Hospital Skirts Compliance Meltdown

Users may be more hindrance than help meeting the HIPAA storage challenge

September 14, 2006


BURLINGAME, Calif. -- StoragePlus -- Storage managers must take data classification and security into their own hands if they want to solve their compliance headaches, according to Karen Johnson, regulatory officer at the Ascension Health Network.

End-users, she warned during her keynote here today, can be more of a hindrance than a help when it comes to getting storage securely under control. The situation is particularly acute for Indianapolis-based Ascension Health Network, a healthcare firm encompassing 16 major midwestern hospitals. "How many of you have doctors that can remember passwords?" she asked healthcare execs in the audience, adding that security remains a major challenge in the medical sector.

With IT managers wrestling with the data retention demands of the Health Insurance Portability and Accountability Act (HIPAA), Johnson's 16,000 end-users simply add to this problem. "Any space that you give end-users, they will end up saving [data] to it," she explained. "I don't think that they know where the delete button is."

"If you're requesting voluntary deletion of material, it generally won't happen," warned the exec, adding that Ascension Health Network once found 10 copies of Microsoft Plus stored on its network.

The firm has built 250 Tbytes of SAN-based storage to support all its data, which includes Xiotech devices for file and print services and radiography data, as well as an EMC Clariion for electronic medical records. But just adding capacity is not enough if storage managers want to get their arms around the compliance challenge. "You cannot continue to store and store and store," she said, adding that storage managers need to deploy tools to classify their data.

To this end, Ascension has deployed software from StoredIQ to "crawl" through its storage networks and report back on what types of information are stored where. This can then be classified and, if necessary, stored or deleted in accordance with compliance requirements.

On the security side, the healthcare firm is also using Symantec's BindView software to set up access control groups and a product from Vericept to "catch" confidential data as it moves around the organization.
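The crawl-and-classify step described above, and the pattern matching that a tool which "catches" confidential data relies on, can be illustrated with a small Python script. This is an added example, not StoredIQ's, Vericept's or Ascension's code: the detection rules (SSN-, MRN- and DOB-like strings), the share names and the sample files are all constructed for illustration. It walks a directory tree, labels each file by the identifiers it appears to contain, reports which classes live on which share, and groups byte-identical copies so that duplicates like the ten installer copies Johnson mentions can be reviewed for deletion.

```python
"""Added example (not StoredIQ's, Vericept's or Ascension's code): a minimal
data-classification crawler for a file share.

It walks a directory tree, labels each file by the kinds of patient
identifiers it appears to contain, reports which classes live where, and
groups byte-identical copies so duplicates can be reviewed for deletion.
The detection rules and the sample files are constructed for illustration.
"""
import hashlib
import re
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

# Illustrative rules (assumption): strings resembling a US SSN, a medical
# record number and a date of birth. Real classifiers use vendor rule sets.
RULES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB:?\s*\d{2}/\d{2}/\d{4}\b", re.IGNORECASE),
}


def classify_text(text):
    """Return {rule_name: match_count} for every rule that fires on text."""
    hits = {}
    for name, pattern in RULES.items():
        n = len(pattern.findall(text))
        if n:
            hits[name] = n
    return hits


def crawl(root):
    """Walk root and return one record per regular file found beneath it."""
    root = Path(root)
    records = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        hits = classify_text(data.decode("utf-8", errors="replace"))
        rel = path.relative_to(root)
        records.append({
            "path": rel.as_posix(),
            "share": rel.parts[0],            # top-level folder stands in for a share
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "class": "restricted" if hits else "unclassified",
            "hits": hits,
        })
    return records


def report(records):
    """Summarize what is stored where, plus groups of byte-identical copies."""
    by_share = defaultdict(Counter)
    for r in records:
        by_share[r["share"]][r["class"]] += 1
    groups = defaultdict(list)
    for r in records:
        groups[r["sha256"]].append(r["path"])
    duplicates = {h: sorted(p) for h, p in groups.items() if len(p) > 1}
    return {"by_share": {s: dict(c) for s, c in by_share.items()},
            "duplicates": duplicates}


def build_sample_tree():
    """Constructed sample data: a fake file share with PHI-like text and copies."""
    root = Path(tempfile.mkdtemp(prefix="classify_demo_"))
    files = {
        "radiology/report-001.txt": "Patient MRN: 00123456 DOB: 01/02/1970 chest x-ray normal\n",
        "radiology/notes.txt": "scanner calibration notes, nothing identifying\n",
        "home/drsmith/scratch.txt": "SSN 123-45-6789 called re: follow-up\n",
        "home/drsmith/installer-copy1.bin": "INSTALLER BLOB " * 50,
        "home/drjones/installer-copy2.bin": "INSTALLER BLOB " * 50,
        "home/drjones/todo.txt": "order supplies\n",
    }
    for rel, text in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    return root


if __name__ == "__main__":
    recs = crawl(build_sample_tree())
    for r in recs:
        print(f"{r['class']:12} {r['share']:10} {r['path']} {r['hits']}")
    print(report(recs))
```

Run as-is, the script builds the sample tree in a temporary directory and prints one line per file followed by the per-share summary and the duplicate group. Hashing whole files is what makes the duplicate check reliable; the regex rules are the part a real deployment would replace with the vendor's classification policy.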

Echoing yesterday's keynoter David Webster, manager for IT architecture and strategy at Yahoo, Johnson urged storage managers to include their staff in the classification process. (See Get Users Involved, Says Yahoo Boss.) Ascension, she told Byte and Switch, is in the process of appointing some 700 "data custodians" across its organization, who will help drive its compliance effort. "We work with them to define what information needs to be retained."

Johnson explained that she has also set up a team specifically to address the technology impact of compliance, which includes project managers, network engineers with experience on various operating systems, and a "large contingent" of security engineers. Ascension's vendors also need to be kept in the compliance picture, and Johnson has appointed a paralegal specifically for this job. "It's vital that your vendors understand they are part of the security loop."

But the next issue looming on Johnson's horizon is Indiana's data breach notification law, which went into effect during the summer. "Many of our patients actually come from different states, and with 22 different breach laws out there, it is getting to really complicate things."

James Rogers, Senior Editor, Byte and Switch

  • EMC Corp. (NYSE: EMC)

  • StoredIQ Corp.

  • Symantec Corp. (Nasdaq: SYMC)

  • Vericept Corp.

  • Xiotech Corp.

  • Yahoo Inc.
