Memorial Hermann Healthcare System, headquartered in Houston Texas, specializes in clinical patient-centered care using leading-edge technology. Its network comprises 14 hospitals and specialty-care facilities including three hospitals in the Texas Medical Center, three heart institutes, and eight suburban hospitals serving residents in the greater Houston community and Southeast Texas.
In addition to ensuring HIPAA compliance and overall data security, Memorial Hermann’s Director of Information Security Randy Yates works diligently with 450 other IT staff to administer to the needs of more than 19,000 employees across the company’s network.
Proactive steps toward encrypting transportable media
In 2006, after weighing the consequences of potentially losing sensitive patient and hospital data on transportable media devices, Memorial Hermann decided to encrypt those devices as part of its IT security standards and policies. After consulting a number of expert sources, including Gartner Group’s Magic Quadrant of recommended security vendors and the company’s value-added reseller (VAR), Yates and his staff narrowed their target list to three data-encryption vendors.
After inviting each vendor to present and further evaluate Memorial Hermann’s encryption needs, Yates spoke to one additional reference, a major university in Texas. He learned that the university had completed its own extensive proof-of-concept and evaluation of McAfee Endpoint Encryption for Devices for preventing unauthorized access to sensitive data. Once Yates learned that the university had chosen McAfee because it allowed nearly 500 users per device, the choice was clear.
“Hearing such a strong referral for McAfee was the last step in our assessment. We bought McAfee, and we’re confident that our laptop data is secure,” acknowledges Yates.
Preparing for deployment
In October 2007, Memorial Hermann began the Endpoint Encryption for Devices deployment by first identifying all laptops and other transportable medical devices in its IT environment. Then the company identified all locked-down devices that were already secure, as well as devices that did not hold confidential data, so that they could be excluded from the encryption deployment. Lastly, Memorial Hermann validated that Endpoint Encryption integrated well with its standard workstation and laptop images and with its overall IT environment.
Once Memorial Hermann identified the order of deployment groups for encrypting its inventory of 2,005 transportable laptops and devices, the company began a detailed communications campaign with employees and staff. The campaign involved Yates presenting during CFO and facility-level administration meetings to ensure everyone was aware of the deployment and how it might affect their work. The campaign also involved sending letters to each employee the week before deployment, two days prior to deployment, and the day of deployment with detailed procedure documentation, to minimize impact on employees’ day-to-day work.
By June 2008, Memorial Hermann had deployed Endpoint Encryption to 98.5 percent of its 2,005 laptops and devices, using controlled deployments of 50 to 100 endpoints simultaneously. During the deployment, Yates’ group received no more than five problem tickets for crashed laptops. “Deploying McAfee was an insignificant event compared to the help desk tickets we usually get for other tech deployments,” says Yates.
Memorial Hermann also enlisted McAfee Professional Services to help with the configurations.
“During a complex implementation like ours, it can be tricky migrating users out of Active Directory into Endpoint Encryption and managing the directory structure,” says Yates. “So having McAfee’s expert team available during the initial configuration was critical to our success.”
Following the Endpoint Encryption installation, Memorial Hermann purchased and implemented McAfee Device Control to enforce device and data policies. This time, Yates and his team used a single group deployment rather than a staged deployment.
First, the company granted policy exceptions for external storage devices such as USB flash drives that were not catalogued on the network. After further integration testing and evaluations, Memorial Hermann deployed Device Control to 9,000 laptops and workstations of its 15,000 endpoints, bypassing 6,000 devices that Yates determined did not need device control.
“In three days we deployed Device Control to 90 percent of our target device group, and in two weeks we covered 99 percent. As far as deploying the agent for Device Control, there was nothing to it,” says Yates.
Implementing policies and exceptions
In the future, Yates looks forward to using McAfee to help Memorial Hermann streamline its security policies and exceptions, particularly in cataloging certain devices or processes that staff could continue to use but which would not be encrypted or managed.
For example, if a radiology lab technician uses an external drive to create a CD of a patient’s MRI for the physician, Memorial Hermann would simply bypass device encryption and control to allow that process to continue. “In a healthcare environment, you can’t enforce a global security policy that limits your users from accessing certain devices that may be part of their daily work just because you want to secure all data. You have to be flexible and realistic,” says Yates.
Memorial Hermann also uses McAfee ePolicy Orchestrator® (ePO™), a single, centralized management console, to oversee Device Control. Yates plans to bring Endpoint Encryption under ePO management soon as well.
“The ePO console is easy to use and provides reporting and management of the Device Control piece,” says Yates.
With ePO, Memorial Hermann also gains the ability to centralize its audit logs and collect usage data. Now the company can catalog every transportable media device in use.
Managing device encryption and control for the long haul
In the future, Yates looks forward to using ePO for more detailed assessments such as reporting which employees are using what devices, and into which laptops and workstations they are plugging those devices.
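As an added illustration of the kind of reporting described here (example code, not McAfee’s or Memorial Hermann’s; the audit-log format, device serials, host names and catalogue entries are constructed), the script below correlates a catalogue of approved transportable media with removable-media connect events, reports which users plugged which devices into which hosts, and flags devices that appear in the logs but not in the catalogue.

```python
"""Correlate removable-media audit events with a device catalogue.

Added example; the log format and catalogue are constructed for illustration
and do not reflect a real ePO export format.
"""
from collections import defaultdict

# Constructed catalogue of approved transportable media: serial -> purpose.
CATALOG = {
    "SN-RAD-0017": "radiology drive used to burn patient MRI CDs",
    "SN-ENC-2241": "encrypted corporate USB drive",
}

# Constructed audit lines: timestamp, host, user, device serial, action.
SAMPLE_LOG = """\
2008-06-02T08:14:03 RAD-WS-07 jdoe SN-RAD-0017 connect
2008-06-02T09:02:41 LAP-1142 asmith SN-ENC-2241 connect
2008-06-02T09:05:12 LAP-1142 asmith SN-UNKNOWN-9 connect
2008-06-02T11:40:55 RAD-WS-07 jdoe SN-RAD-0017 connect
2008-06-02T12:01:09 LAP-1142 asmith SN-ENC-2241 disconnect
"""


def parse_events(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, serial, action = line.split()
        events.append({"ts": ts, "host": host, "user": user,
                       "serial": serial, "action": action})
    return events


def usage_report(events):
    """Map each user to the devices they used and the hosts involved."""
    report = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["action"] == "connect":
            report[e["user"]][e["serial"]].add(e["host"])
    return {u: {s: sorted(h) for s, h in d.items()} for u, d in report.items()}


def uncatalogued_devices(events, catalog=CATALOG):
    """Serials seen in the logs with no catalogue entry: review candidates
    for either a documented policy exception or a block."""
    return sorted({e["serial"] for e in events} - set(catalog))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(usage_report(evs))
    print("uncatalogued:", uncatalogued_devices(evs))
```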
“In my opinion, transportable media encryption is no longer an option—it’s the standard for a good security program. If you don’t think it’s necessary, wait until you lose some data on a laptop or a USB drive, then find out how much damage it’s going to cause to your security program and your company’s reputation,” notes Yates.
Yates acknowledges that laptop thefts are a problem. However, since all laptops have been encrypted with Endpoint Encryption, he estimates it has saved the company immeasurable hours of remediation work in notifications and credit monitoring.
“We evaluate a security solution’s success by how much it saves us from spending on crisis management if we lose sensitive data. With McAfee, we’re investing in risk-cost avoidance for the long haul,” says Yates.