UTMC Secures Vendor and Partner File Transfers of Sensitive Patient Data
Healthcare providers share and transfer sensitive patient data among a variety of vendors and partners, including other providers and health insurance companies. But many providers still use time-consuming and inefficient manual processes to manage their file transfers.
Federal regulations such as HIPAA and HITECH have increased the security and encryption requirements associated with these file transfers, making it even harder for hospitals to rely on these outmoded manual processes.
The Challenge: Eliminate Manual Processes, Strengthen Data Encryption
The University of Tennessee Medical Center in Knoxville has streamlined its file transfer processes while increasing data security using a managed file transfer (MFT) solution from Linoma Software. Previously, the center relied on manual processes to execute and manage transfers as well as to confirm that the transfers had been completed. The system used a standard Microsoft Windows install with an FTP component for incoming transfers. The outgoing process was based on the Microsoft Windows task scheduler and Visual Basic (VB) scripts. Best practices followed for these transfers included PGP and SSL, or VPN tunnels.
Because the transfers relied on scripting, it took a long time to add new FTP jobs. If there was a file transfer error, the troubleshooting process required looking through lengthy log files. Responsibility for the VB scripts fell to one full-time employee, who was dedicated to developing and monitoring the FTP scripts with only limited additional duties.
The medical center wanted to find a way to reduce reliance on this sole employee, while automating the file transfer process in a way that would eliminate the time-consuming VB scripting and comply with HIPAA requirements.
The dedicated employee’s limited skill set and failing physical health posed an operational challenge. The other members of the team did not have the skill set to take over VB scripting, and there was an ongoing concern that it would be difficult to modify or fix scripts if an issue arose while the dedicated employee was on vacation or out sick. In addition, management felt that additional team members could, and should, share in the responsibility of building and maintaining the FTP environment.
“The medical environment is changing with new regulations and mandates to be addressed,” says Scott Schwarze, manager of information services at the University of Tennessee Medical Center. “We wished for a product that would do most of the heavy lifting. Coding and encrypting files needed to be completed in some automated fashion. With a small staff but large output, the goal was something that all team members could be trained on.”
Trading Partner Compatibility
In addition, the operations personnel who staff the NOC needed to be able to monitor the transfer process on a 24/7 basis. The medical center also wanted to strengthen data encryption. “We assumed going in that we could not impact vendors,” says Schwarze. “Most of the vendors provided an SFTP or FTPS connection for file transfers.
Our modified policy also stated that data must not only go over an encrypted connection, but the files need to be encrypted as well. All of the vendors that we currently work with support the PGP encryption protocol. Even though the Health Insurance Portability and Accountability Act (HIPAA) does not require the double encryption method, we felt, in this technology environment, it would be prudent.”
Automation and Security in One Solution
To improve and strengthen its file transfers, the medical center selected the Linoma GoAnywhere suite of managed file transfer (MFT) solutions. The center selected GoAnywhere Director and GoAnywhere Services to fulfill its encryption, scheduling, and monitoring needs. According to Schwarze, the solution integrated with its existing Microsoft infrastructure.
The GoAnywhere Director MFT solution automates and secures data exchanges among various trading partners. It can connect to most systems using standard file transfer protocols, and can encrypt and compress files using OpenPGP encryption and other standards. The solution automates FTP processes, and provides connection retries and auto-resume functionality to ensure delivery. It encrypts, signs, and decrypts files via PGP, can connect to most popular database servers, and can generate detailed audit trails, which are critical for HIPAA compliance. The solution also allows the center to run recurring transfers via the built-in scheduler and can even monitor a folder so that when a file is dropped in it, the file is processed automatically.
GoAnywhere Services is a secure FTP server (and optional web server) that allows companies and their trading partners to exchange files in a secure environment. The on-premises solution includes an enterprise SFTP server, FTPS server, and FTP server with management controls and an audit log reporting function. A secure HTTPS server can also be enabled in the solution for ad-hoc file transfers and sending secure mail. Using this solution, the medical center is able to maintain local control over trading partner and vendor accounts, permissions, and data files.
“The ability of GoAnywhere to incorporate connections to our SQL Server and other data sources was important in our solution selection,” says Schwarze. “This connectivity allows us to eliminate steps in the process by being able to pull or push data directly to a database.”
The biggest integration hurdle the medical center faced was going through the VB scripts to identify schedules, PGP keys, and the correct locations from which to pull data. “After a quick installation and a few hours of training we were up to speed,” Schwarze says. “It only took two to three weeks from installation of the product to the first five FTP projects going into production.” During the evaluation of the existing FTP process, staff discovered that some steps could be removed from the procedure. The medical center was able to eliminate custom processes, and all of that work is now handled within GoAnywhere.
“By eliminating cutoff times for output from SQL jobs, labor hours for SQL developers were cut in half,” Schwarze says. “FTP administration is now more evenly distributed to handle individual vendor needs. The team is able to extract the data, write it out to a vendor’s specifications, and PGP encrypt and SFTP the files out with a complete audit log for compliance.”
With a robust, secure MFT solution, the medical center can provide a file transfer service to the enterprise that is more stable and reliable, and completes transfers in less time. The Server Team is able to produce a complete FTP package with vendor testing and monitoring in less than a day.
After having the GoAnywhere suite in place for just 14 months, the center is able to run an average of 2,800 jobs per month. Additionally, the medical center is implementing a new mandate to create a single point of entry and exit for transfers in its environment using Linoma’s GoAnywhere Director and GoAnywhere Services for file transfers.
About The University of Tennessee Medical Center
Located in Knoxville, Tennessee, The University of Tennessee Medical Center is committed to improving the quality of life of patients through leadership in health care, health education and clinical research. UT Medical Center is unique because of its standing as the only academic center in Knoxville, making it the leading resource for research, discovery and updated treatments in the community. This means that education is an ongoing endeavor for all employees—many of whom will have an opportunity to serve as teachers as well as students. The Medical Center collaborates with the University of Tennessee Graduate School of Medicine and other academic endeavors.
The hospital maintains a serious environment with devotion to technological and treatment advances that provide better care for patients and educational resources for the East Tennessee community.