Health System Inoculates Network Threats with Palo Alto Networks Next-Generation Firewall

BACKGROUND

The ninth largest Catholic healthcare system in the U.S., Sisters of Mercy Health System’s 28,000 employees and 4,450 medical staff members provide critical services across seven states. Mercy consists of 18 acute care hospitals, a heart hospital, outpatient care facilities, physician practices, skilled nursing and long-term residential care facilities, clinics, a managed care organization and other health-related services. The health system was established in 1986 to serve as the parent corporation of a variety of health care facilities and services sponsored by the Sisters of Mercy of the St. Louis Regional Community.

MERCY, WE NEED A BETTER SOLUTION

Sisters of Mercy Health System (Mercy) is committed to providing stellar health services and ensuring best-in-class protection for the data and applications accessed by its patients and staff. Mercy has two points of Internet access that it must monitor and protect; internal traffic and applications, and client sites that remotely access the corporate network via Secure Sockets Layer (SSL) Virtual Private Network (VPN). With nine major facilities spread across the country, as well as thousands of affiliated clinics accessing its network every day, mitigating threats and controlling application usage is a daunting task. To protect itself, Mercy employed a common array of security devices (firewall, IPS, URL filtering).

Mercy sought to capitalize on the productivity enhancements afforded by a new wave of Web 2.0 Internet-based applications, while also limiting its exposure to the sophisticated network threats that using such programs invites. Hindering the company’s objective was its traditional threat prevention and port-based security posture, which lacked flexibility and granularity and indiscriminately blocked both beneficial and undesirable applications. “We had some visibility with our IPS, but not to the extent necessary,” explains Dan Schulte, Manager of Network Security for Mercy. “We wanted to block certain things within applications. For example, we could shut down some Instant Messenger (IM) applications by juggling policies between our IPS and firewall. But if a patient has family in another country and is using IM appropriately to converse with them, we’d like to allow it but prevent them from sending or receiving attachments or executables via IM.” Mercy needed improved visibility to identify and track applications trying to tunnel over from different ports. “It was all or nothing with our IPS,” continues Schulte. “We had to see deeper into our packets. We needed a better approach.”

SISTERS HOLDS A BAKEOFF

In the process of conducting market research, Mercy discovered Palo Alto Networks. At the time, Mercy was looking into setting up two networks, one for business purposes and one for non-critical usage, and needed to protect both of them. Given the inflexibility and limitations of its current infrastructure, Mercy was intrigued by Palo Alto Networks’ next-generation PA Series firewall and its ability to deliver user-based visibility and control of applications for heightened security. “It piqued our interest because it could do things we wanted to do with our previous IPS and firewall products, but couldn’t,” relays Schulte.

Mercy’s IT staff conducted a head-to-head test pitting competing products against Palo Alto Networks. Hands down, the PA Series emerged as the superior solution. “We’ve done a lot of product ‘bake-offs,’ so we were pretty impressed with what we were able to see with the PA Series -- especially with how the box structures and reports data on network activity,” Schulte explains.

Mercy was also impressed with the PA Series’ port monitoring capabilities. “You’re limited in the number of ports you can monitor with most IPS boxes – and adding more ports can get pretty expensive,” Schulte explains. Instead of investing more into the existing IPS boxes, which would only cover three segments, Mercy could cover eight using Palo Alto Networks, saving the company money. “With the IPS, firewall and web filtering functionality - all in one box - the PA Series is extremely cost-effective!” states Schulte.

DIAGNOSIS: HEALTHY NETWORK AND SAVINGS

Mercy decommissioned its IPS appliances and upgraded its infrastructure to the PA Series. “Anytime you can go to one box with one interface -- instead of multiple appliances -- it speeds everything up,” states Schulte. “Now we don’t have to spend time troubleshooting or correlating firewall and IPS logs.”

Mercy now securely manages and controls applications traversing its network at a level of granularity not possible with its previous solution, allowing its patients and staff to enjoy the benefits of Web 2.0 applications. The PA Series protects Mercy’s different Internet segments and monitors its VPN to ensure that if a user is infected internally, its IT team has the visibility to see it and eliminate it, Schulte says. “Health care is the epitome of a real-time business, with doctors, nurses and staff depending on access to the best tools for helping their patients,” states Schulte. “The PA Series gives us the granular understanding of what users and applications are doing on our networks, and the impact they have on our business and security, so that we can support our company’s mission.”