About The Customer
St. Charles Health System (SCHS), a healthcare delivery system made up of three hospitals and some twenty clinics in Central Oregon, provides a full range of medical specialties and services. Wanting to ensure HIPAA/EDI compliance, SCHS undertook a Baseline Security Risk Assessment with a healthcare information-security management consulting service to better understand its security posture.
The Business Challenge
With multiple locations and nearly 3,000 caregivers, SCHS wanted to locate all their sensitive data, monitor employee data-policy adherence, and then determine where and how to securely store the data. Their consultant organized a two-week Data Loss Risk Assessment, using Digital Guardian’s Compliance appliance to track sensitive healthcare data throughout the integrated delivery network.
SCHS discovered that one of their hospital information-system vendors had set up a secure point-to-point FTP channel over which the two companies would communicate. However, the vendor had misconfigured the system; as a result, data was being sent out via the Internet instead of over the secure channel. Additionally, various business associates (e.g. coders, insurers) were processing sensitive data and emailing it back to SCHS in unencrypted, clear-text messages.
Critical Success Factors
- Complete security risk assessment
- Data location and encryption
- Support multiple use cases
- Comply with HIPAA and EDI protocols
The Solution
Fortra™’s Digital Guardian® appliance was initially installed in monitor-only mode to analyze network transmissions for sensitive data. When Digital Guardian and the consultant co-presented the findings, SCHS’s IT team became aware of two major communication channels that would require immediate attention.
Digital Guardian’s network appliance is designed for rapid installation and configuration; within minutes of powering it on, SCHS was collecting data. Steve Scott, Infosec Manager, said “Once we saw items that could become major issues for us, we were able to remediate potential problems right away.” This instant visibility meant SCHS could identify issues and correct them before stringent breach notification laws came into effect. “The appliances were easy to set up and configure,” said Steve. “They worked just as advertised. We were up and running in an hour with the basic information in place to begin monitoring our systems.”
The appliances arrived preloaded with a wide range of HIPAA code sets, healthcare EDI protocol identifiers, and preconfigured policies. Integrations with the EHR system gave deeper visibility into sensitive healthcare databases. After SCHS registered their sensitive data and documents, they activated the preloaded policies and reporting templates to begin detecting sensitive healthcare data movement over the network before it became an external leak.
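The monitor-only workflow described above (register the identifiers that count as sensitive, activate a policy, watch transfers leaving the network) can be illustrated with a small detection script. The block below is an added example written for this page, not Digital Guardian’s or Fortra’s code; the event record format, the internal address ranges, the pattern set and every sample transfer are constructed assumptions. It reproduces the two findings from the assessment: an EDI file leaving over plain FTP because the vendor channel was misconfigured, and clear-text email carrying patient identifiers to a business associate, while staying quiet for the same content sent over an encrypted session or to an internal host.

```python
"""Monitor-only check for healthcare data leaving the network in clear text.

Added example, not vendor code. The TransferEvent shape, the pattern set,
INTERNAL_NETWORKS and the sample events are all constructed for illustration.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class TransferEvent:
    event_id: str
    protocol: str     # protocol observed on the wire, lower-case (assumed field)
    encrypted: bool   # True if the session was wrapped in TLS or SSH (assumed field)
    dst_ip: str
    payload: str      # reassembled application-layer content as text


# Protocols that carry data in the clear unless the session is wrapped in TLS.
CLEARTEXT_PROTOCOLS = {"ftp", "smtp", "http"}

# Assumed internal address space; anything outside it counts as "the Internet".
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"),
                     ip_network("172.16.0.0/12"),
                     ip_network("192.168.0.0/16")]

# Content signatures a preloaded healthcare policy might carry (constructed).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "icd10": re.compile(r"\b[A-Z]\d{2}\.\d{1,4}\b"),          # ICD-10-CM code shape
    "x12_envelope": re.compile(r"^ISA\*\d{2}\*", re.MULTILINE),  # ANSI X12 interchange header
}
STRONG_INDICATORS = {"x12_envelope"}


def classify_payload(payload: str) -> set[str]:
    """Return the names of every PHI pattern that matches the payload."""
    return {name for name, rx in PHI_PATTERNS.items() if rx.search(payload)}


def contains_phi(indicators: set[str]) -> bool:
    # One strong indicator (an EDI interchange envelope) or two weaker ones in
    # combination; a lone code-shaped token is too noisy to act on.
    return bool(indicators & STRONG_INDICATORS) or len(indicators) >= 2


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def leaves_network_in_clear(ev: TransferEvent) -> bool:
    return (ev.protocol in CLEARTEXT_PROTOCOLS
            and not ev.encrypted
            and is_external(ev.dst_ip))


def scan(events: list[TransferEvent]) -> list[dict]:
    """Monitor-only pass: report, never block, transfers that expose PHI."""
    findings = []
    for ev in events:
        indicators = classify_payload(ev.payload)
        if contains_phi(indicators) and leaves_network_in_clear(ev):
            findings.append({"event_id": ev.event_id, "protocol": ev.protocol,
                             "dst_ip": ev.dst_ip, "indicators": sorted(indicators)})
    return findings


# Constructed sample content: a trimmed X12 interchange header and a coder's reply.
X12_PAYLOAD = ("ISA*00*          *00*          *ZZ*SENDERID       *ZZ*RECEIVERID     "
               "*240101*1200*^*00501*000000001*0*P*:~\nGS*HC*SENDERID*RECEIVERID*~\n")
EMAIL_PAYLOAD = ("Subject: Coding review\n"
                 "Patient MRN: 00123456, dx E11.9, SSN 123-45-6789\n")

SAMPLE_EVENTS = [
    TransferEvent("evt-1", "ftp", False, "203.0.113.10", X12_PAYLOAD),   # misconfigured vendor channel
    TransferEvent("evt-2", "sftp", True, "203.0.113.10", X12_PAYLOAD),   # intended secure channel
    TransferEvent("evt-3", "smtp", False, "198.51.100.25", EMAIL_PAYLOAD),  # clear-text mail to associate
    TransferEvent("evt-4", "smtp", True, "198.51.100.25", EMAIL_PAYLOAD),   # same mail over TLS
    TransferEvent("evt-5", "http", False, "203.0.113.77", "Lunch order: E11 table, call 555-0100"),
    TransferEvent("evt-6", "ftp", False, "10.20.30.40", X12_PAYLOAD),     # internal transfer
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Two design points carry over to any real deployment: the decision combines content classification with channel properties (protocol, encryption, destination), so the same file is a finding on plain FTP to the Internet and a non-event on SFTP or to an internal host; and weak pattern matches are only acted on in combination, which keeps a single code-shaped token from flooding the monitor with false positives.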
The Results
Based on the successful Data Loss Risk Assessment, SCHS decided to implement the complete Digital Guardian compliance solution for ongoing monitoring, blocking and discovery. SCHS can now effectively enforce their data policies. “Our strategy is about educating behavior through our policies. We use Digital Guardian to supervise and reinforce the behavior,” said Scott.