerner Queuing
– Stability Testing
– Failover Testing with 2 Servers
– 5 different Test Cases
• P2 Sentinel / Sensage decommissioned from our environment
Memorial Hermann’s FairWarning® Solution
Patient Privacy Breach Detection and Protection
HIPAA Compliance
Memorial Hermann’s FairWarning® Solution
• Data Stats:
– Peak hour of data is usually 11am-12pm with up to 200,000 transactions sent from Cerner to FairWarning.
– Daily 6 GB of data being collected and 3 million auditable events being written into FairWarning.
• Experience To-Date
KURT LONG, FOUNDER
FAIRWARNING®
Privacy Monitoring Challenges in a Large Health System
• Availability and scale
• Large numbers of application audit sources
• Filtering out false positives
• Advanced analytics
• Integration with enterprise security
• Real time considerations
• Work-flow supporting reporting, remediation, sanctioning and audits
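As an added example (not code from the webinar, from FairWarning® or from Memorial Hermann), the program below shows the kind of rule-based privacy monitoring these challenges describe: EHR access audit events are joined with an HR feed and a patient index so that an employee viewing their own record, a patient at a site the employee is not assigned to, or a patient who shares their surname is flagged, while members of the patient's treatment team are accepted to keep false positives down. The audit line layout, the HR and patient fields, the user and patient identifiers and the rule names are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample data for this example; layouts and values are assumptions,
# not FairWarning's or any EHR vendor's formats.
AUDIT_LOG = [
    # timestamp | user_id | patient_id | action | application
    "2010-11-02T11:03:15|u1001|p5001|VIEW|Cerner Millennium",
    "2010-11-02T11:04:40|u1002|p5002|VIEW|Cerner Millennium",
    "2010-11-02T11:05:02|u1003|p5003|VIEW|Cerner Millennium",
    "2010-11-02T11:06:30|u1004|p5004|VIEW|Cerner Millennium",
    "2010-11-02T11:07:11|u1005|p5001|VIEW|Cerner Millennium",
]

# HR feed (constructed): surname, department, sites the employee works at, and
# the employee's own patient id if they have ever been registered as a patient.
HR = {
    "u1001": {"surname": "Lee", "dept": "Nursing", "sites": {"TMC"}, "own_patient_id": None},
    "u1002": {"surname": "Ruiz", "dept": "Billing", "sites": {"TMC"}, "own_patient_id": "p5002"},
    "u1003": {"surname": "Nguyen", "dept": "Registration", "sites": {"TMC"}, "own_patient_id": None},
    "u1004": {"surname": "Patel", "dept": "Pharmacy", "sites": {"TMC"}, "own_patient_id": None},
    "u1005": {"surname": "Okafor", "dept": "Nursing", "sites": {"TMC"}, "own_patient_id": None},
}

# Patient index extract (constructed): surname and the site where the patient is treated.
PATIENTS = {
    "p5001": {"surname": "Garcia", "site": "TMC"},
    "p5002": {"surname": "Ruiz", "site": "TMC"},
    "p5003": {"surname": "Nguyen", "site": "TMC"},
    "p5004": {"surname": "Kim", "site": "SW"},
}

# Treatment-team assignments from the EHR (constructed); access by these users is expected.
CARE_TEAM = {
    "p5001": {"u1001", "u1005"},
    "p5002": set(),
    "p5003": set(),
    "p5004": set(),
}


@dataclass
class Event:
    timestamp: str
    user_id: str
    patient_id: str
    action: str
    application: str


def parse_event(line: str) -> Event:
    """Parse one pipe-delimited audit line into an Event."""
    ts, user_id, patient_id, action, application = line.split("|")
    return Event(ts, user_id, patient_id, action, application)


def evaluate(event: Event) -> List[str]:
    """Return the names of the privacy rules an event trips; empty means no alert."""
    user = HR.get(event.user_id)
    patient = PATIENTS.get(event.patient_id)
    if user is None or patient is None:
        # An audit event that cannot be matched to HR or the patient index is
        # itself a monitoring gap, so surface it rather than silently skipping it.
        return ["unmatched-identity"]

    # Rule 1: an employee viewing their own record is definitive on its own.
    if user["own_patient_id"] == event.patient_id:
        return ["self-access"]

    # Treatment-team membership suppresses the heuristic rules below; this is
    # the main lever for keeping false positives down.
    if event.user_id in CARE_TEAM.get(event.patient_id, set()):
        return []

    reasons = []
    # Rule 2: the patient is treated at a site the employee is not assigned to.
    if patient["site"] not in user["sites"]:
        reasons.append("off-site")
    # Rule 3: employee and patient share a surname (possible family snooping).
    if user["surname"].lower() == patient["surname"].lower():
        reasons.append("shared-surname")
    return reasons


def run_monitor(lines: List[str]) -> Dict[str, List[str]]:
    """Evaluate every audit line; map 'user_id->patient_id' to the rules it tripped."""
    alerts: Dict[str, List[str]] = {}
    for line in lines:
        event = parse_event(line)
        reasons = evaluate(event)
        if reasons:
            alerts[f"{event.user_id}->{event.patient_id}"] = reasons
    return alerts


if __name__ == "__main__":
    for key, reasons in run_monitor(AUDIT_LOG).items():
        print(key, ", ".join(reasons))
```

The ordering matters: self-access is returned before any whitelist is consulted, whereas the heuristic rules are only evaluated for users outside the patient's treatment team. In a real deployment the HR and patient feeds would be the organisation's identity and master patient index sources, and a stale or incomplete feed shows up directly as "unmatched-identity" alerts.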
Standard & HA Configurations
[Diagram: Primary, Hot-spare, Others – audit sources feed the appliance over the best available protocol: https, sFTP, other]
Optional Configuration for High Performance and Availability – Proven and Cost Effective
High Availability and Scaling
• Reporting & monitoring failover to hot-spare
• Reporting & monitoring can run from hot-spare (option)
• Audit log consumption fail-over to hot-spare (option)
Architecture
• MySQL 5.5 database with partitioning optimized by FairWarning®
• Data replication between primary and hot-spare
• 2 to 4 years of on-board storage, archival for much longer periods
FairWarning® Customer Community
• 100+ major enterprise healthcare providers, 18 new in Q4 2010 alone
• Represent 450 hospitals and 2,100 clinics
• United States, Canada, United Kingdom
• 50%+ have received prestigious awards for quality
• Range in size from 1,000 to 50,000+ employees
• Note: FairWarning® now has offices in London, England and Paris, France
KLAS & FairWarning®
Based on KLAS interviews with customers:
• 100% indicate FairWarning® is part of their long-term plans
• 100% indicate they would purchase FairWarning® again
• 100% indicate FairWarning® keeps its promises
More information is available at: http://www.KLASresearch.com/
Privacy Monitoring Challenges and the Patient Privacy Framework
• Large numbers of application audit sources
• Advanced Analytics
• Filtering out false positives
• Integration with Enterprise Security
• Real-time monitoring
• Work-flow supporting reporting, remediation, sanctioning and audits
• No detailed standards, guidelines or data definitions related to healthcare privacy auditing & monitoring
FairWarning® Patient Privacy Framework Guide 1: Data Definition Guide
• Predictable, consistent integration with EHRs, ERP and identity management
• Best data practices
• Large numbers of applications
• Advanced Analytics & Filtering
• Real-time architectures
• Available since Summer 2010
• Open copyright
Diagram labels: FairWarning® Ready SI’s, FairWarning® Ready MPIs, FairWarning® Customers
FairWarning® Patient Privacy Framework Guide 2: Enterprise Security Data Definition Guide
• ISO visibility for patient incidents
• Privacy monitoring & SIEM, DLP cooperative correlation
• End-to-end trace
• Real-time considerations
• Available since Fall 2010
• Open copyright
Diagram labels: FairWarning® Customers, FairWarning® Ready SIEM-DLP
FairWarning® Patient Privacy Framework Guide 3: Implementation Toolkit
• The business processes of privacy monitoring
• Gaining Board & Executive buy-in
• Human resource & legal considerations
• Work-flows for remediation
• Communication & sanctioning templates
• Detailed project plan templates
• Available since January 1, 2011
Diagram labels: FairWarning® Customers, FairWarning® Ready “Gold”
Industry Support: FairWarning® Patient Privacy Framework Guides
“Data definitions for EHR enterprise and departmental system audit logs will prove to be very useful to healthcare providers seeking to normalize and automate their response to HITECH’s privacy auditing requirements surrounding protected health information (PHI) and consultants and vendors looking to assist them. The guides should increase their understanding of the sources and structure of the PHI.”
– Barry Runyon, Research VP at Gartner
“For the first time in this industry, there is data that quantifies the risk of not proactively and systematically monitoring for breaches. More importantly, this newly released report proves that policy without enforcement doesn’t work and creates entity-wide risk through empirical data. For EHRs to be successful and to secure public trust, the industry as a whole must commit to establishing ongoing breach monitoring, an environment of informed compliance and effective risk mitigation.”
– Mac McMillan, Chair, HIMSS Privacy & Security Steering Committee, & CEO, CynergisTek
“Security and privacy breaches threaten to undermine the public’s trust in health IT and electronic health information exchange – just at the time when policymakers are actively promoting it. This report [Breach Findings] demonstrates that implementation of industry best practices reduces the risk of breach and is key to enabling more widespread adoption and use of e-health technologies.”
– Deven McGraw, Director of the Health Privacy Project, Center for Democracy and Technology
“Historically healthcare providers have relied on intensive and manual procedures to monitor for breaches. As a result, many of these entities are unaware of the actual number of breaches within their organizations and therefore unable to report or thwart these breaches. What should be eye-opening for these organizations that do not have a reliable automated monitoring process, is the vast financial and reputational risk posed by any one of these breaches.”
– Cliff Baker, Managing Partner, Meditology and Executive Advisor, HITRUST Alliance LLC
FairWarning® Resources
Available after today’s webinar:
• High availability configurations
• FairWarning® and Meaningful Use
• Patient Privacy Framework Guides
• ROI Calculator on privacy monitoring
• Real-time architecture for privacy monitoring
• Breach Damages Estimator – based on breach monitoring deployments as well as interviews with health systems, legal counsel and 3rd parties involved with high-profile breaches and audits
• White paper on privacy breach findings
Both available by [email protected]
QUESTIONS & ANSWERS