Provides a complete picture of risk
With Elastic Security, Nebraska Medicine can ingest and normalize logs from all its environments to maintain clear and comprehensive threat visibility.
Repels cyber attacks
Nebraska Medicine can now use Elastic Security on Microsoft Azure to help protect its staff, patients, and systems from ransomware, DDoS, and other criminal activity.
With Elastic Security, Nebraska Medicine can automatically gather and distribute data and reports to regulators.
Top U.S. healthcare organization deploys Elastic Security to protect patient data and networks, automate workflows, boost efficiency, and reduce costs.
Cyberattacks targeting healthcare organizations are on the rise. Ransomware incidents more than doubled between 2016 and 2021, disrupting medical services and exposing patients’ protected health information (PHI). The risk is becoming even greater as more medical devices connect to hospital networks, potentially exposing equipment to hackers and putting patients in jeopardy.
Nebraska Medicine is proactively working to stave off the increasing number of cybercrime threats. The organization, recently featured in the top 50 of Newsweek’s World’s Best Hospitals, consists of two hospitals: The Nebraska Medical Center and Bellevue Medical Center. Nebraska Medicine also partners with the University of Nebraska Medical Center (UNMC), which is the academic and research arm of the enterprise. Responsibility for protecting the organization’s data and IT networks falls to Gary Roth, Senior IT Security Engineer at Nebraska Medicine, and his colleagues in the enterprise security team. In all, they must secure 70,000 endpoints including servers, workstations, laptops, connected medical devices, and printers from hospitals, research departments, and various clinics across the state.
Our strategic objective is to ingest and normalize logs from all our environments and get a complete picture of the risks facing the enterprise. This includes logs from endpoints, applications, and all security controls.
When Roth joined the organization in 2020, it lacked a single view of data from these environments. Instead, the team had to log on to multiple tools and run the same related searches. “These tools worked independently, but it was inefficient and burdened the team,” he says.
Using the cloud to reinforce security
Nebraska Medicine set up a proof of concept, which led to the deployment of Elastic Cloud on Microsoft Azure.
“Elastic is the first and only platform that Nebraska Medicine uses for centralized logging, enabling us to ingest logs from across our entire IT infrastructure,” says Roth.
Log ingestion for O365 and Azure previously relied on standalone Filebeat modules. More recently, Nebraska Medicine has moved to Elastic Agent with out-of-the-box integrations to collect endpoint and cloud logs.
Retaining data, setting the rules
Elastic Security also has a positive impact on the organization’s Identity Lifecycle Management (ILM) strategy. Today, Nebraska Medicine keeps newer indices in hot storage for two days before moving them to cold and then ultimately frozen storage. “Elastic allows us to easily customize our log storage and retention to meet our needs,” says Roth.
Nebraska Medicine is also taking advantage of Elastic Security to build security rules and detect signs of threatening behavior.
Increasing efficiency, freeing up time
Elastic Security reduces the burden on the organization’s security analysts. They can work through alert investigations more quickly now that logs are consolidated in one easy-to-search location.
Elastic Security frees up time for our team to expand their security knowledge, undertake training, and boost their skills.
Nebraska Medicine is also enjoying benefits from workflow automation within Elastic Security. Roth and his team connected centralized security alerting in Elastic to the organization’s ServiceNow ticketing system, which allows them to make further use of ServiceNow’s security incident response playbooks.
Defending with dashboards
Nebraska Medicine makes extensive use of Kibana dashboards to visualize data and respond to alerts. This includes out-of-the-box Windows event dashboards for user logons, user and group management, and PowerShell usage. Server administrators use these interfaces to detect changes to accounts, inappropriate admin account use, and other anomalies.
Several teams have created dashboards tailored to their specific requirements. “The consolidation of disparate wireless SSIDs that we’ve accumulated over the years is a good example,” says Roth. “Our network security engineers configured a dashboard that identifies devices trying to connect to decommissioned networks.”
Security supports strategy
Roth stresses the extent to which Elastic Security enables his team to support the wider strategic goals of the business.
Efficiency is everything in healthcare. With Elastic Security we can widen access to data and dashboards so that everyone can troubleshoot problems without having to constantly reach out to other teams. We’re saving our organization time and expense.
In the future, Roth expects to use additional Elastic Security tools and build out more dashboards for custom data sources. He plans to create alerts for performance metrics and is looking at the potential deployment of the Endpoint Security integration in detect mode alongside current endpoint security agents. These steps help Nebraska Medicine prepare for the future of healthcare, where online patient appointments, robotics, remote devices, and AI diagnosis play a growing role.
Elastic Security gives us a future-proof platform to defend the organization against evolving threats to our systems, staff, and patients. Add to that the automations and cost efficiencies that Elastic brings, and you have the ideal solution for large, complex healthcare organizations.