THE HFHS LANDSCAPE
Clearwater HIPAA Compliance BootCamp™
Beauty In Breaches: "One Organization's Journey"
Presented by Meredith R. Phillips, MHSA, CHC, CHPC
Chief Information Privacy & Security Officer, Henry Ford Health System

THE HFHS LANDSCAPE
• Founded in 1915 and comprised of
  ◦ 5 Acute Care Facilities (approx. 2000+ beds)
  ◦ Substance Abuse Facility
  ◦ Behavioral Health Facility
  ◦ Approx. 31,000 workforce members (FTEs, contract, etc.)
  ◦ 1300+ member Medical Group
  ◦ 900+ member Physician Network (non-employed & private practice)
  ◦ Health Plan serving approximately 640,000 members
  ◦ Home Health, Retail Pharmacy, Optical Care, Hospice, Occupational Health, Extended Care Divisions
• In 2011
  ◦ Awarded the prestigious Malcolm Baldrige National Quality Award

BREACH (2010)
A Physician's Assistant left his office door open so his secretary could get peanuts to snack on while he was at a meeting. His unencrypted, non-IT-purchased laptop was stolen along with the patient information of approximately 4000 patients.

OUR RESPONSE
• Reported this incident to the CEO, COO & Board, alerting them that this would be a media-reportable data breach
• Pulled together loosely developed teams to respond to the data breach, with no external breach support
• Conducted a Root-Cause Analysis to determine the program gaps and the support necessary to strengthen the privacy & security program
• Effectively shared with Executive Leadership that this is more "cultural" than it is "procedural"
• Shared with the Board that our incident history shows we will have more of these reportable incidents in the future

BEAUTIFUL RESULT #1
Restructured Privacy & Security Program and Revised Purchasing Processes

MISSION & VISION
IPSO MISSION
To establish a system-wide culture of confidentiality through education, accessibility, and a customer focus where privacy & security is viewed as paramount in our daily operations.
HFHS MISSION
To improve people's lives through excellence in the science and art of health care and healing.
IPSO VISION
Cultivating a collective mindset where protecting privacy & security is a part of our standard of care.
HFHS VISION
Transforming lives and communities through health and wellness - one person at a time.

IPSO PROGRAM STRUCTURE
(Program structure chart) Information Privacy & Security Office: Policy Development, Education, Access Controls Administration, Business Associate Management, Patient Rights Management
◦ Information Privacy Program
◦ Information Security Program
◦ Enterprise Risk Assessment Program
◦ Incident Response Program

CENTRALIZED INVESTIGATIVE PROCESS
• Any routine investigations and incidents that may result in a breach must be forwarded to the IPSO for a Code A(ssessment) and potential Code B(reach) Alert
• Investigations are led by the IPSO in conjunction with operational management and Human Resources
• All investigative documentation (i.e., notes, interview transcripts, audit logs, etc.) should be stored in our centralized repository to ensure the ability to report metrics and audit
• Corrective action is always recommended by the IPSO in accordance with the outcome of the investigation
  ◦ Application of corrective action is consistent across business units and employee types
• Re-education is required for the entire department, not just the offender, within 30 days of investigation closure

IPSO COUNCILS & RESPONSE TEAMS
Workgroups established to address issues or topics of interest:
◦ The HFHS Privacy & Security Council is an oversight council that approves System policies and procedures related to privacy & security regulations
◦ The Code B Alert Team is a rapid-response workgroup established to centrally respond to and manage all System data breaches
◦ The Office for Civil Rights Response Team will review all OCR data requests related to privacy & security violations and respond on behalf of the System and/or the specific business unit

PURCHASING PROCESS CHANGES
• Worked with our partners in Supply Chain, Corporate Legal Affairs, Accounts Payable and Physician Relations to create a framework that requires additional sign-offs before IT equipment can be purchased
  ◦ Policy/process revisions
  ◦ Policy re-education for Senior Staff & Mid-Level Providers
  ◦ System-wide communication provided to all workforce members to raise awareness
• Senior Staff and Mid-Level Providers have been prohibited from purchasing any IT equipment with their professional development accounts
• Properly purchased IT equipment must be delivered to the Information Technology Department to ensure proper security protocols are enforced
• Accounts Payable will not reimburse for any equipment not "signed off" by the Information Privacy & Security Department

BREACH (2011)
A pharmacy resident lost his unencrypted flash drive in the McDonald's parking lot. The flash drive stored a spreadsheet of compiled patient information of approximately 4000 patients.

OUR RESPONSE
• Reported this incident to the CEO, COO & Board again
  ◦ Compared the list of affected patients to see if we had any frequent flyers…we did!
  ◦ Immediately called the COO and informed him that he would have the pleasure of calling these patients directly.
• Realized that we needed help and contacted an external breach response partner, which helped decrease our response and notification time from 56 days to 18 days
• Conducted a Root-Cause Analysis again to determine the program gaps
• Reinforced again with Executive Leadership that this is more "cultural" than it is "procedural"

BEAUTIFUL RESULT #2
Branded Programs, Initiatives & Communication Plans

CODE B ALERT PROGRAM
Code A(ssessment) Alerts
◦ Alerts issued by the Information Privacy & Security Office, led by the Chief Information Privacy & Security Officer
◦ Communication limited to the Information Privacy & Security Office, Public Relations, Corporate Legal Affairs, Risk Finance & Insurance and the affected Business Unit Privacy and Security Champions
◦ Alert provides a summary and initial analysis of the potential data breach
◦ Includes initial data analysis culminating in an official breach risk assessment to determine whether an actual breach has occurred
◦ Once a "Breach" has been called, the Code B Alert (Rapid Response) Team assembles to respond to the breach

CODE B ALERT PROGRAM
Code B(reach) Alerts
◦ Issued and managed by the Information Privacy & Security Office for all media-reportable data breaches or data breaches with significant risk
◦ Branded communication plan consistently utilized throughout the System and managed corporately instead of at the business unit level
  External: Includes the notification to the prominent media outlets and OCR
  Internal: Typically includes a copy of the communication to the patients, FAQs about the breach and instructions for forwarding patient inquiries to the toll-free call center
◦ Requires immediate attention by all System leadership and should be shared with staff
◦ All Code B Alerts are active for a 90-day period

THE iCOMPLY PROGRAM
Branded System-wide program coordinated by the IPSO to safeguard "System" information
• Phase I: Targeted portable storage devices
  ◦ Required employees to visit one of 20 "IT-staffed" stations to turn in all personal flash drives for our approved IronKey solution, and to register any portable hard drives or personal laptops for follow-up by IT
  ◦ Employees could enter a drawing for an iPad 2 by completing a crossword puzzle based on our privacy & security policies
  ◦ Removed 5000 flash drives in 4 weeks
• Phase II: Targeted "culture" through educational modules (97%)
• Phase III: Focused on reducing our "unsecured" printer footprint
• Phase IV: Targeted the culture again to reinforce HITECH/Omnibus (98%)
• Phase V: BYOD & Mobile Device Management

BREACH #3 (2011)
An FDA-approved iMac device was stolen from a secured infectious disease research lab as a result of a door being propped open while the employee ran to the restroom. This device stored the testing results for 520 HIV/AIDS patients.

OUR RESPONSE
• Reported this incident to the CEO, COO & Board again
  ◦ Compared the list of affected patients to see if we had any frequent flyers…we didn't! Thank God!
• Offered an internal reward of $5000 for the return of the device
• Required the Research Administrator to co-sign the notification letter to the affected patients
• Conducted a Root-Cause Analysis again to determine the program gaps
• Reinforced again with Executive Leadership that this is more "cultural" than it is "procedural" and communicated this to all workforce members

BEAUTIFUL RESULT #3
Shifted the Culture Through Communication, Education & Repetition

HOW DO WE COMMUNICATE OUR STRATEGY?
Our Workforce
• Morning Post Messages & System Emails – scheduled to deliver key privacy & security messages
• Annual Mandatory Education – iComply & job-specific
• Privacy & Security refresher trainings conducted by the IPSO team
• Manager's Update – monthly email to all leaders detailing key messages
Our Board Members
• Quarterly privacy & security Board updates
• Annual submission to the Trustee newsletter
Our Patients & Communities
• "privateTALK" or "secureSPEAK" with the CIPSO – scheduled chat sessions where questions can be addressed in an online forum
• Intranet webpage, Internet webpage & social media sites

QUESTIONS
Meredith R. Phillips, CHC, CHPC
Chief Information Privacy & Security Officer
Henry Ford Health System
One Ford Place, Suite 2A10
Detroit, MI 48202
Twitter: @mphillipschc