Children's Mercy Kansas City protects sensitive patient data from serious cyber threats

He adds, "We knew that we were missing out on valuable vulnerability management insights—and we were keen to increase the frequency of our scanning. Equally important, our previous vulnerability management approach made it difficult to make sense of the large volumes of data we were collecting. To prioritize our remediation efforts more effectively, we targeted a way to cut through the noise."

Moving to real-time insight

After shortlisting several information security vendors down to just three companies, Children's Mercy chose Qualys VMDR® with integrated apps for asset identification and management, vulnerability management, threat detection and prioritization and response. By rolling out Qualys Cloud Agents to key assets, the organization can now gain real-time insight into many areas of its estate.

Akshay Borla, Security Engineer - Vulnerability Management at Children's Mercy Kansas City, comments, "Qualys Cloud Agents really impressed us and were one of the main factors that led us to VMDR. The agents are extremely lightweight, use a tiny amount of CPU resources, and don't require system reboots. Today, we’ve pushed the agents out to 13,000 endpoints and servers, which deliver fine-grained vulnerability and configuration management insights every four hours helping us pinpoint zero-days and other critical threats faster."

Monga adds, "Understanding and visualizing our exposure in easy-to-digest reports makes it much easier for us to communicate about our posture to senior leadership. Thanks to the visibility we gained from Qualys, we’ve successfully made a case to boost our resources in IT and shift our information security efforts into an even higher gear."

Prioritizing remediation work effectively

With built-in prioritization capabilities, VMDR is empowering Children's Mercy to take fast action to address the most serious threats in a timely manner.

"The combination of real-time data and the prioritization view in VMDR has made a big impact on my day-to-day activities," comments Borla. "In the past, I would have to manually sift through pages and pages of data to figure out where the most severe vulnerabilities were—but now, I can use the Enterprise TruRisk Platform to see threat indicators in real time. As a result, our IT and patching teams can focus on remediating the vulnerabilities that have known exploits in the wild and shrink the attack surface faster."

Protecting key web applications

By harnessing the Qualys Web Application Scanning add-on for VMDR, Children's Mercy can deliver comprehensive protection for its internal and external web applications.

Borla confirms, "We are now scanning more than 50 web apps with the Qualys solution, including authenticated and unauthenticated scans. We can now see what types of vulnerabilities exist across our application portfolio. We're also able to highlight the top 10 Open Web Application Security Project [OWASP] vulnerabilities in external-facing systems and make sure we take prompt action to protect them."

Slashing vulnerabilities by 85%

Since beginning its journey with Qualys, Children's Mercy has significantly enhanced its approach to security. The organization has grown its cybersecurity team by a factor of 10 and increased its maturity across almost all core security domains: including cloud, data protection, vulnerability and threat management.

"We've made great strides with our InfoSec program over the last 18 months, and we attribute a significant amount of that success to our work with Qualys," says Monga. "Since we started our work with VMDR and Cloud Agents, we've measured a 85% reduction in vulnerabilities across our estate, which has shrunk our risk exposure immensely."

Stamping out zero-days

By using data from Qualys Global AssetView—a free service to discover all IT assets across on-premises and cloud platforms—Children's Mercy is shortening its response times to urgent threats such as zero-days.

"When a news of a zero-day breaks, we don’t have to wait for a signature to be released before we can start taking action," explains Borla. "Using data from Qualys Global AssetView, we can search for the affected software or vendor across our environment and get a full inventory of everything that might be at risk. We used this approach to shut down the SolarWinds vulnerability rapidly, and remediate a recent Microsoft Exchange vulnerability within just three days."

Creating a virtuous cycle of improvement

By offering trusted data from Qualys to teams across the business, Children's Mercy builds strong relationships between the security function and other parts of the organization.

"If you can see that your actions have a positive impact, it creates a virtuous cycle that makes people more engaged and motivated," states Monga. "That's exactly what we've noticed since we've made Qualys dashboards available to our teams. Our IT, end-user computing and infrastructure teams can now see that their remediation efforts are bringing down the total number of vulnerabilities in our environment, which helps us accelerate our efforts."

Taking the next step

Looking ahead, Children's Mercy plans to deploy Qualys Policy Compliance. This next-generation solution that empowers organizations to reduce risk and comply with internal policies and external regulations quickly and easily.

"Security is a moving target, and there is always a mountain of work for us to do," concludes Monga. "VMDR has truly been a game-changer for Children's Mercy. Thanks to the Qualys solution, our priorities for remediation aren't subjective any longer. We can make clear, data-driven decisions about what to target first. By building on our partnership with Qualys, Children's Mercy will be in an even stronger position to realize its long-term information security strategy and protect sensitive patient data."