Acquiring Best Practices for Ardent Health Services

Larry Schunder and his team work diligently to ensure Ardent Health Services’ data security in the wake of its many acquisitions

The healthcare industry is consolidating at a rapid pace as more hospital groups acquire individual hospitals and healthcare systems alike. As one of those groups, Ardent Health Services has to be vigilant to ensure quality of patient care and consistency throughout all of its acquisitions, particularly in regard to information security.

This has been a concern of Ardent’s chief technology officer and chief information security officer, Larry Schunder. Bringing forty-two years of information processing and security experience to the table, Schunder is working to establish Ardent as a thought leader in this arena. His goal is to turn Ardent into a powerful example of how healthcare systems can make acquisitions smoother, more secure, and more advantageous for patients.

Schunder’s position is demanding, but his more than four decades of experience have prepared him well for the role’s particular challenges. “I’m old, and I’ve done a lot,” Schunder remarks. He is bringing that expertise to bear by managing all technology concerns for Ardent’s thirty hospitals—everything from desktop computers to wired and wireless networks, data centers, wide area networks, and more. Furthermore, he’s also responsible for addressing cybersecurity concerns for the company’s hospitals and their more than twenty-five thousand employees.

Larry Schunder, Ardent Health Services Dana Thomas Photography

Most challenging, however, is Schunder’s role in addressing information security concerns for Ardent’s new acquisitions. “Usually, no one sells a perfectly good hospital,” Schunder says. When Ardent acquires new hospital systems, their data privacy, storage, and security are often in need of immediate attention. During the acquisition process, Schunder’s team goes into the system and assesses their current cybersecurity situation, then determines a measured approach to address the system’s greatest vulnerabilities.

Sometimes addressing these technology shortfalls can feel like a desperate race to stay ahead of the problem. “It’s like that dream where you’re being chased by someone,” says Schunder. “You go through your plan as fast as the budget and process will allow, but you’re always just ahead of whatever bad thing is chasing you.”

“As with so many of our customers, Ardent came to CRITICALSTART seeking a way to achieve the highest levels of security and data protection, but with limited resources and in-house expertise,” says Alan Bain, vice president of sales of Dallas-based MDR provider CRITICALSTART. “Our professional services team worked closely with them to evaluate their needs, assess their current infrastructure, and identify the right security strategies and solutions to move forward.”

One of the most vulnerable aspects of data security during an acquisition in the healthcare industry is patient data, the safety of which Ardent treats as its highest priority. While most hospitals, even struggling ones, have a reasonable amount of patient data security in place, Schunder is proud of Ardent’s robust information security infrastructure that his company and team have put in place. He dedicates a great deal of his time to determine the best way to protect patient information in all of Ardent’s hospitals and systems.

Not only does Ardent have to worry about threats to data security from the outside, Schunder and his team also work to provide Ardent with strong protections to data privacy from internal threats, such as employees. “People don’t like to hear that you have to monitor internal data access, including employee and contractor access,” says Schunder. “But we have to protect patient data, even from ourselves.” This means using role-based security permissions to limit people’s access to data, leaving staff with only the information they need to do their job.

There are also internal cybertools in place to look for people moving unusual amounts of data internally to catch employees trying to access data without permission. When it comes to patient data security, Schunder and Ardent are comprehensive.

“Larry’s depth of experience and the collaborative approach he fosters creates the most impactful solution to support Ardent’s mission,” says Thomas Lewis, CEO and cofounder of managed security services firm CyberMaxx. “CyberMaxx is honored to serve as a key strategic partner for Larry and the Ardent team.“

Unlike other hospital groups, Ardent is moving towards a standardized technology environment for all of its hospitals, which means updating security, applications, emails, and other aspects to fit one single set of standards. While other hospital systems largely allow their acquisitions to maintain the applications they already use, Ardent’s plan is to move every hospital under its umbrella to the medical-record application Epic and the Lawson accounting/payroll system. It’s focusing on the long game, but the dividends in efficiency are more than worth it for Ardent, he says.

Given the complexities of this process, Ardent takes care to make the standardization process a collaborative one, working with the existing hospital’s staff to determine what needs to change and what they should prioritize.

“Typically, the systems we acquire do not have the level of discipline and reporting that allows us to quickly identify where they’re not meeting our standards,” says Schunder. To that end, the Ardent team sits down for several weeks detailing the current environment’s processes and procedures, then reaches an agreement with those in the hospital to determine what should change.

For Ardent and Schunder, communication is key to the effective completion of these integrations and projects. “I live by a rule: If it’s not in writing, it never happened,” Schunder notes, stressing the importance of keeping a written record of agreements and decisions to avoid miscommunication and misinterpretation. “We’re all human, and we walk away with our own interpretation of events.” This strategy results in a paper trail so everyone involved can do their work based on the facts of the agreements in place.

Given the massive cybersecurity concerns that face the healthcare industry, particularly in an age where acquisitions are common, Schunder, his team and Ardent work diligently to ensure that Ardent’s acquisition process goes smoothly from an information security perspective. At the end of the day, this means formulating a strong plan and avoiding distractions: “Manage your commitments, and don’t allow the emergency of the day to distract you from your set goals,” he says.


Expertise Spotlight

CRITICALSTART is leading the way in Managed Detection and Response (MDR). Our mission is simple: protect the customer’s brand while reducing their risk. We do this for organizations of all sizes through an award-winning portfolio, from the delivery of managed security services to security-readiness assessments, professional services, and product fulfillment.

CRITICALSTART simplifies our customers’ worlds while keeping them secure and compliant. Our fully managed 24-7-365 cybersecurity operations center is operated by our team of security experts performing 99 percent of incident investigations. We slash the number of incidents being escalated to our customers, eliminating the burden on their resources and reducing staff turnover and expenses. Our capabilities include:

  • ZERO-TRUST: Unlike traditional methods, our Zero-Trust model assumes every unknown security event is a “known bad” event that must be investigated, versus assuming events are “known good” until proven bad. The result is a 99 percent reduction in alert overload.
  • 100 PERCENT TRANSPARENCY: We’ve designed our services to provide complete transparency to the customer. Customers have access to the same consoles, dashboards, and reports as our analysts.
  • MOBILE-FIRST: SOC teams need to be accessible and have the ability to investigate and resolve alerts from wherever they are. That’s why we developed the industry’s first MOBILESOC for iOS and Android devices.

For more information, go to www.criticalstart.com.