Proactive IT Risk Management: Mary Washington Healthcare embraces phased risk management approach

CASE STUDY: Mary Washington Healthcare

Photo caption: Mike Vida (left), Sr. Security Analyst, Security Program Office; Joyce Hanscome (center), SVP and CIO; and David Bailey (right), Manager, Security Program Office.

Physicians at Mary Washington Healthcare were frustrated with the support they were receiving from IT. Their requirements weren't being translated into IT solutions. As a result, in late 2009, the healthcare provider recruited Joyce Hanscome to the role of director of Physician Services with the charter to restore physician-IT relationships by creating technology solutions to meet their most pressing requirements. One of the most noteworthy projects that she spearheaded was an electronic medical record system. She also led an effort to form a physician advisory council for IT.

When the previous CIO at Mary Washington Healthcare left in early 2011, Hanscome was asked to serve as interim CIO. She was named permanent senior vice president and CIO in early 2012.

Hanscome inherited an IT group that was lacking strategic direction and standard operating procedures. The most pressing requirement was the development of a strategic plan. She engaged an external consultant for guidance in developing it and a new governance model. These elements were essential building blocks if Hanscome was to transform the IT department from a service provider to a strategic healthcare enabler. Success wasn't far away: she and her team were able to get both the strategic plan and governance model into place by mid-summer.

"As an organization, we have a great strategic planning process," Hanscome notes. "For the IT strategic plan, we simply tied it into that larger process and aligned with its critical objectives."

In addition to facilitating interaction between IT and the rest of the organization, including physicians, Hanscome worked to embed IT into four subcommittees tasked with developing Mary Washington Healthcare's annual financial plan.
This is helping to streamline and facilitate communications between IT and business owners and physicians.

[CIO Digest, January 2013, page 46]

Forming a Security Program Office

Security was another area Hanscome and her team sought to tackle. In early 2010, Mary Washington Healthcare determined that it needed a dedicated Security Program Office and recruited David Bailey as its manager. "The organization understood the importance of regulatory compliance and the critical nature of protecting our IT infrastructure and patient information," Hanscome explains. "David had a breadth of risk management experience and was most certainly the right person for the job."

The maturation of the IT organization also brought about the need for a formal risk management governance model with associated measurements. Bailey led efforts to build out a committee in that area as well. Mary Washington Healthcare has an IT governance board that meets every quarter as well as an enterprise risk committee. "I sit on the enterprise risk committee and report to the IT governance board," Bailey notes.

Good IT governance is something every healthcare entity must ensure. For Mary Washington Healthcare, this initiative translated into security standards and risk management measurements. "HIPAA and PCI compliance are at the top of the list," Bailey says. "But our risk management efforts are much broader than just that. The launch of the electronic medical record system required that we meet certain compliance indicators. Meaningful use is a critical concern here. If we cannot satisfy those indicators, then federal funding is put at risk, and we are not doing what we believe is the right course of action for patient care."

Hanscome adds: "The need to exchange patient data, as stipulated by the Patient Protection and Affordable Care Act, increases risk, and we sought to ensure that we had the right tools and processes in place based on pre-determined policies and standards."

Secure the endpoint

Upon arriving, Bailey found that a solid commitment to information security existed. "It starts with the endpoint," he says.
Senior Security Analysts Michael Vida and Douglas Hanback, members of Bailey's team, oversaw the upgrade to Symantec Endpoint Protection from Symantec AntiVirus several years ago. "We were able to consolidate our different endpoint security infrastructure components into one toolset," Vida says. "This gave us substantial cost savings while helping us to improve the productivity of our IT staff."

In 2011, the Mary Washington Healthcare team started their upgrade to Endpoint Protection 12. "We get better performance on our virtual data center servers as a result of the new SONAR scan engine and an improved risk posture through the reputation-based security approach," Vida says. Mary Washington Healthcare will be using nearly all Endpoint Protection functionality, from antivirus and antispyware, to network access control and intrusion prevention, to application and device control.

"Our Endpoint Protection deployment has scaled with the proliferation of endpoints, including the introduction of more and more IP-enabled biomedical devices," Bailey adds. "All of these must be protected." In total, Mary Washington Healthcare protects over 4,000 endpoints.

Most of Mary Washington Healthcare's data center is virtualized using VMware vSphere. "Endpoint Protection has done a great job helping protect virtual servers and integrates seamlessly with our VMware investment," Vida says.

As part of the team's larger risk management approach, Bailey is in the process of migrating data center endpoint security over to Symantec Critical System Protection. "We will be able to define endpoint security policies and track those using Symantec Control Compliance Suite," he says.

Video: "Proactive risk management is a strategic initiative for Mary Washington Healthcare," at go.symantec.com/marywashington-video.
"Tight integration between Critical System Protection and VMware is another factor. It will give us a more proactive approach to managing and monitoring endpoint security in our data center environment."

Sidebar: Mary Washington Healthcare
Location: Fredericksburg, Virginia
Founded: Late 1800s
Facilities: 2 hospitals (Mary Washington and Stafford Hospital) and 28 additional facilities
Employees: 3,600
Website: www.marywashingtonhealthcare.com

Sidebar: From the Lab to CIO
Joyce Hanscome began her career at Central Maine Healthcare as a medical technologist. She worked in the medical laboratory for a number of years, eventually being named assistant director. Looking to gain a broader background in healthcare, Hanscome completed a master's in healthcare administration and took on a new role overseeing the physician practice. "This afforded me with a great opportunity," Hanscome says. "I was able to get to know physicians and their habits, what they like and don't like. When I started, I covered just the internal medicine and family practice, about 10 doctors. The assignment had expanded to about 200 physicians when I left. I had a chance to gain experience across a breadth of different functions, from acquisitions to patient services to HR to finance." In 2010, Mary Washington Healthcare, looking to transform the working relationship between IT and physicians, recruited Hanscome as director of Physician Services. She was named SVP and CIO in early 2012 when the former CIO left the organization.

Proactive threat management

As part of their larger phased risk management strategy, Bailey and his team wanted to create a proactive security awareness and prevention program. With this in mind, they worked in-house to implement standard dashboards that would identify and track threats and security events. "But shortly after doing so, we found that this was extremely time consuming and virtually impossible for my staff of three and me to do on an ongoing basis," Bailey says. As a result, Bailey, in concert with Hanscome, determined that a managed security service would be a better option. Mary Washington Healthcare looked at several different solutions and ultimately chose Symantec Managed Security Services.
"We are able to focus on maturing our security and compliance strategies instead of worrying about threat detection and prevention," Bailey says. "Managed Security Services allows us to focus on building out our threat management posture while delivering 365/24/7 proactive protection of our IT environment. It has been a win-win scenario for us."

Bailey and his team generate daily threat reports using Symantec DeepSight Security Intelligence that are sent to Hanscome. They also create weekly and monthly reports that are given to the IS Governance Board.

But this is just the first phase of the risk management program that Mary Washington Healthcare is putting into place. The next step is to begin tracking and reporting compliance with established security standards. "We're still in the process of building out all of our security standards," Hanscome reports. "HIPAA and PCI are most certainly areas we'll need to address. But there are some other standards that we will be adding as we prepare to roll out our compliance initiative."

Bailey's team will use Symantec Control Compliance Suite to build out compliance policies and then proactively report on them. "As part of this process, we'll use the Standards Manager and Policy Manager in Control Compliance Suite to identify and create policies that map to our compliance requirements," Bailey says. "Risk Manager will enable us to provide regular risk management updates to our executive management team."

Once Control Compliance Suite is in place, the Mary Washington Healthcare team plans to turn their attention to data loss prevention. "We're currently performing a data loss prevention assessment and will give the results to our executive management team," Bailey states. "The tight integration between our current Symantec investments and Symantec Data Loss Prevention will help us move to the third phase of our risk management transformation."
The broader investment in Symantec technologies will create additional value for Mary Washington Healthcare's investment in Managed Security Services at the same time. "Integration between Managed Security Services and our Endpoint Protection deployment provides deeper views into our endpoint security posture," Bailey says. "And we'll gain even further risk management insights as additional Symantec solutions such as Critical System Protection are deployed."

Risk management to executive leadership

Raising risk management to the executive level was one of the objectives Hanscome and Bailey established. "It came out of a discussion that I had with our CEO, Fred Rankin, who noted that he really wanted to get a better understanding of the organization's strategic technology providers," Hanscome relates. "Since we consider Symantec as one of our strategic technology providers, we decided to begin with Symantec."

The Symantec account team worked with Hanscome and Bailey to set up a two-hour event in the boardroom involving the entire executive leadership team. "We pinpointed different areas of risk and quantified the potential risk associated with each one," Bailey says. "The session raised the risk awareness of our executive leadership team and provided them with a foundation for making strategic decisions. It was very well received."

User authentication

User authentication is another area that the Mary Washington Healthcare team addressed. Previously, Mary Washington Healthcare maintained two remote access methods that were inefficient to manage. "It was an adaptive authentication approach that granted access to inpatient systems and our physician portal to physicians," Bailey explains. "Another SSL-based VPN solution was used to provide access to associates and vendors." The former had two-factor authentication but was a hard-token solution. "It was expensive and difficult to manage," he adds. On the flip side, the SSL-based VPN solution did not have two-factor authentication and posed other risks.

Seeking to consolidate onto one identity protection toolset, Bailey and his team examined several different solutions. After evaluating each one, they selected Symantec Validation and ID Protection (VIP) Service in late 2012 and are on track to have it fully implemented in early 2013. "Symantec VIP Service proved to be extremely cost effective while providing us with additional functionality," Bailey notes. "It also affords us with different multifactor options for the second form of authentication, with software-based tokens available for desktop, laptop, and mobile devices."
Early phases of the prescription

While they have moved quickly, Hanscome, Bailey, and the rest of the IT team have much left to do in administering their IT prescription. "Mobility is something we will be tackling early next year," Hanscome notes. "Our physicians and caregivers want to use mobile devices to access information and services, including when meeting with patients." This presents a number of different security and compliance challenges, one that is accentuated since Mary Washington Healthcare plans to enable a bring your own device (BYOD) policy. "We are evaluating Symantec App Center on the basis that we can create virtual containers on personal devices and manage information and services securely on them without any impact on personal applications and services they also contain," Bailey explains.

Podcast: Portions of the interview with Joyce Hanscome and David Bailey are available as an Executive Spotlight Podcast at go.symantec.com/marywashington-podcast.

Sidebar: From the Pentagon to Healthcare
While an undergraduate in college, David Bailey joined the United States Air Force ROTC program and was commissioned in 1993. He spent almost nine years in the Air Force, serving in a variety of different functions as a communications and information officer. Ordinary is not a word that one would use to describe his time in the Air Force. His initial assignment was at the Pentagon. "My team provided networking services as well as desktop, database, and phone support, all of the typical things you would do at an Air Force base," he recounts. "The only difference is that it was at the Pentagon." After several years, he got involved as a systems analyst and then in tactical communications. He deployed to Saudi Arabia, traveling around southwest Asia conducting force protection vulnerability assessments, which included examination of communications systems. "This experience helped pave the way for my security career," he relates. He returned to support the Air Force and United States Space Command as a director of Information Operations Testing. In this role he conducted vulnerability and risk assessments of mission-critical space systems. When Bailey left the Air Force, he leveraged his background and experience in security and IT risk management, serving as a consultant with classified clearance to various Federal government entities, including the Pentagon. In early 2010, his career took a completely different turn when Mary Washington Healthcare recruited him to build the Security Program Office and institute a risk management strategy from the ground up. "From the standpoint of security standards, there are similarities," Bailey reflects. "For example, both the Federal government and healthcare use National Institute of Standards and Technology (NIST) standards. But there are certainly differences at the same time."

Photo caption: David Bailey, Manager, Security Program Office, Mary Washington Healthcare.
Bailey is thoroughly enjoying the challenges of healthcare. "On average, we have 6,000 or 7,000 users accessing our systems every day, often for life-critical services. While the challenges may differ, the end result is just as critical."

But that is just one of many initiatives that are planned. "With the first phase of our risk management strategy complete, we are rapidly moving into the second and third phases," Hanscome states. "Compliance with meaningful use is at the forefront of what we're working to accomplish. Each of the steps that we've taken and are taking will help ensure that we achieve meaningful use and thus meet both the challenges and opportunities of our rapidly evolving world of 21st-century healthcare." Adds Bailey: "And with technology partners like Symantec, we have the tools and services to help ensure that we are successful."

Patrick E. Spencer (Ph.D.) is the editor in chief and publisher for CIO Digest.

Managing Risk with Symantec
> Symantec Endpoint Protection
> Symantec Critical System Protection
> Symantec Managed Security Services
> Symantec Validation and ID Protection (VIP) Service
> Symantec DeepSight Security Intelligence
> Symantec Data Loss Prevention
> Symantec Control Compliance Suite (planned implementation)