Interfaith’s zero trust network protects against cyberattacks, saves $2 million
Interfaith Medical Center in Brooklyn, New York, is a 287-bed non-profit teaching hospital with ambulatory care clinics that treat more than 250,000 patients every year.
Christopher Frenz, assistant vice president of information security at Interfaith, is a strong believer in testing security and empirically determining how secure an organization actually is.
By 2015, it was becoming clear to him that eventually a hospital was going to be hit by a ransomware attack. This sparked his interest in determining just how well Interfaith would be able to withstand an attack.
“One of the ways I approached this was simulating a mass malware outbreak within the hospital, using a custom developed script and the EICAR test string,” he explained. “Running the script attempted to copy and execute the EICAR test string on each PC within the organization to simulate the lateral movement of a threat within the hospital.
“Exercises like these are great because they help an organization concretely identify what security controls are effective, which controls are ineffective or in need of improvement, how well or not the staff response to an incident will be, and if there are any deficiencies in the organization’s incident response plan,” he explained.
While this particular exercise yielded many areas for potential improvement, one of the findings that really stood out was that the network segmentation in place was effective at mitigating the spread of the threat. This prompted Frenz and his staff to strategize about how they could take network segmentation to the next level, to further enhance security and begin a journey toward a zero trust network.
“The continued ransomware attacks against hospitals and the pandemic outbreaks of WannaCry and NotPetya worked to not only reaffirm our strategy, but also clearly identify that the protection of healthcare assets was not just a matter of protecting patient information, but a matter of protecting patients themselves,” he said.
“These ransomware attacks lead to the encryption of medical devices at hospitals around the world, potentially exposing patients to delays in care and other possible adverse outcomes,” he added.
One of Interfaith’s key security goals over the last few years has been to use a zero trust network approach to make such lateral movement within the organization as difficult as possible to ensure that patients remain protected.
“Hospitals seeking additional guidance on methods of securing medical devices are encouraged to check out the OWASP Secure Medical Device Deployment Standard v2 – published jointly by the Open Web Application Security Project and the Cloud Security Alliance,” he advised.
Most enterprise application environments in hospitals have relatively little to no network segmentation or firewalling between workloads, Frenz contended.
“To prevent threats from moving from server to server in our Meditech EHR system and other systems, we deployed VMware NSX Data Center to create a more secure infrastructure and reduce the risk of cyberattacks coming in from IoT devices and other end-points,” he explained. “The solution also enables us to link automated, fine-grained security policies to individual virtual machines to increase flexibility and overall efficiency, while meeting meaningful use requirements.”
In addition, Interfaith Medical Center has used VMware’s AppDefense, a data center security solution that provides a holistic understanding of each workload’s intended state and protects critical applications on its virtual infrastructure, he said.
“Integrated with VMware vSphere, the combination of all three solutions delivers complete, application-level segmentation for an advanced, least privilege security posture that prevents unexpected behavior from executing in the environment,” he explained. “As a result of this deployment, Interfaith Medical Center can seamlessly defend against emerging threats and protect against ransomware attacks.”
Finally, Interfaith implemented VMware’s Horizon and Workspace ONE in an effort to provide clinicians with enhanced security and mobility.
“The solutions secure virtual desktops to mobile devices and lock down hospital-issued devices, with the ability to remotely wipe a device if it’s lost or stolen,” he stated. “Leveraging VMware’s solutions has provided our medical professionals with faster access to medical information, resulting in more responsive care.”
There are a variety of virtualization and network security technology companies on the market. Some of these vendors include Amazon, Citrix, Google, Microsoft, Oracle, Red Hat and Virtual Bridges.
Interfaith Medical Center has been able to cost-effectively scale its data center and provide its small security team with the right tools and resources to better safeguard patient data and applications, Frenz contended.
“As a result, we have successfully avoided malware outbreaks and are actively detecting and responding to advanced threats, long before they impact privacy or operations,” he said. “In fact, our zero trust approach was demonstrably effective when a medical device that had been sent out for repair was returned to service – a device that unbeknownst to us became malware-infected while in the care of the repair vendor.”
The zero trust architecture kept the threat from spreading to anything else in the organization during the very short time it took for the DNS sinkhole to detect the threat and for the security team to respond, he added.
“Additionally, the hospital has significantly reduced data center costs – even as we expand patient offerings and empower patients to be more proactive about their own care, such as checking their health records or prescriptions from home,” he said. “In fact, virtualizing Interfaith Medical Center’s servers resulted in cost savings of more than $2 million over a seven-year period, and we achieved 100% payback on vSphere in half that time.”
And VMware’s NSX Data Center played a critical role in helping the provider organization achieve regulatory compliance and meet meaningful use objectives by adding an extra layer of security to better protect patient health information.
“It helped the medical center qualify for meaningful use Stages 1 and 2, earning incentive payments for the medical center to re-invest in a new healthcare technology,” Frenz explained. “In addition, the solution also enables us to make critical patient data more readily available to hospital staff and patients, all while keeping information segmented and secure.”
The hospital now is in the process of completing meaningful use Stage 3 qualification, which includes the Protected Patient Health Information and Health Information Exchange objectives.
ADVICE FOR OTHERS
“Cybersecurity is a top concern for all hospitals and is increasingly becoming a matter of patient safety,” Frenz advised. “Healthcare needs to begin to focus on more than just compliance alone, as it is far too easy to achieve a state where an organization meets compliance requirements but is still woefully insecure. Organizations need to begin to put their security to the test and pick solutions that can empirically be shown to improve their security posture.”
Additionally, for organizations looking to improve and bolster their application and network security, it’s important to find the right vendor that will provide a seamless, holistic platform that does more than just maintain compliance, he added.