Managed Services Provider:
HiTech Computers, Ruston, Louisiana. An 18-person shop focusing on healthcare IT networks, founded by President Richard Raue.
Reeves Memorial Medical Center, Bernice, Louisiana, a rural healthcare facility with 10 physicians and close to 90 employees, serving a community of 1,600.
HiTech wanted to present concrete evidence of HIPAA issues, in the order in which they needed to be addressed, to mitigate risks and establish a “Culture of Compliance” at the facility, using network assessment tools.
HiTech Computers had been providing ongoing IT services to Reeves Memorial Medical Center for several years, in addition to serving a roster of other healthcare customers in northern Louisiana. The company approached Scott Dickson, director of information technology at Reeves Memorial, stressing the urgency of HIPAA compliance and offering an assessment in addition to their regular networking services. Like many healthcare entities, the staff at Reeves Memorial was aware of the importance of HIPAA, but had been slow to develop a formal strategy, not knowing how to begin to address such a monumental task.
HiTech had long been using the Network Detective HIPAA Compliance module from RapidFire Tools, along with the accompanying Inspector appliance, to conduct network assessments on its healthcare customers. The combination of tools allows HiTech to conduct “deep-dive,” Layer 2 assessments, and also guides the IT company through the complete HIPAA review process. The data collected is used to create the crucial Risk Assessment and Management Plan reports required by HIPAA regulations—reports that can serve as evidence to document HIPAA compliance and avoid fees during an audit.
“Everyone knew we had to make changes to keep up with evolving HIPAA regulations, but no one knew where to start,” said Dickson. “We’d been approaching compliance by way of random changes, not knowing what the greatest threats to our network were. The vague nature of that approach made it difficult to get administrators on-board with a full-fledged program to improve patient data security.”
The value of the network assessment project was three-fold for Reeves Memorial, says HiTech’s Richard Raue. “It helped the medical center identify any current vulnerabilities, gave them confidence and direction to move forward with an overall HIPAA compliance program, and it assessed our own performance as their IT provider.”
HiTech used the Network Detective tools to craft a detailed presentation for Reeves’ top decision-makers. In addition to important information about the network data, it included recommendations on the center’s physical security policies, ranging from which doors and supply closets were sufficiently locked, to the way that charts were stored, to how patients’ records were displayed on staff desktops. The reports pointed out a series of vulnerabilities, and assigned a level of risk to each one. HiTech gave Reeves Memorial a clear outline of what items needed to be corrected, organizing those items according to their level of urgency.
When faced with a concrete listing of issues, administrators at Reeves were motivated to take immediate action. The center assembled a Risk Assessment Committee to investigate specific breaches. They created a formal staff training that explained how to avoid future breaches, outlined new policies, and raised awareness of both network and physical security concerns. Reeves Memorial was on-board to create a market-leading compliance program.
“When we provide HIPAA-related services, it’s never a break-fix approach. We want to create a culture of compliance within the organization,” said Raue. “Facilities often start out with a lot of apprehension when it comes to compliancy. But once they see the results of a comprehensive network assessment, they embrace the process.”
HiTech was contracted to address the network-based vulnerabilities and infractions revealed by the Network Detective’s HIPAA Compliance tool. These ranged from unauthorized personnel access to software and hardware updates. What’s more, HiTech was hired to conduct the staff trainings, continue network assessments on a regular basis, and execute an overall compliance program.
“We’re on site all the time now at Reeves Memorial,” says Raue. “We’ve got a Network Detective Inspector appliance permanently installed at the facility to conduct quarterly assessments, which include change reports that indicate any questionable behavioral patterns or new areas of concern.”
Scott Dickson has HiTech’s engineers conduct regular, unannounced inspections of the facility, covering both network activity and physical security, to make sure the staff is complying with the new policies. Overall, the facility has made patient data and network security a priority, giving it a level of awareness that had never existed before.
“We’ve become a trusted member of their team,” says Raue. “A network assessment is a long-term relationship-builder. When a client reveals their most crucial vulnerabilities to you, and is relying on you to address these issues, it puts you in a position of trust that is difficult to achieve any other way. You become a company that the client wants to keep around, since you’re so intrinsically vested in their business.” This strategy has led to ongoing growth for HiTech as an MSP in the healthcare market.
“HiTech’s assessment services have helped us better mitigate risks, avoid HIPAA penalties, and become a more secure facility with an increasingly robust network,” said Scott Dickson, director of information technology at Reeves Memorial. “Despite being located in a small rural community, this center is now ahead of the curve in its infrastructure and its overall security network policies.”