Scrutinizing, Securing, Making a Switch

Since being named CIO of MediGain in late 2015, Ian Maurer has made it his mission to bring automation, analytics, and security to new heights

Back in 2011, Ian Maurer was a veteran technical leader in the healthcare space when a friend of his acquired MediGain, a Plano, Texas-based company that helps physician offices with medical billing. “He had grand plans for expanding MediGain through various acquisitions and automating some of the manual tasks, putting together a program that could essentially standardize different operational procedures across these acquisitions,” Maurer recalls. “He asked me to come in and start with the reporting and analytics piece of the company.”

Maurer was brought in to the company to serve as its director of IT and business intelligence. Last August, he transitioned to CIO.

With the increased scrutiny paid to medical information in recent years, one of Maurer’s most important tasks is to ensure the information associated with his clients is protected. In that regard, getting a handle around what people were doing on a day-to-day basis—and what, exactly, necessitated security the most—became the main challenge.

“In my opinion, the largest threat that we face today is the insider threat, so having a user that walks off with patient health information or confidential information of some sort has been high on our list,” Maurer says. “To mitigate that, we’ve added an email archive device to the network, which allows us to monitor all incoming and outgoing email and keep a snapshot of it so we can push that through different searching algorithms and engines to identify those that are doing things they shouldn’t.”

The company also employs device management software to track the different devices assigned to different offices—laptops, mobile phones, or other equipment. This allows Maurer and his team to view who’s logged in when and where, see the websites they are going to, and make sure everything is safe.

“We also want to be diligent and protect ourselves from external hackers, so we leverage the malware detecting, IDS [intrusion detection systems], and IPS [intrusion prevention systems] solutions embedded in all of our security appliances,” Maurer says. “Monitoring logs is important as well. We have a device to help us do that, and we can see what types of potential malicious activity is going on in our network and take steps to remediate those issues.”

When he came on board, Maurer was tasked with migrating the company to Cisco Meraki networking, which doesn’t take a team of network engineers to run; a couple of key people can now manage the entire global network.

“Previously, we had a hodgepodge of all of these different types of equipment, all of these different capabilities that varied significantly from site to site, and it was my philosophy to standardize all of our devices, equipment, and capabilities across our organization globally,” he says. “I knew when I saw the Cisco Meraki product that it would be a winner for us. It’s essentially a cloud-based operation that you log into, and you can control all of your network assets from that application.”

For example, when Maurer wants to update the Wi-Fi password at all of the company’s locations globally, he could do it from a single plane of glass without giving it out to anyone, updating all devices at once. That has allowed for greater control, greater visibility, and transparency down to the granular level.

“We’ve used the Meraki software in a number of instances to track stolen devices and update the police on where they are, and in other cases we’ve had issues where staff has left with confidential information and we’ve been able to prove that by looking at their activity,” he says. “It’s a very powerful solutions. You can drill down to the switch port on an off-switch in India and see what’s plugged in, what type of sites it’s gone to, etc. It’s completely versatile.”

When Maurer started, MediGain’s business-intelligence team was also creating month-end reports for each client—one per month.

“It was a very manual process,” Maurer says. “It required extracting data from client systems and converting it to Excel format, and then they were going in and scrubbing that data, creating pivot tables and all this manual data manipulation to create a report to send out as early in the month as possible.”

Maurer knew there was a better way, especially with MediGain’s plan to acquire more companies and add additional clients. His first task became to automate the procedure.

“I went in and decided on a platform as a service solution called GoodData, and using that tool I was able to create practice management vendor specific automated extracts,” he says. “Once per day, we pull data from our client practice management systems and aggregate and normalize it all so it’s standardized from client to client.”

“Our internal users could log into the site and see all the relevant data—the dashboards we created along with the subject-matter experts—and we could look at it in an aggregated format and see all the clients rolled up, and see how we are doing as a company, and see their financial performance over time.”

The new process eliminated errors, freed up time and energy for employees to focus on other projects, and most importantly, provided “true analysis,” interpreting the data instead of just running reports all the time.

Still, Maurer contends that education remains the key to maintained security. That’s why he regularly attends regional conferences in safety and cybersecurity and passes the info to his CFO and CEO to identify experts within their area and push the knowledge base down to others.

“We want to make sure people understand what’s out there and how we can avoid some of those issues that we are seeing,” Maurer says. “We’ve had ransomware emailed to individuals and social engineering attempts at some of our staff. In one case, we had people call our accounting department asking for money to be transferred, but because of our education, our people were able to figure out what was going on—even though they had pretended to be the CEO and had an email very similar.” AHL