Mary Washington Healthcare CASE STUDY
Proactive IT Risk Management
Mary Washington Healthcare embraces phased risk management approach
46 CIO Digest January 2013

Photo: Mike Vida (left), Sr. Security Analyst, Security Program Office; Joyce Hanscome (center), SVP and CIO; and David Bailey (right), Manager, Security Program Office, Mary Washington Healthcare

Physicians at Mary Washington Healthcare were frustrated with the support they were receiving from IT. Their requirements weren't being translated into IT solutions. As a result, in late 2009, the healthcare provider recruited Joyce Hanscome to the role of director of Physician Services with the charter to restore physician-IT relationships by creating technology solutions to meet their most pressing requirements. One of the most noteworthy projects that she spearheaded was an electronic medical record system. She also led an effort to form a physician advisory council for IT.

When the previous CIO at Mary Washington Healthcare left in early 2011, Hanscome was asked to serve as interim CIO. She was named permanent senior vice president and CIO in early 2012.

Hanscome inherited an IT group that was lacking strategic direction and standard operating procedures. The most pressing requirement was the development of a strategic plan. She engaged an external consultant for guidance in developing it and a new governance model. These elements were essential building blocks if Hanscome was to transform the IT department from a service provider to a strategic healthcare enabler. Yet success wasn't far away; she and her team were able to get both the strategic plan and governance model into place by mid-summer.

"As an organization, we have a great strategic planning process," Hanscome notes. "For the IT strategic plan, we simply tied it into that larger process and aligned with its critical objectives."

In addition to facilitating interaction between IT and the rest of the organization, including physicians, Hanscome worked to embed IT into four subcommittees tasked with developing Mary Washington Healthcare's annual financial plan. This is helping to streamline and facilitate communications between IT and business owners and physicians.

Forming a Security Program Office

Security was another area Hanscome and her team sought to tackle. In early 2010, Mary Washington Healthcare determined that it needed a dedicated Security Program Office and recruited David Bailey as its manager. "The organization understood the importance of regulatory compliance and the critical nature of protecting our IT infrastructure and patient information," Hanscome explains. "David had a breadth of risk management experience and was most certainly the right person for the job."

The maturation of the IT organization also brought about the need for a formal risk management governance model with associated measurements. Bailey led efforts to build out a committee in that area as well. Mary Washington Healthcare has an IT governance board that meets every quarter as well as an enterprise risk committee. "I sit on the enterprise risk committee and report to the IT governance board," Bailey notes.

Good IT governance is something every healthcare entity must ensure. For Mary Washington Healthcare, this initiative translated into security standards and risk management measurements. "HIPAA and PCI compliance are at the top of the list," Bailey says. "But our risk management efforts are much broader than just that. The launch of the electronic medical record system required that we meet certain compliance indicators. Meaningful use is a critical concern here. If we cannot satisfy those indicators, then federal funding is put at risk, and we are not doing what we believe is the right course of action for patient care."

Hanscome adds: "The need to exchange patient data, as stipulated by the Patient Protection and Affordable Care Act, increases risk, and we sought to ensure that we had the right tools and processes in place based on pre-determined policies and standards."

Secure the endpoint

Upon arriving, Bailey found that a solid commitment to information security existed. "It starts with the endpoint," he says.
Senior Security Analysts Michael Vida and Douglas Hanback, members of Bailey's team, oversaw the upgrade to Symantec Endpoint Protection from Symantec AntiVirus several years ago. "We were able to consolidate our different endpoint security infrastructure components into one toolset," Vida says. "This gave us substantial cost savings while helping us to improve the productivity of our IT staff."

In 2011, the Mary Washington Healthcare team started their upgrade to Endpoint Protection 12. "We get better performance on our virtual data center servers as a result of the new SONAR scan engine and an improved risk posture through the reputation-based security approach," Vida says. Mary Washington Healthcare will be using nearly all Endpoint Protection functionality, from antivirus and antispyware, to network access control and intrusion prevention, to application and device control.

"Our Endpoint Protection deployment has scaled with the proliferation of endpoints, including the introduction of more and more IP-enabled biomedical devices," Bailey adds. "All of these must be protected." In total, Mary Washington Healthcare protects over 4,000 endpoints.

Most of Mary Washington Healthcare's data center is virtualized using VMware vSphere. "Endpoint Protection has done a great job helping protect virtual servers and integrates seamlessly with our VMware investment," Vida says.

As part of the team's larger risk management approach, Bailey is in the process of migrating data center endpoint security over to Symantec Critical System Protection. "We will be able to define endpoint security policies and track those using Symantec Control Compliance Suite," he says. "Tight integration between Critical System Protection and VMware is another factor. It will give us a more proactive approach to managing and monitoring endpoint security in our data center environment."

Video: Proactive risk management is a strategic initiative for Mary Washington Healthcare. Watch at go.symantec.com/marywashington-video.

Mary Washington Healthcare
Location: Fredericksburg, Virginia
Founded: Late 1800s
Facilities: 2 hospitals (Mary Washington and Stafford Hospital) and 28 additional facilities
Employees: 3,600
Website: www.marywashingtonhealthcare.com

From the Lab to CIO

Joyce Hanscome began her career at Central Maine Healthcare as a medical technologist. She worked in the medical laboratory for a number of years, eventually being named assistant director. Looking to gain a broader background in healthcare, Hanscome completed a master's in healthcare administration and took on a new role overseeing the physician practice. "This afforded me a great opportunity," Hanscome says. "I was able to get to know physicians and their habits, what they like and don't like. When I started, I covered just the internal medicine and family practice, about 10 doctors. The assignment had expanded to about 200 physicians when I left. I had a chance to gain experience across a breadth of different functions, from acquisitions to patient services to HR to finance." In 2010, Mary Washington Healthcare, looking to transform the working relationship between IT and physicians, recruited Hanscome as director of Physician Services. She was named SVP and CIO in early 2012 when the former CIO left the organization.

Proactive threat management

As part of their larger phased risk management strategy, Bailey and his team wanted to create a proactive security awareness and prevention program. With this in mind, they worked in-house to implement standard dashboards that would identify and track threats and security events. "But shortly after doing so, we found that this was extremely time consuming and virtually impossible for my staff of three and me to do on an ongoing basis," Bailey says. As a result, Bailey, in concert with Hanscome, determined that a managed security service would be a better option. Mary Washington Healthcare looked at several different solutions and ultimately chose Symantec Managed Security Services.
"We are able to focus on maturing our security and compliance strategies instead of worrying about threat detection and prevention," Bailey says. "Managed Security Services allows us to focus on building out our threat management posture while delivering 365/24/7 proactive protection of our IT environment. It has been a win-win scenario for us."

Bailey and his team generate daily threat reports using Symantec DeepSight Security Intelligence that are sent to Hanscome. They also create weekly and monthly reports that are given to the IS Governance Board.

But this is just the first phase of the risk management program that Mary Washington Healthcare is putting into place. The next step is to begin tracking and reporting compliance with established security standards. "We're still in the process of building out all of our security standards," Hanscome reports. "HIPAA and PCI are most certainly areas we'll need to address. But there are some other standards that we will be adding as we prepare to roll out our compliance initiative."

Bailey's team will use Symantec Control Compliance Suite to build out compliance policies and then proactively report on them. "As part of this process, we'll use the Standards Manager and Policy Manager in Control Compliance Suite to identify and create policies that map to our compliance requirements," Bailey says. "Risk Manager will enable us to provide regular risk management updates to our executive management team."

Once Control Compliance Suite is in place, the Mary Washington Healthcare team plans to turn their attention to data loss prevention. "We're currently performing a data loss prevention assessment and will give the results to our executive management team," Bailey states. "The tight integration between our current Symantec investments and Symantec Data Loss Prevention will help us move to the third phase of our risk management transformation."
The broader investment in Symantec technologies will create additional value for Mary Washington Healthcare's investment in Managed Security Services at the same time. "Integration between Managed Security Services and our Endpoint Protection deployment provides deeper views into our endpoint security posture," Bailey says. "And we'll gain even further risk management insights as additional Symantec solutions such as Critical System Protection are deployed."

Risk management to executive leadership

Raising risk management to the executive level was one of the objectives Hanscome and Bailey established. "It came out of a discussion that I had with our CEO, Fred Rankin, who noted that he really wanted to get a better understanding of the organization's strategic technology providers," Hanscome relates. "Since we consider Symantec as one of our strategic technology providers, we decided to begin with Symantec."

The Symantec account team worked with Hanscome and Bailey to set up a two-hour event in the boardroom involving the entire executive leadership team. "We pinpointed different areas of risk and quantified the potential risk associated with each one," Bailey says. "The session raised the risk awareness of our executive leadership team and provided them with a foundation for making strategic decisions. It was very well received."

User authentication

User authentication is another area that the Mary Washington Healthcare team addressed. Previously, Mary Washington Healthcare maintained two remote access methods that were inefficient to manage. "It was an adaptive authentication approach that granted access to inpatient systems and our physician portal to physicians," Bailey explains. "Another SSL-based VPN solution was used to provide access to associates and vendors. The former had two-factor authentication but was a hard-token solution. It was expensive and difficult to manage," he adds. "On the flip side, the SSL-based VPN solution did not have two-factor authentication and posed other risks."

Seeking to consolidate onto one identity protection toolset, Bailey and his team examined several different solutions. After evaluating each one, they selected Symantec Validation and ID Protection (VIP) Service in late 2012 and are on track to have it fully implemented in early 2013. "Symantec VIP Service proved to be extremely cost effective while providing us with additional functionality," Bailey notes. "It also affords us different multifactor options for the second form of authentication, with software-based tokens available for desktop, laptop, and mobile devices."
Early phases of the prescription

While they have moved quickly, Hanscome, Bailey, and the rest of the IT team have much left to do in administering their IT prescription. "Mobility is something we will be tackling early next year," Hanscome notes. "Our physicians and caregivers want to use mobile devices to access information and services, including when meeting with patients." This presents a number of different security and compliance challenges, one that is accentuated since Mary Washington Healthcare plans to enable a bring your own device (BYOD) policy. "We are evaluating Symantec App Center on the basis that we can create virtual containers on personal devices and manage information and services securely on them without any impact on personal applications and services they also contain," Bailey explains.

Podcast: Portions of the interview with Joyce Hanscome and David Bailey are available as an Executive Spotlight Podcast at go.symantec.com/marywashington-podcast.
But that is just one of many initiatives that are planned. "With the first phase of our risk management strategy complete, we are rapidly moving into the second and third phases," Hanscome states. "Compliance with meaningful use is at the forefront of what we're working to accomplish. Each of the steps that we've taken and are taking will help ensure that we achieve meaningful use and thus meet both the challenges and opportunities of our rapidly evolving world of 21st-century healthcare." Adds Bailey: "And with technology partners like Symantec, we have the tools and services to help ensure that we are successful."

From the Pentagon to Healthcare

Photo: David Bailey, Manager, Security Program Office, Mary Washington Healthcare

While an undergraduate in college, David Bailey joined the United States Air Force ROTC program and was commissioned in 1993. He spent almost nine years in the Air Force, serving in a variety of different functions as a communications and information officer. Ordinary is not a word that one would use to describe his time in the Air Force. His initial assignment was at the Pentagon. "My team provided networking services as well as desktop, database, and phone support, all of the typical things you would do at an Air Force base," he recounts. "The only difference is that it was at the Pentagon."

After several years, he got involved as a systems analyst and then in tactical communications. He deployed to Saudi Arabia, traveling around southwest Asia conducting force protection vulnerability assessments, which included examination of communications systems. "This experience helped pave the way for my security career," he relates. He returned to support the Air Force and United States Space Command as a director of Information Operations Testing. In this role he conducted vulnerability and risk assessments of mission-critical space systems.

When Bailey left the Air Force, he leveraged his background and experience in security and IT risk management, serving as a consultant with classified clearance to various Federal government entities, including the Pentagon. In early 2010, his career took a completely different turn when Mary Washington Healthcare recruited him to build the Security Program Office and institute a risk management strategy from the ground up. "From the standpoint of security standards, there are similarities," Bailey reflects. "For example, both the Federal government and healthcare use National Institute of Standards and Technology (NIST) standards. But there are certainly differences at the same time."

Bailey is thoroughly enjoying the challenges of healthcare. "On average, we have 6,000 or 7,000 users accessing our systems every day, often for life-critical services. While the challenges may differ, the end result is just as critical."

Patrick E. Spencer (Ph.D.) is the editor in chief and publisher for CIO Digest.

Managing Risk with Symantec
> Symantec Endpoint Protection
> Symantec Critical System Protection
> Symantec Managed Security Services
> Symantec Validation and ID Protection (VIP) Service
> Symantec DeepSight Security Intelligence
> Symantec Data Loss Prevention
> Symantec Control Compliance Suite (planned implementation)