Covenant Health

Challenge

As a major integrated healthcare system, Covenant Health realized a need for greater control over network security to accommodate the health system’s rapid growth. Working with Tenable Network Security, Covenant implemented Tenable.sc to:

• Discover all assets
• Manage network health
• Centralize and schedule vulnerability scans
• Gain internal control of scan findings
• Passively scan portable medical devices

Covenant Health

Covenant Health is a community-owned health system headquartered in Knoxville, Tennessee. Established in 1996, Covenant Health currently includes nine acute care hospitals and numerous affiliated outpatient clinics, specialty services, and physician practices. Covenant Health’s 10,000 employees and over 1,500 doctors serve thousands of patients throughout Eastern Tennessee. Covenant Health is consistently recognized both regionally and nationally for advanced technology, quality, and patient satisfaction.

The Problem

In 2012, Bob Wilson, Covenant’s Information Security Officer, observed that the health system had a need to get ahead of rapid growth and the increasing number of medical devices on their networks. “Healthcare has so many devices that can’t be actively scanned because of the potential risk of rolling them over and damaging the data. We needed to gain visibility and discovery of all devices in the system, and to maintain continuous monitoring of network traffic without disrupting sensitive operations,” he said. As new organizations joined the health system, Wilson and his fellow systems and network managers contracted out risk assessment scans. “Our goal was to first gain visibility and discovery of all assets, self-maintain an inventory of all network devices, then conduct annual and quarterly scans on all endpoints,” explained Wilson. “But with over 15,000 IPs, it was hard to maintain control of the process.”

The Tenable Solution

The Covenant security team recognized Nessus® as the de facto standard for vulnerability management. Wilson had experience using Nessus on personal systems and was confident in its reliability. “Periodically, we also had network vulnerability penetration testing done by contract, which led us to Nessus,” he explained. “We started with a Nessus trial to run local scans on several Covenant systems, which led to our evaluation of the enterprise-class Tenable.sc offering.” The team’s unanimous recommendation of Tenable products was approved by their CIO, along with a recommendation to acquire Tenable’s QuickStart professional services for Tenable.sc configuration.

The Results

Covenant Health is implementing Tenable.sc in stages. While the health system ultimately plans to conduct regularly scheduled scans of everything, it is currently running special purpose scans with success.

“Nessus Network Monitor is a valuable component because of our medical devices,” said Wilson. “You cannot actively scan those devices – a scan can affect the timing of the device or its sensitive processes. But Nessus Network Monitor gives us the ability to see that network traffic and scan passively to detect and track the devices.”

Another major accomplishment was a specialized scan to identify all Windows XP machines in the Covenant system. “We knew they were out there, but we weren’t sure we had a complete inventory of all the machines – a few may have sneaked in without our knowing it,” said Wilson. “The scan gave us a target list for upgrades, since it is a priority of ours to get XP systems off the network.”

But the most important benefit of Tenable.sc is that Covenant has now gained internal control of its scan findings. Wilson explained, “When you contract with a third party for vulnerability scanning, they run the scan and give you a paper report, but it’s hard to use the results." "An in-house solution is much better; we now have results in hand and we can do remediation scans. If we find something, we can select the systems to rescan without contracting the scan out; we have total control internally. We get the precise reports we want, when and how we want them. Self-control is a huge advantage."

Covenant is especially pleased with the Tenable.sc “single pane of glass” approach to scan management. All scan results are pulled into one repository and one console. “Now we have the capability to keep results and remediation efforts for everything in one centralized location,” Wilson remarked. “I don’t have to leave my chair to view and control all assessment operations. And we can now scan all of IT without anyone noticing it.”

Next Steps

Covenant Health is planning to take Tenable.sc to the next level to manage and define scans, to set up scan schedules, and to continually monitor all network traffic. The health system has plans to integrate Tenable.sc with a SIEM in 2015. A new security policy calls for specific metrics that will be tracked with the help of Tenable.sc™.

Wilson concluded, “We haven’t taken the deployment to its full potential yet, but we have confidence that Tenable.sc will meet all our needs.”