Learn why Tenable.sc and Tenable.io, both with Predictive Prioritization, are Sentara Healthcare’s choices for vulnerability management.
Sentara Healthcare, the largest health system in the state of Virginia, operates a complex technology environment with a mix of IT and operational technology assets and a user base that includes clinicians, administrators, third-party vendors and patients. And the environment is changing rapidly, as healthcare organizations like Sentara realize the value of digital transformation.
“The model is changing,” said Sentara CISO Dan Bowden in an interview during Tenable’s Edge 2019 user conference in Atlanta in May. “We see a future where at least half of our encounters with our patients will be of a digital nature. Meaning now, the threat surface and Cyber Exposure surface just changed drastically.”
And the organization’s exposure is not limited to the computing devices and applications used throughout the organization; it also includes the supervisory control and data acquisition (SCADA) systems supporting the organization’s operational technology (OT) infrastructure, which includes HVAC, refrigeration and entry systems. “If someone shuts down our HVAC systems due to some kind of a cyber attack, that could affect [the quality of] patient care and cause a lot of disruption to how we do business,” said Bowden.
Given the high volume of potential vulnerabilities the organization faces on a daily basis, knowing which to patch first is a key challenge. “Being able to prioritize what we work on in terms of vulnerabilities and threats is crucial,” said Bowden. “There's this constant churn of awareness and stress over deciding ‘well, what do we patch first?’”
Putting Predictive Prioritization to Work
The organization uses Tenable.sc on premises and Tenable.io in the cloud for vulnerability management and has been putting the Predictive Prioritization capabilities to use in identifying which bugs to address first.
Predictive Prioritization, introduced in February 2019, combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a Vulnerability Priority Rating (VPR) for each vulnerability.
“Predictive Prioritization can help you understand, ok, of all those ‘critical’ vulnerabilities, maybe 80 percent have never been exploited and there's no discussion about those out on the Dark Web or through threat intel sources,” said Bowden.
Having more context about the real-world threat potential of each vulnerability improves the level of communication between Bowden’s security team and their IT colleagues who are responsible for patching. “We can't dump [a] list of 10,000 [vulnerabilities] on the IT team and expect them to engage with us,” said Bowden. “If I give them a list of a couple hundred? […] They'll engage. They'll help us. The application teams will help us. The benefit of Predictive Prioritization is, it sets the context of a discussion, where people actually want to be part of that story of how risk got managed and vulnerabilities were addressed.”
The benchmarking data available from Predictive Prioritization and the VPR score also give Bowden the data points he needs to communicate with C-level executives, the board and business-side colleagues about the potential impact of cybersecurity threats. “A benchmark is worth a thousand words,” said Bowden. “It gives some clarity to the discussion [...] the security team [...] can feel comfortable that they gave good data, that it was understood because [they] spoke it in the language that the leaders of the organization understand and they help own the message, and I think, then, [they] also help own the accountability for the security program.”
Even in an organization like Sentara, where Bowden said the leadership is highly supportive of cybersecurity efforts, the context and clarity provided by Tenable’s tools help ease communication between infosec and business stakeholders. “If I just show them ‘hey, we've got all these thousands of critical vulnerabilities and all of it's important,’ they don't know my job at a detailed enough level to know how to help me, even though they want to,” he explained. “In the climate today, there's so much focus from society about companies doing better managing risk, every leadership team and every board in every organization wants to be part of the story of fixing the problem. If you can give them good data about exposure, which things do we really need to do, they understand the data, they can relate to the data. They want to be part of the story to help you solve the problem and manage risk better.”