Friday, April 21, 2017

The Doctor Is In: Guardium Healthcare Panel Highlights


We’ve been back from InterConnect for a while now and we can’t stop talking about what a great conference it was! Hats off to the IBM events team for smooth execution, interesting session topics and cool demos. We are already looking forward to next year.

Information Insights was fortunate enough to participate in a Guardium Healthcare panel alongside Scott Benaglio from BlueCross BlueShield of Western New York (BCBS WNY) and Gary Wright from Scripps Health. Entitled The Doctor is In: Data Protection for Healthcare, the panel discussion covered different experiences implementing and deploying Guardium within the healthcare industry. Below, we’ve recapped the main ideas shared during the session plus some takeaways you can apply to the tactical daily work of implementing Guardium. 

Special thanks to our moderator Cindy Compert from IBM for keeping us on track – that was no easy task!

The Doctor Is In: Guardium Healthcare Panel
IBM InterConnect 2017 | Main Ideas and Key Takeaways

There should be a legitimate security need for Guardium. We often see Guardium purchased and deployed merely to check off a compliance box. Unfortunately, the natural result in this scenario is an unhappy Guardium user, a lack of wide adoption, a perceived low ROI, and an underutilization of Guardium’s true database security insight. However, when there is an outlined need and a plan in place prior to purchasing Guardium, organizations are much more successful. Having an idea of your need or plan doesn’t mean you have to go through end to end process planning before you implement or even purchase!  However, having a solid business driver behind your decision will not only help guide the direction of the implementation, but will also provide you with a goal line to strive towards in order to prove that Guardium is adding value to your organization. Having a vision (however faint!) for how Guardium can help better secure your healthcare system databases will allow you to structure your implementation toward that vision and then expand as your use of Guardium matures. 

Know your users and what value Guardium brings to their job role. As Guardium advocates, we tend to over anticipate how interested administrators may be when presented with new capabilities and data our solutions can provide. After consistently seeing a lack of interest at the beginning of BCBS WNY’s Guardium journey, Scott took a step back and found that really taking the time to understand what different database administrators cared about helped him deploy Guardium in a useful way. For Scott, now folks like Systems Architects are very interested in using Guardium to help them make project decisions that aren’t even security related!

Develop a phased maturity plan. It’s unrealistic to make a quick transition from deployment to sending real time alerts with Guardium. By developing a maturity plan, you can understand where your database protection is today and what measures are needed to get where you want to be. This “grow-once-you-know” approach helps educate users on what results Guardium can produce and gives them time to feel comfortable with the reports they receive. BCBS WNY laid out their maturity model in three phases: Reactionary, Proactive and Real Time. Within these three phases, they listed out exactly how they planned to use Guardium on a day-to-day basis and used each phase as a building block to get to the next.

Understand what happens to data assets throughout the database system and how that relates to relationships with the organization.  Understanding these relationships is essential to understanding how people interact with databases across the organization, not just by person or department. Analyzing this data helps you know if the correct security controls that are dictated by healthcare protocols are in place and performing properly.


All the panel members are passionate about IBM’s Guardium solution and we hope our experiences serve to help other IT teams plan a thoughtful, deliberate Guardium deployment and implementation plan. Please let us know if Information Insights team can do anything to help promote Guardium in your environment.