Healthcare and privacy go together

Varonis

Wednesday, 19 November, 2014



Mercy Health and Aged Care Central Queensland (MHAC) is a not-for-profit organisation committed to delivering the highest quality of health and aged care to the community of Central Queensland. It employs approximately 1400 people throughout a number of towns, working in private hospitals, aged care facilities, retirement villages, respite and therapy centres, a surgery unit, linen and food services and a corporate office.

With various information security standards to adhere to, MHAC needed transparency into who was accessing its data, and what they were doing with it. In addition, with nearly 400 workstations and a user base of 600, MHAC also needed an easier, holistic approach to control access to its data.

“As part of compliance with various legislatures, we needed a mechanism to provide visibility into who was accessing our data,” said Marcia Healy, information systems officer for MHAC. “We were also conscious that our IT team were receiving, and provisioning, access requests which, although technically capable, they did not have adequate data context, value or other relevant insight on which to base these decisions.”

MHAC knew it needed to improve visibility, and control, of users’ access rights. “We knew that certain groups had various access rights, through NTFS permissions,” said Healy. “However, this was exceptionally complicated as we did not have a holistic view. We needed transparency to be able to monitor who was accessing information and identify what they were doing to it.”

Due to the nature of the organisation, MHAC’s workforce includes a large percentage of shift workers, which further complicates users’ access permissions.

MHAC evaluated alternative solutions to audit and manage shared folders and files. However, it found that these other solutions, instead of retaining the NTFS permissions, were building an extra private access layer. This was an obvious risk should the system ever need to be uninstalled or stop functioning for any reason.

The solution was a system from Varonis - DatAdvantage and DataPrivilege - that ensured MHAC could meet these challenges.

The solution allows MHAC to identify who is accessing its information and what they are doing with it. With a complete audit trail, MHAC can prove policies are in place, and being adhered to, to satisfy compliance with various national and international information security standards.

“The solution automatically identifies who the likely data owners are and they are then empowered to assign the permissions for their information,” said Healy. “Anyone who needs access to files can raise a request which is directed to the relevant data owner automatically who provisions the request. It also allows us to remove access rights from groups, without having to go through them one by one, when someone terminates their employment, which previously was a huge job.”

An immediate benefit has been that, with this responsibility removed from IT, provisioning users has become far more efficient, as people now deal directly with managers who can action the request immediately. It has also strengthened the security of sensitive data, as the appropriate person is deciding who does and doesn’t have access. “This is great both morally and administratively,” concluded Healy.

