Fixing IT Security Risks at an Academic Hospital and Trauma Center


Healthcare information technology security is a common casualty of the M&A activity that’s reshaping the hospital landscape almost daily. Kaufman Hall, a healthcare consulting firm that tracks hospital mergers and acquisitions, reported that a record 115 separate hospital transactions were announced in 2017 alone.

As hospitals change hands, so do their health IT systems. That exposes those systems to new risks and threats during and after the transactions. It also requires legacy health IT systems to adapt to new IT risk management and governance policies, procedures and protocols to ensure technology infrastructure is optimized to prevent IT security breaches.

One of the hospitals caught up in the wave of deal-making is University of Louisville Hospital, together with the University of Louisville James Graham Brown Cancer Center, in Kentucky. The 404-bed academic hospital and Level I trauma center (the only one in Louisville and the region) is affiliated with the University of Louisville School of Medicine.

In May 2017, U of L Hospital and U of L James Graham Brown Cancer Center’s parent health system, Catholic Health Initiatives (CHI), announced plans to divest the hospital. The divestiture is scheduled to be completed by the end of this year.

CHI has provided most of U of L Hospital’s IT security services. The hospital itself employs one chief information security officer, John Zuziak, who manages one full-time IT security staff member. John reports directly to the hospital’s chief information officer and works closely with the chief compliance officer.

Assessing the hospital’s readiness to assume responsibility for its own IT security

John’s challenge was determining whether U of L Hospital and U of L James Graham Brown Cancer Center could, on their own, protect the facility from the growing healthcare information security risks and other threats to the hospital’s clinical and financial data systems. He needed an independent, third-party review of the hospital’s IT security capabilities and vulnerabilities.

U of L Hospital and U of L James Graham Brown Cancer Center is a Change Healthcare radiology imaging customer, but was less familiar with our business continuity and disaster recovery (BCDR) and IT security services.

John said he needed an IT security partner who:

  • could perform the required IT risk assessments quickly;
  • would take a comprehensive approach to evaluating capabilities, identifying gaps and recommending solutions;
  • would offer IT solutions that tracked with recognized IT security frameworks;
  • had experience and expertise in the healthcare sector and health IT space; and
  • had a great reputation and offered a competitive price for its services.

We fit the bill, and we completed our Rapid Security and BCDR assessments in just over two weeks.

A roadmap for protecting the hospital’s data assets

We made three significant findings as a result of the assessments. The hospital needed:

  • A BCDR program that covers downtime tolerance, backup systems and systems testing
  • A more effective approach to IT asset management
  • More visibility into the IT support and IT security services

We made a number of recommendations to the hospital, each with a cost–benefit ratio, in two areas: healthcare information security and BCDR. Among our nine information technology security recommendations were that the hospital should:

  • Complete a hardware and software asset inventory
  • Revise the Active Directory design and clean it up in readiness for the cloud
  • Isolate out-of-date machines and legacy protocols to limit the spread of malware
  • Reduce duplicate and dormant Active Directory accounts
  • Establish privileged-access management to manage the risk posed by administrative accounts
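As an added illustration of the dormant- and duplicate-account recommendation (example code written for this page, not part of the assessment or of any Change Healthcare or U of L Hospital tooling), the script below inventories enabled Active Directory user accounts that have not logged on for a set period, or that appear to be the same person provisioned twice, and writes the findings to a CSV for review. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory; the 90-day inactivity threshold, the definition of "duplicate" (same DisplayName), and the report path are assumptions chosen for the example.

```powershell
# Added example, not from the original assessment: report dormant and duplicate
# AD user accounts before anyone disables anything.
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Assumptions for this example: 90 days without a logon marks an account as
# dormant, and two enabled accounts sharing a DisplayName count as duplicates.
$InactiveDays = 90
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
$ReportPath   = Join-Path $env:TEMP 'ad-account-hygiene.csv'

# lastLogonTimestamp is replicated to every domain controller (lastLogon is not),
# so one query is enough. It can lag the real last logon by up to 14 days,
# which is acceptable against a 90-day threshold. Accounts that have never
# logged on carry no value at all.
$Users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties lastLogonTimestamp, whenCreated, DisplayName, PasswordNeverExpires

function ConvertTo-LogonDate($FileTime) {
    if ($FileTime) { [DateTime]::FromFileTime($FileTime) } else { $null }
}

$Dormant = foreach ($u in $Users) {
    # Skip accounts created inside the window; they have simply not been used yet.
    if ($u.whenCreated -gt $Cutoff) { continue }
    $lastLogon = ConvertTo-LogonDate $u.lastLogonTimestamp
    if (-not $lastLogon -or $lastLogon -lt $Cutoff) {
        [PSCustomObject]@{
            Finding              = 'Dormant'
            SamAccountName       = $u.SamAccountName
            DistinguishedName    = $u.DistinguishedName
            LastLogon            = $lastLogon
            PasswordNeverExpires = $u.PasswordNeverExpires   # common on forgotten service accounts
        }
    }
}

# Duplicates: the same person provisioned twice (typical merger residue). The
# second copy is usually the one nobody monitors.
$Duplicates = $Users |
    Where-Object { $_.DisplayName } |
    Group-Object DisplayName |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        foreach ($u in $_.Group) {
            [PSCustomObject]@{
                Finding              = 'Duplicate'
                SamAccountName       = $u.SamAccountName
                DistinguishedName    = $u.DistinguishedName
                LastLogon            = ConvertTo-LogonDate $u.lastLogonTimestamp
                PasswordNeverExpires = $u.PasswordNeverExpires
            }
        }
    }

$Findings = @($Dormant) + @($Duplicates)
$Findings | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} dormant and {1} duplicate accounts written to {2}" -f `
    @($Dormant).Count, @($Duplicates).Count, $ReportPath)

# Remediation is deliberately a separate, reviewed step: disable rather than
# delete, only after the report has been checked against HR and service-account
# owners, and record the reason so the change is auditable and reversible.
# $Dormant | ForEach-Object {
#     Set-ADUser -Identity $_.SamAccountName `
#         -Description ("Disabled {0}: no logon in {1} days" -f (Get-Date -Format s), $InactiveDays)
#     Disable-ADAccount -Identity $_.SamAccountName
# }
```

The built-in `Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly` gives a quicker first pass at the dormant half of this; the explicit query above is used so the whenCreated exclusion, the password-never-expires flag and the duplicate check can be reported together, which is what a reviewer needs before any account is touched.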

Among our eight BCDR recommendations were:  

  • Conduct an enterprise-wide business-impact analysis
  • Establish downtime-tolerance and risk-appetite levels
  • Develop and adopt an enterprise-wide BCDR strategy
  • Create and operate a formal BCDR program with a three- to five-year horizon
  • Establish BCDR policies and procedures, including a regular testing calendar

Our evaluation included a 24-month roadmap for U of L Hospital and U of L James Graham Brown Cancer Center to implement the recommendations by the end of 2019. John told us he intends to use our assessments to obtain the needed resources to put programs and systems in place that protect his hospital’s systems from IT security risks, manmade and natural disasters, and other threats.

If your hospital or health system is interested in an assessment of its IT security risks, please contact us or request to meet with me in Change Healthcare booth 4202 at HIMSS.


Steven Ramirez, MHA, CISM, CBCP, CHPCP, is a senior IT solutions consultant for Change Healthcare, focusing on IT risk and security.
