McAfee Secures Patient Data and Helps Berkshire Health Systems Stay Compliant

Berkshire Health Systems (BHS) is the leading provider of comprehensive healthcare services to Berkshire County and surrounding regions in western Massachusetts. A private, not-for-profit organization, BHS employs 5,400 medical and administrative staff in more than 20 locations, including the Berkshire Medical Center, Hillcrest Campus, Fairview Hospital, Berkshire Visiting Nurse Association, BHS physician practices, and long-term care associate Berkshire Healthcare Systems. Recognized nationally for delivering the highest quality, patient-centered care, BHS has experienced significant growth over the past few years.

Explosive Growth Hinders Compliance with Privacy Regulations
“The rapid pace at which we’ve been growing has exacerbated the challenge of complying with Massachusetts CRM17 and HIPAA privacy regulations,” explains Paul Doucette, senior technical security engineer at BHS. “In the past two years, we have added 2,000 systems to our network, more than doubling the total number of endpoints and potential data exit points.”

BHS now has 3,700 PCs, laptops, and servers to protect, and that number continues to grow. “We were particularly concerned with the growth of portable media containing sensitive data,” says Doucette. “We knew we needed to monitor the use of removable data and block sensitive data from leaving without authorization, yet still enable BHS staff to work with the data away from the office.”

Easy to Add Data Protection Thanks to Central Console
To protect data across its growing number of systems and comply with privacy regulations, BHS turned to McAfee, a natural choice given that BHS had already been using McAfee Total Protection for Endpoint and the McAfee ePolicy Orchestrator (McAfee ePO) software management console to protect the enterprise’s endpoints from malware. “We loved how easy it is to manage security with McAfee ePO, and the idea of managing data protection as well as endpoint protection from the same, easy-to-use console made a lot of sense,” states Doucette.

Consequently, BHS implemented McAfee Total Protection for Data across its extended enterprise to provide device control, full disk and file and folder encryption, and host data loss prevention. “Just as we expected,” elaborates Doucette, “deployment of the McAfee data protection suite went extremely smoothly, and managing the new data protection functionality is seamless. Now when we look at [McAfee] ePO, we see at-a-glance information on both endpoint and data protection, and we simply click to drill down or produce reports on either.”

Saving Administrative Time and Hassle
“There’s no way our small IT staff could effectively manage protection for all of our endpoints and data without McAfee ePO,” says Doucette. “We added 2,000 systems, more than doubling the number we had initially, with no change in workload, thanks to [McAfee] ePO. It’s a life saver.” In addition to providing at-a-glance visibility into security status, McAfee ePO software also makes it easy to produce reports for auditors and management. For instance, BHS regularly shares McAfee ePO software-generated data loss prevention reports with senior management and the company’s privacy and security committee.

Safer Data and Easier Compliance
With McAfee Total Protection for Data and the McAfee ePO console, BHS can now quickly and easily create and enforce policies to keep patient data safe and to comply with privacy regulations. For instance, all patient records are now automatically encrypted, as are all events with three or more key identifiers, such as HIPAA disclosure, patient discharge, and medical records information. In addition, all BHS laptops are full-disk encrypted, and every time a removable storage device is used, it is logged as an event that is then reviewed by the Privacy and Security Committee. BHS does not prevent users from storing data on removable drives, but it does have policies in place to detect and force encryption.

“We now know every time protected health information leaves a system—and we can identify the user, machine, time and date, and files and content affected,” declares Doucette. “Tracking PHI data for the first time produced a few ‘eye openers’ that we would not have caught without the McAfee data protection.” For instance, a medical staff technician was regularly taking PHI data with him on USB drives to work on at home, and a doctor was saving recordings of patient interviews, including name, date of birth, and other personal information, as MP3 files on flash drives. BHS IT security staff informed the employees in question and educated them so that they replaced their unsafe practices with safe ones.

Security-as-a-Service Removes Email Management Burden
BHS also simplified security management and freed up additional administrative time by implementing McAfee Security-as-a-Service (SaaS) Email Protection. This McAfee cloud-based service filters incoming email, blocking spam and quarantining suspicious messages before they clutter employee mailboxes, or worse. All 5,700 mailboxes are now spam protected. Prior to using McAfee SaaS Email Protection, spam saturated BHS network bandwidth and clogged employee mailboxes, and a BHS IT administrator spent several hours each week dealing with hundreds of email-related action requests and identifying new spam. Now the 1,300 messages BHS receives each hour are automatically filtered by the McAfee service, which blocks approximately 92 percent of the messages before they enter the network and quarantines 8 percent, letting through the clean, legitimate email messages that make up less than 1 percent of inbound email traffic.

In addition, BHS is looking into McAfee SaaS Email Archiving. The archiving solution provides tamperproof secure storage to meet many compliance regulations, while also providing powerful email discovery with rapid search functionality for the retrieval of important documents. This easy management of inbound, outbound, storage, retention, retrieval, reports and audit trails is all maintained with continuous feature updates and does not require additional hardware or software purchases.

Simpler, More Effective Security Management
“Plenty of vendors offer similar security functionality in point solutions, but you end up with extra software on each device and multiple management consoles,” explains Doucette. “Having an integrated platform with one central console is so much simpler and more effective. I wouldn’t want to have to do my job without McAfee ePO and the McAfee Security Connected platform. [McAfee] ePO is the only way to go.”

Doucette also adds that while other hospitals in the country were offline for days several years ago because of Blaster and Sasser viruses, Berkshire Health Systems didn’t experience any outbreaks at all. “We are very happy with McAfee as our security partner,” concludes Doucette. “The company and its products make it easier for us to keep our patients’ data safe—and safe is what really matters.”

Berkshire Health Systems

Customer profile

Regional healthcare provider in western Massachusetts

Industry

Healthcare

IT environment

Approximately 3,700 PCs, laptops, and servers (up from 1,700 two years prior) spread across more than 20 locations

Challenges

Comply with HIPAA and state privacy regulations as the number and breadth of devices to manage continues to multiply

McAfee solution

  • McAfee ePolicy Orchestrator software
  • McAfee Total Protection for Data
  • McAfee Total Protection for Endpoint
  • McAfee SaaS Email Protection

Results

  • Removed email management burden and freed up several hours each week
  • Simplified security administration and system management of 3,700 machines
  • Provided comprehensive control of sensitive information to eliminate data loss
  • Allowed a small IT staff complete visibility into all endpoints and data
  • Afforded significant time savings due to centralized management and automated tasks