Health Organization Manages PHI in Complex Networks with Spirion-First Approach

To maintain its culture of security and privacy at all endpoints, athenahealth needed to locate and secure PHI to achieve several goals — including reducing data risks, increasing user awareness, and meeting HIPAA and HITECH compliance requirements.

athenahealth deployed Spirion as the nerve center of its endpoint HIPAA and HITECH security compliance to help overcome security gaps left by data-inmotion DLP, whole disk encryption, and user behavior activity software, so the company can limit its exposure and meet regulatory requirements.

Spirion helped athenahealth automatically discover and classify medical record numbers, Social Security numbers, credit card numbers, insurance numbers, and ICD 9 and 10 codes spanning all servers and endpoints, with best-in-class accuracy — ensuring optimized security compliance.

athenahealth’s mission is to empower doctors to focus on patient care by handling recordkeeping and other administrative burdens associated with maintaining an efficient medical practice. Protecting sensitive information and maintaining rigorous compliance standards is a core tenant of its mission.

“Ensuring security and reducing the risk of data breaches is the company’s top priority,” stated Melissa Verrill, Information Security Program Manager for Risk Management.

athenahealth identified three primary risk vectors to control: sensitivedata on lost or stolen laptops, accidental mishandling of sensitive information, and accidental exposure of sensitive information. athenahealth’s previous data-in-motion solutions, DLP scanning, and
endpoint whole disk encryption only covered part of the complete data lifecycle. Spirion added data-at-rest management to close the gap.

Installing Spirion’s server took less than one hour and only a few days to deploy the software to all 5,500 endpoints. Within one week, the IT team was creating athenahealth’s first comprehensive sensitive data heat map, corporate policies, and workflows.

athenahealth uses Spirion on a weekly or bi-weekly basis to scan its devices for databases, Words documents, Excel files, emails, PDF files, text files, USB drives, and more using automated workflows. After a Spirion scan and remediation, admins are better informed to confidently say sensitive data is likely not at risk under any scenario.

athenahealth admins are impressed with Spirion’s low false-positive result rate thanks to its advanced validation algorithms. For example, rather than matching any 9-digit number as a Social Security number, Spirion uses Social Security Administration data combined with keyword
searches, file-type-specific analysis, and proprietary analysis to significantly reduce false-positive results.

Admins are also pleased that Spirion automatically creates a robust PHI data inventory that demonstrates system-wide HIPAA compliance and gap analysis, persistent classification, detailed reports, and real-time dashboard analysis.

Depending on their role at athenahealth, multiple employees work with PHI, PII, and credit card numbers on a regular basis. “A top security risk at any company is that an employee will accidentally mishandle sensitive data,” stated Melissa.

Since launching Spirion, the IT Security team has been able to quantifiably improve employee data-security behavior. “Spirion helps us ensure people are doing so securely and safely,” notes Jake McAleer, Senior Manager of IT Security, athenahealth.

Perhaps the biggest lesson has been that employees are far more receptive to data security when they can see reports and run their own scans. With Spirion, employees can see where sensitive data resides and take corrective action when appropriate. Letting them clean their own system has been more successful than taking a centralized approach.

With Spirion’s active scanning technology, athenahealth is confident that its endpoints contain the minimum sensitive information possible (ideally none), reducing the risk that data is accidentally exposed.

Going forward, Spirion continues to successfully remediate athenahealth’s sensitive data — helping the company achieve its goals of risk reduction, user awareness, and regulatory compliance, while also safeguarding its reputation and market value.