Catholic Health System Delivers Vulnerability Management Cure

When this nonprofit, NY-based health care system needed the right medicine for its vulnerability management program, it successfully turned to Qualys.

Since 1998, the nonprofit Buffalo, NY-based health care system, Catholic Health, has provided care to Western New Yorkers across a network of hospitals, primary care centers, imaging centers, and several other community ministries. In its mission to provide health care with a human touch, Catholic Health relies on technology to effectively deliver its services, including its strategic alliance with Siemens Medical Solutions for modern clinical and financial platforms and medical imaging systems, as well as the IT that helps to manage patients and the top-notch care that they receive.

“I would recommend Qualys for more than a couple of reasons: the accuracy of its results, its ease of use, its eliminating the need to maintain any servers or software, and the services and support Qualys provides have been unparalleled.”

Michael Arent,
IT Security Analyst, Catholic Health System

The infrastructure at Catholic Health consists of about 6,000 desktops and physical and virtual servers spread across its four hospital campuses and 30 ancillary organizations. Michael Arent, IT security analyst at Catholic Health, has the responsibility to keep all of these systems secure. And, as is the case for any other health care provider of that size, Catholic Health is challenged with working on tight resources. Arent and the rest of the IT team must work to make certain all of those systems are deployed and maintained securely, comply with a number of industry regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), and remain secure from the growing risks of medical identity fraud.

It’s challenging to keep the infrastructure secured at more than two dozen locations. Arent explains that, in years past, the IT team wasn’t always certain what devices and systems were in use, both from a personal computing perspective and because many clinical devices are attached to its network. “In addition to desktops and laptops, there’s also the concern of the security posture of all of the smartphones, tablets, and other devices entering our locations and seeking network access. We needed a way to identify and track down all of the gear we had, and understand its pedigree because some of it was very old.”

Cost effective, accurate, and thorough

Following its market evaluation, Catholic Health chose to deploy the Enterprise TruRisk Platform to identify and remedy system weaknesses and gaps in regulatory compliance. The Enterprise TruRisk Platform, delivered from a highly scalable multi-tenant cloud infrastructure, delivers a suite of information security and regulatory compliance management services. And, being designed and optimized to scan networked devices to deliver highly accurate assessments, Qualys scales well to all sized environments.

Arent appreciates that with the Enterprise TruRisk Platform there’s no software or hardware to install and maintain. In fact, because Qualys is centrally managed, all of its vulnerability data and system updates are made in real time and are available to all customers concurrently. In addition, Qualys provides the largest KnowledgeBase of vulnerability signatures in the industry and Qualys performs more than one billion IP scans a year.

“The Enterprise TruRisk Platform’s subscription model enables us to have these capabilities at a price we can afford, and provides great value in its ability to help us identify system vulnerabilities and prepare for our internal and external audits,” Arent says.

“The Enterprise TruRisk Platform was something that we were able to choose for a relatively low cost. Also, Qualys allowed us to better prepare for auditors, as well as provide them very comprehensive, yet understandable, reports,” Arent says.

Since the implementation, Arent and Catholic Health are able to much more effectively manage the software and system vulnerabilities that need to be managed in their environment. “The thing I most appreciate is that I don’t have to do anything to maintain it. Qualys handles all of the care and feeding. I use it as much as I can and as thoroughly as I can without having to be worried about the [vulnerability management] servers, the databases, or the platforms,” he says.

Qualys Vulnerability Management (VM), through its ability to tag and help categorize systems, also has helped Catholic Health to sort and classify many of its applications and systems according to risk and their business importance. Through group asset tagging, Arent is able to identify the most critical vulnerabilities and mitigate them based on the real-world risk they pose to the organization. “Initially, when doing our vulnerability assessments, we had to do analysis by location. Now, we are able to analyze and prioritize down to the device itself, and Qualys helps us to tag and categorize devices more quickly and effectively than we were able to do before,” he says.

As a result, Arent is able to see the precise security posture of each of the devices accessing the network at each location. “This helps us put together a remediation plan to mitigate some of the vulnerabilities on some machines that are already out there.

With the plan in place, and Qualys VM scans underway, Arent says Catholic Health is able to save time on its remediation and patching efforts that need to be performed by the desktop and network teams. “That [manpower] is a huge savings right there. I can identify to them what machines, what DNS names, what IP addresses need to be dealt with, and then they can go out and undertake all the patching among themselves,” he says.

More effective regulatory compliance

Qualys also helps Catholic Health to remain compliant to HIPAA. “Qualys makes it possible for us to provide in-depth reporting to our HIPAA officers,” he says. Qualys reports also can be targeted toward and shared with C-level executives, managers, and directors, so that each of these constituencies understands what they need to know about the effectiveness of their vulnerability and regulatory compliance initiatives.

“The Qualys reports are helpful to everyone,” says Arent. “Specifically with our HIPAA compliance officer, Qualys helps us to support her by giving her the information she needs to be more effective at her job,” he says.

Arent says that the Qualys deployment has been a great success so far. And the accuracy, ease-of use, and cloud service model are all reasons why he wouldn’t hesitate to recommend the Enterprise TruRisk Platform to others who need effective vulnerability management. “I would recommend Qualys for more than a couple of reasons: the accuracy of its results, its ease of use, its eliminating the need to maintain any servers or software, and the services and support have been unparalleled,” he says.