November 04, 2019

St. Luke’s University Health Network secures digital health transformation with Microsoft 365

St. Luke’s University Health Network (SLUHN) looks to the cloud to define a new way of providing health services—free of the encumbrances of on-premises infrastructure and yesterday’s workplace tools. The health network, consisting of 10 hospitals and 300 sites across 10 counties in Pennsylvania and New Jersey, has embarked on a digital health transformation journey using the Microsoft 365 productivity cloud to empower its 15,000 employees with intuitive tools that protect sensitive information, optimize health team collaboration, and improve patient experience.


“St. Luke’s turned to the cloud for speed, security, and agility,” says Chad Brisendine, Chief Information Officer at SLUHN. “We’re getting rid of infrastructure and automating IT processes, so we can shift our skills to sourcing and delivering more business value-added solutions. With Microsoft, we implemented multiple security software enhancements in less than four months. With a cloud solution, we’re only paying for what we use, reducing costs.”

“The beauty of a lot of the Microsoft platforms, especially Teams and Yammer, is that they're all built with security behind it,” adds David Finkelstein, Chief Information Security Officer at SLUHN. “That includes encryption and other tools that ensure the data we share is very safe.”

Securing health communications to improve care

SLUHN has clear priorities when it comes to its digital health transformation: improve patient and employee experience through highly secure health team communications that help protect sensitive data. “Data safety is important to SLUHN because we need to understand who is accessing our data at all points and how it's encrypted as it traverses the network,” says Erin Boris, Information Security Strategic Specialist at SLUHN. “Any threat that gains access to our network could gain access to our health records. Right now, health records are considered very valuable by malicious hackers.”

“With more than a million records at St. Luke's, it's our responsibility to protect patient information and keep the trust of our patients, so they know they are safe in our hands,” confirms Brisendine. “And Microsoft helps us protect that data in secure environments, such as the Teams collaboration platform.”

Enabling mobility and agility at this level requires a balance between giving providers the tools they need and protecting personal health data to comply with regulations, something that Finkelstein sees as his first priority at SLUHN. “Teams is a perfect example of how we can maximize productivity and minimize risk,” says Finkelstein. “The beauty of Microsoft 365 tools is that they make it easy to help secure health information and empower care teams at the same time.” With Microsoft Teams deployed on mobile devices, providers connect through chat, video, and voice. Employees also access the network’s electronic medical record (EMR) and scheduling software, creating a mobile hub for efficient patient care.

SLUHN has a bring-your-own-device (BYOD) program. It uses Microsoft Intune to manage the mobile devices providers and administrative staff carry with them in clinical and office settings to access Office 365 apps, EMR data, and SLUHN’s scheduling solution. “We are expanding our Intune use exponentially,” says Finkelstein. “Maintaining compliance while enabling BYOD is much simpler now that we can compartmentalize work and personal apps on the phone. If a staff member loses their device, or leaves the network, it’s a simple matter to wipe data from the Outlook client and any SLUHN business apps.” If an employee leaves SLUHN, the team can remove the hospital’s applications and data without affecting the personal data on the device.

Simplifying security with interoperable solutions  

SLUHN takes advantage of the interoperable intelligent security services within Microsoft 365—across Windows 10, Office 365, and Enterprise Mobility + Security—to save time while enhancing the hospital network’s security posture. With a single suite of interoperable, cloud-based security services, IT staffers don’t have to piece together disparate solutions. “The fact that Microsoft has developed a platform approach to cloud security is a huge boon to any healthcare security professional,” says Finkelstein. “Microsoft is well ahead of the game in providing powerful tools that help healthcare organizations compensate for small IT teams. We operate with only six people overseeing security for 17,000 employees. We replaced 13 point solutions with one platform consisting of eight interoperable security solutions with Microsoft 365. Now we can focus on the bigger security threats that come into our organization.”

For an at-a-glance measurement of SLUHN's overall security posture, Boris uses Microsoft Secure Score. “Secure Score gives a holistic view of the environment that we use to prioritize security concerns as they arise.”

SLUHN takes advantage of a triumvirate of advanced threat protection (ATP) solutions available in Microsoft 365: Microsoft Defender ATP, which is built into the Windows 10 operating system and helps prevent and respond to cyberthreats; Office 365 ATP, a cloud-based email filtering service that helps protect email and data in Office 365 apps; and Microsoft Azure ATP, which helps SLUHN protect employee identities and alerts IT to unusual behavior.

“Each of these products provides insight into a different threat vector,” says Boris. “With Azure ATP, we get alerts if anyone tries to perform a lateral movement or a brute force attack. Now our team and our system engineers better understand these alerts. Microsoft Defender ATP provides post-breach analysis—great new territory for us to explore. We use Office 365 ATP primarily for monitoring unsafe practices with email. For example, we see immediately if someone sets up a forwarding rule so we can take steps to prevent employees from forwarding their St. Luke's email to their personal accounts.”

“The analytics that come across multiple areas reduce the number of false positives, so we don’t have to spend cycles figuring out if the threat is actually occurring,” adds Finkelstein. “The amount of information that we get now is eye-opening.”

And using Microsoft Defender ATP, SLUHN can see exactly when a threat enters the system, its impact, and any remediation steps to take. “The threat analytics in Microsoft Defender ATP are very promising,” says Finkelstein. “Using Symantec for five years, we never had this level of information. Not only do you get real-time attack information, you also get suggestions about how to prevent it from happening again.”

Protecting data in cloud applications

Midway through a Microsoft Cloud App Security deployment, SLUHN has already gained visibility into its many unmanaged, third-party software as a service (SaaS) apps, solving a major pain point. “One of our challenges prior to deploying Cloud App Security was detecting shadow IT,” says Boris. “Gaining that visibility through Cloud App Security helps us with software inventory, app rationalization, and most importantly, data loss prevention.”

“Cloud App Security has already discovered unsupported apps, a huge help in closing down potential data leaks,” continues Boris. “We have the ability to block unsupported cloud applications with one click, which we've never had before.”

Boosting compliance

When Finkelstein joined SLUHN five years ago, his job was to build a policy process standard that allowed the network to be much more data compliant with regard to moving, storing, and encrypting data. There were 22 solutions for security and compliance, which required multiple “bolt-ons” to connect and monitor endpoints and devices across the network. It was a daunting effort for IT staff.

“The beauty of the Microsoft security and compliance platform is that we can see the actual data that proves how compliant our employees are,” says Finkelstein. “So, we're able to confirm that our users are even more compliant than they think they are. And being able to remediate risks, making those changes in seconds instead of days, is amazing. The morale of my team has gone up exponentially.”

When it comes to the Health Insurance Portability and Accountability Act (HIPAA), SLUHN follows the National Institute of Standards and Technology (NIST) standards. “And because Microsoft has followed some of those same NIST standards, and guidelines and processes, when we evaluated their security and compliance tools, it was very easy for us to take that onboard,” says Finkelstein.

SLUHN looks forward to using Microsoft Information Protection to simplify how it complies with HIPAA, especially when it comes to data loss protection. “Now that Microsoft Information Protection includes exact data matching capabilities, we’ll be better equipped to prevent leakage of specific patient social security numbers, addresses, and birth dates, not just generic number ranges,” says Boris. “We can export a master patient record and use it to check all data that leaves our organization. If it matches it, it will either prevent it from leaving or send us an alert. This is a big step forward.”

As SLUHN deploys Microsoft 365 security and compliance solutions to support its digital health transformation, the network also improves overall patient experience. “At the end of the day, we can say to the patient, alongside the quality of health services you receive, protecting your data is the most important thing to us,” concludes Finkelstein. “Thanks to Microsoft 365, that’s one more way we can differentiate the culture of care at St. Luke’s.”

Find out more about St. Luke’s University Health Network on Twitter, Facebook, and LinkedIn.

Read more on St. Luke's Microsoft 365 chapter, St. Luke's Teams chapter, and St. Luke’s Critical Care chapter.

