When healthcare organisation Healthe started developing its online electronic medical record service called Healthe Me in 2006, chief innovation officer Alan Payne recognised that security and privacy would be critical.
"These are the first things everyone always asks about," Payne says. "The most important thing we need to avoid is a data breach."
Healthe Me is a health and wellness programme that offers benefits and services to improve its members' overall health and wellness, with an online personal health record at its core. The Healthe group includes Healthe Care, the largest privately owned hospital network in Australia, with more than 1,500 staff, 1,000 accredited medical practitioners, close to 1,000 beds and the latest in medical technology.
Payne decided that the key to a secure system would be multi-layered security, with various components from experienced vendors. With that in mind, he and his team sat down with experts from Oracle, Symantec and Verizon and built the security architecture from the ground up.
"We took the best and sorted out the weakness of each group," he says. "By doing that, I created a best-of-breed security architecture whereby we have these multiple protective layers."
Verizon was brought in to manage the hardware infrastructure and the physical data centre. "Primarily, it was physical port security and security of the data centre," Payne says. "They obviously make sure it's fully secured, that it has all the usual access controls, that all of the firewalls are in good working order, backed up and maintained."
Oracle played its part in offering identity management components. "So we actually encrypt all our data within the environment itself. So even if you could get access to the system, you still couldn't do anything because the data is encrypted at the base level," Payne says. To guard against the threat of removable devices such as USB drives, he ensured that the system is secured at the data level by encryption according to the roles and responsibility of employees. "Even if you can get a USB to copy something, it is useless to you," he says.
Payne engaged Symantec to help construct the security architecture and provide information security online. He describes the service-level agreement by the vendor as proactive, whereby they continually monitor the health of the whole company network.
While threat assessments are continually made, the system's firewalls and applications are automatically updated without needing Payne's engineers to do it themselves. "Most of it is taken care of and it is very low maintenance," he says.
The Symantec Managed Security Services aggregate and analyse log data from Healthe's heterogeneous firewalls, intrusion detection systems, and integrated security appliances. The Healthe network team gets an e-mail from the vendor whenever suspicious activity is spotted that should be investigated.