It is late 2003, and officials at the Kettering Medical Center Network have a challenge on their hands: How do they ensure they are securing their network in the most efficient manner?
Rather than simply renew its Symantec AntiVirus Enterprise Edition licenses, the network of Ohio hospitals decided to perform a complete network security assessment.
"HIPAA compliance was one driver, but another was the commitment to be proactive in security," said Bob Burritt, manager of network and technology services for the Kettering Medical Center Network. "The network security assessment began in October 2004 and Symantec Consulting Services made its recommendations in early February 2005."
In the end, the company found savings in time and money as well as a greater level of confidence in its security posture and compliance with HIPAA (Health Insurance Portability and Accountability Act) regulations. The question asked in 2003 by officials from the Kettering Medical Center Network is repeated within organizations throughout the world.
Security professionals said company officials need to take a comprehensive approach to extending security throughout the enterprise, from the IT staffer to the employees in the call center.
Khalid Kark, an analyst with Forrester Research, said the biggest challenge CISOs (chief information security officers) face today often is convincing all of their employees they have a role to play.
"One simple sentence that a lot of [CISOs] get is, 'It's not my job,'" Kark said. "We have to get over that perception, and the CISO has to be kind of the cheerleader for that and they have to really go out and market security in a way that everyone understands it's their responsibility."
Ensuring every employee is aware of HIPAA and other laws and regulations can be tough, Burritt said, adding that the hospital network has a number of education programs for employees on security and other topics.
"We turned the need for HIPAA compliance into an opportunity to get a complete network security assessment from Symantec Consulting Services," he said.
The Kettering Medical Center Network now uses Symantec Network Security 7161 intrusion prevention appliances to provide an outer shield for its network against worms and zero-day attacks. Inside the network perimeter, Symantec AntiVirus Enterprise Edition protects the hospital network's servers and desktops, and Symantec Client Security and Symantec AntiVirus for Handhelds protect laptops and mobile devices. In addition, the network's intrusion prevention appliances are continuously monitored and managed by Symantec Managed Security Services.
As a result, Burritt said, the hospital network has saved $200,000 in staff time annually through firewall monitoring from Symantec Managed Security Services and another $18,000 in annual savings by slashing staff time for a security review of KMCN's 200 servers. In addition, there was a one-time savings of $140,000 and $70,000 annually on licensing, and $4,000 annual administrative savings from the Symantec Value Licensing Program.
"We definitely measure the costs of downtime," Burritt said. "According to our [chief financial officer], we lose a million dollars a day in revenues if our IT systems go down."
With such money at stake, organizations have a vested interest in securing their network. Establishing a strong data security framework begins with understanding what data they care most about, said Christopher Parkerson, senior product marketing manager at the Data Security Group at RSA, the security division of Hopkinton, Mass.-based EMC.