Assuring New York State’s Health Benefits Exchange Meets Information Security Standards

Healthcare Services | Network Infrastructure Services – Information Security

Our client, Computer Sciences Corporation (CSC), contracted TEKsystems to perform a security assessment on behalf of their customer, the New York Health Benefits Exchange, to evaluate whether the new online health plan marketplace met government mandates and industry standards so it could launch successfully and securely by the federal deadline.

CSC is a global leader of next-generation IT services and solutions. CSC engaged TEKsystems on behalf of their customer, the New York Health Benefits Exchange, a service of the New York State Department of Health, which provides services to more than 19 million New York citizens. CSC has partnered with TEKsystems since 1996.

Today, high-profile security breaches frequently make the headlines. The result of a successful attack can be costly to an organization’s reputation, service performance, and ultimately, their bottom line. According to Hewlett-Packard’s Cost of Cyber Crime Study, attacks can cost an average of $11.6 million and take an average of 32 days to resolve.1 The gravity of big-time security hits can put undue pressure on companies to scramble once their data has been compromised.

In the healthcare industry, where patient privacy and security have always been a concern, the challenge of protecting patient records has grown as the industry has become ever more electronic. These concerns have led to regulatory actions that require healthcare organizations to take specific compliance measures or otherwise face financial penalties. Examples of regulatory actions include:

  • Health Insurance Portability and Accountability Act (HIPAA): This act protects the privacy of individually identifiable health information and sets national standards for the security of electronic-protected health information.
  • Health Information Technology for Economic and Clinical Health Act (HITECH): Enacted as part of the American Recovery and Reinvestment Act, HITECH promotes the adoption and meaningful use of health information technology, and addresses the privacy and security concerns associated with electronic transmission of health information—strengthening the civil and criminal enforcement of HIPAA rules.

Beyond these regulatory pressures, healthcare organizations are also concerned with information security’s impact on their business. And while the regulatory mandates encompass many security measures, they do not cover everything.

For healthcare organizations looking to assure their systems’ security, finding a skilled third-party information security partner with specific healthcare experience is critical. These organizations require support assessing whether their systems meet federal regulations, as well as whether their systems conform to best practices for physical, technical and administrative security protocols. Investing in information security early on, and having the proper tools, processes and people in place, helps businesses mitigate their risk of data loss or compromise.

Our client, Computer Sciences Corporation (CSC), was contracted to build New York state’s official health plan marketplace, called the New York State of Health (commonly referred to as NY State of Health and formerly New York Health Benefits Exchange). The portal would meet the federal mandate under the Patient Protection and Affordable Care Act (ACA), which was created to improve the access and affordability of health insurance. Once launched, NY State of Health would enable New York citizens to purchase health coverage.

CSC designed, built and was operating the marketplace’s IT environment and requested a third-party security assessment (TPSA) of the portal prior to its launch. The assessment would evaluate technical and nontechnical security safeguards. It would confirm that their practices were compliant and that the health records of New York citizens would be protected and secure, as defined by the system security plan. The TPSA would serve as significant support for CSC’s submission to several agencies (e.g., the Centers for Medicare and Medicaid Services (CMS) and the Internal Revenue Service (IRS)). Ultimately, it would be part of their application to the New York State Department of Health for its authority to connect and operate in a live environment. Without approval, the NY State of Health marketplace could not open safely to the public by the federal government-set date (Oct. 1, 2013).

The key stakeholders for this engagement would be CSC security operations, the New York State Department of Health, NY State of Health senior management and the New York State Office of Information Technology Services. The success of the engagement would require great partnership among all parties, including the facilitation of various data collection requirements needed for proper analysis. CSC was looking for a partner that had high-level information security expertise, healthcare industry experience and could perform the work in a tight timeframe so the site could be launched by the federal deadline. CSC put the TPSA project out for an open bid.

The scope of the TPSA would include the client’s IT and operating environment, located in Rensselaer, New York. Our TEKsystems® Information Security Services practice proposed providing a consulting team, including one delivery manager, one subject matter specialist / project manager, one network specialist and one business analyst. Specifically, our proposal included resumes of key personnel who would perform the assessment so the client could review their skill sets. Our proposed team’s background included past experience performing similar types of assessments, extensive knowledge of information security compliance and best practices, and significant experience in healthcare and compliance.

The team would perform the on-site data collection activities at the client’s Rensselaer location. We would assess their technical architecture and technical, physical and operating security protocols to determine the adequacy of security mechanisms and assurances, and evaluate the degree of consistency between the system documentation and its implementation.

Our information security team would provide the results in a detailed report, including:

  • Identification of specific findings
  • An outline of operational flaws that could allow violations of security policy, potentially affecting the confidentiality, integrity and availability of the data and information systems
  • Identification of areas that did not meet applicable federal security regulations, and recommendations for remediation and compliance
  • Overall thought leadership that would enable the NY State of Health to receive its authority to connect

Our proposed timeframe for the project would be eight weeks.

Our solution would address key areas of information security; outside of the mandates, our team would share recommendations based on best practices, as the regulatory security standards imposed by HIPAA and the IRS may not address every possible security weakness. The best practices would also cover technical, administrative and physical safeguards.

TEKsystems was awarded the bid because of our Information Security practice expertise and thorough understanding of the subject matter, as evidenced by our submission of a comprehensive and tailored proposal. Organizations can feel very vulnerable about the security of their data and need to know they can trust the people they are working with. With our proposal, CSC felt they knew exactly what they were getting and with whom they would be working.

TEKsystems successfully performed the TPSA. We provided a comprehensive assessment of the NY State of Health IT environment and a risk/gap analysis against CMS, IRS, HIPAA/HITECH and health information best practices, regulations and standards. In addition to the areas identified for immediate remediation efforts, the client was also given recommendations regarding how to continuously track its security environment and conduct reassessments as needed.

The security assessment / compliance report was completed and delivered on time. The client took our report, which identified the vulnerabilities found in the environment and acknowledged that they had been addressed, to the state to receive the authority to connect. The state accepted the report and the client was able to launch the benefits exchange by the federal deadline. In fact, New York was one of just a few states to launch its site on time without major technology-related issues. The site has also been one of the country’s most successful exchanges. By April 2014 more than 960,000 New Yorkers had enrolled for coverage through the marketplace; more than 70 percent of them were uninsured at the time of application.2 The state ranked fourth among all states—and second among state-run exchanges, behind California—with the most individuals who have selected a marketplace plan (370,451).3

We worked hand in hand with the client to get the project completed by the promised go-live date. Since we received permission to begin the assessment later than originally anticipated, we condensed our project timeline from eight weeks to six. We offered expert recommendations for how to address potential risks and vulnerabilities as they were identified. By the delivery of the final report, the client had seen most of the recommendations and had remediated the few issues we found. Our report enabled the client to engage in the required remediation activities to attain a secure operating environment and thus obtain the authority to connect and open their services to the public.

The New York Department of Health now feels secure that their health records for citizens across the state are protected and secure.

TEKsystems was able to deliver a successful TPSA through:

  • Flexibility. We were very flexible in order to accommodate the client’s evolving needs. For example, the portal required more time to reach the assessment stage than initially thought. To ensure we still met the deadline, we adjusted our eight-week projection to a six-week execution for the assessment and provided immediate feedback on issues so our client could begin remediation efforts before the full report was complete.
  • Trusted partnership. CSC was prudent in contracting with a third-party provider to perform the assessment and worked closely with our team to get started on remediation activities before the completion of the report so they could meet the timeline. CSC was a great partner and did a thorough job of documenting everything in place, which helped our team and will continue to serve the NY State of Health team well as they work to continue to monitor security risks in the future.
  • Subject matter expertise. The most critical factor was that we provided an experienced team with the requisite subject matter knowledge and project management skill sets. In our proposal, we included the resumes for key people to be assigned to the project. The combination of specific skill sets and experience having done the work was a key component, especially since the team had extensive experience in compliance, a significant part of the project. (The portal had to comply with both state and healthcare-related mandates, as well as abide by IRS security standards.) TEKsystems’ vast technical and industry experience were critical to our ability to aid the successful launch of this high-profile project.

1 2013 Cost of Cyber Crime Study, Hewlett-Packard

2 Press Release: NY State of Health Details Information on the Nearly 1 Million Who Enrolled Through the Marketplace During the First Open Enrollment Period; Published: June 24, 2014

3 Health Insurance Marketplace: Summary Enrollment Report for the Initial Annual Open Enrollment Period (Oct. 1, 2013-March 31, 2014); Published: May 1, 2014