Mark Rein, senior director of IT at Mercy Medical Center in Baltimore, has to maintain a difficult balancing act: providing access to enterprise applications for 6,000 users with a wide variety of backgrounds and needs (doctors, residents, staff) while safeguarding sensitive data, such as patient records. So the health care provider turned to a next-generation firewall that can distinguish between the many types of applications that now run over HTTP and Internet connections, all sharing Port 80. (See Startup Puts New Spin on Firewalls and Palo Alto Networks Unveils its Next-Gen Firewall.)
"We now have a much clearer picture of what is happening on our network than we did before," Rein says.
Mercy Medical runs Palo Alto Networks' PA-4000 Series firewall, which is one in a series of new firewall devices that are changing the way that companies protect sensitive information. Traditional firewalls work at the network level and either allow or deny users access to all network resources. Newer devices, such as Palo Alto's, function at the application level and determine whether or not access should be granted based on the type of data moving from endpoint to endpoint. As a result, a company can provide users with access to one item but deny it to others.
The PA-4000 Series firewall examines information from more than 400 applications and network protocols, and its ability to perform deep packet inspection means the health care company is able to see what information users are accessing and how they are manipulating it.
Mercy Medical Center got a bit of a surprise when it installed the new security tool, however. It found that a few users with access to one application running on a server had figured out that they could work with other applications on that server as well, even though in some cases they were not authorized to. Perhaps more disturbing was that external users had more access than Mercy Medical realized: like many other enterprises, Mercy Medical Center had opened up its network to key third parties, such as medical suppliers, physicians, and insurance companies. "We were surprised at some of the information that our partners had access to," says Rein, who declined to provide additional details but noted that there were no HIPAA violations.
Mercy Medical Center had purchased the PA-4000 Series firewall in May to ensure those very types of holes were closed. "We were running into some capacity issues with our existing firewall [Cisco's PIX], and thought it was time to look and see what else was available," explains Rein. The Palo Alto product beat out security products from a handful of vendors, including Cisco and Juniper, because it offered more granularity than other firewalls, according to Rein, who had crossed paths with Palo Alto's founders in his previous positions.
Installation of the PA-4000 Series firewall went smoothly: the system was running within a few days after the purchase, and the health care provider was able to monitor voice over IP traffic with just a few modifications. Because Palo Alto is a startup company, it was open to Mercy Medical Center's suggestions on improvements to the product.
Once the new system was up, the security transgressions quickly came to a halt. And as part of its security examination, the health care company also installed more VPN connections for its users, and feels it is in a better position now to ward off viruses, malware, and denial-of-service attacks.
Mercy Medical Center currently is undertaking a comprehensive inventory of its users and their IT requirements. Rein's staff is working with users to determine which specific applications they need to access, so his team can sculpt more comprehensive policies for each department.
"Before, we were guessing about which applications users were working with. Now that we know, we want to make sure that employees have access to information needed to complete their jobs without raising any security concerns," says Rein.