University Health Care System 1 HTM 660 Systems Management and Planning May 2014.


University Health Care System

HTM 660 Systems Management and Planning

May 2014

• Introduction/Purpose

• Background

• Process Utilized

• Chart linking projects to HCO’s strategies and goals

• Prioritized Portfolio with Budget

• Tactical Plan

• Questions & Answers

Introduction/Purpose/Background

The project steering committee is requesting approval for the acquisition of the FireEye security system.

Objective - To prevent a repeat of the data breach our organization recently experienced, in which thousands of patients’ health records were accessible online, our project will focus on acquiring a high-level security software application called FireEye.

The software product, FireEye, will meet all of the needs of the project.

Project Steering Committee

• CIO

• CFO

• CNA

• Project manager

• Representatives from nursing, medical assistants, and office manager.

• IT support will be engaged in the last phase of implementation.

Background

• HIPAA Violation

• Post Breach Response

• Record $4 Million Settlement

• Preventative Action Plan

Scope of Work

FireEye: 95% of All Networks are Compromised (FireEye.com)

•Upgrade Current Security System

•Server Upgrade

•Integration Timeline

•Project Measurement and Budget

•Maintain - Speed, Accuracy, Protection for clinicians’ and patients’ data

Scope of Work Continued

• Timeline - 1 Year, 3 Phases, Fiscal Year 2015

• Department Needs - Representatives from all sectors

*Our project team is dedicated to delivering advanced data threat protection for patients’ health information by acquiring FireEye for use throughout the University Health Care system.

Deliverables

•Ensure communication modes and data storage points, including web browsing, email, content security, endpoint security, and forensic analysis, are secure.

•Develop New Protocol - Firewall, Virus scanner, Reporting

•Universal adoption of FireEye technology in every hospital and medical center, which would enable a uniform standard of security across the healthcare system.

•Measured - Decrease % Leaks, Increase Security, Decrease Organizational Liability, Increase % Leaks Identified at Stage 1

Deliverables Continued

• High % of staff who use the system successfully

• Low incidence of lost data

• Physical modes of security can still be implemented: security guards monitor computers; all employees must change passwords every three months; all staff must file a report for every breach.

• Finally, these reports must be filed with HIPAA authorities in a timely manner after the incident.

• FireEye is believed to be a means to make EHR data more secure and breaches more easily identified.

Timeline

Task Deadline

Analysis and contracting September-15-2014

Hardware and software installation October-01-2014

Registration interface November-03 -01

Update EHR system December-01-14

Staff Training December-15-14

System set up January-05-2015

IT staff training January-12-2015

Go live date January-20-2015

Budget Highlight

Project Name Operating Cost

Capital budget $100,000

Software $30,000

Hardware $15,000

Access points $10,000

Operation Maintenance cost $10,000

First year services $15,000

Security guard on computer $6,500

Simulation test (trial period) $5,000

Staff training $8,500

Major Stakeholders

•Project Manager

•Project Steering Committee

•C Level Executives

•Current IT Staff

•New IT Staff

•FireEye Vendor Solutions Team

Project Support and Authority

•All hospital executives (CEO, CIO, CFO) are responsible for making policies to keep the system compliant with HIPAA regulations.

•The entire IT department must develop and maintain a tightly monitored electronic information system employing a firewall, antivirus software and two-factor authentication for access.

•Finally, all hospital staff, all the way down to the custodial staff, must remain vigilant of their own and others’ behavior. Any unauthorized verbal or written sharing of patient information must be immediately reported, and the offending employee given a warning or reprimand.

*The system encourages that proper resources be maintained post-procurement of information systems. Without access to support, a fall could occur.

Assumptions and Dependencies

•University Health Care employees are willing to change business operations to take advantage of the functionality offered by the new FireEye security technology.

•Management will ensure that project team members are available as needed to complete project tasks and objectives.

•The project team will participate in the timely execution of the FireEye Project Plan (i.e., focus meetings when required).

Assumptions and Dependencies Continued

•Failure to roll out the new security system within the time specified in the project timeline will result in project delays.

•Project team members will adhere to all project guidelines.

•Mid and upper management, including nurse management leaders, will foster support for the project goals and objectives.

•The FireEye Project Plan may change as new information and issues are revealed.

Constraints

• Project funding sources are limited.

• Due to the estimated budget cost, resource availability is inconsistent.

• Internet connections could be slowed by the newly implemented security system.

Known Risks

• Cost - $100,00 per Installation

• Operating Costs & Hidden Costs

• Additional Risks Unknown

*Furthermore, access is never 100% secure. The system is designed to be highly accessible to authorized users, but must be closely guarded against unauthorized use. If a password leaks, a logged-in computer is left unattended, or any patient information is written on paper and left unattended, this could constitute a security breach, even with FireEye. If any part of confidential patient information (no matter how small) is leaked, it constitutes a breach of patient privacy.

Procurement Items

• Identifying relevant information systems

•Conducting a risk assessment

• Implementing a risk management program

•Acquiring IT systems and services

•Creating and deploying policies and procedures

Creating and Deploying Policies and Procedures

• All policies and procedures will be refreshed post-acquisition, allowing staff time to assimilate new critical measures.

• New items will align with HIPAA regulations and also take into account any new software or hacking-awareness lessons from recent retail data breaches in a sister industry.

• Content can be procured and distributed in a wide variety of ways across the internet; the challenge will be to learn from those around us in creating a new set of privacy policies and procedures to protect patients.

Q/A

Thank You
