St. Luke’s University Health Network practices data security the way it practices medicine—it constantly drives improvement with a future-oriented approach. Its growing network of hospitals and hundreds of St. Luke’s Physician Group practices might present a security challenge, but the St. Luke’s IT security team has a remedy ready. It uses Microsoft Security solutions for a unified strategy that reduces the vendor footprint, lowers costs, and continually sharpens data security.
For St. Luke’s University Health Network, protecting patient data is key to delivering great care. Serving people in Pennsylvania and New Jersey at 13 hospitals and 607 practices, including a number of specialties, it has a sizable data estate to safeguard. Succeeding at that vital mission got easier when St. Luke’s reduced its number of security tools and gained dramatically greater visibility into the data it needs to maintain security. It replaced several third-party security solutions with Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft Defender for Office 365, adding to its existing Microsoft Security solution base for a unified security posture that helps security teams do what they do best: protect St. Luke’s from an ever-evolving threat landscape.
Replacing diverse security apps with a high-value, tightly coordinated whole
Chief Information Security Officer David Finkelstein recalls his early days at St. Luke’s—then a smaller network of hospitals and providers, but one whose structure created complexity for IT security teams. The original four hospitals each had unrelated, individual platforms and data-handling practices. In total, St. Luke’s had about 37 different point solutions, including Proofpoint for email threat protection and Symantec for antivirus, encryption, and data loss prevention. “Our third-party tools did a good job in their specialized areas,” explains Finkelstein. “The problem was that none of them talked to each other or shared data.” Piecing together the information needed to assess the security status of the organization’s complex landscape yielded an incomplete picture and took precious time. There were other issues with those tools, too.
Hospital employees chafed at the occasional downtime caused by performance hits from the very tools that were supposed to protect the business. “From a performance standpoint, many third-party tools really slow down devices,” adds Finkelstein. “That means constantly having to make exceptions for applications, even to the endpoint. Our Microsoft solutions just simply work. They don’t affect performance or require significant exceptions, and it’s easy to use all the features.”
In mid-2020, the St. Luke’s IT team expanded its Microsoft Security solution base with Microsoft Sentinel, a security information and event management (SIEM) solution that offers scalable, cost-effective threat detection and response. It compiles data from Microsoft Defender for Cloud Apps and Microsoft Defender for Endpoint for real-time threat evaluation and response. “Being able to coordinate all of our threat data through Microsoft Sentinel helped us to switch to predictive mode,” says Finkelstein. “And we can throw those predictions into other non-Microsoft tools to make a complex data landscape easier to manage.”
Where St. Luke’s once struggled to piece together data from disparate point solutions, it now has a complete picture. “With our Microsoft Security solutions, I can easily access the data, analyze it, and present it to other decision-makers,” says Finkelstein. “My job—securing data—has always been the antithesis of the CIO function to move ahead quickly. But we join forces with data from our Microsoft Security platform to go to the board and show them where our struggles are, and get the support we need to best protect St. Luke’s.”
His other job gives Finkelstein a unique perspective on IT security—when not guiding cybersecurity at St. Luke’s, he’s Chief Information Security Officer in the United States Army. “The military needs to be extremely restrictive,” he explains. “It’s also a big Microsoft shop, and when I deploy security solutions in that more buttoned-up environment, it’s an excellent way to see how they will perform in healthcare.”
Benefiting from a tool set that’s greater than the sum of its parts
As a healthcare provider, St. Luke’s must maintain several highly specialized medical systems. The healthcare environment makes the advantages of a tightly connected security suite even more important. Finkelstein’s team relies on Microsoft Sentinel to stay informed about the number of compliant servers, applications having issues, users experiencing malicious activity, and many other factors. Using it also relieves the team of the burden of reading and interpreting raw log lines by hand—a significant task in an environment where 30 different data sources connect to Microsoft Sentinel. “The beauty of Microsoft Sentinel is that it converts large volumes of security data into dashboards and graphics that instantly convey the situation,” says Finkelstein. “It gives us a rich depiction of our environment.”
The team uses Microsoft Defender for Cloud to help assess and maintain the security state of its hybrid cloud workloads. “As a CISO, I consider Microsoft Defender for Cloud invaluable for giving me the full picture of how to tighten security in our infrastructure,” says Finkelstein. “I can see outstanding tasks, where our vulnerabilities are, what our priorities should be—I’ve never had access to all this information with any other tool.”
Finkelstein is adamant about the value St. Luke’s gets from Microsoft Defender for Office 365. “Unlike our Proofpoint installation, with Microsoft Defender for Office 365, we can really see employee activity that could be damaging to our environment, like opening a phishing email or clicking on a harmful link,” he explains. “We can follow the threat path and understand exactly how that threat proliferated through the environment, where our tools combat it, and where we need to optimize procedures.”
His trust in Microsoft, already high, grew when the Microsoft Cyber Defense Operations Center notified St. Luke’s of a critical breach that occurred when an employee downloaded a file infected with malware. “Microsoft came in and literally saved the day, providing a level of protection I didn’t realize I had,” recalls Finkelstein.
Stretching resources to cover an expanding field
Over the past few years, the internal user base at St. Luke’s has grown by roughly 8 percent—about 5,000 people. But the IT department head count remains stable at just 6 people. Finkelstein has no doubt about the reason for the enhanced efficiencies and effectiveness. “The automation and the playbooks we gained through the Microsoft Security suite help make the tools essentially an extension of each of my engineers. Those busy people no longer have to research each threat and enact the decisions that they would automatically make anyway,” he says. “We get better insights now that are actionable, because they interoperate with all of our Microsoft tools.”
The team continues to make the most of the AI technology threaded through the Microsoft Security solutions. “We’re building on the connectedness that AI brings to the Microsoft Security tool set, not only to train the tools, but also to have them learn from each other,” he says. “We’re building a lot of playbooks within the systems, and having a single pane of glass makes it very easy to transact data back and forth.”
Ease of use is vital to the effectiveness of Finkelstein’s small team. “We probably spent 1,000 hours a year managing Proofpoint, keeping it up to date, changing policy, and so forth,” says Finkelstein. “By contrast, since implementing Microsoft Exchange with Microsoft Defender for Office 365 a year ago, we’ve spent about a third of that time and made only minimal changes. Microsoft continues to make significant improvements, and we don’t have to do anything to automatically benefit from those protections.” That means more time for Finkelstein and his team to attend to the most complicated issues on their collective plate. “Proofpoint went down every quarter, but our Exchange email hasn’t gone down once since we rolled out Microsoft Defender for Office 365,” he affirms. “We haven’t had a fire drill in more than a year. With everything else I have to worry about, that’s a significant win.”
Creating a security-aware culture for a proactive future
Finkelstein points to the tensions that traditionally drive a wedge between IT security teams and the rest of an organization. While CIOs often get lauded as business enablers, CISOs are too often regarded as the people slowing everything down in the name of tighter security. He wanted to counter that perception.
“One of the biggest challenges to any security program is changing the culture,” Finkelstein says. “And to do that, we had to make sure that employees understood the ‘why’ of what we do. We want them to view us as enablers, not as the bad guys who disrupt their workflows with time-consuming security processes.”
To continue cementing the partnership between the IT security team and other St. Luke’s employees, Finkelstein is focusing on proactive, predictive analytics that raise the level of protection while keeping the impact on users low. “I believe that Microsoft is likely the first company on the cusp of creating the predictive model that will take us past threat detection and enable threat prevention,” he concludes. “That’s why we trust Microsoft.”