CareGroup checks out Symantec database security tool
By Ellen Messmer, Network World, 01/09/2006
CareGroup Healthcare System, with three hospitals in the Boston area, for years has let patients from home or elsewhere gain
access to their medical records over the Web with the password and ID that their doctors gave them.
However, CareGroup didn't have a way to monitor traffic going to the patient records stored in IBM and Oracle databases at
the Beth Israel Deaconess Medical Center's data center, which supports applications for all the CareGroup hospitals.
"If someone deleted information, we weren't able to prove it," says Ayad Shammout, senior database administrator analyst.
"We didn't even know how much traffic we had."
When Shammout learned about six months ago that Symantec was developing a database-monitoring tool, he decided CareGroup would
become an alpha user, letting Symantec install it to monitor three selected databases.
The appliance monitors network traffic using the same underlying "sniffing" engine as Symantec's Network Security 7100 Series
intrusion-prevention appliance. But Symantec also has developed software that analyzes database queries. The current version of the Symantec appliance does not block
suspicious queries - it monitors and reports on what the database is up to.
CareGroup's experience with the Symantec product has convinced Shammout that he'll use it eventually to monitor CareGroup's
15-database-server farm at the center, even though the tool, unofficially named Symantec Database Audit and Security, remains
officially unannounced.
"It shows me the unauthorized users trying to get to the server," Shammout says about the appliance that has resided since
September in front of the target servers to monitor traffic. "We get 250,000 queries per hour to these three servers. It captures
everything in a passive mode, and I can set up rules to be alerted if someone is trying to delete a database or attack it,"
he says. The tool watches for database-specific attacks, such as SQL injection.
A few weeks ago when a patient complained that someone deleted a table of information, the data center was able to determine
that a patient had done so by accident.
Laws governing protection of patient data, including the Health Insurance Portability and Accountability Act, require hospitals
to store records for seven to 30 years. Shammout says the data collected by the Symantec Database Audit and Security tool
will be kept as part of that collection.
CareGroup has been using Idera's Compliance Manager product for Microsoft SQL, but Shammout isn't keen on adding auditing software directly to the server, because it uses up
the server's processing resources.
The tool doesn't have a way yet to export the information it collects to an external database, Shammout says. But as an early
adopter, CareGroup, which is associated with Harvard Medical Center, has the opportunity to influence development to ensure
it works the way CareGroup prefers.
In addition, Shammout says he expects a special deal when he buys the tool, because CareGroup contributed to its development
in a production environment. Symantec voiced no reservations.