This document discusses successfully creating an IT service at Mercy Health to address organizational challenges and compliance needs. It describes implementing Tripwire Enterprise for change detection and monitoring to gain visibility into their IT environment, validate approved changes, and produce reports for audits. This improved governance of controls, reduced audit findings, and provided a key strategy for their security operations center and PCI compliance efforts. Going forward, Tripwire will help address other regulatory needs and expand its use for security configuration management.

1. SUCCESSFULLY CREATING AN IT SERVICE

2. Agenda
 Introduction
 Mercy Health (Who we are)
 Organizational/Operational Challenges
 Business Case and Implementation Methodology
 Present and Future
 Questions
9/6/2018 2

3. Introduction
Dieu Tran – Executive Director, IT Business Risk Services and Analytics
(Mercy Health)
 Designations – CISA, CISSP, GSNA, CRISC, CRMA, GISF, PCI-ISA
Jody Howard – Manager PCI Compliance (Mercy Health)
 Senior IT Architect
9/6/2018 3

4. Who we are
 5th Largest Catholic Healthcare System in the US Mercy Health (Who we are)
 ~$5.5 Billion in Annual Revenue
 30 acute care hospitals
 11 Specialty Hospitals (Heart, Children's, Rehab and Ortho)
 Virtual Care center
 Over 800 Clinics Physician Practices and Outpatient Facilities
 Operates in seven-state area encompassing Missouri, Arkansas, Oklahoma,
Kansas, Louisiana, Mississippi and Texas
 ~44,000 co-workers and over 2,100 physicians
9/6/2018 4

5. Challenges
Organizational
◦ Establishing compliance culture – history of audit findings
◦ Leadership (External Audit)
◦ Security Concerns
◦ Complex and Challenging Technical Environment
◦ Staffing
Operational Challenges
◦ IT burdened with ad hoc data requests
◦ Data Integrity, Incomplete data, duplicate requests
◦ Difficult to review results and ensure consistency
◦ Unclear process
◦ Unclear accountability
Change
◦ New/changing regulatory and compliance requirements (External Auditors, PCI,
and HIPAA Security/Privacy)
◦ Governance
9/6/2018 5

6. Business Case and Implementation Approach
Business Case
Savings (time and money)
Successful audit and compliance efforts
Reporting to support controls in place
Governance of controls
 Implementation Approach
 Prioritize
 Engage owners early
 Define reporting needs
 Training
9/6/2018 6

7. IT Service Management ITIL Components
9/6/2018 7
People
Process
Technology

8. Process
Change Management Process
◦ Reinvigorated need for approvals prior to modifications
◦ Clarified definition of a “change”
Governance
◦ Senior Management review and approval for each change to monitoring
profile once in production
◦ Clear communication on additional volume of work created
◦ Opportunity to focus on groups that were less compliant
Monitoring rules
◦ Accepted Tripwire as a recognized expert and used the published rules as often as possible (OS,
database …)
◦ Avoided historic pitfalls of internal debates to merits of monitoring critical items
9/6/2018 8

9. People
Policy created to support effort
◦ Initially Change Management
◦ Added PCI compliance as Tripwire became viewed as critical success factor
Meetings with technical teams
◦ Often “selling” effort one person at a time
◦ Open and honest discussions
◦ Focus on real purpose of monitoring
Auditing
◦ Remediation notes
◦ Change orders
◦ Matching criteria
9/6/2018 9

10. Technology
Integration into ITSM Tool
◦ Used to validate approved change orders
◦ Remediation becomes component of daily routine obligations
◦ Change detection, File integrity monitoring and Vulnerability Notifications
Rule Tuning
◦ Focus on most critical elements leveraging data analytics
◦ Often used features to identify “normal” activity limited to a specific account
to reduce volume of alerts
Reporting
◦ Reporting to application owners during rule development phase
◦ Reporting attached to each incident showing the details of modifications
◦ Reporting to Governance group for volume of activity
◦ Reporting to internal auditors to demonstrate good faith effort and help focus auditing efforts
9/6/2018 10

11. Present and Future
 Present
 Tripwire Enterprise change detection viewed as a key strategy for SOC, PCI and commercialization
efforts
 Expansion from Change Detection to also include File Integrity Monitoring and Threat Detection
 Visibility and monitoring for Epic Financial data
 Better visibility and governance around change management
 Reliable IT Environment around financial reporting
 Reporting to support controls in place
 Future
 Using for other regulatory compliance needs
 Security Configuration Management
9/6/2018 11

12. Tripwire Solutions For Healthcare Challenges
Onyeka Jones, Product Manager, Healthcare Solutions

13. 13
#1: Secure PHI
Detection and alerts on all changes
to established baseline—
what, who, and business context
Detect unauthorized changes on
critical assets and EHR systems
Extensive library of security
configuration best-practices to
establish and monitor configurations
Assess configurations
against security policies
Discover assets, vulnerabilities and malicious
changes, and help automate the workflow
and process of remediation
Identify risk on critical assets and
EHR systems
End-to-end visibility: discovery, inventory, and
change data for all your critical assets and
EHR systems
Know what’s happening in your environment

14. 14
#2: Achieve Compliance
Out-of-the-box audit report templates,
and automated compliance reporting
Reduce the time spent on compliance
Continuous monitoring and reporting
identifies remediation to stay compliant
Maintain compliance over time
Industry’s most comprehensive library
of policy tests for all major standards
Demonstrate compliance with standards
HIPAA, PCI, NIST and many more
Logging of changes to in-scope assets with
details on who and when
Produce data for audits and for forensics

15. 15
#3: Address the Skills Gap
Integrity monitoring and change
audit to find root cause
Ensure system availability and
speed up investigation
Integration with ITSM to tell authorized from
unauthorized changes
Validate changes and reduce unplanned work
Real-time change detection—
what, who, when and what it means
Control changes that compromise systems
Automate manual processes associated with
dealing with change—isolate and escalate
changes and events of interest
Deal with security data overload

16. Tripwire Capabilities

17. 17
Log
Management
Configuration
Assessment
Change
Detection
Policy
ManagementVulnerability
Assessment
Asset
Discovery
Centralized
Operations
Reporting &
Analytics
IT OT
Factory
automation
systems
Network
devices
& SCADA
systems
Capabilities

18. 18
Lack of Visibility to Security Posture of
Critical Assets, including EHR Systems
Lack of Resources to Combat Growing
Cyberattacks against Healthcare
Maintaining and achieving compliance with
HIPAA/HITRUST/NIST is time consuming
Tripwire Enterprise EHR monitoring solution
provides a detailed understanding of good vs. bad
changes on all critical assets and EHR systems
Tripwire Enterprise helps you achieve and maintain
compliance HIPAA, NIST, PCI and other security
controls, with audit-ready evidence
Assess on-premise, virtual and cloud assets in a
single product. Integrate with CMDB tools.
Managed services to supplement your team

19. 19
Advanced vulnerability risk scoring and prioritization
helps you focus on the most critical vulnerabilities.
Prioritze changes in Tripwire Enterprise based on
risk
Industry’s most robust risk scoring algorithim helps
you accurately assess vulnerabilities in your
environment
Comprehensive discovery and profiling of all
assets on your network to help you quickly identify
vulnerabilities on your network.
Limited Resources, Infinite Vulnerabilities
False Positives Waste Everyone’s Time
Lack of visibility to devices on my network

20. integrity monitoring
secure configuration management
unauthorized
changes ensure compliance
Benefits
Stronger Security Posture, Faster Incident Investigation and Proof of Compliance

21. dieu.tran@mercy.net
jody.howard@mercy.net
ojones@tripwire.com
21