Clearwater HIPAA Compliance BootCamp™
Beauty In Breaches“One Organization’s Journey”
Presented byMeredith R. Phillips, MHSA, CHC, CHPC
Chief Information Privacy & Security OfficerHenry Ford Health System
Founded in 1915 and comprised of◦ 5 Acute Care Facilities (Approx. 2000+ beds)◦ Substance Abuse Facility ◦ Behavioral Health Facility◦ Approx. 31,000 workforce members (FTEs, Contract, etc.)◦ 1300+ Member Medical Group ◦ 900+ Member Physician Network (Non-Employed & Private Practice)◦ Health Plan serving approximately 640,000 members◦ Home Health, Retail Pharmacy, Optical Care, Hospice, Occupational
Health, Extended Care Divisions
In 2011◦ Awarded the prestigious Malcolm Baldrige National Quality Award
2
THE HFHS LANDSCAPE
3
BREACH (2010)
Physician’s Assistant leaves office door open so his secretary can get
peanuts to snack on while he was at a meeting. His unencrypted non-IT purchased laptop was stolen along
with the patient information of approximately 4000 patients.
Reported this incident to the CEO, COO & Board alerting them that this will be a media reportable data breach
Pulled together loosely developed teams to respond to the data breach with no external breach support
Conducted a Root-Cause Analysis to determine the program gaps and support necessary to strengthen the privacy & security program
Effectively shared with the Executive Leadership that this is more “cultural” than it is “procedural”
Shared with the Board that our incident history shows that we will have more of these reportable incidents in the future
4
OUR RESPONSE
5
BEAUTIFUL RESULT #1
Restructured Privacy & Security Program and Revised
Purchasing Processes
IPSO MISSIONTo establish a system-wide culture of
confidentiality through education, accessibility, and a customer focus where privacy & security is
viewed as paramount in our daily operations.
HFHS MISSIONTo improve people's lives through excellence in the science and art of
health care and healing.
MISSION & VISION
6
IPSO VISION
Cultivating a collective mindset where protecting privacy & security is a part of our
standard of care
HFHS VISION
Transforming lives and communities through health and wellness - one
person at a time.
7
Information Privacy Program
Enterprise Risk
Assessment Program
Information Security Program Incident Response Program
Information Privacy & Security OfficePolicy Development, Education, Access Controls
Administration, Business Associate Management, Patient Rights Management
IPSO PROGRAM STRUCTURE
Any routine investigations and incidents that may result in a breach must be forwarded to the IPSO for a Code A(ssessment) and potential Code B(reach) Alert
Investigations are led by the IPSO in conjunction with operational management and Human Resources
All investigative documentation (i.e., notes, interview transcripts, audit logs, etc.) should be stored in our centralized repository to ensure the ability for metric reporting and auditing
Corrective Action always recommended by the IPSO in accordance with the outcome of the investigation◦ Application of corrective action is consistent across business units and
employee types
Re-education required for the entire department within 30 days of investigation closure not just the offender
CENTRALIZED INVESTIGATIVE PROCESS
8
Workgroups established to address issues or topics of interest:
◦ The HFHS Privacy & Security Council is an
oversight council that approves System policies and procedures related to privacy & security regulations
◦ The Code B Alert Team is a rapid-response workgroup established to centrally respond and manage all System data breaches
◦ The Office for Civil Rights Response Team will review all OCR data requests related to privacy & security violations and respond on behalf of the System and/or specific business unit
9
IPSO COUNCILS & RESPONSE TEAMS
IPSO
Worked with our partners is Supply Chain, Corporate Legal Affairs, Accounts Payable and Physician Relations to create a framework that would require additional sign-offs before IT Equipment can be purchased◦ Policy/Process Revisions◦ Policy Re-Education for Senior Staff & Mid-Level Providers◦ System wide communication provided to all workforce members to raise
awareness
Senior Staff and Mid-Level Providers have been prohibited from purchasing any IT equipment with their professional development accounts
Properly purchased IT equipment must be delivered to the Information Technology Department to ensure proper security protocols are enforced
Accounts Payable will not reimburse for any equipment not “signed-off” by the Information Privacy & Security Department
PURCHASING PROCESS CHANGES
10
11
BREACH (2011)
Pharmacy resident lost his unencrypted flash drive in the McDonald’s parking lot. The
flash drive stored a spreadsheet of compiled patient information of approximately 4000 patients.
Reported this incident to the CEO, COO & Board again ◦ Compared the list of affected patients to see if we had any frequent
flyers…we did!◦ Immediately called the COO and informed him that he will have the
pleasure of calling these patients directly.
Realized that we needed help and contacted an external breach response partner that assisted in decreasing our response and notification time: 56 days to 18 days
Conducted a Root-Cause Analysis again to determine the program gaps
Reinforced again with the Executive Leadership that this is more “cultural” than it is “procedural”
12
OUR RESPONSE
13
BEAUTIFUL RESULT #2
Branded Programs, Initiatives & Communication Plans
Code A(ssessment) Alerts◦ Alerts issued by the Information Privacy & Security Office led by the Chief
Information Privacy & Security Officer
◦ Communication limited to the Information Privacy & Security Office, Public Relations, Corporate Legal Affairs, Risk Finance & Insurance and affected Business Unit Privacy and Security Champions
◦ Alert provides a summary and initial analysis of potential data breach
◦ Includes initial data analysis culminating in an official breach risk assessment to determine if an actual breach has occurred
◦ Once a “Breach” has been called, the Code B Alert (Rapid Response) Team assembles to respond to the breach
CODE B ALERT PROGRAM
14
Code B(reach) Alerts◦ Issued and managed by the Information Privacy & Security Office for all
media reportable data breaches or data breaches with significant risk
◦ Branded communication plan consistently utilized throughout the system and managed corporately instead of at the business unit level
External: Includes the notification to the prominent media outlets and OCR
Internal: Typically includes a copy of the communication to the patients, FAQs about the breach and instructions for forwarding patient inquiries to toll-free call center
◦ Requires immediate attention by all System leadership
and should be shared with staff
◦ All Code B Alerts are active for a 90 day period
CODE B ALERT PROGRAM
15
Branded System wide program coordinated by the IPSO to safeguard “system” information
Phase I: Targeted portable storage devices◦ Required employees to visit one of 20 “IT staffed” stations to turn in all
personal flash drives for our approved IronKey solution; register any portable hard drives or personal laptops for follow-up by IT
◦ Employees could enter a drawing for an iPad 2 by completing a crossword puzzle based on our privacy & security policies
◦ Removed 5000 flash drives in 4 weeks
Phase II: Targeted “culture” through educational modules (97%) Phase III: Focused on reducing our printer “unsecured” footprint Phase IV: Targeted the culture again to reinforce HITECH/Omnibus (98%) Phase V: BYOD & Mobile Device Management
16
THE iCOMPLY PROGRAM
17
BREACH #3 (2011)
FDA approved iMac device was stolen from a secured infectious
disease research lab as a result of a door being propped open while the employee ran to the restroom. This device stored the testing results for
520 HIV/AIDS patients.
Reported this incident to the CEO, COO & Board again ◦ Compared the list of affected patients to see if we had any frequent
flyers…we didn’t! Thank God!
Offered an internal reward of $5000 for the return of the device
Required the Research Administrator to co-sign the notification letter to the affected patients
Conducted a Root-Cause Analysis again to determine the program gaps
Reinforced again with the Executive Leadership that this is more “cultural” than it is “procedural” and communicated such to the all workforce members
18
OUR RESPONSE
19
BEAUTIFUL RESULT #3
Shifted the Culture Through Communication,
Education & Repetition
20
HOW DO WE COMMUNICATE OUR STRATEGY?Our Workforce• Morning Post Messages & System Emails – Scheduled to deliver key
privacy & security messages• Annual Mandatory Education – iComply & Job Specific• Privacy & Security refresher trainings conducted by the IPSO team• Manager’s Update – Monthly email to all leaders detailing key messages
Our Board Members• Quarterly privacy & security Board updates• Annual submission to the Trustee newsletter
Our Patients & Communities• “privateTALK” or “secureSPEAK” with the CIPSO – Scheduled chat
sessions where questions can be addressed in an online forum• Intranet Webpage, Internet Webpage & Social Media Sites
21
QUESTIONS
Meredith R. Phillips, CHC, CHPCChief Information Privacy &
Security Officer
Henry Ford Health SystemOne Ford Place, Suite 2A10
Detroit, MI 48202
Twitter: @mphillipschc