Security Consulting Case Study
Good Samaritan Hospital Gets a Security Check-up (Cont'd)
I wanted to make sure we had a solid approach to how we addressed security--not just the electronic records, but the technology itself.”
Chuck Christian, CIO, Good Samaritan Hospital
About Good Samaritan Hospital
Good Samaritan Hospital Facts
Assess security of patient medical records and strengthen regulatory compliance
HIPAA, HITECH and Meaningful Use Risk Assessment by AT&T Security Consulting
Objective and expert security audit identifies relevant issues and provides an actionable roadmap for reducing security risks
232-bed facility serves a population of 250,000 people
Founded in 1908, Good Samaritan Hospital is a not-for-profit healthcare system serving southwestern Indiana and southeastern Illinois. Good Samaritan operates through a number of care centers and hospital-run programs, both on and off-site, providing a wide range of services including primary care, surgery, emergency medicine and physical therapy. Each year Good Samaritan admits almost 8,000 inpatients, serves more than 32,000 emergency room visits and conducts 250,000 outpatient visits.
The security of patient health information is closely regulated. As the healthcare industry has increased its use of technology to store and access sensitive information, regulations have expanded. Having moved from paper to electronic medical records, Good Samaritan needed to make sure it was taking the right precautions for the privacy and security of patient information. Compliance required Good Samaritan to audit its security systems, policies and procedures. The assessment would be a significant undertaking, requiring more resources than the hospital’s IT department had internally. Good Samaritan wanted an expert’s opinion.
Good Samaritan chose AT&T Security Consulting to assess its security systems. The HIPAA, HITECH and Meaningful Use Risk Assessment reviews systems for regulatory compliance. The AT&T team reviewed Good Samaritan’s access policies, procedures and network security and compared these against industry best practices. AT&T then provided a detailed roadmap with clear, reachable objectives and actions. Armed with new insights into its information security risk and exposure, the hospital is addressing the risks. This will help Good Samaritan demonstrate its compliance if and when regulators conduct an audit.
Keeping a Community Healthy
Located in the historic town of Vincennes, Indiana, population 18,423, Good Samaritan Hospital plays a key role in the community. In addition to being the only healthcare resource of its size in a ten-county area, “we are the largest employer in Knox County,” said Chuck Christian, CIO. Serving the region for more than 100 years, Good Samaritan has been the trusted healthcare provider for generations of local residents. The hospital has grown from a 25-bed building to a 232-bed, state-of-the-art facility, bringing high quality healthcare to the mostly rural region.
They gave us a list of things we’re doing well, things we’re not doing so well, a gap analysis and recommendations. We’ve got a really good roadmap of the things we need to do."
Chuck Christian, CIO, Good Samaritan Hospital
Good Samaritan’s medical services cover a broad spectrum of needs, from routine check-ups and prevention to emergency surgery and ongoing care. The hospital’s 1,700 employees, including its 105-member medical staff, provide primary care and specialty services in areas including cardiac and cancer care, childbirth, diabetes treatment, orthopedics and mental health. Good Samaritan continuously brings in leading-edge technology and processes to expand its offerings. It works in tandem with nearby critical care facilities and has acquired a number of local physician practices.
Good Samaritan extends its reach beyond the hospital’s walls and works to provide healthcare access to those in need. “We do a significant amount of community outreach,” said Christian. “We also run a primary care clinic to provide care to those who have no insurance or are underinsured.” Good Samaritan collaborates with community organizations to offer free health screenings throughout the region. Its traveling clinics conduct annual Women’s Health Days and “tune-ups” for men. The hospital even runs an off-site care center for teens dealing with behavioral issues.
'Stewards of our Patients' Information'
Like all healthcare organizations, Good Samaritan is dealing with the industry-wide move from paper to electronic medical records, which raises new concerns about maintaining patient privacy. Medical records contain highly sensitive information, tracking everything about a patient’s health, from doctors’ notes to test results. Good Samaritan must protect these records. “We are stewards of our patients’ information,” said Christian. It’s not just ethical—protecting patient records is required by law. Several federal and state laws regulate patient health information, the most comprehensive being the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which outlines requirements for information privacy.
Securing electronic information requires the right combination of policy and technology. Security threats can arise from both external and internal sources, and can range from intentional breaches to just careless mistakes. At Good Samaritan, employees have legitimate, job-related reasons to access patient information. From receptionists and technicians to nurses and physicians, hospital staff have varying degrees of access.
Good Samaritan had security policies in place, but policies alone aren’t always enough to deter inappropriate access. “You can have the best policy in place, but sometimes individuals don’t think it applies to them,” said Christian. Security also depends upon a robust IT infrastructure. “It’s kind of like putting locks on your house,” Christian explained. “If somebody wants to get in, they’ll drive a car through it. We want to make sure the right safeguards are in place so it’s not easily done.”
Increased government regulations pressed Good Samaritan to do what it already knew was necessary--conduct a thorough assessment of its information security systems. The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 has bolstered HIPAA enforcement. “We lovingly call it HIPAA on steroids,” Christian said. HITECH specifically addresses the increase in online access of patient information.
The rapid growth of mobile devices has created new security needs, as people now access information from many different devices, including hospital-owned and personal laptops, tablets and smartphones. Among other things, HITECH requires organizations to conduct a complete information security audit. Good Samaritan was glad to comply. “Even if we didn’t have the HIPAA requirements, it would be the right thing to do,” said Christian.
Getting an Expert's Diagnosis
Good Samaritan decided to assess its IT systems, but did not want to conduct the audit itself. “I thought it would be like the fox watching the henhouse,” said Christian. “I also didn’t have anyone on my team that I would classify as an expert, someone credentialed who does this work for a living. We’re just not big enough to have an employee do that work full time.” The hospital wanted the objectivity and expertise of an outside company.
After conducting a thorough search, Good Samaritan chose AT&T Security Consulting to conduct its security audit. Having acquired a highly regarded healthcare audit company, AT&T understands the industry’s regulatory requirements. “They knew what we were looking to do and helped guide the conversation,” Christian said.
The AT&T HIPAA, HITECH and Meaningful Use Risk Assessment took a three-pronged approach: reviewing regulatory compliance, assessing Good Samaritan’s data network and providing a technical overview. “I wanted to make sure we had a solid approach to how we addressed security, not just the electronic records, but the technology itself,” explained Christian.
Through extensive onsite interviews and research, AT&T compared Good Samaritan’s information security processes against industry best practices. AT&T also conducted system penetration tests to identify procedural weaknesses and “unlocked doors.” The technical review looked at Good Samaritan’s wireless network, checking for proper configuration and appropriate security measures. “They were able to help us identify some best practices that we hadn’t thought of yet,” said Christian.
AT&T delivered a detailed report to Good Samaritan, thoroughly documenting the assessment process and its findings as related to regulatory requirements. The report identifies Good Samaritan’s existing security risks and recommended actions to address them. “They gave us a list of things we’re doing well, things we’re not doing so well, a gap analysis and recommendations,” said Christian. “We’ve got a really good roadmap of the things we need to do.” The roadmap saves Good Samaritan time and resources, enabling the hospital to get started on making security improvements.
Making Security More Efficient
The audit revealed some holes in Good Samaritan’s systems. “I knew we had some chinks in our armor,” said Christian. The hospital’s IT infrastructure is made up of several different, disconnected systems. The auditors’ holistic approach assessed them as a complete system, allowing AT&T to identify unseen problems. Some were easy to remedy, once all were laid out. “We found several databases in engineering that didn’t even have passwords,” explained Christian. “None of those databases contained patient information, but that’s like leaving your car unlocked and your keys in the ignition. If someone does happen to get inside, then they can easily use that against you.”
The expert audit lends authority to the IT department’s funding requests. Security updates can be costly, and if things are running fine, it can be hard for people to see preventative IT improvements as necessary and urgent. The AT&T assessment helps get senior management on board. “If it’s just me telling them we need to do this, it just doesn’t have the weight of an expert coming in,” said Christian. “We were able to leverage the assessment to get things done.”
Good Samaritan has already made several of the security updates AT&T recommended. The hospital started by expanding its web access oversight. “We changed the rules associated with our secure email so we can appropriately track and capture the information,” said Christian. The hospital is also implementing an identity management solution to better meet physicians’ unique access needs. Their on-line session will be able to securely follow them as they move around the hospital without the need to log back in.
“We’re trying to create a secure but much improved experience,” he said. Physicians need access wherever they are—on site, in their offices, at home, even on vacation. Now, no matter where they are, physicians can log on with the same security that’s in place at the hospital.
Ready for Whatever Comes Next
Having completed the audit and started on its security updates, Good Samaritan is well on its way to achieving regulatory compliance. The hospital is prepared for an actual HIPAA or HITECH audit “It’s not if the auditors come, it’s when the auditors come,” said Christian. “With the AT&T roadmap I’ve got the documentation I need.” In addition, the report demonstrates Good Samaritan’s efforts in case a serious security issue ever does happen. “If we have a breach and people from the government come visit, I want to be able to show that I did this, this and this,” Christian said.
With the AT&T evaluation in hand, Good Samaritan is on the right path. “We have the ability to make the records more secure,” said Christian. His advice to other healthcare organizations is to do the same. “What we’re doing is what most organizations have done, or will need to do,” Christian said, “but they need to do it sooner than later.” And he appreciated the job done by AT&T Security Consulting. “The staff was very good, they were extremely thorough and all very bright,” said Christian. “They bring in experience and help establish best-practices.”
The AT&T assessment also helps set Good Samaritan up for growth. The hospital has new security processes to integrate systems throughout the organization. “We’re able to roll out some of the ideas they gave us to other offices as we acquire them.” said Christian.
As technology becomes even further integrated into healthcare systems, security will continue to be an ongoing issue. AT&T is a resource Good Samaritan plans to use again. “The threats are not stagnant,” Christian explained. “Once we get our updates done, I’d like to have them come back and do a review and find out if there’s anything new we need to be aware of.”