Customer Imperative: Controlling the Complex World of Extract Transmissions Stephanie Pestrak HCSC 09/18/2010


Page 1

Customer Imperative: Controlling the Complex World of Extract Transmissions

Stephanie Pestrak

HCSC

09/18/2010

Page 2

Customer Imperative: Controlling Extract Transmissions

Page 3

Outbound Extract Transmissions: Organization Risks

Headline News, Identity Theft Resource Center: 113 of the 385 U.S. companies and organizations that endured a large data breach in the first half of 2010 are healthcare providers.(1)(2)

How can we mitigate risk in our own organizations?

1) www.internetnews.com
2) Includes non-health-care insurers, e.g. institutions, practitioners

Page 4

Workshop Objectives

• Organization risks: why should you care about managing outbound extract transmissions in the health care industry?
• Share HCSC's efforts in addressing risks
• Q & A

Page 5

The HCSC Family of Companies

(Organization chart; recoverable labels: Other Subsidiaries and Joint Ventures; Life, Disability and Annuities; Dental)

Our Mission: Promote the health and wellness of our members and communities through accessible, cost-effective, quality health care

Page 6

Outbound Extract Transmissions: Organization Risks

To HCSC, outbound data transmission risk means the potential for an incident of data breach in transferring data to a third party.

A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.(1)

1) SecuritySearch.com

Page 7

Outbound Extract Transmissions: Organization Risks

Monthly Volume of Outbound Transmissions:

Risk Category   Total Occurrences of Files            Total by Category
                Count     Percent of Total Count      Count    Percent of Total Count
Claims          21,946    66%                         718      40%
Membership       3,669    11%                         177      10%
Eligibility      3,152    10%                         441      24%
Informational    1,710     5%                         196      11%
Financial        1,266     4%                          77       4%
Provider           671     2%                          73       4%
HCSC Data          351     1%                          41       2%
Misc               377     1%                          86       5%
Total:          33,142   100%                       1,809     100%

Page 8

Outbound Extract Transmissions: Organization Risks

Risk of exposure due to lack of consistent tracking and management of outbound large-scale extracts transmitted with PHI, PII or other sensitive data.

Possible impacts include:
- Brand
- Customer retention
- Possible legal fees and penalties
  • Estimated at $204 per transaction
  • Most expensive data breach cost about $31M
  • Least expensive data breach cost was about $750K
- Internal operation costs for investigation & recovery

Page 9

Outbound Extract Transmissions: Organization Risks

Increased Impact to Industry due to Recent Legislative Action:

Recent legal fines implemented November 2009 through the American Reinvestment & Recovery Act (ARRA):
- Up to $1.5 Million per occurrence
- Incident must be reported to media if affected parties exceed 500
- Employees of health care providers can now be held personally liable
- Civil suits may be brought on behalf of individuals or patients

The Office of Civil Rights is staffing up for a more proactive enforcement.

Page 10

Outbound Extract Transmissions: Organization Risks

Increased Impact to Organization through High Visibility of Breaches. From the Identity Theft Resource Center (ITRC) web site:

(Screenshot of the ITRC "High Profile Breaches Report": breaches listed alphabetically; full information on a breach may be found in the ITRC Breach Report by searching for the ITRC Breach ID. Columns: ITRC Breach #, Company or Agency, State, Publish Date, Breach Type, Breach Category, Records Exposed?, Records #. Recoverable entries below.)

ITRC20091111-01, TD Ameritrade (advisory only), US, 10/27/2009, Electronic, Business, None - Other, 0. In September 2007, Ameritrade announced that the names, addresses, phone numbers and trading information of potentially all of its more than 6 million retail and institutional customers at that time had been compromised by an intrusion into one of its databases. The stolen information was later used to spam those customers. Consistently the company has said that while SSNs were in that same database they have investigated the situation and have affirmed that SSNs were not compromised. ITRC has confirmed with a source that worked with Ameritrade on this breach that SSNs were not breached. This is not a breach by ITRC criteria but is listed as an advisory only due to media attention.

ITRC20091123-09, ACORN, CA, 11/23/2009, Paper Data, Business, Yes - Unknown #, 0. A private investigator in San Diego found thousands of sensitive documents dumped outside a California ACORN (Association of Community Organizations for Reform Now) office on October 9, just days after the state attorney general announced an inquiry into the community organizing group. "We're talking people's driver's license numbers, dates of birth, Social Security numbers, credit card numbers, bank account numbers, tax returns, credit reports" — all tossed in public view in the Dumpster, the investigator said.

ITRC20081111-02, AIG - Medical Excess LLC, US

Page 11

Outbound Extract Transmission: HCSC Risk Management Efforts

1) Established Goals
2) Assessed Needs
3) Defining and Executing Action Plan

Page 12

Outbound Extract Transmission: HCSC Risk Management Efforts

Established Goals - Applying an Enterprise Maturity Model

Page 13

HCSC Risk Management Efforts: Established Goals - Application of an Enterprise Maturity Model

Level 1 – Initial
- No standard processes followed for registration, tracking & monitoring
- No automation options for registration, tracking & monitoring

Level 2 – Repeatable
- Partial standard processes followed for registration, tracking & monitoring, with ability to implement across multiple areas
- Partial automation options for registration, monitoring and control

Level 3 – Defined
- Department-level standard processes followed for registration, tracking & monitoring
- Department-level automation options applied for registration, monitoring and control
- Department-level common layout use enabled

Level 4 – Managed
- Enterprise standard processes adhered to for registration, monitoring & tracking
- Enterprise automation of registration, monitoring & tracking
- Enterprise common layout use at enterprise level enabled and enforced

Level 5 – Optimized
- Edit check of internal file characteristics at transmission and recipient verification points at data element level, vertical & horizontal
- Automated integration of common layouts for new requests
- Optimized use of pull opportunities for data to reduce extracts

Page 14

HCSC Risk Management Efforts: Assessed Needs

Key capability areas of extract transmission management:
- Registration, Tracking & Controlling
- Ongoing Monitoring
- Audit & Follow Up

Page 15

HCSC Risk Management Efforts: Assessed Needs - Sample Registration, Monitoring & Control Process

(Process flow diagram; recoverable content below.)

Sample record layout:
Num   Data Element   Char
1     Claim ID       X(16)
2     Claim Type     X(4)
3     Claim Amt      11v9(2)

Trigger: Customer request for new or changed transmission or data

Process steps: Request Registration -> Validate Contract, TPA -> Approve Request -> Verify Existing Layout -> Develop & Test Transmission -> Verify Registered Transmission -> Approve Transmission

Registration metadata accumulated through the process, as annotated on the diagram:
- Bus reason, Bus owner, PHI/SPI, Frequency
- Bus reason, Bus owner, PHI/SPI, Frequency, Approved status
- Bus reason, Bus owner, PHI/SPI, Frequency, Physical File Name, IP address, Protocol, Approved status
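The metadata the sample process registers (business reason and owner, PHI/SPI flag, frequency, physical file name, destination IP address, protocol, approved status) is what an automated pre-transmission validation point can check an outbound file against. The following is an added example, not HCSC's code or product: a small gate that looks up an outbound extract in a constructed registration inventory, records findings, and logs a transmit/suspend decision. The inventory contents and the encrypted-protocol policy are assumptions for illustration.

```python
"""Added example (not HCSC's code): pre-transmission validation gate that
checks an outbound extract against the registration inventory fields listed
in the deck and logs a transmit/suspend decision. Inventory contents and the
encrypted-protocol policy are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Registration:
    """One extract transmission as registered in the inventory."""
    bus_reason: str
    bus_owner: str
    phi_spi: bool      # extract carries PHI or other sensitive personal data
    frequency: str
    file_name: str     # physical file name
    ip_address: str    # registered destination address
    protocol: str
    approved: bool     # approved status

# Assumed policy: PHI/SPI extracts may leave only over encrypted transports.
ENCRYPTED_PROTOCOLS = {"sftp", "ftps", "https"}

def validate_outbound(file_name: str, dest_ip: str, protocol: str,
                      inventory: Dict[str, Registration],
                      log: List[str]) -> List[str]:
    """Return compliance findings (empty list = in compliance, transmit)
    and append one audit log line recording the decision."""
    findings: List[str] = []
    reg = inventory.get(file_name)
    if reg is None:
        findings.append("not in registration inventory")
    else:
        if not reg.approved:
            findings.append("registration not approved")
        if reg.ip_address != dest_ip:
            findings.append(f"destination {dest_ip} != registered {reg.ip_address}")
        if reg.protocol.lower() != protocol.lower():
            findings.append(f"protocol {protocol} != registered {reg.protocol}")
        if reg.phi_spi and protocol.lower() not in ENCRYPTED_PROTOCOLS:
            findings.append("PHI/SPI extract on unencrypted protocol")
    decision = "TRANSMIT" if not findings else "SUSPEND"
    log.append(f"{decision} file={file_name} dest={dest_ip} proto={protocol} "
               f"findings={'; '.join(findings) or 'none'}")
    return findings

# Constructed sample inventory with one registered claims extract.
INVENTORY = {
    "CLAIMS_EXTRACT_MONTHLY.DAT": Registration(
        bus_reason="Monthly claims feed to TPA", bus_owner="Claims Ops",
        phi_spi=True, frequency="monthly",
        file_name="CLAIMS_EXTRACT_MONTHLY.DAT",
        ip_address="203.0.113.10", protocol="sftp", approved=True),
}

if __name__ == "__main__":
    audit: List[str] = []
    validate_outbound("CLAIMS_EXTRACT_MONTHLY.DAT", "203.0.113.10", "sftp", INVENTORY, audit)
    validate_outbound("CLAIMS_EXTRACT_MONTHLY.DAT", "198.51.100.7", "ftp", INVENTORY, audit)
    print("\n".join(audit))
```

The second call in the usage block produces three findings (wrong destination, wrong protocol, PHI over an unencrypted transport) and a SUSPEND log line, which is the kind of event the deck's "Suspend Production Transmissions" step and post-production evaluation would act on.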

Page 16

HCSC Risk Management Approach: Assessed Needs

Results identified need for enterprise initiative to:
- Establish governance process to centralize data exchange including registration, monitoring and logging functions
- Select and implement a third-party product or hosted solution to provide for enterprise management of electronic exchange information
- Design a data reconciliation and consolidation solution to optimize management of extract formats

Page 17

HCSC Risk Management Efforts: Define & Execute Action Plan

Emphasis on solution addressing integration of people, process & technology:

"Weak human + machine + better process was superior to strong computer alone and, more remarkably, superior to a strong human + machine + inferior process."(1)
- Garry Kasparov, former world chess champion's observation on tournament amateur winners' approach in beating IBM's Deep Blue

1) Chess Metaphors: Artificial Intelligence and the Human Mind, Diego Rasskin-Gutman, 2009, Massachusetts Institute of Technology

Page 18

HCSC Risk Management Efforts: Define & Execute Action Plan

Emphasis on solution addressing integration of people, process & technology. Groups shown in the diagram:
- Information Security
- Business Partners
- Enterprise Information Strategic Management
- Information Technology Audit
- Governance Processes
- Enterprise Information Delivery
- Application Development
- Enterprise Architect Solutions
- Enterprise Infrastructure
- Program Management
- Enterprise Workflow Automation

Page 19: Customer Imperative: Controlling the Complex World of Extract Transmissions Stephanie Pestrak HCSC 09/18/2010

Long Term Mitigation Objectives Build and implement point to point enterprise solution for automated extract transmission management

from customer extract requests through transmission control and monitoring

Ongoing/Intermediate Mitigation Objectives- Build enterprise registration inventory of approved extract transmissions for 100% of inventory for use in extract management and tracking solution

- Conduct thorough policy review and revisions where needed to ensure proper practice in extract transmissions

- Ongoing de-activation of inactive IP firewalls and obsolete transmissions with supporting audit process

- Define enterprise process and procedures for guidance for following standardized tracking and monitoring process1

1) See Appendix A

19

HCSC Risk Management Efforts Define & Execute Action Plan

Page 20

HCSC Risk Management Efforts: Define & Execute Action Plan - Sample Phased Approach

(Same registration, monitoring & control process diagram and sample record layout as page 15, overlaid with three automation phases: Automation Ph 1, Automation Ph 2, Automation Ph 3.)

Page 21

(Slide repeats page 19: HCSC Risk Management Efforts: Define & Execute Action Plan, long term and ongoing/intermediate mitigation objectives.)

Page 22

Q & A

Page 23

Appendix A - Registration, Monitoring & Control Workflow

Registration, Monitoring & Control: Production, Monitoring and Control Phase - Overview (Version 4.9, 08/03/2010)

(Swimlane flowchart; recoverable steps below. Markers: R = Register/Document event, A = Automated step, M = Manual step.)

Trigger: Pre-Production phase completed

4.1) Inbound Validation (EDI, Proprietary; Reject processing; Adjudication; Remittance). Lane: Inbound, Extract Apps.
4.2) Outbound Data Application (claim adjudication, remittance, Extract Apps.). Lane: Outbound. (R)
4.3) Pre-Trans./Outbound Validation, automated in network servers (A). In Compliance? Yes -> 4.4; No -> 4.6
4.4) Transmit / Log Extract (A, R), to Trade Partners; Server Logging Applications write to the Log Archive
4.5) Periodic Post Production Evaluation (M), Tech. Analyst; External Process
4.6) Suspend Production Transmissions (R)

Page 24: Customer Imperative: Controlling the Complex World of Extract Transmissions Stephanie Pestrak HCSC 09/18/2010

Valid Agreement?

Registration, Monitoring & ControlPre-Authorization Phase - Overview

No

Trigger: New or Changed Request 1.2)

Review Business Agreement (B/A)

Registration Pre-Authorization - Registration Pre-Authorization -

R R

R = Register/Document Event in Registraton and Tracking System A = Automated Step M = Manual step N = Notification sent to originating request manager L = Log Event

Develop Test Extract / Network

Connection

Develop Test Extract / Network

ConnectionR

1.3) Verify Policy Compliance In Compliance

No

R A R

Account support

Metadata Level: Business, Data, Network

1.1) Enter Trading Partner Transmission

Request

R M

Denial Notificaton N

Business & Technical Mgr.

Version 4.9 08/03/2010

M

B/A reviewer

24

Appendix A -Registration, Monitoring & Control Workflow

Page 25

Appendix A - Registration, Monitoring & Control Workflow

Registration, Monitoring and Control: Development Phase - Overview (Version 4.9, 08/03/2010)

(Swimlane flowchart with lanes for Senior Business Analyst, Development Team, Network Engineering, Network/Information Security, ITSM Change Mgmt., Change Authorization Board and Technical Analyst; recoverable steps below. Markers: R = Register/Document event, A = Automated step, M = Manual step, N = Notification.)

Trigger: Approved Request

2.1) Data Structure Re-Use Determination (Senior Business Analyst; R, M). Determine re-use: Use Existing Layout? Yes / No; No -> 2.2,3.
2.2,3) Develop New Data Structure (Development Team; R).
2.4) Configure Network Connectivity (Network Engineering; R, M). New/changed Connectivity? Yes -> Test Connection, Network Implementation. In Compliance? Yes / No.
2.5) Information Security Approval process (Network/Information Security; R, M/A). Data Envelope / Transmission Connection Approval. In Compliance? Yes / No; No -> Requestor Notification (N).
2.6) ITSM Change Management (ITSM Change Mgmt.; R, M/A). Test Environment Review.
2.7) CAB Review (Change Authorization Board; N, M, R).
2.9) Build/Test transmission application (Development Team; R). Transmission Testing (Technical Analyst). Acceptance -> Pre-Production Phase.

Page 26

(Slide repeats page 25: Appendix A - Registration, Monitoring & Control Workflow, Development Phase - Overview.)

Page 27

(Slide repeats page 23: Appendix A - Registration, Monitoring & Control Workflow, Production, Monitoring and Control Phase - Overview.)