Protecting costs, reputation and thousands of patient records at top U.S. hospital with identity security

One of the biggest hospitals in the U.S. has changed risky practices into automated, secure processes that help it confidently embrace digital healthcare

Summary

A key U.S. hospital has deployed a portfolio of CyberArk Identity Security solutions to improve its cybersecurity capabilities. The outcome: a transformed culture that accepts effective policies to secure the organization without impacting operations – all while preventing the patients, staff and the organization from suffering expensive fines and damage to its reputation.

Company profile

This U.S. hospital is a world-class academic medical center committed to excellence in patient care, research, education and community service. It is one of the nation’s largest and most comprehensive hospitals and a leading provider of inpatient, ambulatory and preventive care in all areas of medicine. With over 2,000 beds, more than 6,500 affiliated physicians and 20,000 employees, this hospital sees more than two million patients annually, including approximately 15,000 infant deliveries and more than 310,000 emergency department visits. Its footprint comprises eight campuses.

Employees: 26,000

Challenges

With patient outcomes and digital transformation on the line, a U.S. hospital is proof that organizations can secure their key initiatives in a way that balances protection and productivity – while simultaneously building a culture that embraces identity security.

Accolades do not often come much richer than those afforded to this hospital. Founded in the late 1700s, it is one of the leading healthcare providers in the U.S. It is also one of the busiest, with 2,000 beds, 6,500 physicians and two million patients annually, including nearly 15,000 births and over 310,000 emergency department visits.

The hospital is a leading user of the EPIC (electronic healthcare records) platform which drives operations to ensure patients, staff and IT systems are rigorously protected from cyberattacks. The hospital has worked hard to develop a robust cybersecurity infrastructure, led by its Information Security Manager and a team of cybersecurity specialists.

However, it has been a challenging job. With nearly 600 applications across 3,000 servers and 20,000 workstations, the hospital needed to secure its privileged accounts. Users had direct access to servers with normal everyday accounts and passwords, some in place for 10 years or more. Additionally, there were applications that had static passwords referenced in plain text scripts.

“Application owners we were trying to protect were pushing back because they came from a world of direct interactive access and autonomy, with no oversight,” said the Information Security Manager. “It was crucial for these owners, as changing an account password could impact patient care. We had to fight those battles and get buy-in from those users, as well as leadership, to make sure change was successful without hindering operations.”

When it came to selecting a privileged access management solution, this U.S. hospital’s choice was CyberArk. The hospital’s CISO had used CyberArk at another organization and as the Information Security Manager observed, “He knew pretty much immediately that we were going to invest in CyberArk and since then, we have been happy and never felt the need to change.”

Solutions

This hospital has deployed two solutions that are part of the CyberArk Identity Security Platform: CyberArk Privileged Access Manager (PAM) Self-Hosted and CyberArk Secrets Manager.

Shortly after implementing the solutions of the platform, the hospital ran the CyberArk DNA tool, which is a scanning tool designed to automate the manual and complex process of scanning an organization’s network for privileged accounts. “It really opened our eyes to how bad our situation was,” recalled the Information Security Manager. “It helped us prioritize our projects, what needed immediate attention, what could wait and what would take time. That included service accounts and scripts written by staff no longer employed, that would have to be reverse engineered.”

Overall, CyberArk is protecting the hospital’s IT environment comprising 3,000 Windows servers, 500 Linux servers and applications such as SQL Management Studio. “CyberArk PAM Self-Hosted and the multiple automations and integrations CyberArk provides have helped us implement just-in-time access with passwords only existing for single sessions,” explained the Information Security Manager. Regarding Secrets Management, the Information Security Manager says, “Using CyberArk Secrets Manager has been a huge benefit. It has allowed us to remove hardcoded plaintext credentials from automation scripts and applications and replace them with complex credentials managed and rotated by CyberArk and accessed using APIs. Eliminating hardcoded credentials resulted in a big reduction in the attack surface.”

Furthermore, CyberArk has been integrated with several other applications including ServiceNow, Security Information Management (SIM) and Forescout network access control. ServiceNow is used to manage privileged account authorization for increased control and visibility. “The extensibility of CyberArk Secrets Manager has been a huge benefit to us,” elaborated the Information Security Manager. “The out-of-the-box integrations with third-party software have simplified how we securely integrate these applications with the rest of our portfolio, which is fantastic.”

Because the IT team did not have a lot of privileged access management experience, the hospital used CyberArk Strategic Consulting Services and CyberArk Design and Deployment Services to learn how best to protect accounts without impacting operations and roll out the CyberArk solutions.

“The partnership and consulting with CyberArk helped us put together a plan to roll out CyberArk aggressively, but without end users and application owners really noticing,” shared the Information Security Manager. “We were able to make it easy for them to use the tool without disrupting their day-to-day work. That was a huge benefit to the organization. Having a vendor that is willing to take time to help customers deploy solutions is fantastic.”

Results

“CyberArk and our identity security program have afforded this hospital the flexibility and agility to embrace digital healthcare confidently and securely.”

Information Security Manager, top U.S. hospital.

CyberArk has enabled the hospital to develop and deploy a consistent security process for users to follow. The solution manages accounts and passwords, so users no longer have to remember them or use risky practices – like writing passwords on post-it notes. “Having CyberArk in place is a huge uptick in our security posture and it has changed our culture. Now application owners are confident in CyberArk and understand that, despite our new way of working, they are protected. The peace of mind that we have gained has been the biggest value-add to the organization.”

The Information Security Manager described two types of identity that CyberArk protects:

  • Human identities: for example, when someone logs into a server for actions such as a break/fix software upgrade or maintenance.
  • System identities, such as service accounts that drive processes like a scheduled SQL database task on a server.

“We use CyberArk to protect human and machine identities with Just-in-Time (JIT) access. Passwords only exist for single sessions. We have not had to take down any systems, impact day-to-day healthcare operations or impact any other type of interactive access despite taking an aggressive approach to password rotation. We are confident it is working effectively because CyberArk has proven to be extremely reliable.”

Information Security Manager, top U.S. hospital.

Although ROI is difficult to quantify, the hospital has realized savings predominantly by cost avoidance, specifically related to HIPAA (Health Insurance Portability and Accountability Act) regulations. “The consequence of a medical records breach for an institution like ours is tremendous, not to mention the impact on our reputation,” warned the Information Security Manager. “These breaches are usually caused by privileged accounts getting compromised. The way we prevent these incidents is by investing in tools like CyberArk, and that immediately resonates with our senior leadership.”

In addition, CyberArk supports regulatory auditing. When the IT team needs to produce an audit report related to actions such as application access or application modification, everything is in one place in CyberArk. “We can produce pretty much any report that we are asked, because CyberArk has such good logging data,” added the Information Security Manager. “In fact, CyberArk enables us to give auditors more information than they asked for, which is fantastic, because it stops those follow up questions that can be time-consuming to answer.”

The Information Security Manager sees his success as that of his team and the whole organization. “My team has embraced CyberArk and become PAM experts,” observed the Information Security Manager. “It has increased their knowledge which enhances their careers. For our hospital, it has been a complete cultural change from using everyday accounts to CyberArk protecting our whole environment. That change has been my biggest personal accomplishment because we had become set in our ways. Now CyberArk is part of the everyday workflow, which is great.”

The Information Security Manager had a word of advice for anyone needing to improve their security posture. Be flexible, take time, get buy-in from senior leaders and users, and find a good partner. “CyberArk has been, and continues to be, a fantastic partner for this hospital,” concluded the Information Security Manager. “The company and its portfolio of cybersecurity solutions have helped increase our security posture exponentially. And it continues to grow as we look to expand our capabilities with CyberArk and invest in additional tools. CyberArk is here to stay, and we are very happy for that.”

Key benefits

  • Improves security posture exponentially
  • Removes hardcoded credentials from automation scripts and machine identities
  • Delivers positive change without impacting day-to-day operations
  • Shifts traditional culture to one that accepts effective security policies
  • Gains buy-in from senior leadership and users
  • Prevents expensive breach fines and damage to reputation
  • Improves auditing and compliance
