Network segmentation policy protects high-value database from low-level access breach
The current state of healthcare information technology networks is good in that it enables robust communication, is highly resilient and is scalable and agile. But it's bad in that it enables too much communication, does not confine users to minimum necessary access and is overly complex.
The problem is when every user has access to every application or resource. The solution is network segmentation – where users only have access to the apps and resources they need to do their jobs, said Chad Wilson, director of IT security at Children's National Health System.
"Segmentation should be based on the value of a critical business asset or resource, not simply on network boundaries," Wilson explained, during a HIMSS Learning Center webinar, Reducing Cyber Risk with Cloud and Network Segmentation. "The first move of an attacker is reconnaissance. That is essentially what the first step of the segmentation strategy should be – identifying resources, both data and assets."
To protect a network, it is important to gather intelligence about the weaknesses that may exist. Attackers exploit these weaknesses to move from one resource to the next until they hold privileged access to all critical resources. That makes any resource, even one considered to have low value, extremely valuable if it serves as the entry point into the network and leads to a more valuable target.
"These assets, or objects, are primarily digital in nature and can include, but are not limited to hardware, such as servers, workstations, handheld devices and printers; software, such as operating systems, server and client applications, and firmware; and documentation, such as network diagrams, asset information, product designs and employee information," said Wilson.
The value of an asset is not solely based on the value of its physical hardware, for example, but rather on the value of the data it contains. If an iPad containing private information about all employees is stolen, the total value of the loss is not merely the cost of replacing a $500 iPad.
The result of this exercise of gathering intelligence is a comprehensive view of the resources on the network along with their risk classification and rating. Organizations should understand how various resources relate to each other, and not treat them individually, Wilson said. A low-value target may ultimately provide access to a very high-value target, so the entire chain should be protected with ample controls.
"You should now be able to move on to the next steps of creating a network segmentation policy that uses the value of each asset to determine how it should be protected," he said. "For example, if user workstations are treated as a low-value target but are used to compromise a system that is of high value, such as an employee database, the workstations should also be segmented depending on the resources they are accessing."
Other steps in the network segmentation process include policy creation, access control modeling, execution and monitoring.
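The steps above (inventory the assets and rate them, treat them as a chain rather than individually, then let the value of each asset drive its segmentation) can be worked through in code. The following is an added example, not code from the webinar or from Children's National Health System: it takes a constructed asset inventory with intrinsic values, the flows that are currently possible on a flat network, and the flows staff actually need, then propagates value along reachability so a low-value entry point inherits the value of whatever it can pivot to, assigns each asset a zone from its kind and the tier of what it must reach, and emits a default-deny allow-list plus the flows to remove. All asset names, values, flows and the tier thresholds are assumptions for illustration.

```python
"""Value-driven segmentation planning (added example, not from the webinar).

Asset names, intrinsic values, flows and tier thresholds below are constructed
for illustration; substitute a real inventory and observed-flow data.
"""
from collections import defaultdict

# Constructed inventory: asset -> (kind, intrinsic value 1..5)
ASSETS = {
    "ws-nurse-01": ("workstation", 1),
    "ws-hr-07": ("workstation", 1),
    "printer-3f": ("printer", 1),
    "app-ehr": ("application", 4),
    "db-ehr": ("database", 5),
    "db-employees": ("database", 5),
}

# Constructed picture of the flat network today: every (src, dst) pair that can talk.
CURRENT_FLOWS = {
    ("ws-nurse-01", "app-ehr"), ("ws-nurse-01", "printer-3f"),
    ("ws-hr-07", "db-employees"), ("ws-hr-07", "printer-3f"),
    ("printer-3f", "db-employees"),   # nobody needs this; it is simply reachable
    ("app-ehr", "db-ehr"),
}

# Constructed list of flows people need to do their jobs (the target state).
REQUIRED_FLOWS = {
    ("ws-nurse-01", "app-ehr"), ("ws-nurse-01", "printer-3f"),
    ("ws-hr-07", "db-employees"), ("ws-hr-07", "printer-3f"),
    ("app-ehr", "db-ehr"),
}


def reachable(flows, start):
    """Assets an attacker who holds `start` can pivot to, following flows transitively."""
    graph = defaultdict(set)
    for src, dst in flows:
        graph[src].add(dst)
    seen, stack = set(), [start]
    while stack:
        for nxt in graph[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    seen.discard(start)
    return seen


def effective_value(assets, flows):
    """Intrinsic value raised to the value of the most valuable reachable asset."""
    return {
        name: max([own] + [assets[r][1] for r in reachable(flows, name)])
        for name, (_, own) in assets.items()
    }


def tier(value):
    """Assumed mapping from a 1..5 value to a protection tier."""
    return "restricted" if value >= 4 else "controlled" if value >= 2 else "general"


def segmentation_plan(assets, current, required):
    """Zones from asset kind plus the tier of what it must reach, a default-deny
    allow-list, the flows to remove, and the entry points whose risk today exceeds
    the risk they would carry once only required flows remain."""
    today = effective_value(assets, current)
    target = effective_value(assets, required)
    return {
        "zones": {n: f"{assets[n][0]}:{tier(target[n])}" for n in assets},
        "allow": sorted(required),
        "remove": sorted(current - required),
        "escalations": sorted(n for n in assets if today[n] > target[n]),
    }


if __name__ == "__main__":
    plan = segmentation_plan(ASSETS, CURRENT_FLOWS, REQUIRED_FLOWS)
    for key, val in plan.items():
        print(key, val)
```

On the constructed data the printer is the finding the article warns about: it is a $1-tier device today rated as valuable as the employee database because it can reach it, and it drops back to "general" once the unneeded printer-to-database flow is removed. The nurse workstation stays in a "workstation:restricted" zone because the EHR application it legitimately reaches fronts a high-value database, which is the "segmented depending on the resources they are accessing" rule applied mechanically.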
Ultimately, healthcare CIOs should realize five key benefits from a segmented network, said Wilson.
"Enhanced performance: With defined data paths and defined zones, an organization can optimize bandwidth based on services and priority of applications and communication," he said. "Improved security: Proper segmentation can improve visibility into expected behavior versus malicious behavior. It can limit an attacker's ability to move within the organization thereby reducing risk."
Knowledgeable associates are another benefit, he said: an organization's employees and partners gain knowledge of the compartmentalized systems, which creates education and training opportunities specific to the organization.
Yet another benefit is administrative control, Wilson explained, as segmentation gives better control over systems and data – an organization can control not only who accesses the data but also from what system and from what location.
"And equipment and software," he said. "Investments in equipment and software for segments can leverage the one to many concepts allowing for improved scaling of technology. In addition, there are opportunities to remove the duplication of technology for cost reduction benefit."