For more than 20 years, Heartland Dental has been at the forefront of dentistry in the U.S. Founded in 1997 by Rick Workman, DMD, it is now the largest dental support organization in the country, providing non-clinical administrative support services to more than 1,700 dentists across 38 states. Director of Infrastructure and Information Security, Josh Gilmore, leads the company’s IT security team, which also includes Senior Security Engineer, Ross Petty.
In today’s environment, healthcare-focused companies are attractive targets for cyber-criminals looking to monetize ransomware and data theft. In fact, there were over 500 reported data breaches of 500+ records in the vertical last year alone—a 196% increase from 2018, according to a HIPAA Journal report. These concerns are top of mind for Heartland Dental’s IT security team, who work diligently to ensure the optimal protection of their data.
InsightVM is Rapid7’s flagship vulnerability risk management solution, providing comprehensive visibility into local, remote, cloud, containerized, and virtual infrastructure via the lightweight Insight Agent. It unites disparate teams around a single source of truth, enabling them to translate vulnerabilities into business risk and prioritize more effectively.
Heartland Dental has major HIPAA compliance demands to meet within its security protocols. Historically, this had kept most of its IT infrastructure on-premises, but in recent years the company increasingly weighed the benefits of cloud migration against the need to remain secure and compliant, according to Gilmore. This led to investments in Office 365, as well as Azure and AWS.
As part of these broad digital transformation efforts, the IT team realized that its current vulnerability management tooling was no longer fit for purpose. The legacy Tenable solution it had in place was too manual and error-prone.
“We knew it was possible to achieve more accurate reporting,” explains Petty:
“We needed a solution that was going to be precise because we would be reporting to the business KPIs and metrics out of our vulnerability management program. We knew we couldn't do that with the legacy solution.”
A proof-of-concept process was triggered and, having used Rapid7 for several years in the form of Nexpose and Metasploit Pro, Gilmore shortlisted InsightVM. Additionally, the Insight cloud platform was appealing due to its clear product roadmap and ease of use.
“Heartland Dental is focused on efficiencies within our processes and systems,” says Petty. “So, whenever we're evaluating products and vendors, we have to make sure it's a good fit for the team and that it's going to help optimize our workload while helping us provide greater security.”
During Heartland’s combined POC and penetration test, InsightVM immediately discovered areas of possible vulnerability that the incumbent legacy solution had missed. Gilmore and Petty agreed to proceed with InsightVM, and deployment of the agents was seamless, which was crucial given that COVID-19 was about to force mass remote working on the nationally dispersed organization.
“With the COVID situation, we knew we weren't going to be able to get data from doing network-based scans over the VPNs,” says Petty. “So, one of the very first things we did was deploy the Insight Agent. It was a huge win for us to be able to push out unlimited agents to our corporate employees to go work from home.” Leveraging their existing deployment process with Microsoft SCCM, Heartland Dental deployed thousands of agents across 1,000+ locations and scanned 42,000 assets in no time at all.
InsightVM has already positively impacted the organization’s security management. Aside from helping to mitigate cyber-risk among remote workers, the reliability of the scans themselves and the intuitive reporting and dashboards functionality were a big win. It has also helped to focus the minds of disparate teams by tagging owners of exposed systems and providing them with a third-party risk score and clear path to remediation.
A monthly scorecard meeting now brings together IT leadership to view their top assets by risk score and plan strategically to reduce these scores and fix any issues affecting the firm’s most critical assets. The cumulative effect of these improvements has helped Gilmore to mature the organization’s IT security program.
“The reports and the export to PDF or CSV have allowed us to build a stronger dashboard for the information security team and the vulnerability management life cycle,” Gilmore explains. “We’re able to demonstrate possible vulnerabilities to others in IT and beyond and show our progress in remedying them.”
As for the future, Heartland Dental is planning to deploy InsightAppSec, Rapid7’s dynamic application security testing (DAST) offering. Scanning cloud and on-premises environments, it automatically analyzes web apps to identify vulnerabilities like SQL Injection, XSS, and CSRF, whilst offering powerful reporting for compliance and remediation. The organization wanted a tool that could scan both mission-critical internal web servers and external-facing web servers.
“We develop a lot of internal applications. One thing that we're really focusing on is patient-facing technology, allowing patients to visit a supported dental office website and schedule their appointment or complete various other patient-related activities,” explains Gilmore. “So, scanning those APIs that are open externally or the web servers will be the key.”
As the pandemic accelerates digital transformation and patient-centric online experiences, Heartland Dental is clearly at the cutting edge of progress. As the company has ably demonstrated, they’re creating world-class security for their supported dental practices and the company as a whole.