Methodist Healthcare Ministries
“I have nothing but excellent recommendations for the product and the company. One solution does it all.”
Key Business Needs:
Methodist Healthcare Ministries of South Texas, Inc., the largest private funding source of healthcare services for the region’s uninsured, needed to ensure HIPAA compliance for its new and existing partners and protect itself against the increasing malware threats in the healthcare industry.
Product(s) used:
Methodist chose Tenable.sc™ Continuous View for its comprehensive vulnerability scanning, compliance, and reporting capabilities, a critical need to help it achieve HIPAA compliance across the organization.
- 2 primary care clinics
- 2 health centers
- $230M in grants
- 74 counties served
Challenge
Methodist Healthcare Ministries of South Texas, Inc., the largest private funding source of healthcare services for the uninsured in South Texas, faced several challenges:
- The need to enforce HIPAA compliance across the entire organization
- Advanced malware threats in the healthcare industry
- A geographically dispersed IT team with limited security expertise
HIPAA compliance served as the primary justification for Methodist Healthcare Ministries’ acquisition of Tenable.sc Continuous View.
About Methodist Healthcare Ministries of South Texas, Inc.
Methodist Healthcare Ministries is a private, faith-based not-for-profit organization dedicated to creating access to health care for the uninsured in South Texas through direct services, community partnerships and strategic grant-making. The mission of the organization is “Serving Humanity to Honor God” by improving the physical, mental and spiritual health of those least served in the Rio Texas Conference area of The United Methodist Church. The mission also includes Methodist Healthcare Ministries’ one-half ownership of the Methodist Healthcare System, the largest healthcare system in South Texas, which creates a unique avenue to ensure Methodist Healthcare System continues to be a benefit to the community by providing quality care to all and charitable care when needed, and it provides revenue to Methodist Healthcare Ministries for its programs.
The Problem
One of the main reasons for acquiring Tenable.sc Continuous View was HIPAA compliance. Mark Holliday, Director of Information Technology & Services at Methodist Healthcare Ministries, explains. “We are a non-profit organization that provides direct services and invests in partner organizations through strategic investments, so we are connected to a variety of health systems including managing a health information exchange. We wanted to set a HIPAA precedent for all our partners, to stay ahead of the game and set a high compliance standard. We used the HIPAA use case to justify funding for Tenable.sc Continuous View.”
A second reason for deploying Tenable.sc Continuous View was the need to scan systems as new healthcare providers join Methodist Healthcare Ministries and before they go online.
The third driver for Tenable.sc Continuous View was reporting. Locating vulnerabilities and reporting them out to the appropriate teams was time-consuming and inefficient. And reporting up to executives was also a challenge.
The Tenable Solution
Methodist Healthcare Ministries installed Tenable.sc Continuous View with a 1,000 IP license in December 2014.
Holliday explains that the organization’s leadership wanted to establish a high standard for HIPAA compliance both internally and with external partners. “We expect our partners and providers to be HIPAA compliant to a minimum standard. For example, one project involves sending out data, predictors and analytics for diabetic patients. We need to make sure they are doing vulnerability scanning on the systems that house their healthcare data. We have to make sure that they are monitoring connections in and out of that system.”
Holliday is a proponent of the Center for Internet Security (CIS) Critical Controls. “While CIS is not specific to HIPAA, and Tenable.sc Continuous View includes HIPAA templates, we at Methodist Healthcare Ministries decided to set up Tenable.sc dashboards for CIS compliance as our HIPAA program. If you are compliant with CIS, it almost guarantees that you are HIPAA compliant. The HIPAA Security Rule is incredibly vague about details, and we needed more than just due diligence checkboxes to set up HIPAA standards for the organization. We now audit each partner’s systems against our CIS templates to assure compliance with our high security standards. That assures our Board of Directors that our best practices are followed across the entire organization.”
Holliday is currently overseeing efforts to produce automated reports for the organization’s executive officers.
“We get a lot of information from Tenable.sc Continuous View,” Holliday explained. “Automated reporting helps to put our data into a vehicle that enables timely decisions and identifies opportunities for improvement before they turn into potential vulnerabilities.”
James Kahl, CCNA and Network Administrator at Methodist Healthcare Ministries, also points out the convenience of this particular solution. “With Tenable.sc, we have one tool that pictures the entire infrastructure. Not just vulnerability management and HIPAA compliance. Passive scanning is fantastic; Nessus Network Monitor sniffs out outgoing traffic so I can make sure that PHI is not shared inappropriately. LCE has replaced our older event logs, and I can now search for specific types of events from one central console. We also use LCE for forensics. Without leaving the management console, I can see packets flying through the network. I get everything I need in one solution.”
The Results
Once Tenable.sc Continuous View was deployed, Kahl noted the results were immediate. “The Nessus scanner discovered that one of our intranet servers was available to the outside through http with no encryption. It also found Heartbleed on that server. We were able to quickly close off access and use another vendor for those services.”
They also discovered devices that were not inventoried. “You miss a lot of systems as you grow or if someone leaves,” Kahl explained. “For example, we had a web server that was set up by an outside vendor for our PR department. Web designers didn’t manage the box; they just used the services on the machine. Someone needs to manage each server appropriately, but that wasn’t always happening. It’s a classic case of shadow IT. Tenable.sc really helped us make better decisions about asset control.”
Recommendation
Mark Holliday doesn't hesitate to recommend Tenable.sc Continuous View for other healthcare organizations. “I have nothing but excellent recommendations for the product and the company. My only advice to customers is to plan ahead before you deploy Tenable.sc. Dedicate someone to its operations. Know what you want it to do for your organization. One solution does it all, and Tenable.sc is excellent at what it does.”
Website: http://www.mhm.org/