Major Health System Immunizes Itself from Network Threats


The Medical College of Virginia Hospitals (MCVH) is the teaching hospital component of the Virginia Commonwealth University Health System (VCUHS). Since 1838, MCVH has been in the forefront of advances in healthcare, providing patients from across Virginia and neighboring states with some of the most progressive treatment and technology available. More than 700 students from around the world pursue their M.D. degree under the tutelage of MCV Hospitals’ renowned faculty. Representing more than 200 specialty areas, including multi-disciplinary centers for cancer, cardiology, neurosurgery and transplantation, the staff of MCV Hospitals includes dozens of physicians who have been recognized as among the best doctors in the country.


Named one of “America’s Best Hospitals” by U.S. News & World Report, VCU Health System employs 7,500 people. Given its large staff and 24x7 operations, VCU Health System’s network typically supports high volumes of users – up to 10,000 daily – and at all hours. The primary, and constant, challenge for the organization’s IT team is to balance its users’ need for open and immediate access to medical and health information and research with meeting compliance requirements to protect data and patient privacy. Deemed by Hospitals & Health Networks magazine as one of the “Most Wired” healthcare institutions in the country, VCU Health System also faced the challenge of managing mounting demands on its Internet bandwidth usage.

The organization’s IT team attributed much of the growing consumption of Internet bandwidth to streaming audio and video that was unrelated to patient care. “Our Internet pipe should be big enough to meet our needs, but it was filling up routinely,” explains Bob DeVoy, Network and Storage Services Manager, VCU Health System. Closely correlated to this fact were growing concerns that users might be introducing security risks via their online activities.


VCU Health System had Cisco Systems firewall modules deployed to protect it. However, these firewall modules do not afford the visibility into network activity and application access necessary for VCU Health System to identify and monitor risky activities and match them to specific users and/or machines. Thus, DeVoy and his team needed a solution. Websense, an Internet filtering and web security tool, was in use by 500 employees. DeVoy considered expanding its coverage to encompass all of VCU Health System’s network users, but sought a more comprehensive and affordable solution that might also deliver efficiencies in bandwidth consumption.

At the invitation of Palo Alto Networks partner SUN Management, DeVoy attended a seminar to learn about Palo Alto Networks PA-4000 Series next-generation firewall. Impressed, he arranged to evaluate the PA-4000 Series on-site to determine where it could offer improvements in both security and network usage. “Within a couple of hours of running the trial we were able to identify specific desktops running streaming media from YouTube and other programs that pose security risks, and get a sense of the magnitude of the problem,” said DeVoy.


Convinced of its ability to deliver superior results, DeVoy and his team deployed the PA-4000 Series next-generation firewall. As a result, VCU Health System has enjoyed dramatically increased application visibility and control, reduced threats to its network and decreased its Internet bandwidth consumption. Moreover, the ability to track applications flowing in and out of its network has given VCU Health System the granular information it needs to formulate, and enforce, an acceptable use policy for its users. “We really find the report export capabilities in the latest version of the PA-4000 Series extremely helpful,” said DeVoy. “This is clearly the tool we’re going to use to better manage our Internet and internal bandwidth. Palo Alto Networks does everything that our previous infrastructure did plus a ton more!”

Using the information gleaned from the PA-4000 Series, VCU Health Systems’ security team has put together policies to block access to applications that are not work related, while still allowing its staff the freedom to access files and information that enhance patient care, learning and productivity. “Our job is to minimize risk while maximizing the ability of medical and administrative staffs to get their jobs done as efficiently and effectively as possible,” said Bob DeVoy. “Palo Alto Networks allows us to define and enforce appropriate user policies, so that the business of the hospital always comes first, risk is minimized and our medical professionals retain maximum flexibility.” Based on the impressive performance of the PA-4000 Series, VCU Health System is also interested in the device’s threat prevention capabilities. In fact, it plans to send its security team to an upcoming training session to learn more. “We confident we’ll get even more return as we continue to take advantage of more of the PA-4000 Series’ capabilities in the near future,” added DeVoy.