Children’s Hospital and Health System

How the Children’s Hospital and Health System met HIPAA compliance requirements with detailed data access auditing


The Customer

Location: Milwaukee, WI

Industry: Healthcare

Products: DatAdvantage

Children’s Hospital and Health System (CHHS) is one of the top ranked pediatric facilities in the United States. It is an award-winning independent health care system that is dedicated exclusively to the health and well-being of children. CHHS comprises fourteen organizations including three pediatric hospitals, a research institute, a network of primary care pediatricians, a philanthropic foundation and a wide variety of other medical resources. Together, these people work to improve the lives of children in Wisconsin, the United States and beyond.

DatAdvantage gives us the full solution we need to audit data access and to see user permissions. When it comes to understanding where permissions come from, we don’t have to guess ‘how does this user have access to this data?’

The Challenge

Children’s Hospital and Health System treats hundreds of thousands of children each year in its three hospitals and 70 specialty clinics. Naturally, the medical and hospital professionals who treat these patients need access to electronic patient data to provide the best care possible. CHHS is dedicated to protecting this patient information and ensuring that only those who are authorized can view, update or modify it. Beyond its own high standards of data protection, CHHS must also comply with Health Insurance Portability and Accountability Act (HIPAA) regulations. To meet its own standards and those of HIPAA, CHHS needed visibility into who had access to patient data, who was accessing this data, and who should have access to the data.

As Chuck Klawans, Information Security Officer for Children’s Hospital and Health System, explained, “We really needed to understand who was accessing data and what they were doing with it. It wasn’t even easy to determine what permissions users and groups had.” That’s challenging for an organization of any size, and even more so for CHHS, which has hundreds of thousands of patients, multiple terabytes of data, and thousands of employees who need access to the data to provide care and do their jobs.

While CHHS clinical information systems store patient data in databases, a variety of data is stored on file servers. Though not part of the official medical record, many of these documents contain patient data. Examples include letters referencing diagnosis, treatment, or financial matters, spreadsheets used for tracking and research, and notes (e.g., summaries of patient status, etc.) used to expedite shift changes. Sometimes, other hospitals send digital x-rays or other diagnostic scans. As is the case with many business environments, users store this information where they can get to it quickly to get their work done – often in folders on file servers.

Evaluation Parameters

In looking for solutions to these challenges, CHHS wanted an auditing solution that could track data access so they could monitor actual data use, conduct forensic investigations and demonstrate HIPAA compliance. “We need to be able to understand how users are accessing data, and if access patterns are changing over time; for example if someone has a new job function,” said Klawans. They also wanted a solution that could show them the access permissions users had, how users got those permissions, and could keep pace with changes in group membership and file share data. Keeping up with day-to-day changes was key, as was being able to address longer term changes as well. Klawans noted, “Five years ago we had two terabytes of data, today we have fifteen to twenty.”

The Solution

CHHS chose Varonis DatAdvantage for the organization’s data access and permissions auditing needs. In looking for commercial solutions, Mr. Klawans realized there was no other way to effectively audit data access on Windows file shares. Some solutions can read Windows audit logs, but the performance impact of turning on logging in the first place renders these solutions impractical. DatAdvantage provides full data access auditing.

In the first phase of incorporating DatAdvantage into their IT operations, CHHS is using the product to address their need to protect the privacy and security of patient data and ensure HIPAA compliance. Specifically, they use DatAdvantage to address Section 164.308, “Administrative safeguards”, portions (a)(4)(ii)(b) “Access authorization” and (a)(D) “Information system activity review”. After managing an initial 1 terabyte of data, CHHS will roll the solution out to manage the many terabytes of patient data in their data center.

Based on the visibility they are experiencing with this first phase, CHHS already sees other ways to leverage DatAdvantage to simplify IT operations. These include the day-to-day administration of users and groups, as well as help desk support for deleted or “misplaced” data – such as when users inadvertently drag and drop one folder into another. After this, CHHS foresees the opportunity to conduct full-scale “entitlement reviews”, where data access entitlements can be further aligned with business needs.

Business Benefits

Detailed audit log of all data access

Children’s Hospital and Health System’s own security standards and HIPAA compliance requirements demand detailed data access auditing. This audit log needs to be available on demand and cannot disrupt file server performance or availability. Varonis DatAdvantage enables CHHS to monitor all data and/or selected files, folders and individuals as the situation and the sensitivity of the information demand.

Full visibility of data permissions and how they were inherited

CHHS has to know who can access sensitive patient data, and whether that access is based on business need or inheritance. Operating system tools and conventional products cannot provide this visibility. Varonis DatAdvantage provides comprehensive visibility of which users can access any given data set and whether access entitlement was granted explicitly or inherited.
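The question Klawans raises, “how does this user have access to this data?”, comes down to walking a folder’s access control entries up the tree and expanding nested group membership. The following Python is an added illustration of that resolution, not Varonis code and not an interface of DatAdvantage; the folder tree, the groups and the user names are constructed for the example, and the model (an ACE propagates downward unless the folder blocks inheritance) mirrors how NTFS permissions behave.

```python
"""Trace where a user's file-share access comes from.

Added example (not Varonis code): a constructed folder tree with ACEs
and nested security groups, resolved the way Windows inherits
permissions down a tree. Answers "how does this user have access?".
"""
from dataclasses import dataclass, field


@dataclass
class Ace:
    principal: str          # user or group name
    rights: str             # e.g. "Read", "Modify", "FullControl"
    inherit: bool = True    # propagate to child folders


@dataclass
class Folder:
    path: str
    aces: list = field(default_factory=list)
    parent: "Folder | None" = None
    protected: bool = False  # True = inheritance disabled on this folder


# Constructed group membership, including one level of nesting.
GROUPS = {
    "Clinical-Staff": {"Nursing", "Residents"},
    "Nursing": {"alice"},
    "Residents": {"bob"},
    "Finance": {"carol"},
}

# Constructed share layout. Billing blocks inheritance from the root.
SHARE = Folder(r"\\fs01\patients",
               aces=[Ace("Clinical-Staff", "Read"), Ace("IT-Admins", "FullControl")])
CARDIOLOGY = Folder(r"\\fs01\patients\Cardiology", parent=SHARE,
                    aces=[Ace("bob", "Modify")])
SHIFT_NOTES = Folder(r"\\fs01\patients\Cardiology\ShiftNotes", parent=CARDIOLOGY)
BILLING = Folder(r"\\fs01\patients\Billing", parent=SHARE, protected=True,
                 aces=[Ace("Finance", "Modify")])


def expand_principals(user):
    """Return the user plus every group (direct or nested) that contains them."""
    found = {user}
    changed = True
    while changed:
        changed = False
        for group, members in GROUPS.items():
            if group not in found and members & found:
                found.add(group)
                changed = True
    return found


def effective_access(folder, user):
    """List (rights, principal, source folder, explicit|inherited) tuples
    explaining every path by which `user` reaches `folder`."""
    principals = expand_principals(user)
    results = []
    node, depth = folder, 0
    while node is not None:
        for ace in node.aces:
            if ace.principal not in principals:
                continue
            if depth > 0 and not ace.inherit:
                continue          # ACE does not flow to subfolders
            how = "explicit" if depth == 0 else "inherited"
            results.append((ace.rights, ace.principal, node.path, how))
        if node.protected:        # inheritance blocked here: stop walking up
            break
        node, depth = node.parent, depth + 1
    return results


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        for folder in (SHIFT_NOTES, BILLING):
            print(user, folder.path, effective_access(folder, user))
```

The output for alice on ShiftNotes shows no entry on the folder itself; her Read right is inherited from the share root through Nursing, which is nested in Clinical-Staff. That chain is exactly what an entitlement review needs to see before deciding whether the access reflects a business need or merely an inheritance nobody revisited.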

Access revocation recommendations

The data access needs at CHHS evolve and change over time. Job roles and responsibilities change, projects end, and medical residents and medical students finish their multi-year stays. CHHS also has consultants and contractors that may need permissions assigned for just a few days, weeks or months. Varonis DatAdvantage monitors and analyzes user-to-data access patterns, and recommends revocations on the basis of that analysis.