For The Children’s Hospital of Philadelphia (CHOP), keeping patient data safe is critical. CHOP is upgrading its domain controllers to the Windows Server 2012 operating system to take advantage of Dynamic Access Control, a feature that makes
it easier to authenticate user access rights. With the upgrade, CHOP can enhance patient data safety, reduce IT costs, and improve IT staff effectiveness by relieving employees of mundane infrastructure chores.
Since its start in 1855 as the nation’s first hospital devoted exclusively to caring for children, The Children's Hospital of Philadelphia (CHOP) has been the birthplace for many dramatic firsts in pediatric medicine. The 516-bed facility has fostered
many medical discoveries and innovations. In addition to its main hospital in Philadelphia, CHOP has 44 satellite locations and 17 community-hospital partnerships.
The hospital’s IT staff cares for about 700 servers running the Windows operating system and a variety of business and healthcare applications. A key concern is keeping patient data confidential as it moves between 12,000 employees across dozens of locations.
“There are stringent regulatory requirements that healthcare organizations have to follow regarding patient data and stiff fines for noncompliance,” says Mike Mercogliano, Supervisor of Systems Operations in The Children’s Hospital of Philadelphia IT department.
“We take the security of patient data very seriously.”
An employee in a satellite location might unknowingly put patient data on a file server that was not secure. Or an employee might change jobs within CHOP and, with that job change, lose access to certain kinds of data. Making sure
that access rights were enforced was sometimes a problem.
The hospital also wanted to find a way to deliver IT services in a less expensive and more centralized manner. While central IT staff handled employee onboarding and terminations, other IT groups were responsible for the daily administration of file-level security
using a mix of manual and automated processes. Additionally, the IT team used VMware to virtualize its server infrastructure but had not virtualized domain controllers because of concerns about data accuracy.
CHOP learned about the Windows Server 2012 operating system and was particularly interested in the Dynamic Access Control feature, which promised to help safeguard patient confidentiality. Dynamic Access Control provides the ability to grant access to
file server data using claims-based authentication included in standard Active Directory domain controllers.
The IT staff worked with Microsoft Services Consulting to set up a Windows Server 2012 test environment—an HP ProLiant DL360 server running Windows Server 2012 Datacenter. CHOP imported its Active Directory accounts into this lab environment and created several
virtual domain controllers.
By using Dynamic Access Control and the title attribute in Active Directory, the CHOP team was able to limit access to data. When employees change groups and titles, Dynamic Access Control captures those changes from the company’s enterprise resource planning
system and automatically shuts off or enables data access as cued by title change.
The team is also excited about using the Server Core installation option for Windows Server 2012—a scaled-back installation. “Server Core enhances security by providing less vulnerability to security breaches but also by preventing anyone from walking up
to a server and accessing data,” says Dan Flynn, Systems Engineer at The Children’s Hospital of Philadelphia.
Flynn and Mercogliano also liked the improved Active Directory Administrative Center, which provides an improved recycle bin that makes it easier to manage and restore deleted objects, a more fine-grained password policy, and a Windows PowerShell history
viewer. “Having this graphical user interface utility has really been a plus,” Flynn says. “The dashboard lets us manage a number of servers centrally instead of connecting to each server individually.”
During its evaluation, CHOP also tested the Hyper-V virtualization technology in Windows Server 2012. “The ability to manage both Hyper-V and VMware environments with Microsoft System Center will be great,” Flynn says. “We are paying for System Center in
our license but haven’t used it yet.” CHOP completed testing, deployed several production servers, and is in the process of upgrading all of its domain controllers to Windows Server 2012 and deploying Microsoft System Center 2012.
By upgrading to Windows Server 2012, The Children’s Hospital of Philadelphia will realize the following benefits:
Enhanced patient data safety. CHOP now has greater control of data access rights. “By using Dynamic Access Control, we can automate the updates to our Active Directory group information when employees change jobs and, thereby, eliminate
human error,” Mercogliano says. “By creating rules in Dynamic Access Control, we can ensure that payment information, Social Security numbers, and other information remains secure. We can prevent files from being written to places they shouldn’t be.”
Adds Cathy Beech, Chief Information Security Officer for The Children’s Hospital of Philadelphia, “We are committed to maintaining a culture of safety for our patients and their families, and they trust CHOP to manage and monitor access to their health information.
Using Dynamic Access Control aligns with our Information Security Program.”
Reduced IT costs. The IT staff expects that it will be able to streamline the IT work related to new-employee onboarding as it implements policy-based data access. It also expects to see fewer help-desk calls, because employees will have
access to data based on their job titles and will not need to request access to individual file servers. “Data storage at CHOP is growing at a rate of 30 to 50 percent a year,” Mercogliano says. “Improving file-level security by implementing central access
policies will greatly reduce the risk of data loss and minimize the need to add staff as our data grows.”
More effective use of IT staff. The IT staff will have more time to spend creating applications that help clinicians heal patients rather than on mundane infrastructure chores like managing document access rights. “Dynamic Access Control
in Windows Server 2012 will help minimize the time required to monitor and maintain individual file and access permissions,” says Bob Bartelt, Chief Technology Officer at The Children’s Hospital of Philadelphia. “Also, the ability to virtualize our domain
controllers will improve supportability and streamline hardware upgrades. Anything we can do to reduce time spent on infrastructure maintenance frees up time to support our healthcare mission.”