On average, data breaches cost healthcare organizations $408 per record, according to the 2018 Cost of a Data Breach Report by the Ponemon Institute, commissioned by IBM. Across all industries, healthcare has seen the priciest data breaches for the last 8 years running.
To boost security, Greenville Health System, a not-for-profit, patient-centered healthcare network that serves upstate South Carolina and the surrounding area, knew they needed to lock down their devices and be able to remotely delete sensitive information, regardless of device location. Because compliance fines can be part of what makes data breaches, and protecting sensitive data, so pricey for healthcare, they also needed to prove their systems were encrypted to industry standards.
Before they could achieve this, however, Greenville Health needed to measure their risk exposure across the organization. With such a large and continually growing network of employees and devices, it was vital that their security solution be scalable and always-connected – regardless of network connectivity. It was suspected that some employee device theft had occurred, but without monitoring capabilities, it was extremely difficult to pinpoint the extent of the problem. With so many moving parts, Greenville needed a complete picture of their current endpoint risks and of what actions to take.
The manager of Information Security at Greenville Health System had worked with Absolute at a previous organization. One of the first things he did when he joined Greenville was reach out to Absolute to discuss how they could work together to strengthen Greenville’s information security and application management.
“We had an outdated approach to information security,” he said. “We were immature in our security posture—we didn’t know what was on our network, what inventory was on our workstations or whether the devices were encrypted to compliance standards.”
Better Visibility & Control
HIPAA compliance proved a challenge for Greenville Health, with multiple locations and devices constantly on the move. Before they could put the necessary measures in place to secure their devices, Greenville performed a Dark Endpoint Risk Assessment to benchmark their internal controls against HIPAA requirements and security best practices from methodologies such as NIST 800-53 r4, HITRUST v8, and CIS Critical Security Controls v6.1. This combination of consultative techniques and the visibility provided by Absolute gave Greenville a maturity score across each control area and identified security gaps.
Then, Absolute’s risk assessment professionals collaborated with Greenville to develop a remediation action plan to improve workflows and ensure security requirements were met. This valuable report identified previously dark endpoints and, with the implementation of Absolute Persistence® for continuous visibility and rapid remediation of at-risk devices, Greenville was able to fully protect their devices and the sensitive healthcare data they contain.
Within a few months, a Greenville subcontractor was caught stealing devices and reselling them. Additionally, a former employee was caught with laptops that should have been returned upon termination. Greenville leveraged Absolute’s investigations services to recover the systems and ensure proper measures were taken to secure the data.
Learn more about how Absolute helps healthcare organizations and, if you’re ready to improve your organization’s endpoint security and better comply with HIPAA, you can start by taking our Dark Endpoint Assessment.