
Network security case study: Inside the Cleveland Clinic

Using a SIM system to monitor information in a DMZ, the Cleveland Clinic provides a network security case study from which others can learn.

The Cleveland Clinic has garnered press over the years for everything from its famous patients to its filmless radiology departments. Each year, it ranks among the top four overall hospitals nationwide, according to U.S. News & World Report. Its director of information systems, though, lives in fear of becoming tomorrow's news.

"If a 200-bed hospital in, say, Illinois were to have an application hacked, it might make local newspapers. For us, because we have facilities all over the country -- as well as internationally -- not only will we make The New York Times, but chances are we'd make the international press as well," says Matt Speare. His job includes keeping intruders from accessing the Clinic's networks while simultaneously expanding Web-based initiatives that service millions of patients and health care workers.

Network protection for Speare has meant deploying several security solutions in a DMZ, including Check Point FireWall-1 and Cisco Secure PIX, routers, a VPN concentrator and intrusion detection systems. The routers, VPN and IDSes all carry the Cisco Systems brand name, but separate companies later acquired by Cisco made each. That means every one of these devices produces its own set of logs and alerts and operates on a different security alarm system and severity classification. Daily alerts alone number 2 million to 3 million.

For Speare and three other network administrators dedicated to the DMZ, keeping tabs on any one device is time-consuming; collectively, it's near impossible. "Every one of these generates a huge amount of logs that at any point 10 or 12 people could spend the better part of the week going through," he says.

To gain control of monitoring, The Cleveland Clinic last July began using ActiveEnvoy from netForensics, a security information management (SIM) application that normalizes security data over a heterogeneous network and automates the alarm process, triggering real-time alerts based on level of threat. By correlating security events and using rules-based aggregation, attacks can be prioritized and the amount of generated data condensed. Now, threats at the Clinic are defined and rated on a 1 to 5 scale, with Levels 1 through 3 not requiring immediate action and Levels 4 and 5 prompting e-mails or pages to IT staffers.
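A toy illustration of the normalize, correlate and rate pipeline described above, added here as an example; it is not netForensics code or the Clinic's configuration, and the three log formats, the severity mappings and the sample lines are all constructed for the example:

```python
import re
from collections import Counter

# Constructed stand-in log formats for the firewall, PIX and IDS (not vendor syntax).
FW_RE = re.compile(r"^FW1 action=(\w+) src=(\S+) dst=(\S+)")
PIX_RE = re.compile(r"^%PIX-(\d)-\d+: .*? from (\S+) to (\S+)")
IDS_RE = re.compile(r"^IDS sig=\S+ prio=(\w+) (\S+) -> (\S+)")

# Each device has its own severity vocabulary; the SIM maps all of them onto one
# 1-5 scale. These mappings are assumptions made for this example.
FW_SEVERITY = {"accept": 1, "drop": 2, "reject": 3, "alert": 4}
PIX_SEVERITY = {6: 1, 5: 2, 4: 3, 3: 4, 2: 5, 1: 5}  # syslog style: lower = worse
IDS_SEVERITY = {"low": 2, "medium": 3, "high": 4, "critical": 5}

def normalize(line):
    """Return (device, level, src, dst) on the common scale, or None if unparsed."""
    if m := FW_RE.match(line):
        return "fw", FW_SEVERITY.get(m[1], 3), m[2], m[3]
    if m := PIX_RE.match(line):
        return "pix", PIX_SEVERITY.get(int(m[1]), 3), m[2], m[3]
    if m := IDS_RE.match(line):
        return "ids", IDS_SEVERITY.get(m[1], 3), m[2], m[3]
    return None

def correlate(lines, page_threshold=4):
    """Rules-based aggregation: group events by (src, dst) across all devices, keep
    the worst level and a repeat count, return flows at or above the paging level."""
    worst, counts, devices = {}, Counter(), {}
    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue                      # unknown format: dropped, not escalated
        device, level, src, dst = ev
        key = (src, dst)
        counts[key] += 1
        worst[key] = max(worst.get(key, 0), level)
        devices.setdefault(key, set()).add(device)
    pages = [{"src": s, "dst": d, "level": lvl, "events": counts[(s, d)],
              "devices": sorted(devices[(s, d)])}
             for (s, d), lvl in worst.items() if lvl >= page_threshold]
    return sorted(pages, key=lambda e: -e["level"])  # Level 5 first

SAMPLE_LOGS = [  # constructed sample lines, not real Clinic traffic
    "FW1 action=drop src=198.51.100.7 dst=192.0.2.10",
    "FW1 action=drop src=198.51.100.7 dst=192.0.2.10",
    "%PIX-2-106001: Inbound TCP connection denied from 198.51.100.7 to 192.0.2.10",
    "IDS sig=web-scan prio=medium 203.0.113.5 -> 192.0.2.20",
    "FW1 action=accept src=203.0.113.9 dst=192.0.2.20",
    "garbage line the universal agent does not understand",
]
```

With the sample above, `correlate(SAMPLE_LOGS)` returns a single Level 5 flow seen three times by two different devices, which is the kind of condensed, prioritized record that triggers a page rather than three separate raw alerts.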

Speare's staff weighed six solutions, including an ACID system using Snort technology and managed security services provider Counterpane Internet Security. ACID was found too tedious, requiring high levels of technical expertise and constant manual updates. The MSSP option was attractive, but too expensive.

"Budgets here are set in stone a year before," he explains. The hospital couldn't cough up another $180,000 for external monitoring, but it could find reserve funds for a $25,000 control management solution.

Another strike against the MSSPs: The Cleveland Clinic staff wasn't sure it could turn over so much responsibility to a third party, given the revenue and reputation at stake. In addition to bad publicity for breaches, there are potential fines for failing to protect patients' medical files as prescribed by the Health Insurance Portability and Accountability Act (HIPAA). netForensics appears to be meeting The Cleveland Clinic's administrative needs and business goal of introducing one of the first hospital-based e-commerce models for patient- and physician-records access via the Internet -- introducing a massive number of new users to an already stretched system.

Archived logs generated by netForensics serve as proof that security measures -- including monitoring -- are in place for HIPAA compliance. The intelligent, automated netForensics system also reduces staffing needs -- a key for The Cleveland Clinic. Finding local infosecurity professionals can be difficult, Speare admits, and recruiting outside the area is even more so. "It's a nice town, but for some reason trying to get someone to Cleveland is near impossible." Initially, Speare was disappointed that netForensics lacked an open agent to support various platforms. Since then, the company added a universal agent feature that ties in with almost any device in his DMZ environment.

Now, he says, he'd like the company to address another drawback. "I'd like to see it in a packaged appliance. One issue we had was to get an appropriate server to run it on. They do offer an NT version, but we like Unix. If they offered a packaged appliance, it would be much faster for most organizations to [install] it rather than the open-source community building a Unix server to support it."

Speaking of support, netForensics appears able to handle the heavy-duty load of The Cleveland Clinic's estimated 10 million daily transactions. Most of the traffic comes from people submitting or accessing NIH reports, patient records or appointment schedules via the Web. That transaction level is bound to increase as more patient- and physician-oriented services are established in the DMZ environment, eventually prompting the addition of another server in a redundant array.

"I think we've probably pushed it to the edge, and it's held up," Speare says.

This was last published in January 2002
