Information security is paramount in the healthcare industry, requiring compliance with some of the strictest privacy and storage standards. Even so, healthcare companies still face risks for data loss and security gaps—often making headlines for breaches affecting millions of patient records, with the average time to discovery more than 200 days.
MEDHOST helps more than 1,100 hospitals, behavioral healthcare organizations and rehabilitation facilities across the nation manage their facilities and provide medical care with financial and clinical solutions, as well as consumer engagement software and services. William Crank, chief information security officer at MEDHOST, is devoted to keeping patient health records and other secure data safe without impeding the business.
Hired as the company’s first fully dedicated security professional four years ago, Crank recalled the environment requiring “security discipline and maturity” upon his arrival. “The challenge that I had to overcome was visibility. The key to any security program meeting its goals is having visibility of all of the activities within the organization’s network,” recalled Crank. “I can’t protect what I don’t know or don’t see.”
MEDHOST delivers solutions from private, as well as public and hybrid cloud settings. “My role is to ensure that we enable the business to minimize shadow IT or shadow dev and do it securely, maintaining the security posture of our production workloads in those three environments,” said Crank.
Crank and his team use multiple tools that monitor different components of the ecosystem. “I have different segments where threats lie differently,” said Crank, explaining that he secures workstation, server, managed server, development and quality assurance spaces, as well as core network routing and switching. He evaluates security tools against three major components: capabilities, support and cost.
Key capabilities include ease of implementation, automation and management. “I cannot have my security engineers monitoring 25 different tools,” said Crank, adding that the old approach of segregating tools from different vendors to minimize recurring problems is no longer relevant. “In today’s day and age, I think security teams have minimal resources and need to minimize the number of things they log into to get visibility into the threats on the network.”
Technology partners that help solve problems and take the time to understand the network are most valuable to Crank. “The customer support piece is as important if not the most important component,” he said.
“Always looking for ways to save the company money without compromising its risk posture, capabilities and support,” Crank said he recently completed evaluations of existing solutions that resulted in a lower-cost option. “I just went to a new Web security tool that saved about $125,000.”
“We’ve maintained our budget and matured our program, while reducing the threat surface of our enterprise with the tools and resources we have,” said Crank. “We continue annually to increase efficiencies and effectiveness to meet the needs of our customers.”
Over the past few years, coverage has expanded from protecting some production workloads to full-spectrum enterprise visibility. Mean time to resolution has also improved. “We’ve cut down time to identify and respond by 75 percent or more,” said Crank.
“Utilizing tools to the fullest,” said Crank, is the focus of his current roadmap to maximize his team’s productivity and talent. “We’re purely focused on controls maturity, program maturity, taking a look at the toolsets we have and how we can utilize them more effectively and more efficiently, and where can I extract value from them that I haven’t gotten today.”
With tools to offload routine monitoring, MEDHOST can take a proactive approach to keeping the business secure as it grows. “It’s easier to build security on the front end and implement it than it is to retrofit,” said Crank, adding that IT shouldn’t dictate what’s best for the business.
“You need to go ask the business what their requirements are and what their needs are,” Crank advised. “We’ve got a very strong engineering and operations team that caters to the business, that’s our lease on life.”
Christy Peters is a writer and communications consultant based in the San Francisco Bay Area. She holds a BS in journalism and her work covers a variety of technologies including semiconductors, search engines, consumer electronics, test and measurement, and IT software and services.
The IT Innovators series of articles is underwritten by Microsoft, and is editorially independent.