Clearwater HIPAA Compliance BootCamp™

Beauty In Breaches“One Organization’s Journey”

Presented byMeredith R. Phillips, MHSA, CHC, CHPC

Chief Information Privacy & Security OfficerHenry Ford Health System

Founded in 1915 and comprised of◦ 5 Acute Care Facilities (Approx. 2000+ beds)◦ Substance Abuse Facility ◦ Behavioral Health Facility◦ Approx. 31,000 workforce members (FTEs, Contract, etc.)◦ 1300+ Member Medical Group ◦ 900+ Member Physician Network (Non-Employed & Private Practice)◦ Health Plan serving approximately 640,000 members◦ Home Health, Retail Pharmacy, Optical Care, Hospice, Occupational

Health, Extended Care Divisions

In 2011◦ Awarded the prestigious Malcolm Baldrige National Quality Award

2

THE HFHS LANDSCAPE

3

BREACH (2010)

Physician’s Assistant leaves office door open so his secretary can get

peanuts to snack on while he was at a meeting. His unencrypted non-IT purchased laptop was stolen along

with the patient information of approximately 4000 patients.

Reported this incident to the CEO, COO & Board alerting them that this will be a media reportable data breach

Pulled together loosely developed teams to respond to the data breach with no external breach support

Conducted a Root-Cause Analysis to determine the program gaps and support necessary to strengthen the privacy & security program

Effectively shared with the Executive Leadership that this is more “cultural” than it is “procedural”

Shared with the Board that our incident history shows that we will have more of these reportable incidents in the future

4

OUR RESPONSE

5

BEAUTIFUL RESULT #1

Restructured Privacy & Security Program and Revised

Purchasing Processes

IPSO MISSIONTo establish a system-wide culture of

confidentiality through education, accessibility, and a customer focus where privacy & security is

viewed as paramount in our daily operations.

HFHS MISSIONTo improve people's lives through excellence in the science and art of

health care and healing.

MISSION & VISION

6

IPSO VISION

Cultivating a collective mindset where protecting privacy & security is a part of our

standard of care

HFHS VISION

Transforming lives and communities through health and wellness - one

person at a time.

7

Information Privacy Program

Enterprise Risk

Assessment Program

Information Security Program Incident Response Program

Information Privacy & Security OfficePolicy Development, Education, Access Controls

Administration, Business Associate Management, Patient Rights Management

IPSO PROGRAM STRUCTURE

Any routine investigations and incidents that may result in a breach must be forwarded to the IPSO for a Code A(ssessment) and potential Code B(reach) Alert

Investigations are led by the IPSO in conjunction with operational management and Human Resources

All investigative documentation (i.e., notes, interview transcripts, audit logs, etc.) should be stored in our centralized repository to ensure the ability for metric reporting and auditing

Corrective Action always recommended by the IPSO in accordance with the outcome of the investigation◦ Application of corrective action is consistent across business units and

employee types

Re-education required for the entire department within 30 days of investigation closure not just the offender

CENTRALIZED INVESTIGATIVE PROCESS

8

Workgroups established to address issues or topics of interest:

◦ The HFHS Privacy & Security Council is an

oversight council that approves System policies and procedures related to privacy & security regulations

◦ The Code B Alert Team is a rapid-response workgroup established to centrally respond and manage all System data breaches

◦ The Office for Civil Rights Response Team will review all OCR data requests related to privacy & security violations and respond on behalf of the System and/or specific business unit

9

IPSO COUNCILS & RESPONSE TEAMS

IPSO

Worked with our partners is Supply Chain, Corporate Legal Affairs, Accounts Payable and Physician Relations to create a framework that would require additional sign-offs before IT Equipment can be purchased◦ Policy/Process Revisions◦ Policy Re-Education for Senior Staff & Mid-Level Providers◦ System wide communication provided to all workforce members to raise

awareness

Senior Staff and Mid-Level Providers have been prohibited from purchasing any IT equipment with their professional development accounts

Properly purchased IT equipment must be delivered to the Information Technology Department to ensure proper security protocols are enforced

Accounts Payable will not reimburse for any equipment not “signed-off” by the Information Privacy & Security Department

PURCHASING PROCESS CHANGES

10

11

BREACH (2011)

Pharmacy resident lost his unencrypted flash drive in the McDonald’s parking lot. The

flash drive stored a spreadsheet of compiled patient information of approximately 4000 patients.

Reported this incident to the CEO, COO & Board again ◦ Compared the list of affected patients to see if we had any frequent

flyers…we did!◦ Immediately called the COO and informed him that he will have the

pleasure of calling these patients directly.

Realized that we needed help and contacted an external breach response partner that assisted in decreasing our response and notification time: 56 days to 18 days

Conducted a Root-Cause Analysis again to determine the program gaps

Reinforced again with the Executive Leadership that this is more “cultural” than it is “procedural”

12

OUR RESPONSE

13

BEAUTIFUL RESULT #2

Branded Programs, Initiatives & Communication Plans

Code A(ssessment) Alerts◦ Alerts issued by the Information Privacy & Security Office led by the Chief

Information Privacy & Security Officer

◦ Communication limited to the Information Privacy & Security Office, Public Relations, Corporate Legal Affairs, Risk Finance & Insurance and affected Business Unit Privacy and Security Champions

◦ Alert provides a summary and initial analysis of potential data breach

◦ Includes initial data analysis culminating in an official breach risk assessment to determine if an actual breach has occurred

◦ Once a “Breach” has been called, the Code B Alert (Rapid Response) Team assembles to respond to the breach

CODE B ALERT PROGRAM

14

Code B(reach) Alerts◦ Issued and managed by the Information Privacy & Security Office for all

media reportable data breaches or data breaches with significant risk

◦ Branded communication plan consistently utilized throughout the system and managed corporately instead of at the business unit level

External: Includes the notification to the prominent media outlets and OCR

Internal: Typically includes a copy of the communication to the patients, FAQs about the breach and instructions for forwarding patient inquiries to toll-free call center

◦ Requires immediate attention by all System leadership

and should be shared with staff

◦ All Code B Alerts are active for a 90 day period

CODE B ALERT PROGRAM

15

Branded System wide program coordinated by the IPSO to safeguard “system” information

Phase I: Targeted portable storage devices◦ Required employees to visit one of 20 “IT staffed” stations to turn in all

personal flash drives for our approved IronKey solution; register any portable hard drives or personal laptops for follow-up by IT

◦ Employees could enter a drawing for an iPad 2 by completing a crossword puzzle based on our privacy & security policies

◦ Removed 5000 flash drives in 4 weeks

Phase II: Targeted “culture” through educational modules (97%) Phase III: Focused on reducing our printer “unsecured” footprint Phase IV: Targeted the culture again to reinforce HITECH/Omnibus (98%) Phase V: BYOD & Mobile Device Management

16

THE iCOMPLY PROGRAM

17

BREACH #3 (2011)

FDA approved iMac device was stolen from a secured infectious

disease research lab as a result of a door being propped open while the employee ran to the restroom. This device stored the testing results for

520 HIV/AIDS patients.

Reported this incident to the CEO, COO & Board again ◦ Compared the list of affected patients to see if we had any frequent

flyers…we didn’t! Thank God!

Offered an internal reward of $5000 for the return of the device

Required the Research Administrator to co-sign the notification letter to the affected patients

Conducted a Root-Cause Analysis again to determine the program gaps

Reinforced again with the Executive Leadership that this is more “cultural” than it is “procedural” and communicated such to the all workforce members

18

OUR RESPONSE

19

BEAUTIFUL RESULT #3

Shifted the Culture Through Communication,

Education & Repetition

20

HOW DO WE COMMUNICATE OUR STRATEGY?Our Workforce• Morning Post Messages & System Emails – Scheduled to deliver key

privacy & security messages• Annual Mandatory Education – iComply & Job Specific• Privacy & Security refresher trainings conducted by the IPSO team• Manager’s Update – Monthly email to all leaders detailing key messages

Our Board Members• Quarterly privacy & security Board updates• Annual submission to the Trustee newsletter

Our Patients & Communities• “privateTALK” or “secureSPEAK” with the CIPSO – Scheduled chat

sessions where questions can be addressed in an online forum• Intranet Webpage, Internet Webpage & Social Media Sites

21

QUESTIONS

Meredith R. Phillips, CHC, CHPCChief Information Privacy &

Security Officer

Henry Ford Health SystemOne Ford Place, Suite 2A10

Detroit, MI 48202

313-874-5168cipso@hfhs.org

Twitter: @mphillipschc