Overseeing healthcare mergers from a security perspective
When much of a healthcare organization’s growth is derived from acquisition, there are undoubtedly a lot of moving parts. As the parent organization takes on new hospitals or practices, it must ensure that its IT and business strategies are implemented within the recent acquisitions.
Ray Hawkins, Genesis Healthcare information security officer (ISO), told HealthITSecurity.com in Part 2 of this Q&A that Genesis has a limited but very consistent application portfolio and it makes every effort to get new organizations onto that portfolio. For Hawkins, a synchronous environment is critical to managing IT security.
Our job post-acquisition is to work as quickly as we can to pull new employees at new sites into our IT processes and systems. We’ll swap out desktops and laptops so the new organization’s infrastructure is matching the rest of our sites. It’s far easier for us to do that in the short run versus extending it out, because we run into support issues if we have too many different architectures out there in our environment. Not much is virtual, as we have one single data center and we do a tremendous amount of virtualization within the data center. So for the preponderance of our server systems, from production tier 1 on through any sort of testing environments, more than 50 percent of what we have is virtualized.
What is Genesis’s mobile strategy?
We have a fairly robust mobile deployment. I think we’re on the front edge of putting mobile into our environment. We definitely see a strategic, business-aligned fit with moving to mobile systems and mobile applications. The future is really not seeing those carts on wheels all over a clinical setting and instead seeing the caregivers using smaller and more nimble devices. We’re two years into that type of deployment, so we feel fairly comfortable that we not only went through the process of doing that early, we also received a lot of lessons learned. We’re better positioned long-term to build on that strategy, where it won’t just be cost savings but also enable our clinical workers to not have such monolithic equipment that they have to call around just to do their work.
Are there any current projects your team is working on?
In terms of projects, the big thing on my team’s plate that we stay very focused on is constant improvement within our SIM. I think you’re going to see higher expectations from auditors to really look at how well we can monitor events that happen on a network while being able to articulate what users are doing and when they’re doing it. As the risk landscape becomes more challenging to us, we have to have really strong systems that can aggregate all of these neat tools that we’re putting out there and make sense of them for us. We’re really pushing vendors to provide strong solutions in that space.
Another area that a lot of organizations are dealing with is how to address texting issues with physicians and other caretakers. The way they personally use mobile is creeping into the workplace. How can we provide a strong solution or mitigate risk around users texting between each other during work? The solution space isn’t the strongest around that, but that’s certainly a project that we’re evaluating.
How has the HIPAA Omnibus Rule affected the way you connect with vendors?
The thing that gave vendor management a lot more urgency and color was the amount of retailer breaches last year, such as Target or Neiman Marcus. We want to do vendor management right, from the engagement part through the way we structure the BAAs. We need to know who our vendors are that have access to patient or employee data, what agreements are in place and which ones are the high-risk vendors.
From a physical security standpoint, for example, we don’t centrally manage how and when an organization locks their doors. That’s their domain to handle, but we have to put out guidance for the right ways to engage vendors.