At Kelsey-Seybold, next-gen antivirus enhances protection of Epic, other systems

The endpoint safeguard tech is finding multiple unusual issues, such as a suspicious executable from China in a common Windows app used by physicians.
By Bill Siwicki
12:52 PM

The Kelsey-Seybold Clinic, a general and specialty care clinic serving the greater Houston area.

Healthcare is a huge target for cyber-attackers, and IT teams struggle with a flood of alerts and a security console that requires nearly constant monitoring.

THE PROBLEM

The Kelsey-Seybold Clinic, a general and specialty care clinic serving the greater Houston area across 22 individual locations, was looking for a way to significantly streamline and automate much of this process.

“Endpoint protection, which most consider to be anti-virus tools, has always been a core component of any information security program, just as firewalls should be for the network,” said Martin Littmann, chief information security officer at the Kelsey-Seybold Clinic. “But malware has evolved and basic signature-based tools are no longer the most effective protection for the endpoint.”

So the clinic set out to find a next-generation anti-virus tool to protect its endpoints. Additionally, the clinic had experienced years of resource and application performance impact from its traditional anti-virus technology and it expected next-generation technology to be a cure.

PROPOSAL

The Kelsey-Seybold Clinic replaced its McAfee suite with SentinelOne, but only after running proof-of-concept trials on four vendors’ technologies and considering the current offerings from the big signature-based legacy antivirus vendors (McAfee and Symantec).

SentinelOne was the only technology that gave the clinic high confidence in anti-virus protection against both file-based and fileless malware, in addition to threat hunting and monitoring and response capabilities, Littmann said.

MARKETPLACE

There are a variety of cybersecurity technology vendors that offer full suites of protective technologies for healthcare and other organizations. These include CrowdStrike, Cylance and Endgame.

MEETING THE CHALLENGE

Implementing a new anti-virus technology into any environment is no small task. Kelsey-Seybold’s infrastructure is a mix of physical machines (desktops and laptops), virtual desktops, and physical and virtual servers.

“We had to verify the solution would be able to service all these environments with no negative impact to patient care and safety and no degradation of system performance,” Littmann explained. “We also were in the midst of a Windows 10 migration, so we decided that all Windows 10 machines would get SentinelOne while we maintained McAfee in the Windows 7 environment.”

Since next-generation anti-virus technology approaches protection differently than signature-based systems, which scan files and systems periodically, the clinic started its process by implementing the new technology in parallel and in a monitoring mode.


“During this trial period we compared observations and alerts from SentinelOne to any made by McAfee,” Littmann said. “We also tweaked and migrated exclusion rules from the legacy anti-virus environment and implemented similar rules where it was determined exceptions still were needed.”

The next step was to migrate to full protection and remove the legacy McAfee anti-virus technology. The clinic did this first with a test population, just as it does for rolling out patching updates.

“Having seen no issues, we proceeded to roll out to the entire desktop population,” Littmann said. “We next moved into the server environment using a similar strategy of implementing monitoring before introducing full protection. We also rolled out to all test and training server environments before beginning the rollout to production systems.”

RESULTS

Littmann reported that the clinic can confidently say that no system downtime or performance impact has been seen as a direct result of the rollout. He could not say the same of the clinic’s prior antivirus rollouts.

“We also experienced an interesting event in the rollout that gave us very clear documentation of the reduced operational impact of SentinelOne over McAfee,” he said. “On the day SentinelOne was to go into full protection mode for our non-persistent VDI environment, an error was made that turned off all anti-virus.”

After a couple of days, the mistake was caught, SentinelOne was enforced and McAfee was turned off. Because the clinic actively monitors the performance of its Epic Systems EHR, staff could see graphically the response times with McAfee before SentinelOne, the response times with no anti-virus at all, and the response times with only SentinelOne. This several-day view verified that SentinelOne demonstrably improved application response times, Littmann reported.

“Another interesting incident occurred that caused us to have an even greater appreciation of the benefits of next-generation endpoint technology,” he added. “After the Windows 10 rollout, it was discovered a number of clinical staff had benefited from using the Windows 7 sticky note app. Since no one-to-one replacement exists in Windows 10, our desktop team identified a Windows 7 executable for the sticky note app and introduced it to the Windows 10 environment.”

But SentinelOne flagged this executable as suspicious. After digging into the results, staff learned SentinelOne had traced some of the heritage of the executable code to questionable sources in China. While the executable was not specifically identified as malicious, staff were able to swap it out for another executable that was determined to have no references to the suspicious origins.

ADVICE FOR OTHERS

“We know that healthcare environments are challenged every day with malicious attacks externally and internal opposition to security measures that might be perceived as roadblocks to patient care and healthcare operations,” Littmann said. “But we all share that same moral and regulatory responsibility to protect our data and environments from bad actors.”

Kelsey-Seybold’s experience shows that proactive measures such as next-generation anti-virus technology can be undertaken cost-effectively and with minimal impact to the business when the implementation steps are planned thoughtfully, he explained.

“In the end,” said Littmann, “IT wins, the business wins, and the healthcare consumer wins.”

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com
