Meeting “meaningful use” requirements
Under the 2009 U.S. Health Information Technology for Economic and Clinical Health (HITECH) Act, the Department of Health and Human Services set forth “meaningful use” guidelines for electronic health records (EHRs). These guidelines help to ensure that healthcare organizations achieve specific clinical objectives with the use of EHRs and confirm the privacy and security of all electronic health data.
Healthcare organizations that meet meaningful use requirements can be eligible for millions of dollars in federal incentives. Those that don’t comply can be subject to new penalties.
For Eddy Stephens, chief information officer of Infirmary Health System, IT security has always been a top priority. However, with a growing infrastructure, the increase of security threats worldwide, and new federal regulations, such as meaningful use requirements, Stephens and his team found it difficult to keep pace using point technologies and manual processes.
It often took IT administrators up to two months to apply software patches or deploy new applications across the organization’s more than 4,000 workstations. Likewise, consolidating and correlating security events from disparate data sources for investigations and auditing took days or weeks.
“To meet meaningful use requirements, we must ensure all of our workstations and servers have the latest security patches, are properly configured and can be locked down to protect data,” Stephens explains. “However, we needed a lot of feet on the ground to manage the sheer volume of work. Our goal was to find a better way to manage this increasingly complex problem.”
A comprehensive solution for endpoint and event management
A strong security posture depends on numerous activities—patching systems, stopping malware and other threats before they arrive, controlling endpoint access, understanding exactly who is accessing what applications, servers and data, and much more.
As Stephens and his team evaluated new approaches, they sought a comprehensive and integrated solution that could help them effectively and efficiently address the full range of endpoint and event management requirements. They turned to ESM Technology, a recognized IBM solution provider with a practice in security and service management. ESM is headquartered in New York City with satellite offices in the Southeast United States.
“We evaluated several solutions and found that the ESM solution based on IBM security software met all of our requirements and was easy to deploy,” says Stephens. “ESM also provided the expertise and know-how to help us more quickly achieve our goals.”
A “closed loop” system to identify and correct attacks, threats, and non-compliant conditions
ESM Technology’s iT Server Mgmt in-a-box™ Health Care (Security & Compliance) Edition solution uses IBM endpoint management and security intelligence solutions to provide healthcare organizations with a unified and turnkey security platform for addressing Health Insurance Portability and Accountability Act (HIPAA) and meaningful use requirements.
For example, the IBM® BigFix® solution helps Infirmary Health IT staff keep the organization’s 4,000 workstations secure, up-to-date, compliant, and running at peak performance.
IBM QRadar® Security Intelligence Platform software, including IBM Security QRadar Log Manager and IBM Security QRadar SIEM, collects and analyzes data from network and security devices, services and operating systems, and applications to help staff quickly see developing threats. As a result, the organization has comprehensive visibility and can detect and identify “real-time” offenses and threats, something it could not do before. Infirmary Health IT personnel can also monitor user activity, allowing them to improve security policies and guidelines. Finally, they can monitor compliance and provide audit reports for auditors.
Through the tight integration of IBM security solutions, the organization gains a “closed loop” system that can identify threats and alert security administrators to take the necessary corrective action based on observed conditions. For example, using the information collected by the BigFix solution, IBM QRadar software can see immediately if someone is trying to exploit an operating system vulnerability, and then alert the security team to use the BigFix solution to remediate the condition, such as applying a software update.
Proactively defending against internal and external threats
According to Stephens, IBM security software offers critical capabilities to meet meaningful use requirements including:
Continuous patching of endpoints for zero-day protection. “We’ve gone from an average of 40 percent patch compliance to 90 percent patch compliance and I am confident that we have stopped malware and other vulnerabilities because these machines are properly patched,” says Stephens.
Near-real-time protection from malware and other malicious threats through cloud-based virus definitions instead of traditional signature files. “When we used Symantec antivirus products, we had issues with new-to-the-market viruses,” says Stephens. “The move to IBM BigFix has been a positive one and helped us stop this type of problem.”
Secure transmission of patient information. “Workstations that are used to access and transmit patient information are secured and locked down using IBM security software,” says Stephens.
360-degree visibility of enterprise security to help IT staff detect threats that might otherwise be missed. “With IBM QRadar software, we can now better defend against internal and external threats,” Stephens says. “We can see exactly who is doing what. We know if there are external attacks or unauthorized people trying to get into our networks. We can monitor for compliance policy violations and provide the reports auditors require. And with the new intelligence we’ve gained, we’ve applied new settings that strengthen our security posture and reduce the number of potential security incidents significantly.”
Qualifying for meaningful use dollar incentives from the federal government
The solution helps Infirmary Health System not only meet HIPAA and meaningful use requirements for data security, but also easily demonstrate compliance for federal incentives. Audit reports that once took Stephens’ team weeks to create can now be generated in minutes.
“We can now quickly, easily and accurately produce audit reports for HIPAA and meaningful use compliance,” says Stephens. “This has helped us obtain a considerable amount in meaningful use incentive dollars.”
Managing physicians’ mobile devices
For Stephens, the solution also enables his team to secure physicians’ mobile devices, and clear a device of sensitive data if it is lost or stolen.
“The Bring-Your-Own-Device trend is becoming more of an issue for healthcare as physicians look to access applications and data using their own mobile devices,” says Stephens. “With IBM mobile device management capabilities, we have a unified platform that enables us to give our physicians the access they need, while confirming that access is secure.”
Reducing operational costs with improved endpoint management
While compliance mandates drove the organization’s investment in a new solution, the IT team has also used the solution to reduce operating costs and improve the end-user experience.
Here are just a few improvements that Stephens says the organization has realized with near-real-time visibility and control of its endpoints:
Reduced licensing costs and enhanced licensing compliance with greater visibility into software usage. “Microsoft did not do an audit this year because we could provide comprehensive usage analysis reports,” says Stephens. “And, with a better view of how software is being used, we have saved countless hours tabulating license inventory and avoided compliance fines from various vendors.”
Improved end-user experience and extended the useful life of workstations. “Other antivirus solutions tend to use up CPU performance,” he says. “With BigFix, our workstations run without user slowdown times as with other antivirus software.”
Reduced the time to deploy software by 95 percent. “We deployed our EPIC EMR applications to all our desktops in just a few days,” says Stephens. “Before, this would have taken us nearly eight weeks.”
Improved IT planning by delivering accurate asset inventory in minutes. “In the past, we had to physically go out to each site to take inventory, which could take weeks,” says Stephens. “Now, I can get the same information within a few minutes, which expedites planning and support tremendously.”
Decreased the time to resolve help desk requests by 50 percent with remote control capabilities.
“We can handle the rapid change and address evolving requirements without having to increase our staffing requirements,” says Stephens. “Without this solution, we would have never been able to keep up.”