A few years ago, tracking patient information at Lake Forest Hospital was enough to give any IT manager a heart...
"Our cardiac-monitoring system had been on a standalone network. We had no control over who was accessing it. It became the responsibility of [clinicians] to ensure there was not unauthorized access to those records," explains Stephen Morenzoni, senior network engineer at the Illinois hospital. In fact, there were 15 to 20 disparate networks like this -- one of the many challenges Morenzoni faced to meet the Health Insurance Portability and Accountability Act (HIPAA). But by consolidating networks and building upon their Y2K efforts, the hospital was able to become compliant and save money.
When preparing for Y2K, the hospital network had to be capable of logging data from its firewalls, servers and other network devices. Having the logs in place positioned it to meet HIPAA's logging requirements. The hospital had also already deployed Microsoft's Active Directory, and its role in making applications available only to authorized users had also advanced Lake Forest Hospital's HIPAA compliance.
The hospital's decision to move to a single network -- which took place over about four years -- was among the most valuable it made in terms of compliance, Morenzoni says.
"We knew that, if we could get everything put on a single backbone, in the long run, it would be cheaper and a lot easier to track and log everything." In the radiology department alone the cost savings was dramatic. In 2000, the hospital spent $2 million on film to perform 48,000 procedures. In 2005, the hospital performed 160,000 procedures -- to the tune of $1.5 million. "Operationally, having a single enterprise network saves us $2.5 to $3 million a year," he says.
One area that has necessitated new capital expenditures was IT's emerging role as a storage facility for all kinds of digital information. HIPAA mandated that the hospital "devise a policy on how to handle and store everything from fetal heart strips to mammograms," Morenzoni says. To manage this vast array of data, the hospital is implementing a NAS solution using EMC's Clariion CX500 and Cisco System's Storage 9216i switches. The hospital plans to use VMware to virtualize its servers, then create a redundant data center at a second campus. Ultimately, SAN-to-SAN replication is the goal, protecting data in the event of an outage and providing the tracking and backup HIPAA requires.
The hospital's IT and corporate compliance groups -- comprising about 35 staff members -- worked to educate all staff about what HIPAA requires of them and what it means for the collection, storing and release of data, Morenzoni says. Reviewers from the Joint Commission for the Accreditation of Healthcare Organizations (JCAHO) routinely audit the hospital's HIPAA compliance efforts to validate its eligibility for Medicare funding and other federal resources. Preparing for JCAHO audits also helps the hospital monitor and maintain compliance, Morenzoni adds.
In the end, the work to keep patients' information confidential is driven by a HIPAA-flavored application of the Golden Rule, Morenzoni says: "We treat each person's medical information as though it were our own."
Dig Deeper on SAP and GRC