February 15, 1999
Catholic Healthcare West: Healthy Security
IT security is particularly important in the health-care field because of the primacy placed on patient privacy. But most health-care providers are still behind the average company in their strategic application of all kinds of information technology. Catholic Healthcare West, a nonprofit hospital system in Phoenix, is grappling with both sets of challenges.
CHW, which owns 55 hospitals and other medical facilities in Arizona, California, and Nevada, didn't even have a public Web site until last year. So it's little surprise that once the hospital system was ready to embrace E-business, deploying an effective IT security framework and the appropriate procedures were fuzzy concepts.
Part of the issue was internal culture. CHW had always operated its hospitals as autonomous units. In terms of IT, the company supplied the infrastructure backbone but often didn't manage the facilities themselves. CHW's IT organization would issue only minimal technology and policy standards for the branches.
So when it came to setting security procedures, it was apparent the independent hospital units needed guidance. "When we were starting up our Internet applications, we had no real corporate direction on security," says Gary Mattson, CHW's senior lead of enterprise network management and security. "But then the driver for these applications was coming from the non-technology side."
The first step toward more homogeneous IT and security was CHW's move to one messaging platform: Microsoft Exchange. As a public health-care organization, CHW is required to comply with national standards for transmitting patient information, and the health-care provider wanted to synchronize directories so it could set and enforce E-mail policies, Mattson says. CHW deployed WorldTalk's WorldSecure Server, an E-mail firewall that blends S/MIME encryption and digital signature technology, to guard patient-related data.
CHW formerly conducted all electronic transmissions with doctors over dedicated leased lines. However, as doctors became more Internet-savvy, they started asking about using the Internet to transmit patient information to CHW facilities. CHW responded by setting up secure virtual private network WANs to communicate with affiliate medical personnel. The health-care concern also started handling some transmissions to other medical centers over VPNs.
Mattson says synchronizing disparate hospital systems, technologies, and procedures is always a challenge. To make sure that its partners are securing their transmissions as tightly as it is, CHW conducts a day-long audit of each partner. CHW evaluates things such as how the partner manages its firewalls and how it confirms and revokes access rights. CHW informs the partner if it falls short of any of its standards. The partner then can explain the reasoning behind its security setup or make the requested changes. "This isn't always easy, but it also isn't a dictatorial process," Mattson says, adding that the parties always reach a resolution.
CHW is also taking advantage of extranets as a way to streamline its purchasing and administrative operations. The health-care organization uses the Web to order computers and other administrative supplies. CHW, for instance, orders all of its Cisco equipment over an extranet, and it recently became Dell Computer's biggest health-care customer, with its own Dell Web page for checking the status of orders.
CHW, like other organizations, has had to contend with Web partners or suppliers that use a different type of encryption. Mattson hopes that the health-care field will standardize on one type of encryption, but he doesn't see it happening soon. The big push, he says, will come from end users.
Mattson says CHW's concerns aren't limited to finding the appropriate security technologies to guard data as it moves over the Internet. The IT group knew half the battle was getting the entire organization, from the CEO to the nurses, to understand the risks that accompany the rewards of using the Web. "Tools aren't even the most important part of deploying an effective security system for Internet applications," agrees PricewaterhouseCoopers analyst Murphy. "Consensus-building within the business is."
CHW began sorting out IT security when it began to standardize on Exchange 18 months ago. Mattson says CHW deployed the mail system first and later realized the implications of communicating over the Net. At the same time, CHW's personnel were gaining Web access for research purposes. Concerns about Internet abuse surfaced. Once Mattson's group began to consider the risks associated with letting personnel electronically send and receive information over the Web, it had to find a way to exercise some control. CHW's IT team also assessed Web activity and discovered instances of employees accessing Web sites deemed inappropriate.
Yet CHW's culture values the privacy of both patients and staff. For IT, that meant striking a balance between protecting patients and compromising employee freedom. For instance, given the medical nature of CHW's Web research, the IT staff couldn't block access to sites based on filtering searches for sexually oriented keywords.
The best solution seemed to be some written policy. Early last year, CHW's IT team drafted and circulated a document for every employee, stating rules of E-mail and Internet conduct. Perhaps more important, it made employees aware that their Internet activities weren't going unchecked.
In December, CHW revised the document to include input from across the organization. The revamped policy statement, which every CHW employee now signs, incorporates feedback from the physicians group, legal, risk management, and even the CEO. "We still don't open E-mail, but we do let people know inappropriate behavior is subject to discipline up to termination," Mattson says. Thus far, no incidents have led to punishment.
CHW Webmaster Noel McMichael, who's involved in extranet and intranet planning, says the business' understanding of IT in general and security specifically is improving. However, the nontechnical side of the organization still perceives security as something of an option.
"Business in general needs to get away from the perception that security is asset protection," says Mark Lobel, a manager in PricewaterhouseCoopers' technology risk practice. "Security is what enables business to happen, especially on the Web."