In-Depth

Case Study: HIPAA Concerns Push Network Security Solutions

A federal regulation forced a medical center to lock down privacy, which coincidentally increased savings.

Anyone who doubts the clout of federal security and privacy regulations in today’s health-care world should have a chat with Bob Burritt.

As director of technology for Kettering Medical Center Network, Burritt is in charge of the technology infrastructure for a group of five hospitals and 51 medical facilities in the Dayton, Ohio area, all within 40 miles of each other. The network supports some 10,000 users and 6,000 connected devices, ranging from servers to notebook computers and PDAs.

He estimates that if the network ever failed, it could cost his organization a million dollars a day.

Locking down the network can be especially tough for health-care organizations, with their typical mix of paper and electronic records, the need for long record retention, and the move to digital imaging. With the passage of the Health Insurance Portability and Accountability Act (HIPAA) security rule last April, protection of electronic records has been shoved to the forefront. (HIPAA’s privacy rule has been in effect for several years, depending on the size of the organization.)

For a health-care organization such as Kettering, HIPAA is huge, with specific security and patient privacy stipulations. Thanks to the regulation—which Burritt loves, by the way—Kettering underwent a major overhaul of its security infrastructure earlier this year, selecting and installing a variety of Symantec products and services for intrusion prevention, policy compliance, and client security.

Together, the solutions address both Kettering’s security concerns and the patient record handling privacy legally mandated by HIPAA.

The array of threat management products Kettering selected includes software (Symantec’s AntiVirus Enterprise Edition, Client Security, and AntiVirus for Handhelds), appliances (Symantec Network Security 7100 Series for intrusion prevention), and an early warning service (Symantec Managed Security Services).

Kettering is running a mostly Windows-based network on Cisco networking hardware, connected via a 2.4G Ethernet ring with high-level redundancy. The majority of the network is in the Dayton area, with the exception of a disaster recovery site 50 miles away in Cincinnati. Kettering has been using digital imaging for medical records for almost nine years, meaning there’s a large amount of data exchanged across the network—information that now must be secured under HIPAA. The network includes over 200 servers, both IBM and Tandem mainframes, and assorted desktops, notebooks, and handheld devices, both wired and wireless.

Kettering’s network is growing steadily. For example, Burritt’s 40-person team (there are 100-plus staff in the IT department, including help desk and support center personnel) is rolling out a physician order-entry and nurse-charting system over the next 18 months that will make all work by doctors and clinical workers completely electronic. Another goal: to give users single sign-on to the approximately 200 departmental applications the IT group currently supports.

The Push for Security and Privacy

Often, security initiatives come after a significant snafu, sometimes one that becomes embarrassingly public. Not so at Kettering. Motivated both by HIPAA and by rapid growth, the organization drew up a detailed RFP for its security and data privacy needs a year before the HIPAA deadline. The HIPAA compliance part was crucial—and support came all the way from the top. “As part of HIPAA, we have an information security and privacy officer,” Burritt explains. “I worked closely with him on all the security aspects.” The HIPAA officer, in turn, obtained executive approval for the plans.

After sorting through RFP responses, Kettering chose three frontrunners, then settled on Symantec. One selling point: although all three finalists were top names in the field, Burritt says Symantec got the nod partly because it offered a comprehensive package that included a security assessment, technology components, and policy-setting. “Policies were a big thing for us,” Burritt says. “We really didn’t have any security policies in place. Now we have [policies for] encryption, e-mail, [and] workstation use.”

Symantec began by sending two teams to Kettering over a three-week period to perform two assessments—one for compliance and one for network vulnerability.

For HIPAA compliance, Symantec helped Kettering identify more than 20 items it needed to add to its security procedures (including training and education) and policy development.

Although HIPAA was a big driver, Kettering had already realized it needed a network vulnerability assessment on its rapidly growing network, and had budgeted appropriately. “We hadn’t done [an assessment] for four or five years,” Burritt says, “so we were due. Between wireless and [new] LAN lines, we just keep growing.” Kettering will be budgeting for a vulnerability assessment yearly.

Calculating Returns

Burritt confidently predicts solid cost savings of at least $200,000 a year from the new security and privacy system. In addition to directly measurable savings, he says, “we can also take the time that we’re saving, which allows us to put more attention into meeting the business objectives of the organization.”

In calculating the return on investment, Burritt considers several key benefits: blocking worms and viruses before they invade Kettering’s 4,500 workstations, tracking and verifying that policy changes and patches have been made to the 200 servers on the network, and use of Symantec’s monitoring service.

The monitoring service, Symantec’s DeepSight Analyzer, gives Symantec access to Kettering’s logs, which it uses to monitor network activity for aberrations that might indicate an intrusion. “They have a way to process [the event logs] to figure out if something is happening. Then they contact us or page us,” Burritt says. Among other things, Symantec uses a global vulnerability database to give the medical center network warnings of possible threats.

Tracking policy changes to servers is also a key benefit. Symantec’s Enterprise Security Manager “allows us to put policies onto servers,” Burritt says. “As changes are being made, we’ll get reports. We can take a quick look, and verify that a change has taken place [as it should have]. That’s been a key product. … It saves going to 200 servers to make sure they’re configured correctly.”

Much of the anticipated ROI savings came from staff time no longer spent tracking and mitigating viruses and worms. That saves as much as two full-time employees a year, Burritt says, at a savings of $140,000 yearly.

With HIPAA lurking overhead, health-care organizations are forced to lock down networks and introduce better privacy and security policies. With the right planning and products, it needn’t be a nightmare. In fact, Burritt appreciates what the new law has fostered: “One of the things I like about HIPAA is that it’s an ongoing effort. You have to do an assessment each year. … Our HIPAA plan is a living, breathing thing.”

About the Author

Linda Briggs is the founding editor of MCP Magazine and the former senior editorial director of 101communications. In between world travels, she's a freelance technology writer based in San Diego, Calif.