Central Oregon Radiology Associates, Cascade Medical Imaging and Central Oregon Magnetic Resonance Imaging collectively exist to provide the full scope of quality diagnostic imaging services to the Central and Eastern Oregon communities.
They support more than 8,000 referring physicians across more than 50 locations and perform more than 400,000 studies a year, with CORA serving as the PACS (picture archiving and communication system) platform for all of those services, providers and locations.
When Richard Stepanek joined CORA in January 2020 as CIO, his charge was to add focus to the security posture of the organization and ensure it was well positioned to support its PACS customers, radiologists and, of course, patients. And to do it as economically as possible – not a surprise to a healthcare CIO.
“This meant we needed to focus on security, business continuity, disaster recovery and keeping the lights on,” he explained. “With this wide-ranging imaging network and limited CORA staff to manage and monitor the exchange of images along with the related patient information, we needed better insight into all facets of what was happening.”
With all of the cyberattacks targeting healthcare, security was a primary driver at CORA.
“We knew we couldn’t hire enough staff to fill out a security team, so we needed the right tools and services to add robustness to our stack,” Stepanek said. “When you’re sitting on top of more than half a million patient records and millions of sensitive images, you have to make sure you’re taking all the steps necessary to protect them.
“Security needs to thread through everything we consider for our organization,” he continued. “We needed a tool to extend the capabilities of the team, but also filter out noise so they could focus on what really matters to protect our critical data.”
To meet these needs, CORA turned to ExtraHop, a security company focusing on cloud-native network detection and response.
“We needed to improve our coverage to 24/7 and add the insight of a SIEM,” said Stepanek. “I started with the notion of outsourcing the whole thing to an MSSP. The price tags were shocking, truly an outsized spend for our operation.
“We quickly realized in the first couple of proposals that the costs were well beyond what we could bear,” he added. “Plan B was to build out a hybrid approach where we equipped my team with the right tools and hired someone to provide that after hours perimeter coverage.”
Stepanek had prior experience with ExtraHop’s network detection and response (NDR) solution and reached out to his former account executive. Once he was connected with the vendor team for his part of the country, they quickly got to building out a proof of concept.
“It was only a matter of a couple of weeks and we had an operational platform in our data centers,” he recalled. “The learning curve is much longer, but the system was finding opportunities for us almost right out of the box.
“One of my favorite things about the vendor is how it is willing to back its product, and you get to try before you buy,” he added. “Try that with many of the other SIEM vendors. We were able to see in very short order the potential of ExtraHop. We also opted for the DICOM module given our line of business and quickly found utility with that functionality.”
Stepanek said the vendor team came in and understood these constraints, helping him break down silos and solve the challenges his team was facing.
“My team was fascinated with the newfound capability to see our network like we never had before, including the medical Internet of Things, DICOM-specific traffic and all the other hidden gems you find when you can see into the traffic across your networks: Where the data is going, where it is coming from, who is moving it, and is it safe?” he noted.
“I can’t argue with ExtraHop’s statement, ‘The network doesn’t lie,’” he continued. “Deploying ExtraHop Reveal(x) sensors as virtual appliances allows us to passively, out of band, acquire insight into virtually all of our network traffic. Performance hasn’t been an issue even with the terabytes of data we move daily.”
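The DICOM visibility described in the two quotes above rests on one handshake: every DICOM session opens with an A-ASSOCIATE-RQ PDU that names the calling and called application entities (AE titles) and the services (abstract syntaxes) the client wants, so a passive sensor can see who is moving images where before a single image crosses the wire. The parser below is an added example written for this page, not ExtraHop's or CORA's code. It follows the PDU layout in DICOM PS3.8; the AE titles, the allow-list of known callers and the sample PDU are constructed placeholders, and the encoder at the bottom exists only to build that sample.

```python
# Passive parser for the DICOM A-ASSOCIATE-RQ PDU that opens every DICOM session
# (DICOM PS3.8, 9.3.2). Added example, not ExtraHop's or CORA's code; the AE titles
# and allow-list below are constructed placeholders.
import struct

DICOM_APP_CONTEXT = "1.2.840.10008.3.1.1.1"
# Abstract syntax UIDs from DICOM PS3.4, mapped to the service they request.
SERVICE_NAMES = {
    "1.2.840.10008.1.1": "Verification (C-ECHO)",
    "1.2.840.10008.5.1.4.1.1.2": "CT Image Storage (C-STORE)",
    "1.2.840.10008.5.1.4.1.2.2.1": "Study Root Query (C-FIND)",
    "1.2.840.10008.5.1.4.1.2.2.2": "Study Root Retrieve (C-MOVE)",
}

def _uid(raw):
    # UIDs are ASCII; a single trailing NUL may pad them to an even length.
    return raw.decode("ascii", errors="replace").rstrip("\x00")

def _items(buf):
    """Yield (type, payload) for consecutive UL items: type(1) pad(1) length(2, BE)."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated item header")
        item_type, length = struct.unpack_from(">BxH", buf, off)
        payload = buf[off + 4:off + 4 + length]
        if len(payload) != length:
            raise ValueError("item length runs past buffer")
        off += 4 + length
        yield item_type, payload

def parse_associate_rq(pdu):
    """Decode one A-ASSOCIATE-RQ (the first bytes a DICOM client sends) into a dict."""
    if len(pdu) < 6:
        raise ValueError("short PDU header")
    pdu_type, pdu_len = struct.unpack_from(">BxI", pdu, 0)
    if pdu_type != 0x01:
        raise ValueError(f"PDU type 0x{pdu_type:02x} is not A-ASSOCIATE-RQ")
    body = pdu[6:6 + pdu_len]
    if len(body) != pdu_len or pdu_len < 68:
        raise ValueError("PDU body truncated")
    # Fixed part: version(2) reserved(2) called AE(16) calling AE(16) reserved(32).
    req = {"called_ae": body[4:20].decode("ascii", errors="replace").strip(),
           "calling_ae": body[20:36].decode("ascii", errors="replace").strip(),
           "app_context": "", "contexts": [], "max_pdu": 0}
    for item_type, payload in _items(body[68:]):
        if item_type == 0x10:                                  # Application Context
            req["app_context"] = _uid(payload)
        elif item_type == 0x20:                                # Presentation Context
            ctx = {"id": payload[0], "abstract": "", "transfer": []}
            for sub_type, sub in _items(payload[4:]):
                if sub_type == 0x30:                           # Abstract Syntax
                    ctx["abstract"] = _uid(sub)
                elif sub_type == 0x40:                         # Transfer Syntax
                    ctx["transfer"].append(_uid(sub))
            req["contexts"].append(ctx)
        elif item_type == 0x50:                                # User Information
            for sub_type, sub in _items(payload):
                if sub_type == 0x51 and len(sub) == 4:         # Maximum PDU length
                    req["max_pdu"] = struct.unpack(">I", sub)[0]
    return req

def findings(req, known_callers):
    """What a passive sensor would surface: who is asking whom for which services."""
    out = []
    if req["app_context"] != DICOM_APP_CONTEXT:
        out.append(f"non-standard application context {req['app_context']}")
    if req["calling_ae"] not in known_callers:
        out.append(f"unknown calling AE {req['calling_ae']!r} -> {req['called_ae']!r}")
    for ctx in req["contexts"]:
        name = SERVICE_NAMES.get(ctx["abstract"], ctx["abstract"])
        if "C-FIND" in name or "C-MOVE" in name:
            out.append(f"query/retrieve requested: {name} (context {ctx['id']})")
    return out

# Encoder used only to build the constructed sample; it mirrors the layout above.
def _item(item_type, payload):
    if isinstance(payload, str):                  # UID: ASCII, NUL-padded to even length
        payload = payload.encode("ascii")
        payload += b"\x00" * (len(payload) % 2)
    return struct.pack(">BxH", item_type, len(payload)) + payload

def build_associate_rq(called, calling, contexts, max_pdu=16384):
    var = _item(0x10, DICOM_APP_CONTEXT)
    for ctx_id, abstract, transfers in contexts:
        sub = _item(0x30, abstract) + b"".join(_item(0x40, t) for t in transfers)
        var += _item(0x20, bytes([ctx_id, 0, 0, 0]) + sub)
    var += _item(0x50, _item(0x51, struct.pack(">I", max_pdu)))
    body = (struct.pack(">HH", 1, 0) + called.ljust(16).encode("ascii")
            + calling.ljust(16).encode("ascii") + bytes(32) + var)
    return struct.pack(">BxI", 0x01, len(body)) + body

# Constructed sample: an unlisted host asks the archive for C-ECHO and C-MOVE.
SAMPLE_PDU = build_associate_rq("ARCHIVE_01", "LAPTOP-7F", [
    (1, "1.2.840.10008.1.1", ["1.2.840.10008.1.2"]),
    (3, "1.2.840.10008.5.1.4.1.2.2.2", ["1.2.840.10008.1.2", "1.2.840.10008.1.2.1"]),
])
KNOWN_CALLERS = {"CT_SCANNER_1", "MR_SCANNER_1", "RAD_WS_01"}
```

Running `findings(parse_associate_rq(SAMPLE_PDU), KNOWN_CALLERS)` yields two lines: an unknown calling AE title talking to the archive, and a C-MOVE (retrieve) request from it. The length checks in `_items` and `parse_associate_rq` matter on a passive sensor, where a truncated or deliberately malformed PDU must produce an error rather than an out-of-range read; a real sensor would also have to reassemble the TCP stream and track the A-ASSOCIATE-AC reply to learn which presentation contexts the server actually accepted.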
The machine learning built into the application enables the CIO’s team to focus on the threats and issues in a top-down approach by severity.
“My one security specialist can view the alerts that need attention and quickly track the threat or activity across the network by connecting users, devices and actions,” he said. “I routinely log into the platform and look at the dashboards to see what is happening.
“We also have the ability to perform a look-back up to 90 days and see what the NDR might have seen,” he added. “If something new comes along, such as a critical CVE, exploit or zero day, and we want to make sure we are not vulnerable, we can now take appropriate action or feel confident in our posture.”
MEETING THE CHALLENGE
Members of Stepanek’s small IT team are the main users of the ExtraHop technology. CORA also has a managed security services provider (MSSP) that monitors the periphery of the network and sees some external pieces and agent-based feeds. ExtraHop gives the CIO’s team the ability to see into all the activity and to collaborate around a single source of truth.
“Two use-cases spring to mind when I think about the value it provides,” Stepanek said. “First, ExtraHop quickly gave us visibility into our third-party application use. We had just started a migration to Microsoft Office 365. Some people fall into bad or old habits, and we could easily see who was using outdated, personal or inappropriate software that often can be a regulatory violation in healthcare.
“Second, it provides a surgical tool for forensics and response – while also helping me underline the value of this for a healthcare organization. If you don’t know the root cause, how do you understand what happened so you can make sure it stops happening? How do you address the impact on your organization? Moving forward, what do you put in place to make sure it doesn’t happen again?”
The CIO needs good information to see where those failure points occurred to create an action plan. The more granular that data is, the better the solutions and options one has to fix things moving forward, he said.
“You can be surgical about fixing versus taking a big hammer to the problem,” he said. “I don’t have unlimited people and time to throw at a problem, so we need to be efficient about our problem resolution.”
CORA had a collection of different tools for monitoring. After implementing the new technology, it was immediately able to consolidate and cut other monitoring tool costs by 75%. Not a net savings, but a huge cost avoidance for an organization that was not accustomed to spending a lot of money on information security.
“I also believe that we have a much better sense of accountability with this model than we would relying on someone else that doesn’t have any skin in the game,” he said. “We realized about 30% cost avoidance/savings on security over getting a fully managed SIEM.
“With our hybrid model, we have some top-notch capabilities in place with ExtraHop. When the team is presented with alerts, we quickly can address them with our one security analyst and small infrastructure team.”
ADVICE FOR OTHERS
Stepanek’s advice: Take action.
“Complacency is going to be costly,” he said. “Everyone knows that attacks on healthcare are happening more frequently and becoming more expensive. You can’t read any news feed without being able to find where another organization has been hit by malware or ransomware.
“Since November 1, 2020, there has been an increase of more than 45% in the number of attacks seen against healthcare organizations globally, compared to an average 22% increase in attacks against other industry sectors,” he continued. “It is incumbent upon healthcare organizations to take security seriously and put both proactive, preventative measures in place alongside tools to detect and remediate threats.”
There are affordable tools and approaches that can fit into an organization’s staff mix, resources and environment, he offered. Healthcare organizations must prepare for when an attack happens, not if it will happen, he insisted.
“Knowing where the data is coming from, where it is moving to and what is happening to it along the way is critical for any good security or operations program to be effective,” he advised. “Network detection and response (NDR) technology is passive and is intuitively how we can get at the source of truth for what is happening in our environments.
“Everything has to be connected today; it only makes sense,” he added. “IT teams need the ability to validate, triage and establish root cause in minutes instead of days, and ideally automate responses via trusted orchestration partners.”
When a CIO is called before the board and asked how something could have happened, when and how it happened, what happened and who was affected, being able to lay out the root cause creates credibility that carries weight when one has to make recommendations for future prevention and mitigation, he concluded.