A Case Study on how Black River Memorial Hospital Improved Security Posture
HIPAA compliance is a big piece of any healthcare organization’s cybersecurity process. However, the goal of any compliance audit is to ultimately improve security posture. In healthcare, this requires measures such as monitoring vulnerabilities and tracking privileged user rights to not only document compliance but remediate threats.
“AristotleInsight has been a significant tool in helping me accomplish data mapping all the information into, within, and out of our organization. Tracking the flow of data in a healthcare organization is a challenging project, but I feel like we now have proof of control over the systems.”
Ideally, a healthcare organization will implement a single solution capable of this. At Black River Memorial Hospital, that solution is AristotleInsight®.
Proving Compliance at Black River Memorial Hospital
Celebrating their 50th year of assisting patients, Black River Memorial Hospital provides key services such as:
- Occupational Health
- Diagnostic Imaging
- Emergency and Urgent Care
- Medical/Surgical Inpatient Care
- Nutrition Services
- Pain Clinic
- Respiratory Care
- Home Medical Equipment and Supplies
In Black River Falls, Wisconsin, the task of overseeing Black River Memorial Hospital’s security posture along with ensuring compliance with frameworks, including HIPAA, belongs to Brett Spafford, Information Security Specialist. Spafford credits AristotleInsight as a large help with accomplishing her job.
“I feel that using AristotleInsight, I have more proof of control over the network and that I’m better equipped to handle HIPAA security compliance and documentation requirements.”
AristotleInsight is an Integrated Visibility platform that provides Continuous Diagnostics and Monitoring of security functions such as Configurations, Vulnerabilities, Privileged User Management, Asset Inventory, and Threat Analytics.
The system collects and reports on vast amounts of data from users, devices, applications, processes, and endpoints.
“Having one solution with so many capabilities and tools has helped so much through several risk assessments because of how many security areas the product covers,” says Spafford.
“Being able to make recommendations supported by the analytics and metrics in the system has helped our leadership teams make informed decisions about where to focus resources for our security program.”
Improving Security Posture
In addition to documenting compliance with security frameworks, it is imperative that healthcare organizations are continuously monitoring their security posture and making improvements.
“IT Departments need tools like this to automate processes, set alerts and provide an “at a glance view” of the details all the way through trends.”
One area that traditionally troubled organizations is vulnerability management. Without a continuous monitoring solution, organizations are left facing questions such as ‘who applied this patch? or ‘why was this vulnerability accepted?’.
“We utilize the vulnerability management features of AristotleInsight to set goals and track patch management progress,” explains Spafford. “We are able to report out to other departments on the metrics of vulnerability management to show how the department has improved processes.”
“We are easily able to focus our efforts on the workstations that have the highest levels of risk, or where vulnerabilities are the most widespread so we can have the biggest impact.”
Exploitable vulnerabilities and privileged user accounts are two of the most common targets for attackers of healthcare organizations. Spafford is confident in Black River Memorial Hospital’s ability to monitor both areas.
“By using information on privileged users, we have been able to tighten our security controls and improve administrative processes. Tracking active directory changes and reviewing system activity shows the clear separation of duties that are required during risk reviews.”
What differentiates AristotleInsight from other monitoring solutions is the forensic level detail of the collected data. The advanced machine learning platform UDAPE® tracks any changes made and provides the diagnostics needed to track security events.
“The drill-down capabilities have given me forensics tools to determine how a particular machine became infected. I was able to use that information to put other security defenses and alerts in place and to educate users on risks based on threats that targeted our organization,” explains Spafford.
“We are able to create the timeline of events on command and control, malicious software, and indicators of attack. These tools help identify, protect, detect, respond, and recover to show our cybersecurity maturity improvements to The Joint Commission, Baldrige Excellence, and the NIST Cybersecurity Framework.”
“IT Departments need tools like this to automate processes, set alerts, and provide an ‘at a glance’ view of the details all the way through trends.”
AristotleInsight® for the Healthcare Industry
The needs of organizations in the healthcare industry are constantly changing. It is important for a security solutions to be able to adapt along with these changes.
“One of my favorite things about AristotleInsight is how it has evolved through compliance changes in regulatory requirements and best practices and how it responds to the ever-changing threat landscape,” explains Spafford.
“Over time, my favorite features have changed because it continues to get better and better as information security becomes more complex. I appreciate the scope of the product and services that offer so many tools for tracking, reporting & alerting, and improving processes within one, affordable solution.”
Black River Memorial Hospital, and Spafford trust the Integrated Visibility platform, AristotleInsight from Sergeant Laboratories, with their cybersecurity monitoring and reporting.
“AristotleInsight has been a significant tool in helping me accomplish data mapping all the information into, within, and out of our organization. Tracking the flow of data in a healthcare organization is a challenging project, but I feel like we now have proof of control over the systems,” says Spafford.
“I don’t feel like I could work in information security without this product.”
To download a PDF version of this story, please click here.
About the Author
Cyber Security Expert, PUBLISHER, CYBER DEFENSE MAGAZINE
Gary is a globally recognized cybersecurity expert, speaker and keynote, investor, advisor and consultant. He is the inventor and founder of technologies and corporations sold and/or licensed to Hexis Cyber, WatchGuard, Intel/McAfee, IBM, Computer Associates and BlackBox Corporation. He is currently the CEO of Cyber Defense Media Group (CDMG), which is the Publisher of Cyber Defense Magazine and Cyber Defense TV, is a frequent invited guest on national and international media commenting on mobile privacy, cyber security, cybercrime and cyber terrorism, also covered in Inc, Forbes and Fortune Magazines. Miliefsky is a Founding Member of the US Department of Homeland Security (http://www.DHS.gov), the National Information Security Group (http://www.NAISG.org) and the OVAL advisory board of MITRE responsible for the CVE Program (http://CVE.mitre.org). He also assisted the National Infrastructure Advisory Council (NIAC), which operates within the U.S. Department of Homeland Security, in their development of The National Strategy to Secure Cyberspace as well as the Center for the Study of Counter-Terrorism and Cyber Crime at Norwich University. Gary is a member of ISC2.org and is a CISSP®.