Secure Records of 400,000 Patients a Year

Northbrook, IL – February 10, 2010 - Rapid IT changes in the Healthcare industry creates a security headache in networks that demand open access 24/7.

The University Hospital of Brussels (UZB) network spans 20 buildings, dozens of departments and connects to private and public entities across the country. It's tested in real time by AVDS.

Introduction
Securing a healthcare IT infrastructure consisting of 150 servers, 2.000 terminals and hundreds of applications is not an easy job. In Belgium, where healthcare records have been electronic for years and where security standards meet or exceed US HIPPA (Health Information Portability and Accountability Act) standards the job is indeed challenging. 

With this in mind, picture a hospital that treats over 400,000 patients a year, and has a medical staff constantly depending on the availability and security of patient records. Security issues in this environment can cause serious headaches. The University Hospital of Brussels, UZB, is such a hospital and was faced with this problem.

The Challenge
Like many medical organizations, UZB increasingly depends on IT. Over the last ten years electronic records have almost entirely replaced paper medical files simply because they are more accurate and efficient. But they also pose a greater security risk. 

Until recently, UZB relied on one network vulnerability assessment per year done by a contractor, according to IT systems coordinator Eric Pattyn. He is responsible for UZB's entire IT infrastructure, including servers, datacenters and employee help desk. 

"Once a year, we would test the network for vulnerabilities, from the outside and from within," explained Pattyn. "An intrusion test would be performed on a small number of IP addresses to discover if any were vulnerable. Additionally, an internal test would check TCP/IP ports, to see which were open that were supposed to be closed." 

This one-off assessment had several drawbacks. Not only was it quite costly, but it was limited in its scope. "We could only test ten to fifteen IP addresses at a time and with the test report in our hands, we could only fix the current vulnerabilities. Healthcare is a very dynamic industry, which means that our infrastructure is changing constantly. New devices and software are added on a daily basis, so a month after a test was done the results had become totally obsolete."

"Running the same test more frequently wasn't an option as it is too time-consuming and expensive. Having a member of the IT team test the network was just as costly. That would have required one full-time employee. What we really needed was a solution that would scan our network continuously."

The Solution
For Pattyn and his IT team, there was only one way to continuously improve network security. "Our search lead us to Beyond-IP straight away", said Pattyn. "There were a few open source solutions that we considered as well, but they lacked the features and benefits of a truly automated system like AVDS. AVDS was by far the best and most suitable solution. What I also really like about AVDS, is that as an appliance it is more secure than software which is much more vulnerable to hacking attempts, and it also proved much more accurate and safe than other solutions we looked at."

"The initial setup of AVDS at the university hospital was quite easy," Pattyn explains. "All we had to do was define which objects should be scanned for vulnerabilities. In our case, that meant scanning all our physical and virtual servers."

"AVDS helps us determine which operating systems, ports, services and applications are vulnerable for attacks." Testing the internal network for security vulnerabilities is very important to the hospital, not only because of the size of its network or the sensitiveness of the data stored, but also due to the organization's open nature. "Naturally, as a hospital, we have to be open 24 hours a day. While we have physical security measures, it is almost impossible to prevent people from entering the building at night. And when it's quiet we are more at risk of a hacker or intruder coming in, attempting to log into the network and stealing patient or financial records."

Another security issue to consider is the import, storage and export of patient information. Most patient records in Belgium are electronic, so when a new patient arrives their records are transferred to the hospital database for review. When a patient returns to their home, their records are then made available for use by their primary care physician. Some of UZ Brussels' electronic patient data is stored off site and is delivered to the hospital through a virtual LAN as needed. Additionally the hospital's network has to be continually open to some networks with externally controlled medical devices. AVDS scans servers on those non-trusted networks, via the virtual LAN, to ensure that they too are secure.

The Story
Since AVDS is scalable, it was deployed across the hospital network gradually. First, the most important application and data servers were covered. Then coverage was extended to other servers, including mail, print and image. Finally it will be extended to every device that is on the network, including wireless devices and phones.

"The hospital's network is expanding quite quickly so it is important to know that it is also being continuously tested and monitored," said Pattyn. "ADVS's online reports are very helpful as they tell us which servers and applications are vulnerable to attacks. We use this information to increase security awareness amongst IT staff. For example: differential and hierarchical reports make it possible for us to dynamically monitor the network. They show us trends in certain vulnerabilities, so that each issue can be understood in its own context." 

About AVDS
Beyond-IP's AVDS enables automated vulnerability control, testing and management of network security vulnerabilities. AVDS testing performs a security mapping of your network and simulates attacks originating from both inside and outside. Once mapping of all devices, ports and services is complete, AVDS generates a detailed vulnerability report specifying any security weaknesses, along with detailing the best practice solutions to those vulnerabilities.

The AVDS vulnerability library is updated on a regular basis to stay abreast with the most recent security vulnerabilities. The updates include security vulnerabilities that were discovered by the company's own research and development team, as well as those discovered elsewhere.

Contact for Beyond-IP, LLC

Ben Bradley
ben@maconraine.com
630-221-9844