Wired and wireless access across a 12 million square foot facility and 10 ancillary sites with 4,000 wired ports.
Inconsistent Security Strategy Leaves Health Care System Vulnerable
Established in 1925 as a community hospital, Sarasota Memorial Health Care System (SMH) has grown into a full-service health system with an 806-bed regional medical center; a network of outpatient centers, long-term care and rehabilitation facilities; and more than 4,000 employees and 1,000 volunteers.
SMH has a three-tiered network infrastructure with Cisco routers and switches at the core, distribution layer and edge, and Meru Networks’ wireless access points. “We understood the importance of security—particularly the requirements of HIPAA and PCI—but because those were based primarily on application security, we lacked the full network protection we needed,” explains John Bozer, director of Information Systems at SMH. “Traditionally, our focus was ‘outward’ to protect the system from Internet threats.”
“We needed a scalable, flexible NAC solution that would have minimal impact on our users. It was also important that the solution we chose would integrate with TippingPoint and other existing technology. This was a key driver for us, and we chose Network Sentry from Bradford Networks as the best solution for our environment.” John Bozer, Director of Information Systems
Failed Network Penetration Test Reveals Hidden Security Challenges
That changed in 2008 when an SMH board member attended a conference presented by a local security expert who claimed that he had been able to circumvent network security at 28 of 30 businesses he targeted in Sarasota County—including SMH. The board member took her concerns to the health care system’s CEO, who insisted on an immediate response.
Bozer and his team hired a third party to conduct a network penetration test and learned that SMH had significant gaps in network security, including risks from unauthorized users and devices that accessed the production network and from internal devices that were connected to the unsecured guest network.
“While the results of the penetration test were disturbing, our problems grew shortly after when two viruses threatened the functionality of our entire system,” Bozer recalls. “It took five weeks to resolve those issues, highlighting our inability to ensure that devices had up-to-date antivirus software and patches in place.”
Bozer had typically competed for budget with clinical systems that directly impact patient care, so it had been challenging to justify capital investments in network security. However, in the face of these newly identified threats, Bozer was provided with budget and tasked with finding a solution that could identify and remediate out-of-date devices and effectively block or control all network access to protect the SMH network.
- Ensure comprehensive network security for the wired and wireless networks
- Automate network security to ensure that only authorized users access the network and that all endpoint devices meet compliance requirements
- Implement network access control yet ensure high availability for authorized users and devices in clinical areas
- Ensure compliance with HIPAA, JCHO and PCI mandates
Network Sentry Solution, with Network Sentry Foundation and Device Profiler.
“Network Sentry gives us a much greater level of security, with endpoint compliance, complete network visibility, and control over the users and devices on our network. Because we can easily keep the production and guest networks separate, there is no impact to systems, including SMH-owned systems, including medical devices that directly impact patient care.” John Bozer, Director of Information Systems
SMH has completed the deployment of Network Sentry at its regional medical center and expects to begin deployment at its ancillary sites in the near future. Subsequent penetration tests have shown a significant improvement in security levels, although experience has taught Bozer that it is important to remain vigilant.
- Minimized the time and effort required to identify users and devices and ensure compliance; reduced the number of network security alerts from thousands to only a few each day
- Ensured that authorized devices remain on the production network rather than attaching to the unsecured guest network; directed unauthorized users to the guest network
- Leveraged a layered approach to security with complete integration of multivendor security solutions