Cape Cod Healthcare

How Cape Cod Healthcare identified vulnerabilities and took steps to remediate them

PDF download

The Customer

Location: Cape Cod, MA USA

Industry: Healthcare

Products: Varonis DatAdvantage

One of America’s Top Ten health care systems, Cape Cod Healthcare (CCHC) is the leading provider of healthcare services for residents and visitors of Cape Cod. With more than 450 physicians, 4,500 employees and 1,100 volunteers, Cape Cod Healthcare has two acute care hospitals, is the Cape’s leading provider of homecare and hospice services (VNA), has a skilled nursing and rehabilitation facility, an assisted living facility, and the Cape’s only local laboratory service (C-Lab) with numerous health programs.

Just in this 30-day period, it had already started to identify shared permissions, how they were set, and the types of data on our network. The intelligence included data owner identifications and how to see who is accessing what. Quite honestly, it sold itself with the auditing capability.

– Rich Bianco Director of User Services at Cape Cod Healthcare

The Challenge

CCHC has approximately 7,000 users accessing, and making changes to, its shared folders. Cleaning up permissions and defining roles had become a priority.

In conjunction, CCHC needed a way to identify overexposed areas and effectively and efficiently remediate redundant access. Stale data identification was another key requirement. Users were afraid to delete files, thinking they may be needed in the future. With storage expensive and backups tedious, CCHC wanted to be more efficient with its existing storage capacity, and required a technology that could accurately identify stale data.

Evaluation Parameters

Rich Bianco, Director of User Services at CCHC, was looking for a way to better manage user access provisioning and data management. He was introduced to Varonis by a CCHC network engineer. Bianco explains, “One of the team met with Varonis at an event and was so impressed, he immediately told me about it. We knew we needed something but, at that time, I couldn’t find one vendor that could answer all of our challenges. We arranged to have a 30-day evaluation of Varonis DatAdvantage, and had it placed in our data center, where it collected file touches. At the end of the trial period, Varonis came in to give us a demonstration, which turned out to be a real eye opener. Just in this 30-day period, it had already started to identify shared permissions, how they were set, and the types of data on our network. The intelligence included data owner identifications and how to see who is accessing what. Quite honestly, it sold itself with the auditing capability.”

The Solution

Varonis DatAdvantage provides CCHC a complete, bi-directional view into the permissions structure of its unstructured and semi-structured file systems. It aggregates Active Directory user and group details, ACL information and all data access events—without requiring native OS auditing—to build a complete picture of who can and who is accessing data, and who should have their access revoked. This allows CCHC to identify rightful data owners, so the right people can ensure appropriate access and usage.

By combining DatAdvantage with the Varonis IDU Classification Framework, CCHC also has visibility into the content of data across its file systems and SharePoint sites, and can then integrate this intelligence into the Varonis Metadata Framework. Classification information is then presented in the DatAdvantage interface, enabling actionable intelligence for data governance, including a prioritized list of those folders with the most exposed permissions and containing the most sensitive data, which users have access to that data, which users are accessing it, who owns it, and how to effectively limit access without disrupting business processes.

Prior to deploying DatAdvantage CCHC knew it had a significant volume of stale data but had no way to identify it. In addition to the cost of housing this redundant information, simply backing up the system took extra time. By identifying data that hadn’t been touched for a set period, CHCC is able to remove it from its servers, freeing expensive storage space and also allowing backups to finish more quickly. The knock-on effect of this cleanup will result in the improved performance of its systems and servers.

Today, CCHC has visibility into its data and the ability to act upon issues within applications itself. Bianco adds, “We can identify vulnerabilities from excessive permissions and take steps to remediate them. We know we’ve got it right because we can first sandbox changes and then run test drives to see what happens before we implement, which is a huge comfort.”

From an audit perspective, CCHC describes the benefits as ‘huge’. Bianco explains, “We have an annual IT audit where they come in and make sure that appropriate access controls are being used. With Varonis, we can easily obtain and verify the evidence that proves we are doing what we say.”

Perhaps the most significant benefit CCHC has realized is the ability to put data owners back into control of their data. This means Bianco and his team will no longer be solely responsible for data maintenance or management, nor do they need to interpret what access is appropriate for any given piece of data. Instead, this decision is made by the correct person – the data owner.

Business Benefits

Identify over exposed areas and effectively and efficiently remediate redundant access

CCHC can identify vulnerabilities from excessive permissions and take steps to remediate them. It knows these are implemented correctly by first sandboxing changes and then running test drives to check before implementation.

Accurately identify and remove stale data, freeing up expensive storage capacity and making backups run more efficiently

By identifying data that hasn’t been touched for a set period, CCHC is able to remove it from the servers, freeing expensive storage space. This will also improve backup efficiency and the performance of its systems and servers.

IT audit queries relating to access controls are simple to answer, with validated evidence

CCHC knows that appropriate access controls are being used. With Varonis it can easily obtain and verify the evidence needed to answer IT audit requests.

Rightful data owners identified and in control of their data

IT is less involved in data maintenance and management, nor do they need to interpret what access is appropriate for any given piece of data. Instead, this decision is made by the correct person – the data owner.