This is a true story… about a breach that never happened.
It’s 2:00 AM at Glenview Hospital. Dr. Sami, the lone graveyard MD on floors four through six, is frantically visiting patients. His queue of patients waiting is growing faster than his queue of visited ones. He goes to prescribe Bactrim to Lenore in room 403 and can’t access her medical record to check for sulfa allergies. Epic, the patient record system, isn’t accessible. Lenore’s leg is swelling, Dr. Sami’s patient backlog is rising like Kanye’s anger level at an awards ceremony, and the post-op patient in 407 is screaming for meds.
When key systems aren’t available, lives are at stake. Families and caregivers have no sympathy when network performance is compromised by overloaded switches or brute-force breach attempts. Patients in hospitals, like bank customers or retail shoppers, expect technology to aid, not impede, access to critical services.
In today’s threat landscape, where cloud architectures and rapid DevOps iterations guarantee that new risks arise continuously, what’s a service provider to do?
Here’s what …
Imagine a cloud of apps, databases, storage arrays, and network gear so complex that a barnyard door is required to display its topology map. Now imagine that network is generating six figures of events per second from thousands of logs and machine metrics.
Welcome to a day in the life of the Glenview SOC.
Here’s why that breach never happened … When Dr. Sami first observed degraded performance in Epic, he was unaware that a complex chain of events had already been initiated to remediate the issue. What originated as a storm of access attempts from a hacker group in Bulgaria was detected, isolated, triaged, and cataloged before Lenore’s leg so much as twitched.
Thanks to AccelOps, the pattern of anomalous traffic levels from a “watch-listed” country and a known malicious domain targeting a vulnerable host triggered a series of rules; the resulting incidents generated notifications to the Epic service owner, the on-call network tech, and the SOC manager.
The smoking gun? A single hacked login used from multiple locations and different IP addresses within five minutes.
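The “smoking gun” rule above is a classic SIEM correlation: one account authenticating from several source IPs inside a short window. The following is an added example, not AccelOps code and not anything from Glenview; the log lines are constructed, the five-minute window comes from the story, and the usernames, IPs, and field layout are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real Glenview data).
# Each line is "timestamp,user,src_ip,result".
SAMPLE_LOG = """\
2015-03-02T02:00:05,dr.sami,10.20.4.15,success
2015-03-02T02:00:41,svc_epic,10.20.9.8,success
2015-03-02T02:01:10,svc_epic,203.0.113.77,success
2015-03-02T02:02:55,svc_epic,198.51.100.23,success
2015-03-02T02:03:30,nurse.kim,10.20.4.16,failure
2015-03-02T02:04:02,dr.sami,10.20.4.15,success
2015-03-02T02:12:00,svc_epic,10.20.9.8,success
"""

# Correlation window from the story: multiple locations within five minutes.
WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse the CSV-style log into (timestamp, user, ip, result) tuples, time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split(",")
        events.append((datetime.fromisoformat(ts), user, ip, result))
    events.sort(key=lambda e: e[0])
    return events


def find_shared_logins(events, window=WINDOW, min_ips=2):
    """Return {user: sorted list of IPs} for every account whose successful
    logins came from at least min_ips distinct source IPs inside one window.
    Failed attempts are ignored: the rule is about a credential that works."""
    by_user = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "success":
            by_user[user].append((ts, ip))

    hits = {}
    for user, logins in by_user.items():
        # Sliding window over this user's logins (already time-ordered).
        start = 0
        for end in range(len(logins)):
            while logins[end][0] - logins[start][0] > window:
                start += 1
            ips = {ip for _, ip in logins[start:end + 1]}
            if len(ips) >= min_ips:
                hits[user] = sorted(ips | set(hits.get(user, [])))
    return hits


if __name__ == "__main__":
    for user, ips in find_shared_logins(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT: {user} used from {len(ips)} source IPs within {WINDOW}: {ips}")
```

In the sample, `svc_epic` logs in from three different addresses in just over two minutes and is flagged; its later login at 02:12 from the original address falls outside the window and does not widen the hit on its own. A production rule would add a per-account allow-list for legitimate roaming (VPN pools, load balancers) and feed the alert into the same notification chain the story describes.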
Seconds after Dr. Sami’s Bactrim query slowed, three targeted firewall rules were updated, vulnerabilities were patched, access from breached privileged accounts was disabled, service was restored, and a knowledge article had been created to prevent the same issue from recurring. Thank you, AccelOps.
Most important, Dr. Sami wasn’t interrupted, Lenore’s leg never swelled, and room 407 got her meds on schedule.
These days, security event management is required more than ever, but it demands cross-correlation of security and performance data across logs, machine metrics, and configuration-change monitoring. Thousands of breach attempts are thwarted every day thanks to correlation plus analytics that make it easier than ever for SOC operators to investigate more incidents simultaneously.
I never would have known about Glenview or Dr. Sami or Lenore if my new friend Dave West, Glenview SOC team lead, hadn’t called to thank our product team. Dave, you’re a hero! Just don’t ask me to visit during the graveyard shift.