Gateway Secures Web 2.0 Initiative

Sept. 23, 2009

Concerned about malware and other security issues, Health First settled on a solution that allows IT to set granular, flexible Internet usage policies for devices, as well as specific users and groups.

Leaders at Health First, a Florida-based not-for-profit healthcare organization, thought that Web 2.0 had the potential to offer new ways to communicate with patients, employees and potential new patients. Protecting sensitive patient data and the integrity of the organization, however, was a paramount consideration and staff worried that opening access without the right security, policies and planning could be disastrous – because Web 2.0 sites are a top target of cybercriminals and a major source of data loss if not managed properly.

“In order to let our employees visit these (social networking) sites, we needed a Web security gateway solution that sits inline in the network stream and is able to look at the specific content on the page in real time.”

Just a few years ago, IT managers at healthcare organizations could simply use Web security and filtering solutions to set strict policies blocking employees from nearly all outside Internet access. The risks posed by the Web – such as an employee accidentally introducing malware or a virus onto the corporate network or viewing inappropriate information – were greater than the benefits of allowing Internet access. Today, however, with the introduction of Web 2.0 technologies like cloud-based services, social networking sites, and new collaboration and communication tools, the closed environment can be unrealistic and can hinder business process.

“Web 2.0 can help our organization stay ahead of the technology curve, but jumping in without a plan in place was not an option,” says Christi Rushnell, Health First vice president, information technology and strategic services. “Protecting patient and personally identifiable information – both because it’s our corporate responsibility and also to meet compliance regulation standards like HIPAA and the HITECH Act – is our first priority, and so having the right security in place was our number one concern before opening access to Web 2.0.”

Health First IT and security management teams were approached by different groups throughout the organization about enabling access to tools like social networking sites to extend their communication on a real-time basis as a cost-effective marketing tool. Additionally, Health First was running out of room in its data center and so staff began to move systems traditionally managed onsite to the cloud, such as transcription services and enterprise-wide patient scheduling.

The Health First network includes three hospitals, the county’s only trauma center, fitness centers and an aging institute, among other services. With more than 6,000 Internet-connected devices throughout the organization and thousands of employees with different roles, one of the most critical challenges to opening access to Web 2.0 was to find a security solution that would allow IT to set granular, flexible Internet usage policies for devices, as well as specific users and groups within the organization. Health First wanted to set policies that could, based on an employee’s role, control how much access that person had to Web 2.0 sites, how much time they could spend on those sites, what level of access they could have to sensitive corporate information and even what they could do with that information.

Flexibility for Different Needs

“We needed a flexible solution that would provide our marketing team, for example, with access to YouTube to create and promote videos on new services we provide and to access our Facebook fan page, or allow our nurses and doctors to access the cloud-based patient care applications we use,” says Rushnell. “But we also needed the flexibility to ensure that a machine in an openly accessible area was secured from allowing people to go to places on the Web that would violate policies or put the organization at risk.”

Another problem Health First faced was that Web 2.0 sites present an emerging vector for malware and other data-stealing attacks. Cybercriminals are increasingly infecting sites that enable user-generated content such as blogs and Twitter, with malicious content. Recent research also shows that 57 percent of data-stealing attacks are coming over the Web. Health First found that traditional security solutions were not up to the task of protecting against Web 2.0 attacks and inappropriate content.

“Web 2.0 has quickly diminished the effectiveness of traditional security solutions like signature-based antivirus and traditional URL filtering, because it’s dynamic and constantly changing,” says Frank Waszmer, Heath First information security architect. “Reputation-based security is also not enough, as Web 2.0 sites generally have a “good” reputation.

“Places like news sites, Google and social networking sites have great reputations but, today, it’s often these legitimate sites that are targeted. In order to let our employees visit these sites, we needed a Web security gateway solution that sits inline in the network stream, is able to look at the specific content on the page and then prevent the malicious elements from being accessed.”

Another requirement was the ability to look at encrypted secure socket layer (SSL) streams. Waszmer noticed an increased amount of malicious traffic set up through SSL sessions. Without being able to see into the traffic streams, Waszmer worried that data-stealing malware could make its way into the network.

Health First selected Websense Web Security Gateway as a tool to enable employees to safely access Web 2.0. Waszmer designed a deployment strategy to help minimize installation time. To redirect HTTP and HTTPS Web traffic to the gateway, he deployed the system in what is called a “transparent proxy,” utilizing the WCCP protocol. The majority of time spent on this project has been around fine-tuning Web-use policies and working with the different departments to provide greater control and feedback.

Policies Drive Compliance

Health First currently has five global policies that govern where and how people can use and interact with the Internet and Waszmer has created more than 20 specialized policies around Web use to provide greater protection for key areas.

“Today, we are able to set Web-use policies around users, groups and devices,” Waszmer notes. “Because of the flexibility of the secure Web gateway and the reporting and policy infrastructure we have created, we have been able to roll out access to different Web 2.0 sites to the groups and specific people that need it.

“Additionally, one of the unique benefits about the solution is that it classifies specific content on Web sites in real time. So, if it classifies a Web page that has some business benefits but also contains some content that violates a policy, the solution will block just that one portion of the page.”

Health First uses the gateway as part of a layered security approach that involves technology, investigation, and awareness and education. “With our strategy and technology in place, I’m able to run reports on Web use, see malicious or inappropriate sites employees have attempted to access, and use the reports to better educate Web users and gain a greater understanding of how Web 2.0 sites can be used throughout the organization,” says Waszmer. “Additionally, the reports allow my team to quickly respond to security events. With visibility into the systems, we’re able to stay ahead of the threats before they become a problem.”

“Today, healthcare IT managers and CIOs need to be an active part of the solution to balance the business needs of Web 2.0 adoption with security,” says Rushnell. “Web 2.0 is here and only going to become a larger part of our business, so my greatest advice to other healthcare organizations thinking about enabling Web 2.0 is that they need to anticipate the changes in the business and adjust, actively taking steps to secure Web 2.0 use.”

From the catalog

According to Websense Web Security Gateway allows organizations to secure Web traffic effectively while still enabling the latest in Web 2.0 tools and applications. Through a real-time content-classification engine, the gateway analyzes Web traffic on the fly, instantly categorizing new sites and dynamic content, proactively discovering security risks, and blocking dangerous malware. Backed by Websense ThreatSeeker Network technologies, Web Security Gateway provides advanced analytics – including rules, signatures, heuristics and application behaviors– to detect and block proxy avoidance, hacking sites, adult content, botnets, keyloggers, phishing attacks, spyware and many other types of unsafe content.

For more information on
Websense solutions:

Sponsored Recommendations

Patient Engagement and ML/AI – Modern Interoperability as an enabler for value based care

Discover how modern interoperability empowers patient engagement and leverages ML/AI for better outcomes in value-based care. Join us on June 18th to learn how seamless data integration...

The Crushing Weight of Healthcare Cloud Compliance & Security Debt: Perspectives & Strategies

Discover how to navigate the pressing challenges of healthcare cloud compliance and security. Join industry experts as they unveil key insights and actionable strategies to break...

Telehealth: Moving Forward Into the Future

Register now to explore two insightful sessions that delve into the transformative potential of telehealth and virtual care management solutions.

Telehealth: Moving Forward Into the Future

Register now to explore two insightful sessions that delve into the transformative potential of telehealth and virtual care management solutions.