Neuromonitoring company protects patient information in transit through Total Access Control
Axis Neuromonitoring provides intraoperative neurophysiological monitoring (IONM) services for dozens of hospitals across Texas. The healthcare company provides both an onsite technologist who works with surgeons in the operating room (OR) and an offsite interpreting physician who monitors neural pathways throughout a procedure, giving surgeons instant feedback on the condition of their patients.
The Axis Neuromonitoring technologist protects patients by continuously monitoring the central nervous system (the brain, spinal cord, and nerves) when it is at risk during surgery. Depending on the procedure, a variety of tests can be used to measure the nervous system function. A trained IONM technologist, under the supervision of a qualified professional, constantly monitors the information from the tests. If there are any changes or potential problems, the technologist can immediately alert the surgeon and nurses.
The IONM company has 75 employees based in Houston, Dallas, San Antonio, Lubbock, Abilene, and Wichita Falls. It also has contract employees who require remote access.
Electronically Stored, Protected Health Information (ePHI)
In 2018, the IT director began looking for an access control solution for the company's billing department in Dallas, which wanted to enable staff to work remotely as needed – for instance, when a child was sick, when workers were expecting a visit at home, or for out-of-state workers.
At the time, the company's IT director was controlling access with AppLocker policies, creating and editing group policy objects (GPOs) by hand – a manual, exhaustingly time-consuming approach that severely limited the director's ability to focus on the company's more strategic IT initiatives.
Axis Neuromonitoring also needed to ensure whichever access solution it brought in adhered to the federal HIPAA privacy and security requirements to safeguard patients’ electronically stored, protected health information (ePHI). That information is held both onsite, on the technologists’ workstations and in the USMON electronic medical record (EMR). Axis Neuromonitoring had recently begun to migrate away from the Allscripts EMR to USMON’s medical data workflow platform.
“We needed to securely control access to ePHI in both systems as well as in the patient case files located on the remote workstations, as insurance appeals can take a long time to reconcile,” the IT director said. “That means our admin – even today, five years later – still needs to control access to both the legacy Allscripts application and new patient files while those insurance cases go through the appeals process.”
After researching potential solutions, the IT director settled on solutions from two vendors for final consideration: F5 Networks and PortSys. However, even the most basic F5 solution was much more complicated than Axis Neuromonitoring required, and also very expensive. F5 also required physical equipment to be added, introducing even more complexity to the company’s infrastructure that the IT director wanted to avoid as well.
TAC Quickly Expands
After receiving demos and bids from both companies, Axis Neuromonitoring selected Total Access Control™ (TAC) from PortSys, based on the Zero Trust solution’s extensive secure mobility capabilities, minimal impact on the company’s infrastructure, and lower overall cost. The company was able to quickly implement TAC for the billing department in three days, but then also realized that the reverse proxy solution was ideally suited to make life easier – and access much more secure – for its technologists on site in the OR, for its interpreting physicians, and for access to its financial software as well.
“Originally, owning and protecting our patient case files was the biggest thing we wanted to accomplish with a new access control solution,” the IT director said. “TAC enabled us to bring a comprehensive, heightened security approach to our mobility challenges – not just for billing purposes, but also for our OR technologists who travel from hospital to hospital around the state, and for our interpreting physician experts, wherever they may be working from. And once the pandemic hit in March 2020, we had to put our mobility strategy into overdrive almost overnight across our entire enterprise, for all personnel within the company.”
Originally, the company’s IT department envisioned connecting the technologists in the hospital and the monitoring physicians working remotely through a CadLink server that was hosted on premise.
“We looked into the possibility of using CadLink, a Cadwell technology, to connect to the back-end server in Dallas to organize and manage our patient files,” said the IT director. “But we quickly found that TAC could make us much more HIPAA-compliant than RD Web, a third-party VPN, and even Microsoft Azure right off the bat.”
That is because, as a procedure takes place, the patient's ePHI is encrypted in transit from the workstation in the OR, through TAC's secure proxy gateway, to the company's on-premise server. Once the operation is completed and the technologist clicks to close the file, the case finishes uploading to the server and the ePHI is removed from the technologist's workstation. If the workstation were stolen, or the BitLocker key for that workstation compromised, the ePHI from the operation would no longer be present on that physical device.
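The close-out step described above (upload the case file to the server, then remove it from the OR workstation) is only safe if the local copy is deleted after the server-side copy is known to be complete. The following PowerShell function is an added example written for this page, not PortSys or TAC code, and the share path, file name, and the use of a file share published through the proxy are all assumptions for illustration; TLS on the wire is the proxy gateway's job and is not handled here. It hashes the local file, copies it to the server, refuses to delete the local copy unless the server-side hash matches, and overwrites the file once before deleting it so the plaintext is not recoverable by undeleting the file from the BitLocker-unlocked volume.

```powershell
# Added example (not PortSys/TAC code). Paths and share names are assumptions.
function Complete-CaseFile {
    param(
        [Parameter(Mandatory)] [string] $LocalPath,    # e.g. C:\Cases\case-0117.dat (assumed)
        [Parameter(Mandatory)] [string] $ServerFolder  # e.g. \\cases.axis.local\cases (assumed; reached via the proxy)
    )

    if (-not (Test-Path -LiteralPath $LocalPath)) {
        throw "Case file not found: $LocalPath"
    }

    $localHash = (Get-FileHash -LiteralPath $LocalPath -Algorithm SHA256).Hash
    $dest = Join-Path $ServerFolder (Split-Path -Leaf $LocalPath)

    # Copy the case file over the proxied connection.
    Copy-Item -LiteralPath $LocalPath -Destination $dest -Force

    # Never delete the only copy: verify the bytes on the server first.
    $remoteHash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    if ($remoteHash -ne $localHash) {
        throw "Upload verification failed for $LocalPath (local $localHash, server $remoteHash); local copy retained."
    }

    # Overwrite the local file once before deleting it. A plain delete leaves the
    # plaintext recoverable by anyone who can unlock the volume; one pass of zeros
    # is enough to defeat file-system undelete on a BitLocker-protected drive.
    $length = (Get-Item -LiteralPath $LocalPath).Length
    $stream = [System.IO.File]::Open($LocalPath, 'Open', 'Write')
    try {
        $zeros = New-Object byte[] 65536
        $remaining = $length
        while ($remaining -gt 0) {
            $chunk = [int][Math]::Min($zeros.Length, $remaining)
            $stream.Write($zeros, 0, $chunk)
            $remaining -= $chunk
        }
        $stream.Flush($true)   # flush through to disk, not just the OS cache
    } finally {
        $stream.Dispose()
    }
    Remove-Item -LiteralPath $LocalPath -Force

    [pscustomobject]@{
        ServerCopy   = $dest
        Sha256       = $remoteHash
        LocalRemoved = -not (Test-Path -LiteralPath $LocalPath)
    }
}

# Usage (placeholder values):
# Complete-CaseFile -LocalPath 'C:\Cases\case-0117.dat' -ServerFolder '\\cases.axis.local\cases'
```

The ordering is the point: hash, copy, verify, then wipe and delete. If the proxy session drops mid-copy, the function throws and the technologist still has the case file, which is the failure mode a "disappears from the workstation" design must get right.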
TAC’s Segmentation Protects Against Attacks
The Axis Neuromonitoring IT director was also impressed with TAC’s segmentation capabilities.
“When users in the billing department access resources on the back-end servers from home, there has to be some sort of segmentation, or else you leave your infrastructure wide open to attacks,” the IT director said. “At the time, we utilized a single terminal server hosting multiple applications, so multiple people could access it. If a hacker somehow stole a user’s credentials and was able to access the terminal server, the microsegmentation in TAC prevents any lateral movement from the application they used to gain entry to other applications, since they were only authenticated for that single application.”
The IT director credits TAC with making his life much easier, especially when it came to setting up individual and group security policies.
“Before TAC, we used AppLocker to set up the group policy objects, and even though I could do it by user or security group, it was a superb pain in the butt,” the IT director said. “We had people leaving the company and then boomeranging to come back to work for us, so each time that happened we would have to go through the steps of locking them out of our resources and then giving them permissions to get back in. It was a heavy lift for a small IT department.”
Another issue was shadow IT: users installing a new application on the terminal server without the admin's knowledge. AppLocker would not necessarily block access to that application if the appropriate rules had not been applied to it, leaving more holes in the attack surface. If attackers were able to reach that application through a full RDP desktop session, they could then pivot from it to the other applications on the same server.
“With TAC, we were able to limit lateral movement by segmenting the resources and using RDP remote apps to lock them down,” the IT director said. “We were able to accomplish this much more secure state seamlessly through TAC without having to lock everything down in Active Directory on policies and then go into AppLocker to also lock everything down on that individual server.”
TAC Makes Admins & Users More Productive
Before TAC, Axis Neuromonitoring held a three-day seminar for its technologists to meet HIPAA requirements. During that seminar, the admin would have to go through every technologist’s workstation, download the patient files that were still on there, and then wipe the workstations clean.
“This was a very long process, where we would have to write over that data at least 10 times with zeroes and ones,” said the IT director. “It would take at least 30 minutes for every workstation if we did it on site during the seminar, and double that amount of time if we did it remotely. And we had to do that for 40 technologists every six months.”
Now, with TAC the patient case file is encrypted in transit and uploaded in real time to the server, before disappearing from the workstation. “What used to take me a full week to accomplish is now done in a flash, and we’ve become even more HIPAA-compliant,” the IT director said.
TAC also improved the user experience, the IT director said, especially for the technologists who are logging in from the OR.
“If you’re an office worker, you’re signing in to Microsoft 365 every day, so you’re not as likely to forget your password,” the IT director said. “However, our technologists are not logging in every day, so TAC’s ability to implement password reminders and resets in real time was critical for them as well as the other folks in the OR working with them. Before TAC, a new password could take anywhere from three minutes to three hours to update on Active Directory, during which time the technologist – or any other user – could be locked out of the applications they needed to do their jobs.”
Because the technologists did not log in every day, Axis Neuromonitoring’s IT director set up reset reminders 14 days before their passwords expired, which took the onus off the technologists to remember to reset their passwords. Resets made through TAC were applied in Active Directory immediately, so no time was lost on the front lines in the OR.
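The 14-day reminder window described above depends on knowing, per account, when Active Directory will actually expire the password, which is governed by the domain or fine-grained password policy rather than a fixed date. The PowerShell function below is an added example written for this page, not TAC's own reminder mechanism; it uses the RSAT ActiveDirectory module, and the OU name is an assumption. It reads the constructed attribute msDS-UserPasswordExpiryTimeComputed (which already accounts for whichever policy applies to the user) and returns the enabled accounts whose password expires within the window, including ones that have already lapsed, so the list can feed whatever reminder path is in use.

```powershell
# Added example (not TAC code). Requires the RSAT ActiveDirectory module; OU is assumed.
Import-Module ActiveDirectory

function Get-ExpiringPasswords {
    param(
        [int]    $WithinDays = 14,                                   # reminder window used in the text
        [string] $SearchBase = 'OU=Technologists,DC=axis,DC=local'  # assumed OU
    )

    $now = Get-Date

    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
               -SearchBase $SearchBase `
               -Properties 'msDS-UserPasswordExpiryTimeComputed', 'mail', 'PasswordLastSet' |
      ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # The attribute is absent, 0, or Int64.MaxValue when no expiry applies; skip those.
        if (-not $raw -or $raw -eq [long]::MaxValue) { return }

        $expires  = [DateTime]::FromFileTime($raw)
        $daysLeft = [int][Math]::Ceiling(($expires - $now).TotalDays)

        if ($daysLeft -le $WithinDays) {
            [pscustomobject]@{
                User      = $_.SamAccountName
                Mail      = $_.mail
                LastSet   = $_.PasswordLastSet
                ExpiresOn = $expires
                DaysLeft  = $daysLeft   # negative: already expired and will fail at next logon
            }
        }
      } | Sort-Object DaysLeft
}

# Usage: run daily from a scheduled task on a management host.
# Get-ExpiringPasswords -WithinDays 14 | Format-Table -AutoSize
```

Filtering on PasswordNeverExpires keeps service and break-glass accounts out of the reminder list, and sorting by DaysLeft puts already-expired technologists (negative values) at the top, which are the ones about to be locked out in an OR.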
“With TAC it’s very simple,” the IT director said. “They click on the TAC icon, they sign on, they click on the required application, and boom, the monitoring application is connected to our back-end servers. Nice and simple – three browser tabs, and next thing you know you’re in surgery.”
TAC Creates a Competitive Advantage
TAC also enabled Axis Neuromonitoring to reduce its IT security sprawl and its exposure at the same time. Previously, the company used Cisco AnyConnect VPN, which at the time had a reputation among attackers for being vulnerable. Installing and configuring workstations for Cisco AnyConnect was also exceedingly difficult, whether the user was local or remote. “Once TAC came into play, Cisco AnyConnect VPN went bye-bye,” the IT director said. “And that saved us a lot of money.”
The end result today, the IT director said, is that “compared to all other IONM companies, Axis Neuromonitoring is much, much more HIPAA-compliant and secure because of TAC. And that provides a great competitive advantage for our company.”