Solving Technology Challenges in the Healthcare Industry
Supporting the IT needs of a company that has grown from a small regional player to an enterprise covering much of the Eastern United States in four short years has brought many challenges. Doing it in the healthcare space with the attendant regulatory requirements adds to the complexity of our undertaking. As we acquire other practices and locations, we must make sure that patient data is secured, doctors can easily do their jobs and we can track the financial aspects of each office. Some of the challenges we face and how we handle them are outlined below.
PCI Security Standards and HIPAA Compliance
As a company that operates in both the healthcare and retail sectors, we are subject to numerous government regulations and industry standards designed to protect patients and consumers against unauthorized access to their personal data. We must therefore implement policies, processes and technologies that protect our payment processes from breaches and data theft in accordance with the Payment Card Industry Data Security Standard (PCI DSS), plus additional safeguards for protected health information to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
To achieve our security goals, we schedule regular audits and self-assessments to inform improvements and catch problems that might have been missed during an acquisition. We’ve also found that working with firms with technological compliance expertise has been vital to achieving and maintaining compliance. They make sure we are current in our processes and procedures.
• Schedule regular audits and self-assessments
• Consult experts in technological compliance
Mobile Device Management
The current trend is for workers to use their personal mobile devices as work productivity tools. We require our Mobile Device Management (MDM) software, configured with a secure VPN and a password complexity policy, on the device of every individual who accesses data remotely. This requirement increases data security and lets us confidently wipe the device if it is lost or stolen or the employee leaves the company. On a personal device that wipe should be a selective wipe of the managed work data rather than of the user's own content, so the policy is enforceable without a dispute over personal photos and messages.
We also use this software to manage the iPads that doctors use during examinations. Those devices run a limited set of approved apps, and users cannot add others because each device re-applies our configuration whenever it is powered on and connects to the internet.
To simplify deployment of new devices in the field, we use Apple's Device Enrollment Program (DEP). This has worked well for us because each device is registered to our company before it is delivered: it enrolls in our MDM automatically during setup, so a user who wipes it cannot take ownership of it, since it simply re-enrolls.
• Require MDM applications on all personal devices
• Require secure VPN and password complexity
• Auto configure devices when powered on
• Employ anti-theft measures
Network Connectivity
We needed an effective way to increase flexibility and performance and to manage troubled implementations. We tried to install MPLS circuits over fiber wherever possible, which gave us great network performance but was expensive. We also had issues with broadband service availability and excessive construction requirements. This resulted in delays in converting new offices to our point-of-sale and phone systems and made it harder to track the profitability of new acquisitions.
We found that SD-WAN, a software-defined wide-area network solution, efficiently addressed our need for faster installs at a lower cost and resolved our difficulties in installing MPLS circuits. We now use SD-WAN for all new installs and are converting troubled implementations to it. SD-WAN runs over whatever data connectivity an office already has, yet the site behaves as if it were on our private network; I like to refer to it as giving us the illusion of MPLS. Because that traffic crosses public broadband rather than a private circuit, the overlay tunnels between sites must be encrypted (standard in SD-WAN products, but worth verifying in the configuration), and patient data should be treated as traversing an untrusted network. Some of the benefits we've realized from this process are a shortened network installation timeline (from months to days) and reduced monthly expenses, with reliability we have found comparable to MPLS.
• Consider SD-WAN for faster, less expensive installs
Scaling Infrastructure and Email
The greatest challenge we face is how to accommodate our increased system needs as we continue to expand. Simply adding hardware solves only some of the growth problems; we need longer-term, broad-based solutions. A second significant challenge is providing email, a vital tool in the organization but a burden to administer.
We've found the best way to keep ahead of our growth and ensure business agility is to locate our entire network infrastructure in the cloud. This strategy allows us to constantly refine the underlying infrastructure and develop better ways to run it. The key attributes we looked for in a cloud service provider were its approach to security, the types of services and monitoring it provided, and whether email was available for purchase as a commodity. Our solution? We switched to Office 365 and haven't looked back. Buying email as a commodity does not outsource its security, though: account-level controls such as multi-factor authentication and audit logging remain our responsibility.
• Move infrastructure to the cloud
• Purchase email as a commodity
Insider Threats and Endpoint Security
This is the area that keeps me up at night. Although strong perimeter firewalls served us well in the past, insider threats are our biggest issue today. The typical insider we encounter is the inadvertent actor: we run phishing tests and our users fail them, and malware and ransomware continue to infect endpoints. Fortunately, we keep no sensitive data on any endpoint device, so we simply reimage or remove infected machines; it is no longer efficient to assign a technician to clean up the mess. The trade-off is that a reimaged machine yields no forensic evidence, so the scope of an infection (what the account could reach, whether it spread) should be established before the disk is wiped. What is the bottom line here? Keeping users aware of the dangers of phishing emails requires training and regular testing, but it is worth the extra effort.
We spent a lot of time and money putting together a threat intelligence and security analytics platform that watches all of our infrastructure and endpoints. We track privileged users' activities and regularly analyze the security of our applications and website, checking for new vulnerabilities. We also hold several scheduled security reviews with both our internal team and our outside security vendor. For us, setting and reviewing goals has been the key to measuring how successfully we implement new safeguards on the network.
• Set and review goals
• Regularly train and test users
• Deploy a threat intelligence system with security analytics
• Track privileged users
• Regularly analyze application and website security
• Schedule regular security reviews
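The privileged-user tracking described above comes down to a small set of baseline rules run over audit events. The following is an added example written for this article, not the author's own tooling. It uses constructed Windows Security log lines in a simplified pipe-delimited form (the event IDs keep their real Windows meanings), and the admin-host list, privileged-group list and business-hours window are assumptions standing in for an organization's own baseline.

```python
from datetime import datetime, time

# Constructed sample events (not from any real system). Format:
# timestamp|event_id|account|host|detail. Event IDs carry their real
# Windows Security log meanings: 4672 special privileges assigned at logon,
# 4728 member added to a security-enabled global group, 4720 user account
# created, 4624 ordinary successful logon.
SAMPLE_LOG = [
    "2023-03-06T09:12:41|4672|CORP\\jsmith_adm|DC01|Special privileges assigned to new logon",
    "2023-03-06T02:47:03|4672|CORP\\jsmith_adm|WS-RECEPTION-07|Special privileges assigned to new logon",
    "2023-03-06T10:05:19|4728|CORP\\svc_backup|DC01|Member added to group: Domain Admins",
    "2023-03-06T11:30:00|4624|CORP\\nurse42|WS-EXAM-03|An account was successfully logged on",
    "2023-03-07T22:15:55|4720|CORP\\helpdesk1|DC02|User account created: tempadmin",
]

# Baseline assumptions for the example: where and when privileged
# activity is expected, and which groups count as privileged.
ADMIN_HOSTS = {"DC01", "DC02", "JUMP01"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_event(line):
    """Split one pipe-delimited log line into a dict."""
    ts, event_id, account, host, detail = line.split("|", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "account": account,
        "host": host,
        "detail": detail,
    }


def in_business_hours(ts):
    start, end = BUSINESS_HOURS
    return start <= ts.time() <= end


def analyze(lines):
    """Return a list of findings, each {"ts", "account", "reason"}, in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = []
        if ev["event_id"] == 4672:
            # Privileged logon: expected only on admin hosts during work hours.
            if ev["host"] not in ADMIN_HOSTS:
                reasons.append(f"privileged logon on non-admin host {ev['host']}")
            if not in_business_hours(ev["ts"]):
                reasons.append("privileged logon outside business hours")
        elif ev["event_id"] == 4728:
            # Group membership change: flag only additions to privileged groups.
            group = ev["detail"].split("group:", 1)[-1].strip()
            if group in PRIVILEGED_GROUPS:
                reasons.append(f"added member to {group}")
        elif ev["event_id"] == 4720:
            # New accounts always warrant review; note off-hours creation too.
            new_user = ev["detail"].split("created:", 1)[-1].strip()
            reasons.append(f"account created: {new_user}")
            if not in_business_hours(ev["ts"]):
                reasons.append("created outside business hours")
        if reasons:
            findings.append(
                {"ts": ev["ts"], "account": ev["account"], "reason": "; ".join(reasons)}
            )
    return findings


def accounts_to_review(findings):
    """Distinct accounts with at least one finding, in the order first seen."""
    seen = []
    for f in findings:
        if f["account"] not in seen:
            seen.append(f["account"])
    return seen


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts'].isoformat()} {f['account']}: {f['reason']}")
```

Run against the sample, the ordinary 4624 logon and the daytime admin logon on DC01 pass silently; the 2:47 AM privileged logon from a reception workstation, the addition to Domain Admins and the late-night account creation are each reported. In a real deployment the three baseline sets would be loaded from the MDM/directory inventory rather than hard-coded, and the findings would feed the analytics platform rather than stdout.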
Roadmap for the Future
As we move forward, we continue to establish new security management processes based on standards and best practices, as well as on changes in the technology environment. Recently we completed an ISO 27001 assessment of our organization, which gave us a clear picture of gaps we had not concentrated on before. We also created RACI charts for all of our security applications and systems, so there is no ambiguity about who is responsible for each aspect of a system. We continue to conduct vulnerability assessments and revise our security policies based on industry trends. Finally, we've added 24x7 monitoring of our infrastructure to provide more proactive incident response and improve security operations. Our goal is continuous improvement in technology and processes.