UMass Memorial Health Care is a $2.5 billion non-profit health system based in Worcester, Massachusetts. The flagship of its multi-campus system is 779-bed UMass Memorial Medical Center.
The health system also comprises two community hospitals (163-bed UMass Memorial HealthAlliance/Clinton Hospital and 79-bed UMass Memorial-Marlborough Hospital), a large physician multi-specialty group practice and numerous other related entities.
Early in 2014, UMass Memorial Healthcare was made aware of a third-party independent audit finding of a potential issue with the way that it controlled access for vendors to its network.
While analyzing the potential audit findings, staff learned the basis of those findings, which stemmed directly from the headline-grabbing 2013 Target breach. In that breach, attackers obtained login credentials from a vendor that managed Target's energy management system and used that access to get into the retailer's own systems.
“After doing additional research on vendor access to UMass Memorial Healthcare network and systems, we determined that we potentially had a major security problem that had been identified by the audit,” said Scott W. Emery, information systems security analyst at UMass Memorial Healthcare.
“Vendor access to UMass Memorial Healthcare was inconsistent and largely uncontrolled. We had no permanent record of when vendors accessed our network or systems.”
The methods for accessing UMass Memorial Healthcare ranged from VPN connections and web services to remote desktop and various third-party remote PC access tools. Vendor accounts that the health system set up on its network were being used as group accounts by vendors, and each account had different privileges assigned to it.
The other main issue the health system faced was its lack of visibility into what vendors did while they were logged into its network and systems.
“We immediately searched for a solution to help us gain control of our problem,” Emery said. “We engaged several companies who specialized in secure vendor access. We basically were looking for a vendor who could provide: secure access to our network and systems; detailed access logs and history; session information of the vendor; notification of vendor access to our environment; and capabilities to disable or enable the access.”
After several technical review sessions of the solutions presented, it became evident that many of the vendors offered good solutions but also provided products that did much more than the health system needed. Although the health system wanted to solve its problems, it did not want a product that was multifunctional and well beyond the limits of secure vendor access.
“One company that rose to the top of the list was Securelink,” Emery reported. “From the start, they focused on our problem and not on other potential interests of the solution. They engaged us with our interests in mind and wanted to partner with us in finding a solution to our specific problem of secure vendor access to our environment.”
Emery added that the vendor’s concerns were genuine and that it never strayed from what the health system wanted to accomplish. He said the health system ended up selecting Securelink for the following reasons:
- It was an employee-owned company, which the health system felt meant everyone in the company had a stake in its success at addressing the identified issues.
- It focused on secure vendor access.
- It touted its ease of implementation and continued support.
- It had a strong reputation and customer referrals.
- Its overall cost was affordable.
There is a variety of secure vendor access technologies on the IT market today, with vendors including BeyondTrust, Bomgar, CyberArk, Netop, SANS and Saviynt.
MEETING THE CHALLENGE
“By choosing Securelink, we were able to provide a solution that addressed our initial problem and more,” Emery said. The product, he said, provided dual authentication, secure browser access, encrypted traffic, recording of vendor sessions, notification when vendors are accessing resources, notification of the reason a vendor is accessing a resource, notification when a vendor has completed access, full control of vendor access, and limiting of each vendor to only the resources defined for it.
The product, he added, also provided passing of credentials (no passwords exchanged), individual vendor accounts (no group accounts), links with other Securelink environments (Nexus connections), use of various network protocols (RDP, SSH, VNC, etc.), proactive security responses (vendors know the health system is watching and monitoring), full control by system analysts (internal users) over their vendors and their access, the ability to block access to production systems during critical use times, and more.
“Our challenges of implementing this environment were limited,” he said. “The main challenge became convincing vendors that their previously unfettered access to our environment would change dramatically and impact their support of their systems or applications. However, once vendors used the SecureLink environment, they became quick supporters.”
Internally, the health system struggled for a short time with the changes to its vendor access processes until internal staff became fully aware of the benefits of using the environment. They are now convinced that the health system will work with them to make sure their vendors reach their resources securely without unnecessary steps and processes.
At the end of its third year working with SecureLink, UMass Memorial Health Care worked with a third-party company hired by Securelink to calculate the return on investment of the implementation.
“Originally, we were not focused on this as a major decision factor for selecting the solution; however, we became interested in how well we did given all our success,” Emery said. “Our feelings were that we simplified the process and eliminated many unneeded steps in our original process for vendor access. This might be something that we could report back to senior management as an added benefit to the implementation of a secure vendor environment. To our delight we found that the ROI of the implementation far exceeded our expectations.”
Overall, UMass saw a 594% annual ROI based on a range of efficiency and security factors, Emery reported. The following are some of the statistics resulting from the third-party ROI study:
- It improved service delivery by improving uptime of critical applications – risk savings equal to $700,416.
- It reduced time spent creating and tracking vendor access accounts – operations savings equal to $98,229.
- It reduced time spent managing, supporting and troubleshooting vendor access accounts – operations savings equal to $208,203.
ADVICE FOR OTHERS
“We highly recommend doing a full security vulnerability assessment of the vendor environment,” Emery advised. “This would include how vendor accounts get set up and the privileges they are given. You should always defer to the least amount of privileges necessary to complete support tasks. Look at the process flow defined for vendor access and see if improvements can be made in that area to improve customer service overall.”
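As an added illustration of the controls Emery lists above (individual rather than group accounts, access limited to defined resources and protocols, a stated reason for every session, production hosts blocked during critical-use windows, and a permanent access record) and of the vendor-account assessment he recommends, the following Python is example code written for this article, not SecureLink's product or UMass Memorial's tooling. The policy fields, the VPN log format and the host and account names are assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import time

# Hypothetical policy record: vendor account prefix (individual accounts are "vendor.user"),
# the only hosts/protocols the vendor may use, and host -> (start, end) production blackout times
VendorPolicy = namedtuple("VendorPolicy", "vendor allowed_hosts allowed_protocols blackout")
AccessRequest = namedtuple("AccessRequest", "account host protocol reason when")

def evaluate(req, policy, audit):
    """Gate one request: return (decision, reasons) and always append an audit record."""
    reasons = []
    prefix, _, user = req.account.partition(".")
    if prefix != policy.vendor or not user:          # shared/group accounts are refused
        reasons.append("not an individual vendor account")
    if req.host not in policy.allowed_hosts:         # vendor limited to defined resources
        reasons.append("host not in vendor's allowed set")
    if req.protocol not in policy.allowed_protocols:
        reasons.append("protocol not permitted")
    if not req.reason.strip():                       # every session states its purpose
        reasons.append("no reason given")
    window = policy.blackout.get(req.host)
    if window and window[0] <= req.when.time() < window[1]:
        reasons.append("host in critical-use blackout window")
    decision = "ALLOW" if not reasons else "DENY"
    audit.append(f"{req.when.isoformat()} {decision} {req.account} {req.protocol}://{req.host} "
                 f"reason={req.reason!r} {'; '.join(reasons)}")
    return decision, reasons

def find_shared_accounts(log_lines):
    """Flag accounts with concurrent sessions from different source IPs (group-account use)."""
    active, shared = defaultdict(set), set()
    for line in log_lines:
        _ts, event, acct, src = line.split()
        account, source = acct.split("=", 1)[1], src.split("=", 1)[1]
        if event == "login":
            active[account].add(source)
            if len(active[account]) > 1:
                shared.add(account)
        else:
            active[account].discard(source)
    return shared

SAMPLE_LOG = [  # constructed VPN log lines, not real data
    "2014-03-03T09:00:12 login account=acme src=203.0.113.5",
    "2014-03-03T09:04:40 login account=acme src=198.51.100.7",
    "2014-03-03T09:30:00 logout account=acme src=203.0.113.5",
    "2014-03-03T10:00:00 login account=acme.jdoe src=203.0.113.5",
]
SAMPLE_POLICY = VendorPolicy("acme", {"lab-db01"}, {"ssh", "rdp"}, {"lab-db01": (time(7), time(9))})
```

Running `find_shared_accounts(SAMPLE_LOG)` on the constructed log flags the bare `acme` account, which is exactly the group-account pattern the audit surfaced, while `evaluate` refuses that account outright and records every decision.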