INEVITABLE RISKS - CSO50 Conference · 2017-03-03
INEVITABLE RISKS
Creating a Business Resilience and Assurance Program to Minimize Risk
Since 1974, HMS has been enterprising healthcare and providing a broad range of healthcare cost containment solutions in the industry, all to help payers improve performance. HMS serves:
• Medicaid Managed Care Organizations
• Medicare Advantage plans
• Group and individual plans
• Self-funded employers
• Medicaid agencies
• CHIPs (Children’s Health Insurance Programs)
• State employee health benefit plans
• Centers for Medicare and Medicaid Services
• U.S. Department of Veterans Affairs
• Department of Defense
Business Drivers
• Brand and Reputation Value
• Patient Information Protection: Confidentiality, Integrity, and Availability
• Mandatory Federal Regulations
• Client Contractual Obligations
• Existing and Future Policy
• Legislation Impacting the Field of Healthcare
• Business Continuity and the Sustainability of Business Services
Industry Drivers
• OCR (HIPAA) and CMS (EHR Meaningful Use) audits reveal serious weaknesses
• There is an ever-increasing number of privacy complaints to the OCR
• There is an increasing number and amount of settlements for privacy and security issues
• Major HIPAA breaches have reached a 1K milestone, with 1 in every 10 people in the U.S. impacted
• The current cost of a breach is estimated at $188 per record. The average number of records in a breach is 23,647, or $4.4M per breach
• Identity theft may be the most frequent, costly, and pervasive crime in the U.S., with increasing sophistication
Business Resilience and Assurance Program
Content Sharing
Centralized Risk Governance
Security Risk Management Framework (RMF)
Visibility into Key Risk Factors
Provides an HMS-centric Policy-Standards-Procedure Mapping Foundation
Authoritative Source Guidance
Mapped to a Common Core of Control Standards - Security Framework
Security Risk Program Foundation
To help safeguard electronic protected health information (PHI), HMS established a Common Security Framework built on HITRUST. Combining the HITRUST CSF with industry best practices, HMS was able to offer a scalable security process designed to support the security and privacy of healthcare information. This uniquely holistic foundation ensures that our security program meets our regulatory obligations from a people, process, and technology standpoint.
How We Identify & Manage Risk
• Incident Management
• Issues Management
• Policy Management
• Vendor Management
• Compliance Management
• Asset Management
• Risk Register
• Threat Management
How We Monitor Risk
• Control Procedures: Ownership
• Business Processes: Implementation, so that business processes adhere to control objectives
• Control Self-Assessment: Continuous Monitoring, so that control self-assessments continuously monitor control objectives
Tracking and Reporting
• Status Summaries
• Threshold Monitoring
• Trend Reporting
• Historical Metrics
• Customized Dashboard & Alerting
Intended Outcomes
1. Define a Common Security Framework: HITRUST CSF
2. Define the Methodology for Assessment and Treatment of Security Risks
3. Integrated Foundational Components
4. Increase Transparency & Create a Risk-Aware Culture
5. Improve Visibility into Key Risk Factors
6. Improve HMS’s Risk Posture
7. Support the Business Mission
8. Ensure Business Continuity
Maturity progression: Policy, Process, Implementation, Measured, Managed
THANK YOU
George M. Macrelli (Senior Director, Security): [email protected]
Daryl Hykel (Security Assurance): [email protected]
Scott Pettigrew (VP, Chief Security): [email protected]
Sean Miller (Security Assurance): [email protected]