University Health Care System. HTM 660 Systems Management and Planning, May 2014.


Slide 2
- Introduction/Purpose
- Background
- Process Utilized
- Chart linking projects to HCO’s strategies and goals
- Prioritized Portfolio with Budget
- Tactical Plan
- Questions & Answers

Slide 3: Introduction/Purpose/Background
The project steering committee is requesting approval for the acquisition of the FireEye security system.
Objective: To prevent future data breaches like the one our organization recently experienced, when thousands of patients' health records were accessible online, our project will focus on acquiring a high-level software security application called FireEye. The software product, FireEye, will meet all of the needs of the project.

Slide 4: Project Steering Committee
- CIO
- CFO
- CNA
- Project manager
- Representatives from nursing, medical assistants, and office manager.
IT support will be engaged in the last phase of implementation.

Slide 5: Background
- HIPAA Violation
- Post Breach Response
- Record $4 Million Settlement
- Preventative Action Plan

Slide 6: Scope of Work
- FireEye: 95% of All Networks are Compromised (FireEye.com)
- Upgrade Current Security System
- Server Upgrade
- Integration
- Timeline
- Project Measurement and Budget
- Maintain - Speed, Accuracy
- Protection for clinicians' and patients' data

Slide 7: Scope of Work Continued
- Timeline - 1 Year
- 3 Phases
- Fiscal Year 2015
- Department Needs - Representatives from all sectors
* Our project team is dedicated to delivering advanced data threat protection for patients' health information by acquiring FireEye throughout the University Health Care system.

Slide 8: Deliverables
- Ensure communication modes and data storage points, including web browsing, , content security, endpoint security, and forensic analysis are secure.
- Develop New Protocol - Firewall, Virus scanner, Reporting
- Universal adoption of FireEye technology in every hospital and medical center, which would enable a uniform standard of security across the healthcare system.
- Measured:
  - Decrease % Leaks
  - Increase Security
  - Decrease Organizational Liability
  - Increase % Leaks Identified at Stage 1

Slide 9: Deliverables Continued
- High % of staff who use the system successfully
- Low incidence of lost data
- Physical modes of security can still be implemented:
  - Security guards monitor computers
  - All employees must change passwords every three months
  - All staff must file a report for every breach
  - Finally, these reports must be filed with HIPAA authorities in a timely manner after the incident.
FireEye is believed to be a means to make EHR data more secure and breaches more easily identified.

Slide 10: Timeline
Task | Deadline
Analysis and contracting | September
Hardware and software installation | October
Registration interface | November
Update EHR system | December
Staff training | December
System set up | January
IT staff training | January
Go live date | January

Slide 11: Budget Highlight
Project Name | Operating Cost
Capital budget | $100,000
Software | $30,000
Hardware | $15,000
Access points | $10,000
Operation Maintenance cost | $10,000
First year services | $15,000
Security guard on computer | $6,500
Simulation test (trial period) | $5,000
Staff training | $8,500

Slide 12: Major Stakeholders
- Project Manager
- Project Steering Committee
- C Level Executives
- Current IT Staff
- New IT Staff
- FireEye Vendor Solutions Team

Slide 13: Project Support and Authority
All hospital executives (CEO, CIO, CFO) are responsible for making policies to keep the system compliant with HIPAA regulations.
The entire IT department must develop and maintain a tightly monitored electronic information system employing a firewall, antivirus software and two-factor authentication access.
Finally, all hospital staff, all the way down to the custodial staff, must remain vigilant of their own and others’ behavior. Any unauthorized verbal or written sharing of patient information must be immediately reported, and the offending employee given a warning or reprimand.
* The system encourages proper resources be maintained post procurement of information systems. Without access to support, the possibility of a fall could occur.

Slide 14: Assumptions and Dependencies
- University Health Care employees are willing to change business operations to take advantage of the functionality offered by the new FireEye security technology.
- Management will ensure that project team members are available as needed to complete project tasks and objectives.
- The project team will participate in the timely execution of the FireEye Project Plan (i.e., focus meetings when required).

Slide 15: Assumptions and Dependencies Continued
- Failure to roll out the new security system within the time specified in the project timeline will result in project delays.
- Project team members will adhere to all project guidelines.
- Mid and upper management, including nurse management leaders, will foster support for the project goals and objectives.
- The FireEye Project Plan may change as new information and issues are revealed.

Slide 16: Constraints
- Project funding sources are limited.
- Due to the estimated budget cost, resource availability is inconsistent.
- Internet connections could be affected by a slower rate of connectivity because of the newly implemented security system.

Slide 17: Known Risks
- Cost - $100,00 per Installation
- Operating Costs & Hidden Costs
- Additional Risks Unknown
* Furthermore, access is never 100% secure. The system is designed to be highly accessible to authorized users, but must be closely guarded against unauthorized use. If a password leaks, a logged-in computer is left unattended, or any patient information is written on paper and left unattended, this could constitute a security breach, even with FireEye. If any part of confidential patient information (no matter how small) is leaked, it constitutes a breach of patient privacy.

Slide 18: Procurement Items
- Identifying relevant information systems
- Conducting a risk assessment
- Implementing a risk management program
- Acquiring IT systems and services
- Creating and deploying policies and procedures

Slide 19: Creating and Deploying Policies and Procedures
All policies and procedures will receive a refresh post acquisition, allowing staff time to assimilate new critical measures. New items will align with HIPAA regulations and also take into account any new software or hacking awareness lessons from recent retail data breaches in a sister industry. Content can be procured and distributed in a wide variety of ways across the internet, and the challenge will be to learn from those around us in creating a new set of privacy policies and procedures to protect patients.

Slide 20: Q/A
Thank You