AZ Sint-Lucas in Brugge, Belgium is an independent hospital with capacity for 475 patients. It currently employs 1,300 healthcare professionals specializing in surgery, geriatrics, psychiatry, and maternity care.
The hospital is nationally recognized for its promotion of safety culture and for its “quality assurance of patient care,” according to the Netherlands Institute for Accreditation of Hospitals (NIAZ). For this, the hospital received several accolades, including a personal thank-you from the then Prime Minister of the UK, Margaret Thatcher.
Recently celebrating its 50th anniversary, AZ Sint-Lucas continues to improve the responsibility owed to patient care. A large part of that improvement is maintaining a reputation that its confidential patient information will remain safe and secure at all times. In order to do so, the ICT department is administering an expansive IT environment consisting of an on-premises data center, an off-site backup data center and approximately 600 PCs, laptops, and mobile devices.
Healthcare data theft is steadily increasing due to malicious insider threats, user negligence, and external attacks. Recent breach statistics reflect the fact that the risks of a data breach are rising dramatically. In the past two years, 91% of healthcare organizations reported at least one data breach, 39% reported up to five breaches, and 40% reported more than five breaches.
A hospital as large as Sint-Lucas tends to experience a multitude of varying users on its healthcare network – one reason why healthcare data is the most vulnerable of any industry. Doctors intermittently working on and off the network require unfiltered access to websites in order to provide patients with the quickest and best possible outcome. Consequently, these doctors are sending and receiving a substantial amount of unprotected data. Regulating this activity requires an open digital environment accessible through smartphones, tablets, or other devices. The problem is that open policy conditions can easily lead to a user accessing a tainted URL or enable malicious insiders to steal millions of Protected Health Information (PHI) records.
Recently, the ICT team was able to monitor and study user behavior. They discovered that the medical staff visited more non-work related websites than ones related to their jobs—this behavior posed a serious risk for data loss or theft. The challenge for the ICT team at AZ Sint-Lucas was to find a solution that did not have completely open policies, preserved reasonable and safe user browsing and social media habits, and was flexible enough to balance the professional and personal needs of the staff—on and off the network—without putting PHI at risk.
“Completely eliminating internet browsing was not our intention. We have mobile computer stations which are available throughout our facilities. Personal online shopping during an employee’s break is fine, but not during working hours. When looking for a new solution, we do not want to impose all sorts of restrictions, but prefer to ‘educate’ them.”
—Kristof Duthoy, ICT Manager, AZ Sint-Lucas Hospital
Of course, saving lives – not protecting data – is the top priority for doctors, nurses and other healthcare professionals. However, healthcare professionals often need to access and exchange information quickly which creates compliance headaches and security nightmares for IT staffs. Many existing security options can severely inhibit a hospital’s efficient access to patients’ medical data, prompting medical personnel to avoid important security processes in the pursuit of patient care.
“As a hospital, we hold a lot of private data that should not fall into the wrong hands. We cannot carelessly give our people the freedom to download or install anything. Conversely, we do not want to impose all sorts of rules.”
A second issue Kristof needed to address was “remote security.” Devices used outside the hospital network are potential sources of data leakage and entry points for attack and data theft.
“Our ICT team is tasked with the responsibility of all laptops, which may leave the hospital. We wanted a solution that could identify the internal browsing rules to apply on-premises, at home, and in a secure manner.”
Furthermore, for Kristof and his team, it was clear that their previous email security solution was no longer meeting their needs.
“The ICT department received more and more complaints about spam, which would all be addressed properly, but it was taking too much of our time to handle.”
Kristof and his team considered several solutions to resolve these and other security issues. IT101, an experienced IT services provider in the healthcare industry, recommended Forcepoint as the most effective security solution:
“IT101 understood—thanks to its experience working with other hospitals—exactly what our needs were. After several in-depth discussions, we chose Forcepoint because it was the only solution to offer all of the functionality that was on our wish list and at a fair price.”
Implementation of the product went smoothly, Kristof explains, with only one minor performance problem which Forcepoint responded to and resolved quickly:
“IT101 was responsible for the implementation of the solution, which went almost flawlessly. I say ‘almost’ because we initially had some performance problems on the web; however, Forcepoint resolved it very quickly.”
Since its implementation, the ICT services department at AZ Sint-Lucas, Brugge has been very satisfied with the Forcepoint Web security solution:
“We are now able to monitor browsing behavior on mobile computer stations much better. If a user tries to access a website that, according to our policy, is non-work related, Forcepoint will block that website for us. The user must now confirm that s/he understands the action and from there the action is reported to our ICT department. There is not a penalty attached to it, but it allows employees to be aware of their browsing habits.”
This success is evident from the significant decline in inappropriate internet usage - another advantage Kristof found in the Forcepoint solution.
“We now allow employees to use social media on PCs and laptops at work. However, games, for example, on social networking sites are not permitted. This option was never available in our previous solution.”
Remote security and social media challenges have also been resolved. Whether a user is accessing the Internet from home or on-premises, the Forcepoint solution has provided Kristof and his team a consistent, unified policy which allows for safe and efficient internet browsing wherever his staff goes:
“Forcepoint fulfilled our wishes regarding the domestic use of laptops. If employees use their laptops in the hospital, they log on to the local proxy server. At home, they do so through their own Wi-Fi connection. With Forcepoint, we can guarantee that it can be accessed safely without them unknowingly allowing viruses to infiltrate.”
YouTube was typically used by employees for non-work related topics which resulted in the excessive consumption of bandwidth. Rather than fully blocking it, Kristof wanted YouTube to be used as an instructional tool for certain software and medical equipment. Forcepoint was able to create a notification page which met those requirements.
In addition, Forcepoint’s solution for email has been exceeding all expectations for AZ Sint-Lucas. The number of complaints regarding spam has dropped sharply. For this reason, Kristof is enthusiastic about the fact that Forcepoint offers a hybrid solution that unifies Web and Email in one product:
“For us, this is a big advantage. On one hand it means that we are essentially relieved to some extent, so we are going to work much more efficiently. On the other hand, it is possible, with this construction, to make comprehensive reports on the Internet.”
The best security solution protects data everywhere it lives—from the network, to the Cloud, and to any endpoint. It should also address internal and external threats, yet be quickly and easily deployed and managed. Today, AZ Sint-Lucas benefits from these advantages and is able to conduct detailed reports on internet usage which provides insight into end-user behavior and other trends.
A healthcare professional’s primary objective is to achieve the best outcomes for their patients. That often requires finding the proper balance between strict, effective security policies across multiple ecosystems and the necessary rapid, unfettered access to the Internet for life-or-death situations.
“We have developed a base for a new solution to Data Loss Prevention. IT101 and Forcepoint reminded us about the upcoming changes in legislation in the area of data privacy and security. With minimal effort and expense, I can safely say that we are now prepared.”
AZ Sint-Lucas Brugge has relied on Forcepoint security solutions since 2007.