CASE STUDY: HEALTHCARE
PRODUCTS: Idera SQL compliance manager
“The best part of the story is that our auditors visit quarterly and have been very pleased with the level of tracking that we are doing and the reports that we are providing, thanks to SQL compliance manager.”
Brian J. Smith Enterprise Data Architect Hanger Orthopedic Group, Inc.
Founded in 1861, Hanger Orthopedic Group is the largest provider of orthotic and prosthetic patient care services and products in the US. In addition to corporate offices in Maryland, Hanger owns and operates over 600 patient care centers and several distribution centers nationwide.
As an active user of Microsoft’s platform, Hanger relies heavily on SQL Server. It serves as the backbone for mission-critical applications, including the Electronic Data Interchange (EDI) system used to transmit patient and insurance information in a HIPAA-compliant manner, and Hanger’s proprietary orthotic and prosthetic billing application.
Because of Sarbanes-Oxley, Hanger has very strict control processes and policies regarding changes made on SQL Servers. It must demonstrate to investors and auditors that it is taking measures to keep data valid and safe, and that all changes to the data are monitored. To help ensure that key SQL Server databases comply with federal regulations and to meet the necessary reporting requirements, Hanger relies on SQL compliance manager from Idera.
Hanger has over 600 database servers nationwide and has identified eight “SOX-critical” SQL Servers. For these servers, Hanger must provide auditors with proof that the integrity of the data has been maintained at all times. This means tracking all changes made and tracking all users that have accessed the data.
Before Hanger implemented SQL compliance manager, they were using a “homegrown” application that was time-consuming to maintain and required a lot of overhead. More importantly, it did not produce the reports that the auditors required.
Hanger now uses SQL compliance manager to track and report on every access and change to their SQL Server databases. “SQL compliance manager is a more cost-effective solution, offers more functionality, and requires a lot less work on our part. Furthermore, it is a neutral third-party application that auditors seem to prefer,” said Brian Smith, Hanger’s Enterprise Data Architect.
“Incredibly, we’ve found that SQL compliance manager requires less than 5% CPU utilization and utilizes a barely noticeable amount of disk space. It is very low impact even on our high-transaction servers that process over half a million to a million transactions a day. Because overhead was a major consideration for us, we spent two weeks testing SQL compliance manager and discovered then that the product had very little impact on our servers.”
“We found SQL compliance manager very easy to implement and deploy. At first, however, it tracked much more than needed! We only needed to track what administrators were doing, so we simply configured the product to meet our specific needs. During this time, we contacted Idera’s technical support team several times. We found them to be very helpful, patient and knowledgeable.”
“Now we have the product set up to catch the actual text of any statements that are executed. This allows us to embed our [helpdesk] ticket numbers in the ‘comment’ section and to ensure that all activities match up. It meets our needs perfectly, but we know that we are using only a portion of SQL compliance manager’s full capabilities. It’s good to know that we could do a lot more with SQL compliance manager if we ever need to.”
“The best part of the story is that our auditors visit quarterly and have been very pleased with the level of tracking that we are doing and the reports that we are providing, thanks to SQL compliance manager.”
“In a nutshell, SQL compliance manager has been a wonderful addition to our IT infrastructure and has really made our jobs so much easier. With SQL compliance manager doing all of the reporting for us, we can focus on more proactive tasks.”
HOW HANGER USES SQL COMPLIANCE MANAGER TO HELP ENSURE COMPLIANCE WITH SARBANES-OXLEY
1. Whenever a change must be made within SQL Server, it must be mapped to a User ID and a Help Desk Ticket.
2. These numbers are embedded inside SQL Server in the “comment” section when the change is made.
3. Weekly, Hanger uses SQL compliance manager to generate a “Changes by User ID” report. This report ships pre-defined with the product and is accessible via the SQL compliance manager Web interface, so the security manager never has to launch the product itself.
4. The security manager then compares the SQL compliance manager report with the Help Desk Tickets, ensuring that every change made to SQL Server can be traced to an actual Help Desk Ticket number. Hanger’s security manager, Keith Nelson, is responsible for reviewing and physically signing off on the reports as they are run weekly.
5. These reports are saved for the quarterly visit from the auditors.
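The weekly reconciliation in steps 1 to 4 can be replayed in code. The example below is an added illustration, not Hanger’s procedure or any Idera tooling: it assumes the captured statement text is available as (login, statement) pairs, that ticket numbers look like HD-1042 and appear inside a SQL comment, and that the help desk records which login each ticket was assigned to. Both the audit records and the ticket table are constructed sample data.

```python
import re
from collections import defaultdict

# Ticket reference inside a SQL comment, e.g. "/* ticket: HD-1042 */" or a
# trailing "-- HD-1050". The HD-nnnn ticket format is an assumption.
TICKET_RE = re.compile(r"(?:/\*|--)[^\n]*?\b([A-Z]{2,5}-\d{3,6})\b", re.IGNORECASE)

# Constructed audit records: (login, captured statement text).
SAMPLE_EVENTS = [
    ("HANGER\\alice", "/* ticket: HD-1042 */ ALTER TABLE dbo.Claims ADD ReviewedBy nvarchar(64);"),
    ("HANGER\\bob",   "UPDATE dbo.Rates SET Amount = Amount * 1.02 WHERE Region = 'NE'; -- HD-1050"),
    ("HANGER\\bob",   "DELETE FROM dbo.StagingClaims WHERE LoadDate < '2009-01-01';"),
    ("HANGER\\carol", "/* HD-9999 */ GRANT ALTER ON SCHEMA::dbo TO app_deploy;"),
]

# Constructed help desk extract: ticket number -> login the ticket was assigned to.
APPROVED_TICKETS = {"HD-1042": "HANGER\\alice", "HD-1050": "HANGER\\bob"}


def extract_ticket(statement):
    """Return the ticket number embedded in the statement's comment, or None."""
    m = TICKET_RE.search(statement)
    return m.group(1).upper() if m else None


def reconcile(events, approved):
    """Weekly check: every audited change must cite a real ticket assigned to the
    login that ran it. Returns (tickets per login, list of findings)."""
    per_user = defaultdict(list)
    findings = []
    for login, stmt in events:
        ticket = extract_ticket(stmt)
        per_user[login].append(ticket)
        if ticket is None:
            findings.append((login, stmt, "no ticket reference in statement"))
        elif ticket not in approved:
            findings.append((login, stmt, f"ticket {ticket} not in help desk"))
        elif approved[ticket] != login:
            findings.append((login, stmt, f"ticket {ticket} assigned to {approved[ticket]}"))
    return dict(per_user), findings


if __name__ == "__main__":
    summary, problems = reconcile(SAMPLE_EVENTS, APPROVED_TICKETS)
    for login, tickets in summary.items():
        print(f"{login}: {len(tickets)} change(s), tickets {tickets}")
    for login, stmt, reason in problems:
        print(f"REVIEW {login}: {reason}\n    {stmt}")
```

Each finding is a change the security manager would have to chase before signing off; a clean run is the evidence retained for the quarterly audit.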