Mercy Health and Aged Care Central Queensland Limited

How Mercy Health meets compliance standards and achieves a least privilege model


The Customer

Location: Central Queensland: Rockhampton, Yeppoon, Gladstone, Bundaberg and Mackay

Industry: Healthcare

Products: DatAdvantage, DataPrivilege

Mercy Health and Aged Care Central Queensland Limited (MHAC) is a not-for-profit Catholic organisation committed to delivering the highest quality of health and aged care to the community of Central Queensland. It has dedicated professional staff working in a team environment to deliver relevant, compassionate, innovative and responsive care. MHAC currently employs approximately 1,400 people working across:

  • 5 Private Hospitals located in Mackay, Rockhampton, Gladstone, Bundaberg and Yeppoon
  • 3 Residential Aged Care Facilities in Rockhampton
  • 2 Retirement Villages in Rockhampton
  • Day Respite and Day Therapy Centres in Rockhampton
  • Mackay Day Surgery Unit
  • Linen and Food Services in Rockhampton
  • Corporate Office located in Rockhampton

It believes in providing services to all people, guided by values of compassion, human dignity, justice, service and special concern for the poor.

With its complete audit trail and reporting capabilities, Varonis DatAdvantage and DataPrivilege easily allow us to demonstrate compliance with various Industry Security standards.

– Marcia Healy, Information Security Officer, Mercy Health and Aged Care Central Queensland Limited

The Challenge

With various information security standards to adhere to, MHAC needed transparency into who was accessing its data, and what they were doing with it. In addition, with nearly 400 workstations and a user base of 600, MHAC also needed an easier, holistic approach to controlling access to its data.

Marcia Healy, Information Systems Officer for MHAC, explains, “As part of compliance with various legislatures, we needed a mechanism to provide visibility into who was accessing our data. We were also conscious that our IT team were receiving, and provisioning, access requests which, although technically capable, they did not have adequate data context, value or other relevant insight on which to base these decisions.”

Evaluation Parameters

MHAC knew it needed to improve visibility, and control, of users’ access rights. Marcia explains, “We knew that certain groups had various access rights, through NTFS permissions. However, this was exceptionally complicated as we did not have a holistic view. We needed transparency to be able to monitor who was accessing information and identify what they were doing to it.”

Due to the nature of the organisation, MHAC’s workforce includes a large percentage of shift workers, further complicating users’ access permissions. MHAC did evaluate alternative solutions to audit and manage shared folders and files. However, it found that these other solutions, instead of retaining the NTFS permissions, were building an extra private access layer. This was an obvious risk should the system ever need to be uninstalled or stop functioning for any reason. The Varonis system solved this issue as it retains all the NTFS permissions, so all shared files would still be protected even if it were ever uninstalled or stopped working in the future.

The Solution

Varonis DatAdvantage and DataPrivilege ensure MHAC can meet these challenges. The solution allows MHAC to identify who is accessing its information and what they are doing with it. With a complete audit trail, MHAC can prove policies are in place, and being adhered to, to satisfy compliance with various national and international information security standards.

Starting with one of its Aged Care facilities, MHAC used Varonis to maintain the management of data ownership. From this point it nominated, with the help of the system, data owners who were then trained in managing their own data privileges. Marcia explains, “The solution automatically identifies who the likely data owners are and they are then empowered to assign the permissions for their information. Anyone who needs access to files can raise a request which is directed to the relevant data owner automatically who provisions the request. It also allows us to remove access rights from groups, without having to go through them one by one, when someone terminates their employment which previously was a huge job.”

MHAC has already started to classify data, and identify data owners, in other parts of its business. In the coming months, it will meet with all its clinical quality and risk staff to introduce them to the system and train them in its use, before fully rolling out across the organisation. Marcia clarifies, “From our first integration we discovered that its user-friendly interface means it’s very easy for people to use and training isn’t too arduous. The fact that it’s also supported by automated workflows, in email, is a real benefit as it’s simplistic and users are familiar with the interface.”

Speaking specifically about the improvements MHAC has been able to make, Marcia concludes, “An immediate benefit is, by removing the onus of this responsibility from IT, the process of provisioning users becomes far more efficient as people are now dealing direct with managers who can action the request immediately. It also strengthens security to sensitive data as the appropriate person is making the decision of who does and doesn’t have access. This is great both morally and administratively. Although we haven’t made a full cost analysis, we predict ROI within three to six months, which is just phenomenal.” MHAC expects to complete its integration across the entire organisation by end of September 2012.

Business Benefits

Demonstrate Compliance with information security standards

With a complete audit trail, MHAC can prove policies are in place, and being adhered to, to satisfy compliance with various national and international information security standards. It also strengthens security to sensitive data as the appropriate person is making the decision of who does and doesn’t have access – great both morally and administratively.

Transparency into who is accessing its data, and what they are doing with it

MHAC can not only classify its data, but also identify who is accessing the information and what they are doing with it.

An easier, holistic approach to control access

The process of provisioning users becomes far more efficient as people are now dealing direct with managers who can action the request immediately. Marcia explains, “The solution automatically identifies who the likely data owners are and they are then empowered to assign the permissions for their information. Anyone who needs access to files can raise a request which is directed to the relevant data owner automatically who provisions the request. It also allows us to remove access rights from groups, without having to go through them one by one, when someone terminates their employment which previously was a huge job.”