A CHIME Leadership Education and Development Forum in collaboration with iHT2

Creating an Effective Cyber Security Strategy

________Key Attributes for Success, Challenges and

Critical Success Factors

● Angela Duncan Diop, ND, CHCIO, VP of Information Systems

Unity Health Care, Inc. ●

#LEAD14

ANATOMY OF A BREACH

A CHIME Leadership Education and Development Forum in collaboration with iHT2

INTRODUCTION

Unity Health Care, Inc.Federally

Qualified Health Center

Over 100,000 unique patients

in 2013

30 sites; health centers,

homeless service sites, school based health

centers, correctional sites, and a mobile site Mission

Promoting healthier communities through compassion and comprehensive health and human services, regardless of ability to pay.

4

5

Unity’s Patients• Patient population is

racially and ethnically diverse and largely minority

• Substantial health disparities and poor health outcomes exist

• Great need for accessible and comprehensive primary care services

THE INCIDENTData is like water – it always flows through the cracks

Description• A personal laptop

containing data from a nutrition and exercise program

• Student assisting in the analysis of data saved it to a flash drive.

• Loaded to a personal computer.

• Stolen from a student’s home in a burglary.

FreeDigitalPhotos.net

Description

• Type of Incident: Theft

• Location of Breach: Laptop computer - unencripted

• Approximate number of individuals affected by the breach: 305

FreeDigitalPhotos.net

THE CALLTo breach or not to breach – that is the question.

Type of PHI Involved

• Demographic information – name and DOB

• Clinical Information -diagnosis/conditions

• The data consisted of names, dates of birth, weight, body mass index, and for a limited number of participants, information regarding a history of hypertension or diabetes.

Risk Assessment

• Consulted our HIPAA auditor• Consulted our attorney• Met/discussed with our Executive

Management team• Decided to treat the incident as a

breach

THE RESPONSENever let a good crisis go to waste

Created a Team

• Appointed a breach response team– Privacy Officer– VP of Information

Systems– Legal Counsel– VP of Clinical

Administration– Deputy Chief Medical

Officer– VP of Human Resources

Gap Analysis &Corrective Action Plan

• Overall responsibility – Privacy Officer or VP of IS

• Identifies the steps that led to incident

• Captures key info surrounding the incident– Description– Issues/Gaps– Lead – Due date

Incident Response Plan

• Plan that the team creates and follows to address the incident– Investigation– Risk Assessment– Notifications –

Patients, HHS, Staff Exe Man Team, Exe. Board

– Corrective actions

EPILOGUEMilk the crisis for all it’s worth

Benefits Gained

• Blue print for responding to a breach

• Breach team• Breach management policy• Breach insurance• Retraining of staff• Heightened awareness by senior

leadership and Board

Q & AAngela Duncan Diop, ND, CHCIO

adiop@unityhealthcare.org

A CHIME Leadership Education and Development Forum in collaboration with iHT2

@AngelaDiop@UnityHealthCare