Reflection
"A journey of a thousand miles begins with a single step."
Lao-tzu, The Way of Lao-tzu, Chinese philosopher (604 BC - 531 BC)
Overview
• Dignity Health – Organizational Overview
• Goals of Implementation of RSAM
• Challenges
• Current Use Cases
• Sample Metrics
• Future Focus
• Timeline for RSAM GRC Direction
• Additional Use Case Requests – RSAM GRC Direction
• Questions
Dignity Health – Organizational Overview
• Dignity Health, one of the nation’s five largest health care systems, is a 17-state network of 10,000 physicians and 56,000 employees who provide patient-centered care at more than 300 care centers, including hospitals, urgent and occupational care, imaging centers, home health, and primary care clinics.
• Headquartered in San Francisco, Dignity Health is dedicated to providing compassionate, high-quality and affordable patient-centered care with special attention to the poor and underserved. In 2012, Dignity Health provided $1.6 billion in charitable care and services.
STATISTICS (Fiscal Year 2012)
Assets: $13.5 billion
Net Operating Revenue: $10.5 billion
General Acute Patient Care Days: 1.6 million
Community Benefits and Care of the Poor: $1.6 billion
Acute Care Beds: 8,400
Skilled Nursing Beds: 800
Acute Care Hospitals: 39
Active Physicians: 10,000
Total Employees: 56,000
Source: http://www.dignityhealth.org/stellent/groups/public/@xinternet_con_sys/documents/webcontent/232618.pdf
Goals of Implementation of RSAM
• Minimize risk
• Maximize efficiency
• Provide a clear process for users to follow
• Be responsive to internal and external auditors
• Ensure effective issue tracking from start to resolution
Challenges
• Paper-based processes
• Access management
• Decentralized archival
• Manual workflow
• Difficult to evaluate risk
• Stakeholder engagement
• Workflow documentation
• Process documentation
Current Use Cases
• Security Assessments
– Enables online access to vendors
– Multiple internal reviewers can review, track, and comment
• CSIRT Tracking
– Manages workflow (notifications, deadlines)
– Links to internal policy source
– Enables reporting/trending
• Variance
– Connects to related Security Assessments
– Tracks expirations
• Meaningful Use Risk Assessment
– Connects with remediation plans
• Privacy
– Tracks a single reportable incident at multiple locations
Security Assessments
Current State
• Manual process transferred to RSAM.
• Flexibility for dynamic questions to limit unnecessary time spent by the business.
Gaps Realized
• Questions need refining to gather specific information, rather than open text fields.
• Dynamic questions have to tie back to project plans for implementation/remediation.
• Need to drive a more uniform approach to action plans.
• Leverage SSRS to report out to various audiences.
• Implement risk ranking to help prioritize resources.
CSIRTs
Current State
• Workflow matured from manual processes.
• Notifications and escalations added to workflow.
• Handover to Compliance once investigation and triage are complete.
Gaps Realized
• Revisit categorizations (cascading sub-categories).
• Build out a lessons-learned phase.
• SSRS reporting.
• Risk ranking.
Sample Metrics: Security Incidents - Open/Close
Sample data is displayed. This does not represent actual results.
Sample Metrics: Incidents by Category
Sample data is displayed. This does not represent actual results.
Sample Metrics: Details for Top Incident Category
Sample data is displayed. This does not represent actual results.
Variances
Current State
• Manual process put into RSAM workflow.
• Approval process improved.
• Search features and user assignment capability improved “need to know” for the business.
Gaps Realized
• Dynamic question set revisions.
• Customize information requested to be appropriate for the specific variance request.
Meaningful Use
Current State
• Phase 1 complete for those locations with EHR.
• Attestations complete for funding.
• Reports with risk areas and scoring implemented.
Gaps Realized
• Yearly re-attestation process.
• Business Owners needed remediation plans set for them.
• Remediation plans needed to be stored in RSAM with the assessment.
Privacy Impact Assessments
Current State
• Facility Privacy Officials
• Shared assessments across multiple facilities eliminate duplicate work.
Vendor Access
• Vendor access is requested by a Dignity Health employee.
• Run vendor access through F5s or use offline data gathering.
• Dormant Disable process is run to remove vendor access after a period of time has elapsed.
• Saves time for the Project Managers.
• Improves accuracy of answers for implementations.
Benefits
• Trending available for leadership decisions.
• Reduced duplication of work compared with manual processes.
• Ability to look up history for every assessment or event.
• Improved accuracy of data gathered by using multi-select and drop-down fields.
• Centralized storage of risk information partially realized.
Future Focus
• Global picture - GRC framework from the top down
• Risk weighting/ranking
• Prioritization of remediation efforts
• Synchronize investigation and reporting
• Refine question sets
• Leverage new functionality in Version 8
• SSRS
• Connections between use cases where duplicate data is needed/used
Timeline for RSAM GRC Direction (Task Name: Target FY14 Quarter)
• General Maintenance: Ongoing
• Upgrade Hardware: Q2
• Upgrade to Version 8: Q2
• SSRS Reporting: Q2
• Metrics/Trending: Q2
• Improvements on Existing Use Cases: Q3
• Top-Down and Bottom-Up Methodology Change: Q3
• Industry Standards and Regulatory Compliance: Q3
• Link Repeatable Information Between Use Cases: Q4
• Technology Automation for Existing Manual Processes in Security Operations: Q4
• New Use Cases Needed: Q4
Additional Use Cases Requested – RSAM GRC Direction (Business Use Case: Business Area and Controls Area)
• IT Compliance - Business Impact Assessment: Ensure BIAs are updated every year and a standardized priority is in place. Drives disaster recovery testing and prioritization.
• IT Audit/Compliance: Audit finding tracking and remediation in a central repository with links to variance requests and other use cases.
• HIPAA Corporate Compliance: HIPAA Compliance Waivers with compensating controls from the business and human resources perspective.
• HIPAA IT Compliance: HIPAA Transaction Compliance Waivers with compensating controls from an IT perspective.
• Software License Tracking for IT: Ensures a central location for licensing and reminders for renewals.
• Security Ops Forms and Processing: For example: Third Party Access, Elevated Privileges, Smart Phones,
• Monitoring and Alerting Systems Imports: Nitro, Rapid7, Varonis, Cisco Intrusion Detection, McAfee EPO, Firewall Log Reviews, Marimba, etc.