1 Obtaining CSF Certification Lessons Learned and Why Do It Aaron Miri, Chief Technology Officer, Children s medical Center of Dallas Ryan Sawyer, Director, Technology Risk and Identity Governance, WellPoint Kurt Hagerman, Chief Information Security Officer, FireHost Andy Woods, Director, Regulatory Compliance and Risk, Availity HITRUST Health Information Trust Alliance
2 Obtaining HITRUST Certification Why obtain certification and lessons learned April 2014 Aaron Miri, Chief Technology Officer 2 Privileged and Confidential
3 Overview Why HITRUST certification Certification Process How did we get started? Lessons Learned
4 Overview Mission: To make life better for children Dallas, Texas Vision: Children s will be among the very best medical centers in the nation Background: Serves fourth largest metro area in U.S. Highest projected growth of pediatric population over next 20 years Three campuses: Dallas, Plano and Southlake with 559 licensed beds $1B in assets, $2B in gross revenue, AA3 bond rating Plano, Texas Over 5,000 employees and 1,000 physicians Over 100K inpatient days, 300K outpatient visits, 100K emergency visits Academic affiliation with University of Texas Southwestern Medical School Only Level I pediatric trauma center in North Texas (1 of 22 in U.S.) Only U.S. pediatric hospital with six Joint Commission disease-specific certifications Nursing Magnet status; <10% of hospitals in nation have achieved Southlake, Texas Top 10 children s hospital in nation (U.S. News & World Report 2009) IT Recognition: 2013 HIMSS Enterprise Davies Award of Excellence Winner HIMSS EMR Adoption Stage 7; first hospital in Texas to achieve this level Top 200 U.S. companies by InformationWeek 500 for IT HITRUST Common Security Framework Certification Most Wired by Hospitals & Health Networks eight times
5 Why HITRUST CSF Certification? The healthcare legislative landscape is constantly evolving Legislative Milestones: 2013: Health Insurance Portability and Accountability Act (HIPAA) / Health Information Technology for Economic & Clinical Health (HITECH) Omnibus Final Rule 2013: Breach Notification Rule 2013: Texas House Bill 300 (TXHB300) 2010: U.S. Department of Health and Human Services (HHS) Guidance on Risk Analysis Requirements under the HIPAA Security Rule 2009: American Recovery and Reinvestment Act (ARRA) / Health Information Technology for Economic & Clinical Health (HITECH) 1996: Health Insurance Portability and Accountability Act (HIPAA) 5 Privileged and Confidential
6 Why HITRUST Certification Fines for non-compliance can be several million dollars Clear framework : Common Security Framework (CSF) Integrate information security risk management into overarching enterprise risk management programs 1996 HIPAA 2009 HITRUST CSF 2009 HITECH ACT 2010 OCR Endorses HITRUST 2012 Texas HB Omnibus Final Rule 2013 THSA HITRUST Demonstrate controls for HIPAA Compliance
7 Certification Process: CSF Self-Assessment against CSF HITRUST reviews for recommendation Common Security Framework 3 rd party assessment Results submitted to HITRUST Update and implement needed changes Demonstration of Security Across an Organization
8 How did we get started? Leadership: It takes leadership from the top down in order to set the tone and the culture Concept: Must have buy-in at all levels of the organization, including the grassroots Funding: Organization must be willing to invest time and resources into people, processes, technology 8
9 Children s-specific milestones for CSF Availability and dedication of Children s resources to support Availability of relevant technical and non-technical staff for interviews and data gathering Onsite reviews of a sample set of MyChildren s Clinics, Carrollton Data Center, Dallas main hospital, and Boulder disaster recovery facility Ability to rapidly respond to inquiries from HITRUST regarding assessment and validation Organizational patience and significant investment 9
10 Lessons Learned Documentation: Key for every process Time: The process can be lengthy and resource intensive Savings: Once the processes are engrained your team is more efficient Culture: If you don t refine your organizational culture, CSF certification becomes extremely difficult Partnerships: Internal & external partnerships critical
11 HITRUST Panel: Obtaining Certification - Lessons Learned and Why Do It April 22, 2013
12 Why HITRUST for WellPoint Highly regulated industry resulting in multiple compliance programs Customers require extensive security questionnaires and audits Control requirements and interpretations may vary depending on standard and company CSF security framework aligns with healthcare industry requirements Consistent, structured, prescrip:ve and assures clients of our strong security prac1ces 12
13 WellPoint HITRUST Certification Journey Pre-Certification Assessment (late 2010/early 2011) Assessed against all CSF controls (135 at that :me) A number of opportuni:es for enhancement iden:fied. Priori:zed remedia:on ac:vi:es executed over a 24 month period 2013 Certification Assessment Assessed against 2013 CSF requirements u:lizing new MyCSF tool and assessment methodology Organiza:on factors required 282 baseline control statements across 19 domains New scoring and assessment model required 1,410 wrisen ra:ngs and responses 13
14 Lessons Learned Organizational Support Organiza:onal buy- in from the top- down is key given cross func:onal needs Cri:cal to sustain focus on importance of the CSF Communication Open channel between en:ty, assessor, and HITRUST is key to ensure consistent interpreta<on of requirements and expecta:ons Documentation Substan:al documenta:on requirements on en:ty Focus early to support a more efficient cer:fica:on cycle Formal Program HITRUST support program is necessary for long- term success and repeat cer:fica:ons 14
15 Recognized Value of HITRUST Certification Reputation Demonstrates focus on being a leader in the marketplace and trustworthy business partner Ins:ll greater customer confidence that their informa:on is protected Compliance Provide method for on- going compliance monitoring Ensures alignment and adherence to security related regulatory requirements Time and Cost Savings Reduces client and customer audit requests and internal assessment <me. Average cost avoidance of ~300K each :me cer:fica:on can be used in lieu of performing an external assessment requested by client or customer Recognized ~900K in cost avoidance in
16 HITRUST Certification The FireHost Journey Kurt Hagerman Chief Information Security Officer HITRUST April, 2014
17 HIMSS Lunch and Learn: Security PHI SPEAKER BIO Kurt Hagerman FireHost Chief Informa:on Security Officer Kurt Hagerman oversees all compliance related and security ini:a:ves. He is responsible for leading FireHost in asaining ISO, PCI, HIPAA and other cer:fica:ons, which allows FireHost customers to more easily achieve their own compliance requirements. He regularly speaks and writes on informa:on security topics in the payments and health care spaces as well as on cloud security. Kurt Hagerman Phone x8073
18 Who is FireHost? Value of HITRUST Certification
19 AICPA Service Organization Control Reports Secure Hosting Overview BEYOND COMPLIANCE FireHost s Security Validation Auditor and security assessment friendly infrastructure PCI DSS Compliant FireHost has been validated as a Level 1 Service Provider under PCI DSS for our services. Our validation includes specific PCI DSS controls on which customers can rely. SERVICE ORGANIZATIONS SOC aicpa.org/soc Formerly SAS 70 Reports SSAE 16 SOC 1 / SOC 2 FireHost has received SOC 1 Type 2, SOC 2 Type 2, SOC 3 and ISAE 3402 reports. These reports demonstrate the viability of FireHost s control program over time. HIPAA/HITRUST FireHost has been certified against the Common Security Framework (CSF) from the Health Information Trust Alliance (HITRUST) to address HIPAA security rule compliance requirements. ISO FireHost has received a certificate of approval for our control program against the ISO/IEC 27001:2005 standard for Information Security Management Systems.
20 HITRUST Certification A Look Inside: VALUE OF CERTIFICATION Why FireHost Got HITRUST Certified Security and Compliance are core values Third party attestation against a recognized controls framework focused on HIPAA security rule Added credibility to our security program Mapping of our controls to show how we help our customers achieve their own compliance with HIPAA Marketing and Sales Too many CSPs tout being HIPAA compliant with no proof Allows us to avoid the trust us we re compliant messaging we have a recognized certification Differentiation from competitors that has helped us win business
21 OBTAINING CSF CERTIFICATION LESSONS LEARNED AND WHY DO IT? Andy Woods Director, Regulatory Compliance and Risk Availity, LLC
22 BACKGROUND Founded in 2001, Availity is one of the largest health care information networks in the nation. The Availity Health Information Network extends to more than 350,000 active providers; 2,700 hospitals; 575 vendor partners; and, all health plans nationwide. 22 Availity, LLC. All rights reserved.
23 CSF AT AVAILITY Obtained HITRUST Certification in 2011 Just completed our second assessment cycle CSF internally used by: Information Security Privacy Compliance Risk Management Internal Audit 23 Availity, LLC. All rights reserved.
24 WHY DO IT? CSF is a robust platform that consolidates: Federal and state regulations Industry standards and best practices Trends in risk management Improves your ability to stay current: Regular updates by HITRUST to reflect changes to regulations, standards, and trends Provides a consolidated way to manage the multitude of changes Improves efficiencies: Criteria and baseline requirements guide in the interpretation of regulatory requirements and application to business processes Ensure all regulatory requirements and standards are considered in managing covered risks Saves time and resources in tracking regulatory changes Framework can be leveraged in responding to third-party audit requests Enables efficient onboarding of new employees Demonstrates to Availity s business partners the importance of privacy and security at Availity while supporting the flow of health care information 24 Availity, LLC. All rights reserved.
25 LESSONS LEARNED Where the value of the CSF is realized: Policy, process, and implementation is the foundation for a compliant business Measuring and managing to baselines is how you ensure compliance Efforts must be focused on measuring and bringing visibility to the effectiveness of processes HITRUST certification gives additional rationale for the business in upholding high standards Regulatory requirements are minimum expectations we are holding ourselves to higher standards 25 Availity, LLC. All rights reserved.
BS 11000 Collaborative Business Relationships It s your choice Your implementation guide BS 11000 - Collaborative Business Relationships Background BS 11000 is a recognized standard for ensuring mutually
ISO 9001 It s in the detail Your implementation guide ISO 9001 - Quality Management Background ISO 9001 is the world s most popular quality management system standard and is all about keeping customers
Behavioral Health Care Accreditation: Provides a framework for organizational structure and management Strengthens community confidence in the quality and safety of care, treatment and services Provides
A REPORT FROM THE FINANCIAL INDUSTRY REGULATORY AUTHORITY Report on Cybersecurity Practices FEBRUARY 2015 Contents Executive Summary 1 Background 3 Governance and Risk Management for Cybersecurity 6 Cybersecurity
Assessing the Audit Impact of Cloud Computing kpmg.com 1 Assessing the Audit Impact of Cloud Computing Cloud Computing Cloud computing is becoming an important IT strategy for entities that need varying
Stronger: OCC s heightened expectations Enhancing risk management and driving growth Produced by the Center for Regulatory Strategies In the financial services industry, the attention given to managing
Practice Guide Reliance by Internal Audit on Other Assurance Providers DECEMBER 2011 Table of Contents Executive Summary... 1 Introduction... 1 Principles for Relying on the Work of Internal or External
Securing Microsoft s Cloud Infrastructure This paper introduces the reader to the Online Services Security and Compliance team, a part of the Global Foundation Services division who manages security for
ICC CYBER SECURITY GUIDE FOR BUSINESS ICC CYBER SECURITY GUIDE FOR BUSINESS Acknowledgements The ICC Cyber security guide for business was inspired by the Belgian Cyber security guide, an initiative of
FEDERAL HEALTH IT STRATEGIC PLAN 2015 2020 Prepared by: The Office of the National Coordinator for Health Information Technology (ONC) Office of the Secretary, United States Department of Health and Human
Information Technology Outsourcing GTAG Partners AICPA American Institute of Certified Public Accountants www.aicpa.org CIS Center for Internet Security www.cisecurity.org CMU/SEI Carnegie-Mellon University
Information Technology Outsourcing 2nd Edition Global Technology Audit Guide (GTAG ) 7 Information Technology Outsourcing 2nd Edition June 2012 GTAG Table of Contents Table of Contents...1 Executive Summary...2
Summary of Responses to an Industry RFI Regarding a Role for CMS with Personal Health Records Table of Contents EXECUTIVE SUMMARY... 4 1. INTRODUCTON... 7 2. CMS ROLE WITH PHRs... 9 What PHR functionalities
C o m m i t t e e o f S p o n s o r i n g O r g a n i z a t i o n s o f t h e T r e a d w a y C o m m i s s i o n G o v e r n a n c e a n d I n t e r n a l C o n t r o l C O S O I N T H E C Y B E R A G
A fresh start for the regulation and inspection of adult social care Working together to change how we inspect and regulate adult social care services The Care Quality Commission is the independent regulator
The Microsoft Office 365 Buyer s Guide for the Enterprise Guiding customers through key decisions relative to online communication and collaboration solutions. Version 2.0 April 2011 Note: The information
Data Intensive Storage Services for Cloud Environments Dimosthenis Kyriazis National Technical University of Athens, Greece Athanasios Voulodimos National Technical University of Athens, Greece Spyridon
A STRATEGIC GUIDE WITH INSIGHT FROM A Strategic Guide for Local Government On: OUTSOURCING A Strategic Guide for Local Government On: Outsourcing Table of Contents ABOUT THE GUIDE..........................................3
U.S. Nuclear Regulatory Commission 2011 Data Center Consolidation Plan and Progress Report Version 2.0 September 30, 2011 Enclosure Contents 1 Introduction... 2 2 Agency Goals for Data Center Consolidation...
manufacturing service small business nonprofit government education health care Baldrige Excellence Builder Key questions for improving your organization s performance Improve Your Performance The Baldrige
Regulatory and Market Imperatives Place Cyber Security High on Agendas Written by Scott Corzine // Managing Director, Risk Practice, FTI Consulting, Inc. Insurance carriers, with their large repositories
A P P L I C A T I O N S A WHITE PAPER SERIES SYNTEL, A U.S.-BASED IT SERVICE PROVIDER WITH AN EXTENSIVE GLOBAL DELIVERY SERVICE, SUGGESTS SPECIFIC BEST PRACTICES FOR REDUCING COSTS AND IMPROVING BUSINESS
A Forrester Consulting Thought Leadership Paper Commissioned By Trend Micro Key Strategies To Capture And Measure The Value Of Consumerization Of IT Enterprises Achieve A Wide Range Of Benefits By Deploying
Cloud Infrastructure Operational Excellence & Reliability Page 1 Operational Excellence & Reliability Microsoft has invested over $15 billion in building one of the world s largest global cloud infrastructures.
Network Security & Privacy Risks in the Health Care Industry May 2012 Aon Broking - Professional Risk Solutions 2012 Aon plc Brief Description: Conditions are ripe for health care organizations to fall