Cegedim Tackles Vulnerability Management and Compliance

Building a robust model for managing information security for clients in the highly regulated healthcare industry

www.cegedim.com

INDUSTRY: Computer Services

BUSINESS: Cegedim

SCOPE: International

SIZE: 8,000

BUSINESS CHALLENGE: Cegedim needed to demonstrate the highest levels of security and regulatory compliance for its hosted services, which store personal medical data from a number of heavily regulated clients.

SOLUTION: Enterprise TruRisk Platform

Established in 1969, Cegedim is a global technology and services business with three operating divisions: CRM & Strategic Data, Healthcare Professionals, and Insurance and Services. The group provides solutions for business intelligence, CRM, customer databases and regulatory compliance. Cegedim has 8,000 employees in more than 80 countries and generated revenues of EUR 912 million (>US$ 1 billion) in 2014.

All Cegedim client data is hosted in private clouds. The enterprise’s open architecture, which extends across its three main data centers (Asia, U.S., Europe), made it necessary to put in place a well-defined process for monitoring a network perimeter that comprises more than 2,000 public IP addresses.

Vulnerability management is fundamental for Cegedim: on the one hand, to guarantee the integrity and confidentiality of data, and on the other hand, because the group must conform to the demands imposed by international financial reporting and auditing standards (including ISAE 3402 Type 2 and SSAE 16), as well as the demands relating to the company’s status as “Hébergeur de Données de Santé” [a French government-approved hosting company for health data].

For this reason, Cegedim needed to put in place a rigorous process and policy framework around IT security. The company chose to deploy the Enterprise TruRisk Platform, and has used the solution successfully since 2007. Combined with the technical expertise of the group’s security teams, the solution helps ensure both a level of security that conforms to regulatory standards and an appropriate approach to vulnerability management.

Proactive Detection of Security Risks

At the heart of the Qualys solution are automated monitoring and continuous auditing capabilities, which help Cegedim to ensure compliance, and to detect and resolve security risks proactively.

As a SaaS solution, the Qualys Vulnerability Management (VM) solution within Enterprise TruRisk Platform enables the automatic launch of scans from a user-friendly, intuitive web interface. For IP addresses that are not accessible from the public Internet, monitoring is handled via appliances deployed on Cegedim’s internal networks. Within the web interface, users can choose different views of analytical data, depending on their role and requirements.

Romain Vergniol, Head of Information Security for the Cegedim group, comments: “The Enterprise TruRisk Platform supports the work of our security teams and reinforces security in real time. Post-scan reports give us consolidated information on patching levels, and our teams analyze this information, filtering it to meet different requirements. This analysis enables us to detect and address security issues on the network perimeter. Once we have analyzed the issues and estimated the level of risk, we prioritize them for resolution based on their criticality, their extent and their likely impact.”

The Qualys reports show both new security risks, and issues that have already been identified and are being resolved.

Why Cegedim chose Qualys:

  • Rapid, low-impact deployment, covering both internal and external IPs.
  • Enables faster response to new security threats, strengthening compliance.
  • Automated reporting and analysis save time and effort.
  • Clear reporting simplifies compliance efforts in a highly regulated industry.

Taking Full Advantage of the Cloud

The Qualys philosophy is that cloud solutions are better than traditional enterprise software solutions when it comes to tackling the challenges of security and regulatory compliance for information systems. This is because cloud solutions enable deployment on a larger scale and at lower cost, as well as making it easier to automate the integration and correlation of data.

By running weekly scans, Cegedim significantly reduces the time taken by its teams to process information. This reduces the number of vulnerabilities they need to address, and means that analysis takes less than 30 minutes. The strength of the Qualys solution is also due to the optimization and monitoring of the extended geographic perimeter and the detection of configuration errors. This strategic balance offers great advantages in terms of management, cost reduction, and cost control. Finally, clear and concise reporting helps the company to communicate its compliance policy both internally and externally.

Romain Vergniol comments, “Our goal is to shrink the window of vulnerability and the impact of incidents as far as we can. We have defined security standards for the remediation of identified flaws, and our controlled framework means that fixes are made to the pre-production platform for verification before we roll them out to production. Qualys is a trusted third party for our enterprise, and we value the fact that our clients can clearly see the most important metrics in the security reports.”

Recent events have shown that many enterprises in the healthcare sector continue to be poorly protected against malware and other external digital threats. Preventative measures should begin with having a good understanding of the entire systems landscape and putting in place a security policy right from the highest level of the enterprise—just as Cegedim has done.

At Cegedim, the senior management team is fully involved, validating and supporting organizational processes that are defined jointly by the IT department and the internal security staff. The senior management team’s role is crucial, helping to define the most critical enterprise services and the level of risk deemed acceptable.

The key internal benefit of using the Enterprise TruRisk Platform—the ability to demonstrate compliance with internal and external audit standards—also gives confidence to the pharmaceutical laboratories that Cegedim serves. These laboratories are themselves subject to compliance demands, making it vital for Cegedim to be able to prove and maintain its status as an approved cloud hosting provider for personal healthcare data.