Methodist Healthcare Ministries
Key Business Needs
Methodist Healthcare Ministries of South Texas, Inc., the largest private funding source of healthcare services for the region’s uninsured, faced several concurrent security challenges: the need to ensure HIPAA compliance for its new and existing partners, a geographically diverse IT team with limited security expertise, and increasing malware threats in the healthcare industry.
Tenable Products Selected
Methodist chose Tenable SecurityCenter View™ (CV) for its comprehensive vulnerability scanning, compliance, and reporting capabilities — a critical need to help it achieve HIPAA compliance across the organization.
Tenable helped Methodist set a HIPAA precedent and high compliance standard for all of its partners. Methodist can now audit each new partners’s systems against its templates to assure compliance and follow best practices. In addition, SecurityCenter CV’s passive scanning, risk assessment and automated reporting capabilities enable timely decisions and identify opportunities for improvement before they turn into vulnerabilities.
Methodist Healthcare Ministries of South Texas, Inc., the largest, private funding source of healthcare services for the uninsured in South Texas, faced several challenges:
- The need to enforce HIPAA compliance across the entire organization
- Advanced malware threats in the healthcare industry
- A geographically dispersed IT team with limited security expertise
HIPAA compliance served as the primary justification for Methodist Healthcare Ministries’ acquisition of SecurityCenter Continuous View™.
About Methodist Healthcare Ministries of South Texas, Inc.
Methodist Healthcare Ministries is a private, faith-based not-for-profit organization dedicated to creating access to health care for the uninsured in South Texas through direct services, community partnerships and strategic grant-making. The mission of the organization is “Serving Humanity to Honor God” by improving the physical, mental and spiritual health of those least served in the Rio Texas Conference area of The United Methodist Church. The mission also includes Methodist Healthcare Ministries’ one-half ownership of the Methodist Healthcare System, the largest healthcare system in South Texas, which creates a unique avenue to ensure Methodist Healthcare System continues to be a benefit to the community by providing quality care to all and charitable care when needed, and it provides revenue to Methodist Healthcare Ministries for its programs.
One of the main reasons for acquiring SecurityCenter CV was HIPAA compliance. Mark Holliday, Director of Information Technology & Services at Methodist Healthcare Ministries, explains. “We are a non-profit organization that provides direct services and invests in partner organizations through strategic investments, so we are connected to a variety of health systems including managing a health information exchange. We wanted to set a HIPAA precedent for all our partners, to stay ahead of the game and set a high compliance standard. We used the HIPAA use case to justify funding for SecurityCenter CV.”
A second reason for deploying SecurityCenter CV was the need to scan systems as new healthcare providers join Methodist Healthcare Ministries and before they go online.
The third driver for SecurityCenter CV was reporting. Locating vulnerabilities and reporting them out to the appropriate teams was time-consuming and inefficient. And reporting up to executives was also a challenge.
The Tenable Solution
Methodist Healthcare Ministries installed SecurityCenter CV with a 1,000 IP license in December 2014.
Holliday explains that the organization’s leadership wanted to establish a high standard for HIPAA compliance both internally and with external partners. “We expect our partners and providers to be HIPAA compliant to a minimum standard. For example, one project involves sending out data, predictors and analytics for diabetic patients. We need to make sure they are doing vulnerability scanning on the systems that house their healthcare data. We have to make sure that they are monitoring connections in and out of that system.”
Holliday is a proponent of the Center for Internet Security (CIS) Critical Controls. “While CIS is not specific to HIPAA, and SecurityCenter CV includes HIPAA templates, we at Methodist Healthcare Ministries decided to set up SecurityCenter dashboards for CIS compliance as our HIPAA program. If you are compliant with CIS, it almost guarantees that you are HIPAA compliant. The HIPAA Security Rule is incredibly vague about details, and we needed more than just due diligence checkboxes to set up HIPAA standards for the organization. We now audit each partner’s systems against our CIS templates to assure compliance with our high security standards. That assures our Board of Directors that our best practices are followed across the entire organization.”
Holliday is currently overseeing efforts to produce automated reports for the organization’s executive officers.
“We get a lot of information from SecurityCenter CV,” Holliday explained. “Automated reporting helps to put our data into a vehicle that enables timely decisions and identifies opportunities for improvement before they turn into potential vulnerabilities.”
James Kahl, CCNA and Network Administrator at Methodist Healthcare Ministries also points out the convenience of this particular solution. “With SecurityCenter, we have one tool that pictures the entire infrastructure. Not just vulnerability management and HIPAA compliance. Passive scanning is fantastic; PVS sniffs out outgoing traffic so I can make sure that PHI is not shared inappropriately. LCE has replaced our older event logs, and I can now search for specific types of events from one central console. We also use LCE for forensics. Without leaving the management console, I can see packets flying through the network. I get everything I need in one solution.”
Once SecurityCenter CV was deployed, Kahl noted the results were immediate. “The Nessus scanner discovered that one of our intranet servers was available to the outside through http with no encryption. It also found Heartbleed on that server. We were able to quickly close off access and use another vendor for those services.”
They also discovered devices that were not inventoried. “You miss a lot of systems as you grow or if someone leaves,” Kahl explained. “For example, we had a web server that was set up by an outside vendor for our PR department. Web designers didn’t manage the box; they just used the services on the machine. Someone needs to manage each server appropriately, but that wasn’t always happening. It’s a classic case of shadow IT. SecurityCenter really helped us make better decisions about asset control.”
Mark Holliday doesn'’'t hesitate to recommend SecurityCenter CV for other healthcare organizations. “I have nothing but excellent recommendations for the product and the company. My only advice to customers is to plan ahead before you deploy SecurityCenter. Dedicate someone to its operations. Know what you want it to do for your organization. One solution does it all, and SecurityCenter is excellent at what it does.”