Risk Management Process for Healthcare Organizations

Transcript of Risk Management Process for Healthcare Organizations

Page 1: Risk Management Process for Healthcare Organizations

Page 2: Risk Management Process for Healthcare Organizations

Operating Snapshot

We Know the Healthcare Environment

• Security is Not Optional: Starting this year, providers can be fined up to $1.5 million for a HIPAA violation.

• Large Number of Temporary Workers: The number of volunteers and third-party personnel supporting hospitals is so large that manually controlling access is generally impossible.

• Consumer Devices Need to be Secured: Clinicians are often overworked and intuitively bring in their own tools to improve productivity.

• Need to Adapt and Federate: Hospitals tend to rely on a multitude of applications, often hosted and managed by third-party vendors.

• Break Glass Functionality: Patient care is of utmost importance, and hence access to patient data must be available in emergencies.

• Quick Switching: Clinicians on the floor typically share computers (and, most often, passwords).

Page 3: Risk Management Process for Healthcare Organizations

Common Risks

Data and Information Explosion: Data volumes are doubling every 18 months. Storage, security, and discovery around information context are becoming increasingly important.

Care Continuum: The chain is only as strong as the weakest link. Partners need to shoulder their fair share of the load for compliance and the responsibility for failure.

Patients Expect Privacy: An assumption or expectation now exists that security is integrated into the infrastructure, processes and applications to maintain privacy.

Compliance Fatigue: Organizations are trying to maintain a balance between investing in both the security and compliance postures.

Emerging Technology: Virtualization and cloud computing increase infrastructure complexity. Web 2.0 and SOA-style composite applications introduce new challenges, with the applications themselves being a vulnerable point for breaches and attack.

Wireless World: Mobile platforms are developing as a new means of identification. Security technology for these platforms is many years behind the security used to protect PCs.

Page 4: Risk Management Process for Healthcare Organizations

Risk Management

People
• Drug Testing
• Background Testing
• NDAs
• HIPAA Compliance Training

Process
• Identify what needs to be audited and controlled
• Define who needs access to what
• Establish auditing and control processes

Tools
• Restricted physical access
• Restricted equipment access
• Restricted network access
• Restricted data access
• Email & Web Monitoring

Page 5: Risk Management Process for Healthcare Organizations

People - Onboarding Checklist

Onboarding Process

Calance employees sign non-disclosure agreements specific to the client.

Every employee signs a "Work for Hire" contract for the client, transferring the intellectual property to the client.

Background checks and drug testing

All Calance employees in the Healthcare COE have to go through background checks and 10-panel drug testing.

Calance HR maintains a chain of custody for all records.

Customers are provided a copy of the reports, if needed.

Page 6: Risk Management Process for Healthcare Organizations

People - Training

Compliance Training

Calance uses an in-house LMS for training and skills assessment.

Every employee is required to complete mandatory HIPAA Compliance and Privacy training.*

At the end of the training, employees are prompted with test scenarios.

HIPAA compliance training can be scheduled periodically, based on client needs.

* Training material is sourced from certified trainers or based on client requirements: http://www.hhs.gov/ocr/privacy/hipaa/understanding/training/

Page 7: Risk Management Process for Healthcare Organizations

Tools - Restricted Office Space

Calance can create physical separation of staff in its Gurgaon (India) and Buena Park, CA offices.

Restricted office space uses biometric scanners and RFID cards.

Access to the restricted floor requires a PIN, which is changed periodically.

A single on-boarding and off-boarding process is shared with the client.

Data center access requires additional approvals from Systems Engineering and a VP.

Page 8: Risk Management Process for Healthcare Organizations

Tools - Network and Equipment

Network and Equipment Access

Healthcare clients are cordoned off in their own subnet.

Point-to-point encryption is used between the client network and Calance.

Encrypted hard disks and/or BitLocker.

All computers use client-specific software images.

No admin access to install personal software.

No access to USB ports.

No backup devices are allowed on the restricted floor.

Two-factor authentication is required for network access.

Page 9: Risk Management Process for Healthcare Organizations

TECHNOLOGY AND AUDITING

Process Overview

Page 10: Risk Management Process for Healthcare Organizations

Administration & Auditing

Calance has a 24x7 NOC in Buena Park, CA, monitoring infrastructure hosted in our data center, client locations, co-location facilities and the public cloud.

Systems Engineering works with the compliance and security architects to create role-based access.

Besides typical monitoring, the Calance NOC can audit emails and web traffic for any policy violations.

Federated Cloud Security Solutions

Calance employees are certified in architecting and setting up enterprise systems on Amazon EC2 and Microsoft Azure.*

* See HIPAA Compliant Hybrid Cloud Service Offering

Page 11: Risk Management Process for Healthcare Organizations

Technology Partnerships

We have established strategic partnerships with the industry leaders for Identity & Access Management solutions in the healthcare industry.

Calance has deployed custom solutions at reputed healthcare organizations using these tools.

Page 12: Risk Management Process for Healthcare Organizations

Process - Audit and Process Improvements

Continuous Improvement

Calance employs an independent agency for a yearly audit of security procedures.

Current Certifications

CMM Level 5 and ISO 9001:2008 certified for quality and project management processes.

SSAE 16 Type II certified data center, help desk, application & desktop support.

Page 13: Risk Management Process for Healthcare Organizations

CONTACT US

Calance Healthcare Group
2018 156th Ave NE, Suite 100
Bellevue, WA 98007

Gaurav Garg, Vice President
[email protected]
425-605-0716
Cell: 818-620-0329

www.calance.com

[email protected]

866-736-5500 (Toll-Free)

Healthcare page: www.calanceus.com/solutions/healthcare/