Key Business Needs
McKesson needed a robust, scalable, and cost-effective vulnerability management system to pinpoint and prioritize vulnerabilities and risks, as well as ensure compliance of its acquisitions and integrated operations.
Tenable Products Selected
McKesson selected Tenable SecurityCenter™ integrated with the Nessus® vulnerability scanner, the industry standard, to gain a rapid, centralized view of vulnerability status across its vast global network.
This enhanced security process streamlined compliance reporting and ensured auditors have visibility into the vulnerability status of newly acquired and existing systems. As McKesson continues to grow by acquisition, Tenable's technology scales quickly and easily and helps the company continually identify and prioritize vulnerabilities and threats.
Founded in 1833, McKesson Corporation (NYSE: MCK) is the country’s oldest and largest health care organization, providing the products, technology and resources health organizations need to operate more effectively, reduce costs and enhance the level of patient care they deliver each day.
Headquartered in San Francisco, the company provides services to hospitals, physician offices, payers, pharmaceutical companies and other health care organizations. As part of its scope of business, McKesson provides one-third of all medications in North America and serves 100% of the top 25 health plans, 50% of hospitals and 20% of physicians in the U.S.
McKesson has over 76,000 employees and 50 worldwide offices, and with sales of $137 billion in fiscal 2014, it currently ranks number 11 on the Fortune 500 list. The company continues to expand its global footprint by acquiring up to ten new businesses each year, and its growing network of stakeholders is comprised of tens of thousands of customers, employees and partners around the world.
With each acquisition, McKesson must immediately pinpoint exposure – identifying and prioritizing the vulnerability, risk and compliance status of each new acquisition, as well as of its vast integrated network. In addition, the company must ensure compliance with a variety of core regulatory compliance initiatives, such as HIPAA, PCI, SOX, HITRUST, and FISMA. As a result, internal and third-party audits are frequent occurrences for McKesson’s security team.
“We’re a growth-by-acquisition kind of company, acquiring roughly five to ten new businesses every year,” said Eric Dixon, McKesson’s Information Security Manager. “A core part of my responsibility in the security division of McKesson is to understand how many new IT systems we’re inheriting − do they expose us to any new risks or vulnerabilities − and what kind of impact the acquisition will have on our compliance status.”
Recognizing its dynamic expansion would soon make its security and vulnerability assessment process unmanageable, McKesson began investigating best practices and technology solutions, including vulnerability management, to automate core facets of its security process and meet the demands of its aggressive growth strategy.
McKesson needed a robust, scalable, and cost-effective vulnerability management solution that could quickly and easily expand with each new acquisition.
As it searched for appropriate technology solutions, McKesson had three key business requirements:
- McKesson’s brisk growth required solutions that could scale just as quickly. With each new acquisition, the company needed an immediate and comprehensive snapshot of its system’s vulnerability, risk and compliance status.
- Robust Capabilities: All potential solutions required a dynamic feature set able to manage large-scale deployments and provide McKesson’s security team with fast and accurate results to save them time and expand their compliance and security capabilities.
- Cost effectiveness was another key requirement. McKesson’s continued growth was increasing its security costs, which could have spiraled out of control if not carefully monitored.
“The more the company grew, the more opportunities we saw to streamline and optimize our existing internal security process,” added Dixon. “By leveraging industry best practices and front-line security technology strategies, we would be able to build a new system that would benefit compliance, security, and our internal operations.”
After conducting a detailed and extensive evaluation of technology solutions, McKesson selected Tenable’s technology solutions and best practices to streamline and optimize its security process. Tenable’s SecurityCenter and the Nessus vulnerability scanner were deployed to provide enterprise-wide visibility and insight into vulnerability status, all from a single management console.
Tenable’s integrated approach to vulnerability management and assessment continues to meet all of McKesson’s top business requirements. The technology has given the healthcare giant a clear picture of its vulnerability status, along with actionable information that helps the security team prioritize known and emerging vulnerabilities on its broad network.
Since deploying Tenable’s industry-leading technology, McKesson has significantly expedited its track to meeting PCI compliance. The company’s internal teams are never caught off guard by findings from third-party auditors – in fact, they are aware of the results in advance, which gives them a valuable opportunity to quickly remediate any potential issues in accordance with PCI guidelines.
As an additional benefit, SecurityCenter provides detailed visibility into all of the company’s newly acquired businesses and quickly identifies fundamental administration issues.
“We have been able to use Tenable to demonstrate shortcomings or verify information from management consoles of other products, like antivirus and patch management tools,” said Dixon. “Tenable can provide answers that the other tools cannot provide – specifically hardware and software asset management.”
McKesson continues to use Nessus and SecurityCenter to uncover vulnerabilities across its network and ensure it meets key compliance initiatives on an ongoing basis. As part of its PCI compliance initiative, McKesson’s security team has been leveraging Tenable’s technology to pinpoint rogue personally identifiable information (PII) on endpoint systems.
“We’re in the process of creating a shortlist of systems that need to be investigated for PCI,” said Dixon. “Our daily scans enable us to quickly identify unencrypted social security numbers and credit card information on various systems — that helps us locate and prioritize risks to our compliance status.”