Healthdirect Australia
"Tenable was the perfect fit for its cloud-based delivery model."
Key Business Needs:
Healthdirect Australia needed to maintain a high level of security for large volumes of personal and sensitive data while keeping that data conveniently accessible and available to patients and clients.
Product(s) used:
Healthdirect Australia selected Tenable.sc™ (formerly SecurityCenter®). Tenable was an ideal fit for the organisation’s cloud-based delivery model: it could be deployed in the cloud and provide continuous monitoring of both non-production and production systems to identify vulnerabilities, reduce risk and ensure compliance.
- Established: 2006
- Website visits: 8M
- Visitors per day: 1K
- Transactions: 7M
Healthdirect Australia has deployed Tenable.sc within the Amazon Web Services (AWS) cloud. The deployment must maintain a very high level of security, because it protects a large volume of sensitive, personally identifiable information, while clients of the service expect a high degree of availability from any place at any time.
About Healthdirect Australia
Healthdirect Australia is a public company limited by shares. It delivers health services by contracting with service providers, managing ongoing operations and implementing governance structures so that those services are provided safely and efficiently. All Healthdirect services are wholly or jointly funded by federal, state and territory governments.
Healthdirect Australia manages the following healthcare services:
- Healthdirect nurse helpline and health information
- After hours GP helpline
- Pregnancy, Birth and Baby information service
- Mindhealthconnect service
- National Health Services Directory
- My Aged Care phone and online service
Business Needs
The security of public-facing websites, and the need to maintain an accurately known and consistently strong vulnerability posture, are pressing concerns. Given the nature of the services it delivers, Healthdirect Australia cannot afford to be compromised. The Confidentiality, Integrity and Availability (“CIA Triad”) model plays a major role here; it is designed to guide an organisation’s information security policies. In this context, confidentiality is the set of rules that limits access to information, integrity is the assurance that the information is trustworthy and accurate, and availability is the guarantee that authorised people have ready access to the information.
Compliance with the CIS Framework
The Center for Internet Security (CIS) publishes benchmarks of recommended security settings that harden servers and applications against attack while keeping them easy to operate. Healthdirect Australia wanted a solution that would help it maintain compliance with the CIS-based best-practice audit framework while providing easy-to-use reports for IT and management alike.
The Tenable Solution
Healthdirect Australia selected Tenable.sc. Tenable was the perfect fit for its cloud-based delivery model, giving the organisation the ability to deploy in the cloud and to cover both non-production and production systems with a continuous network monitoring strategy.
Tenable.sc provides continuous monitoring to identify vulnerabilities, reduce risk and ensure compliance through a unique combination of detection, assessment, reporting and pattern recognition across all network devices. Tenable.sc scales to meet the future demand of monitoring virtualised systems, cloud services and a growing number of devices, and supports more technologies than any other vendor, including operating systems, network devices, hypervisors, databases, tablets, phones, web servers and critical infrastructure. Its plugin security checks are updated daily.
The deployment of the Healthdirect Australia solution was unique, with both Tenable.sc and the Nessus® scanners deployed within the Amazon Web Services (AWS) cloud.
To keep vulnerabilities to an absolute minimum, Healthdirect Australia requires that its non-production, pre-production and production environments all be scanned with Nessus at frequent, regular intervals. All of the environments to be scanned are also hosted within the AWS cloud.
Healthdirect Australia currently scans its non-production environments weekly and its production environments nightly to maintain maximum coverage. A regular change control procedure between the organisation and AWS allows this, establishing a standing change window for scanning in the early hours of the morning. A scan currently takes around 36 minutes for the non-production environment, 22 minutes for the pre-production environment and 21 minutes for the production environment. Approximately 500 servers are scanned in total, and that number is constantly increasing. Healthdirect Australia also relies on Tenable’s solution to detect any malware that may be present.
Once vulnerabilities are detected, the IT team can elect to patch, apply a virtual patch, mitigate with controls or re-provision the server.
The Results
At a high level, Healthdirect Australia is scanning for known vulnerabilities and using several of the standard reports provided out of the box. This provides broad coverage; Healthdirect Australia follows a build guide so that it can use Tenable for both scanning and reporting. It identifies vulnerabilities and misconfigurations and remediates them as it goes, across more than 500 servers in both production and non-production. Every morning, the security team can see what its posture looks like and how operations is addressing the outstanding issues.
Using Tenable.sc, Healthdirect Australia is meeting its CIS compliance objectives. Tenable Network Security has been certified by the Center for Internet Security to perform a wide variety of Unix, Windows and application-based audits against the best-practice consensus benchmarks developed by CIS. Tenable.sc includes CIS compliance templates for ready-to-use reports that can be shared with the IT team as well as management.
Next Steps
Healthdirect Australia plans to use Log Correlation Engine® to refine its reporting and dashboard presentation, and to integrate it with its third-party log management tool for complete visibility.
*HealthDirect Australia Annual Report 2014-2015