Posted: 11-Jul-2015 | Category: Education | Uploaded by: health-it-conference-iht2
Draft – For Discussion Purposes

A use case… thoughts on how to leverage your technology and the cloud
Iht2 Conference – Beverly Hills, November 4, 2014
Raymond Lowe, Senior Director, Enterprise IT Infrastructure and Technology
Agenda
• Dignity Health – Hello Humankindness
• Data Centers and Cloud
– Where are you in the cloud?
• Dignity Health and the cloud
– Big 7 trends in Healthcare
• Steps to the Cloud
• Cloud Security
• Questions and Answers
Dignity Health

Who is Dignity Health?
• Assets: $13.1 billion
• Net Operating Revenue: $10.6 billion
• General Acute Patient Care Days: 1.8 million
• Community Benefits and Care of the Poor: $1.4 billion
• Acute Care Beds: 8,800
• Skilled Nursing Beds: 800
• Acute Care Hospitals: 40
• Clinics/Ancillary Care Centers: 150
• Medical Foundations: 11
• Active Physicians: 10,000
• Total Employees: 55,000
Aligning Dignity Health for Future Success
Operating company with strong local leadership
Focus on markets, not hospitals
Aligns system and market leaders
Fosters clinical enterprise focus
Enables streamlined decision making
Creates greater accountability for outcomes
Responsive to community needs
https://www.youtube.com/watch?v=K8s8UD211pU#t=34
Where are you on your technology transformation and your journey to the cloud?
Source: Vmware
Poll the Audience
1. Do you have any ASP hosted applications?
2. Do you use Box, Dropbox, MS OneDrive?
3. Are your backups being electronically stored outside of the walls of your facility?
4. Does your Disaster Recovery and business continuity storage leave your facilities?
Dignity Health – Cloud
Big 7 Trends in Health Care
1. Personalized Health Services
• Transition from not-for-profit, one-time acute episodes to for-profit, recurring wellness services
2. Consumerism
• Embrace that health care is consumer-driven with many choices of retail experiences
3. Employer Direct
• Market a comprehensive, service-based network direct to employers with a focus on the self-funded employers – instead of relying on insurers and payers
4. Telehealth
• Expand core PCP and specialist services across the continuum of care with global reach and local partnerships for a best-in-class hybrid delivery model
5. Cloud
• Provide interoperability with a consumer-focused “outside-in” perspective – integrating across many SaaS/IaaS/PaaS partners for speed-to-market
6. IP-Enabled Medical Devices
• Integrate wearables and implantables for real-time monitoring, alerting, diagnosing, and prescribing that connect to the Internet of Medical Things
7. Predictive Analytics
• Drive care quality and cost efficiencies with analytics that forge new pathways from chronic to preventative to wellness
Big Trend #5: The Cloud Is Already Here at Dignity Health
Dignity Health PHI: Clinical Applications in the Cloud
• Private PHI Cloud: Enterprise Data Warehouse (SAS)
• Private PHI Cloud: EMR (Cerner)
• Private PHI Cloud: Patient Portal (MedSeek)
• Private PHI Cloud: HIE (MobileMD)
• Private PHI Cloud: Pathology Reporting (Olympus EndoWorks)
• Proprietary DC’s: Patient Revenue Cycle (Lawson), Ambulatory EMR (Allscripts), MS Exchange, SharePoint
• PHI Co-Lo: Disaster Recovery (Switch)
• Public Cloud: Social Collaboration (Yammer @ Microsoft Azure)
• Public Cloud: File Sharing (Box)
Steps to the Cloud
Steps to Cloud Computing
1. Define Cloud Security Governance and Policies
2. Define approach to standardize the current architecture
3. Develop and use a target state architecture to define standards
4. Buy commoditized cloud services and capabilities whenever possible without exposing PHI
5. Migrate existing applications and systems into private/hybrid cloud using a phased approach
6. Decommission existing legacy systems as new capabilities come online within your target state environment
Application Migration Strategy
Rationalizing, standardizing and consolidating applications and infrastructure.
Cloud Security
Threats, Vulnerabilities, and Exposures are Increasing
Figure: two panels, “Healthcare Industry HIPAA Breaches and Fines” and “Consumer and Business Breaches”, listing breach dates, individuals affected, and fines or settlements:
• April 2014 – 4,500,000 individuals
• February 2014 – 405,000 individuals
• 33,800,000 individuals
• September 2010 – 6,800 individuals
• $4.5M fine – May 2014
• July 2013 – 4,000,000 individuals
• July 2011 – 4,900,000 individuals
• 2011 – 20,000 individuals
• $4M settlement – March 2014
• December 2009 – 1,200,000 individuals
• $3M settlement – March 2014
Business Decision Point for Cloud Computing
Undeniably, Cloud Computing is present at Dignity Health in various forms. However, as additional deployment options are developed, driven by strategic business reasons, leadership must address a critical decision point in the deployment of cloud-based solutions at Dignity Health.
Situational Analysis:
– Cloud computing has many facets to address for public, private or hybrid cloud solution deployment – including cost, infrastructure, software, platforms, contractual terms, management oversight, audit and security.
– Important aspects of security in a virtualized environment, and of its security defenses, are confidentiality, integrity and availability. Further security analysis covers governance, risk management and compliance, including implementation visibility and auditing rights over security controls.
– However, the most critical business decision point for leadership – assuming appropriate security, legal and audit controls are in place – is whether to include HIPAA regulatory requirements and the accompanying Business Associate Agreements in the cloud decision, as these compliance measures are the fundamental core of how Dignity Health protects PHI/ePHI-based business applications.
Enterprise Cloud Security Plan
Development of a Cloud Security Plan
1. Specific Business Goals
• Regulatory Compliance
• Organization Objectives & Capabilities Risk
• Enable Technologies, Processes and People
• Provide an aggregated view of the risk profile the company accepts
• ITILv3, ISO 2700X and NIST
• 3rd Party Relationships & Business Associates (HIPAA)
2. Risk Management Program
3. Develop a Security Plan to Support Business Goals
4. Audit, Review and Continuously Improve
• Compliance program, technologies, and processes with very specific results
• HIPAA, HITECH, SSAE 16
• Monitor changing Government & Regulatory Landscape (Omnibus)
• Continue to expand HIPAA Compliance, PCI, Meaningful Use for all Stages
• Risk Assessment as a Continuous Process and ‘Way of Thinking’
Key Considerations
• Security of Enterprise Applications & PHI
• Compliant Managed Cloud Service Provider
• Take an active role in Security & Risk management
Drivers and Controls
Regulatory, Compliance & Control Objectives Overview
Healthcare Regulatory Drivers
• The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) drives important protections that require an entity providing a service to a provider to control Protected Health Information (“PHI”)
• A Business Associate Agreement (“BAA”) places significant contractual obligations on the service provider for covered entities, such as Dignity Health. A BAA shall have the meaning ascribed to it in HIPAA as contained in 45 CFR parts 160, 162 and 164, and in the American Recovery Act of 2009 (the “HITECH Act”)
• HIPAA regulations include “HIPAA Privacy Regulations” (CFR Parts 160 & 164), “HIPAA Security Regulations” (CFR Parts 160 & 164), “HIPAA Transaction Regulations” (CFR Parts 160 & 162), and “HIPAA Breach Notification” (CFR Part 164 Subpart D, and the HITECH Act)
Security Frameworks and Control Objectives
• An important security framework which provides a structured methodology for analysis is ISO 27001
• Payment Card Industry (“PCI”) has important considerations for cloud provider selection
Business Associate Agreement Responsibilities
BAA Service Objectives
A BAA upon commencement of service shall agree to the following terms:
• Security Incidents and Breach of Unsecured PHI
• Compliance Audits
• Information Safeguards, Mitigation
• Subcontractors and Agents
• Changing Regulatory and Compliance Requirements
• Permitted Uses and Disclosures
• Accounting of Disclosures
• Consent, Authorization, and Permission
• Designated Record Sets
• Minimum Necessary and Limited Data Sets
• Right to Terminate for Breach, Effects of Termination, Amendments, and Conflicts
• Marketing Use of PHI, Non-Permitted Use, and Use or Disclosure Restrictions
A BAA has significant contractual obligations, driven by Federal Regulations – continued oversight is essential.
ISO 27001:2005 Security Domains
Security Objectives
Regardless of Health Care Regulations, Cloud Providers Must Address the Following Security Controls:
• Human Resources Security
• Security Policy
• Asset Management
• Communications and Operations Management
• Environmental and Physical Security
• Information Security Governance
• Business Continuity Management
• Encryption
• Information Systems Acquisition
• Information Security Incident Management
• Compliance
• Access Control
Security practitioners for Cloud Providers will baseline control objectives against these well understood security domains.
Cloud Security Defense Best Practices
Secure by Design
Cloud Governance
Align with recognized industry standards, including internal security policies, standards and processes, subject to both internal audits and external certifications.
Security Governance, Risk Management and Compliance
Robust security compliance program, including physical access and logical access, with internal and external auditing.
Problem and Information Security Incident Management
Documented policies and procedures for management and monitoring of security events, including escalation and resolution.
Identity and Access Management
Ensure access is tightly controlled. Privileged user monitoring to ensure enforcement of, and compliance with, customer data protections.
Categorize and Protect Data and Information Assets
Encryption in flight, at rest and for backups. Key management where necessary. Protection of portable media and storage device disposal controls.
System Acquisition, Development and Maintenance
Security applied throughout the lifecycle; Common Criteria certified hypervisors and hardened servers.
Secure Infrastructure Against Threats and Vulnerabilities
Defense in depth, underpinned with people and technology: IDPS at the boundary, vulnerability scanning, configuration management and security zones.
Physical and Personnel Security
Strong physical controls, including CCTV, biometric authentication, resiliency tools and door alarms. Employee training on customer data handling and protections.

Questions & Answers