Location: Seattle, Washington
Products: DatAdvantage, DataPrivilege
Seattle Cancer Care Alliance (SCCA) is a leader in the prevention and treatment of cancer. SCCA unites world-class surgeons, medical oncologists, radiation oncologists, and pathologists. By uniting resources from Fred Hutchinson Cancer Research Center, University of Washington Medical Center and Seattle Children’s Hospital, SCCA is in a unique position to offer outstanding outpatient services that leverage leading-edge research. With access to clinical trial data from the latest cancer-fighting techniques and technologies, SCCA doctors deliver revolutionary cancer treatment to their patients.
Before DatAdvantage, we could never be sure that a file wasn’t accessed when a password was compromised. Now I can confirm to management that we’re in the clear and no breach has occurred.
Besides managing the implementation of health applications and other systems, the IT Infrastructure Group at Seattle Cancer Care Alliance was also responsible for HIPAA data compliance and other data governance tasks. With their limited staff and resources, they were having difficulty meeting their HIPAA obligations while working on their other tasks and projects.
The SCCA IT department was looking for access management software that would reduce the time spent meeting HIPAA compliance requirements. The software also had to operate in a multi-platform environment.
Managing the IT services for a world-class institution means that every minute counts. As a health care organization, Seattle Cancer Care Alliance falls under HIPAA's data security and privacy regulations. SCCA takes its compliance obligations very seriously, but it faced a major challenge in finding the resources to run its key IT projects and initiatives while still meeting data security and privacy requirements.
According to Robert Nelson, Infrastructure Architect at Seattle Cancer Care Alliance, part of his data governance work involves tracking down unstructured data in files that have very broad permissions. Nelson was even occasionally coming across Excel spreadsheets containing sensitive medical information. Under the Access Control standard of the HIPAA Security Rule, healthcare organizations like SCCA must ensure that this protected health information, or PHI, is not viewed by unauthorized users. For Nelson and his IT team, this effectively means they are required to carefully review file permissions. Without automation, the IT group was spending 30 to 40 hours per week manually analyzing permissions and securing information.
“When the user, manager, or business administrator asked us to secure a folder in a special way because of HIPAA, it was a time consuming process,” says Nelson. “We didn’t really have up to date permission information because people were changing their groups and inheritance chains were very broken in directory hierarchies. Unfortunately, we were getting requests from data owners that were based on stale or inaccurate information. So we found ourselves doing some head scratching in trying to satisfy our users’ demands while keeping the permission structure consistent.”
Before coming to the Infrastructure Group, Nelson was working in another area in IT when he heard about Varonis from one of SCCA’s consulting firms. He was sold on Varonis from the start. “A consultant that I trusted and had worked with a number of times first told me about Varonis,” recalls Nelson. “I always read his emails closely. DatAdvantage just sounded like a really cool product, so I kept it in mind.”
Now that he was in charge of data governance operations in the Infrastructure Group, Nelson was able to get a purchase order approved for Varonis DatAdvantage and DataPrivilege. The Varonis installation went very smoothly, and Nelson and his team benefited from DatAdvantage almost from the beginning. After letting it collect file and user metadata for a few weeks, they began a serious analysis of their file systems.
From DatAdvantage’s reporting, they could tell where duplicate permissions sat on the tree, what the groups were, who their members were, and how the permissions actually worked in detail. For example, IT admins could see which groups gave an employee access to any given folder along any given branch of the tree. “Once I received those reports and cleaned up our key folders, I was able to adapt the reports from DA to be most useful for our needs,” says Nelson. After cleaning up permissions and user groups with DatAdvantage, the Infrastructure team had a far easier time correcting HIPAA compliance issues. Since they could see which groups “lit up” when they clicked on a folder in DatAdvantage, they immediately knew whether there was the potential for unauthorized access. This would have been very difficult before Varonis arrived. Nelson gained an immediate productivity boost as well: HIPAA compliance tasks that previously would have required the full-time attention of a technician could now be handled as one of many tasks performed by an admin.
The team also learned to use DatAdvantage to address another HIPAA requirement, the Breach Notification Rule, under which a covered entity must notify affected individuals and HHS when unsecured PHI has been accessed, acquired, used or disclosed without authorization. Meeting that obligation presupposes being able to determine whether such access actually happened. Nelson has been using DatAdvantage to examine files that may have been accessed by employees who he suspects have been the targets of a phishing attack.
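As an added illustration of the permission analysis described above (example code written for this page, not Varonis or SCCA tooling), the following Python model resolves, for a folder, which users can reach it and through which chain of nested groups, flags ACEs that grant broad principals, and lists the folders whose inheritance chain has been broken. The group names, folder paths and ACL entries are constructed sample data; the model handles allow ACEs only (no deny entries) and assumes a folder that has disabled inheritance carries its full ACL as explicit ACEs.

```python
"""Effective-access analysis over a folder tree with nested groups.

Added example (not Varonis or SCCA code). GROUP_MEMBERS, FOLDERS and the
principal names are constructed sample data. Simplifications: allow ACEs
only (no deny entries); a folder that has disabled inheritance is assumed
to carry its full ACL as explicit ACEs.
"""
from collections import deque

# Constructed nested group membership: group -> direct members
# (members may be users or other groups).
GROUP_MEMBERS = {
    "Domain Users": ["alice", "bob", "carol", "dave"],
    "Oncology-Staff": ["alice", "bob", "Oncology-Leads"],
    "Oncology-Leads": ["carol"],
    "Billing": ["dave"],
}

# Principals that effectively mean "everyone in the domain"; an ACE for one
# of these on a PHI folder is the broad-permission finding the text describes.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed folder tree: parent, whether the ACL inherits from the parent,
# and the folder's own explicit ACEs (principal -> rights).
FOLDERS = {
    r"\\fs1\clinical": {
        "parent": None, "inherits": False,
        "aces": {"Oncology-Staff": "Modify"}},
    r"\\fs1\clinical\trials": {
        "parent": r"\\fs1\clinical", "inherits": True, "aces": {}},
    r"\\fs1\clinical\phi-export": {
        "parent": r"\\fs1\clinical", "inherits": False,
        "aces": {"Domain Users": "Read", "Oncology-Leads": "Modify"}},
}


def all_users():
    """Every leaf (non-group) member seen anywhere in GROUP_MEMBERS."""
    return {m for members in GROUP_MEMBERS.values()
            for m in members if m not in GROUP_MEMBERS}


def expand_group(group):
    """Resolve nested membership: user -> chain of groups leading to that user."""
    users, seen = {}, set()
    queue = deque([(group, [group])])
    while queue:
        name, chain = queue.popleft()
        if name in seen:            # guards against circular nesting
            continue
        seen.add(name)
        for member in GROUP_MEMBERS.get(name, []):
            if member in GROUP_MEMBERS:
                queue.append((member, chain + [member]))
            else:
                users.setdefault(member, chain)
    return users


def effective_aces(folder):
    """Walk towards the root until an ACL that does not inherit, collecting ACEs.

    Returns principal -> (rights, folder the ACE is actually set on).
    """
    aces, node = {}, folder
    while node is not None:
        info = FOLDERS[node]
        for principal, rights in info["aces"].items():
            aces.setdefault(principal, (rights, node))   # nearest explicit ACE wins
        if not info["inherits"]:
            break
        node = info["parent"]
    return aces


def who_can_access(folder):
    """user -> list of grants: rights, the group chain ('via') and the folder
    on which the granting ACE lives. These are the groups that 'light up'."""
    grants = {}
    for principal, (rights, source) in effective_aces(folder).items():
        if principal in GROUP_MEMBERS:
            members = expand_group(principal)
        elif principal in BROAD_PRINCIPALS:              # Everyone / Authenticated Users
            members = {u: [principal] for u in all_users()}
        else:                                            # ACE set directly on a user
            members = {principal: [principal]}
        for user, chain in members.items():
            grants.setdefault(user, []).append(
                {"rights": rights, "via": " > ".join(chain), "ace_on": source})
    return grants


def broad_access_findings(folder):
    """ACEs granting a broad principal on this folder: review candidates."""
    return [(p, r, src) for p, (r, src) in effective_aces(folder).items()
            if p in BROAD_PRINCIPALS]


def broken_inheritance():
    """Non-root folders whose ACL does not inherit: where stale, duplicate
    permissions accumulate and where owners' expectations go out of date."""
    return sorted(f for f, i in FOLDERS.items()
                  if i["parent"] is not None and not i["inherits"])


if __name__ == "__main__":
    for folder in FOLDERS:
        print(folder)
        for user, g in sorted(who_can_access(folder).items()):
            print("   ", user, g)
        print("    broad:", broad_access_findings(folder))
    print("inheritance broken on:", broken_inheritance())
```

On the sample data the `phi-export` folder is the one a HIPAA review should stop at: it has disabled inheritance and carries a `Domain Users` read ACE, so every user in the domain reaches it, while `carol` reaches it twice (via `Domain Users` and via `Oncology-Leads`). Against a real directory the membership map would be pulled from LDAP and the ACLs from the file server; the resolution logic stays the same.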
“Before DatAdvantage, we could never be sure that a file wasn’t accessed when a password was compromised,” emphasizes Nelson. “Now I can confirm to management that we’re in the clear and no breach has occurred.”
After the team became comfortable with DatAdvantage, they implemented DataPrivilege to allow data owners to self-manage the permissioning process. “With DatAdvantage, they now have up-to-date permission information. The only folders that show up in DataPrivilege are the ones with unique permissions that can be managed by the owners,” notes Nelson. “They only really needed to contact us when they are having a problem with that, or are trying to do something that they don’t know how to do.”
Another big win for the Infrastructure Group was that with DataPrivilege, overall data governance was now in the hands of the hospital administrators, who were in a far better position to manage access rights and ultimately protect sensitive folders and files from unauthorized access.
The IT team discovered other important benefits beyond compliance and data security. With DatAdvantage’s ability to report event counts for user access, they could for the first time spot underutilized resources. Files or folders that were hardly ever accessed could be archived, saving space on their crowded file system.
Nelson also found other unexpected uses for DatAdvantage. “Someone is always accidentally dragging or dropping a folder to another location, so that people can’t find what they are looking for,” says Nelson. “In the past, we would have had to do a restore, but now we just go and look at the report in Varonis and see where the stuff got moved.”
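The three audit-trail questions raised on this page (what a suspected phished account touched inside a time window, which folders nobody has read or written recently, and where a dragged folder ended up) are all queries over the same kind of access-event record. The Python below, an added example and not Varonis or SCCA code, answers each of them over a small set of constructed events; the folder list, paths, accounts and timestamps are invented sample data, and a real run would read the events from the monitoring platform's export or the file server's audit log instead.

```python
"""Three questions answered from a file-access audit trail: what a suspected
compromised account touched inside a time window, which folders have had no
read/write in N days, and where a folder was moved to.

Added example (not Varonis or SCCA code). EVENTS and FOLDERS are constructed
sample data standing in for an exported audit trail and a folder inventory.
"""
from datetime import datetime, timedelta

# Constructed audit events: (timestamp, account, operation, path, destination)
EVENTS = [
    ("2024-03-04T09:12:00", "bob",   "read",  r"\\fs1\clinical\trials\protocol-17.docx", None),
    ("2024-03-04T09:40:00", "bob",   "read",  r"\\fs1\clinical\phi-export\q1-roster.xlsx", None),
    ("2024-03-04T21:05:00", "bob",   "read",  r"\\fs1\clinical\phi-export\q1-roster.xlsx", None),
    ("2024-03-04T21:07:00", "bob",   "read",  r"\\fs1\clinical\phi-export\labs-2023.xlsx", None),
    ("2024-03-05T08:30:00", "carol", "write", r"\\fs1\clinical\trials\protocol-17.docx", None),
    ("2024-03-05T10:02:00", "dave",  "move",  r"\\fs1\clinical\trials",
                                              r"\\fs1\clinical\phi-export\trials"),
    ("2024-02-01T11:00:00", "alice", "read",  r"\\fs1\clinical\archive-2019\summary.pdf", None),
]

# Constructed inventory of folders under review. A folder that never appears
# in EVENTS must still be reported, so this cannot be derived from the events.
FOLDERS = [
    r"\\fs1\clinical\trials",
    r"\\fs1\clinical\phi-export",
    r"\\fs1\clinical\archive-2019",
    r"\\fs1\clinical\hr-old",
]


def parse(events):
    """Turn the raw tuples into dicts with real datetimes."""
    return [{"ts": datetime.fromisoformat(t), "user": u, "op": o, "path": p, "dest": d}
            for t, u, o, p, d in events]


def accessed_during(events, account, start, end, ops=("read", "write", "move")):
    """Distinct paths `account` touched between start and end (ISO strings),
    i.e. the window in which a phished credential is believed to have been
    usable. An empty list means no recorded access in that window."""
    start, end = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return sorted({e["path"] for e in parse(events)
                   if e["user"] == account and e["op"] in ops
                   and start <= e["ts"] <= end})


def stale_folders(events, folders, as_of, days, ops=("read", "write")):
    """Folders (including everything beneath them) with no read/write in the
    `days` before `as_of`: archive candidates."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=days)
    stale = []
    for folder in folders:
        recent = [e for e in parse(events)
                  if e["op"] in ops and e["path"].startswith(folder + "\\")
                  and e["ts"] >= cutoff]
        if not recent:
            stale.append(folder)
    return sorted(stale)


def find_moved(events, name):
    """Move events whose source folder or file is called `name`, oldest first,
    so the last entry's 'dest' is where it currently lives."""
    hits = [e for e in parse(events)
            if e["op"] == "move" and e["path"].rsplit("\\", 1)[-1] == name]
    return sorted(hits, key=lambda e: e["ts"])


if __name__ == "__main__":
    print("bob, suspected-compromise window:",
          accessed_during(EVENTS, "bob", "2024-03-04T18:00:00", "2024-03-05T06:00:00"))
    print("stale folders:", stale_folders(EVENTS, FOLDERS, "2024-03-06T00:00:00", 14))
    for m in find_moved(EVENTS, "trials"):
        print("moved:", m["path"], "->", m["dest"], "by", m["user"], "at", m["ts"])
```

One caveat a practitioner would add to the "we're in the clear" conclusion: an empty result from `accessed_during` only demonstrates absence of access if the audit trail covers every server the account could reach and records reads as well as writes, which many default file-server audit configurations do not. Checking that coverage is part of the investigation, not an afterthought.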
In the near future, the IT managers at SCCA plan to extend Varonis DatAdvantage and DataPrivilege to analyze Microsoft Exchange and Active Directory, just as they have done with the file system. They hope to understand how permissions work in Exchange and to spot and remove old mailboxes. According to Nelson, there are many similar questions yet to be answered about these other environments.
With Varonis DatAdvantage, IT managers at Seattle Cancer Care Alliance are able to save administrators between 30 and 40 hours a week in correctly permissioning files and folders. They no longer have to manually hunt down group memberships and find the right data owners. Varonis DataPrivilege also frees up additional resources by allowing hospital administrators to self-manage the permissions for their own content, a task formerly done by IT.
With Varonis, the IT department can more efficiently meet HIPAA’s access control and breach notification requirements for protecting data against unauthorized access. DatAdvantage lets IT technicians quickly see which groups and users have access to folders. Since DatAdvantage records access events on the monitored file systems, the IT team can also determine when files have been viewed or copied, and then look for unusual patterns that would indicate an intrusion or other misuse.
The IT group now has full visibility into who has access to data and who is accessing data across its multi-platform environment. The team can also see recommendations on where to reduce access, and simulate access control changes in a sandbox before making production changes. As a result, access controls have been tightened, access to critical data is monitored, and data is better protected.