Security
Gateway Secures
Web 2.0 Initiative
Concerned about malware and other security issues, Health First settled on a solution that allows
IT to set granular, flexible Internet usage policies for devices, as well as specific users and groups.
L
eaders at Health First, a Florida-based not-for-
profit healthcare organization, thought that
Web 2.0 had the potential to offer new ways
to communicate with patients, employees and
potential new patients. Protecting sensitive patient data
and the integrity of the organization, however, was a
paramount consideration and staff worried that opening
access without the right security, policies and planning
could be disastrous - because Web 2.0 sites are a top
target of cybercriminals and a major source of data loss
if not managed properly.
"In order to let our employees visit these
(social networking) sites, we needed a
Web security gateway solution that sits inline
in the network stream and is able to look at
the specific content on the page in real time."
Just a few years ago, IT managers at healthcare or-
ganizations could simply use Web security and filtering
solutions to set strict policies blocking employees from
nearly all outside Internet access. The risks posed by
the Web - such as an employee accidentally introducing
malware or a virus onto the corporate network or viewing
inappropriate information - were greater than the ben-
efits of allowing Internet access. Today, however, with the
introduction of Web 2.0 technologies like cloud-based
services, social networking sites, and new collaboration
and communication tools, the closed environment can
be unrealistic and can hinder business process.
"Web 2.0 can help our organization stay ahead ofthe
technology curve, but jumping in without a plan in place
was not an option," says Christi Rushnell, Health First
vice president, information technology and strategic
services. "Protecting patient and personally identifiable
information - both because it's our corporate responsibil-
20 October 2009 HEALTH MANAGEMEnT TECHNOLOGY
ity and also to meet compliance regulation standards like
HIPAA and the HITECH Act - is our first priority, and
so having the right security in place was our number one
concern before opening access to Web 2.0."
Health First IT and security management teams were
approached by different groups throughout the organiza-
tion about enabling access to tools like social networking
sites to extend their communication on a real-time basis
as a cost-effective marketing tool. Additionally, Health
First was running out of room in its data center and
so staff began to move systems traditionally managed
onsite to the cloud, such as transcription services and
enterprise-wide patient scheduling.
The Health First network includes three hospitals, the
county's only trauma center,fitnesscenters and an aging
institute, among other services. With more than 6,000
Internet-connected devices throughout the organization
and thousands of employees with different roles, one of
the most critical challenges to opening access to Web 2.0
was to find a security solution that would allow IT to set
granular, flexible Internet usage policies for devices, as
well as specific users and groups within the organization.
Health First wanted to set policies that could, based on
an employee's role, control how much access that person
had to Web 2.0 sites, how much time they could spend
on those sites, what level of access they could have to
sensitive corporate information and even what they could
do with that information.
Flexibility for Different Needs
"We needed aflexiblesolution that would provide our
marketing team, for example, with access to YouTube to
create and promote videos on new services we provide
and to access our Facebook fan page, or allow our nurses
and doctors to access the cloud-based patient care ap-
plications we use," says Rushnell. "But we also needed
theflexibilityto ensure that a machine in an openly ac-
cessible area was secured from allowing people to go to
places on the Web that would violate policies or put the
organization at risk."
www.healthmgttech.com
 Another problem Health First faced was that Web 2.0
sites present an emerging vector for malware and other
data-stealing attacks. Cybercriminals are increasingly
infecting sites that enable user-generated content such
as blogs and Twitter, with malicious content. Recent
research also shows that 57 percent of data-stealing at-
tacks are coming over the Web. Health First found that
traditional security solutions were not up to the task of
protecting against Web 2.0 attacks and inappropriate
content.
Automate Hospital's Network Security
By Jim Alves
Not having a centralized dashboard or m a n a g e m e n t
console f o r m o n i t o r i n g t h e network a n d installing
u p d a t e s c a n p u t a strain o n t h e IT a n d security
t e a m s , f o r c i n g t h e m t o spend a majority of their
t i m e a n d b u d g e t o n m a i n t e n a n c e . T h e n u m b e r of
machines distributed t h r o u g h o u t t h e organization
c o m p o u n d s this issue, as t h e IT staff must travel t o
e a c h location t o fix problems a n d m a n u a l l y install
upgrades a n d updates.
A single IT m a n a g e m e n t system t h a t provides a
holistic, real-time view of t h e entire network c a n
help t h e IT t e a m be m o r e proactive a b o u t security.
By i m p l e m e n t i n g a comprehensive a n d integrated
IT automation platform that is both flexible and
scalable, organizations can provide their IT teams
with a comprehensive look at the whole system,
reducing human error and security breaches, and
decreasing the amount of time spent addressing
daily IT tasks. Through a single. Web-based console,
one IT professional can efficiently manage hundreds
of systems and have full insight into the health of
the infrastructure, saving time, travel, money and
resources.
Unlike conventional file-based products, IT
automation software creates an image of the
entire system state, including operating system,
business applications, user settings, drivers and
data. This makes rebuilding workstations easier,
while also enabling more-effective monitoring and
implementation of updates simultaneously across
the network. IT automaton also makes security
more effective by centrally managing the three most
important elements of
Jim Alves is executive vice ° complete security
president, product marketing Program: endpoint
and strategy, for Kaseya, security, patch and
San Francisco. upgrade management,
For more information on and backup and
Kaseya solutions, disaster recovery.
www.rsleads.com/910-200 Endpoint security
www.healthmgttech.com HEALTH MAnAGEMENT TECHNOLOGY
"Web 2.0 has quickly diminished the effectiveness of
traditional security solutions like signature-based antivi-
rus and traditional URL filtering, because it's dynamic
and constantly changing," says Frank Waszmer, Heath
First information security architect. "Reputation-based
security is also not enough, as Web 2.0 sites generally
have a "good" reputation.
"Places like news sites, Google and social networking
sites have great reputations but, today, it's often these
legitimate sites that are targeted. In order to let our
enables IT staff to identify and mitigate risks. This
includes antivirus, antispyware and rootkit protection
for servers, workstations and mobile computers.
In order to effectively manage this important
component, the IT team needs visibility into all
deployment, configuration, status and operation of
the endpoint security functionality. Staff should also
directly control all policies, deployment, updates and
operations schedules. In addition, IT professionals
should enforce corporate and security policies
across the entire organizational infrastructure to
keep networks running at optimal level with minimal
security intrusions.
Patch and upgrade management is also a vital
part to maintaining a hospital's IT infrastructure,
keeping security holes closed before major damage
is inflicted. This includes scheduling recurring
patch scans, searching networks for installed and
missing security patches, detecting vulnerabilities,
and monitoring and maintaining patch compliance
throughout the entire enterprise. After the system
is diagnosed and vulnerabilities are located, the IT
staff should then roll out the required actions across
the appropriate machines based on the extent of the
update. Automating these tasks can make updating
and maintaining compliance quick and efficient.
Lastly, a comprehensive security solution
also includes backup and disaster recovery. IT
administrators should not only be able to locate what
needs to be backed up, but also know where the
data is stored in order to quickly recover important
information regardless of their physical location. This
is especially important when an unforeseen, major
event results in data loss.
IT staff should also have the ability to deploy,
configure, manage, monitor, secure, backup and
restore distributed systems. This removes the
responsibility of backing up workstations by end-
users, ensuring trained professionals monitor and
manage the task on a regular and reliable basis.
October 2009 21
 Security
employees visit these sites, we needed a Web security
gateway solution that sits inline in the network stream, is
able to look at the specific content on the page and then
prevent the malicious elements from being accessed."
Another requirement was the ability to look at en-
crypted secure socket layer (SSL) streams. Waszmer
noticed an increased amount of malicious traffic set up
through SSL sessions. Without being able to see into
the traffic streams, Waszmer worried that data-stealing
malware could make its way into the network.
Health First selected Websense Web Security
Gateway as a tool to enable employees to safely access
Web 2.0. Waszmer designed a deployment strategy to
help minimize installation time. To redirect HTTP and
HTTP S Web traffic to the gateway, he deployed the
system in what is called a "transparent proxy," utilizing
the WCCP protocol. The majority of time spent on this
project has been around fine-tuning Web-use policies
and working with the different departments to provide
greater control and feedback.
Policies Drive Compliance
Health First currently has five global policies that
govern where and how people can use and interact with
the Internet and Waszmer has created more than 20
Reconceiving Disease Management
This white paper demonstrates Intel's vision for the role of
rennote patient monitoring (flPM) technology in chronic disease
management and identifies the core issues that disease man-
agement professionals must address.
J Connecting Patients and Healthcare Professionals
' The Intel Health Guide Solution Brief provides a closer look at
next-generation remote patient monitoring.
_.,
Healthcare Document Imaging Trend Report
The Healthcare sector provides significant opportunities for
document imaging software and hardware including document
scanners.
Reaping the Benefits of an Electronic Health Records
System
Cost reduction, improved patient care, and compliance, have
created a trifecta for moving to an Electronic Health Records
(EHR) management system.
Catholic Health Initiatives Saves Big with IT Investment
Catholic Health Initiatives (CHI) saved $125 million with a suite
of business applications.
22 October 2009 HEALTH MANAGEMENT TECHNOLOGY
specialized policies around Web use to provide greater
protection for key areas.
"Today, we are able to set Web-use policies around
users, groups and devices," Waszmer notes. "Because of
the flexibility of the secure Web gateway and the report-
ing and policy infrastructure we have created, we have
been able to roll out access to different Web 2.0 sites to
the groups and specific people that need it.
"Additionally, one of the unique benefits about the
solution is that it classifies specific content on Web sites
in real time. So, if it classifies a Web page that has some
business benefits but also contains some content that
violates a poUcy, the solution will block just that one
portion of the page."
Health First uses the gateway as part of a layered
security approach that involves technology, investiga-
tion, and awareness and education. "With our strategy
and technology in place, I'm able to run reports on Web
use, see malicious or inappropriate sites employees have
a t t e m p t e d to access, and use the reports to better edu-
cate Web users and gain a greater understanding of how
Web 2.0 sites can be used throughout the organization,"
says Waszmer. "Additionally, the reports allow my team
to quickly respond to security events. With visibility
into the systems, we're able to stay ahead of the threats
before they become a problem."
"Today, healthcare IT managers and C I O s need to
be an active part of the solution to balance the business
needs of Web 2.0 adoption with security," says Rushnell.
"Web 2.0 is here and only going to become a larger part
of our business, so my greatest advice to other healthcare
organizations thinking about enabling Web 2.0 is that they
need to anticipate the changes in the business and adjust,
actively taking steps to secure Web 2.0 use." HMT
/ - " " ' ' " " • ^
From the Catalog
According to www.websense.com: Websense Web
Security Gateway allows organizations to secure Web
traffic effectively while still enabling the latest in
Web 2.0 tools and applications. Through a real-time
content-classification engine, the gateway analyzes
Web traffic on the fly, instantly categorizing new sites
and dynamic content, proactively discovering security
risks, and blocking dangerous malware. Backed by
Websense ThreatSeeker Network technologies. Web
Security Gateway provides advanced analytics -
including rules, signatures, heuristics and application
behaviors- to detect and block proxy avoidance,
hacking sites, adult content, botnets, keyloggers,
J ^ , ^ phishing a t t a c k s .
For more information on spyware and many
Websense solutions: other types af unsafe
www.rsleads.com/91 (3-201 content.
www.healthmgttech.com