Health Care, Web 2.0 and Web Security. Read considerations and chosen solution in article from Health Management Technology Magazine October 2009.

1. Gateway Secures Web 2.0 Initiative
Concerned about malware and other security issues, Health First settled on a
solution that allows IT to set granular, flexible Internet usage policies for devices, as
well as specific users and groups.
Ref.: http://www.healthmgttech.com/features/2009_october/1009_gateway.aspx
Leaders at Health First, a Florida-based not-for-profit healthcare organization, thought that
Web 2.0 had the potential to offer new ways to communicate with patients, employees and
potential new patients. Protecting sensitive patient data and the integrity of the organization,
however, was a paramount consideration and staff worried that opening access without the
right security, policies and planning could be disastrous – because Web 2.0 sites are a top
target of cybercriminals and a major source of data loss if not managed properly.
“In order to let our employees visit these (social networking) sites, we needed a
Web security gateway solution that sits inline in the network stream and is able to
look at the specific content on the page in real time.”
Just a few years ago, IT managers at healthcare organizations could simply use Web security
and filtering solutions to set strict policies blocking employees from nearly all outside Internet
access. The risks posed by the Web – such as an employee accidentally introducing malware or
a virus onto the corporate network or viewing inappropriate information – were greater than
the benefits of allowing Internet access. Today, however, with the introduction of Web 2.0
technologies like cloud-based services, social networking sites, and new collaboration and
communication tools, the closed environment can be unrealistic and can hinder business
process.
"Web 2.0 can help our organization stay ahead of the technology curve, but jumping in without
a plan in place was not an option," says Christi Rushnell, Health First vice president,
information technology and strategic services. "Protecting patient and personally identifiable
information – both because it’s our corporate responsibility and also to meet compliance
regulation standards like HIPAA and the HITECH Act – is our first priority, and so having the
right security in place was our number one concern before opening access to Web 2.0."
Health First IT and security management teams were approached by different groups
throughout the organization about enabling access to tools like social networking sites to
extend their communication on a real-time basis as a cost-effective marketing tool.
Additionally, Health First was running out of room in its data center and so staff began to move
systems traditionally managed onsite to the cloud, such as transcription services and
enterprise-wide patient scheduling.
The Health First network includes three hospitals, the county’s only trauma center, fitness
centers and an aging institute, among other services. With more than 6,000 Internet-
connected devices throughout the organization and thousands of employees with different
roles, one of the most critical challenges to opening access to Web 2.0 was to find a security
solution that would allow IT to set granular, flexible Internet usage policies for devices, as well
1 Of 3

2. as specific users and groups within the organization. Health First wanted to set policies that
could, based on an employee’s role, control how much access that person had to Web 2.0
sites, how much time they could spend on those sites, what level of access they could have to
sensitive corporate information and even what they could do with that information.
Flexibility for Different Needs
"We needed a flexible solution that would provide our marketing team, for example, with
access to YouTube to create and promote videos on new services we provide and to access our
Facebook fan page, or allow our nurses and doctors to access the cloud-based patient care
applications we use," says Rushnell. "But we also needed the flexibility to ensure that a
machine in an openly accessible area was secured from allowing people to go to places on the
Web that would violate policies or put the organization at risk."
Another problem Health First faced was that Web 2.0 sites present an emerging vector for
malware and other data-stealing attacks. Cybercriminals are increasingly infecting sites that
enable user-generated content such as blogs and Twitter, with malicious content. Recent
research also shows that 57 percent of data-stealing attacks are coming over the Web. Health
First found that traditional security solutions were not up to the task of protecting against Web
2.0 attacks and inappropriate content.
"Web 2.0 has quickly diminished the effectiveness of traditional security solutions like
signature-based antivirus and traditional URL filtering, because it’s dynamic and constantly
changing," says Frank Waszmer, Heath First information security architect. "Reputation-based
security is also not enough, as Web 2.0 sites generally have a "good" reputation.
"Places like news sites, Google and social networking sites have great reputations but, today,
it’s often these legitimate sites that are targeted. In order to let our employees visit these
sites, we needed a Web security gateway solution that sits inline in the network stream, is able
to look at the specific content on the page and then prevent the malicious elements from being
accessed."
Another requirement was the ability to look at encrypted secure socket layer (SSL) streams.
Waszmer noticed an increased amount of malicious traffic set up through SSL sessions.
Without being able to see into the traffic streams, Waszmer worried that data-stealing malware
could make its way into the network.
Health First selected Websense Web Security Gateway as a tool to enable employees to safely
access Web 2.0. Waszmer designed a deployment strategy to help minimize installation time.
To redirect HTTP and HTTPS Web traffic to the gateway, he deployed the system in what is
called a "transparent proxy," utilizing the WCCP protocol. The majority of time spent on this
project has been around fine-tuning Web-use policies and working with the different
departments to provide greater control and feedback.
Policies Drive Compliance
Health First currently has five global policies that govern where and how people can use and
interact with the Internet and Waszmer has created more than 20 specialized policies around
Web use to provide greater protection for key areas.
"Today, we are able to set Web-use policies around users, groups and devices," Waszmer
notes. "Because of the flexibility of the secure Web gateway and the reporting and policy
infrastructure we have created, we have been able to roll out access to different Web 2.0 sites
to the groups and specific people that need it.
"Additionally, one of the unique benefits about the solution is that it classifies specific content
on Web sites in real time. So, if it classifies a Web page that has some business benefits but
also contains some content that violates a policy, the solution will block just that one portion of
the page."
Health First uses the gateway as part of a layered security approach that involves technology,
investigation, and awareness and education. "With our strategy and technology in place, I’m
2 Of 3

3. able to run reports on Web use, see malicious or inappropriate sites employees have
attempted to access, and use the reports to better educate Web users and gain a greater
understanding of how Web 2.0 sites can be used throughout the organization," says Waszmer.
"Additionally, the reports allow my team to quickly respond to security events. With visibility
into the systems, we’re able to stay ahead of the threats before they become a problem."
"Today, healthcare IT managers and CIOs need to be an active part of the solution to balance
the business needs of Web 2.0 adoption with security," says Rushnell. "Web 2.0 is here and
only going to become a larger part of our business, so my greatest advice to other healthcare
organizations thinking about enabling Web 2.0 is that they need to anticipate the changes in
the business and adjust, actively taking steps to secure Web 2.0 use."
From the catalog
According to www.websense.com : Websense Web Security Gateway allows organizations to
secure Web traffic effectively while still enabling the latest in Web 2.0 tools and applications.
Through a real-time content-classification engine, the gateway analyzes Web traffic on the fly,
instantly categorizing new sites and dynamic content, proactively discovering security risks,
and blocking dangerous malware. Backed by Websense ThreatSeeker Network technologies,
Web Security Gateway provides advanced analytics – including rules, signatures, heuristics and
application behaviors– to detect and block proxy avoidance, hacking sites, adult content,
botnets, keyloggers, phishing attacks, spyware and many other types of unsafe content.
For more information on
Websense solutions:
www.rsleads.com/910ht-201
3 Of 3