This document discusses successfully creating an IT service at Mercy Health to address organizational challenges and compliance needs. It describes implementing Tripwire Enterprise for change detection and monitoring to gain visibility into their IT environment, validate approved changes, and produce reports for audits. This improved governance of controls, reduced audit findings, and provided a key strategy for their security operations center and PCI compliance efforts. Going forward, Tripwire will help address other regulatory needs and expand its use for security configuration management.
2. Agenda
Introduction
Mercy Health (Who we are)
Organizational/Operational Challenges
Business Case and Implementation Methodology
Present and Future
Questions
9/6/2018 2
3. Introduction
Dieu Tran – Executive Director, IT Business Risk Services and Analytics (Mercy Health)
Designations – CISA, CISSP, GSNA, CRISC, CRMA, GISF, PCI-ISA
Jody Howard – Manager PCI Compliance (Mercy Health)
Senior IT Architect
4. Mercy Health (Who we are)
5th Largest Catholic Healthcare System in the US
~$5.5 Billion in Annual Revenue
30 acute care hospitals
11 Specialty Hospitals (Heart, Children's, Rehab and Ortho)
Virtual Care center
Over 800 Clinics, Physician Practices and Outpatient Facilities
Operates in a seven-state area encompassing Missouri, Arkansas, Oklahoma, Kansas, Louisiana, Mississippi and Texas
~44,000 co-workers and over 2,100 physicians
5. Challenges
Organizational
◦ Establishing compliance culture – history of audit findings
◦ Leadership (External Audit)
◦ Security Concerns
◦ Complex and Challenging Technical Environment
◦ Staffing
Operational Challenges
◦ IT burdened with ad hoc data requests
◦ Data Integrity, Incomplete data, duplicate requests
◦ Difficult to review results and ensure consistency
◦ Unclear process
◦ Unclear accountability
Change
◦ New/changing regulatory and compliance requirements (External Auditors, PCI, and HIPAA Security/Privacy)
◦ Governance
6. Business Case and Implementation Approach
Business Case
Savings (time and money)
Successful audit and compliance efforts
Reporting to support controls in place
Governance of controls
Implementation Approach
Prioritize
Engage owners early
Define reporting needs
Training
8. Process
Change Management Process
◦ Reinvigorated need for approvals prior to modifications
◦ Clarified definition of a “change”
Governance
◦ Senior Management review and approval for each change to the monitoring profile once in production
◦ Clear communication on additional volume of work created
◦ Opportunity to focus on groups that were less compliant
Monitoring rules
◦ Accepted Tripwire as a recognized expert and used the published rules as often as possible (OS, database …)
◦ Avoided the historic pitfall of internal debates over the merits of monitoring critical items
9. People
Policy created to support effort
◦ Initially Change Management
◦ Added PCI compliance as Tripwire became viewed as critical success factor
Meetings with technical teams
◦ Often “selling” effort one person at a time
◦ Open and honest discussions
◦ Focus on real purpose of monitoring
Auditing
◦ Remediation notes
◦ Change orders
◦ Matching criteria
10. Technology
Integration into ITSM Tool
◦ Used to validate approved change orders
◦ Remediation becomes component of daily routine obligations
◦ Change detection, File integrity monitoring and Vulnerability Notifications
Rule Tuning
◦ Focus on most critical elements leveraging data analytics
◦ Often used features to identify “normal” activity limited to a specific account to reduce the volume of alerts
Reporting
◦ Reporting to application owners during rule development phase
◦ Reporting attached to each incident showing the details of modifications
◦ Reporting to Governance group for volume of activity
◦ Reporting to internal auditors to demonstrate good faith effort and help focus auditing efforts
11. Present and Future
Present
Tripwire Enterprise change detection viewed as a key strategy for SOC, PCI and commercialization efforts
Expansion from Change Detection to also include File Integrity Monitoring and Threat Detection
Visibility and monitoring for Epic Financial data
Better visibility and governance around change management
Reliable IT Environment around financial reporting
Reporting to support controls in place
Future
Using for other regulatory compliance needs
Security Configuration Management
13. #1: Secure PHI
Detection and alerts on all changes to established baseline—what, who, and business context
Detect unauthorized changes on critical assets and EHR systems
Extensive library of security configuration best-practices to establish and monitor configurations
Assess configurations against security policies
Discover assets, vulnerabilities and malicious changes, and help automate the workflow and process of remediation
Identify risk on critical assets and EHR systems
End-to-end visibility: discovery, inventory, and change data for all your critical assets and EHR systems
Know what’s happening in your environment
14. #2: Achieve Compliance
Out-of-the-box audit report templates, and automated compliance reporting
Reduce the time spent on compliance
Continuous monitoring and reporting identifies remediation to stay compliant
Maintain compliance over time
Industry’s most comprehensive library of policy tests for all major standards
Demonstrate compliance with standards: HIPAA, PCI, NIST and many more
Logging of changes to in-scope assets with details on who and when
Produce data for audits and for forensics
15. #3: Address the Skills Gap
Integrity monitoring and change audit to find root cause
Ensure system availability and speed up investigation
Integration with ITSM to tell authorized from unauthorized changes
Validate changes and reduce unplanned work
Real-time change detection—what, who, when and what it means
Control changes that compromise systems
Automate manual processes associated with dealing with change—isolate and escalate changes and events of interest
Deal with security data overload
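The ITSM integration described on the Technology slide (validate approved change orders, tune out “normal” activity limited to a specific account, attach the details of each modification to the incident, and report volume to the governance group) and restated on this slide as “tell authorized from unauthorized changes”, worked through as an added Python example. This is not Tripwire’s or Mercy Health’s code: the event, change-order and tuning-rule record shapes, the hostnames, the ticket id and all sample data are constructed assumptions; a real deployment would read change events from Tripwire Enterprise and change orders from the ITSM tool in their own export formats.

```python
"""Reconcile detected changes against approved change orders and tuning rules.

Added example, not Tripwire's or Mercy Health's code. The record shapes,
hostnames, ticket ids and sample events below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class ChangeEvent:
    """One detected change (assumed shape; a real feed would come from Tripwire Enterprise)."""
    host: str
    path: str
    account: str
    when: datetime
    kind: str  # "added", "modified" or "removed"


@dataclass(frozen=True)
class ChangeOrder:
    """An approved change order (assumed shape; a real one would come from the ITSM tool)."""
    ticket: str
    hosts: FrozenSet[str]
    start: datetime
    end: datetime
    implementers: FrozenSet[str]


@dataclass(frozen=True)
class NormalActivityRule:
    """Tuning rule: activity by one account under one path prefix is expected on these hosts."""
    account: str
    path_prefix: str
    hosts: FrozenSet[str]


def classify(event: ChangeEvent, orders: Iterable[ChangeOrder],
             rules: Iterable[NormalActivityRule]) -> Tuple[str, str]:
    """Return (status, evidence). Matching criteria: host, approved window, implementing account."""
    for order in orders:
        if (event.host in order.hosts and order.start <= event.when <= order.end
                and event.account in order.implementers):
            return "authorized", order.ticket
    # Tuning rules are scoped to account AND path prefix AND host, so a known service
    # account touching something outside its normal path still raises an alert.
    for rule in rules:
        if (event.account == rule.account and event.host in rule.hosts
                and event.path.startswith(rule.path_prefix)):
            return "expected", f"rule:{rule.account}:{rule.path_prefix}"
    return "unauthorized", "no matching change order"


def reconcile(events, orders, rules) -> List[dict]:
    """One row per event carrying the detail attached to the incident (what, who, when, status)."""
    rows = []
    for ev in events:
        status, evidence = classify(ev, orders, rules)
        rows.append({"host": ev.host, "path": ev.path, "account": ev.account,
                     "when": ev.when.isoformat(timespec="minutes"), "kind": ev.kind,
                     "status": status, "evidence": evidence})
    return rows


def volume_summary(rows: List[dict]) -> Counter:
    """Counts by status, the activity-volume figure reported to the governance group."""
    return Counter(r["status"] for r in rows)


def unauthorized_incidents(rows: List[dict]) -> List[dict]:
    """Rows that need a remediation note or a retroactive change order."""
    return [r for r in rows if r["status"] == "unauthorized"]


# Constructed sample data (hostnames, ticket id and accounts are invented).
T = datetime
SAMPLE_ORDERS = [
    ChangeOrder("CR-1001", frozenset({"db01"}), T(2018, 9, 6, 2, 0), T(2018, 9, 6, 4, 0),
                frozenset({"dba_jsmith"})),
]
SAMPLE_RULES = [
    NormalActivityRule("svc_app", "/var/lib/app/cache/", frozenset({"web01"})),
]
SAMPLE_EVENTS = [
    ChangeEvent("db01", "/etc/my.cnf", "dba_jsmith", T(2018, 9, 6, 2, 30), "modified"),      # in window
    ChangeEvent("db01", "/etc/my.cnf", "dba_jsmith", T(2018, 9, 6, 5, 15), "modified"),      # after window
    ChangeEvent("web01", "/var/lib/app/cache/idx", "svc_app", T(2018, 9, 6, 10, 0), "added"),  # tuned out
    ChangeEvent("web01", "/etc/passwd", "svc_app", T(2018, 9, 6, 10, 5), "modified"),        # outside prefix
    ChangeEvent("pos01", "/opt/pos/config.ini", "root", T(2018, 9, 6, 11, 0), "modified"),   # no CR at all
]
SAMPLE_ROWS = reconcile(SAMPLE_EVENTS, SAMPLE_ORDERS, SAMPLE_RULES)

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(f"{row['status']:<12} {row['host']} {row['path']} by {row['account']} "
              f"at {row['when']} ({row['evidence']})")
    print("volume:", dict(volume_summary(SAMPLE_ROWS)))
```

Two details reflect the slides rather than convenience: a change order only matches when the host, the approved window and the implementing account all agree, so the same DBA editing the same file an hour after the window closes is still flagged; and a tuning rule is limited to one account on named hosts under one path prefix, so the service account’s cache writes are suppressed while its edit to /etc/passwd is not.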
18.
Lack of Visibility to Security Posture of Critical Assets, including EHR Systems
Lack of Resources to Combat Growing Cyberattacks against Healthcare
Maintaining and achieving compliance with HIPAA/HITRUST/NIST is time consuming
Tripwire Enterprise EHR monitoring solution provides a detailed understanding of good vs. bad changes on all critical assets and EHR systems
Tripwire Enterprise helps you achieve and maintain compliance with HIPAA, NIST, PCI and other security controls, with audit-ready evidence
Assess on-premise, virtual and cloud assets in a single product. Integrate with CMDB tools.
Managed services to supplement your team
19.
Advanced vulnerability risk scoring and prioritization helps you focus on the most critical vulnerabilities.
Prioritize changes in Tripwire Enterprise based on risk
Industry’s most robust risk scoring algorithm helps you accurately assess vulnerabilities in your environment
Comprehensive discovery and profiling of all assets on your network to help you quickly identify vulnerabilities on your network.
Limited Resources, Infinite Vulnerabilities
False Positives Waste Everyone’s Time
Lack of visibility to devices on my network