Prevent malicious applications from gaining access and control of critical medical devices; prevent malware and other cyberthreats from compromising the medical center network and disrupting vital patient and business services.
Palo Alto Networks® Next-Generation Security Platform to provide granular control over network traffic and automatically prevent known and unknown exploits from disrupting productivity or posing a threat to patient safety.
Threat Prevention, URL Filtering (PAN-DB), WildFire, Panorama, Premium Support
PA-5020 (2), PA-3020 (1), PA-500 (1)
Fisher-Titus Medical Center provides comprehensive state-of-the-art healthcare services for 70,000-plus residents throughout North Central Ohio. Its full continuum of care includes a 99-bed acute care hospital, a 69-bed skilled nursing facility, a 48-unit assisted living facility, a Home Health Center, and outpatient services.
The medical center is known for its high-quality patient care, having received numerous recognitions, including the HealthGrades Outstanding Patient Experience Award and Leapfrog’s “A” Hospital Safety Score for five consecutive years.
Fisher-Titus Medical Center is a non-profit community hospital that leverages technology extensively to enhance patient care and drive administrative efficiency. Potential vulnerabilities in its medical devices, increased cyberthreats, and an expanding facility prompted the medical center to replace its end-of-life Juniper Networks® firewalls and scale out with the Palo Alto Networks Next-Generation Security Platform.
With the Palo Alto Networks platform, Fisher-Titus gained more granular control to prevent unauthorized applications from accessing its medical devices. It also created user- and application-specific policies to manage what applications and systems individual users are permitted to access based on their role.
In addition, the Palo Alto Networks platform automatically prevents known and unknown threats from infiltrating the medical center's network while improving overall network performance dramatically.
Protecting Life-Critical Medical Devices
Fisher-Titus Medical Center may be a community hospital, but it is big on technology. In fact, the medical center is committed to offering its patients the most advanced technology and medical treatment possible.
To prove the point, Fisher-Titus became the nation’s first all-digital “smart” community hospital when, in 2010, it implemented a fully integrated Cerner® electronic health record (EHR) system and interactive technology in patient rooms. The medical center has also earned recognition by Hospitals & Health Networks magazine as one of the Most Wired hospitals in the U.S. for five years in a row.
Especially today, information and medical technologies are the foundation for providing the highest level of personal care and efficient healthcare administration. But with more and more medical devices and applications sharing patient data among hundreds, if not thousands, of people inside and outside the medical center, information security is a top priority.
A major security concern is aging medical devices built on older technology that wasn't designed for modern cyberthreats. In many cases, these devices can leave "back doors" open for the vendors to perform updates or maintenance. But that can also open the door for cyberattacks. A relatively simple attack might break through and just shut down the machine – bad enough.
But a particularly malicious attacker could gain control and alter drug dosages regulated by the machine, which could have life-threatening impact.
Fisher-Titus partnered with Palo Alto Networks to ensure that nothing like that happens in its facilities. The medical center implemented the Palo Alto Networks Next-Generation Security Platform to not only close those back-door vulnerabilities, but also automatically prevent cyberthreats of all kinds from breaching its network and potentially compromising medical systems or patient care.
Deeper Network Visibility Means Stronger Security
Fisher-Titus originally deployed a Palo Alto Networks PA-5020 Next-Generation Firewall several years ago in "virtual wire" mode behind a legacy Juniper Networks firewall, along with a PA-500 Next-Generation Firewall in its DMZ. But as attack vectors became more sophisticated and the medical center continued to expand, Fisher-Titus needed to strengthen its security infrastructure even more.
Dylan Border, the lead project engineer for the security expansion at Fisher-Titus, explains, "Our traditional firewalls blocked traffic just based on services and ports. You couldn't get clear visibility into what applications the medical devices were running, so it was easy for a malicious program to slip through the cracks."
With the Juniper firewall going end-of-life, Fisher-Titus replaced it with a second PA-5020 Next-Generation Firewall and began taking advantage of the full features of the Palo Alto Networks platform to secure its network and 1,200 clinical and business users.
The medical center also added subscriptions for Threat Prevention, URL Filtering, and WildFire® cloud-based threat analysis service. In addition, Fisher-Titus deployed a PA-3020 Next-Generation Firewall for a newly constructed satellite facility with about 30 office staff and repurposed its PA-500 Next-Generation Firewall to secure a private link between the Medical Center and remote doctors' offices. Panorama™ network security management provides the security team with centralized administration, and the entire Palo Alto Networks platform is backed with Premium Support.
"Without the depth of visibility and scale that the Palo Alto Networks platform brings, I can't think of a practical way we could otherwise protect our network in today's world," says Border. "We just love the platform. There's no other network security vendor we'd rather work with."
Granular Policies Prevent Unauthorized Access
Today, the Palo Alto Networks Next-Generation Security Platform provides comprehensive protection against cyberthreats that could impact the medical center and its patients.
Platform capabilities like the Next-Generation Firewall and Threat Intelligence Cloud, help Fisher-Titus prevent unauthorized access to medical devices and other network assets while allowing authorized traffic to flow smoothly and efficiently.
The medical center now has specific policies in place that define which medical devices can communicate with each other. With deep packet inspection, the security team has a granular view of known good traffic as well as known bad or suspicious traffic that can be quickly and easily addressed with new policies. Plus, with features like App-ID™ application identification technology and User-ID™ user identification technology, the team can manage which applications and systems individual users are permitted to access based on their roles. For example, a nurse wouldn't be permitted to access the payment system, while a finance user would.
"The Palo Alto Networks platform gives us a 360-degree view of how all applications and users are communicating on the network," notes Border, "and it gives us so much more control. Instead of being limited to ports or IP addresses, we can build policies around specific user accounts and get very granular in terms of who can access what."
He adds that the process for creating and managing policies is quite easy on the Palo Alto Networks platform. "Managing policies is very logical, and takes much less time than our previous firewall. Then after you build out a policy you can just click a network link and see what traffic has hit it. We essentially have a single pane of glass that provides clear oversight of where traffic is coming from and where it's going."
Built-in reporting also helps the security team keep tabs on network health and activity. Everything from bandwidth utilization reports to compromised host reports provide important insights and can help substantiate network changes to upper management.
For example, if a device is repeatedly sending the same beacon over and over again, there's a good chance it's been compromised, and the team can immediately take appropriate action. Similarly, if a report shows excess traffic on a particular circuit that can't keep up with the volume, this could justify upgrading the circuit speed.
Intelligent Prevention Stops Cyberthreats at the Door
Fisher-Titus also gains much more than visibility – it now has assurance that both known cyberthreats and zero-day attacks are automatically prevented from hitting the medical center's network. Among the most common, exploits come through everyday email in the form of Microsoft® documents embedded with malicious macros. Most are zero-day attacks that can easily slip through traditional signature-based security methods. But since implementing WildFire, those malicious macros have all been effectively stopped.
Border points out, "We receive hundreds of malicious documents every day and just as many other zero-day threats. WildFire inspects every one of them, figures out what they're trying to execute, and in a few minutes sends us a rule that protects our network. It's truly one of the most valuable benefits of the Palo Alto Networks platform."
With WildFire as part of the integrated Palo Alto Networks platform, Fisher-Titus also saved a substantial amount of money.
Previously, the medical center used an on-premises malware analysis appliance, but it was undersized and unable to handle the growing volume of attacks threatening the healthcare provider. Upgrading the appliance would have been very expensive, so by consolidating network security onto a single platform, Fisher-Titus avoided many thousands of dollars in additional cost.
Higher Performance Keeps Authorized Traffic Flowing Smoothly
In addition to blocking threats, both known and unknown, Palo Alto Networks also helped Fisher-Titus improve performance for authorized traffic on its network. With its previous firewall solution, the medical center often saw VPN tunnels slow down – practically to a halt – during periods of heavy network traffic. This put a drag on productivity and usually resulted in a flurry of support calls, which steal time away from other more strategic projects. Now traffic consistently flows smoothly.
"We had completely maxed out what our previous solution could handle," says Border. "The data plane on the Palo Alto Networks firewall is so much faster, we never see slow-downs any more. Our users have definitely noticed the difference. The network is much snappier now."
If Fisher-Titus ever runs into an issue that could impact performance or needs assistance with common day-to-day incidents, Palo Alto Networks Premium Support is always on hand to help.
Border remarks, "My experience with Premium Support has always been second to none; in fact, in my experience the professional support from Palo Alto Networks is the best in the industry. The person who answers the phone is your contact throughout the process. They have a vast amount of knowledge and can usually solve your issue on that first call. That makes it a very fast and efficient process to get the support you need."
Taking Protection Out to the Endpoints
Looking ahead, Fisher-Titus now has its sights set on adding Traps™ advanced endpoint protection to its Palo Alto Networks platform. As the incidents of ransomware and other sophisticated exploits threaten its PCs and servers, the medical center recognizes that traditional antivirus solutions are no longer adequate.
"The problem with antivirus is that when it picks up a virus, it's already too late," Border observes. "Traps is like having a mini-firewall on your endpoints, so you have the same kind of threat prevention on your PCs and servers as you have at the edge or core of your network. So that's another vital layer of protection we plan to add in the very near future."
He concludes, "We are very passionate about Palo Alto Networks here at Fisher-Titus. The way they offer an entire platform is absolutely essential to what we do every day to secure our network and protect patient and business data from being compromised. It's a real comfort knowing we have the best technology available today to watch out for our network."