December 08, 2021

St. Luke’s University Health Network makes compliance painless with Microsoft Security tools

The St. Luke’s University Health Network IT security team found a way to blend meticulous compliance with a supportive, employee-centric touch. The tools it needs to walk that line while also seamlessly coordinating with HR lie within its Microsoft 365 E5 security and compliance tools. Complying with regulations like HIPAA demands deep visibility into data. St. Luke’s uses the Insider Risk Management solution to spot suspicious employee activity while respecting user privacy and educating its workforce about best practices. It’s a win-win approach that keeps patient data safe and helps employees stay productive.


“Thanks to Insider Risk Management, our HR team can jump in before we suffer a catastrophic issue. We rely on its synergy with our other Microsoft Security solutions to be much more proactive and boost compliance.”

David Finkelstein, Chief Information Security Officer, St. Luke’s University Health Network

As a large health system in a highly regulated sector, St. Luke’s University Health Network faces a formidable compliance challenge, chiefly the Health Insurance Portability and Accountability Act (HIPAA), the federal law that mandates protection of sensitive personal health information. St. Luke’s also holds itself to high standards for patient privacy beyond the numerous regulations it must satisfy to maintain its various accreditations and certifications. What would otherwise be a daunting burden is easier, faster, and more reliable with connected Microsoft Security solutions and compliance aids like Insider Risk Management in Microsoft 365.

Complying with a web of widely varying regulations

HIPAA is just the beginning of hospital regulation. Added to that are accreditation requirements such as those of the Joint Commission (formerly JCAHO). Other healthcare regulatory agencies and programs, including the Children’s Health Insurance Program, Medicare, and Medicaid, impose reporting and data-handling requirements of their own.

For St. Luke’s Chief Information Security Officer David Finkelstein, top-level security and compliance management is all about easy access to insights. St. Luke’s is subject not only to healthcare compliance but also to payment-industry requirements such as the Payment Card Industry Data Security Standard (PCI DSS). That regulatory diversity means that St. Luke’s needs to examine vast quantities of diverse data. HIPAA alone requires an in-depth examination of 14 different areas spanning administrative, physical, and technical safeguards. With 13 hospitals, the network’s compliance obligations are complex.

Turning to Microsoft for easier-than-ever compliance

To ensure the highest possible level of compliance, Finkelstein implemented the National Institute of Standards and Technology (NIST) Cybersecurity Framework at St. Luke’s; NIST and the U.S. Department of Health and Human Services have cross-walked that framework to the HIPAA Security Rule, so work done under one maps onto the other. It’s a structured program that Finkelstein describes as a demanding but straightforward approach to building a security program. He appreciates the connections to HIPAA in Microsoft solutions that make life easier for his team. “The great thing about the vulnerability management tool in Microsoft Defender for Endpoint, plus Microsoft Defender for Cloud Apps, Microsoft Sentinel, and Exchange, is that they all incorporate the HIPAA standard,” he says. “We can see on our dashboard how compliant we are and which regulations we need to satisfy.”

Finkelstein finds that the Microsoft Security solutions that make his work as a CISO easier also facilitate compliance. St. Luke’s uses Microsoft Sentinel and the Microsoft Defender suite. “We use the Microsoft environment to ensure that our data is accurate, that the entire picture we’re seeing makes sense, and that all of our security and compliance tools are aligned,” he says. “The great thing about the automation that’s built into the Microsoft Security tools is that we can positively state what degree of compliance we are achieving with our own internal standards for technical and administrative information.”

In the past, hospital administrators have had to worry about surprise visits from compliance bodies—not because of fear that their institutions weren’t doing the right thing, but because of the mounds of information that would have to be summarily produced. The regulators themselves would be faced with weeks of sifting through data and systems, and would have to make an educated guess at the degree of compliance—and thus the work the hospital would have to do before the next inspection. “Now our risk assessments and visits by the JCAHO aren’t as stressful,” says Finkelstein. “We have the tools we need, like the eDiscovery and compliance capabilities in Microsoft 365, to show them how compliant we are in real time and save regulators all that guesswork. That makes the conversation much easier.”

Ensuring device compliance

Finkelstein’s team appreciates the tightly connected Microsoft tool set that affords visibility across its estate. St. Luke’s needs to ensure that employees comply with its own standards for data safety and patient privacy. That means examining employee access activity and ensuring that the devices they use are as secure as possible, using Microsoft Endpoint Manager. “When we began our Microsoft 365 journey in 2018, one of the first things I brought up was our need to see information about which devices aren’t up to date and which, if any, employees are attempting to access data that they shouldn’t,” he recalls. “And we need to be able to present that information to the relevant parties so that they can take action.”

Managing the most complex compliance risk: human behavior

The user behavior side of the equation is more intricate. It’s easy for employees to inadvertently click a malicious link or open a phishing email. Finkelstein credits the health network’s supportive culture for coaching employees on best practices, engendering a pro-security environment. Now with Insider Risk Management, the Microsoft 365 tool that helps security teams find and remedy risky user behaviors, St. Luke’s adds another layer to its comprehensive compliance strategy.

Finkelstein’s team relies on Insider Risk Management to identify and correct risky user behaviors. The solution preserves employee privacy—with pseudonymization on by default—while quickly warning of improperly downloaded or shared data, as defined by the organization. The security professionals at St. Luke’s use Insider Risk Management to collaborate with the HR department, which educates employees about best practices, helping them become part of the overall security effort. “Ninety-nine percent of the risky user behaviors we observe are accidental,” says Finkelstein. “Thanks to Insider Risk Management, our HR team can jump in before we suffer a catastrophic issue. We rely on its synergy with our other Microsoft Security solutions to be much more proactive and boost compliance.”

St. Luke’s wants to make sure that electronic medical records (EMRs) are accessed only when appropriate. Like other organizations that handle confidential information, it’s concerned about privilege abuse or misuse, one of the most common breach patterns identified in the 2018 Verizon Data Breach Investigations Report. Insider risk in an environment that holds vast amounts of highly sensitive data, data that must stay current and accessible for life-and-death decisions, is a significant but manageable challenge.

The health network is working with the Microsoft Insider Threat product team to establish benchmarks for how much information a medical assistant or other hospital worker would typically access and how to create guardrails that define when someone might be exceeding proper access. “Did the worker modify the EMR? Did they download it to their device? What constitutes proper, normal behavior? Those are the questions we’re asking,” says Finkelstein.
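The baselining approach described above, a per-role norm for how many records a worker typically touches and a guardrail that fires when someone exceeds it, can be sketched in a few lines. The following is an added example written for this page, not code from St. Luke’s, Microsoft, or Insider Risk Management; the audit-event shape, the role names, the sample volumes, and the median/MAD threshold are all assumptions chosen for illustration.

```python
"""Role-based baseline for EMR access volume (constructed illustration).

Each audit event is (date, user, role, action, record_id). For every
(date, role) the script computes the median and median absolute deviation
(MAD) of distinct records touched per user, then flags users whose count
exceeds median + max(k * 1.4826 * MAD, min_margin). Download counts are
attached to each finding so a reviewer can see whether data left the EMR.
"""
from collections import defaultdict
from statistics import median


def build_sample_events():
    """Constructed sample data (not real audit logs). One day of activity."""
    events = []
    day = "2021-11-01"
    # Six typical medical assistants: 19-24 distinct records each, view only.
    for i in range(1, 7):
        for r in range(18 + i):
            events.append((day, f"ma_{i:02d}", "medical_assistant", "view",
                           f"MRN{1000 + i * 100 + r}"))
    # Outlier: ma_07 views 120 distinct records and downloads 30 of them.
    for r in range(120):
        events.append((day, "ma_07", "medical_assistant", "view", f"MRN{9000 + r}"))
    for r in range(30):
        events.append((day, "ma_07", "medical_assistant", "download", f"MRN{9000 + r}"))
    # Five nurses: 32-40 distinct records each, a higher but normal volume.
    for i in range(1, 6):
        for r in range(30 + i * 2):
            events.append((day, f"rn_{i:02d}", "nurse", "view",
                           f"MRN{2000 + i * 100 + r}"))
    return events


def per_user_daily_counts(events):
    """Map (date, role, user) -> number of distinct records touched that day."""
    touched = defaultdict(set)
    for date, user, role, _action, record in events:
        touched[(date, role, user)].add(record)
    return {key: len(records) for key, records in touched.items()}


def role_baselines(counts):
    """Map (date, role) -> (median, MAD) of per-user distinct-record counts."""
    by_role = defaultdict(list)
    for (date, role, _user), n in counts.items():
        by_role[(date, role)].append(n)
    baselines = {}
    for key, values in by_role.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)
        baselines[key] = (med, mad)
    return baselines


def flag_excess_access(events, k=3.0, min_margin=10):
    """Return findings for users whose daily volume exceeds their role baseline.

    min_margin keeps a tight cluster (MAD of 0) from flagging a user who is
    only one or two records above the median; 1.4826 scales MAD to a normal
    standard deviation so k reads like a z-score.
    """
    counts = per_user_daily_counts(events)
    baselines = role_baselines(counts)
    downloads = defaultdict(int)
    for date, user, role, action, _record in events:
        if action == "download":
            downloads[(date, role, user)] += 1
    findings = []
    for (date, role, user), n in counts.items():
        med, mad = baselines[(date, role)]
        threshold = med + max(k * 1.4826 * mad, min_margin)
        if n > threshold:
            findings.append({
                "date": date, "role": role, "user": user,
                "records": n, "role_median": med, "threshold": threshold,
                "downloads": downloads[(date, role, user)],
            })
    return sorted(findings, key=lambda f: (f["date"], f["role"], f["user"]))


if __name__ == "__main__":
    for finding in flag_excess_access(build_sample_events()):
        print(finding)
```

In practice the baseline window would be weeks rather than one day and the roles would come from the HR system that Insider Risk Management already integrates with, but the shape is the same: a norm per role, a threshold above it, and enough context (here, download counts) for HR and security to decide whether the excess is an accident or a case to escalate.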

Bringing a critical healthcare system through a pandemic

The hard work the St. Luke’s team has done over the past three years to deploy Microsoft Security solutions and standardize on Microsoft 365 productivity apps paid off when COVID-19 descended in early 2020. Finkelstein and his counterpart in Operations had hours to reimagine a remote workforce. “Technology saved us,” says Finkelstein. “Microsoft Teams saved us. Having 80 percent of the security landscape we’d envisioned years earlier rolled out and ready saved us. There were many stressors during that time, but the technology was not one of them.”

With that accomplishment complete, the security team continues to build on and refine St. Luke’s security and compliance environment. Rather than being cast as a compliance enforcer, Finkelstein finds that the connected nature of the Microsoft solutions his team uses helps automate compliance and create a security-conscious culture that democratizes responsibility for compliance. That frees him to spend more time working with fellow executives throughout the health network to help them realize their goals with the technologies they need. In fact, he now also holds the role of Solution Leader at St. Luke’s.

Data makes the difference between the before and after at St. Luke’s University Health Network. “Information makes compliance so much easier than it was before we began using Microsoft Security solutions,” concludes Finkelstein. “We’re seeing significant change in the way that we manage our endpoints and our servers and our applications because we can see the data. And the beauty of Microsoft tools is that they continue to expand and grow.”


