CHRMN Presentations Sept 16 2015


Transcript CHRMN Presentations Sept 16 2015

IBM Security Systems
Modern security threats and anatomy of an attack
Prepared for Canadian Healthcare Risk Management Network
September 2015
© 2013 IBM Corporation
Presenters:
• Michael Gervais, MPS-IA, CISSP, Senior Managing Consultant, Security Services
• Paul Lewis, CISSP, CIPP/C, CIPT, Executive Consultant, Security Services
Security Incidents
Why is this happening? An increase in sophistication and motives
Examples: Stuxnet, Aurora, APT-1; Lulzsec, Anonymous; Zeus, ZeroAccess
• The number and variety of new adversaries and threats continues to grow
• Old threats don’t always disappear, while new threats continue to add to the total landscape
Early detection and rapid response are the best defense against rising cyber threats and sophisticated attacks
Time span of events by percent of breaches: compromises take days or more to discover in 96% of cases, and take weeks or more to contain in over 91% of cases.
Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z038
Here is a chronological illustration of the potential events involved in a hypothetical external security incident scenario.
• 7:00AM: A hospital experiences network latency; suspicious traffic is discovered on their network.
• 8:00AM: Unknown malware attacks are detected as generating from the traffic, causing disruption to business operations.
• 12:30PM: The hackers attack internal systems and steal sensitive data.
• 2:30PM: The incident response team struggles to restore services; the attack replicates to partner organizations.
• 5:00PM: Real-time applications are down and production databases are lost.
• 7:00PM: The lack of a unified and tested incident response process renders every attempt to recover from the attack unsuccessful.
The effects of a single security incident can prove to be devastating to the business.
In a security incident scenario, there could be multiple damages within hours of the attack:
• Claims that cyber attackers are taking down the organization are spreading throughout media channels
• Sensitive patient information is posted to public domains
• Password list is stolen and made public
• Patient databases have been deleted
• Internal communications and most applications are down
• Design documents and source code of the company’s flagship products have been stolen
• The organization’s reputation is in jeopardy
• Patients are angry and decide to terminate contracts
• Regulators start investigations
• There is a huge potential for financial loss
But how? The preparation of cyber attackers may be much more elaborate than your preparation for the security incident. Some of the techniques are simple to execute.
Attackers usually follow this 5-stage attack chain
1. Break-in: reconnaissance, spear phishing, and remote exploits to gain access
2. Latch-on: malware and backdoors installed to establish a foothold
3. Expand: lateral movement to increase access and maintain a presence
4. Gather: acquisition and aggregation of confidential data; setting up command-and-control
5. Exfiltrate (and Execute): data exfiltration to external networks; and execute additional destructive attacks
Command & Control (CnC) is shown in the diagram alongside stages 2 through 5.
These common methods and attack surfaces are typically used during a cyber attack
Social & Phishing
– Target: Individual Users
– Purpose: Pre-attack intelligence recon; build trust using fake social profiles; initial infection
Malware, Zero-Day & Botnets
– Target: Endpoint Systems and Servers
– Purpose: Obtain access to systems; create backdoors; establish command-and-control over a large network of devices
Passwords & Configs
– Target: Endpoint Systems and Servers
– Purpose: Initial penetration; expansion of reach; escalation of privileges
Distributed Denial-of-Service
– Target: Network & Application Infrastructure
– Purpose: Cause operational disruption; create diversion for other attacks
Smart & Mobile Hacking
– Target: Mobile and Embedded Devices
– Purpose: New attack surface / entry point to enterprise network; gain access to user data through vulnerable mobile OS and apps
SQL Injection
– Target: Database servers
– Purpose: Obtain account and user credentials; steal sensitive data
It typically starts here: Reconnaissance before attack has become a new playground for attackers
Social media is a top target for attacks, and mobile devices are expanding those targets:
– Pre-attack intelligence gathering
– Criminals selling accounts
– Campaigns enticing users to click on malicious links
What exactly can you find on social media?
Or automate the search with tools like Harvester and Recon-ng to get hundreds, sometimes thousands, of results within a few commands.
Not only can attackers easily find a set of “targets”, they now know a bit, or a lot, about your infrastructure.
Human emotions are easily manipulated – get to know them!
Meet Freddi: Freddi made 87 friends in 2 weeks (41% of those approached).
Of those who responded, 82 were leaking personal information:
• 72% divulged one or more email address
• 84% listed their full date of birth
• 87% provided details about their education or workplace
• 78% listed their current address or location
• 23% listed their current phone number
• 26% provided their instant messaging screen name
Source: www.sophos.com/en-us/press-office/press-releases/2007/08/facebook.aspx
Attackers then launch phishing or spear phishing campaigns against selected targets, with malicious attachments or links
“The spear phisher thrives on familiarity. He knows your name, your email address, and at least a little about you.”
Attackers use malware planted on websites or attachments to phishing or spam emails to cause initial infection
The malware attackers use may be custom crafted or simply bought as a kit.
The malware is usually tested against multiple anti-malware agents to make sure that detection is as sparse as possible
Some even offer “Exploits as a Service” (EaaS) like this one
RoboPak
• Rental fee = $30/day or $150/week or $500/month
• Loaded with Java, PDF, and IE exploits
• Heavily obfuscates its JavaScript exploit attack code
The infected systems “phone home”, establishing a botnet with the attacker having command and control
Once the attacker is in, it is time to blend in and expand
• Time to secure access…
– Disable security tools, or at least reduce their capability, especially AV and the personal firewall…
– Create a local account and escalate your privileges to local Administrator… Upload more attack tools/scripts/malware… and hide them…
– Make your compromise persistent… that way you can ensure you can get back in…
• Erase tracks and hide from detection…
– Clearing logs (Metasploit clearev)
– Hide files, attack tools and encrypt stolen materials
– Disable security defences (personal firewall, AV, etc.)
– Proxy from a trusted IP address, preferably from an internal one on the same network
• Expand reach to other systems…
– Use existing trusted accounts, don’t create new ones
– Obtain credentials by hacking the passwords
– Or get in by exploiting unpatched vulnerabilities on internal systems
SQL Injection remains the most common breach paradigm, and the most direct way to gain access to records in the database
[Figure: SQL injection is still reliable for breaching databases; share of tracked disclosed breaches]
Low risk / high reward:
• Old CMS installations
• CMS plugins
• Forum software
• Other popular 3rd party scripts
The result? Loss of sensitive and confidential information
• Patient data and other privacy and compliance data
• Financial data
– Earnings results… before they are published (manipulate the stock market)
– Credit card data (sell or produce cards)
– User credentials for on-line services including banks (empty bank accounts or take out loans, etc.)
• Product plans, blueprints, designs, etc.
– New drug prototypes
• Details about proposed patents
But you won’t see the data flowing out the door; it is likely encrypted by the attacker!
And they can do much more than just stealing
Host malicious activities or attacks from your network:
• Encrypt your data and demand payment to decrypt (ransomware)
• Run spam campaigns using the victim’s mail servers (adds legitimacy via DKIM, reputational scoring, etc.) but ruins the victim’s reputation
• Store stolen material on the victim’s servers (not just material stolen from that victim); they have more space than you…
• Run attack scripts and DDoS campaigns from the victim’s infrastructure… again, they have a big fat pipe, so why not use it?
Cause disruption, downtime, or even physical damage:
• Wipe hard drives
• Delete Active Directory
• Erase backups
• Or damage infrastructure devices
What do most organizations do WHEN or IF they find out?
Panic!
• Damage evidence by trying to fix the problem themselves…
• Underestimate the level of compromise and how long they have been compromised…
• Miscalculate the amount of data being stolen or systems being misused…
We’ve just looked at a few methods and attack surfaces, but there are many more… yet attackers only need one weakness to get in
Crumbling logical and physical perimeter
• Legacy business model non-investment
• VPNs, wireless, walk-in vector
• Contractors, partners, customers
Evolving threats
• Automated attacks, zero-day worms
• Organized cyber crime
Operational complexity
• New business, new applications
• Mergers and acquisitions
Oh wait, and there’s worse: it’s not just servers and desktop computers or laptops you need to worry about…
Now what? What can we do to protect ourselves?
Top reasons WHY compromises occur
End users / endpoints
1. Double-clicking “on anything”
2. Disabling endpoint security settings
3. Using vulnerable, legacy software and hardware
4. Failing to install security patches
5. Failing to install anti-virus
6. Failing to report lost/stolen device
7. Connecting endpoint to a network from an insecure access point (e.g. Starbucks)
8. Using a second access point (e.g. AirCard), creating a bypass
9. Using weak/default passwords and/or using business passwords for personal use
10. Giving passwords over the phone
Infrastructure
1. Connecting systems/virtual images to the Internet before hardening them
2. Connecting test systems to the Internet with default accounts/passwords
3. Failing to update or patch systems/applications on a timely basis
4. Failing to implement or update virus detection software
5. Using legacy/EOLed software and hardware
6. Running unnecessary services
7. Using insecure back end management software
8. Failing to remove old or unused end user accounts
9. Implementing firewalls with rules that don’t stop malicious or dangerous traffic, incoming or outgoing
10. Failing to segment network and/or adequately monitor/block malicious traffic with IDS/IPS
80-90% of all security incidents can be easily avoided!
Key controls make the difference: IBM developed ten essential practices required to achieve better security.
Essential practices (shown on a maturity based approach, from manual and reactive to automated and proactive):
1. Build a risk-aware culture and management system
2. Manage security incidents with greater intelligence
3. Defend the mobile and social workplace
4. Security-rich services, by design
5. Automate security “hygiene”
6. Control network access and help assure resilience
7. Address new complexity of cloud and virtualization
8. Manage third-party security compliance
9. Better secure data and protect privacy
10. Manage the identity lifecycle
Key takeaways for CISOs/CROs and the security team
• Don’t forget the basics: scanning, patching, configurations, passwords
• Always be prepared and ready, with both proactive and responsive capabilities
• Defragment your mobile posture: constantly apply updates and review security & BYOD policies
• Optimize ahead of attackers: identify critical assets, analyze behavior, spot anomalies
Key takeaways for all employees
• Day-to-day best practices: use strong passwords, turn on anti-malware and firewall agents
• Understand and participate: security is every employee’s responsibility; follow company policies
• Avoid common attack surfaces: phishing mails, social updates, web drive-by, removable media, etc.
• Social defense needs socialization: educate users and engender suspicion
Key takeaways for IT and application teams
• Practice secure engineering for internal and external products, from requirements to production
• Be a good data custodian: enforce segregation and need-to-know access for critical data
• Manage third party security: ensure security and compliance from product supply chains
• Work closely with your security team: pay extra attention with workloads being virtualized or put in the cloud
Key takeaways for internal client facing teams
• Know your crown jewels: identify and locate critical information assets and trade secrets
• Keep sensitive data to a minimum: retain only what’s required for the length of time set by policy
• Understand compliance requirements such as HIPAA and PCI to protect consumer privacy and PII data
• Practice work-life separation: do not use work devices for personal purposes and vice versa
Defend Yourself
• Create depth of defense, including social awareness, physical security and operational processes, to become a less likely target
• Be ready to respond, contain, and recover quickly
• Know your adversaries before and during an attack
1. Prioritize your business objectives and set your risk tolerance
2. Protect your organization with a proactive security plan
3. Prepare your response to the inevitable: a sophisticated attack
4. Promote your culture of security awareness
Get Help When Needed
If you experience a cyber incident or attack, call IBM.
Our ‘Cyber911’ CSIRT team is standing by 24x7x365, globally.
20 years of operations
• Two decades of cybersecurity assessment and response operations that started in the US and expanded globally
• Over 260 clients in 35 countries for incident response
• Conducts over 400 penetration tests and application assessments for hundreds of clients worldwide
Broad capabilities
• Emergency response services
• Cyber stress testing
• CSIRP development
• Active threat assessment
• Payment card industry (PCI) forensics
Mature methodology
• Around-the-clock incident hotline
• Responds to over 500 calls every year
• Calls are answered by a skilled incident analyst
• Triage to determine if it is an event or an incident – approximately 50/50 events to incidents ratio
• Each incident is investigated and assigned severity – 60 percent of incidents are further engaged
Delivery excellence (IBM CSIRT services: IR workshops, incident response, CSIRP gap analysis, remote support, active threat assessment, threat intelligence)
• Every project is delivered by IBMers around the globe, unless prohibited by law or special circumstances
• Each member of the CSIRT team
– has on average 10 years of experience
– holds multiple industry certifications
– is equipped with US$20,000 worth of hardware, software, and forensic tools
– gets at least US$5,000 of continued education every year
Supports IBM CIO Office’s internal cyber response operations
• Over 2,000 major sites
• Over 170 countries
• Over 400,000 employees
• Approximately 200,000 contractors
• Over 1 million traditional endpoints
• Around 50 percent of employees are mobile
IBM has proven security consultancy practices and dedicated security research capabilities across the globe.
[Map: security operations centers, security research centers, security solution development centers, IBM research, and Institute for Advanced Security branches (IAS Americas, IAS Europe, IAS Asia Pacific). Locations shown: Zurich, CH; Waltham, US; Fredericton, CA; Belfast, N IR; Delft, NL; Ottawa, CA; Boulder, US; Almaden, US; Toronto, CA; TJ Watson, US; Costa Mesa, US; Wroclaw, PL; Detroit, US; New Delhi, IN; Pune, IN; Atlanta, US; Tokyo, JP; Herzliya, IL; Haifa, IL; Raleigh, US; Austin, US; Brussels, BE; Bangalore, IN; Taipei, TW; Singapore, SG; Nairobi, KE; Brisbane, AU; Hortolandia, BR; Perth, AU; Gold Coast, AU]
IBM research: 10 billion analyzed web pages; 150 million intrusion attempts, daily; 40 million spam and phishing attacks; 46 thousand documented vulnerabilities
Worldwide managed security services coverage
• Over 20,000 devices under contract
• Over 3,700 MSS clients worldwide
• Over 15 billion events managed per day
• Over 1,000 security patents
• 133 monitored countries (MSS)
MSS: managed security services
Some final words…
• Be aware. Do vulnerability assessments and stress testing for visibility and prioritization for a proper risk management strategy
• Be proactive. Manage against vulnerabilities for real-time protection against sophisticated attacks
• Be prepared. Have an incident response plan in place to quickly respond and remediate against a breach
Questions?
Backup section follows with additional details
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
www.ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
CHRMN Annual Conference: September 16, 2015
The Patient Voice in Quality Improvement Initiatives
Diane Mckenzie, SJHC, Patient-Family Advisor
Walter Rojenko, Corporate Director, Patient Family Experience and Community Engagement
Advancing the Health of Our Community by being Canada’s Best Community Teaching Health Centre
Overview:
• Our history of patient involvement
• Evolving the voice of the patient
• Ensuring tangible deliverables to impact outcomes
“St. Joe’s”:
• Founded by the Sisters of Saint Joseph's in 1921
• Proud history of teaching
• Toronto’s West End Community Hospital
“St. Joe’s” numbers:
4 Elements of Patient Experience: Safety, Culture, Quality, Service (The Beryl Institute, 2012)
What Is Quality Health Care – ECFAA Definition:
• Believe in the importance of our system of publicly funded health care services and the need to ensure its future so that all Ontarians, today and tomorrow, can continue to receive high quality health care;
• Believe that the patient experience and the support of patients and their caregivers to realize their best health is a critical element of ensuring the future of our health care system;
• Recognize that a high quality health care system is one that is accessible, appropriate, effective, efficient, equitable, integrated, patient centred, population health focussed, and safe;
• Are committed to ensuring that health care organizations are responsive and accountable to the public, and focused on creating a positive patient experience and delivering high quality health care;
• Believe that quality is the goal of everyone involved in delivering health care in Ontario, and that ultimately, each health care organization should hold its executive team accountable for its achievement;
• Believe that everyone involved in delivering health care in Ontario has a role to play in ensuring the quality of the system;
• Recognize the importance of providing Ontario’s health care providers with support to help them plan for and improve the quality of the care that they deliver based on the best available scientific evidence;
• Recognize the value of transparency in the health care system;
• Share a vision for a Province where excellent health care services are available to all Ontarians, where professions work together, and where patients are confident that their health care system is providing them with excellent health care;
What is Quality Health Care – JAMA, 1988:
Health care quality refers to a level of value of any health care resources as determined by some measurement. The goal of health care is to provide medical resources of high quality to all who need them. Researchers use many different measures to attempt to determine health care quality, including counts of a therapy's reduction or lessening of diseases identified by medical diagnosis, a decrease in the number of risk factors which people have following preventive care, or a survey of health indicators in a population who are accessing certain kinds of care.
Donabedian, A. (23 September 1988). "The quality of care. How can it be assessed?". JAMA: the Journal of the American Medical Association 260 (12): 1743–8. doi:10.1001/jama.1988.03410120089033. PMID 3045356.
Embedding Voice of the Patient In Everything We Do
• Both our Patient Family Advisors (PFAs) and the new Community Engagement Council (CEC) support our broader engagement with our patients, families and community.
Why is this the right thing to do?
Legislators, health care leaders, research, and patients and families agree that patient participation improves patient experience and influences health outcomes.
Patient Partnering and Impacts on Health Outcomes
Why does improving patient experience have this positive impact? One contributor illustrated the point with a famous Chinese proverb:
“Tell me, I’ll forget. Show me, I’ll remember. Involve me, I’ll understand.” (Beryl Institute)
One survey reported that 79% of recently hospitalized patients want to take an active role in their medical decision-making. Furthermore, it has become clear that improving patient-centered communication can reduce expenditures on diagnostic tests, increase adherence to treatment and improve health outcomes.
Studies have found that better patient experiences, even more than adherence to clinical guidelines, are associated with better outcomes.
[Figure: Performance of public health outcomes in England; 136 deaths per year from causes considered preventable per 100,000]
PFAs’ involvement – gaining more traction
• Patient, Family Advisors Can Play Key Role in Practices: Patient and family advisors give feedback based on their experience, help improve the patient experience and quality of care for those with chronic conditions and work with the practice team for short- or long-term commitments. (Doctors Lounge, August 2015)
• Patient-Family Centred Care: Measuring Perceived Service Quality Following a Critical Care Services Experience: The study examines the predictive validity of the measure by relating its three dimensions* to perceived patient-family quality for critical care services. (Journal of Health Management, September 2015)
*Communication and Support, Participation and Tangibles.
Our History of Patient Involvement
Tri-stakeholder panels provided a collaborative space for the collective voices of our:
• Patients & Families
• Community Agencies
• Staff
Our discussions also uncovered opportunities to evolve our relationship and partnership.
Panels: Mental Health & Addictions Population Panel; Women’s Population Panel; Seniors’ Population Panel; Citizens Reference Panel 2014*
*Influenced our strategy
Need for Change – listening to our patient panels
Panels input:
• Problematic alignment
• Role confusion
• Lack of follow-up
• Need to close the loop
• Poor internal traction
• Internal leadership change, with different priorities
• External system change, contributing to competing priorities
Future directions:
• Appropriate governance structure
• Clear role accountability and mandate
• More specific goal oriented and time limited projects
• Adequate resourcing for new engagement structure
• See and celebrate the outcome of their efforts
Outcomes:
• Patient and Family Advisors embedded in programs and department change items
• Community Engagement Council co-designing initiatives
Voice of the Patient Profiles
Population panels:
• Volunteered; passion based
• No job description
• Awareness and education
• Reporting unclear and inconsistent
Patient-Family Advisors (PFAs):
• Selected; experience based
• Role and responsibilities
• Orientation and handbook
• Report to PFE&CE and dotted line to units/councils
Community Engagement Council (CEC):
• Hired; criteria based
• Roles and responsibilities and terms of reference
• Orientation, handbook and governance
• Report to CEO and dotted line to PFE&CE
PFA Role Description
PFA Recruitment Strategy, 1 of 2:
• Primary recruitment aim
– Win-win for the PFAs & staff
– Finding the right match
• Recruitment process
– St. Joe’s website
– Social media (Twitter and Facebook)
– Hospital e-newsletter
– Posters
– Tent cards in public waiting spaces
– Electronic boards
– Targeted invitations
PFA Recruitment Strategy, 2 of 2:
• Patients Canada website
PFA Selection Strategy, 1 of 2:
Expression of Interest Form – Phase #1 screening
• St. Joe’s experience
• Personal interest in the hospital journey
• Reasons for wanting to be an advisor
• Availability
PFA Selection Strategy, 2 of 2:
Face to Face Conversation – Phase #2 screening
• Meet and greet
• Interest in being an advisor
• What they hope to accomplish
• Appropriate experience & skills
– listening
– group/team dynamics
– problem solving
– conflict resolution
PFAs Selected: Diane and Alies!
Final selection: PFA “YES” & Staff “YES”
Community Engagement Council – Mandate
The mandate of the CEC is to assist the Health Centre in ensuring patients, families and the broader community are involved in the Health Centre’s strategic and major capital planning processes and in improving the patient and family experience in each of the services it offers.
Three main responsibilities:
1. Assist in the recruitment & selection of patient & family advisors who can assist clinical programs in their planning / quality changes (e.g. Model of Care, Hand Hygiene)
2. Recruit patients, families and residents to assist in time-limited, issue-based corporate projects (e.g. education materials, ER door entrance, QIP, Declaration of Values)
3. Act as reference, advisory and consultation body for major projects that impact the neighbourhood (e.g. Master Planning, Website)
Community Engagement Council Recruitment Strategy
To promote the council and its purpose and recruit diverse, skills based members, SJHC is following three main tactics based on recent research and work of peer hospitals.
Word of mouth:
• Reaching out to past population panel members, including the strategic plan community reference panel
• Presentations to community service groups
• Booth at Etobicoke MPPs Community Services Fair
Local media:
• Paid / earned media in neighbourhood newspapers
• Press releases to multicultural newspapers
• Social media
In hospital materials and website:
• Asking clinical leaders to identify new patient / family volunteers
• Lead stories in Connections / website
• Promotional material throughout site
• Web panel solicitation
CEC Recruitment: Community Newspaper Insert
• Community, through the planning process and our panel working group volunteers, advised it wanted us to advertise in local papers.
• Insert issued last week promotes our strategy commitment to the community, tells stories of how community is helping to build our future and calls for recruitment.
• Focus on volunteers who helped us – not SJHC staff – to emphasize diversity.
CEC Recruitment: On Line Promotion & Recruiting Video
Community Engagement Council – Hiring Strategy
Eligibility:
• Neighbourhood based
• Specific skill sets
• Diverse background and experience
Selection process:
• Interview panel: mix of administration, clinical and community members
• Worked with HR, i.e. questions and scoring
• Vetted 104 applicants and narrowed to 18 interviews
• 12 hired plus 2 from our Foundation
• 40 business hours of team work!
Volunteers, PFAs and CEC Members Involvement:
Volunteers:
• Service based, i.e. wayfinding, gift shops
• Clinical support, e.g. therapy dogs
• Operations, e.g. hand hygiene audits
PFAs:
• Grass-roots experience, e.g. Supertrack ED, ER entrance accessibility, Lab-Integration Project, Dx automated appointment reminder
• Council members, e.g. Nursing Practice, Med Rec QIP, Point of Care Teams, Palliative Care Redesign
• Partners, e.g. recruitment/hiring, branding sessions, website redesign, community garden
CEC:
• Community thought leaders, e.g. Health Services for the Future, Physical Footprint, Sentiments of Community, Branding
• Organizational operations advisors, e.g. PT Declaration of Values, QIP
• Future: support PFA oversight, Council’s vision
PFAs and CEC Members Impact on Quality Care (PFAs; CEC)
Risks and mitigation:
Risk: Privacy
Mitigation: Code of Conduct
Risk: Confidentiality
Mitigation: Confidentiality and Security Agreement
Risk: Conduct
Mitigation:
1. Welcome Handbook: How To Be An Effective Team Member
2. Coaching
3. Health Centre ID Badge
Lessons Learned:
Did Well:
• Synergy of group
• Openness of staff
• Alignment to strategy
• Productive
• Feel I’m making a difference
Opportunities:
• Less hospital language
• Flexibility with meeting times
• More time to work on project
• Ensure regular Senior Management participation
Did Well:
• Synergy of group
• Well organized meetings
• Valuable insights gained from PFA’s
Opportunities:
• Focus on deliverables vs. process
• Realistic expectations
• Ensure right stakeholder participation
Thinking about the future:
Active Participation
• Involve > Collaborate > Empower
• Involve in Decisions
• Collaborate in shaping Decisions
• Empower to make Decisions
Consultation
• 2 way relationship
• Patients provide feedback on pre-defined Health Centre issues
Information
• 1 way relationship
• Health Centre delivers information to Patients
Preparing for CCB Hearings
Canadian Healthcare Risk
Management Conference
September 16, 2015
Mélanie de Wit, J.D., M.P.H.
Borden Ladner Gervais LLP
Agenda
• How to prepare effectively for 4 common CCB hearings
  • Involuntary admission (Form 16, 17)
  • Community treatment order (Form 48)
  • Incapacity to consent to treatment (Form A)
  • Incapacity to manage property (Form 18)
Involuntary Admissions under the
Mental Health Act
Forms 3 & 4: Certificate of Involuntary
Admission/ Renewal
Different Physician
•MD who completes Form 3 cannot be same MD who
completed Form 1
OIC duties
•Forms 3 & 4 must be filed with OIC
•OIC must review Forms 3/4 to ascertain if properly
completed
• if not, the OIC must inform the MD; unless the
person is re-examined and released or properly
admitted, the OIC must release the person
Forms 3 & 4 (cont’d)
• Form 3 provides authority to detain, restrain, observe
and examine patient for not more than 2 weeks
• 1st Form 4 provides authority for further 1 month;
• 2nd Form 4 provides further authority for 2 mths;
• 3rd and subsequent Forms 4 provide further authority for 3 mths each
• How to calculate dates
• If no Form 4 is completed prior to expiration of the prior
Form 3/4, the patient becomes informal or voluntary
• Patient can become informal or voluntary patient by
completing Form 5
Forms 3 & 4 (cont’d)
Notice requirements
• MD who completes a Form 3/4 must ‘promptly’ give
the patient a written notice (Form 30) and notify a
rights adviser
• The rights advisor has an obligation to ‘promptly’
meet with the patient (completes Form 50)
CCB hearing
• Anyone can request a CCB hearing (Form 16)
• OIC must notify CCB of every 4th Form 4 completed: automatic hearing (Form 17)
Involuntary Admissions Update:
P.S. v. Ontario 2014 ONCA 900
 Patient involuntarily admitted for over 19 years on
multiple Form 4s
 The C.A. found that the Mental Health Act
provisions that allowed for “indeterminate”
involuntary admission to be of no force and effect
as they violate section 7 of the Charter
 The Court severed the words "or subsequent" from
s. 20(4) which provides that a third "or subsequent"
certificate of renewal will remain in force for a
period of three additional months.
 Caps involuntary admissions to 6 months
P.S. v. Ontario (cont’d)
 Declaration of invalidity and severance are
suspended for 12 months to allow Ontario sufficient
time to amend the legislation
 Ripple effects:
 Will amendments include greater powers for the
Consent and Capacity Board to impose conditions on
involuntary admissions similar to powers of Review
Board?
 Will there be increased pressure to resolve treatment
capacity issues?
The Voluntary & Informal Patient
• “Informal patient” means a person who is a patient in a
psychiatric facility, having been admitted with the
consent of their SDM
• SDM can consent to admission required for treatment,
except if patient is 16+yrs, admission is psychiatric, and
patient objects to admission
• Is the patient truly voluntary or informal?
• Explaining the nature of the status of the admission,
and documenting that discussion
• Status can be changed to involuntary by completing
Form 3 and filing it with OIC
Child (12-16yrs) as an informal patient
• Child can apply to the CCB to challenge admission
every 3 mths (Form 25)
• OIC must give written notice to the child and notify a
rights advisor (Form 27)
• Child is deemed to apply to the CCB every 6 months;
OIC must file notice to CCB (Form 26)
• CCB test is:
  (a) needs observation, care and treatment that facility can provide;
  (b) whether needs can otherwise be adequately met;
  (c) whether there is an available alternative;
  (d) the child’s views and wishes if they can be reasonably ascertained;
  (e) any other relevant matter.
Officer in Charge
• OIC “means the officer who is responsible for the
administration and management of a psychiatric
facility”
• Some duties can be delegated – need to clearly
confer authority – hospital policy
• Who are MHA forms filed with? Who reviews the
forms? What is the source of their authority to do so
as OIC delegate?
Community Treatment Orders
What is a CTO?
•A legislated framework for outpatient treatment of
mental illness
•Specifically designed for the ‘revolving door’ patient
•A comprehensive plan of community based treatment
and supervision that is “less restrictive than being
detained in a psychiatric facility”
Six criteria for a CTO
1. During prior 3yrs, the person
 Has been a patient in a psychiatric facility on 2+
occasions or for a total of 30 days; or
 Has been the subject of a previous CTO
2. Community Treatment Plan (CTP) developed by (1)
patient or SDM, (2) issuing MD, (3) any other HCP
named in CTP
Criteria for CTO (cont’d)
3. Within 72 hrs before CTP, MD examines the person and
is of the opinion that:
• Person needs continuing treatment/care and continuing
supervision in the community due to mental illness
• The person meets the criteria for a Form 1 (if not currently
an inpatient)
• Person would meet criteria for involuntary admission
absent community care/supervision
• The person is able to comply with the CTP
• The treatment, care and supervision set out in the CTP
are available in the community
Criteria for CTO (cont’d)
4. The physician has consulted with the HCPs or other
persons proposed to be named in the CTP
5. The physician is satisfied that the person subject to
the order AND his/her SDM have consulted a rights
adviser and been advised of their legal rights
6. The person OR his/her SDM have consented to the
CTP
Other obligations after criteria are met
 The CTO (Form 45) must contain:
 The date of the examination that must take place
within 72 hours prior to entering into the CTP
 The facts on which the physician relies to form an
opinion that the person meets the criteria
 A description of the CTP
 An undertaking by the person that he or she will
comply with his or her obligations, or an undertaking
by the SDM that he or she will make best efforts to
ensure that the person complies
Notice Requirements
 The physician must give person a Notice of Intention to
issue or renew CTO (Form 46, 49)
 Can be renewed for a period of 6 months at any time
before its expiry and within 1 month after its expiry (Form
49)
 The physician who issues the CTO must provide copy of
the CTO and CTP to:
 Patient, SDM, OIC (if inpatient), any HCP named in the
CTP
 MD can require reports from other HCPs named in the
CTP
Withdrawal of consent, Failure to Comply &
CCB hearing
• If consent withdrawn, examination within 72hrs
• The patient must attend appointments and comply with
the CTP
• If patient fails to comply with CTO, MD can issue order
for examination (Form 47)
• Police can take patient to hospital within 30 days
• Patient can request CCB hearing to review CTO, and MD
must trigger mandatory review at issuance of every 2nd
CTO (Form 48)
Capacity to Consent to Treatment
Consent to Treatment
• Consent from capable patient or incapable patient’s
SDM for treatment or plan of treatment
• Consent must be:
• Informed (Benefits, risks, side effects, alternatives)
• Specific to a treatment (e.g. each class of treatment
proposed)
• Voluntary (No misrepresentation)
• Consent includes variations/adjustment in treatment so
long as benefits/risks/side effects not materially
different
Consent to Treatment
• Capacity may vary with time and with treatment
• Finding of incapacity must be documented
• Note information provided for each class of
medication proposed
• Reflect an assessment of the two parts of test:
ability to understand information and appreciate the
consequences
• Does not have to agree with diagnosis; but do they
see that they suffer from manifestations of the
illness?
Notice of Finding of Incapacity
• In voluntary or informal patient, HCP must provide
patient with information about the consequences of
the finding
• If patient aged 14+ yrs, and treatment is for a mental
disorder, physician must ensure that notice is given
to the patient (Form 33) and a rights adviser is
‘promptly’ notified of the finding of incapacity
• Patient has right to CCB hearing (Form A)
Defending a finding of treatment
incapacity before the CCB
New LAO funding structure means increased scrutiny of
CCB decisions
Need corroborating evidence (Anton v Bhalerao)
Documentation in patient record by MD and other
providers, collateral/historical information, etc. Second
opinion where warranted (limited)
Evidence on both parts of the test
Ability to understand the relevant information – low
threshold
Ability to understand the reasonably foreseeable
consequences of a decision
Defending a finding of treatment
incapacity before the CCB
Evidence of discussion re each class of medication,
even if part of a treatment plan (Masih, Reinhardt)
Risks, benefits, side effects – to assess how they apply
the information to themselves
But there is a difference between discussing risks,
benefits, side effects for capacity assessment vs for
informed consent (Armstrong)
Notice, documentation re notice, MHA forms, rights
advice, OIC delegate responsibilities
A clinically sound finding can be invalidated on
procedural grounds
Treatment Pending CCB hearing or Appeal
• Basic Rule: Treatment that has not commenced cannot
begin if patient/another person intends to apply to CCB
or appeal CCB decision
• Exceptions:
• Patient has a guardian or POA-PC authorized to use
force to restrain for treatment
• Emergency as defined in s.25 of HCCA
• “…if the person… is apparently experiencing severe
suffering or is at risk, if the treatment is not
administered promptly, of sustaining serious bodily
harm”
• Court order for interim treatment
Treatment Pending Appeal (cont’d)
• Treatment can begin when:
• 48hrs have elapsed without a CCB application
• CCB application is withdrawn
• CCB renders decision (unless told there will be
appeal)
• If told there will be appeal, when 30 days elapses
without notice of appeal
• When appeal “finally disposed of”
Motions for interim treatment:
What are the criteria?
1. The treatment is likely to substantially improve the
condition (which won’t improve without tx) OR the
condition will deteriorate substantially or rapidly without
treatment (and the tx will substantially reduce the rate or
extent of deterioration)
2. The benefits of treatment outweigh harms
3. The treatment is the least restrictive and least intrusive
treatment that meets the requirements of (1) and (2); and
4. The person’s condition makes it necessary to administer
the treatment before the final disposition of the appeal
Motions for interim treatment:
Things to consider
 Establish criteria for an emergency
 The order doesn’t authorize treatment; the order
authorizes you to seek SDM consent for treatment
 Expediting the appeal vs motion for interim tx
 Need to demonstrate why treatment pending appeal is
necessary (e.g. irreparable harm, serious bodily harm to
self or others)
 Sets a fairly high threshold, will require affidavit and oral
evidence
 The patient can’t consent to treatment, but he/she can
consent to an order for interim treatment (!?)
Capacity to Manage Property
Mandatory examination on admission
• MD must assess capacity to manage property on
admission (unless patient has guardian or PoA)
• Discretionary assessment at any other time
• MD must chart determination with reasons
• If incapable, MD issues Form 21
Incapacity & OIC responsibilities
• OIC must provide Form 21 + financial statement
(Form 22) to the PGT; PGT is then statutory
guardian of property
• If PGT should be involved asap, the OIC (or the MD
who examined the patient, if the OIC is absent) must
notify PGT asap
Cancellation of Certificate
• Attending MD may, after examining the patient for
that purpose, cancel the certificate
• OIC must transmit a notice of cancellation to the
PGT (Form 23)
Examination before Discharge
• Within 21 days before discharge where a certificate of
incapacity has been issued, the attending MD must
examine the patient to determine whether they are
capable of managing property
• If not capable, MD issues a notice of continuance
(Form 24) and ‘promptly’ notify the patient and rights
advisor
• OIC must provide copy of Form 24 to the PGT and
notify the PGT upon the patient’s discharge
CCB hearing
• Patient may request CCB hearing to review capacity
to manage property every 6mths (Form 18)
• Application may continue to be dealt with by the
Board even after the patient is discharged from the
psychiatric facility
Thank you!