Organized Security

Nov. 21, 2009

To address compliance and IT security, Piedmont Healthcare chose to establish baseline metrics for IT security risk.

Last year, the new director of IT security for Piedmont Healthcare, Nadia Fahim-Koster, decided to reassess the compliance requirements of the organization, using a systematic and organized approach. She chose to establish baseline metrics for IT security risk, which would provide a picture of the compliance status of the hospital network today and for future comparisons. “This would be a great way to show compliance and progress to the executive team,” says Fahim-Koster. “We needed the baseline for historical trending, also. In addition, we wanted to adjust security-configuration controls and comply with new regulations. These metrics deliver clear, actionable compliance-measurement reports quarter over quarter.” Fahim-Koster was confronted with several challenges to this goal, including:

  • a large, diverse, constantly shifting IT network, totaling between 7,000 and 10,000 assets;
  • an incomplete, centralized view of all IT assets and their configuration controls;
  • no fast and easy way to classify assets; and
  • a broad compliance standard (HIPAA) that left some aspects of reporting open to interpretation.

“The tasks involved in meeting these goals seemed insurmountable, considering the early stages of evolution of our centralized information-security program and the attendant lack of information/IT visibility, limited resources and the inability to classify assets according to a clear, measurable compliance framework,” Fahim-Koster explains.

Piedmont Healthcare has been providing healthcare for patients in metropolitan Atlanta and northern Georgia for more than 100 years. Its network includes four hospitals, Piedmont Heart Institute, Piedmont Clinic, Piedmont Medical Care Corp. and Piedmont Philanthropy. The Piedmont Healthcare IT network encompasses hospitals, doctors’ offices, clinics, outpatient centers, research facilities and other business units spread throughout north Georgia. Piedmont’s network includes a wide variety of servers and technology that process and store electronic protected health information (e-PHI).

The hospital is subject to compliance with various regulatory standards, including HIPAA. It was among the first hospitals to undergo a HIPAA-compliance audit with the Department of Health and Human Services (HHS) Office of Inspector General (OIG) in 2007. Compliance audits ensure that all applicable laws and regulations are being followed.

Extensive Security Precautions

OIG audited Piedmont’s administrative, physical and technical safeguards, including the hospital’s policies and procedures relating to e-PHI access; the risk assessment relative to e-PHI; electronically transmitting e-PHI; preventing, detecting, containing and correcting security violations; monitoring systems; remote access; wireless security; antivirus mechanisms; firewalls; and other e-PHI security requirements.

Because so much of their clinical and business information is generated and contained within their computer systems, Piedmont employees protect their computer systems and the information contained in them by not sharing passwords and by reviewing and adhering to their information-security policies and guidance.

To secure this information, Fahim-Koster turned to the SecureFusion software suite from Gideon Technologies, an information-security solution that helps prioritize and measure IT risk against policy and compliance objectives. Piedmont chose SecureFusion to help it achieve compliance with international industry standards, ensuring accountability by analyzing the data gathered and identifying the risks.

First, an asset-discovery pass established an accurate foundation, capturing all IT assets connected to the network (both managed and unmanaged). The software continuously tracks the assets connected to the network, including additions, removals, changes and criticality ratings. Scanning and data-collection processes are controlled via the SecureFusion portal, a central service-oriented architecture dashboard that gives a detailed view of all IT assets and configurations.

“Asset discovery is the key to starting an effective IT security program,” says Fahim-Koster. “If you don’t know what you are protecting, you don’t know what to protect.”

From there, the software continuously gathered standards-based IT risk metrics into the central portal, where Fahim-Koster and her team could view all IT assets, vulnerabilities, configuration details and policy-compliance metrics. The portal provides real-time, dynamic reporting of security and asset-management information, tailored for all audiences within the organization.

Fahim-Koster decided to measure Piedmont Healthcare’s IT security controls in accordance with the National Institute of Standards and Technology (NIST)-recommended security controls for federal information systems. The Centers for Medicare & Medicaid Services (CMS) earlier announced it would use the NIST framework as a bridge to achieving HIPAA compliance, since NIST provides more-detailed guidance for classifying assets and applying security controls.

Clear Metrics and Reporting

Following the CMS lead, Fahim-Koster established a framework for classifying and measuring security controls across the Piedmont Healthcare network – one that would also enable clear metrics and reporting for executives. In addition, SecureFusion comes pre-loaded with the NIST framework, and was designed to provide consistent, automated measurement of the IT environment against IT control requirements.

The software enables Fahim-Koster to classify assets in accordance with NIST. All configuration details associated with each asset are also captured. The solution provides Fahim-Koster with an up-to-date baseline of the IT environment, down to the configuration-control level. From there, staff can prioritize IT security projects according to risk and sensitivity and provide clear, repeatable benchmarks for executives that report Piedmont’s compliance with the NIST standard.

Using SecureFusion’s asset-discovery module, Fahim-Koster was able to eliminate the generic user IDs that were being used to log on to nursing-station computers. “This initiative occurred at a very granular level in the network and it would have been next to impossible to pinpoint those workstations without SecureFusion,” notes Fahim-Koster.

Her team also completed a software-license review and was able to find and encrypt every laptop connected to the network. “Each of these projects has reduced or eliminated IT security risks in a very specific and measurable way,” she adds.

“Selecting the NIST framework as our measurement framework meant that we had to classify all of our IT assets the same way,” explains Fahim-Koster. “Once this was completed, we could begin to capture the existing security controls and perform a gap analysis to see where we needed to make improvements. Without the automation and continuous data collection from SecureFusion, we would never see an end to this phase, and that’s before we ever get to make security improvements.”

Fahim-Koster’s team has finished using the software to review all Piedmont Healthcare servers and classify them according to the NIST framework. “We identified our servers as high, medium or low impact based on the type of information they contain,” she says. “Now, when we see the gaps in compliance controls, we can not only prioritize which servers to address first – the high-impact servers – but we can even prioritize which controls to start with because SecureFusion gives us that level of granularity.”

The software produces reports on Piedmont Healthcare’s compliance with NIST configuration controls. Fahim-Koster can select different metrics to focus on, depending on the audience. “I used to feel like I was asking the executives to take my word for it when it came to our compliance metrics,” she says. “But now it will be quite clear to everyone. The reports we will generate will show the level where we need to be according to the NIST standard and where we actually are.”
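As an added illustration of the workflow described above (classify servers by NIST impact level, capture control status, run a gap analysis, prioritize high-impact servers and the most widespread failing controls first, and report where the organization stands against the target), here is a small Python model. This is not Piedmont’s or SecureFusion’s code; the inventory, control IDs and pass/fail values are constructed sample data.

```python
from collections import Counter

# Constructed sample inventory (illustrative, not Piedmont data). Control
# IDs follow the NIST SP 800-53 naming style; True means the control is in
# place on that server, False means a gap against the target baseline.
IMPACT_RANK = {"high": 0, "medium": 1, "low": 2}

SAMPLE_ASSETS = [
    {"name": "ehr-db-01", "impact": "high",
     "controls": {"AC-2": True, "IA-5": False, "SI-3": True, "AU-2": False}},
    {"name": "lab-app-02", "impact": "high",
     "controls": {"AC-2": False, "IA-5": False, "SI-3": True, "AU-2": True}},
    {"name": "intranet-web", "impact": "medium",
     "controls": {"AC-2": True, "IA-5": False, "SI-3": True, "AU-2": True}},
    {"name": "kiosk-print", "impact": "low",
     "controls": {"AC-2": False, "IA-5": False, "SI-3": False, "AU-2": False}},
]


def gap_analysis(assets):
    """Return (asset name, impact, control) for every control not in place."""
    return [(a["name"], a["impact"], c)
            for a in assets for c, ok in a["controls"].items() if not ok]


def prioritize(assets):
    """Order gaps by impact (high first), then by how many assets share the
    same failing control, so one remediation closes the most gaps."""
    gaps = gap_analysis(assets)
    spread = Counter(c for _, _, c in gaps)
    return sorted(gaps, key=lambda g: (IMPACT_RANK[g[1]], -spread[g[2]], g[2], g[0]))


def compliance_metrics(assets):
    """Percent of control checks passing, overall and per impact level:
    the 'where we actually are' figure for an executive report."""
    totals, passes = Counter(), Counter()
    for a in assets:
        for ok in a["controls"].values():
            totals[a["impact"]] += 1
            passes[a["impact"]] += ok
    pct = lambda p, t: round(100.0 * p / t, 1) if t else 0.0
    report = {lvl: pct(passes[lvl], totals[lvl]) for lvl in totals}
    report["overall"] = pct(sum(passes.values()), sum(totals.values()))
    return report


def quarterly_trend(previous, current):
    """Change in each metric quarter over quarter (positive = improvement)."""
    return {k: round(current[k] - previous.get(k, 0.0), 1) for k in current}
```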

Most compliance reporting is presented as a gap analysis that tends to emphasize failures without focusing on success. “Our compliance measurement is so much more than simply checking a box,” she says. “We will have a standard, organized method for meeting our IT security requirements and proving that we’ve done so for executives, auditors and anyone else. It keeps a continued focus on our successes.”

Currently, the information-security team for Piedmont Healthcare is the primary user of SecureFusion, but PC techs are also using it for a continuous and accurate asset inventory. Network administrators and engineers are using it to identify virtual LANs and other network connections, and to capture security controls.

Fahim-Koster expects all departments within IT will be able to use SecureFusion to monitor information-security controls for their assets. “We are all responsible for information security, so it makes sense that the application administrators, the technical services team and other IT groups would use the tool to discover any rogue assets, and to maintain compliance with the NIST security controls,” she says.

“We plan to use it to understand how virtualization impacts our configuration settings and our vulnerabilities,” says Fahim-Koster. “From a risk perspective, the software helps us look at our environment honestly. We know our asset inventory is accurate and, as a result, we can trust that we’re capturing all vulnerabilities and all configuration details. This enables us to make educated decisions about how to reduce risk and meet compliance requirements.

“SecureFusion is like a security camera that’s always filming from all kinds of angles,” Fahim-Koster explains. “I’ve been able to do things I never thought were possible in terms of discovery, inventory, classifying the data and benchmarking our progress.”

From the Catalog

According to www.gideontechnologies.com: SecureFusion automates and orchestrates compliance measurement and reporting. It gathers standards-based IT risk metrics into a central service-oriented architecture portal where all IT assets, vulnerabilities, configuration details and policy compliance metrics can be viewed. SecureFusion is built on the additive intelligence of four core capabilities: asset discovery performs continuous audits of managed and unmanaged assets with no impact to the network; vulnerability management conducts ongoing, active vulnerability detection and reporting for operating systems, infrastructure, network applications and databases; configuration management continuously compares system configuration and compliance with IT security standards; and policy management initiates, reviews, publishes and maintains security policies.

For more information on Gideon Technologies solutions: www.rsleads.com/912ht-203