By Rob Bathurst

September 24, 2015 - Most healthcare organizations' network infrastructures and support technologies are designed according to whatever engineering principles prevailed at the time each IT system became a requirement for the organization. In practice this means several generations of infrastructure technology may be layered on top of one another, because an organization rarely rebuilds its network from the ground up every time business requirements change.

If we think about a medium-to-large healthcare organization and all the infrastructure components that compose it, it can be broken down into two major categories: the business network and the clinical network.

The business network will contain systems related to personnel management (HR), general IT systems and servers, business- and partner-related systems, billing, patient record systems (EHR/EMR), voice systems, and many others used to operate the organization from day to day.

The clinical network will usually contain point-of-care systems (infusion pumps, monitors, etc.) and the servers used to configure and control those systems. This split into two categories is for the purposes of this article; it does not mean that most organizations logically or physically distinguish the two on their network.

Most healthcare organizations, large and small, operate essentially flat networks, using switch technologies such as VLANs in an attempt to provide some traffic segmentation. A VLAN separates broadcast domains, not trust domains, so on its own it provides very little granularity in the security controls that can be applied to a specific network segment or to high-value systems like the EMR servers or point-of-care devices. The usual result is a large number of ad hoc firewall and routing rules bolted on to create some semblance of security domains or enclaves, if any rules exist at all.

As time has progressed, so too has the need for more IT systems within healthcare, resulting in more systems being put in place without the security maturity that other industries have developed to manage rapidly expanding support systems.

Some of the biggest threats facing healthcare organizations used to be theft or employees losing data, but as the years have progressed, so has the threat landscape. Large PHI data breaches now come through targeted attacks as well as opportunistic attacks on healthcare companies. Direct attacks such as phishing, social engineering, and web/database attacks (for example SQL injection) are currently the most common attack vectors into large organizations, because external remote exploitation has become more difficult as server operating systems have improved and organizations have matured.

If an attacker manages to get a foothold in a healthcare organization that is poorly segmented and controlled, not only is the PHI data at risk, but every critical care device running on the same flat network could be exposed to damage or attack. In addition, most healthcare organizations have connections to many outside partners and vendors that essentially become extensions of their own internal networks. Attackers can and will use connections into and out of a network to compromise connected organizations, and will use a foothold within one part of an organization's network to move laterally to other critical parts, such as the EMR and HR systems, to steal records or user credentials.

So, what does this mean for organizations that may be running a flat network, or a network that has grown over time to connect to acquisitions or partners? It means that the protection, detection, isolation, and response technologies and processes must be in place to face current and emerging threats.

Because many of the current threats now come from within the network, the philosophy that a good set of external firewalls and a hardened DMZ will protect the network must be rethought. What can an organization do to protect itself? The answer is often as complex as the organization trying to implement it, but can usually be put into three categories: processes, technologies, and people.

From a process perspective, an organization should have policies covering data classification and handling, IT governance, regulatory compliance, and comprehensive user education. These policies should be tailored to each organization. The right technology is one of the most critical components in growing a mature program.

A mature organization will also have multiple technologies deployed and properly configured to address the security needs of different points throughout the network. Endpoint technologies should include malware detection and execution prevention, full hard disk encryption, and centralized asset control.

Network technologies will include security information and event monitoring, with sensors in each network segment or area, centralized logging, firewalls enforcing the separation of critical network segments, and encrypted communication links.
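The following Python script is an added example, not code from the article or from any product it mentions. It makes the enclave model discussed above concrete: instead of the flat VLAN network with ad hoc rules, the business, EMR, clinical, clinical-management and partner zones are written down as an explicit inter-zone allowlist, and flow logs from a firewall or per-segment sensor are checked against it. Every CIDR range, the allowlist entries and the flow-log line format are assumptions made for this example; the sample log lines are constructed, not real traffic.

```python
"""Zone-policy checker for flow logs (added example, not from the original article).

Maps IP addresses to network zones, then evaluates each flow against an
explicit inter-zone allowlist. Anything not listed is a violation: this is the
default-deny posture a segmented network enforces and a flat VLAN network does not.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zone map. The CIDR ranges are assumptions for this example.
ZONES = {
    "business":      ["10.10.0.0/16"],   # workstations, HR, billing, general IT
    "emr":           ["10.20.0.0/24"],   # patient record (EHR/EMR) servers
    "clinical":      ["10.30.0.0/16"],   # infusion pumps, monitors (point of care)
    "clinical_mgmt": ["10.31.0.0/24"],   # configuration/control servers for those devices
    "partner":       ["172.16.0.0/12"],  # vendor and partner links
}
_ZONE_NETS = [(name, ipaddress.ip_network(cidr))
              for name, cidrs in ZONES.items() for cidr in cidrs]

# Inter-zone allowlist: (src_zone, dst_zone, dst_port). Assumed entries; everything
# else between zones is denied.
ALLOWED = {
    ("business", "emr", 443),             # workstations reach the EHR web front end
    ("clinical_mgmt", "clinical", 8443),  # control server pushes device configuration
    ("clinical", "clinical_mgmt", 443),   # devices report back to their control server
    ("partner", "emr", 443),              # partner interface to the EHR, one port only
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Return the zone name for an address, or 'external' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in _ZONE_NETS:
        if addr in net:
            return name
    return "external"


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line: '<ts> src=<ip> dst=<ip> dport=<n> proto=<p>'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Flow(ts, kv["src"], kv["dst"], int(kv["dport"]), kv["proto"])


def evaluate(flow: Flow) -> Optional[str]:
    """Return None if the flow is permitted, otherwise the reason it is not."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone and src_zone != "external":
        return None  # intra-zone traffic is left to that segment's own controls
    if (src_zone, dst_zone, flow.dport) in ALLOWED:
        return None
    return f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} not in allowlist"


def check_flows(lines: List[str]) -> List[Tuple[Flow, str]]:
    """Evaluate every non-empty, non-comment line and collect the violations."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = evaluate(flow)
        if reason:
            violations.append((flow, reason))
    return violations


# Constructed sample flow log (not real traffic). Lines 2, 3 and 5 violate policy:
# a business workstation opening SSH to a pump, a partner link reaching an internal
# SMB port, and a clinical device resolving DNS on the Internet.
SAMPLE_LOG = """\
2015-09-24T10:00:01Z src=10.10.5.20 dst=10.20.0.5 dport=443 proto=tcp
2015-09-24T10:00:02Z src=10.10.5.20 dst=10.30.1.7 dport=22 proto=tcp
2015-09-24T10:00:03Z src=172.16.4.9 dst=10.10.0.8 dport=445 proto=tcp
2015-09-24T10:00:04Z src=10.31.0.10 dst=10.30.1.7 dport=8443 proto=tcp
2015-09-24T10:00:05Z src=10.30.1.7 dst=203.0.113.9 dport=53 proto=udp
2015-09-24T10:00:06Z src=10.10.5.20 dst=10.10.7.3 dport=445 proto=tcp
"""

if __name__ == "__main__":
    for flow, reason in check_flows(SAMPLE_LOG.splitlines()):
        print(f"{flow.ts} {flow.src} -> {flow.dst}: {reason}")
```

The same allowlist that drives the checker is what the inter-segment firewall rules should express; keeping it as data makes it possible to diff the intended policy against what the firewall actually permits, and to run the checker over logs from each segment's sensor so that a partner link or a business workstation reaching into the clinical enclave surfaces as an alert rather than going unnoticed on a flat network.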

This is by no means an exhaustive list of technology for most organizations, and each organization is unique, but it is an outline of some common best practices. The most important part of a good organization, however, is people. A mature organization will have correctly trained people running its information security program, and that program will in turn train users how to operate correctly on the network. All the latest technology in the world will not help an organization if there are no properly trained employees to interpret the output of those technologies.

Rob Bathurst is a Fellow at the Institute for Critical Infrastructure Technology (ICIT) and the Director for Healthcare and Life Sciences at Cylance. Prior to Cylance, Rob was the senior technical advisor on emerging threats and attack techniques at the Mayo Clinic, where he also led the Technical Vulnerability Assessment Team and Vulnerability Management Team. He is currently finishing his Master of Science degree at the University of Oxford with a focus on the security of implantable medical devices.