THE IT&S 2015 ANNUAL REPORT
REPORT AFTER REPORT from the FBI, the Secret Service, and other government agencies indicated that healthcare companies were being maliciously, relentlessly targeted in 2015. In fact, the FBI revealed that, on the black market, a medical record is worth ten times the value of a credit card. Behind the scenes at HCA, though, we stood strong in defense against outside threats. Information Protection worked with every hospital division, Parallon, Sarah Cannon, Physician Services Group, and HCA International to strengthen each organization’s information protection program.
Our 2015 accomplishments adhere to the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology (NIST). This framework is a nationally recognized set of industry standards and best practices for managing cybersecurity risks and establishes a big picture structure for our enterprise Information Protection program. The framework allowed us to focus on the following specific areas in 2015.
THE BIG PICTURE: TO PROTECT AND SERVE
Every day HCA’s sensitive data is targeted for financial gain and other malicious purposes. The Information Protection team works with all HCA employees to protect our patients, our people, and our business.
Identification of Our Assets and Our Risks
Understanding what information we need to protect and what risks our organization faces are foundational activities for the Information Protection team. This understanding enables us to prioritize efforts and resources, making risk-based decisions consistent with business needs.
Key accomplishments in 2015 included:
• FORMALIZING THE STRATEGY AND RISK MANAGEMENT TEAM IN INFORMATION PROTECTION TO FOCUS ON RISK MANAGEMENT STRATEGY FOR THE ENTERPRISE
• MATURING THE INFORMATION PROTECTION DATA GOVERNANCE COUNCIL AND FACILITY SECURITY COMMITTEES, WHICH ARE DESIGNED TO FACILITATE RISK-BASED DECISIONS AND INCLUDE KEY STAKEHOLDERS FROM LEADERSHIP, CLINICAL, FINANCIAL, LEGAL, HUMAN RESOURCES, AND IT&S
• REFRESHING PHYSICAL, ADMINISTRATIVE, AND TECHNICAL ASSESSMENTS FOR ALL HOSPITALS AND AMBULATORY SURGERY CENTERS; DOCUMENTING RISKS; AND DEVELOPING CORRECTIVE ACTION PLANS
• CREATING HIPAA SECURITY RISK ANALYSIS AND RISK MANAGEMENT DOCUMENTS FOR EACH FACILITY TO PROVIDE A CONSOLIDATED VIEW OF THE HOSPITAL’S APPROACH TO SECURITY RISK ANALYSIS AND RISK MANAGEMENT