Key Business Needs
Healthdirect Australia needed to maintain a high level of security for large volumes of personal and sensitive data, while keeping that data conveniently accessible and available to patients and clients. The organisation also wanted to maintain compliance with the Center for Internet Security (CIS) best practice audit framework, while providing easy-to-use reports for IT and management.
Tenable Products Selected
Healthdirect Australia selected Tenable SecurityCenter Continuous View™ (SecurityCenter CV). Tenable was an ideal solution for the organisation’s cloud-based delivery model, enabling it to deploy in the cloud and providing continuous monitoring of both its non-production and production systems to identify vulnerabilities, reduce risk and ensure compliance.
Thanks to SecurityCenter CV, Healthdirect Australia can scan for, identify, prioritise and remediate vulnerabilities and misconfigurations, and create automated reports for its IT and management teams. In addition, Tenable is helping the organisation achieve its CIS compliance objectives on an ongoing basis.
Healthdirect Australia has deployed Tenable’s SecurityCenter Continuous View™ within Amazon’s AWS cloud. The deployment must maintain a very high level of security, because a very large amount of sensitive, personally identifiable information must be protected. At the same time, clients of the service expect a high degree of availability from any place at any time.
About Healthdirect Australia
Healthdirect Australia is a public company limited by shares. It delivers health services by contracting with service providers, managing ongoing operations and implementing governance structures so that the health services are provided safely and efficiently. All Healthdirect services are wholly or jointly funded by federal, state and territory governments.
Healthdirect Australia manages the following healthcare services:
- Healthdirect nurse helpline and health information
- After hours GP helpline
- Pregnancy, Birth and Baby information service
- Mindhealthconnect service
- National Health Services Directory
- My Aged Care phone and online service
Securing public-facing websites, and maintaining a known and well-managed vulnerability posture for them, are pressing concerns. Healthdirect Australia cannot afford to be compromised, given the nature of the services it delivers. The Confidentiality, Integrity and Availability (“CIA Triad”) model plays a major role here: it is designed to guide an organisation’s information security policies. In this context, confidentiality is the set of rules that limits access to information, integrity is the assurance that the information is trustworthy and accurate, and availability is the guarantee of ready access to the information by authorised people.
Compliance with the CIS Framework
The Center for Internet Security (CIS) publishes benchmarks of recommended security settings that harden servers and applications against attack while keeping them operationally usable. Healthdirect Australia wanted a solution that would help it maintain compliance with the CIS-based best practice audit framework, while providing easy-to-use reports for IT and management alike.
The Tenable Solution
Healthdirect Australia selected Tenable’s SecurityCenter Continuous View™ (SecurityCenter CV™). Tenable was the perfect fit for its cloud-based delivery model, giving the organisation the ability to deploy in the cloud and to cover both non-production and production systems with a continuous network monitoring strategy.
SecurityCenter CV provides continuous monitoring to identify vulnerabilities, reduce risk and ensure compliance through a unique combination of detection, assessment, reporting and pattern recognition across all network devices. SecurityCenter CV scales to meet the growing demand for monitoring virtualised systems, cloud services and the proliferation of devices, while supporting more technologies than any other vendor, including operating systems, network devices, hypervisors, databases, tablets, phones, web servers and critical infrastructure. SecurityCenter CV also receives daily updates to its plugin security checks.
The deployment of the Healthdirect Australia solution was unique, with both SecurityCenter CV and the Nessus® scanners deployed within the Amazon Web Services (AWS) cloud.
To help keep vulnerabilities to an absolute minimum, Healthdirect Australia requires that its non-production, pre-production and production environments all be scanned with Nessus on a very regular basis. All of the environments to be scanned are also hosted within the AWS cloud.
Healthdirect Australia currently scans its non-production environments on a weekly basis and its production environments on a nightly basis to ensure maximum coverage. A regular change control procedure between the organisation and AWS allows this to happen, establishing a standing change window for scanning in the early hours of the morning. A scan currently takes around 36 minutes to complete on the non-production environment, 22 minutes on the pre-production environment and 21 minutes on the production environment. A total of approximately 500 servers are scanned, and the number of servers is constantly increasing. Healthdirect Australia also relies upon Tenable’s solution to detect any malware that may be present.
Once vulnerabilities are detected, the IT team can elect to patch, apply a virtual patch, mitigate with compensating controls, or re-provision the server.
At a high level, Healthdirect Australia scans against known vulnerabilities and uses some of the standard out-of-the-box testing reports. This provides broad coverage: Healthdirect Australia follows a build guide so that it can leverage Tenable for scanning and reporting. The team identifies vulnerabilities and misconfigurations and remediates them as it goes, across more than 500 servers covering both production and non-production. Every morning, the security team can see what its posture looks like and how operations are addressing the outstanding issues.
Using Tenable’s SecurityCenter CV, Healthdirect Australia is meeting its CIS compliance objectives. Tenable Network Security has been certified by the Center for Internet Security to perform a wide variety of Unix, Windows and application-based audits against the best practice consensus benchmarks developed by CIS. SecurityCenter CV includes CIS compliance templates for ready-to-use reports that can be shared with the IT team as well as management.
Healthdirect Australia plans to use the Tenable Log Correlation Engine™ (LCE®) to refine its reporting and dashboard presentation, and to integrate it with its third-party log management tool for complete visibility.
*Healthdirect Australia Annual Report 2014-2015