
HEALTHCARE CONSULTING GROUP

JASH MEHTA 1

ASSIGNMENT 3: RCA

JASH MEHTA

GROUP 3

Mentor: Kshitij Chug

Weekly meeting time (Group meeting): Wednesday 3-4pm

Weekly meeting time (Group + Mentor meeting): Wednesday 4-5pm

Venue: Ice Box, Hinds Hall


CONTEXT

Healthcare in the USA is going through a serious crisis.

The USA spends twice as much per capita on healthcare as other industrialized nations.

Medical bills are a major factor in more than 60% of the personal bankruptcies in the USA, and 75% of those filing have health insurance.

Between 2000 and 2006 health insurance premiums rose 87% while average wages rose by 3.8%. In spite of this spending, the USA ranks 37th among healthcare systems.

Fully insured plans are expensive and hence one of the reasons for the crisis in the healthcare economy.

The alternative to a fully insured plan is the self-insured plan. In this, the employer retains a portion of the risk and, instead of paying large premiums, pays the administrative bills and the stop-loss company's bills, which are generally much lower than the monthly premium of a fully insured plan.

Healthcare self-insurance and consulting group (HCG) offers its clients a variety of services. HCG encourages wellness activities, promotes self-management through healthcare apps, and increases patient-clinician interaction. Providing such services requires building an IT infrastructure and systems that can support a huge volume of customers. In this document we find the root cause of a problem HCG is experiencing: there has been a data breach at HCG and they are unable to trace the source of the breach. We identify the root cause of the problem and its impact, and create an action plan to contain and then resolve the problem.

We have also designed an ERD to capture the requirements of the back end. The system is designed so that it can be queried for all kinds of data. Our system is a wellness tracking system, and we capture all kinds of health metrics before and after each wellness activity, feedback, wellness activity team participation, etc. These metrics are captured to analyze and make decisions on the success of wellness activities.


FISH BONE DIAGRAM


ROOT CAUSE - 5 WHY TECHNIQUE

Symptoms, causes and 5 Whys:

1) Lack of System security

Why is there a lack of system security? The current system does not support any system security.

Why does the current system not support any system security? The company uses traditional tools and techniques for its processes.

Why does the company use traditional tools and techniques for its processes? The company has not updated and upgraded its systems to be technologically advanced.

Why has the company not updated and upgraded its systems to be technologically advanced? The company did not feel the need to invest in technology until now.

Why did the company not feel the need to invest in technology until now? Until now all the processes were efficient and secure.

ROOT CAUSE: Until now all the processes were efficient and secure

2) Lack of External and Internal System Integration

Why is there a lack of external and internal system integration? A few internal systems have adopted new technology while others are old. External systems are not compatible with internal systems.

Why have a few internal systems adopted new technology while others are old? Systems were purchased from different vendors.

Why are external systems not compatible with internal systems? Systems were purchased from different vendors.

Why were the systems purchased from different vendors? The systems were purchased as and when required, without planning for the future.

Why were the systems purchased as and when required without planning for the future? There was no vision for IT.

ROOT CAUSE: There was no vision for IT

3) Access to unauthorized people

Why is there access by unauthorized people? No controls are assigned in the current system. Hackers can also access sensitive data due to poor system security.

Why are there no proper controls assigned in the system? The system is a mix of old and new technologies, hence assigning controls is difficult in such an environment.

Why is there a mix of old and new technologies? The company lacked a vision for IT.

ROOT CAUSE: There was no vision for IT

4) Poor Data Collection and Storage techniques

Why are there poor data collection and storage techniques? Because HCG uses traditional methods and old tools to store and collect data.

Why does HCG use traditional methods and old tools to store and collect data? The company has not updated and upgraded its methods and tools to be technologically advanced.

Why has the company not updated and upgraded its methods and tools to be technologically advanced? The company did not feel the need to invest in technology until now.

Why did the company not feel the need to invest in technology until now? Until now all the storage and collection processes were efficient and secure.

ROOT CAUSE: Until now all the processes were efficient and secure


5) Lack of Auditing

Why is there a lack of auditing? HCG does its own internal audit.

Why does HCG do its own internal audit? HCG did not assign a budget for an external audit.

Why did HCG not assign a budget for an external audit? Management did not feel the need for an external audit.

Why did management not feel the need? Lack of vision for data security.

ROOT CAUSE: Lack of vision for data security

6) Lack of Background check on people

Why is there a lack of background checks on people? HCG never felt the need to check employees' backgrounds because no one leaked data in the past.

Why did no one leak data in the past? Data did not have value in the past. Today businesses are data driven, hence data has much value.

ROOT CAUSE: Data did not have value in the past

7) Too many external key partners

Why are there too many external key partners? As a consulting firm in healthcare there are many key partners, ranging from doctors, hospitals and pharmacies to wellness partners.

ROOT CAUSE: As a consulting firm in healthcare there are many key partners ranging from doctors, hospitals, pharmacies and wellness partners.

8) Lack of Awareness

Why is there a lack of awareness? No training.

Why is there no training? No vision for a data breach.

Why is there no vision for a data breach? The company has faced theft/cyber-attack/leakage for the first time. HCG did not anticipate such a data breach.

ROOT CAUSE: HCG did not anticipate the data breach

9) Lack of Ethics

Why is there a lack of ethics? Lack of training.

Why is there a lack of training on ethics? Lack of budget for training on ethics.

Why is there a lack of budget? Lack of management.

Why is there a lack of management in this area? Lack of vision for data security.

ROOT CAUSE: Lack of vision for data security

10) No information security policies / No data sharing and retention policies

Why are there no information security policies? Customer health data and information has to be shared with doctors and hospitals. Also, customers' health metrics are monitored by capturing data from wellness partners. There was a relationship of trust with wellness key partners and doctors/hospitals.

Why was there a relationship of trust? They have been key partners with HCG for several years; HCG did not expect them to leak confidential patient data.

Why did HCG not expect the key partners to leak the data? These companies have the same customer base, so HCG trusted that key partners would not leak data.

ROOT CAUSE: HCG trusted key partners and did not expect them to leak the data.

11) Poor agreements or No Agreements

Why are there poor agreements or no agreements? HCG did not include data breach/data leak clauses in its agreements with key partners.

Why did HCG not include data breach/data leak clauses in its agreements with key partners? HCG did not consider a data breach a potential threat.

Why did HCG not consider a data breach a potential threat? Lack of vision for data security.

ROOT CAUSE: Lack of vision for data security


RESOLUTION TABLE

The major root causes derived from the 5 Whys are:

Until now all the processes were efficient and secure

Symptoms

o Lack of System security

o Poor Data Collection and Storage techniques

There was no vision for IT

Symptoms

o Lack of External and Internal System Integration

o Access to unauthorized people

Lack of vision for data security

Symptoms

o Poor agreements or No Agreements

o Lack of Ethics

o Lack of Auditing

Data did not have value in the past

Symptoms

o Lack of Background check on people

As a consulting firm in healthcare there are many key partners ranging from doctors, hospitals, pharmacies and wellness partners

Symptoms

o Too many external key partners

HCG did not anticipate the data breach

Symptoms

o Lack of Awareness

HCG trusted key partners and did not expect them to leak the data

Symptoms

o No information security policies

o No data sharing and retention policies


Columns: ROOT CAUSE | SYMPTOM CAUSES | BPR | IT SYSTEM | RISK MITIGATION

ROOT CAUSE: Until now all the processes were efficient and secure

SYMPTOM: Lack of System security

BPR: The manual process of sending Excel sheets across departments and to external partners will be replaced by a centralized system.

IT SYSTEM: There will be a central database for storing the customer data and for extracting and loading it. There will be a website and healthcare apps for customer services such as registering for healthcare appointments, tracking health, and registering for wellness activities. Hence registration data will be stored in the centralized database.

RISK: If the central database is hacked, then the entire information of customers can fall into the hands of unauthorized people. RISK MITIGATION: As the processes become automated, stringent system security measures and firewalls need to be in place to protect against malware, phishing, viruses, etc.

SYMPTOM: Poor Data Collection and Storage techniques

BPR: There will be sophisticated and automated data entry into the system.

IT SYSTEM: There will be a central database for storing the customer data and for extracting and loading it. There will be a website and healthcare apps for customer services such as registering for healthcare appointments, tracking health, and registering for wellness activities. Hence registration data will be stored in the centralized database.

RISK: If the central database shuts down, then the processes of data collection and storage are shut down. RISK MITIGATION: Data needs to be replicated from time to time. Power cuts should not hinder the processes, so power generators need to be in place.

ROOT CAUSE: There was no vision for IT

SYMPTOM: Lack of External and Internal System Integration

BPR: As there are many key partners involved with the company, their systems need to be integrated to the highest possible level.

IT SYSTEM: The attendance tracking and health tracking need centralized and compatible systems. If doctors/hospitals and wellness partners use ORACLE DB or DB2, then HCG also needs to use the same database to be compatible with them.

SYMPTOM: Access to unauthorized people

BPR: As sending out emails from Outlook and Excel sheets will be replaced by automated systems, human involvement will decrease. Proper controls will be assigned, hence unauthorized access will be eliminated.

IT SYSTEM: Proper controls according to the hierarchy in the company need to be assigned by the database expert in the company. For example, employees in the payroll department cannot see data of the enrolment department.

RISK: Example: Sometimes a payroll employee may need to access data from other departments; if controls are assigned, then payroll cannot function smoothly. RISK MITIGATION: Example: The IT admin can assign temporary control to payroll to access important information.
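An added illustration of the temporary-control arrangement described in this row (it is not part of HCG's design or of the original assignment): staff read only their own department's data, the IT admin can grant a payroll user time-limited access to enrolment data, the grant expires on its own, and every decision is written to an audit log that an internal or external audit can review later. The user names, department names and grant duration are assumed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed org structure: each employee belongs to exactly one department.
USERS = {"alice": "payroll", "bob": "enrolment", "carol": "it_admin"}


@dataclass
class AccessControl:
    grants: dict = field(default_factory=dict)  # (user, department) -> expiry
    audit: list = field(default_factory=list)   # append-only decision log

    def grant_temporary(self, admin, user, department, hours, now):
        # Only the IT admin may assign temporary control to another department.
        if USERS.get(admin) != "it_admin":
            self.audit.append(("grant_denied", admin, user, department))
            return False
        self.grants[(user, department)] = now + timedelta(hours=hours)
        self.audit.append(("grant", admin, user, department))
        return True

    def can_read(self, user, department, now):
        # Default rule: staff see only their own department's data.
        if USERS.get(user) == department:
            return True
        expiry = self.grants.get((user, department))
        if expiry is not None and now < expiry:
            self.audit.append(("temp_read", user, department))
            return True
        if expiry is not None:
            # Expired grant: drop it so the elevated access cannot linger.
            del self.grants[(user, department)]
        self.audit.append(("denied", user, department))
        return False


def demo():
    """Payroll user needs enrolment data for two hours (constructed scenario)."""
    ac = AccessControl()
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    before = ac.can_read("alice", "enrolment", t0)                        # False
    ac.grant_temporary("carol", "alice", "enrolment", hours=2, now=t0)
    during = ac.can_read("alice", "enrolment", t0 + timedelta(hours=1))   # True
    after = ac.can_read("alice", "enrolment", t0 + timedelta(hours=3))    # False
    return before, during, after, len(ac.audit)


if __name__ == "__main__":
    print(demo())  # (False, True, False, 4)
```

The audit list records the initial denial, the grant, the temporary read and the post-expiry denial, which is the trail an auditor would check when the same data later turns up where it should not.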

ROOT CAUSE: Lack of vision for data security

SYMPTOM: Poor agreements or No Agreements

As the processes are becoming more and more data driven and there is a risk of a data breach at every stage of a process, proper agreements should be signed by the companies involved.

SYMPTOM: Lack of Ethics

There will be education and enough training for the employees. Employees need to be taught about the company culture. They also need to be taught about integrity and ethics.

SYMPTOM: Lack of Auditing

HCG will take proper steps for internal and external audits of the systems. HCG will assign a proper budget for audits.

ROOT CAUSE: Data did not have value in the past

SYMPTOM: Lack of Background check on people

HCG will do proper background checks on employees before hiring them. HCG will check work history and the reason recruits left their last job. HCG will also check the criminal history of recruits, such as hacking into a company's system, data theft, data leakage, etc.

RISK: There may be data theft or leakage by employees in the company in spite of proper background checks on recruits. RISK MITIGATION: While the new recruits join the company


ROOT CAUSE: As a consulting firm in healthcare there are many key partners ranging from doctors, hospitals, pharmacies and wellness partners

SYMPTOM: Too many external key partners

HCG will choose its key partners carefully. HCG will not compromise security with untrustworthy partners.

ROOT CAUSE: HCG did not anticipate the data breach

SYMPTOM: Lack of Awareness

HCG will be very vigilant at all times, as its business is now going to be very data driven and technologically advanced.

ROOT CAUSE: HCG trusted key partners and did not expect them to leak the data

SYMPTOM: No information security policies

HCG cannot trust any partners. They need to enter into proper verbal and written agreements with other key partners to avoid possible data leakages. They also need to redesign their internal policies, as cyber security is becoming a very important issue for companies these days.

SYMPTOM: No data sharing and retention policies

HCG cannot trust any partners. They need to enter into proper verbal and written agreements with other key partners to avoid possible data leakages. They also need to redesign their internal policies, as cyber security is becoming a very important issue for companies these days.
