Good Security Posture
Mar 1, 2007 12:00 PM, By SANDRA KAY MILLER
Greg Romania likes to stay fit. He is an avid sportsman who enjoys hunting and fishing in the rugged river and mountain country throughout central Pennsylvania. When the weather doesn't cooperate, he hits the treadmill for several miles. Similarly, he's part of a team keeping the information network healthy and secure at Geisinger Healthcare System, Danville, Pa.
“There is definitely a huge awareness of security within the organization,” Romania says. “Strides are constantly being taken to maintain and improve security in relation to technology.”
As a senior network security analyst, Romania is part of the information security office (ISO) at one of the largest rural health care providers in the United States. Servicing 2.5 million people in 40 of Pennsylvania's central and northeastern counties, Geisinger is a not-for-profit organization with more than 12,000 employees, 200,000 health plan members and $1.5 billion dollars in assets.
That's a long way from the hospital's humble beginnings in 1915 when an 85-year-old woman, Abigail Geisinger, the daughter of a local wagon-maker, decided to build a hospital to serve the rural area's needs. Today, Geisinger's network includes four inpatient facilities with nearly 900 licensed beds, providing primary and specialty medical services as well as a clinical research division with 389 active research trials under way.
This year marked the fifth year Geisinger has been listed in the top 100 of Verispan's Integrated Health Networks, a ranking based upon the integration of operations, clinical quality, financial performance and efficiency of services among nearly 600 different health care networks throughout the country. One of the highlights of Geisinger's achievement is its use of technology to develop electronic health records over the last 10 years.
As a large entity governed by multiple regulatory compliance statutes, Geisinger's ISO is separate from the IT department. “We're not a part of IT, but we oversee and work with the IT folks in an effort to get the organization to a good security posture,” Romania explains.
The ISO covers many bases, such as the review of various technologies and solutions deployed at Geisinger and the development of policies that those solutions must follow. Other aspects for which the ISO is responsible are risk assessments associated with both applications and technologies and a comprehensive security awareness program for all users. “In general, we examine any kind of technology that comes in the door — there is a mix of all types of solutions,” Romania says.
While the logical side of security is the primary function of the ISO, Romania is also engaged with the physical security aspects, especially those surrounding the data center. “Our policies set requirements for physical security in which we need to be involved, such as the proximity badges and processes for acquiring access into certain areas,” Romania says. “We also deal with surveillance equipment such as video cameras.”
Prior to coming on board at Geisinger last year, Romania worked for several years as a senior security analyst at ICSA Labs (a division of CyberTrust Corp.) in Mechanicsburg, Pa., where he helped develop the criteria for the certification of security products including firewalls and SSL VPNs. Romania feels that experience combined with “ripping apart different technologies” has provided a solid foundation for his current work reviewing policies and seeing where they need to change in order to provide the best possible security posture.
One of his current projects is creating a solid encryption policy. “There is a heavier requirement for encrypting data while it goes in and out and while it is in storage,” he says. “They [Geisinger] wanted something they could point to that would be the law of the land.”
Solid policies are critical for the ISO. “Our policies are all driven by compliance — HIPAA, Pa. Act 94 (breach of personal information), financial policies, etc. We are heavily involved with regulations and writing policies to comply with them and then making sure we follow them such as with solution reviews,” Romania says. When a new application or technology is requested, it must go through a review process in which the requester fills out a questionnaire. From there, prior to deployment, the ISO, IT and other internal groups determine whether or not the request complies with Geisinger's needs and policies.
ISO and IT are lateral departments that work closely together to secure and maintain network solutions — both wired and wireless. “We are always bouncing ideas back and forth and working through problems such as application security, reviewing firewall logs, etc.,” Romania says.
Both teams recently took on the challenge of mobile device encryption. The issue of data going in and out of Geisinger on various mobile devices — PDAs, laptops and USB devices — needed to be addressed to better adhere to compliance regulations. The initial direction was to look at individual solutions specific to each device; however, both teams realized what would work best would be a single solution covering all devices. Together, ISO and IT evaluated the final choice to make certain it would fit into the environment, provide both security and compliance and be easy to use.
Romania says that there is no such thing as a typical day in his job. “I am not sure how to describe it other than it is a lot of everything.” After working in a laboratory and research environment, Romania is in awe of the spectrum of users at Geisinger. “The scope of the health care industry is enormous. You have got to take into account the medical service side, clinical side, patients wanting access to their information as well as protecting the privacy of their information as required by regulation, then there are vendors, businesses partners — it is a mix of everything. I enjoy it. It keeps me busy and on my toes — never a dull moment.”
Romania lives with his wife and three children in Millersburg, Pa., where he describes his life as “the usual with kids running here and there.” He enjoys photography and outdoor activities, especially gardening and growing fruit trees. “Some day I'd still like to have a vineyard,” Romania muses. His attention to detail and vigilance would carry over well from his career in information security.
© 2012 Penton Media Inc.