Upload
cole-farrell
View
220
Download
4
Tags:
Embed Size (px)
Citation preview
Customer Imperative: Controlling the Complex World of Extract Transmissions
Stephanie Pestrak
HCSC
09/18/2010
2
Customer Imperative: Controlling Extract Transmissions
Headline News:Identify Theft & Resource Center: 113 of 385 U.S. companies and organizations endure large databreach first half of 2010 are healthcare providers1.2.
How can we mitigate risk in our own organizations?
31) WWW.INTERNETNEWS.COM2) Includes non health care insurers – e.g. institutions, practitioners
Outbound Extract Transmissions Organization Risks
-
• Organization Risks - Why should you care about managing outbound extract transmissions in the health care industry?
• Share HCSC’s efforts in addressing risks• Q & A
4
Workshop Objectives
The HCSC Family of Companies
Other Subsidiaries and Joint Ventures
Life, Disability and Annuities
Dental
Our Mission: Promote the health and wellness of our members and communities through accessible, cost-effective, quality health care
To HCSC, outbound data transmission risk means…
Outbound Extract Transmissions Organization Risks
Potential for incident of data breach in
transferring data to a third party.
An incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.1
1) SecuritySearch.com
Outbound Extract Transmissions
Organization Risks
Total Occurrences Total by Category
Risk Category of FilesCount
Percent of Total Count Count
Percent of Total Count
Claims 21,946 66% 718 40%
Membership 3,669 11% 177 10%
Eligibility 3,152 10% 441 24%
Informational 1,710 5% 196 11%
Financial 1,266 4% 77 4%
Provider 671 2% 73 4%
HCSC Data 351 1% 41 2%
Misc 377 15 86 5$
Total: 33,142 100% 1,809 100%
Monthly Volume of Outbound Transmissions:
Risk of exposure due to lack of consistent tracking and management of outbound large scale extracts transmitted with PHI, PII or other sensitive data.
Possible impacts include: Brand Customer retention Possible legal fees and penalties
• Estimated at $204 per transaction• Most expensive data breach cost about $31M• Least expensive data breach cost was about $750K
Internal operation costs for investigation & recovery
Outbound Extract Transmissions
Organization Risks
Increased Impact to Industry due to Recent LegislativeAction:
Outbound Extract Transmissions
Organization Risks
Recent legal fines implemented November 2009 Through American Reinvestment & Recovery Act(ARRA):
Up to $1.5 Million per occurrence Incident must be reported to media if affected parties
exceeds 500 Employees of health care providers can now be held
personally liable Civil suits may be brought on behalf of individuals or
patients
The Office of Civil Rights is staffing up for amore proactive enforcement
• High Profile Breaches ReportBreaches Listed in Alphabetical Full Information on a breach may be found in the ITRC Breach Report by searching for the ITRC Breadc!D#ITRC Breach #Company or AgencyStatePublish DateBreach TypeBreach CategoryRecords Exposed?Records #_____________________________________________________________________________________________________________ITRC20091111-01^TD Ameritrade (advisory only)US10/27/2009ElectronicBusinessNone - Other 0In September 2007, Ameritrade announced that the names, addresses, phone numbers and trading information of potentially all of its more than 6 million retail and institutional customers at that time had been compromised by an intrusion into one of its databases. Thestolen information was later used to spam those customers. Consistently the company has said that while SSNs were in that same database they have investigated the situation and has affirmed that SSNs were not compromised. ITRC has confirmed with a source that worked with Ameritrade on this breach that SSNs were not breached. This is not a breach by ITRC criteria but is listed as an advisory only due to media attention._________________________________________________________________________________________________ITRC20091123-09ACORNCA11/23/2009Paper DataBusinessYes - Unknown #0A private investigator in San Diego found thousands of sensitive documents dumped outside a California ACORN (Association of Community Organizations for Reform Now) office on October 9, just days after the state attorney general announced an inquiry into the community organizing group. "We're talking people's driver's license numbers, dates of birth, Social Security numbers, credit cardnumbers, bank account numbers, tax returns, credit reports" — all tossed in public view in the Dumpster, the investigator said._________________________________________________________________________________________________ITRC20081111-02AIG - Medical Excess LLCUS
10
Increased Impact to Organization thru High Visibility of Breaches -From Identity Theft Resource Center (ITRC) web site:
Outbound Extract Transmissions Organization Risks
11
Outbound Extract Transmission HCSC Risk Management Efforts
1) Established Goals
2) Assessed Needs
3) Defining and Executing Action Plan
Established Goals - Applying an Enterprise Maturity Model
12
Outbound Extract Transmission
HCSC Risk Management Efforts
HCSC Risk Management Efforts Established GoalsApplication of an Enterprise Maturity Model
13Level 1 – Initial No standard processes followed for registration, tracking & monitoring No automation options for registration, tracking & monitoring
Level 2 – Repeatable Partial standard processes followed for registration, tracking & monitoring with ability to
implement across multiple areas Partial automation options for registration, monitoring and control
Level 3 – Defined Department level standard processes followed for registration, tracking & monitoring Department level automation options applied for registration, monitoring and control Department level common layout use enabled
Level 4 – Managed Enterprise standard processes adhered to for registration, monitoring & tracking Enterprise automation of registration, monitoring & tracking Enterpirise common layout use at enterprise level enabled and enforced
Level 5 – Optimized Edit check of internal file characteristics at transmission and recipient verification points at data element
level – vertical & horizontal Automated integration of common layouts for new requests Optimized use of pull opportunities for data to reduce extracts
14
HCSC Risk Management Efforts Assessed Needs
Key capability areas of extract transmission management:
Registration, Tracking & Controlling
Ongoing Monitoring
Audit & Follow Up
Num Data Element
Char
1 Claim ID X(16)
2 Claim Type
X(4)
3 Claim Amt 11v9(2)
15
Request
Registration
Trigger: Customer request for new or changedtransmission or data
Validate
Contract, TPA
Approve
Request
Bus reason
Bus owner
Phi, spi
Frequency
Approved status
…
Verify Existing Layout
Develop & Test
Transmission
Verify Registered
Transmission Approve
Transmission
Bus reason
Bus owner
Phi, spi
Frequency
…
Bus reason
Bus owner
Phi, spi
Frequency
Physical File Name
IP address
Protocol
Approved status
…
Bus reason
Bus owner
Phi, spi
Frequency
Physical File Name
IP address
Protocol
Approved status
…
`
HCSC Risk Management Efforts Assessed NeedsSample Registration, Monitoring & Control Process
16
Results identified need for enterprise initiative to:Establish governance process to centralize data exchange including registration, monitoring and logging functionsSelect and implement a third party product or hosted solution to provide for enterprise management of electronic exchange informationDesign a data reconciliation and consolidation solution to optimize management of extract formats
HCSC Risk Management Approach Assessed Needs
“ Weak human + machine + better process was superior to strong computer alone
and, more remarkably, superior to a strong human + machine + inferior process.“1
- Gary Kasporov, former world chess champ’s observation on tournament amatuer winners’
approach in beating IBM’s Deep Blue
17
HCSC Risk Management Efforts Define & Execute Action Plan
Emphasis on solution addressing integration of people, process & technology:
1) Chess Metaphors: Artificial Intelligence and the Human Mind, Diego Rasskin-Gutman, 2009, Massachusetts Institute of Technology
18
HCSC Risk Management Efforts Define & Execute Action Plan
Emphasis on solution addressing integration of people, process
& technology:
Information Security
Business Partners
Enterprise Information StrategicManagement
Information Technology Audit
Governance Processes
Enterprise Information Delivery
Application
Development
Enterprise
Architect
SolutionsEnterprise Infrastructure
Program Management
Enterprise Workflow Automation
Long Term Mitigation Objectives Build and implement point to point enterprise solution for automated extract transmission management
from customer extract requests through transmission control and monitoring
Ongoing/Intermediate Mitigation Objectives- Build enterprise registration inventory of approved extract transmissions for 100% of inventory for use in extract management and tracking solution
- Conduct thorough policy review and revisions where needed to ensure proper practice in extract transmissions
- Ongoing de-activation of inactive IP firewalls and obsolete transmissions with supporting audit process
- Define enterprise process and procedures for guidance for following standardized tracking and monitoring process1
1) See Appendix A
19
HCSC Risk Management Efforts Define & Execute Action Plan
Num Data Element
Char
1 Claim ID X(16)
2 Claim Type
X(4)
3 Claim Amt 11v9(2)
20
HCSC Risk Management Efforts Define & Execute Action Plan
Sample Phased Approach
Request
Registration
Trigger: Customer request for new or changedtransmission or data
Validate
Contract, TPA
Approve
Request
Bus reason
Bus owner
Phi, spi
Frequency
Approved status
…
Verify Existing Layout
Develop & Test
Transmission
Verify Registered
Transmission Approve
Transmission
Bus reason
Bus owner
Phi, spi
Frequency
…
Bus reason
Bus owner
Phi, spi
Frequency
Physical File Name
IP address
Protocol
Approved status
…
Bus reason
Bus owner
Phi, spi
Frequency
Physical File Name
IP address
Protocol
Approved status
…
`
Automation Ph 2 Automation Ph 1 Automation Ph 3
Long Term Mitigation Objectives Build and implement point to point enterprise solution for automated extract transmission management
from customer extract requests through transmission control and monitoring
Ongoing/Intermediate Mitigation Objectives- Build enterprise registration inventory of approved extract transmissions for 100% of inventory for use in extract management and tracking solution
- Conduct thorough policy review and revisions where needed to ensure proper practice in extract transmissions
- Ongoing de-activation of inactive IP firewalls and obsolete transmissions with supporting audit process
- Define enterprise process and procedures for guidance for following standardized tracking and monitoring process1
1) See Appendix A
21
HCSC Risk Management Efforts Define & Execute Action Plan
Q & A
22
Appendix A -Registration, Monitoring & Control Workflow
Registration, Monitoring & ControlProduction, Monitoring and Control Phase - Overview
4.3)
Pre-Trans. /Outbound Validation
Automated in Network Servers
R
Suspend Production Transmissions
4.6)
NO
A
A
Trigger: Pre-Producton phaseCompleted
ExternalProcess
Periodic Post ProductionEvaluation
Transmit /Log Extract
R
4.4)
4.5)
M
Server Logging Applications
Tech. Analyst
A
Log Archive
Version 4.9 08/03/2010
4.1 Inbound Validation EDI, Proprietary ------------------------ Reject processing ------------------------ Adjudication ------------------------ Remittance
To Trade Partners
Outbound
R
Yes
No
Outbound DataApplication(clm adjud., remittance,Extract Apps. )
In Compliance
4.2)
Inbound
Extract Apps.
23
Valid Agreement?
Registration, Monitoring & ControlPre-Authorization Phase - Overview
No
Trigger: New or Changed Request 1.2)
Review Business Agreement (B/A)
Registration Pre-Authorization - Registration Pre-Authorization -
R R
R = Register/Document Event in Registraton and Tracking System A = Automated Step M = Manual step N = Notification sent to originating request manager L = Log Event
Develop Test Extract / Network
Connection
Develop Test Extract / Network
ConnectionR
1.3) Verify Policy Compliance In Compliance
No
R A R
Account support
Metadata Level: Business, Data, Network
1.1) Enter Trading Partner Transmission
Request
R M
Denial Notificaton N
Business & Technical Mgr.
Version 4.9 08/03/2010
M
B/A reviewer
24
Appendix A -Registration, Monitoring & Control Workflow
Appendix A - Registration, Monitoring & Control Workflow
Registration, Monitoring and ControlDevelopment Phase - Overview
Use Existing Layout
2.4 Configure
Network Connectvity
In Compliance
2.9 Build/Test
transmissiion application
Network Connectivity
Acceptance
Pre-Production Phase
YES
Network/Information Security
Senior Business Analyst
Development Team
Data Envelope / Transmission Connection Approval
DETERMINE RE-USE
Transmission Testing
R
R
RM/A
M/A
RTechnicalAnalyst
Trigger: Approved Request
2.1) Data Structure Re-Use Determination
R
M
2.6ITSM ChangeManagement
Test EnvironmentReview
Development Team
Network Implementation
Development Team
Senior Business Analyst
2.5 Information
Security Approval process
In Compliance
R
Yes
M
No
Yes
Change Authorization Board
RequestorNotification N
ITSM Change Mgmt.
N NM R
2.7CAB Review
Test Connection
Network Engineering
yes
yes
New/changedConnectivity
No
Yes
R
R M
R
2.2,3Develop New Data
Structure
R
Version 4.9 08/03/2010
No
Yes
25
Registration, Monitoring and ControlDevelopment Phase - Overview
Use Existing Layout
2.4 Configure
Network Connectvity
In Compliance
2.9 Build/Test
transmissiion application
Network Connectivity
Acceptance
Pre-Production Phase
YES
Network/Information Security
Senior Business Analyst
Development Team
Data Envelope / Transmission Connection Approval
DETERMINE RE-USE
Transmission Testing
R
R
RM/A
M/A
RTechnicalAnalyst
Trigger: Approved Request
2.1) Data Structure Re-Use Determination
R
M
2.6ITSM ChangeManagement
Test EnvironmentReview
Development Team
Network Implementation
Development Team
Senior Business Analyst
2.5 Information
Security Approval process
In Compliance
R
Yes
M
No
Yes
Change Authorization Board
RequestorNotification N
ITSM Change Mgmt.
N NM R
2.7CAB Review
Test Connection
Network Engineering
yes
yes
New/changedConnectivity
No
Yes
R
R M
R
2.2,3Develop New Data
Structure
R
Version 4.9 08/03/2010
No
Yes
26
Appendix A -Registration, Monitoring & Control Workflow
Registration, Monitoring & ControlProduction, Monitoring and Control Phase - Overview
4.3)
Pre-Trans. /Outbound Validation
Automated in Network Servers
R
Suspend Production Transmissions
4.6)
NO
A
A
Trigger: Pre-Producton phaseCompleted
ExternalProcess
Periodic Post ProductionEvaluation
Transmit /Log Extract
R
4.4)
4.5)
M
Server Logging Applications
Tech. Analyst
A
Log Archive
Version 4.9 08/03/2010
4.1 Inbound Validation EDI, Proprietary ------------------------ Reject processing ------------------------ Adjudication ------------------------ Remittance
To Trade Partners
Outbound
R
Yes
No
Outbound DataApplication(clm adjud., remittance,Extract Apps. )
In Compliance
4.2)
Inbound
Extract Apps.
27
Appendix A -Registration, Monitoring & Control Workflow