HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

UMass Improves Security and Saves $1M by Using SecureLink’s VPAM Solution

Healthcare organizations typically have dozens of vendors that require access to their internal networks and applications to provide essential services. Providing third parties with access to internal networks is necessary but not without risk.

The attackers behind the 2013 Target data breach used credentials stolen from a heating and refrigeration (HVAC) contractor that had remote access to Target's network, and those credentials were their way in. Several managed service providers (MSPs) serving healthcare organizations have since been compromised in the same way, with their remote access credentials used to reach sensitive patient data.

In 2014, Worcester, MA-based UMass Memorial Healthcare underwent a third-party security audit and discovered that its methods for managing vendor remote access were flawed and posed a major security risk. Had the issues not been addressed, the $2.5 billion non-profit health system could have suffered a devastating data breach.

UMass Memorial Healthcare allows vendors to access certain parts of its network and, like many other healthcare organizations, it let vendors connect through a variety of methods, including VPNs, remote desktop, and third-party remote access tools. There was also little oversight of what vendors did once connected. The vendor accounts UMass Memorial Healthcare had created on its network were being shared as group accounts by vendor staff, with each account carrying its own set of privileges, so the activity of any individual vendor user could not be attributed to that person.


“Vendor access to UMass Memorial Healthcare was inconsistent and largely uncontrolled. We had no permanent record of when vendors accessed our network or systems,” said Scott W. Emery, information systems security analyst at UMass Memorial Healthcare. Vendors were allowed to access the network but there was no easy way of tracking their actions once they had connected.

“We engaged several companies who specialized in secure vendor access. We basically were looking for a vendor who could provide: secure access to our network and systems; detailed access logs and history; session information of the vendor; notification of vendor access to our environment; and capabilities to disable or enable the access,” said Emery.

Several companies offered solutions that could address the problem, but in almost all cases their products were multifunctional and carried many features the health system did not need. SecureLink's solution, by contrast, was solely concerned with managing secure vendor access.

“From the start, they focused on our problem and not on other potential interests of the solution. They engaged us with our interests in mind and wanted to partner with us in finding a solution to our specific problem of secure vendor access to our environment,” said Emery.

The SecureLink solution addressed all of the security issues surrounding remote vendor access. It includes multi-factor authentication, secure browser-based access, and encrypted traffic, and it simplifies the management of vendor accounts.

The solution records vendor sessions, allows a video of each session to be downloaded for audits, and creates detailed logs of each session, down to the keystroke level. Alerts are generated when a vendor accesses resources, the vendor must supply a reason for accessing those resources, and a notification is generated when the session ends. The solution gives organizations full control over vendor access and makes it easy to restrict each vendor's permissions to the specific resources it needs.

Remote access for vendors is managed through a single system that gives full visibility into all remote access sessions in real time, with system administrators able to closely monitor the actions of every vendor and of each individual vendor user.

“Our challenges of implementing this environment were limited,” said Emery. “The main challenge became convincing vendors that their previously unfettered access to our environment would change dramatically and impact their support of their systems or applications. However, once vendors used the SecureLink environment, they became quick supporters.”

Three years after the solution was implemented, SecureLink arranged for a third-party company to calculate the return on investment of the implementation. While the main purpose of implementing the solution was to address the security issues related to remote access, the SecureLink system also brought major financial benefits.

By simplifying remote access management, eliminating unnecessary labor-intensive steps, and improving security, UMass achieved a 594% annual ROI.

The third-party ROI study found that UMass had improved service delivery through better uptime of critical applications, a saving of $700,416. The time saved creating and tracking vendor access accounts was worth $98,229, and the reduction in management time, support, and troubleshooting of vendor access saved a further $208,203.

The total savings from implementing the system were $1,006,848.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.