David Chou

Chief Information and Digital Officer, Children's Mercy Kansas City

Supernova Award Category: 

Safety and Privacy

The Company: 

Children's Mercy continues transforming children's lives and redefining pediatric medicine. We are the only free-standing children's hospital between St. Louis and Denver and provide comprehensive care for patients from birth to 21. Children's Mercy is consistently ranked among the leading children's hospitals in the nation. We were the first hospital in Missouri or Kansas to earn the prestigious Magnet designation for excellence in patient care from the American Nurses Credentialing Center. Our mission is to improve the health and well-being of children by providing comprehensive, family-centered health care and committing to the highest level of clinical and psychosocial care, and to research, academic and service excellence.

The Problem: 

With the number of data breaches increasing over the past several years, Children's Mercy's executive management embarked on an effort to evaluate the security measures deployed by the hospital to protect patients' information. An audit of the network, combined with feedback from physicians and employees, revealed aging infrastructure and security measures that fell short of expectations and of the performance and protection levels commensurate with ever-increasing cybersecurity risks. Sluggish network speeds impacted the performance of the applications that house Electronic Medical Records (EMR), requiring extra time for physicians to look up and update medical records. Security devices deployed throughout the network lacked the modern capabilities needed to detect and prevent more complex cybersecurity attacks, and provided limited visibility into the type of information that was coming into and leaving the hospital network.

The Solution: 

To maximize the impact of the changes, the hospital partnered with PricewaterhouseCoopers (PwC) as a trusted advisor to redesign the organization's network perimeter and security architecture. A roadmap was designed to reduce the complexity of the network environment and increase the level of protection against cyber intrusions. The solution involved removing obsolete network devices, such as older routers and switches as well as older Cisco perimeter firewalls, and replacing them with next-generation firewalls (Palo Alto) and network devices capable of high network speeds and of supporting a future transition to a software-defined networking model. Along with the infrastructure changes, the Identity and Access Management program was redesigned, and an improvement plan was put in place to enhance access controls to the network and to critical applications that contain patient data and information.

The Results: 

The immediate effect of the changes, experienced by the entire organization, was an improvement in network performance, Internet connection speed, and security. The updated security technology now provides increased visibility into network traffic through a consolidated security stack consisting of intrusion detection and prevention (IDS/IPS) capabilities, mobile code (malware) protection, and a real-time inspection engine on the firewalls that provides web traffic control and inspection over both regular and encrypted channels. These security capabilities were also tied to the organization's Active Directory to establish better incident response and containment capabilities (if an incident were to occur) by including user and workstation information in security logs and activity records. To preserve the integrity of the logs, a cloud solution was implemented to establish central logging and monitoring. Final results included increased performance and reliability of the hospital's network and improvements in the security of patient data traversing the hospital's network and stored on the hospital's systems. With improved visibility, the movement of information is now more granularly controlled and monitored, resulting in increased confidence from our patients, who know that the security of their personal and health data and information is one of the top priorities of the organization.

Metrics: 

The metrics were a key component of the improvement process. The key metrics were collected before and after the changes were planned and implemented. The following key areas were closely monitored:

1. Overall network speed - the network equipment upgrades increased the throughput from 1GB to 10GB capability.

2. Internet connection speed - the speed tests confirmed an increase from 5Mb/s download speed at various hospital locations to over 600Mb/s.

The Technology: 

The key technology at the heart of this change consisted of a combination of next-generation firewalls (Palo Alto) providing leading security protection mechanisms, and cloud technology such as Splunk, Sophos, Microsoft Azure, and others utilized by the team to balance the on-premises and cloud components of the final solution.

Disruptive Factor: 

Given the current state of cybersecurity in healthcare, we are among the leaders in protecting our environment and network from external threats. We utilized best-of-breed technology brought together in a cohesive environment for visibility into security threats across the full spectrum of our network and the devices within our network. Our solution was presented at a recent HIMSS Security Forum, and there have been many inquiries regarding how the process and technology were developed to monitor, respond to, and correct incidents within our environment.

Shining Moment: 

The smooth transition during the cutover of the network perimeter to the new firewalls was the high point for the team working on the transition. After months of preparation, testing, validation, and review of various scenarios to minimize the impact on the hospital and on patient care, the implementation went flawlessly, with minimal impact, as planned. Only minor issues, which were quickly resolved, were reported post-implementation.
