How far can strategic planning extend? How far can competitive advantage stretch? The correct answer is: pretty far. Healthcare organizations (HCOs) that have embraced information technology generally have done so across the board, with motivation that exceeds the noble–albeit typical–goals of providing quality patient care and maintaining financial health.

DeKalb Medical Center in DeKalb County, Ga., part of metropolitan Atlanta, is such a healthcare system. Senior management there wants the organization to be perceived locally and by employees as the kind of employer that qualified personnel work at, stay at and support with loyalty and performance. IT helps it succeed.

DeKalb Medical Center maintains what some HCOs would call a liberal policy when it comes to personal Internet use by employees. Every workstation in the enterprise, including PCs in public areas such as waiting rooms, connects to the Internet. DeKalb Medical Center considers it an employee benefit that employees are allowed to use enterprise PCs and access the Internet for personal interest, and wants to sustain that benefit as part of its retention and recruitment strategy. In return, the organization asks employees for moderation, judgment and propriety–and gets it.

The Internet as a Risk

When Information Security Administrator Sharon Finney arrived at DeKalb Medical Center in August 2003, the HCO was knee-deep in finalizing compliance with HIPAA regulations and taking steps to identify where, when and by whom patient health information might be transmitted. The Internet was instantly identified as a formidable risk.

“We allow employees to access the Internet for personal use, as long as they are diligent and judicious,” says Finney. “We leave it to management of various departments to regulate. With that kind of policy, the organization needs the ability to monitor utilization, enforce policy, and report to and work with departmental managers if problems appear.” Early on, its capabilities in that arena were limited.

Initially, DeKalb Medical Center didn’t know what was moving across its Internet circuit. It didn’t know if protected health information was being transmitted; it didn’t know if files were being shared appropriately; it didn’t know if employees were buying shoes via home shopping networks.

Although the healthcare organization has more than 60 IT staff, the technical services personnel who support infrastructure and networking–and would have been responsible for in-house development of monitoring capability–numbered only seven, so the organization looked outward for help.

“We needed to buy a tool to help us monitor, filter, assess and, if necessary, control Internet usage,” says Finney. DeKalb Medical Center managers evaluated at least four products for the job and finally selected Vericept Healthcare Compliance and Vericept Filter for HIPAA compliance from Colorado-based Vericept. Finney says these were the only tools at the time they found that had all the necessary rules already embedded and would function, right out of the box, in a way the HCO wanted, but would also allow for subsequent customization.

Cost was another factor that helped ink the deal for Vericept. Because the technology was a new one for the organization, it wanted vendor support throughout implementation, and found Vericept included that support in what DeKalb Medical Center considered a competitive price. “They were very willing to work with us from a budgetary perspective,” says Finney.

Look and Learn

How does an organization that values diversity and wants to continue providing Internet access for employees nevertheless monitor, manage and control, and also prevent overuse or abuse?

The healthcare organization began by using its out-of-the-box solution for two months to monitor and learn. Finney says that while the organization didn’t see the inappropriate transmittal of any identifiable patient health information, what it did see enlightened management.

“Initially, we saw a considerable amount of pop-up adware and even spyware on desktops, causing an extreme (excessive) amount of Internet traffic. We also learned that employees were listening to the radio via Internet, which chewed up our bandwidth.” Equally important, she says, a number of employees weren’t Internet-savvy and would enter substantial personal information on unsecured Web sites. They were unaware of how unprotected their data was, and they entered personal data via their keyboards as if they were sitting in a bank talking with a bank officer.

DeKalb Medical Center management initiated departmental meetings, and up to three times each month, Finney made security presentations at those meetings, describing the new system, monitoring capabilities, and appropriate types and levels of personal usage within the organization. She also described how individuals could safeguard their own data in personal Internet use.

The organization’s master plan was to use the Vericept products’ default settings with no modifications for 60 days while managers monitored and analyzed, and then to be able to customize the software for the HCO’s individual use.