Clinisync is a nonprofit, independent private organization launched in 2009 with HITECH grant funding from the Office of the National Coordinator for Health Information Technology. With the help of hundreds of healthcare professionals throughout Ohio, they created the Ohio Health Information Partnership (OHIP). First, they assisted primary care physicians in the shift from paper files to electronic communications in their practices to meet federal expectations. Second, they created the infrastructure for a statewide Health Information Exchange (HIE) system, Clinisync, where the medical community could electronically view and share patient health information to improve care coordination. They are currently serving more than 92% of Ohio’s 11.1 million residents and the number keeps growing.
The Initial Challenge
Clinisync originally came to DRS seeking Identity and Access Management (IAM) professional services in the form of Okta™, to protect sensitive patient health information in their HIE system. With DRS Okta™ Managed Services, DRS provides Lifecycle Management, Adaptive Multi-Factor Authentication (MFA), Single Sign-On (SSO), and Universal Directory, which ties together with Active Directory. One of the biggest challenges for Clinisync was tracking users and applications.
They also had an urgent need for robust Managed Security Services Provider (MSSP) services that were both scalable and affordable. After discovering the in-depth service offerings that DRS provides, they quickly onboarded as an MSSP client to enhance their overall security posture. They had a very small in-house team that wasn’t solely focused on security efforts, so joining hands with professionals was necessary. Several security gaps were present in their environment, making the need for a roadmap essential.
Why DRS Was Selected
DRS was selected primarily because of its robust MSSP offering, in addition to its IAM solution, which enabled Clinisync to address existing security gaps comprehensively. Cost was also a factor, as DRS could provide solutions and MSSP services at an accessible price point. Clinisync had several compliance requirements that needed to be met, like HIPAA and SOC 2. DRS met these requirements while applying data protection standards from an MSSP perspective. Throughout the process, DRS provided industry-leading levels of security knowledge and expertise.
What Was Implemented
DRS began by implementing an IAM solution in the form of Okta™. The Okta™ integration was incredibly smooth, leading to a seamless adoption by the organization’s users. Okta™ helped streamline Lifecycle Management from creation to deprovisioning, granting and revoking access to users when needed by applying the principle of least privilege. Controlling identities and access within the organization was paramount in having a strong and effective security posture.
Adaptive MFA is another way DRS helped Clinisync protect access to data, since Personally Identifiable Information (PII) is a big target for malicious actors. By combining “something you have” (a phone) with “something you know” (a password), Okta™ offered an additional layer of security before granting user access.
Controlling access to applications and data provided immediate and bidirectional benefits for both Clinisync and their employees. It allowed for a strong compliance and security posture, by limiting unnecessary access to applications and data. For employees, the streamlined Okta™ Dashboard promoted productivity thanks to its SSO functionalities, by controlling access to applications and data related to mission-critical job functions, and reducing downtime from entering multiple passwords into various applications.
Once complete, other security components were rolled out to fill the gaps identified during the initial onboarding. For example, DRS customized host-based intrusion detection by coding specific rules into DRS’ proprietary Security Information and Event Management (SIEM) solution. DRS analysts, engineers, and threat hunters applied security research to tailor the detection of exploits and vulnerabilities across a variety of systems that could otherwise have gone undetected. This resulted in a capacity to detect threats ranging from, but not limited to, common exploitable binaries on Unix, Windows, and Linux systems. It also added the ability to detect multiple failed log-on attempts and to raise after-hours access alerts. The system was set up so that collected information could be aggregated and analyzed, allowing both parties to identify anomalies and underlying threats and respond appropriately. The system was also designed to enumerate known vulnerabilities in system configurations and applications so they could be properly addressed. All of these efforts played a role in tightening Clinisync’s security posture.
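As an added illustration of the two correlation rules named above (repeated failed log-ons and after-hours access), here is a minimal detector run over constructed auth events. This is example code, not DRS’ proprietary SIEM rules; the log format, threshold, window, and business hours are assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample auth events (not real data): ISO timestamp, user, outcome
SAMPLE_EVENTS = [
    "2023-03-06T09:01:10 alice FAIL",
    "2023-03-06T09:01:25 alice FAIL",
    "2023-03-06T09:01:40 alice FAIL",
    "2023-03-06T09:01:55 alice FAIL",
    "2023-03-06T09:02:10 alice FAIL",
    "2023-03-06T09:05:00 alice SUCCESS",
    "2023-03-06T10:15:00 bob SUCCESS",
    "2023-03-06T23:40:00 carol SUCCESS",
    "2023-03-07T03:12:00 bob FAIL",
]

FAIL_THRESHOLD = 5                           # assumed: failures per user within the window
WINDOW_SECONDS = 300                         # assumed: sliding window length
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed local business hours [start, end)


def parse(line):
    """Split one constructed log line into (datetime, user, outcome)."""
    ts, user, outcome = line.split()
    return datetime.fromisoformat(ts), user, outcome


def detect(lines, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS, hours=BUSINESS_HOURS):
    """Return (rule, user, timestamp) alerts for failed-logon bursts and after-hours logons."""
    alerts = []
    recent_failures = defaultdict(list)      # user -> failure timestamps inside the window
    for line in sorted(lines):               # fixed-width ISO timestamps sort chronologically
        ts, user, outcome = parse(line)
        if outcome == "FAIL":
            # Drop failures that have aged out of the sliding window, then add this one
            cutoff = ts.timestamp() - window
            recent_failures[user] = [t for t in recent_failures[user] if t.timestamp() > cutoff]
            recent_failures[user].append(ts)
            # Fire when the count first reaches the threshold, not on every later failure
            if len(recent_failures[user]) == threshold:
                alerts.append(("failed_logon_burst", user, ts.isoformat()))
        elif outcome == "SUCCESS":
            start, end = hours
            if not (start <= ts.time() < end):
                alerts.append(("after_hours_access", user, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

A single failure outside hours (bob at 03:12) produces no alert here; the after-hours rule is deliberately tied to successful access, since that is the event the text describes alerting on.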
Clinisync is now an active client in the DRS MSSP program. Their security posture is monitored daily, with alerts, remediation, guidance, and reporting metrics. DRS also consults with the organization on ongoing projects, most recently regarding HITRUST compliance. As new needs arise, roadmaps are jointly drafted to ensure the goals and business objectives of the organization are met.
“Dark Rhino Security is kinda like living in a small town. You know everyone there, everything is very transparent, you always know who to talk to when you have a problem, and issues are always solved.” — Henry Vynalek, Director of Operations and Security Officer