INEVITABLE RISKS - CSO50 Conference · 2017-03-03

INEVITABLE RISKS

Creating a Business Resilience and Assurance Program to Minimize Risk

About HMS

Since 1974, HMS has been enterprising healthcare, providing a broad range of healthcare cost containment solutions to the industry, all to help payers improve performance. Clients include:

- Medicaid Managed Care Organizations
- Medicare Advantage plans
- Group and individual plans
- Self-funded employers
- Medicaid agencies
- CHIPs (Children's Health Insurance Programs)
- State employee health benefit plans
- Centers for Medicare and Medicaid Services
- U.S. Department of Veterans Affairs
- Department of Defense

Business Drivers

- Brand and Reputation Value
- Patient Information Protection: Confidentiality, Integrity, and Availability
- Mandatory Federal Regulations
- Client Contractual Obligations
- Existing and Future Policy
- Legislation Impacting the Field of Healthcare
- Business Continuity and the Sustainability of Business Services

Industry Drivers

- OCR (HIPAA) and CMS (EHR Meaningful Use) audits reveal serious weaknesses
- There is an ever-increasing number of privacy complaints to the OCR
- There is an increasing number and amount of settlements for privacy and security issues
- Major HIPAA breaches have reached a 1K milestone, with 1 in every 10 people in the U.S. impacted
- The current cost of a breach is estimated at $188 per record. The average number of records in a breach is 23,647, or about $4.4M per breach
- Identity theft may be the most frequent, costly, and pervasive crime in the U.S., with increasing sophistication

Business Resilience and Assurance Program

- Content Sharing
- Centralized Risk Governance
- Security Risk Management Framework (RMF)
- Visibility into Key Risk Factors
- Provides an HMS-centric Policy-Standards-Procedure Mapping Foundation
- Authoritative Source Guidance
- Mapped to a Common Core of Control Standards (Security Framework)

Security Risk Program Foundation

To help safeguard electronic protected health information (PHI), HMS established a Common Security Framework built on HITRUST.

Combining the HITRUST CSF with industry best practices, HMS was able to offer a scalable security process designed to support the security and privacy of healthcare information.

This holistic foundation ensures that the security program meets regulatory obligations from a people, process, and technology standpoint.

How We Identify & Manage Risk

- Incident Management
- Issues Management
- Policy Management
- Vendor Management
- Compliance Management
- Asset Management
- Risk Register
- Threat Management

How We Monitor Risk

- Control Procedures: Ownership
- Business Processes: Implementation, to adhere to control objectives
- Control Self-Assessments: Continuous Monitoring, to continuously monitor control objectives

Tracking and Reporting

- Status Summaries
- Threshold Monitoring
- Trend Reporting
- Historical Metrics
- Customized Dashboard & Alerting

Intended Outcomes

1. Define a Common Security Framework: HITRUST CSF
2. Define the Methodology for Assessment and Treatment of Security Risks
3. Integrated Foundational Components
4. Increase Transparency & Create a Risk-Aware Culture
5. Improve Visibility into Key Risk Factors
6. Improve HMS's Risk Posture
7. Support the Business Mission
8. Ensure Business Continuity

Maturity progression: Policy, Process, Implementation, Measured, Managed

THANK YOU

George M. Macrelli, Senior Director, Security, [email protected]

Daryl Hykel, Security Assurance, [email protected]

Scott Pettigrew, VP, Chief Security Officer, [email protected]

Sean Miller, Security Assurance, [email protected]