Greenville Health System Leverages Absolute's HIPAA-Compliant Data Security and Recovery Service

Greenville Health System is a not-for-profit, patient-centered healthcare network serving upstate South Carolina and the surrounding areas. The system consists of seven hospitals, 200 physician practices, and about 15,000 employees spread across those locations.

Healthcare systems are highly regulated to protect the rights of both patients and doctors. Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) have established national standards to protect personal information in electronic healthcare transactions and transfers of information. As Greenville Health System expanded, opening more offices and growing its geographic reach, concerns arose about how to secure devices and sensitive medical information. With 15,000 employees and more than 17,000 devices and systems, there were significant opportunities for data theft as employees worked off-network, traveled with their devices, and occasionally lost them.

Challenges

Greenville Health System wanted to be able to lock down devices and remotely delete sensitive information, regardless of device location, all while proving their systems were encrypted to industry standards. Before they were able to achieve this, they needed to measure their risk exposure across the organization. With such a large and continually growing network of employees and devices, it was vital that Greenville’s security solution be scalable and always-connected, regardless of network connectivity. It was suspected that some employee device theft had occurred, but without monitoring capabilities, it was extremely difficult to pinpoint the extent of the problem. With so many moving parts, Greenville needed to have a complete picture of their current endpoint risks, and what actions to take.

“We had an outdated approach to information security...”

Chris Schmidt, Manager of Information Security at Greenville Health System

Chris Schmidt, manager of Information Security at Greenville Health System, had worked with Absolute at a previous organization. One of the first things he did when he joined Greenville was reach out to Absolute to discuss how they could work together to strengthen Greenville’s information security and application management. “We had an outdated approach to information security,” said Schmidt. “We were immature in our security posture — we didn’t know what was on our network, what inventory was on our workstations or whether the devices were encrypted to compliance standards.”

Solution

Greenville is required to have certain security measures in place to meet HIPAA regulations, which was a challenge with multiple locations and devices constantly on the move. Before they could put the necessary measures in place to secure their devices, Greenville engaged with Absolute to perform an Endpoint Risk Assessment to benchmark their internal controls against HIPAA requirements and security best practices from methodologies such as NIST 800-53 r4, HITRUST v8, and CIS Critical Security Controls v6.1. This combination of consultative techniques and Absolute’s unrivaled visibility provided Greenville with a maturity score across each control area, identifying security gaps. Absolute’s risk assessment professionals then collaborated with Greenville to develop a remediation action plan to improve workflows and ensure security requirements are met. This valuable report identified previously dark endpoints and was the catalyst to fully utilize Absolute to protect their devices and the sensitive healthcare data they contain.

Absolute’s patented, firmware-embedded Persistence technology ensures Greenville has continuous visibility and can rapidly remediate at-risk devices. This is critical to provide current and historical evidence that data is protected, necessary for HIPAA compliance. Absolute also provides Greenville with insight and automated remediation across other applications they are using, such as Microsoft System Center Configuration Manager.

Within a few months of the Absolute implementation, a subcontractor was caught stealing devices and reselling them. Additionally, a former employee was caught with laptops that should have been returned upon termination. Greenville leveraged Absolute’s investigations services to recover the systems and ensure proper measures were taken to secure the data.

The Absolute team constantly checks in with Schmidt and supports his team to implement the recommendations provided in the Endpoint Risk Assessment. This ensures his team is constantly strengthening its security posture and fully utilizing the Absolute solution.

Results

1. ELIMINATE DARK ENDPOINTS
   Endpoint Risk Assessment identified dark endpoints and provided recommendations to strengthen security posture

2. CONTINUOUS DATA VISIBILITY AND PROTECTION
   Easily assess risk exposure and protect healthcare information

3. SELF-HEALING PROTECTION
   Can achieve HIPAA compliance via embedded self-healing technology, even if a device is tampered with