HIPAA Compliance Case Study

Case Study | 2006

HealthSouth, one of the nation’s largest providers of outpatient surgery, diagnostic imaging, and rehabilitative healthcare services, operates facilities nationwide.

HealthSouth Corporation

Company size:
• ~40,000 employees with revenues of ~$3.6 billion

Deployment:
• More than 50,000 nodes in a corporate network scaling across more than 1,200 different facilities
• One Preventsys Security Risk Management server and three Assessment servers

HealthSouth turned to Preventsys, now a member of the McAfee® corporate family, in 2004 after being referred by Electronic Arts, the world’s leading interactive entertainment software company. In the wake of the Health Insurance Portability and Accountability Act (HIPAA) and other legislation like Sarbanes-Oxley (SOX), HealthSouth needed a system that would enable it to easily demonstrate due care to auditors. Non-compliance, in addition to being a legal headache and a disservice to patients, is costly to healthcare organizations. HealthSouth sought a more efficient way to proactively protect patient data records, comply with HIPAA guidelines, and implement a workflow system that integrated with its help-desk system.
At the time, HealthSouth had not been fully successful in tracking remediation efforts and demonstrating to management the positive impact IT security was providing. For Rusty Yeager, HealthSouth’s chief technology officer (CTO), automated reporting was critical to be able to consistently demonstrate improvement and accountability to the organization’s executive management team.

To cost-effectively report ongoing compliance with published regulations such as HIPAA, SOX, and custom policies across its heterogeneous network

“We were looking for a way to automate a time-consuming, inefficient, and manual process for tracking remediation across our patient and administrative systems and remote facilities.”
—Rusty Yeager, CTO, HealthSouth

McAfee Preventsys solutions enabled HealthSouth to gain a comprehensive view of its security risks, automate reporting on compliance to published security standards, and prioritize the remediation of critical risks across its vast network. With the McAfee Preventsys solutions, HealthSouth cost-effectively protects thousands of confidential patient records, ensures the high availability of critical patient systems, and easily reports compliance to the executive team.

After an extensive review, HealthSouth selected McAfee Preventsys™ security risk management solutions for an enterprise deployment in its corporate data center, spanning across 50,000 nodes. Implementation was completed in a timely manner and immediately HealthSouth was able to complete HIPAA compliance audits on time and within trending windows that supported its overall HIPAA certification.

Like many companies, HealthSouth didn’t have a good way of tracking systems compliance to its own internal security policies. HealthSouth’s information security group performed audits using a range of open-source and in-house auditing tools. HealthSouth had information security policies in place to ensure network security; however, it was too resource-intensive to manually audit every single remote facility due to the size of the network and the limited security staff.


• Reporting compliance with regulations such as SOX and HIPAA
• Controlling costs associated with manual auditing
• Prioritizing the volume of critical remediation tasks
• Protecting several thousand system users and patient data records that must be kept secure per HIPAA

Due to the geographically dispersed outpatient centers and rehabilitation hospitals, HealthSouth’s network was large and distributed. Like most large enterprises, its heterogeneous network was comprised of various devices with different requirements for access, control, and security. Each of these devices produced hundreds of reports that measured the latest security risks and threats to the business. This created silos of data across the enterprise that overwhelmed the limited security staff and made it difficult to assess which issues needed to be addressed first. “We needed a way to consolidate independent sources of data from custom, commercial, and open-source tools, correlate this information, and quickly identify situations where security and regulatory policies were not adhered to—avoiding costly mishaps, hefty fines, and legal exposure,” said Yeager.

McAfee Preventsys solution:
• Automated the painful process of reporting against regulations on demand
• Created a sustainable and affordable solution to demonstrate compliance
• Minimized legal and regulatory exposure
• Ensured the prioritization of key issues through integration with the help-desk system

Yeager understood he had to manage his limited resources wisely to ensure the corporate security objectives were being met. In addition, it was his responsibility as CTO to balance the company’s mission to be innovative with the need to be cost-effective. He recognized that his team did not have the bandwidth to react to every new threat and risk posed to the organization. With the help of Preventsys solutions from McAfee, HealthSouth incorporated a risk-based security management methodology to identify, proactively manage, and correct network and system security vulnerabilities and configuration errors. First, Yeager and his team identified how they needed to protect their most critical applications. Second, the security team consolidated and correlated information from multiple vulnerability, configuration, and threat management tools into a centralized risk and compliance dashboard. This dashboard would enable the security team to consistently communicate the state of HealthSouth’s security to the executive team.

“PolicyLab gave us an automated way to enforce ready-made HIPAA security policy.”
—Rusty Yeager, CTO, HealthSouth

Next, the security team determined HealthSouth’s compliance with its established security standards and regulatory policies. Using Preventsys PolicyLab™, a unique, customizable policy-development environment, HealthSouth imported its corporate policies and security standards into the Preventsys system. PolicyLab technology directly linked each compliance requirement to a description of how to technically verify network adherence to that requirement. This provided HealthSouth with the ability to automate the manual audit process and consistently report against established policies, security standards, custom policies, and regulations like HIPAA and SOX. This significantly reduced the costs of pre-audits and provided executive-level insight into the company’s security-compliance initiatives.

McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, 888.847.8766, www.mcafee.com McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2006 McAfee, Inc. All rights reserved. 5-cor-hs-psys-001-0906
