Glenview Hospital: The Breach That Didn't Happen

This is a true story… about a breach that never happened.

It’s 2:00 AM at Glenview Hospital. Dr. Sami, the lone graveyard-shift MD on floors four through six, is frantically visiting patients. His queue of patients waiting is growing faster than his queue of patients seen. He goes to prescribe Bactrim to Lenore in room 403 and can’t access her medical record to check for a sulfa allergy: Epic, the patient record system, isn’t responding. Lenore’s leg is swelling, Dr. Sami’s patient backlog is rising like Kanye’s anger level at an awards ceremony, and the post-op patient in 407 is screaming for meds.

When key systems aren’t available, lives are at stake. Families and caregivers have no sympathy when network performance is degraded by overloaded switches or brute-force intrusion attempts. Patients in hospitals, like bank customers or retail shoppers, expect technology to aid, not impede, access to critical services.

In today’s threat landscape, where cloud architectures and rapid DevOps iteration guarantee that new risks arise continuously, what’s a service provider to do?

Here’s what …

Imagine a cloud of apps, databases, storage arrays, and network gear so complex that a barnyard door is required to display its topology map. Now imagine that network generating six figures of events per second from thousands of logs and machine metrics.

Welcome to a day in the life of the Glenview SOC.

Here’s why that breach never happened. When Dr. Sami first observed degraded performance in Epic, he was unaware that a chain of events had already been set in motion to remediate the issue. What originated as a storm of access attempts from a hacker group in Bulgaria was detected, isolated, triaged, and cataloged before Lenore’s leg so much as twitched.

Thanks to AccelOps, the pattern of anomalous traffic levels from a “watch-listed” country and a known malicious domain targeting a vulnerable host triggered a series of rules. Those rules generated incidents, and the incidents generated notifications to the Epic service owner, the on-call network tech, and the SOC manager.

The smoking gun? A single compromised account authenticating from multiple locations and different IP addresses within five minutes.
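The “smoking gun” rule above is a sliding-window check over successful authentication events: one account, several source addresses, several geographies, all inside five minutes. The following is an added example written for this post; it is not AccelOps code and not a Glenview rule. The log line format, the field names, the `geo` tag, the country watch list and the TEST-NET addresses in the sample are all constructed assumptions. It also escalates severity when one of the locations is on the watch list, which ties the “watch-listed country” signal from the story into the same rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample authentication events (not real Glenview or Epic logs).
# The line format and field names are assumptions for this example; the
# public addresses come from the TEST-NET ranges reserved for documentation.
# Events must be in time order, as they would be when streamed from a collector.
SAMPLE_LOG = """\
2014-03-02T02:00:01Z LOGIN_OK   user=rjones src=203.0.113.17 geo=US
2014-03-02T02:00:40Z LOGIN_OK   user=dsami  src=10.20.5.88   geo=US
2014-03-02T02:01:15Z LOGIN_OK   user=rjones src=198.51.100.3 geo=BG
2014-03-02T02:03:02Z LOGIN_OK   user=rjones src=198.51.100.8 geo=BG
2014-03-02T02:03:30Z LOGIN_FAIL user=rjones src=198.51.100.9 geo=BG
2014-03-02T02:09:00Z LOGIN_OK   user=dsami  src=10.20.5.88   geo=US
2014-03-02T02:20:00Z LOGIN_OK   user=rjones src=203.0.113.17 geo=US
"""

WINDOW = timedelta(minutes=5)
WATCHLIST = frozenset({"BG"})  # assumed "watch-listed" countries for the example

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>LOGIN_OK|LOGIN_FAIL)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+geo=(?P<geo>\S+)$"
)


def parse_event(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect_shared_account(lines, window=WINDOW, min_ips=2, min_geos=2, watchlist=WATCHLIST):
    """Raise one alert per account per window when that account logs in
    successfully from at least `min_ips` distinct addresses spanning at least
    `min_geos` distinct geographies inside `window`."""
    recent = defaultdict(deque)  # user -> successful logins still inside the window
    last_alert = {}              # user -> time of the last alert, to suppress repeats
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event"] != "LOGIN_OK":
            continue  # failed attempts belong to a brute-force rule, not this one
        user, now = ev["user"], ev["ts"]
        q = recent[user]
        q.append(ev)
        while now - q[0]["ts"] > window:  # drop logins that have aged out
            q.popleft()
        ips = {e["src"] for e in q}
        geos = {e["geo"] for e in q}
        if len(ips) < min_ips or len(geos) < min_geos:
            continue
        if user in last_alert and now - last_alert[user] <= window:
            continue  # already raised for this window; do not storm the SOC
        last_alert[user] = now
        alerts.append({
            "user": user,
            "at": now.isoformat(),
            "ips": sorted(ips),
            "geos": sorted(geos),
            "severity": "high" if geos & watchlist else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_shared_account(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the rule fires once for `rjones` at 02:01:15 with severity high (US plus a watch-listed BG address inside two minutes); the later BG login at 02:03:02 is suppressed as part of the same window, the failed attempt is ignored, and `dsami` never trips it because both of his logins come from one address. The per-account deque keeps the check O(1) amortized per event, which matters at the six-figure events-per-second rate the post describes. The response actions in the story, disabling accounts and rewriting firewall rules, should be gated on the high-severity path rather than on a bare multi-IP match: a false positive that locks out a clinician at 2 AM is itself an availability incident.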

Seconds after Dr. Sami’s Bactrim query slowed, three targeted firewall rules were updated, vulnerabilities were patched, access from the breached privileged accounts was disabled, service was restored, and a knowledge article was created to prevent the same issue from recurring. Thank you, AccelOps.

Most important, Dr. Sami wasn’t interrupted, Lenore’s leg never swelled, and room 407 got her meds on schedule.

Security event management is needed more than ever, but doing it well requires cross-correlation of security and performance data across logs, machine metrics, and configuration change monitoring. Thousands of breach attempts are thwarted every day thanks to correlation plus analytics that make it easier than ever for SOC operators to investigate more incidents simultaneously.

I never would have known about Glenview, Dr. Sami, or Lenore if my new friend Dave West, Glenview SOC team lead, hadn’t called to thank our product team. Dave, you’re a hero! Just don’t ask me to visit during the graveyard shift.

Authors

Marta Stone


About AccelOps

AccelOps provides the leading IT operations analytics platform for the modern data center. The virtual appliance software monitors security, performance and compliance in cloud and virtualized infrastructures, all from a single screen.

AccelOps automatically discovers, analyzes and automates IT issues in machine and big data across organizations’ data centers and cloud resources, spanning servers, storage, networks, security, applications and users. AccelOps’ patented analytics engine with cross-correlation and statistical anomaly detection sends real-time alerts when deviations occur that indicate a security or performance-impacting event.

The AccelOps platform scales seamlessly and provides unmatched delivery of proactive security and operational intelligence, allowing organizations to be more responsive and competitive as they expand their IT capabilities.
