Ballad Health’s network includes IT, internet of things and operational technology assets used by staff, practitioners and clients across 21 sites. Here’s how it’s using Tenable.sc to find and fix vulnerabilities.
Ballad Health is an integrated healthcare system serving 29 counties of Northeast Tennessee, Southwest Virginia, Northwest North Carolina and Southeast Kentucky. The organization, formed in 2018 as the result of a merger, operates a family of 21 hospitals, medical centers, care facilities and pharmacies throughout the region.
The organization’s network accommodates some 19,000 employees plus guest users and spans a variety of IT, internet of things (IoT) and operational technology (OT) assets, including biomedical devices and industrial control systems. Protecting these devices and applications falls to IT Security Engineer Michael Birchfield and his team.
“There's a lot of different pieces to the puzzle,” said Birchfield in an interview with Tenable during the Edge 2019 User Conference in May. “It's one thing that you have servers, it's one thing that you have network equipment and another that you have endpoints — whether they be PCs, laptops, remote users — but there's also the IoT devices.” In addition, the organization provides connectivity for patients and visitors so they can use their devices in the facilities.
In such a complex attack surface, the number one challenge is “knowing what you have versus knowing what you think you have,” said Birchfield.
Ballad uses Tenable.sc (formerly SecurityCenter) to help resolve this challenge. Birchfield highlighted the platform’s discovery scanning functions, particularly the ability to scan actual subnets versus relying on manual entry. “You may see double the amount of stuff on your network than you thought you initially had from conversations with staff and your analysts,” he said.
For example, said Birchfield, “Say you had 30,000 devices you thought you were worried about and then you find out you have 60,000. That just shows you why you needed this product, because no one else thought you had that and this just generated a report showing it.”
The reporting available in Tenable.sc enables Birchfield to drill down into the data to see what those previously undiscovered things actually are. From there, he’s able to find out who owns the various assets. Hint: it’s not always IT. In some cases, the discovery turns up biomedical devices, IoT devices or even gadgets a staffer may have brought into their office without telling anyone.
It can be too easy for these non-IT devices to be overlooked at remediation time. “If 20 percent of the stuff you didn't manage shows up on this report, who do you go to to solve that problem?” said Birchfield. “It may not be IT at all. It may be a totally different organization in the group or in the company … for us, it's very important to show that all of these things exist and, if it's not in IT, [to figure out] who does it belong to and are they responsible for patching it and keeping it up to date?”
‘It Makes Non-IT People Understand Why This Is Important’
Having detailed reports to point to has an added bonus: it “makes non-IT people understand why this is important,” Birchfield said. This is useful not only for communicating amongst teams but also for sharing information with the C-suite and the board.
The reporting capabilities of Tenable.sc also help the IT team stay on track with patching, explained Birchfield. “If IT is managing this whole network infrastructure and everything plugged into it [and] you have a group of 20 percent of your assets out there are not IT and they're not in your vulnerability management program.” The question then becomes: who is responsible for the patch cycles for this portion of assets?
Tenable.sc gives the teams a source of clarification to resolve miscommunications that can arise when a practitioner claims they’ve patched something but it’s still showing up in a vulnerability report. “In the past, that would be a discussion where you just went back and forth [without resolution]” said Birchfield. “Well, today, in Tenable, you can actually go in and show, ‘yes you patched it, but the reason it's showing up is because of this piece right here.’ You can drill down into the vulnerability and it will tell you, ‘hey, you need to configure this. This is a registered change.’ So not only do you patch it, but you have to make this change to make it acceptable.”
Birchfield noted that, in most of these cases, it turns out that people did the right thing but didn't know there was a second step to the patch. “In the past, I don't think that was ever picked up on,” he said. “People applied the patch and moved on and [if there were] things that needed manual entry, they just didn't know what needed to be done, so they were still vulnerable.”
Customized Reports Help Improve Communication
The ability in Tenable.sc to customize reports and dashboards to different audiences is also an advantage for Birchfield. “I don't want to send somebody something that I know they're never going to look at. If it takes too long and it's too congested, they're not going to spend time on it,” said Birchfield. “But if I give them something that really tells them what they need to focus on, and it only takes two or three minutes for them to figure that out, that's important and that's powerful because they can see right away where they are, where they need to be and what exactly it is they need to fix in order to address that issue. That's very important for me because I know they'll do it if it's something I can give them that's easy to read.”
Birchfield said he’s not yet used the Vulnerability Priority Rating in Tenable.sc but it “looks fantastic.” VPR, a new capability introduced this year in Tenable.sc and Tenable.io, is the output of Tenable’s new Predictive Prioritization offering. Introduced in February 2019, Predictive Prioritization combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a VPR for each vulnerability.
“Today, I'm showing people what all needs to be done, and they're looking at it going … ‘Which ones do I start with?’ ” said Birchfield. “Well, now I can tell you.”
Tenable interviews Michael Birchfield, IT Security Engineer with Ballad Health, at our Edge 2019 user conference: