BUSINESS: Founded 125 years ago, Children's Mercy Kansas City aims to transform the health and well-being of children and empower them to realize their potential
SIZE: 8,200 employees
BUSINESS CHALLENGE: As a healthcare provider, Children's Mercy must comply with the stringent information security requirements of regulations such as HIPAA. The company wanted clearer visibility of cyber threats across its 40,000 IT assets, but reliance on scheduled monthly scanning lengthened response times and made it difficult to remediate critical vulnerabilities quickly
SOLUTION: Qualys VMDR® with integrated apps for asset identification and management, vulnerability management, threat detection and prioritization and response; Qualys Global AssetView, Qualys Web Application Scanning.
As one of the leading pediatric care centers in the USA, children travel from 46 states and 17 countries to Children's Mercy Kansas City. The organization’s 8,200 employees include 786 pediatric specialists, who consult on more than 19,200 surgical cases each year.
Like many leading providers, the organization depends on a wide range of digital systems to deliver outstanding care experiences from health information systems and electronic medical records platforms to imaging modalities and back-office applications.
Ravi Monga, Director of Cybersecurity, Children's Mercy Kansas City, says, "It's crucial to keep the protected health information [PHI] of patients and their families safe. Information security is essential to ensure compliance under the Health Insurance Portability and Accountability Act [HIPAA] and protect our hard-won reputation."
Cybersecurity is a key pillar of Children's Mercy Kansas City's long-term IT strategy. The aim is to guard against breaches by hardening assets against cyber threats and remediating vulnerabilities quickly.
"Traditionally, the healthcare industry has moved at a slower pace than other sectors when it comes to information security, but our goal is to change that," continues Monga. "Our ambition is to take the lead among our healthcare peers in shrinking the attack surface and protecting our digital assets from emerging threats."
Why Children's Mercy Kansas City chose Qualys:
Children's Mercy Kansas City's IT environment is extensive, comprising 35,000 assets. The organization operates a heterogeneous infrastructure that includes Windows, Linux and MacOS operating systems to support care delivery.
"In the past, we relied heavily on scheduled remote scans to identify vulnerabilities," says Monga. "However, one challenge was that some of our clinics completely power down their systems at the end of the working day, so we'd miss them if automated scans were triggered in the early morning hours. Our scans would also conflict with our production systems, which meant we could only scan some assets once a month."
He adds, "We knew that we were missing out on valuable vulnerability management insights—and we were keen to increase the frequency of our scanning. Equally important, our previous vulnerability management approach made it difficult to make sense of the large volumes of data we were collecting. To prioritize our remediation efforts more effectively, we targeted a way to cut through the noise."
After shortlisting several information security vendors down to just three companies, Children's Mercy chose Qualys VMDR® with integrated apps for asset identification and management, vulnerability management, threat detection and prioritization and response. By rolling out Qualys Cloud Agents to key assets, the organization can now gain real-time insight into many areas of its estate.
Akshay Borla, Security Engineer - Vulnerability Management at Children's Mercy Kansas City, comments, "Qualys Cloud Agents really impressed us and were one of the main factors that led us to VMDR. The agents are extremely lightweight, use a tiny amount of CPU resources, and don't require system reboots. Today, we’ve pushed the agents out to 13,000 endpoints and servers, which deliver fine-grained vulnerability and configuration management insights every four hours helping us pinpoint zero-days and other critical threats faster."
Monga adds, "Understanding and visualizing our exposure in easy-to-digest reports makes it much easier for us to communicate about our posture to senior leadership. Thanks to the visibility we gained from Qualys, we’ve successfully made a case to boost our resources in IT and shift our information security efforts into an even higher gear."
With built-in prioritization capabilities, VMDR is empowering Children's Mercy to take fast action to address the most serious threats in a timely manner.
"The combination of real-time data and the prioritization view in VMDR has made a big impact on my day-to-day activities," comments Borla. "In the past, I would have to manually sift through pages and pages of data to figure out where the most severe vulnerabilities were—but now, I can use the Qualys Cloud Platform to see threat indicators in real time. As a result, our IT and patching teams can focus on remediating the vulnerabilities that have known exploits in the wild and shrink the attack surface faster."
By harnessing the Qualys Web Application Scanning add-on for VMDR, Children's Mercy can deliver comprehensive protection for its internal and external web applications.
Borla confirms, "We are now scanning more than 50 web apps with the Qualys solution, including authenticated and unauthenticated scans. We can now see what types of vulnerabilities exist across our application portfolio. We're also able to highlight the top 10 Open Web Application Security Project [OWASP] vulnerabilities in external-facing systems and make sure we take prompt action to protect them."
Since beginning its journey with Qualys, Children's Mercy has significantly enhanced its approach to security. The organization has grown its cybersecurity team by a factor of 10 and increased its maturity across almost all core security domains: including cloud, data protection, vulnerability and threat management.
"We've made great strides with our InfoSec program over the last 18 months, and we attribute a significant amount of that success to our work with Qualys," says Monga. "Since we started our work with VMDR and Cloud Agents, we've measured a 85% reduction in vulnerabilities across our estate, which has shrunk our risk exposure immensely."
By using data from Qualys Global AssetView—a free service to discover all IT assets across on-premises and cloud platforms—Children's Mercy is shortening its response times to urgent threats such as zero-days.
"When a news of a zero-day breaks, we don’t have to wait for a signature to be released before we can start taking action," explains Borla. "Using data from Qualys Global AssetView, we can search for the affected software or vendor across our environment and get a full inventory of everything that might be at risk. We used this approach to shut down the SolarWinds vulnerability rapidly, and remediate a recent Microsoft Exchange vulnerability within just three days."
By offering trusted data from Qualys to teams across the business, Children's Mercy builds strong relationships between the security function and other parts of the organization.
"If you can see that your actions have a positive impact, it creates a virtuous cycle that makes people more engaged and motivated," states Monga. "That's exactly what we've noticed since we've made Qualys dashboards available to our teams. Our IT, end-user computing and infrastructure teams can now see that their remediation efforts are bringing down the total number of vulnerabilities in our environment, which helps us accelerate our efforts."
Looking ahead, Children's Mercy plans to deploy Qualys Policy Compliance. This next-generation solution that empowers organizations to reduce risk and comply with internal policies and external regulations quickly and easily.
“VMDR has truly been a game-changer for Children's Mercy. Thanks to Qualys our priorities for remediation aren’t subjective any longer. We can make clear, data-driven decisions about what to target first.”
Director of Cybersecurity, Children's Mercy Kansas City
"Security is a moving target, and there is always a mountain of work for us to do," concludes Monga. "VMDR has truly been a game-changer for Children's Mercy. Thanks to the Qualys solution, our priorities for remediation aren't subjective any longer. We can make clear, data-driven decisions about what to target first. By building on our partnership with Qualys, Children's Mercy will be in an even stronger position to realize its long-term information security strategy and protect sensitive patient data."