RISK MANAGEMENT PROCESS For Healthcare Organizations
Operating Snapshot
• Security is Not Optional: Starting this year, providers can be fined up to $1.5 million for a HIPAA violation.
• Large Number of Temporary Workers: The number of volunteers and third-party personnel supporting hospitals is so large that it is generally impossible to control access manually.
• Consumer Devices Need to be Secured: Clinicians are often overworked and intuitively bring in their own tools to improve productivity.
• Need to Adapt and Federate: Hospitals tend to rely on a multitude of applications, often hosted and managed by third-party vendors.
• Break Glass Functionality: Patient care is of utmost importance, hence access to patient data must be available in emergencies.
• Quick Switching: Clinicians on the floor typically share computers (and, most often, passwords).
We Know the Healthcare Environment
Common Risks
Data and Information Explosion: Data volumes are doubling every 18 months. Storage, security, and discovery around information context are becoming increasingly important.
Care Continuum: The chain is only as strong as its weakest link. Partners need to shoulder their fair share of the compliance load and of the responsibility for failure.
Patients Expect Privacy: There is now an assumption or expectation that security is integrated into the infrastructure, processes and applications to maintain privacy.
Compliance Fatigue: Organizations are trying to maintain a balance between investing in their security posture and in their compliance posture.
Emerging Technology: Virtualization and cloud computing increase infrastructure complexity. Web 2.0 and SOA-style composite applications introduce new challenges, with the applications themselves becoming a vulnerable point for breaches and attacks.
Wireless World: Mobile platforms are developing as a new means of identification. Their security technology is many years behind the security used to protect PCs.
Risk Management
People
• Drug Testing
• Background Testing
• NDAs
• HIPAA Compliance Training
Process
• Identify what needs to be audited and controlled
• Define who needs access to what
• Establish auditing and control processes
Tools
• Restricted physical access
• Restricted equipment access
• Restricted network access
• Restricted data access
• Email & Web Monitoring
People- Onboarding Checklist
Calance employees sign Non-Disclosure Agreements specific to the client.
Every employee signs a "Work for Hire" contract for the client, transferring the intellectual property to the client.
Background checks and drug testing
All Calance employees in the Healthcare COE have to go through background checks and 10-panel drug testing.
Calance HR maintains a chain of custody for all records.
Customers are provided a copy of the reports, if needed.
Onboarding Process
People- Training
Compliance Training
Calance uses an in-house LMS for training and skills assessment.
Every employee is required to complete mandatory HIPAA Compliance and Privacy training*.
At the end of the training, employees are prompted with test scenarios.
HIPAA compliance training can be scheduled periodically, based on client needs.
* Training material is sourced from certified trainers or based on client requirements: http://www.hhs.gov/ocr/privacy/hipaa/understanding/training/
Training
Tools- Restricted Office Space
Calance can create physical separation of staff in its Gurgaon (India) and Buena Park, CA offices.
Restricted office space uses biometric scanners and RFID cards.
Access to the restricted floor requires a PIN, changed periodically.
Single on-boarding and off-boarding process, shared with the client.
Data Center access requires additional approvals from System Engineering and a VP.
Tools- Network and Equipment
Network and Equipment Access
Healthcare clients are cordoned off in their own subnet.
Point-to-point encryption between the client network and Calance.
Encrypted hard disks and/or BitLocker.
All computers use client-specific software images.
No admin access to install personal software.
No access to USB ports.
No backup devices are allowed on the restricted floor.
Two-factor authentication is used to access the network.
Equipment& Access Control
TECHNOLOGY AND AUDITING
Process Overview
Administration & Auditing
Administration and Auditing
Calance has a 24x7 NOC in Buena Park, CA, monitoring infrastructure hosted in our data center, client locations, co-location facilities and the public cloud.
Systems Engineering works with the compliance and security architects to create Role Based Access.
Besides typical monitoring, the Calance NOC can audit emails and web traffic for any policy violations.
Federated Cloud Security Solutions
Calance employees are certified in architecting and setting up enterprise systems on Amazon EC2 and Microsoft Azure*.
*See HIPAA Compliant Hybrid Cloud Service Offering
Technology Partnerships
We have established strategic partnerships with the industry leaders for Identity & Access Management solutions in the Healthcare industry.
Calance has deployed custom solutions at reputed Healthcare organizations using these tools.
Process- Audit and Process Improvements
Calance employs an independent agency for a yearly audit of security procedures.
Current Certifications
CMM Level 5 and ISO 9001:2008 certified for quality and project management processes.
SSAE 16 Type II certified datacenter, help desk, application & desktop support.
Continuous Improvement
CONTACT US
Calance Healthcare Group
2018, 156th Ave NE, Suite 100
Bellevue, WA 98007
Gaurav Garg, Vice President
Email: [email protected]
Office: 425-605-0716
Cell: 818-620-0329
www.calance.com
866-736-5500 (Toll-Free)
Healthcare page: www.calanceus.com/solutions/healthcare/