'Intelligent' honey pot helps John Muir Health defend its network from bad actors
When Tom August joined Walnut Creek, California-based John Muir Health in 2015 as vice president and chief information security officer, the health system did not have a structured approach to cybersecurity. He was tasked with building it out.
The leadership at John Muir Health equates information security with patient safety – it’s that important to them. August led the development of a risk-based program that looks at threats and risks that impact the organization, not just compliance.
“The biggest technical challenge that we faced when I joined was that we didn’t know what was on the network and had no way of knowing,” August recalled. “Hospitals and medical organizations have lots of devices, from IT workstations to MRI machines, and they all are configured and managed very differently.”
As a result, each device carries a different level of risk, and the health system needed to be able to see what was on the network and understand the traffic around those devices.
“We often don’t get access to those systems because they are managed by vendors,” August explained. “That creates a visibility problem. Getting visibility into the network became our first priority. We reviewed what the options were to determine which tools were available to do the job.”
Because John Muir Health had no structured security program at all, it could start from a clean slate. In designing the security program, August and his team were able to layer in a defensive approach that reflected a more modern view of risk management, he said.
August looked at TrapX, a vendor of deception technology that provides real-time visibility across varied IT environments.
“Because of our team’s background in pen testing, we understand how attacks work,” he explained. “It was important for us to get visibility into what was happening on the network so we could determine whether any attacks were occurring. An easy way to determine whether you have malicious activity going on at the network level is to deploy honey pots.”
The smarter the honey pots are, the more information a team can get. If the John Muir team could make the honey pots look like they belonged on the network, that would be even better.
“For us, TrapX’s product acts as an intelligent honey pot that can be customized to look like it belongs on the network,” August said.
There is a wide variety of network security technology vendors on the market today. They include A10 Networks, AlgoSec, Carbon Black, Cyber Forza, Hillstone Networks, Indegy, Ixia, Skybox Security and SolarWinds Worldwide.
MEETING THE CHALLENGE
John Muir Health first spoke with TrapX in 2015, and it thought the vendor had an interesting toolkit.
“We piloted it and immediately saw that it worked as designed, so we deployed it on the most sensitive networks in the company,” August remembered. “Within a day, we found malware on two medical devices that was trying to communicate on the network. We also identified a slew of configuration issues that we knew we needed to fix.”
So August and his team were immediately able to see suspicious activity due to the malware and misconfigured devices. About a year later, they expanded the deployment to every segment of the John Muir Health network.
“It’s integrated with our logging systems and provides very meaningful information about network activity that helps to diagnose and remediate not only security issues but other operational challenges we have on the network,” he said.
August added that the provider organization has had a good experience with the security vendor’s willingness to work with other vendors and make sure its tool communicates and coordinates with other systems.
“We immediately identified things on the network that shouldn’t be there and were able to very quickly address them,” August reported. “If new things come up, we have a high degree of visibility to be able to detect them at the network level. We treat it like an early warning system. If something is moving around on the network, we’ll see it.”
ADVICE FOR OTHERS
First, be very clear on the problems you are trying to solve. These can best be clarified through risk assessments and through discussions with the business, August advised.
“Second, don’t be afraid to engage your vendors,” he added. “They work for you and are there to help you solve problems. Don’t be distracted by buzzwords. Don’t chase the shiny objects. Vendors have different goals and motives than the health system.
“We are here to help our patients heal,” he said. “So it’s important to hold the vendors accountable for helping you solve your problems. That means that vendors should be very clear on how their technologies help support or reduce the risk of providing patient care.”
CISOs should hold themselves accountable, as well, he added. Be honest, transparent and collaborative with vendors, and together the CISO and the vendors are more likely to develop an effective approach, he said.
“Finally, don’t be afraid to look to the ‘little guys’ for security solutions,” he advised. “At John Muir Health, we’re lucky that we’re so close to all the healthcare and security innovation happening in Silicon Valley. Newer players are smart. They’re hungry. They’re innovative. Do your research and find a tool that meets your specific technical needs.”