BUSINESS: Retail pharmacy software and services provider, including drug chains, supermarkets, mass merchants, independents and co-ops.
SIZE: 450 employees
BUSINESS CHALLENGE: Secure systems and provide external assurance to customers and their patients that orders are secure and well managed.
- Qualys VM
- Qualys PC
WHY THEY CHOSE QUALYS:
- Qualys automates network discovery and mapping, asset prioritization, vulnerability assessment reporting and remediation tracking.
- Comprehensive reports provide the actionable information needed to remedy software flaws.
- A highly-accurate, extensive database of security checks that is constantly updated.
- Define policies that describe and help to enforce an organization’s security posture.
- Provide proof that the policies are maintained.
- Ability to document evidence that PDX is able to identify and fix any policy compliance lapses.
PDX Writes a New Prescription
This national provider of software that streamlines the delivery of medications and patient care needed a more efficient way to manage its risk and compliance efforts, and demonstrate those efforts to customers.
The entire healthcare industry is digitizing nearly every aspect of its workflow: the delivery of care, how patients access and fill their prescriptions, and anything else that it can digitize. For instance, chances are that if you’ve had a prescription filled in the United States, it was filled using software from PDX Inc. And while you’ve probably never heard the name PDX, the company, established in 1985, has continuously innovated in pharmacy and patient care software and related services.
Today, 60 pharmacy chains—including drug stores, supermarkets and mass merchants—and more than 350 independent pharmacies representing 10,000 pharmacy locations use PDX software to fill, bill and track their prescriptions.
Of course, the security of that medical information is crucial. Everyone along the information chain—from the doctor to the pharmacist to the patient—and every vendor in between needs to know the data is reasonably secured. Many of those companies also must remain compliant with any number of regulations, including the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and Sarbanes-Oxley for publicly traded companies. This is causing more organizations to request assurance that those they do business with are also compliant.
Customers Want Security and Compliance Assurance
“More of our customers are asking us, all of their vendors really, about the status of IT security and risk management programs,” says John Woods, director of information security at PDX, Inc. Thus, in addition to keeping its systems secure, Woods and the PDX IT and security team must be able to validate a high level of security for its customers and others.
Previously, to secure its systems, the IT infrastructure team had been performing vulnerability assessments using open source assessment tools. But as the PDX business grew, and the industry matured when it came to IT security, the team needed a way to secure its systems and provide the external assurance their customers wanted—that patient and order data were secured and well managed.
Woods began looking for a vulnerability assessment tool that would help PDX to more effectively validate the security policies and procedures it has in place, identify vulnerabilities, and communicate their risk posture to clients. After evaluating many of the leading vulnerability assessment offerings on the market, it came down to two potential providers. “Qualys was the leader when it came down to the final two,” says Woods. What put Qualys in front, in addition to its cost-effective, accurate, and easy-to-use vulnerability assessments, was its ability to provide a widely accepted third-party audit of the security posture and status of its systems.
At the time of the search, one of PDX’s customers provided a number of questionnaires to Woods that related to security and compliance. The customer sought additional external assurance that a number of its systems were hardened. It had been using several configuration management tools to help secure those systems and maintain their adherence to security policy. “But they and others needed third-party validation of our program,” says Woods.
The best and most affordable way to provide that third-party validation, PDX decided, would be security and compliance applications from the Qualys Cloud Suite.
Comprehensive, Accurate Third-Party Validation
For vulnerability management, PDX selected Qualys Vulnerability Management (VM). Qualys VM automates the life cycle of network auditing and vulnerability management across the enterprise, including network discovery and mapping, asset prioritization, vulnerability assessment reporting and remediation tracking according to business risk. Driven by the Qualys Cloud Platform and the most comprehensive vulnerability KnowledgeBase in the industry, Qualys VM protects systems against the latest security threats without substantial cost, resource and deployment burdens.
By continuously and proactively monitoring network access points, Qualys VM helps Woods and his team to dramatically reduce the time it takes to research, scan and fix network exposures, and eliminates network vulnerabilities before they can be exploited.
For its security policy management efforts, PDX selected Qualys Policy Compliance (PC). Qualys PC enables organizations to reduce the risk of both internal and external threats, while validating compliance levels as required by internal policy, auditors, customers and partners. Qualys PC provides an efficient and automated workflow that streamlines the creation of security and regulatory compliance policies, validates that those policies are being maintained, and provides clear, comprehensive documentation to support a strong compliance posture. “And that’s exactly what our customers really wanted. They wanted someone other than us to check our borders. They didn’t want the fox guarding the hen house,” says Woods.
Rapid Time to Results
The implementation went smoothly. The ability to perform external vulnerability assessments with Qualys VM was possible within days. And deploying Qualys PC went just as smoothly. However, because of the nature of PDX’s production systems, Woods was cautious as he implemented the compliance and security policy assessments, which included checking a host of settings, including system configurations, passwords, running services and the level of server hardening in place. Initially, Woods piloted PDX’s Policy Compliance scans within their application and system development environment. After that went smoothly, PDX tested its Quality Assurance environment. After a couple of additional trial assessments, Woods was convinced that Qualys worked and moved on to assess the production environment. “Those initial and subsequent assessments went very smoothly,” says Woods.
Today, Woods and his team rely on both Qualys VM and PC to ensure that their systems are being managed and maintained according to policy. “Qualys is performing very well. Qualys has identified vulnerabilities and has helped us to quickly remedy those,” says Woods. “Qualys has validated the strong state of the security of our environment. We didn’t find any surprising rogue servers or anything out of line. Now we can tell our customers that not only do we say we are safe and secure, but Qualys says that we are safe and secure.”
Now, the internal Qualys solution nearly runs on its own. “Today, the process is almost cookie cutter. Qualys Policy Compliance validates that we have the controls set the way they need to be. We can see if everything is being managed as it should, or if something was changed out of the scope of policy that we would want to see right away,” he says.
In addition to helping to maintain a strong security and regulatory posture, Qualys also provides swift, trusted third-party validation of PDX’s strong security and compliance posture to customers and prospects. “I was just preparing for a meeting with a customer and I called one of my staff to request one of the latest policy compliance reports. I had it in minutes. It shows the diligence we take when it comes to maintaining our infrastructure and protecting our customers’ information,” Woods says.