A leading not-for-profit health system in the United States, with multiple hospitals, rehabilitation centers, physician clinics, mental health facilities, independent living centers, and home health agencies, employs more than 9,000 individuals, including nearly 1,400 physicians. Collectively, the entities within the healthcare organization also maintain more than 1,500 licensed beds across the state in which it operates, making it one of the largest private employers with a complex network of systems, applications, and environments.
As the health system planned to consolidate nearly 50 separate electronic medical record systems across its healthcare network into one centralized system, the organization faced a major challenge. One Senior Systems Engineer expressed that the new centralized system “required a Linux back-end environment, so we needed to expand to about 60 Linux servers fairly quickly.” Previously, the health system had used AIX and Solaris, but to accommodate the growth for the new project, the organization planned to deploy most of the systems on the Red Hat Linux operating system.
Approximately 400 application design, support and admin personnel as well as medical personnel that would consult on the new user-interface system would eventually need access to the Linux servers. Given that the health system must operate under HIPAA compliance regulations, the security and policy controls that would manage the Linux servers would play a major role as the organization must always be prepared for potential audits.
To take on this challenge, the health system closely examined Core Privileged Access Manager (BoKS) from Fortra as well as Centrify and BeyondTrust. For the new server control solution that would help manage and protect the new servers running on Linux, the organization sought several key capabilities:
- Integration with Active Directory for both users and groups.
- Discrete privilege escalation management across multiple systems—with the ability to specify commands and options.
- Compatibility with the Security-Enhanced Linux (SELinux) kernel module for supporting access control security policies.
- Compliance with HIPAA regulations.
- Controls over local accounts and domain accounts.
“The product demonstrations provided by each software firm and a review of the capabilities that each solution offered differentiated [Core Privileged Access Manager (BoKS)] as the only one that met all the requirements,” said the Senior Systems Engineer.
“The solution also streamlines the process for adding local accounts to systems and controls the adding of the access route for the local accounts,” he added. “This is a critical security feature as it prevents someone from using an account with root access to create a new account with privileges.”
The health system specifically valued the privilege escalation management feature offered by Core Privileged Access Manager (BoKS). This eliminates the need to manage a sudoers file on every single system. “We were so impressed during the demonstration that we did not need to run any on-site tests,” he added.
After working through the initial accelerated deployment, the health system has benefited from the day-to-day capabilities that Core Privileged Access Manager (BoKS) provides in managing the Linux server environment. “Privilege escalation management and centralized sudo management are particularly huge benefits,” the Senior Systems Engineer emphasized.
On an almost daily basis, the security team receives requests for a group of users to gain privileged access to one or more systems. Rather than having to manually edit the sudoers file on each system every time there’s a change, they can go into the Core Privileged Access Manager (BoKS) console and add any program group that is needed.
The team can also set the duration for how long the group will be active and the specific users for which each system is activated. The granted access is then automatically pushed out to all the pertinent systems, and the users can instantly connect.
“Gaining this capability means we no longer have to log into each server and edit the sudoers file, keep track of the changes, and then remember to undo the access after the duration expires,” he added. “This probably saves us about 30 minutes per system every time we need to make such a change—and usually we need to do this for anywhere from 6-30 systems. All that time adds up.”
Core Privileged Access Manager (BoKS) is also a big time saver any time the team needs to roll out a new system. “We just add the system, note the correct groups, and all the accounts that are needed for that system are automatically added.”