How Ballad Health Uses to Protect Its Complex Attack Surface

Team Tenable

Ballad Health’s network includes IT, internet of things and operational technology assets used by staff, practitioners and clients across 21 sites. Here’s how it’s using to find and fix vulnerabilities. 

Ballad Health is an integrated healthcare system serving 29 counties of Northeast Tennessee, Southwest Virginia, Northwest North Carolina and Southeast Kentucky. The organization, formed in 2018 as the result of a merger, operates a family of 21 hospitals, medical centers, care facilities and pharmacies throughout the region.

The organization’s network accommodates some 19,000 employees plus guest users and spans a variety of IT, internet of things (IoT) and operational technology (OT) assets, including biomedical devices and industrial control systems. Protecting these devices and applications falls to IT Security Engineer Michael Birchfield and his team.

“There's a lot of different pieces to the puzzle,” said Birchfield in an interview with Tenable during the Edge 2019 User Conference in May. “It's one thing that you have servers, it's one thing that you have network equipment and another that you have endpoints — whether they be PCs, laptops, remote users — but there's also the IoT devices.” In addition, the organization provides connectivity for patients and visitors so they can use their devices in the facilities. 

In such a complex attack surface, the number one challenge is “knowing what you have versus knowing what you think you have,” said Birchfield. 

Ballad uses (formerly SecurityCenter) to help resolve this challenge. Birchfield highlighted the platform’s discovery scanning functions, particularly the ability to scan actual subnets versus relying on manual entry. “You may see double the amount of stuff on your network than you thought you initially had from conversations with staff and your analysts,” he said.

For example, said Birchfield, “Say you had 30,000 devices you thought you were worried about and then you find out you have 60,000. That just shows you why you needed this product, because no one else thought you had that and this just generated a report showing it.”

The reporting available in enables Birchfield to drill down into the data to see what those previously undiscovered things actually are. From there, he’s able to find out who owns the various assets. Hint: it’s not always IT. In some cases, the discovery turns up biomedical devices, IoT devices or even gadgets a staffer may have brought into their office without telling anyone. 

It can be too easy for these non-IT devices to be overlooked at remediation time. “If 20 percent of the stuff you didn't manage shows up on this report, who do you go to to solve that problem?” said Birchfield. “It may not be IT at all. It may be a totally different organization in the group or in the company … for us, it's very important to show that all of these things exist and, if it's not in IT, [to figure out] who does it belong to and are they responsible for patching it and keeping it up to date?”
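The reconciliation Birchfield describes (discovery scan results on one side, the asset inventory on the other, and the question of who owns whatever falls in the gap) is the kind of check a team can script once and rerun after every scan. The following is an added example, not Ballad Health’s or Tenable’s code: the discovered hosts, inventory records and subnet-to-owner mapping are constructed sample data, and a real run would read scanner and CMDB exports instead.

```python
"""Reconcile discovery-scan results against an asset inventory.

Added example; the scan output, inventory and subnet owner table below are
constructed for illustration, not taken from any real environment.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: hosts a discovery scan found across three subnets.
DISCOVERED = [
    {"ip": "10.20.1.10", "hostname": "srv-ehr-01", "os": "Windows Server 2016"},
    {"ip": "10.20.1.11", "hostname": "srv-ehr-02", "os": "Windows Server 2016"},
    {"ip": "10.20.1.57", "hostname": "", "os": "Embedded Linux"},
    {"ip": "10.20.5.23", "hostname": "infusion-pump-4", "os": "VxWorks"},
    {"ip": "10.20.5.24", "hostname": "", "os": "Unknown"},
    {"ip": "10.20.9.2", "hostname": "wlc-guest-01", "os": "Cisco IOS"},
]

# Constructed sample: inventory records keyed by IP. "in_vm_program" records
# whether the owning group has the asset in a patch/vulnerability cycle.
INVENTORY = {
    "10.20.1.10": {"owner": "IT", "in_vm_program": True},
    "10.20.1.11": {"owner": "IT", "in_vm_program": True},
    "10.20.5.23": {"owner": "Biomed", "in_vm_program": False},
    "10.20.9.2": {"owner": "IT", "in_vm_program": True},
}

# Hypothetical fallback: which group usually owns a subnet, used only when the
# inventory has no record for a discovered host.
SUBNET_OWNERS = [
    (ipaddress.ip_network("10.20.5.0/24"), "Biomed"),
    (ipaddress.ip_network("10.20.9.0/24"), "Network"),
]


def guess_owner(ip):
    """Return the probable owning group for an IP, or UNKNOWN if no subnet matches."""
    addr = ipaddress.ip_address(ip)
    for net, owner in SUBNET_OWNERS:
        if addr in net:
            return owner
    return "UNKNOWN"


def reconcile(discovered, inventory):
    """Sort each discovered host into one of three buckets.

    managed:            in inventory and covered by a patch/VM program
    outside_vm_program: in inventory, has an owner, but nobody is patching it
    unknown:            not in inventory at all; owner must be established
    """
    report = {"managed": [], "outside_vm_program": [], "unknown": []}
    for host in discovered:
        rec = inventory.get(host["ip"])
        if rec is None:
            report["unknown"].append({**host, "probable_owner": guess_owner(host["ip"])})
        elif not rec["in_vm_program"]:
            report["outside_vm_program"].append({**host, "owner": rec["owner"]})
        else:
            report["managed"].append({**host, "owner": rec["owner"]})
    return report


def unmanaged_share(report):
    """Percentage of discovered hosts that no patch cycle currently covers."""
    total = sum(len(bucket) for bucket in report.values())
    unmanaged = len(report["outside_vm_program"]) + len(report["unknown"])
    return round(100 * unmanaged / total, 1) if total else 0.0


def by_owner(report):
    """Group the hosts needing a decision by (probable) owner, one list per team."""
    groups = defaultdict(list)
    for host in report["outside_vm_program"]:
        groups[host["owner"]].append(host["ip"])
    for host in report["unknown"]:
        groups[host["probable_owner"]].append(host["ip"])
    return dict(groups)


if __name__ == "__main__":
    rep = reconcile(DISCOVERED, INVENTORY)
    print(f"{unmanaged_share(rep)}% of discovered hosts are outside any patch program")
    for owner, ips in sorted(by_owner(rep).items()):
        print(f"  {owner}: {', '.join(ips)}")
```

The per-owner grouping is the useful output: rather than one undifferentiated list of unmanaged hosts, each group receives only the addresses it is probably responsible for, and the UNKNOWN bucket is the list that still needs someone to claim it.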

‘It Makes Non-IT People Understand Why This Is Important’

Having detailed reports to point to has an added bonus: it “makes non-IT people understand why this is important,” Birchfield said. This is useful not only for communicating amongst teams but also for sharing information with the C-suite and the board. 

The reporting capabilities of also help the IT team stay on track with patching, explained Birchfield. “If IT is managing this whole network infrastructure and everything plugged into it [and] you have a group of 20 percent of your assets out there are not IT and they're not in your vulnerability management program.” The question then becomes: who is responsible for the patch cycles for this portion of assets? gives the teams a source of clarification to resolve miscommunications that can arise when a practitioner claims they’ve patched something but it’s still showing up in a vulnerability report. “In the past, that would be a discussion where you just went back and forth [without resolution],” said Birchfield. “Well, today, in Tenable, you can actually go in and show, ‘yes you patched it, but the reason it's showing up is because of this piece right here.’ You can drill down into the vulnerability and it will tell you, ‘hey, you need to configure this. This is a registered change.’ So not only do you patch it, but you have to make this change to make it acceptable.”

Birchfield noted that, in most of these cases, it turns out that people did the right thing but didn't know there was a second step to the patch. “In the past, I don't think that was ever picked up on,” he said. “People applied the patch and moved on and [if there were] things that needed manual entry, they just didn't know what needed to be done, so they were still vulnerable.”

Customized Reports Help Improve Communication

The ability in to customize reports and dashboards to different audiences is also an advantage for Birchfield. “I don't want to send somebody something that I know they're never going to look at. If it takes too long and it's too congested, they're not going to spend time on it,” said Birchfield. “But if I give them something that really tells them what they need to focus on, and it only takes two or three minutes for them to figure that out, that's important and that's powerful because they can see right away where they are, where they need to be and what exactly it is they need to fix in order to address that issue. That's very important for me because I know they'll do it if it's something I can give them that's easy to read.”

Birchfield said he’s not yet used the Vulnerability Priority Rating in but it “looks fantastic.” VPR, a new capability introduced this year in and, is the output of Tenable’s new Predictive Prioritization offering. Introduced in February 2019, Predictive Prioritization combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a VPR for each vulnerability. 

“Today, I'm showing people what all needs to be done, and they're looking at it going … ‘Which ones do I start with?’ ” said Birchfield. “Well, now I can tell you.”

Watch now: Tenable interviews Michael Birchfield, IT Security Engineer with Ballad Health, at our Edge 2019 user conference.

Learn More:

  • Visit our Predictive Prioritization webpage here.


Published on Sep 19, 2019
