HIPAA Security Risk Analysis Baystate Health System ~ A Case Study ~ Information Security Officer & HIPAA Project Manager

Transcription

1 HIPAA Security Risk Baystate Health System ~ A Case Study ~ Presented by Jim DiDonato Information Security Officer & HIPAA Project Manager

2 Agenda Description of Baystate Strategy for Risk Analysis Researching HIPAA Risk Analysis Decision Time Do it in-house, externally or with software tool Vendor Selection Process On-site vendor work Off-site vendor work Results Lessons Learned

3 Description of Baystate 699 beds 572 Baystate Medical Center, Springfield, Ma 96 Franklin Medical Center, Greenfield, Ma. 31 Mary Lane Hospital, Ware, Ma. Also include: numerous outpatient facilities and programs, an ambulance company, home care and hospice services, employed primary care provider group with multiple sites 9,000 employees in Mass, Ct, Vt & NH $1.4 billion gross revenue Named one of the nation s top 50 integrated healthcare networks

4 Strategy for Risk Analysis Self-education ~ What is it that I need to do? Follow NIST ~ Not required, but best practice Scope: Entire health system & ephi as well as sensitive business information Use Final Recommendations in Workplan Pre-April 05 completion Post-April 05 completion Use new skills for future risk management plan ~ On-going compliance

5 Researching HIPAA Risk Analysis (climbing the learning curve) Read NIST Special Publication , Risk Management Guide for Information Technology Systems Attend conferences and WEDI/SNIP RSA workshops New England HIPAA Workgroup (NEHW) Held conference calls with consultants & software vendors ~ with Baystate team

6 Decision Time Do it in-house, externally or with software tool? Considered availability of internal staff support Considered skill set of internal staff support Considered cost & availability of funding Considered internal, competing HIPAA security and organizational initiatives Considered software options and consultant firms Decision ~ Engage outside consulting firm

7 Vendor Selection Process Build skill-set for internal 4-member team Reviewed sample risk analysis proposals, statements of work and final deliverables from consulting firms Provided potential firms with Baystate s IT & Organizational profile Developed RFP for half dozen firms based on initial conference calls Developed comparison table Conducted reference checks Held follow-up discussions with consulting firms

8 On-site vendor work Team of consultants Held initial Kick-off meeting early Monday morning for selected IT & client staff/managers Full week of interviews & facility tours Internal network vulnerability scans Modem sweeps Additional information gathering Policies Network diagrams Sample forms and other documents requested during interviews.

9 Off-site vendor work Review & analyze documentation External vulnerability testing Develop final deliverables Identify security risk to IT assets, including Electronic protected health information Business Data IT infrastructure components A documented risk analysis covering both EPHI and business data Identification of threats, vulnerabilities, likelihood of threat occurrence Documentation of current safeguards in place Recommendations to remediate vulnerabilities and to address risk Description of the impact of each recommendation Prioritized Recommendations A work plan outlining the steps and estimated costs for completing any remediation (risk management plan)

10 Results 1 undocumented WAP Windows server admin accounts with blank passwords MSSQL admin accounts with blank passwords 4 default FTP accounts Rogue modems (PCAnywhere) Medical Records moved by courier without sufficient tracking & receipt Risk Mgmt & Facilities Planning Depts not integrated into business resumption planning No media classification policy

11 Lessons Learned Learn as much as you can about the standards NIST, Octave, etc. and the Various consulting firm methodologies What s the difference in scope, staffing, report, etc What altitude are they working at (50,000 ft? 5,000 ft?) Ensure internal team skill-set & communication Understand the detailed plans & duration of the on-site visit ~ week by week Ensure you can provide close supervision & have knowledge sharing ~ learn from the experience.

12 Contact Information Jim DiDonato Information Security Officer & HIPAA Project Manager Phone: (413)