Customer Success Story

FairWarning Lightens Burdens, Increases Efficiency of Hospital CIO / Security Officer

Joanne White, CIO & HIPAA Privacy and Security Officer

Client ProfileWood County Hospital is a 196-bed, licensed community hospital located in Bowling Green, Ohio. The hospital offers a comprehensive suite of inpatient and outpatient services, and is an accredited Center of Excellence for bariatric surgery. The hospital has also forged a close partnership with Bowling Green State University, and in 2013 opened a $5 million, 23,000-square-foot health center near campus.

Results• An organization-wide culture change• Increased employee acceptance of the

importance of guarding patient data• Occurrences of privacy breaches have

been substantially reduced

ChallengeThe hospital’s IT staff, just 16 people, is understaffed and overworked—a scenario shared by a great many healthcare organizations. But Wood County’s CIO is also tasked with overseeing the organization’s HIPAA Privacy and Compliance efforts. Help was needed—both with managing HIPAA- related workloads, and with maintaining the constant vigilance necessary in protecting patient data.

SolutionPatient Privacy Intelligence and Managed Privacy Services

Harried hospital executive finds some relief with FairWarning’s Managed Privacy Services

Customer Success Story

Healthcare organizations are now targeted for data theft more than any other industry. According to the Ponemon Institute’s Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data, nearly 90% of healthcare organizations have suffered data breaches in the past two years, at a cost of more than $6 billion industry wide.1

Healthcare executives charged with protecting patients’ data and assuring HIPAA compliance have quite the challenge on their hands. They are very important people. And very busy people.

Joanne White is a very busy woman. As the CIO and HIPAA Privacy and Security Officer of Wood County Hospital, she has many responsibilities to juggle. Her job will never be easy. But it will also never again be quite as hectic as it once was.

Overview: Healthcare Security Officers Face Daunting Challenges

2

You can set up different sorts of alerts. What I started with was Neighbor Snooping, VIP Snooping, Employee and Manager Snooping, and Family Snooping.”

Joanne White, CIO & HIPAA Privacy and Security Officer

Customer Success Story

patient data, and investigating occurrences or claims of data breaches.

Two recent developments, in particular, impacted Joanna’s job.

The first was the opening of a student health center, which would give 25,000 students access to hospital systems via a wireless network. Joanne had worked at a college in the past, and knew that students could sometimes be a bit disruptive (“…hacking was one of their favorite things.”)

The second development was tied to the glut of recent news reports about HIPAA breaches and resulting cash settlements. Each time a news story about a massive HIPAA settlement would appear in print or on TV,

How much stress and non-stop effort can be packed into one workday?

Joanne White likely felt that she was testing that limit every single day. She manages an IT staff of just 16 people, and has the responsibility of supporting the hospital, all the clinics, and the Falcon Health Center serving 25,000 students.

“We run really lean,” Joanne explained.

Joanne also bears the full responsibility of overseeing the organization’s HIPAA Privacy and Compliance efforts. Her plate was quite full. But in recent years, security and compliance efforts grew disproportionally demanding. Joanne found that more and more of her time was devoted to protecting

The Challenge: Operational Overload

3

the phone calls would inevitably begin: “I think someone has looked at my health record. How do I go about putting in a claim to collect money?” And though most claims were bogus, Joanne had no choice but to run audit logs against each claimed incident to verify and confirm that no breach occurred.

And Joanne wasn’t getting much help from the tools she was using. One tool, for example, captured data for forensic investigations by recording every single key stroke from every device in the organization. This data was saved to a massive SQL database that, in

three years, grew to 14 terabytes. So much data was stored that in-house storage capacity was exceeded, requiring moving the data to cloud-based storage.

But the tool offered no automation. No canned reports. Conducting investigations and teasing useful insights out of the stored data was tedious and massively time consuming. “I spent most of my evenings working on HIPAA because I didn’t have time during the day.” It was an unsustainable situation, and Joanne knew she needed help.

FairWarning has given me a lot of time back.”

Customer Success Story

4

Solution: “Other hospitals gave FairWarning very high marks.”

Joanne considered several vendors in seeking a solution to her HIPAA-related problems. As it happened, she met regularly with a group of representatives from 12 local hospitals. Several of those hospitals were already using FairWarning, and were pleased with the results. They all gave FairWarning very high marks.

Joanne evaluated the FairWarning demo, and decided to go with FairWarning’s Patient Privacy Monitoring platform (currently monitoring over 250 billion rows of data across more than 7,000 healthcare facilities).

But she had another decision to make. FairWarning also offers a Managed Privacy Services (MPS) solution, which serves as a de-facto staff extension for overworked and under-manned compliance and security staff officers.

MPS helps healthcare organizations:

� Minimize overall risk profiles� Improve compliance postures� Simplify OCR audit preparations� Resolve staffing and resource issues� Perform and document investigations� Identify internal threats

MPS was exactly what Joanne needed, but she was hesitant. “I wasn’t sure if I wanted to let go of all the responsibility.” However, 75% of all FairWarning onboarding customers elect to utilize MPS. Therefore, Joanne also decided to give MPS a try.

Customer Success Story

5

Easy, Customizable Reporting

FairWarning’s ability to present data visualizations in customizable chart formats assure that data is presented in ways most effective for each user. For Joanne, that capability has been particularly helpful in fulfilling the needs of many users and departments throughout the organization.

“I can very easily run a report by patient name, pin number, medical record number—whatever’s needed. I can put a date range in. I can be very broad or very specific. When I run a report at someone’s request, I can easily provide exactly what they need.”

Thanks to FairWarning MPS, Joanna’s team has been relieved of the responsibility of monitoring all of those terabytes of data. “FairWarning looks at the data first,” Joanne explained. “They do it in a very timely manner. They do it all day long. I just log on to FairWarning once each week to review my audit alerts.”

The implementation was easy: “One of the easiest implementations I’ve ever done,” Joanne recalled. Importantly, FairWarning seamlessly integrated with the already-in-place tools that Joanne relies upon, such as Cerner HealthIntent, OB TraceVue, Spacelabs, and others. FairWarning has even helped the team to boost the effectiveness of these tools that feed into FairWarning —spotlighting a modification to the Cerner patient list to eliminate false positive alerts, for example.

FairWarning has even catalyzed a culture shift throughout the entire Wood County organization. Like most any other healthcare organization, Wood County worked to foster an awareness among employees about the importance of patient-data security: mandatory HIPAA training; constant discussions with users; etc. But the preaching often fell upon deaf ears.

But FairWarning enables complete and comprehensive transparency in monitoring user actions. Joanne and her team knows exactly who accessed what record, and when. And now, users know that Joanna’s team knows. “I have written-up people for accessing charts they weren’t supposed to,” Joanne said. “This new software has brought awareness to the forefront. It’s caused people to take pause before looking at a chart that they don’t have permission to access.”

And that applies to doctors, same as everyone else. Joanne recalled that before FairWarning, doctors often would think that HIPAA didn’t necessarily apply to them. They have learned otherwise.

Joanne is still a very busy person. But thanks to FairWarning, at least one aspect of her job, managing HIPAA Privacy and Compliance, is easier. “We put in really long days here and have no life,” Joanne said (somewhat jokingly). “But this software has made that part of my job a lot easier.”

Key benefits that FairWarning’s Managed Privacy Services provides to the Wood County team includes:

The Results: Less Stress, More Control

5

Customized Education and Communication Plan

FairWarning’s MPS team works directly with end users, training them to use the product. Users are taught to navigate the product, produce their own reports, review investigations, identify and examine trends, and much more.

Proactive Alerting

Before FairWarning, Joanna’s team was decidedly reactive, seemingly always a bit (or a lot) behind in conducting investigations. But that’s no longer the case. FairWarning’s MPS team quickly alerts Joanna’s team to any event that may warrant investigation.

Joanne offered a recent example: “Just this week, one of our VPs was looking at their child’s record. FairWarning saw that, and alerted me right away. Those are the types of proactive alerts I get from FairWarning that keep me on track with my auditing.”

Dedicated FairWarning Reps

Each MPS client is assigned a dedicated analyst. It’s a service that Joanne has found invaluable. “If I want a report or have a question, I just phone or email my assigned rep, and he’s always available. He’s knowledgeable, and if he doesn’t know something, he’ll find the right person. And I always get an immediate response.”

6

Is Your EHR Vendor FairWarning Certified?

The FairWarning Ready program certifies that participating healthcare vendors conform to uniform standards pertaining to the sharing of data. It makes life simpler for everyone involved.

Is your EHR vendor already FairWarning Ready certified? With hundreds of vendors participating in the FairWarning Ready program, odds are good that they are—or soon will be.

!

1. Ponemon Institute. “Nearly 90 Percent of Healthcare Organizations Suffer Data Breaches, New Ponemon Study Shows.” http://www.ponemon.org/blog/sixth-annual-benchmark-study-on-privacy-security-of-healthcare-data (accessed April 13, 2017).

Customer Success Story

For more information, please visit www.FairWarning.com 727-576-6700 | Solutions@FairWarning.com© Copyright 2004-2019 FairWarning, Inc. | All rights reserved. Various trademarks held by their respective owners.

13535 Feather Sound Drive, Suite 600Clearwater, Florida 33762 USA

About FairWarningFairWarning strives to protect the health, wealth, and personal information for every person on Earth. The company’s industry-leading, affordable application security solutions provide data protection and governance for Electronic Health Records (EHRs), Salesforce, Office 365, and hundreds of other applications. FairWarning solutions protect organizations of all sizes against data theft and misuse through real-time and continuous user activity monitoring and improve compliance effectiveness with complex federal and state privacy laws such as HIPAA, PCI, FINRA, SOX, FISMA and EU Data Protection Act. FairWarning catches people stealing your data.

About Mercy HealthMercy Health is the largest non-profit healthcare system in Ohio. The organization consists of 23 hospitals across Ohio and Kentucky, a college health insurance company, and hundreds of offices, clinics, and care locations. Mercy Health generates $4 billion in annual revenues, and is the fourth largest employer in Ohio.

7