Liberty Behavioral Management provides substance abuse and mental health services at outpatient clinics and hospitals throughout the northeastern United States. Five hundred of the company’s 1200 employees regularly access its computer network in the HR and business offices, and in the next year it expects to increase that number to 700-800 users as it moves from a paper-based system to one that will allow nurses, doctors and therapists to access confidential patient records online.

Security of confidential documents is inherent to the health care business, and attention on the issue has grown since the 1996 enactment of the Health Insurance Portability and Accountability Act (HIPAA). The goal of HIPAA is to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange and by establishing national standards for such records. Liberty takes compliance very seriously.

Pre-McAfee: Three key security challenges

1. A distributed environment with limited IT staff
   While the majority of Liberty’s employees are spread across 17 small offices, outpatient clinics and hospitals, its entire IT staff and NOC is located in New York. That used to be a major concern for IT operations manager Greg Hopke, who worried about the lack of visibility into the network.
   
   "With no physical IT presence at any of our remote outpatient sites or hospitals, we just didn’t have a good handle on who was plugging into our network, and it was impossible for us to know what was really going on out there," Hopke said. "We’d have instances where auditors or sales people would bring in laptops and just plug right in, and that could have led to serious problems for the security of the entire network."
2. Internal threats
   In addition to geographical issues, Hopke said that Liberty’s own employees, however unintentionally, posed a threat to security. "Educating busy employees on security policies takes a lot of time and effort, and it’s hard to cover everything in such a limited amount of time. As a result, a lot of uneducated users don’t understand the damage they can do just by opening an email attachment or sharing a password. And the reality is that people sometimes bypass certain policies for convenience, which opened the network up to risk."
3. Healthcare is a 24/7 operation
   Downtime was another major area of concern for Hopke. The highly demanding healthcare business leaves little room for scheduling even routine network maintenance.
   
   "Admitting patients and inputting data is an around-the-clock operation, so acceptable windows for downtime are few and far between, and any unplanned downtime due to a security incident is a huge concern for us,” he said. “Before moving to McAfee we used a competitor’s product, and unfortunately we experienced pockets of downtime for up to three days because of virus issues."

Post-McAfee: Secure, centralized control of the network with limited downtime and full HIPAA compliance
Hopke became a McAfee customer in 2003 and remains one today. This month’s issue of Security Insights includes a detailed technical piece on the specific products he uses, which are fully integrated and offer him complete visibility into his well-protected network, as well as compliance with HIPAA standards.

Hopke said the most important benefit of using McAfee’s integrated products is that he now has centralized control over his network. "The best thing about McAfee is that it allows us to have our arms around the whole network, even though we’re not physically there," he said.

As for employee training on security policies, "all our new employees continue to go through training, and even more education will have to happen once our records are transferred to a digital format," Hopke said. "But finding the middle of the road between protecting the network and allowing people the access they need to perform their jobs can be a tough balance. McAfee alleviates that problem by providing that extra layer of control that’s critical to the overall security of the network."

Since switching to McAfee, Liberty hasn’t experienced downtime due to viruses of any kind. Hopke continues to do physical audits, but not as often because McAfee allows his team to conduct them remotely. He’s also cut down his patching schedule from monthly to quarterly. And creating HIPAA compliance reports is quick and simple.

Reliable products, reliable support
Hopke said he originally chose McAfee on the recommendations of friends in the industry who were customers. "From the beginning I’ve had a positive experience with McAfee, and one of the main reasons I remain a customer is because the support we get is top notch," he said. "We don’t have a big team, so we often don’t have the time to research problems and fix them ourselves. Knowing we can call for support and get issues resolved in a short amount of time is a big deal for us."

Hopke said he’s always evaluating Liberty’s security policies and looking for ways to improve, but overall he’s a lot more comfortable with the company’s security posture than when he first came on board. "HIPAA compliance, data loss, spam and spyware/malware continue to top our list of things to watch out for, but McAfee’s products do a great job of keeping these issues from becoming real problems. We have strict standards on monitoring what comes in and goes out via email, and spam is more of a headache now than a threat. The bottom line is that McAfee’s products work really well."

Spreading the word
"I get invited to security seminars all the time, and it seems like half the people are using McAfee products and are very happy with them, and the other half aren’t using McAfee and are looking for something better," Hopke said. "Since I switched to McAfee, I’m always telling people how thrilled I am."

Sounds like a satisfied customer.