Kettering Medical Center Network provides crucial services 24x7x365 and cannot afford downtime of its network systems. A study a year ago revealed that network or system unavailability costs the hospital about $1 million per day. But the real cost cannot be measured in dollars–it’s the impact on patients’ lives.
More than 300 different systems, including such apps as the radiology and lab systems and the patient-information system, run on Kettering’s IT network. Other applications are provided in an ASP model, accessible through the Internet. When Kettering’s systems are under attack from a virus or other security threat, physicians and other caregivers cannot access the necessary systems and end up spending less time with patients.
Network and Technology Manager Bob Burritt says keeping patient information secure is also a “critical item.” Kettering has started down the path of using electronic patient health records. “We need to wrap a high level of security around our systems so our patients can be confident that their personal information will not leak out to the public in any form or fashion,” says Burritt.
A regional hospital organization in Dayton, Ohio, Kettering has five hospitals in the Dayton area plus clinics throughout a 40-mile radius, 1,300 patient beds and 6,500 employees. It also has 4,800 devices on its network that are vulnerable to security attacks and expects to add another 1,000 devices in the coming year.
Before it outsourced network security to Symantec Corporation, a global infrastructure software and services provider, Kettering’s security processes and IT team were “definitely in a reactive mode,” Burritt recalls. “Various worms and viruses kept hitting us. First a PC wouldn’t work right and, while we were remediating that, the virus or worm would impact other PCs. Or sometimes it was Slammer or another type of propagating worm that slowed down our system.” Once aware of a problem, the IT team would analyze the security logs and react. But attacks were happening more and more frequently, and Burritt says they couldn’t continue on that reactive path without more resources.
Security vulnerabilities are increasing–in fact by 18 percent this year, according to Mike Broobank, Senior Director, Products Management and Managed Security Services for Symantec. They are also becoming harder to deal with, he says. Broobank attributes the increase in vulnerabilities to the rising profitability of cybercrime and the fact that attacks are now personal and not just universal viruses or worms. “Cybercrime is really pushing the security agenda,” says Broobank.
Framing the Solution
In 2004, Burritt and Kettering’s new information security officer were considering Kettering’s level of compliance with the Health Insurance Portability and Accountability Act (HIPAA), the launch of electronic medical records, and how Kettering could be more proactive in reducing risks in its security environment. HIPAA compliance was required by April of that year. “We had a good handle on our steps toward HIPAA compliance,” states Burritt, “but we needed more consistent policies and processes.”
Kettering’s outsourcing relationship with Symantec started with Symantec performing a HIPAA compliance assessment and a network vulnerability assessment. Broobank says some large enterprises that are further along in the lifecycle of their security management already know where they are vulnerable and what type of solution they need. Others need Symantec’s assistance up front in framing the solution. “Either way, an assessment of vulnerabilities and of Sarbanes-Oxley, HIPAA, or other regulatory compliance is paramount. The assessment shows a company what it actually needs before it spends money on something that won’t meet its needs,” Broobank says.
It became evident that Intrusion Detection Sensors (IDS) and different kinds of firewalls were critical items in the level of security solution that Kettering needed. But technology alone was not the solution. Burritt says Kettering would have had to hire two full-time high-level engineers to analyze the information in the incident and event logs from the IDSs and firewalls–an added cost of at least $100,000 annually.
But Broobank points out that the costs involved in providing the necessary level of services were more than two additional FTE salaries. “Monitoring on a 24x7x365 basis is a complex staffing situation,” he says. “In addition, the cost of building from scratch the repository of data on vulnerabilities would be prohibitive.”
The staffing and repository costs are not the full cost picture. Burritt says, “That does not take into account the dramatic decline in viruses on our system. That’s a hard cost as far as our resources going out to resolve those issues but also the cost of the productivity downtime of the end user.”
Kettering opted for Symantec’s Managed Security Services solution. The provider monitors and analyzes the incident and event logs, correlates global real-time security trend data with the client’s devices and data, and manages the devices (providing the latest patches and changing firewall rules as necessary to protect against threats).
Analysts and engineers at Symantec’s four Security Operation Centers around the world monitor the data that the technology brings in from more than one billion logs per day. They analyze and prioritize events and incidents and, for security threats, “get our clients out of bed if need be,” says Broobank.
One of the advantages of an outsourced solution is that the cost of monitoring is spread among all clients, making it more cost effective for each. Another advantage is that clients reap the benefit of what Symantec sees happening to its other clients’ environments.
Even so, the service is customized: Symantec has dedicated analysts who are assigned to know a specific client’s environment and requirements and who specialize in reporting to that client.
Burritt comments that “99 percent of the information in the logs is incidents or events that are legit. It’s only about one percent that we have to worry about. Symantec’s analysts only send us the information on the situations we need to remediate. Plus they are analyzing information all over the world for all their clients and monitoring trends. If they see something important, they notify us. When they do, we know that’s information that has been finely tuned.”
Kettering also has the option to log onto the Symantec site and access different reports about information in their firewall and IDS sensors. “It’s more information than we need, but it’s good to have access to it,” says Burritt.
Symantec is vendor neutral on the devices and firewalls it supports. However, it will provide its own intrusion detection devices and firewalls for clients, such as Kettering, that do not already have such technology in place. That was an advantage in Kettering’s case, as bundling the equipment with the service resulted in a lower price.
Moving Forward with Improvements
The initial vulnerability assessments of both Symantec and Kettering resulted in process improvements. For example, they created a separation database for protection when employees terminate. A project currently in progress is developing a system that administers the level of access each user has to each system. A third process improvement is investigative reporting, available to managers and top executives. “It can, for example, investigate what a particular PC is accessing on the Internet,” Burritt explains.
As the solution was implemented, the network traffic of Kettering’s staff had to be filtered through detection sensors and firewalls. “The system can even see a virus I might pick up on my laptop at home if I plug it back in to our network,” says Burritt.
A separate firewall was installed for physician offices in Kettering facilities. “Through our LAN, they can access the Internet faster than through DSL,” explains Burritt. The firewall also allows them access to certain patient data on certain systems.
They later installed another firewall and sensors at Kettering’s medical college campus so students can access the Internet but can’t get into Kettering’s business network and patient records.
Kettering is now working with Symantec on a network access control project. They selected Symantec from among three providers bidding for this work. During the first year, they are monitoring who accesses the network and are putting access control policies in place. The project also involves installing a filter and block on wireless traffic from patients and their families, preventing them from accessing any systems beyond a Symantec firewall.
Burritt comments that Symantec’s expertise in security is not the only reason Kettering is satisfied with the services. “They know our issues and our environment. They are proactive in asking us how they can improve their information for us. They implement solutions so it doesn’t disrupt our main applications; and I like the way they work with my IT staff. I deal with all kinds of technology vendors and service providers,” says Burritt. “Symantec is by far one of the best, if not the best. I rate them 10 out of 10.”
Kettering’s mission, says Burritt, is improving the health of the people in the Dayton community. He adds, “Security is a major factor of that nowadays. All it takes is one slip in security, one open link, or one weak link, and our organization will be exposed. Symantec is a big part of helping make sure we are in really good shape so that doesn’t happen.”
Lessons from Outsourcing Journal:
- When healthcare providers’ systems are under attack from a virus or other security threat, physicians, nurses, and other caregivers cannot access the necessary systems and end up spending less time with patients.
- Healthcare providers using electronic patient health records need to ensure a high level of security around their systems so patients can be confident that their personal information will not leak out to the public. The cost of high-level engineers to analyze security incident and event logs, as well as building a repository of global vulnerabilities and threats, can be prohibitive unless using an outsourcing provider’s solution.
- An up-front assessment of security vulnerabilities and of Sarbanes-Oxley, HIPAA, or other regulatory compliance is paramount before selecting a security solution. The assessment shows an organization what it actually needs before it spends money on something that won’t meet its needs.
- Buyers may realize a cost advantage by bundling the provider’s security devices with the cost of services.