Jash mehta rca
HEALTHCARE CONSULTING GROUP
JASH MEHTA 1
ASSIGNMENT 3: RCA
JASH MEHTA
GROUP 3
Mentor: Kshitij Chug
Weekly meeting time (Group meeting): Wednesday 3-4pm
Weekly meeting time (Group + Mentor meeting): Wednesday 4-5pm
Venue: Ice Box, Hinds Hall
CONTEXT
Healthcare in the USA is going through a serious crisis.
The USA spends 2X as much per capita on healthcare as other industrialized nations.
Medical bills are a major factor in more than 60% of the personal bankruptcies in the USA; 75% have health insurance.
Between 2000 and 2006 health insurance premiums rose 87% while average wages rose by 3.8%. In spite of this, the USA ranks 37th in healthcare systems.
The fully insured plans are expensive and hence one of the reasons for the crisis in the healthcare economy.
The alternative to the fully insured plan is the self-insured plan. In this, the employer retains a portion of the risk and, instead of large premiums, the employer pays the administrative bills and the stop loss company’s bills, which are generally much lower than the monthly premium of a fully insured plan.
Healthcare self-insurance and consulting Group offers a variety of services to clients. HCG encourages many wellness activities and promotes self-management through healthcare Apps and increased patient-clinician interaction. Providing such services requires building an IT infrastructure and systems which can support a huge volume of customers. There is a data breach at HCG and they are unable to trace the source of the breach. In this document we identify the root cause of the problem and its impact, and create an action plan to contain and then resolve the problem.
In this document we have designed an ERD to capture the requirements of the back end. The system is designed so that it can be queried to get all kinds of data. Our system is a wellness tracking system, and we capture all kinds of health metrics before and after a wellness activity, feedback, wellness activity team participation etc. These metrics are captured to analyze and make decisions on the success of wellness activities.
FISH BONE DIAGRAM
ROOT CAUSE-5 WHY TECHNIQUE
SYMPTOM CAUSES 5 WHYs
1) Lack of System security
Why is there a lack of system security? The current system does not support any system security.
Why does the current system not support any system security? The company uses traditional tools and techniques for its processes.
Why does the company use traditional tools and techniques for its processes? The company has not updated and upgraded its systems to be technologically advanced.
Why has the company not updated and upgraded its systems to be technologically advanced? The company didn’t feel the need to invest in technology till now.
Why did the company not feel the need to invest in technology till now? Till now all the processes were efficient and secure.
ROOT CAUSE: Till now all the processes were efficient and secure
2) Lack of External and Internal System Integration
Why is there a lack of external and internal system integration? A few internal systems adopt new technology and a few systems are old. External systems are not compatible with internal systems.
Why do a few internal systems adopt new technology while a few systems are old? Systems are purchased from different vendors.
Why are external systems not compatible with internal systems? Systems are purchased from different vendors.
Why are the systems purchased from different vendors? The systems were purchased as and when required without planning for the future.
Why were the systems purchased as and when required without planning for the future? There was no vision for IT.
ROOT CAUSE: There was no vision for IT
3) Access to unauthorized people
Why is there access to unauthorized people? No controls are assigned in the current system. Also, hackers can access sensitive data due to poor system security.
Why are there no proper controls assigned in the system? The system is a mix of old and new technologies, hence assigning controls is difficult in such an environment.
Why is there a mix of old and new technologies? The company had a lack of vision for IT.
ROOT CAUSE: There was no vision for IT
4) Poor Data Collection and Storage techniques
Why are there poor data collection and storage techniques? Because HCG uses traditional methods and old tools to store and collect data.
Why does HCG use traditional methods and old tools to store and collect data? The company has not updated and upgraded its methods and tools to be technologically advanced.
Why has the company not updated and upgraded its methods and tools to be technologically advanced? The company didn’t feel the need to invest in technology till now.
Why did the company not feel the need to invest in technology till now? Till now all the storage and collection processes were efficient and secure.
ROOT CAUSE: Till now all the processes were efficient and secure
5) Lack of Auditing
Why is there a lack of auditing? HCG does its own internal audit.
Why does HCG do its own internal audit? HCG did not assign a budget for external audit.
Why did HCG not assign a budget for external audit? Management did not feel the need for external audit.
Why did management not feel the need? Lack of vision for data security.
ROOT CAUSE: Lack of vision for data security
6) Lack of Background check on people
Why is there a lack of background checks on people? HCG never felt the need to check employees’ backgrounds because no one leaked data in the past.
Why did no one leak data in the past? Data did not have value in the past. Today businesses are data driven, hence data has much value.
ROOT CAUSE: Data did not have value in the past
7) Too many external key partners
Why are there too many external key partners? As a consulting firm in healthcare there are many key partners ranging from doctors, hospitals, pharmacies and wellness partners.
ROOT CAUSE: As a consulting firm in healthcare there are many key partners ranging from doctors, hospitals, pharmacies and wellness partners.
8) Lack of Awareness
Why is there a lack of awareness? No training.
Why is there no training? No vision for data breach.
Why is there no vision for data breach? The company has faced theft/cyber-attack/leakage for the first time. HCG did not anticipate such a data breach.
ROOT CAUSE: HCG did not anticipate the data breach
9) Lack of Ethics
Why is there a lack of ethics? Lack of training.
Why is there a lack of training on ethics? Lack of budget for training on ethics.
Why is there a lack of budget? Lack of management.
Why is there a lack of management in this area? Lack of vision for data security.
ROOT CAUSE: Lack of vision for data security
10) No information security policies; no data sharing and retention policies
Why are there no information security policies? Customer health data and information has to be shared with doctors and hospitals. Also, customers’ health metrics are monitored by capturing data from wellness partners. There was a relationship of trust with wellness key partners and doctors/hospitals.
Why was there a relationship of trust? They have been key partners with HCG for several years, and HCG did not expect them to leak confidential patient data.
Why did HCG not expect the key partners to leak the data? These companies have the same customer base, so HCG trusted that key partners would not leak data.
ROOT CAUSE: HCG trusted key partners and did not expect them to leak the data.
11) Poor agreements or No Agreements
Why are there poor agreements or no agreements? HCG did not include data breach/data leak clauses in the agreements with key partners.
Why did HCG not include data breach/data leak clauses in the agreements with key partners? HCG did not consider data breach as a potential threat.
Why did HCG not consider data breach as a potential threat? Lack of vision for data security.
ROOT CAUSE: Lack of vision for data security
RESOLUTION TABLE
The major root causes derived from the 5 Whys are:
Till now all the processes were efficient and secure
Symptoms
o Lack of System security
o Poor Data Collection and Storage techniques
There was no vision for IT
Symptoms
o Lack of External and Internal System Integration
o Access to unauthorized people
Lack of vision for data security.
Symptoms
o Poor agreements or No Agreements
o Lack of Ethics
o Lack of Auditing
Data did not have value in the past
Symptoms
o Lack of Background check on people
As a consulting firm in healthcare there are many key partners ranging from doctors, hospitals, pharmacies and wellness partners
Symptoms
o Too many external key partners
HCG did not anticipate the data breach.
Symptoms
o Lack of Awareness
HCG trusted key partners and did not expect them to leak the data.
Symptoms
o No information security policies
o No data sharing and retention policies
ROOT CAUSE | SYMPTOM CAUSES | BPR | IT SYSTEM | RISK MITIGATION
Till now all the processes were efficient and secure
Lack of System security
The manual process of sending Excel sheets across departments and to external partners will be replaced by a centralized system.
There will be a central database for storing the customer data and for extracting and loading the data. There will be a website and healthcare Apps for customer services such as registering for healthcare appointments, tracking health and registering for wellness activities. Hence registration data will be stored in a centralized database.
RISK: If the central database is hacked, then the entire information of customers can fall into the hands of unauthorized people.
RISK MITIGATION: As the processes are becoming automated, stringent system security algorithms and firewalls need to be in place to protect against malware, phishing, viruses etc.
Poor Data Collection and Storage techniques
There will be sophisticated and automated data entry into the system.
There will be a central database for storing the customer data and for extracting and loading the data. There will be a website and healthcare Apps for customer services such as registering for healthcare appointments, tracking health and registering for wellness activities. Hence registration data will be stored in a centralized database.
RISK: If the central database shuts down, then the processes of data collection and storage shut down too.
RISK MITIGATION: Data needs to be replicated from time to time. Power outages should not hinder the processes, so power generators need to be in place.
There was no vision for IT
Lack of External and Internal System Integration
As there are many key partners involved with the company, their systems need to be integrated to the highest possible level.
The attendance tracking and health tracking need to have centralized and compatible systems. If doctors/hospitals and wellness activities use ORACLE DB or DB2, then HCG also needs to use the same database to be compatible with them.
Access to unauthorized people
As sending out emails from Outlook and Excel sheets will be replaced by automated systems, human involvement will decrease. Proper controls will be assigned, hence unauthorized access will be eliminated.
Proper controls according to the hierarchy in the company need to be assigned by the database expert in the company. For example: the employees in the payroll department cannot see data of the enrolment department.
RISK: Example: Sometimes a payroll employee may need to access data from other departments; if controls are assigned, then payroll cannot function smoothly.
RISK MITIGATION: Example: The IT admin can assign temporary control to payroll to access important information.
Lack of vision for data security.
Poor agreements or No Agreements
As the processes are becoming more and more data driven, there is a risk of data breach at every stage of the process; hence proper agreements should be signed by the companies involved.
Lack of Ethics
There will be education and enough training for the employees. Employees need to be taught about the company culture. They also need to be taught about integrity and ethics.
Lack of Auditing
HCG will be taking proper steps for internal and external audit of the systems. HCG will assign proper budget for audits.
Data did not have value in the past
Lack of Background check on people
HCG will be doing proper background checks on the employees before hiring them. HCG will check work history and the reason for recruits leaving their last job. HCG will also check criminal history of recruits such as hacking into company’s system, data theft, data leakage etc.
RISK: There may be data theft or leakage by employees in the company in spite of proper background check on recruits.
RISK MITIGATION: While the new recruits join the company
As a consulting firm in healthcare there are many key partners ranging from doctors, hospitals, pharmacies and wellness partners
Too many external key partners
HCG will choose its key partners carefully. HCG will not compromise security with untrustworthy partners.
HCG did not anticipate the data breach
Lack of Awareness
HCG will be very vigilant at all times, as their business is now going to be very data driven and technologically advanced.
HCG trusted key partners and did not expect them to leak the data
No information security policies
HCG cannot trust any partners. They need to enter into proper verbal and written agreements with other key partners to avoid possible data leakages. They also need to redesign their internal policies, as cyber security is becoming a very important issue for companies these days.
No data sharing and retention policies
HCG cannot trust any partners. They need to enter into proper verbal and written agreements with other key partners to avoid possible data leakages. They also need to redesign their internal policies, as cyber security is becoming a very important issue for companies these days.
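The temporary-access mitigation in the "Access to unauthorized people" row above, sketched as an added example that is not part of the original assignment: departments are denied each other's data by default, an IT admin issues a grant that expires on its own, and every decision is logged for audit. The dataset names, the 24-hour cap and the `AccessPolicy` class are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: which department owns which dataset (hypothetical names).
OWNERS = {"payroll_records": "payroll", "enrolment_records": "enrolment"}


class AccessPolicy:
    """Default deny across departments, with admin-issued grants that expire."""

    def __init__(self, owners):
        self.owners = dict(owners)
        self.grants = []  # (department, dataset, expires_at, approved_by)
        self.audit = []   # (timestamp, department, dataset, decision)

    def grant_temporary(self, admin, department, dataset, now, hours):
        if dataset not in self.owners:
            raise KeyError(f"unknown dataset: {dataset}")
        if not 0 < hours <= 24:  # assumed cap, so a grant cannot become permanent
            raise ValueError("temporary grants are capped at 24 hours")
        expires = now + timedelta(hours=hours)
        self.grants.append((department, dataset, expires, admin))
        return expires

    def can_read(self, department, dataset, now):
        owner = self.owners.get(dataset)
        if owner is None:
            decision = "deny:unknown-dataset"
        elif owner == department:
            decision = "allow:owner"
        elif any(d == department and s == dataset and now < exp
                 for d, s, exp, _ in self.grants):
            decision = "allow:temporary-grant"
        else:
            decision = "deny:no-grant"
        self.audit.append((now, department, dataset, decision))
        return decision.startswith("allow")


def demo():
    """Payroll asks for enrolment data before, during and after a 4-hour grant."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    policy = AccessPolicy(OWNERS)
    before = policy.can_read("payroll", "enrolment_records", t0)
    policy.grant_temporary("it_admin", "payroll", "enrolment_records", t0, hours=4)
    during = policy.can_read("payroll", "enrolment_records", t0 + timedelta(hours=1))
    after = policy.can_read("payroll", "enrolment_records", t0 + timedelta(hours=5))
    return before, during, after, [entry[3] for entry in policy.audit]


if __name__ == "__main__":
    print(demo())
```

Because the grant carries its own expiry and the approving admin's name, the exception closes without anyone having to remember to revoke it, and the audit list shows who was allowed what and why.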