Clearwater HIPAA Compliance BootCamp™
Beauty In Breaches
“One Organization’s Journey”
Presented by Meredith R. Phillips, MHSA, CHC, CHPC
Chief Information Privacy & Security Officer
Henry Ford Health System
THE HFHS LANDSCAPE
• Founded in 1915 and comprised of:
  • 5 Acute Care Facilities (approx. 2,000+ beds)
  • Substance Abuse Facility
  • Behavioral Health Facility
  • Approx. 31,000 workforce members (FTEs, contract, etc.)
  • 1,300+ Member Medical Group
  • 900+ Member Physician Network (Non-Employed & Private Practice)
  • Health Plan serving approximately 640,000 members
  • Home Health, Retail Pharmacy, Optical Care, Hospice, Occupational Health, Extended Care Divisions
• In 2011: Awarded the prestigious Malcolm Baldrige National Quality Award
BREACH #1 (2010)
A physician assistant left his office door open so his secretary could get peanuts to snack on while he was at a meeting. His unencrypted laptop, which had not been purchased through IT, was stolen along with the patient information of approximately 4,000 patients.
OUR RESPONSE
• Reported this incident to the CEO, COO & Board, alerting them that this would be a media-reportable data breach
• Pulled together loosely developed teams to respond to the data breach, with no external breach support
• Conducted a Root-Cause Analysis to determine the program gaps and the support necessary to strengthen the privacy & security program
• Effectively shared with Executive Leadership that this is more “cultural” than it is “procedural”
• Shared with the Board that our incident history shows we will have more of these reportable incidents in the future
BEAUTIFUL RESULT #1
Restructured Privacy & Security Program and Revised Purchasing Processes
CENTRALIZED INVESTIGATIVE PROCESS
• Any routine investigation or incident that may result in a breach must be forwarded to the IPSO for a Code A(ssessment) and potential Code B(reach) Alert
• Investigations are led by the IPSO in conjunction with operational management and Human Resources
• All investigative documentation (e.g., notes, interview transcripts, audit logs) is stored in our centralized repository so that metrics can be reported and audited
• Corrective action is always recommended by the IPSO in accordance with the outcome of the investigation
• Corrective action is applied consistently across business units and employee types
• Re-education is required for the entire department, not just the offender, within 30 days of investigation closure
IPSO COUNCILS & RESPONSE TEAMS
• Workgroups established to address issues or topics of interest:
  • The HFHS Privacy & Security Council is an oversight council that approves System policies and procedures related to privacy & security regulations
  • The Code B Alert Team is a rapid-response workgroup established to centrally respond to and manage all System data breaches
  • The Office for Civil Rights Response Team reviews all OCR data requests related to privacy & security violations and responds on behalf of the System and/or the specific business unit IPSO
PURCHASING PROCESS CHANGES
• Worked with our partners in Supply Chain, Corporate Legal Affairs, Accounts Payable and Physician Relations to create a framework that requires additional sign-offs before IT equipment can be purchased
• Policy/process revisions
• Policy re-education for Senior Staff & Mid-Level Providers
• System-wide communication provided to all workforce members to raise awareness
• Senior Staff and Mid-Level Providers have been prohibited from purchasing any IT equipment with their professional development accounts
• Properly purchased IT equipment must be delivered to the Information Technology Department to ensure proper security protocols are enforced
• Accounts Payable will not reimburse for any equipment not “signed off” by the Information Privacy & Security Department
BREACH #2 (2011)
A pharmacy resident lost his unencrypted flash drive in a McDonald’s parking lot. The flash drive stored a spreadsheet of compiled patient information for approximately 4,000 patients.
OUR RESPONSE
• Reported this incident to the CEO, COO & Board again
• Compared the list of affected patients against the prior breach to see if we had any frequent flyers…we did!
• Immediately called the COO and informed him that he would have the pleasure of calling these patients directly
• Realized that we needed help and contacted an external breach response partner, which helped cut our response and notification time from 56 days to 18 days
• Conducted a Root-Cause Analysis again to determine the program gaps
• Reinforced again with Executive Leadership that this is more “cultural” than it is “procedural”
BEAUTIFUL RESULT #2
Branded Programs, Initiatives & Communication Plans
CODE B ALERT PROGRAM
• Code A(ssessment) Alerts
  • Alerts issued by the Information Privacy & Security Office, led by the Chief Information Privacy & Security Officer
  • Communication limited to the Information Privacy & Security Office, Public Relations, Corporate Legal Affairs, Risk Finance & Insurance and the affected Business Unit Privacy and Security Champions
  • Alert provides a summary and initial analysis of the potential data breach
  • Includes initial data analysis culminating in an official breach risk assessment to determine whether an actual breach has occurred
  • Once a “Breach” has been called, the Code B Alert (Rapid Response) Team assembles to respond to the breach
CODE B ALERT PROGRAM
• Code B(reach) Alerts
  • Issued and managed by the Information Privacy & Security Office for all media-reportable data breaches or data breaches with significant risk
  • Branded communication plan used consistently throughout the System and managed corporately instead of at the business unit level
  • External: Includes the notification to the prominent media outlets and OCR
  • Internal: Typically includes a copy of the communication to the patients, FAQs about the breach and instructions for forwarding patient inquiries to the toll-free call center
  • Requires immediate attention by all System leadership and should be shared with staff
  • All Code B Alerts are active for a 90-day period
THE iCOMPLY PROGRAM
• Branded System-wide program coordinated by the IPSO to safeguard “System” information
• Phase I: Targeted portable storage devices
  • Required employees to visit one of 20 IT-staffed stations to turn in all personal flash drives in exchange for our approved IronKey solution, and to register any portable hard drives or personal laptops for follow-up by IT
  • Employees could enter a drawing for an iPad 2 by completing a crossword puzzle based on our privacy & security policies
  • Removed 5,000 flash drives in 4 weeks
• Phase II: Targeted “culture” through educational modules (97%)
• Phase III: Focused on reducing our “unsecured” printer footprint
• Phase IV: Targeted the culture again to reinforce HITECH/Omnibus (98%)
• Phase V: BYOD & Mobile Device Management
BREACH #3 (2011)
An FDA-approved iMac device was stolen from a secured infectious disease research lab after a door was propped open while the employee ran to the restroom. The device stored the test results of 520 HIV/AIDS patients.
OUR RESPONSE
• Reported this incident to the CEO, COO & Board again
• Compared the list of affected patients against the prior breaches to see if we had any frequent flyers…we didn’t! Thank God!
• Offered an internal reward of $5,000 for the return of the device
• Required the Research Administrator to co-sign the notification letter to the affected patients
• Conducted a Root-Cause Analysis again to determine the program gaps
• Reinforced again with Executive Leadership that this is more “cultural” than it is “procedural”, and communicated this to all workforce members
BEAUTIFUL RESULT #3
Shifted the Culture Through Communication, Education & Repetition
QUESTIONS
Meredith R. Phillips, CHC, CHPC
Chief Information Privacy & Security Officer
Henry Ford Health System
One Ford Place, Suite 2A10
Detroit, MI 48202
313-874-5168
cipso@hfhs.org
Twitter: @mphillipschc