Post on 03-Jul-2020
INEVITABLE RISKS
Creating a Business Resilience and Assurance Program to Minimize Risk
Since 1974, HMS has worked in healthcare, providing a broad range of healthcare cost containment solutions to the industry, all to help payers improve performance. HMS clients include:
• Medicaid Managed Care Organizations
• Medicare Advantage plans
• Group and individual plans
• Self-funded employers
• Medicaid agencies
• CHIPs (Children’s Health Insurance Programs)
• State employee health benefit plans
• Centers for Medicare and Medicaid Services
• U.S. Department of Veterans Affairs
• Department of Defense
Business Drivers
Brand and Reputation Value
Patient Information Protection – Confidentiality, Integrity, and Availability
Mandatory Federal Regulations
Client Contractual Obligations
Existing and Future Policy
Legislation Impacting the Field of Healthcare
Business Continuity and the Sustainability of Business Services
Industry Drivers
• OCR (HIPAA) and CMS (EHR Meaningful Use) audits reveal serious weaknesses
• There is an ever-increasing number of privacy complaints to the OCR
• There is an increasing number and amount of settlements for privacy and security issues
• Major HIPAA breaches have reached a 1K milestone, with 1 in every 10 people in the U.S. impacted
• The current cost of a breach is estimated at $188 per record. The average number of records in a breach is 23,647, or about $4.4M per breach
• Identity theft may be the most frequent, costly, and pervasive crime in the U.S., with increasing sophistication
Business Resilience and Assurance Program
Content Sharing
Centralized Risk Governance
Security Risk Management Framework (RMF)
Visibility into Key Risk Factors
Provides an HMS-centric Policy-Standards-Procedure Mapping Foundation
Authoritative Source Guidance
Mapped to a Common Core of Control Standards - Security Framework
Security Risk Program Foundation
To help safeguard electronic protected health information (ePHI), HMS established a Common Security Framework built on HITRUST. Combining the HITRUST CSF with industry best practices, HMS was able to offer a scalable security process designed to support the security and privacy of healthcare information. This holistic foundation is intended to ensure that the security program meets HMS's regulatory obligations from a people, process, and technology standpoint.
How We Identify & Manage Risk
• Incident Management
• Issues Management
• Policy Management
• Vendor Management
• Compliance Management
• Asset Management
• Risk Register
• Threat Management
How We Monitor Risk
• Control Procedures: Ownership
• Business Processes: Implementation; business processes adhere to control objectives
• Control Self-Assessments: Continuous Monitoring; self-assessments continuously monitor control objectives
Tracking and Reporting
• Status Summaries
• Threshold Monitoring
• Trend Reporting
• Historical Metrics
• Customized Dashboard & Alerting
Intended Outcomes
1. Define a Common Security Framework – HITRUST CSF
2. Define the Methodology for Assessment and Treatment of Security Risks
3. Integrate Foundational Components
4. Increase Transparency & Create a Risk-Aware Culture
5. Improve Visibility into Key Risk Factors
6. Improve HMS’s Risk Posture
7. Support the Business Mission
8. Ensure Business Continuity
Policy → Process → Implementation → Measured → Managed
THANK YOU
George M. Macrelli, Senior Director, Security Assurance, gmacrelli@hms.com
Daryl Hykel, Security Assurance Analyst, Daryl.Hykel@hms.com
Scott Pettigrew, VP, Chief Security Officer, spettigrew@hms.com
Sean Miller, Security Assurance Analyst, Sean.miller@hms.com