For one health system in Massachusetts, getting vendors onto a centralized platform helped establish better vendor management practices and made life easier for system administrators.
A third-party independent audit revealed that UMass Memorial Health Care, a $2.5 billion nonprofit health system comprising three hospitals and 13,000 employees, had little control over vendor access to its systems via remote access, including its VPN. Most of the vendors had internal accounts on the UMass Memorial network, and while some had restricted access, others did not. The revelation led the largest health system in central Massachusetts to invest in a platform from SecureLink Inc. in 2014.
Scott Emery, senior applications security analyst at UMass Memorial Health Care, said the platform gave the health system better control over who accessed which application, when and for how long. It also tracked every keystroke of a vendor’s session and recorded screenshots and a detailed account of the session. The increased visibility gave the health system added security and peace of mind, Emery said.
“We state to the vendor that we’re actually looking at the system,” Emery said. “When they know you’re watching, it’s a little bit different than when they think they can do anything they want.”
Recently, SecureLink released a version of the product for healthcare organizations. SecureLink for Healthcare provides more detailed audit logs, including keystroke and video logs, to help health systems track vendor activity and ensure they’re meeting HIPAA and other security requirements.
Transforming vendor access at UMass Memorial
Before moving vendor access to the SecureLink platform, Emery said most UMass Memorial vendors had individual, internal accounts on the network with varying levels of system access. Emery called the potential risk the practice posed to the healthcare organization “insane.”
“We wanted to get rid of that risk as soon as possible because, once they connected to us, they were on our network and we had little to no control,” he said.
Once UMass Memorial opted for SecureLink, it took about two months to migrate vendor access to the SecureLink platform. At the time in 2014, UMass Memorial Health Care had roughly 70 vendors. Now, the organization works with more than 200.
Emery said one capability included in the standard version of the product that stands out is the alerts he receives when someone tries to log into the SecureLink network and fails. He can look up the IP address of the vendor and get in touch to determine why the vendor wanted to log onto the platform, and either confirm or deny access.
Emery said the product also impacted how much time IT spent on vendor relations such as setting up individual accounts for each vendor.
Rob Palermo, vice president of product management for SecureLink, said the SecureLink for Healthcare offering builds on its standard SecureLink for Enterprises product, and includes healthcare-specific functionalities that customers have asked for.
How it works
Instead of connecting to a health system directly or through a VPN, vendors are given a username and password to connect through the SecureLink platform.
Requiring vendors to log into SecureLink instead of directly to the hospital network is a plus for security, according to Carrie Whysall, director of managed security services for healthcare cybersecurity consultancy CynergisTek Inc. SecureLink also uses multiple steps, including multi-factor authentication, to verify individual users accessing the platform.
SecureLink deploys a virtual server in the hospital environment, and it takes 57 days on average to get vendors connected to the platform. Then, the hospital IT team can fully manage the web-based application. The platform centralizes all vendor activity, so whenever an incident occurs, the IT team can pull activity logs from a centralized location.
Whysall said SecureLink’s tracking capabilities give health IT administrators greater visibility and insight into vendor activity. If a medical device manufacturer like GE Healthcare pushes out a software update that results in a network issue, healthcare organizations would be hard-pressed to track down exactly what happened using a VPN, Whysall said. A VPN allows administrators to see when a vendor logged in, but not much else, she said.
“If you don’t have something monitoring what they’re doing in the application, you’re totally blind,” she said. “If you have a tool like SecureLink, it is keystroke-level tracking. It is taking screenshots of every single change that person makes … It adds tremendous value.”
Indeed, the SecureLink for Healthcare offering gives IT administrators the flexibility to restrict vendor access to an application, device or server, and helps organizations meet HIPAA and HITECH security regulations. It also includes a best practices module that alerts system administrators if any changes are made that could impact regulatory compliance or security, SecureLink’s Palermo said.
The new offering also provides customized implementation services, such as special training and setup for HIPAA compliance features, as well as workflow consultation that provides HIPAA-required documentation for vendor remote access workflows, according to a SecureLink news release.
Policy — the backbone of vendor access management
Whysall said SecureLink was worth the investment when she served as security director at Ascension Health, but cautioned that getting vendors to make the switch can be difficult, especially if they have a preferred way to access the health system network.
Healthcare CIOs should put a policy in place regarding how the health system manages its vendors, including the preferred method of network access, Whysall said. Oftentimes, CIOs can reach a middle ground with vendors the organization has already contracted with by requiring the preferred method of network access during the next contract renewal.
“There are some vendors who will refuse to do it, and when it’s not in the contract, it’s harder to hold them to it,” she said.