Wood County Hospital has served the patients of Wood County, Ohio, since 1951. Over the years, its operation has expanded to include the main hospital, off-site medical offices, and eight clinics supported by over 700 clinical, administrative, and IT staff. The hospital is committed to providing the highest quality care and patient experience. For the IT team at Wood County, this means delivering consistent application and infrastructure performance to ensure clinicians, administrators, and patients can access the information and systems they need, when they need them. It also means ensuring that these systems, as well as patient data, are protected from increasingly sophisticated and rapidly evolving threats, including ransomware.
For Wood County CIO Joanne White, security is a top priority. The hospital already had a sophisticated security framework in place, including IDS, IPS, firewalls, and SIEM. While these tools helped protect the perimeter and alerted on potential threats, alert fatigue, coupled with lack of visibility into threats inside the network, left Wood County with a crucial gap.
Seeking to gain critical visibility and improve the signal-to-noise ratio regarding potential threats, White began evaluating network traffic analysis (NTA) technologies, which combine rule-based detection, machine learning, and other advanced analytics to detect and alert on suspicious activities on the network.
Apples to Apples
After considering several options, White and her team decided to evaluate ExtraHop and another NTA vendor. ExtraHop, recommended by several of White's peers at the College of Healthcare Information Management Executives (CHIME), supported many healthcare industry-specific applications and protocols out of the box. ExtraHop also offered visibility into application and infrastructure performance, making it broadly applicable to the IT team. The alternate solution came with a much-hyped user interface and machine-learning claims but was relatively unknown among White's peers. One of the few healthcare organizations to have used it decided to shut the solution down after a year due to escalating costs and complexity.
As the evaluation kicked off, one clear difference emerged immediately: ExtraHop began surfacing concrete insight via dashboards and analytics right out of the box without requiring any customization.
Case in point, during the evaluation ExtraHop alerted White to a device from the physical therapy department that was unexpectedly communicating with her workstation -- and over 100 other machines -- using an unauthorized Universal Plug-and-Play (UPnP) service. Known as a malware attack vector for DDoS and bypassing firewalls, UPnP had been specifically disabled across Wood County's systems -- or so they thought. After seeing this, White was able to take action and quickly quarantine the host.
This granular visibility set ExtraHop apart from the competition. While the other solution could provide some information about which machines the workstation was communicating with, it didn't delineate the protocols and devices making those communications. Uncovering that information would have required manually reviewing logs and re-imaging machines.
Half the Price, Double the Value
The big shock came when White compared the final pricing quotes from both vendors. ExtraHop was less than half the cost of the competing NTA solution. By that time, White had also realized that the level of customization required for the competing solution would have necessitated bringing in a full-time specialist -- at a cost of over $70,000 per year.
"In the evaluation, ExtraHop delivered immediate value out of the box and its competitive pricing was the cherry on top. It was a no-brainer," says White.
With ExtraHop deployed, it didn't take long for White and her team to start reaping the benefits. Within days, a hospital employee reported seeing a message that looked like ransomware. The security team immediately looked at ExtraHop. Sure enough, ExtraHop had already started alerting on the threat – a new strain of ransomware known as CryptFlle2. With the information ExtraHop provided, the team was able to quickly identify and quarantine the infected machine, neutralizing the threat before it could impact Wood County's operations.
"Without ExtraHop, the investigation would have taken days or weeks, exposing the hospital to potentially catastrophic risk," says White. "Even the FBI was impressed when they found out how quickly we identified and contained the threat!"
Staying Ahead of the Security Experts
Like many organizations, Wood County Hospital takes a hybrid approach to security, leveraging both internally-managed systems as well as a managed security service provider (MSSP) to provide additional layers of detection and prevention. CIO Joanne White and her team manage their network security internally, but work with an MSSP to handle things like security monitoring, account auditing, phishing attempts, malware and virus scanning, NetFlow, and vulnerability scanning.
Two weeks after Wood County detected and thwarted the ransomware attack with ExtraHop, they got a call from their MSSP notifying them that ransomware was detected on one of their machines.
"We were thinking to ourselves, 'not again!' Then we looked at the data," says White. "As it turned out, the ransomware that the MSSP alerted us to was the very same thing we'd uncovered and resolved with ExtraHop two weeks prior. It took them that long to detect the issue. If we'd relied on them for ransomware prevention, we'd be in very different position right now."
Moreover, the information provided by the MSSP lacked the detail and context required to remediate the situation. Without ExtraHop, the Wood County team would have spent days or even weeks sorting through log files to achieve the same outcome.