Case Study: Crowe Helps Triage Information Security at Greenville Health System
Feb. 24, 2015
Greenville Health System (GHS) is a public not-for-profit academic health system. Headquartered in Greenville, S.C., GHS has six medical campuses, five acute care hospitals, and four specialty hospitals in addition to other facilities and practice sites. The organization has approximately 1,350 beds and revenue of approximately $1.8 billion.
“As GHS continued to grow, we wanted to take a fresh look at information security throughout the enterprise,” said CIO Rich Rogers. “We are aware of information security concerns in the industry and wanted to make sure the GHS security framework was up to date.” GHS engaged Crowe Horwath LLP to provide a new perspective on GHS’ information security, revise its information security strategy, and assist with executing that strategy.
Information security cannot be addressed by focusing on a single component of the issue. In other words, information security is not a technology problem; it requires effective people, processes, and technology controls.
Crowe isolated and managed controls by separating “governance” controls (policies and procedures, roles and responsibilities, and risk management) from operational “security domains” (regulatory compliance, data protection, logical and physical security, logging and monitoring, and management of business continuity, threats and vulnerabilities, employees, security configuration, security changes, and third-party risks). As a result, Crowe was able to 1) assess broad topics without redundant entity-level controls, such as overlapping policies, and 2) report the information security status in a snapshot.
Through the combined efforts of GHS and Crowe, information security awareness was elevated throughout the organization, including the information security function. As advised by Crowe, GHS also put additional information security initiatives in place related to the Health Insurance Portability and Accountability Act, meaningful use, and the Payment Card Industry Data Security Standard. These initiatives have had a positive impact on compliance and enhanced GHS’ information security posture.
Crowe continues to assist GHS with different aspects of information security, but GHS now has the tools and processes to maintain the efforts Crowe initiated – thus allowing GHS information security to mature while Crowe uses its resources in areas with the most impact on the organization.
Excerpted and posted with permission to Crowe Horwath from Consulting® magazine, April 2014 © 2014 Kennedy Information, LLC
Keene, NH 03431-3744 USA Tel: 800.531.0007 or 603.357.8110 Fax: 603.357.8111