This document provides an agenda and presentation materials for a talk on leveraging cloud technology at Dignity Health. The agenda includes an introduction to Dignity Health, trends in healthcare like telehealth and predictive analytics, Dignity Health's current use of cloud services, steps for migrating to the cloud, and cloud security considerations. Key points discussed are Dignity Health's private health information clouds for applications like EMR systems, using the public cloud for file sharing and collaboration, and the importance of complying with regulations like HIPAA when utilizing cloud services and selecting cloud vendors.

1. Draft – For Discussion Purposes
A use case… thoughts on how to leverage your technology and the cloud
Iht2 Conference – Beverly Hills
November 4, 2014
Raymond Lowe
Senior Director Enterprise IT Infrastructure and Technology’

2. Draft – For Discussion Purposes
2
•Dignity Health – Hello Humankindness
•Data Centers and Cloud
–Where are you in the cloud?
•Dignity Health and the cloud
–Big 7 trends in Healthcare
•Steps to the Cloud
•Cloud Security
•Questions and Answers
Agenda

3. Draft – For Discussion Purposes
Dignity Health
3

4. Draft – For Discussion Purposes
Who is Dignity Health
•Assets: $13.1 billion
•Net Operating Revenue: $10.6 billion
•General Acute Patient Care Days: 1.8 million
•Community Benefits and Care of the Poor: $1.4 billion
•Acute Care Beds: 8,800
•Skilled Nursing Beds: 800
•Acute Care Hospitals: 40
•Clinics/Ancillary Care Centers: 150
•Medical Foundations: 11
•Active Physicians: 10,000
•Total Employees: 55,000
4

5. Draft – For Discussion Purposes
Aligning Dignity Health for Future Success
5
Operating company with strong local leadership
Focus on markets, not hospitals
Aligns system and market leaders
Fosters clinical enterprise focus
Enables streamlined decision making
Creates greater accountability for outcomes
Responsive to community needs

6. Draft – For Discussion Purposes
6

7. Draft – For Discussion Purposes
7
https://www.youtube.com/watch?v=K8s8UD211pU#t=34

8. Draft – For Discussion Purposes
Where are you on your technology transformation and your journey to the cloud?

9. Draft – For Discussion Purposes
Source: Vmware

10. Draft – For Discussion Purposes
1.Do you have any ASP hosted applications?
2.Do you use Box, Dropbox, MS OneDrive?
3.Are your backup being electronically stored outside of the walls of your facility?
4.Does your Disaster Recovery and business continuity storage leave your facilities?
Poll the Audience

11. Draft – For Discussion Purposes
Dignity Health – Cloud

12. Draft – For Discussion Purposes
Big 7 Trends in Health Care
1.Personalized Health Services
•Transition from not-for-profit, one-time acute episodes to for-profit, recurring wellness services
2.Consumerism
•Embrace that health care is consumer-driven with many choices of retail experiences
3.Employer Direct
•Market a comprehensive, service-based network direct to employers with a focus on the self-funded employers - instead of relying on insurers and payers
4.Telehealth
•Expand core PCP and specialist services across the continuum of care with global reach and local partnerships for best-in-class hybrid delivery model
5.Cloud
•Provide interoperability with a consumer-focused “outside-in” perspective – integrating across many SaaS/IaaS/PaaS partners for speed-to-market
6.IP-Enabled Medical Devices
•Integrate wearables, implantibles for real-time monitoring, alerting, diagnosing, and prescribing that connect to the Internet of Medical Things
7.Predictive Analytics
•Drive care quality and cost efficiencies with analytics that forge new pathways from chronic to preventative to wellness

13. Draft – For Discussion Purposes
Big Trend #5: The Cloud Is Already Here at Dignity Health
Private PHI Cloud:
Enterprise Data
Warehouse (SAS)
Private PHI Cloud:
EMR (Cerner)
Proprietary DC’s:
- Patient Revenue
Cycle (Lawson)
- Ambulatory EMR
(Allscripts)
- MS Exchange,
Sharepoint
PHI Co-Lo: Disaster Recovery (Switch)
Public Cloud:
Social Collaboration
(Yammer @Microsoft Azure)
Private PHI Cloud:
Patient Portal (MedSeek)
Private PHI Cloud: HIE (MobileMD)
Private PHI Cloud:
Pathology Reporting
(Olympus EndoWorks)
Dignity Health PHI: Clinical Applications in the Cloud
Public Cloud:
File Sharing (Box)

14. Draft – For Discussion Purposes
Steps to the Cloud

15. Draft – For Discussion Purposes
15
1.Define Cloud Security Governance and Policies
2.Define approach to standardize the current architecture
3.Develop and use a target state architecture to define standards
4.Buy commoditized cloud services and capabilities whenever possible without exposing PHI.
5.Migrate existing applications and systems into private/hybrid cloud using phased approach
6.Decommission existing legacy systems as new capabilities come online within your target state environment
Steps to Cloud Computing

16. Draft – For Discussion Purposes
16
Rationalizing, standardizing and consolidation of applications and infrastructure.
Application Migration Strategy

17. Draft – For Discussion Purposes
Cloud Security

18. Draft – For Discussion Purposes
18
Threats, Vulnerabilities, and Exposures are Increasing
April, 2014
4,500,000 individuals
February, 2014
405,000 individuals
Healthcare Industry
HIPAA Breaches and Fines
33,800,000 individuals
September, 2010
6,800 individuals
$4.5M fine May, 2014
Consumer and Business Breaches
July, 2013 4,000,000 individuals
July, 2011
4,900,000 individuals
2011
20,000 individuals
$4M settlement March, 2014
December, 2009
1,200,000 individuals
$3M settlement March, 2014

19. Draft – For Discussion Purposes
19
Situational Analysis:
–Cloud computing has many facets to address for public, private or hybrid cloud solution deployment – including cost, infrastructure, software, platforms, contractual, management oversight, audit and security.
–Important aspects for security in a virtualized environment and security defenses include confidentiality, integrity and availability. Further security analysis includes governance, risk management and compliance; including implementation visibility and auditing rights of security controls.
–However, the most critical business decision point for leadership, assuming appropriate security, legal and audit controls are in place – is the decision point to include HIPAA regulatory requirements and accompanying Business Associate agreements in the cloud decision – as these compliance measures are at the most fundamental core on how Dignity Health protects PHI/ePHI-based business applications.
Business Decision Point for Cloud Computing
Undeniably, Cloud Computing is present at Dignity Health in various forms. However, as additional deployment options are developed driven by strategic business reasons, leadership must address a critical decision point in the deployment of cloud-based solutions at Dignity Health.

20. Draft – For Discussion Purposes
20
Development of a Cloud Security Plan
1. Specific Business Goals
•Regulatory Compliance
•Organization Objectives & Capabilities Risk
•Enable Technologies, Processes and People
•Provide an aggregated view of the risk profile the company accept
•ITILv3, ISO 2700X and NIST
•3rd Party Relationships & Business Associates (HIPAA)
2. Risk Management Program
3. Develop a Security Plan to Support Business Goals
4. Audit, Review and Continuously Improve
•Compliance program, technologies, and processes with very specific results
•HIPAA, HITECH, SSAE 16
•Monitor changing Government & Regulatory Landscape (Omnibus)
•Continue to expand HIPAA Compliance, PCI, Meaningful Use for all Stages
•Risk Assessment as a Continuous Process and ‘Way of Thinking’
Key Considerations
•Security of Enterprise Applications & PHI
•Compliant Managed Cloud Service Provider
•Take an active role in Security & Risk management
4
3
2
1
Enterprise Cloud Security Plan

21. Draft – For Discussion Purposes
21
Regulatory, Compliance & Control Objectives Overview
•The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) drives important protections, that require an entity providing a service to a provider, to control Protected Health Information (“PHI”)
•A Business Associate Agreement (“BAA”) has significant contractual obligations by the service provider for covered entities, such as Dignity Health. A BAA shall have the meaning ascribed to them in HIPAA as contained in 45 CFR parts 160, 162 and 164, and of the American Recovery Act of 2009 (the “HITECH Act”)
•HIPAA regulations include “HIPAA Privacy Regulations” (CFR Parts 160 & 164), “HIPAA Security Regulations” (CFR parts 160 & 164) , “HIPAA Transaction Regulations” ( CFR Parts 160 & 162), and “HIPAA Breach Notification” (CFR Part 164 Subpart D, and the HITECT Act)
Healthcare Regulatory Drivers
•An important security framework which provides a structured methodology for analysis is ISO27001
•Payment Card Industry (“PCI”) has important considerations for cloud provider selection
Security Frameworks and Control Objectives
Drivers and Controls

22. Draft – For Discussion Purposes
22
Business Associate Agreement Responsibilities
BAA Service Objectives
A BAA Upon Commencement of Service Shall Agree to the Following Terms
Security Incidents and Breach of Unsecured PHI
Compliance Audits
Information Safeguards, Mitigation
Subcontractor and Agents
Changing Regulatory and Compliance requirements
Permitted Uses and Disclosures
Accounting Disclosures
Consent, Authorization, and Permission
Designated Record Sets
Minimum Necessary and Limited Data Sets
Right to Terminate for Breach, Effects of Termination, Amendments, and Conflicts
Marketing Use of PHI, Non-Permitted Use, and Uses or Disclosure Restrictions
A BAA has significant contractual obligations, driven by
Federal Regulations - continued oversight is essential.

23. Draft – For Discussion Purposes
23
ISO 27001:2005 Security Domains
Security Objectives
Regardless of Health Care Regulations, Cloud Providers Must Address the Following Security Controls
Human Resources Security
Security Policy
Asset Management
Communications and Operations Management
Environmental and Physical Security
Information Security Governance
Business Continuity Management
Encryption
Information Systems Acquisition
Information Security Incident Management
Compliance
Access Control
Security practitioners for Cloud Providers will baseline control
objectives against these well understood security domains.

24. Draft – For Discussion Purposes
24
Cloud Security Defense Best Practices
Cloud Governance
Align with recognized industry standards, including internal security policies, standards and processes to both internal audits and external certifications.
Security Governance, Risk Management and Compliance
Robust security compliance program. Including physical access, logical access with internal and external auditing.
Problem and Information Security Incident Management
Documented policies and procedures for management and monitoring of security events, including escalation and resolution.
Identity and Access Management
Ensure access is tightly controlled. Privileged user monitoring to ensure enforcement and compliance to customer data protections.
Categorize and Protect Data and Information Assets
Encryption in-flight, @Rest and backups. Key Management if necessary. Protection of portable media and storage device disposal controls.
System Acquisition, Development and Maintenance
Security applied throughout lifecycle, Hypervisors Common Criteria certified and hardened servers
Secure Infrastructure Against Threats and Vulnerabilities
Defense in depth, underpinned with people and technology, IDPS @ boundary, vulnerability scanning, configuration mngt & security zones
Physical and Personnel Security
Strong physical controls, including CCTV, biometric authentication, resiliency tools and door alarms. Employee training of customer data handling and protections.
Secure by Design

25. Draft – For Discussion Purposes
Questions & Answers
25