Children’s Hospital and Health System
Children’s Hospital and Health System

Monitoring and controlling who is accessing data at a health care facility has gotten simpler, reports Greg Masters.


When some files mysteriously disappeared from a shared server on the network of Children's Hospital and Health System, headquartered in Milwaukee, Wis., all eyes turned to information security officer Chuck Klawans to provide an answer.

Klawans, and his two-person IT group (a third member is expected shortly), are charged with monitoring network activity of the 240-bed pediatric center.

The riddle was promptly solved by taking a look at reports generated by a software solution from Varonis.

“We found that Varonis Datadvantage enabled us to see who in the enterprise was accessing data,” says Klawans. “The software lays out for us, in a nice display, what permissions every user and group has, including inherited permissions.”

And in a world where the growth of digital information is multiplying each day, managing and controlling access to data is precisely what Klawans was looking for.

In fact, recent research by IDC points out that 281 exabytes -- an exabyte is one quintillion bytes -- of digital information was created and replicated in 2007. So with the threat of data breaches an increasing possibility, the question becomes: how can organizations manage who has access to this massive amount of critical data? And do it in a cost-effective manner?

Also, digging down forensically into activity on the corporate network is vital to any corporation, but a health care operation has particular privacy concerns.

Chuck Klawans, information security officer, Children's Hospital and Health System “We were driven by our need to protect  patient information,” says Klawans. The hospital is required, under HIPAA regulations, to keep a trail of user access.

The company had been using BindView, a suite of IT security and management solutions, which let the company do reports on permissions. But these proved insufficient in the Windows environment.

“We looked around and couldn't find anything until we ran into the Varonis offering,” says Klawans. “We couldn't find a way to audit the information using Windows logging. The real thing we were trying to take control of were Windows file servers with users' personal and shared drives. We had control reviewing or auditing who was accessing data.”

The Varonis solution controls, manages and continuously audits unstructured data use by recommending and automating who should and should not have access to certain data sets while tracking every user file touch. Employees can only access files and folders they need to perform their job functions.  

Controlling data access
Johnnie Konstantas, the vice president of marketing for Varonis, calls the product a software-based solution for unstructured data.

“Enterprises are well aware of sensitive data and even have people with proper titles looking over the data. But, on the unstructured side – a document, a spreadsheet, a apresentation – this kind of stuff ends up on Windows and UNIX file sharers, and can then be distributed.”

Controlling who has access to these records is impossible as data doubles annually, she adds. “Users cannot do this manually. It's an untenable situation. Health care providers are swelling with this stuff.”

Plus, overburdened IT staffs can't keep up with data, and certainly don't know who should have access to it, he says.

This led Varonis to create software which maps data to ensure that the right users are getting to the right data. The tool enables a continuous audit of users, so that a manager can go back to see what individual accessed a particular file and at what time.

Konstantas emphasizes that the software does not require a team. “Part of the success is its ease of use,” she says.

“The Varonis product can intercept storage calls and do logging itself in an efficient manner. It's not resource intensive and uses storage efficiently,” says Klawans.

Mobile users
Remote users come in through SSL VPN accessing web or Citrix and authenticate with Active Directory credentials.

Varonis Datadvantage runs its own analyses behind the scenes and points out users whose access patterns have changed dramatically. For example, it can red flag a user who is getting ready to leave the organization and seems to be stockpiling information.

It is also useful in keeping users in the right groups with the appropriate permissions. And it can also alert staff when valuable storage space is being wasted by looking at resources that are not being accessed, but are instead sitting idly on the server.

“Maybe there's a product out ther the does the same thing as Varonis Datadvantage, but I haven't seen it,” says Klawans.

The installation went very smoothly, he adds, taking only one morning to be loaded onto the servers.
“Once it was installed, it was up and running and collecting data,” he says. “The product is easy to manage and operate.”

A support agreement offers Klawans' team the option to call Varonis support for tweaks. And, when new versions come out, Varonis personnel connect remotely to do the upgrade. Since it's been installed, the implementation at Children's Hospital and Health System has been upgraded a few times.

The tool is meeting expectations and Klawans is pleased. Plus, it's got some features Klawans' team has yet to dig into, he says.