K logix was recently mentioned in the HealthITSecurity article "Developing a health IT security program with new technology". View the article below and read about our work with Lahey Health.
Developing a health IT security program with new technology
Author Name Patrick Ouellette | Date July 22, 2014
Jim Drewett, Lahey Health IT Security Director has been at the organization for 24 years, back when PCs were first becoming popular, and has also watched the healthcare industry evolve from a risk management standpoint.
Drewett has served in a variety of technical roles and at the end of 2011 there were a lot of changes at the top, such as the CEO, COO, CIO and David became the CISO, David Reis. Under Reis and the new management’s leadership, Lahey has taken a much more risk-averse position in the industry. Drewett took some time to speak with HealthITSecurity.com about some of these developments.
Can you talk about some of the changes to the IT security program at Lahey Health?
There had been a lot of good IT development and enablement among the clinicians, but there wasn’t always the focus on security. With the HITECH Act’s breach reporting rules being established in 2009, [Lahey's] regulations really took shape. David’s arrival in 2011 was fortuitous. My role as a director is to oversee a manager and six technical subject matter experts. We concentrate in these areas:
- Network security and work closely with the network services team
- Vulnerability management in working with the server and platform teams
- Mobile device security testing and deployment, working with the desktop technology team
- Compliance, forensics and reporting – working with HR and compliance/audit and risk management
I have program and technology development going on in each. In the network security space, we’ve been moving from Cisco to Palo Alto [networks]. With next-generation firewall technology and the ability to control the network at the protocol and application signature level. We’ve also implemented F5 technologies to improve the web portal and VPN client access.
In the vulnerability space, we’ve been implementing scanning tools from Rapid 7 from the inside. And we have scanning services from Qualis on the other edge. In terms of mobile technology, we’ve developed a secure email on mobile devices through Good Technology. And we’ve used a secure email gateway from Zix Corp. On the monitoring side, we’ve developed a new SIM from Splunk. And we’re implementing RSA’s Net Witness, which is the packet capture component of the security analytics product offering.
How do you approach buying decisions when choosing among the litany of security products?
From an IT security strategy perspective, we’ve honestly taken a very simple approach. First, we look at the upper right quadrant of the Gartner report. And we have a general philosophy that comes from both Dr. Reis and our CIO, Bruce Metz, which is [to focus on value]. Healthcare organizations have historically not had the ability to make significant investments in IT security. This is a function of a lot of things. Sometimes it’s leadership’s focuses and priorities and sometimes it’s financially-driven. We try to ensure that whatever we make an investment in is a highly-mature and effective product. Some of these products may have higher investment costs associated with them, but they may also have proven value over a long period of time. That’s how we begin our selection process when it comes to products, some of which are niche, but we always start there.
We also have a value-added reseller (VAR) that represents a number of best-of-breed products, K logix. They’ve done a really nice job helping us understand what’s available and what some challenges may be with the different products, as well as how some other customers are having issues or succeeding in various areas.
I can’t comment directly on the communication between Dr. Reis, the CIO and our VP, but I know that they meet regularly. And we often meet with the technology services group as well as the other teams, such as service management.
Subscribe
Stay up to date with cyber security trends and more