Data Loss Prevention Case Studies

Mammoth Hospital's Prescription for Info Security Includes DeviceLock®

Mammoth Hospital’s great advantages and challenges start with its location in California’s Eastern Sierra mountain range, the spectacular country that lies southeast of Lake Tahoe and east of Yosemite National Park. The hospital system includes a 17-bed acute care hospital in Mammoth Lakes and 13 clinics spread across two remote mountain counties. The Mammoth health care system serves both permanent residents and the many tourists who visit surrounding wilderness areas and ski resorts. "On a busy holiday weekend, we see almost as many patients as a city hospital," says Paul Fottler, Mammoth’s IT Operations Supervisor.

On the topic of digitizing patient health information, Fottler explains, "The transition to electronic medical records is not slowed by Mammoth’s relatively small size and remote locations. In fact, it may be happening faster because we see so many non-resident patients with high expectations that we’ll be able to match care and communicate seamlessly with their home providers." Regarding Mammoth’s approach to information security and its recent purchase of DeviceLock endpoint data leak prevention software, he adds, "Likewise, we need to meet nationwide health care data security standards. We’re implementing DeviceLock on all local PCs to help ensure that patient health care records won’t be walking away on flash drives or other personal devices."

Online Access to Patient Data Contributes to Higher Quality Care

Mammoth Hospital is currently about half-way through a five-year transition to full support for electronic medical records. As a result, it has scaled up the use of PCs. Every work area has a computer, and doctors, nurses and administrative staff have come to rely on them.

In the back office, IT Operations oversees some 45 servers. Most of the servers run the Microsoft Windows operating system, but the core application for patient registration and billing, electronic scheduling and patient census runs on an IBM iSeries® server.

The next phase of the digitization process will add clinical documentation to the patient record. A doctor or nurse will then be able to see a patient’s vital stats on screen. Mammoth Hospital has its own onsite radiology, laboratory and pharmacy facilities, and they too will soon be integrated into the Health Information System. For example, if a doctor has ordered a lab test, the results will show up in the electronic patient record. Likewise, any medications that have been delivered to the patient through the pharmacy will be easily pulled up and verified. This will go a long way toward speeding up many care procedures and reducing the opportunity for error.

Delivering on this promise hinges on Mammoth IT Operations’ ability to keep systems up, running and secure. "The IT staff is not wearing scrubs, but we have a key role in ensuring that Mammoth patients receive the best medical care possible," explains Fottler.

"Those of us on the decision-making team for IT tools and equipment never lose sight of the fact that improved patient care is the goal. Among our greatest challenges are finding that middle ground between data usability/accessibility and security, and finding solutions that respect the hospital’s need to always strive for affordable care. Every expenditure, even an IT expenditure, is going to have an impact on the cost of health care for our customers. So we like to find solutions, like DeviceLock, that meet our functional as well as price/performance goals."

IT Operations is one of five separate divisions inside the IT Department. It teams with the Health Information Systems Group, a biomedical group charged with maintaining imaging and scanning equipment, and a one-man telecom department. Mammoth also has an Information Security Officer who reports to the Director of IT and is responsible for validating compliance with patient privacy standards. DeviceLock was evaluated and selected from among its market competitors by a committee that included both these individuals and Fottler.

Data Leakage Won’t Be a Mammoth Problem

As patient records become more complete, organized and accessible for caregivers, the job of securing them becomes a bigger responsibility for IT Operations. According to Fottler, "Our approach starts with setting clear policies and then training all staff in the behaviors that support those policies. We’ve really had no problem yet with employees violating patient record privacy. However, to go along with our policy against unauthorized downloading of patient data to devices, we needed a control in place. HIPAA requires that hospitals have a way of validating and providing evidence that no violation has occurred. DeviceLock provides both the control and auditing features that we needed to be compliant."

Fottler and his team liked that DeviceLock used a native Microsoft Windows mechanism, Active Directory, for user account access and audit policies. Another attractive feature is the ability to turn on auditing and tracking without necessarily controlling access to ports and drives. They need to be able to see what is going on more than they need to lock everything down. Today, they are not turning access off on any local PCs. In this first stage, they are just using DeviceLock as a monitoring platform. It’s a multitasking system that gives useful information. They want to observe and to have the ability to hold someone accountable if they upload or download contrary to policy.

"Eventually, we expect there will be a few places where we will be locking down permissions. If we start seeing things show up that shouldn’t happen, we will talk to the employees involved," says Fottler. "With DeviceLock in place, we have the ability to turn on the control features overnight if needed. The problem could be just a lack of awareness of policy and could be solved with education. An effective educational program is really the first line of defense. When everyone is trained, you have a self-policing workforce. If other employees were ever to see someone using devices in violation of policy, it would be reported."

Future Plans for DeviceLock at Mammoth

Mammoth Hospital is the only hospital within the more than 3000 square miles that make up Mono County, and it’s also the closest acute care facility for many people in neighboring Inyo County, another vast territory. Its network of clinics is crucial to extending care to its widely dispersed patient community. Mammoth’s IT Operations team also must stretch time and resources to keep computer services running at two remote clinics and two remote administrative offices located in Bishop, California, one of the region’s larger cities. "We really appreciate that DeviceLock gives us centralized management of remote installations. We could update permissions on a PC in Bishop from our DeviceLock console in Mammoth Lakes, if that were needed. That saves us a 30 to 40 minute drive," comments Fottler.

Remote staff use a secure VPN connection to the network when they access patient records from the Mammoth Health Information System. In normal workflow situations, there is no need to store this data locally on their servers or to move patient health data from a local server to personal storage, such as a flash drive. Still, Fottler and Mammoth’s Info Security Officer have noted the proliferation of devices in hospital work areas – music players, personal organizers, smart phones as well as flash drives. So they’ve been explicit in setting policy that prohibits moving patient records off the network onto these devices. Moreover, they have let employees know that DeviceLock is auditing in the background and reinforcing the policy.

Mammoth IT sees the promise as well as the peril of new device technology reaching their hospital. Today, Mammoth doctors and nurses don’t use handheld devices, but once clinical information is in the patient record that may change. Fottler predicts that there will be demand for a network-connected PDA-type device that caregivers can conveniently carry, making it possible to reference and update patient records at the bedside. "Faster, more accurate data at the point of service could enhance the quality of care - this is our ultimate mission," summarizes Fottler. With DeviceLock in place, this vision can be implemented securely and within compliance standards.
