News
In the News
Software provides network visibility
Healthcare system solves compliance concerns with new centralized control of its network.
January 01, 2006
Courtesy of www.comnews.com
Doug Torre was a network manager with network management problems. His staff lacked visibility into its network. They could not determine whether compliance requirements were being met. They did not have the proper tools for pushing updates to the network.
Torre is the director of networking and technical services at Catholic Health System (CHS), one of Buffalo’s largest healthcare providers, with 8,300 associates and 1,200 physicians, and a network of 40 locations, including four hospitals, 10 primary care centers, nine diagnostic and treatment centers, and a free-standing surgery center. With network security and Health Insurance Portability and Accountability Act (HIPAA) compliance in mind, CHS faced a number of management challenges with its constantly changing healthcare network environment.
One critical network-management issue was lack of up-to-date visibility into its networks. As a result, CHS did not know how compliant it was at any point in time, nor what it needed to do to bring out-of-compliance systems back in line, explains Torre.
“Without proper monitoring, there was no easy way to verify a machine’s configuration, the patch levels, what it accessed, what machines communicated with it, even its security policies,” he explains. “Not knowing what’s out there or what’s happening with our systems did not allow us to manage our networks or compliance.”
Another management challenge Torre faced was a lack of automation for tasks such as checking, rolling out and enforcing policies. According to Torre, CHS undergoes frequent network changes and security policy updates. Torre needed a tool to centralize network-management updates, as well as handle compliance checking.
CHS security staff members, for example, conducted manual walk-throughs of their facilities to verify computer security compliance. During the walk-throughs, they checked on HIPAA requirements such as computer security policies, local account privileges and authorization timeouts.
“The manual network-management updates were labor intensive, and assessments on compliance were slow and inefficient,” says Torre. “We were looking for a more effective way to manage HIPAA security and internal policy compliance, something that could provide CHS with an automatic network status.”
The selection process
Torre and his staff considered purchasing 2,500 host-based firewalls with configuration controls. They also looked into additional network-management and surveillance tools, such as security event management products. In addition, they considered port-level protection to examine systems and quarantine non-compliant machines.
Torre then learned about a security compliance management solution from Elemental Security that costs approximately the same as any one of those alternatives, but provides additional features with its combined security and compliance functionality. The system is a client-server software product that provides visibility into all machines connected to the network, or attempting to access it. It lets administrators control and contain users or user groups through automated security policies, and centralizes policy and host configuration management, along with network access, and discovery/inventory in one solution.
“The software captures and measures data creating a baseline view,” Torre offers. “From there, we can monitor and improve our compliance. The system lets us gauge performance against corporate policies. It handles our network surveillance and logs the activity in a real-world view.”
CHS purchased 2,500 Elemental client and 150 server agents, along with one central server. The system installed in its primary data center in about an hour, and CHS immediately began deploying agents to its various locations. CHS’ preferred server platform is Windows, but Solaris, AIX and Linux servers also provide an important role. Its desktop platforms of choice are Windows XP and Windows 2000.
“The centralized control and view into our dynamic network, with its extensive computer policies, are valuable in tracking and improving our security and compliance posture,” says Aaron Shackelford, CHS network engineer. “Elemental takes our network security policies and helps implement them throughout the system to automate discovery and control. Network management and security are implemented and maintained without operator intervention.”
The solution’s unified view of what is currently happening with CHS computers helps staff address the HIPAA requirement to record and examine activity in systems that contain or use electronic-protected health information (PHI), according to Torre.
“Some organizations are willing to accept an annual or quarterly point-in-time vulnerability analysis, but what Elemental provides is orders of magnitude better,” he says. “It gives us new levels of information, and delivers a new perspective to managing our network and security–not with a quarterly snapshot, but with a current daily view. This is important because we need to know patch levels on a machine, as well as memory, usage scenarios, who the host communicates with and the policies deployed to it.”
The software’s packet filter, part of the system agent, also provides granular access controls based on a machine’s current compliance status. This control helps CHS efforts to comply with the HIPAA guideline to secure electronic PHI and grant access only to those users or software programs that have been granted access rights, says Shackelford.
According to Shackelford, one of the key systems-management features is the automatic dynamic grouping–if one computer or group fails to meet security policy settings, it can be automatically partitioned to protect sensitive systems and data. If a computer’s policy is altered, the software can correct the configuration or apply policies without intervention. If security vulnerabilities are detected, CHS can quickly find out which computers are at risk, and determine what to do to fix them.
“If security on a computer degrades, such as if its antivirus software stops running, it is no longer allowed to communicate with our database server,” Shackelford explains. “New computers coming on the network can either be automatically segregated, or added to the network, based on the configuration of the system.”
Torre explains that CHS used to make private networks to support various requirements, but now can create groups logically within the CHS network. “These private networks add a lot of complexity to our network,” he says. “They are rigid and create isolated islands that are hard to manage.”
Like many organizations, CHS was interested in building multiple layers of security on its network. In today’s dynamic, partner-rich environment, it needed to manage the network differently, not with a wall around it.
“Managing security at multiple levels makes sense,” says Torre. “I liken it to a castle, protected by a moat and secured by a draw bridge. For those allowed in the castle, you still need locks on the doors to secure some domains, or locks on a treasure chest to protect valuables from those able to enter the room.”
Elemental complements its network perimeter security by adding security around every host. “Managing and defending the CHS network perimeters was an exercise in futility and decreasing returns,” Torre explains. “Now we can manage security policies where our information resides, as well, right down to the individual host or virtual host grouping.”
CHS is also better prepared to manage security audits, and can now report how the network and hosts are operating at any moment. The technology demonstrates compliance against CHS’ policy baselines, and creates a warehouse of detailed information so CHS can look back at compliance levels over days, weeks or months.
“As far as ROI, in addition to time saved, improved audit results, and better management of systems, security and the network, Elemental gave us cost avoidance because we didn’t need to purchase or manage other products and services,” Torre explains. “It delivers multiple features in one product, where we would typically need various products to try to accomplish the same results.”