Mosaic Medical is a nonprofit community health center system with primary care clinics in the central Oregon cities of Prineville, Bend, Madras, and Redmond. In 2002, a group of community members set out to create affordable and accessible care options in the region, beginning with the Ochoco Community Clinic in Prineville. By 2008, the group had opened three community clinics united under the Mosaic Medical name. Today, Mosaic Medical employs more than 230 people in nine clinics, with plans for a tenth clinic soon.
Mosaic Medical runs a distributed mesh network of 350 computers with about 15 servers spread out over primary locations. Clinicians and administrative staff log into a Citrix virtualized environment to access the health system’s main application—an Epic electronic medical record (EMR). The health center hosts instant messaging and email through Microsoft Exchange.
Since 2005, Mosaic Medical has entrusted Trend Micro with its evolving security needs. From 2008 to mid-2014, Mosaic relied on Trend Micro Worry-Free Business Security Advanced. When the contract was due for renewal, Mosaic saw it as an opportunity to review their evolving needs and to seek more advanced web security controls.
With concerns over bandwidth and employee productivity, the growing organization saw a need for Web access controls that could apply permissions and rules to users rather than machines. “At Mosaic Medical, an office might be used by one person one day, and by another person the next day. If the rules are tied to an office machine, we have a lot less control,” said Mike Thomas, Director of IT at Mosaic Medical.
“We are very restrictive on streaming video, as it uses up a lot of bandwidth that might be needed by another department for clinical use,” said Steven Wegener, IT Systems Support for Mosaic Medical. Wegener saw a need to restrict most user groups to a few sites, but allow some individuals within those groups freer access to the Internet while still maintaining the highest security.
Mosaic Medical also wanted the ability to block potentially dangerous links in spam. “Every company has employees who receive emails and clicks on links,” said Wegener.
Finally, they wanted stronger, more flexible reporting tools, along with visibility into each user’s web activity at a granular level. “We didn’t have a standard way to track web activity from our users with our former solution. We could not count on web browser history, since a user could clear that or change workstations,” said Thomas.
“The level of security and control we get from InterScan Web Security helps me sleep better at night.”
Director of IT, Mosaic Medical
Mosaic Medical has deployed the new gateway security service on a facility-by-facility basis, currently protecting about half of its 350 seats. Since the InterScan service is cloud-based, Mosaic can continue to run Worry-Free at the same time, with no conflicts, until installation is complete. Wegener reports that throughout the deployment, they have received prompt answers to their questions, and have quickly grown familiar with the solution’s capabilities.
InterScan Web Security scans inbound and outbound traffic for malware, blocks new threats before they get to endpoints, and provides instant updates for immediate protection. It enforces custom rules and policy actions to ensure complete control over the types of content and applications a user can access.
“The InterScan web solution gives us granular control right down to specific users in our Active Directory,” said Wegener. “If I really wanted to, I could allow just two users access to YouTube sites with a combination of access rules, application control, and custom categories where I can set specific domains to block or allow.”
With a cloud-based management console, Wegener and his team have visibility into the web usage of individual users, along with other useful information for assessing security posture, human resources, and compliance. Furthermore, the InterScan Web Security service decrypts and inspects HTTPS-encrypted content, to prevent tactics that evade other solutions. And its web reputation technology uses continually updated detection intelligence and threat research to block malicious URLs and protect against new threats in real time.
“Trend Micro responded quickly to our needs. I would send an email to the account representative, and he would generally get back to me before I had time to recheck my email.”
IT Systems Support, Mosaic Medical
During their contract renewal period in mid-2014, Mosaic Medical decided to upgrade its security solution to include more sophisticated web security controls. Trend Micro’s cloud solution, InterScan™ Web Security as a Service offered a gateway solution for stopping malware that satisfied HIPAA requirements, enforced web filtering, and had advanced reporting capabilities.
Mosaic determined that their fast-growing network needed the flexibility and efficiency of a cloud-based solution. Wegner also found that competing on-premises solutions couldn’t match the level and quality of service they were accustomed to with Trend Micro. “The decision to stay with Trend Micro was easy, as we’ve been happy with Trend Micro’s solutions and service,” said Wegener.
Today, when a provider at Mosaic Medical takes home their laptop to access EPIC EMR through a home Wi-Fi connection, rules set by Mosaic Medical IT continue to apply to the machine. “With InterScan Web Security as a Service, we experience the same level of control outside of our network as we have inside. That’s one of the ways it makes our computing environment safer,” said Wegener.
The granular level of access control is working as Mosaic Medical hoped it would, and Wegener has set 13 custom web filtering rules so far. By limiting who can access social media and video websites, Mosaic Medical holds its employees to a high standard and improves overall productivity. Restrictions on streaming video also help manage bandwidth, which provides a cost savings benefit to the organization.
By selecting Security as a Service, Mosaic Medical gains predictable, user-based subscription pricing and the flexibility to grow quickly. It also lets Wegener’s team manage and troubleshoot many clinics remotely, reducing travel time and expenses.
The Trend Micro tech team has been quick to respond to Mosaic Medical concerns. For example, Trend Micro helped to build a custom Microsoft Software Installer (MSI) to facilitate remote installation until Mosaic Medical could resolve issues with its usual application deployment management software. Trend Micro also acted quickly to improve readability on websites containing blocked domains. “While trying out a fairly new security product, we experienced lots of response to our feedback from the Trend Micro development team and phenomenal support from the tech team,” said Thomas.
“Our experience with this deployment has given me great confidence in Trend Micro and in the InterScan Web Security service.”
IT Systems Support, Mosaic Medical
With deployment of the new service well underway and the successful enforcement of strict web security policies, Wegener and Thomas look forward to making more use of its flexible reporting features in the near future. “The reports inside the control console are very good. Trend Micro moved away from reports that look like a spreadsheet to reports that give users a dashboard feel,” said Wegener.
Several clinic locations have asked for a kiosk-style guest computer that patients can access from the lobby to make their visit to the clinic faster and more pleasant. “We would absolutely use InterScan Web Security to lock that down,” said Wegener.
Mosaic Medical www.mosaicmedical.org
Region North America, United States, Oregon
IT Environment Mesh network, Windows 7, Microsoft Exchange, Main Application: Epic in Citrix virtualized environmen