Checklist for a successful network segmentation within a Health System
Network segmentation is a primary risk-mitigating strategy against current cyber security threats, namely ransomware. However, enterprise-wide adoption within healthcare delivery organizations (HDOs) has been low. Why? There’s a perception that segmentation is too complex, requires specialized implementation skills and might add risks of disruption to clinical care. More pointedly, when you don’t have an accurate inventory and classification of your assets, segmentation never gets off the ground. With the heightened number of attacks and increased capability to properly inventory assets, segmentation is gaining real momentum. In fact, many HDOs have successfully executed segmentation without disruption as an essential element of defending against their cyber risks.
The case for segmentation
Few HDO cybersecurity professionals will argue against the potential benefits of software-based segmentation. HDOs are complex organizations with networks interconnecting IT, IoT, IoMT and OT devices. That means they’re at risk of the east-west spread of malware across flat networks where unmanaged FDA-controlled devices are on the same physical network as nurses’ workstations, the coffee shop Wi-Fi, visiting doctors’ iPads, door controls and security cameras.
Still, IT and security teams must protect their network while ensuring continuity of care, even though they’re uncertain what’s actually connected to their networks. They are loath to disconnect or disable any unknown devices for fear their actions might interrupt essential patient care. Segmentation is a great approach that can protect networks against risks such as ransomware, compliance fines or stolen confidential patient information, limiting the blast radius of a compromise while other systems continue ensuring care and business operations.
Five simple steps towards segmentation
What I have seen with HDOs that have successfully deployed segmentation is the use of a stepped approach. Each of the following steps adds solid progress while building on the previous moves, ultimately yielding full enterprise-scale protection. So you CAN get the security of segmentation with less disruption than you might think.
- Establish visibility
The key to any successful segmentation strategy is to ensure complete visibility into everything connected to your networks, inclusive of medical devices. To accomplish this, you need a visibility solution without blind spots. That means that discovery can’t solely depend upon security agents, or it will miss many IoT, OT and IoMT devices.
- Classify
After visibility, any actionable segmentation scheme must include robust classification. Your system must detect which of your devices are infusion pumps, for instance, and classify them into a common group. Your classification scheme should encompass all devices enterprise-wide, and address every combination of user, device and service or application. Our Forescout solution automatically gathers the appropriate level of information for each endpoint, including where it sends and receives network traffic. Most of our HDO clients set up classification so that it orchestrates across systems such as Active Directory to pull users’ information, and ITSMs such as ServiceNow to tap into CMDB information on application status.
- Visualize baseline traffic
The next capability to look for in your segmentation tool is the ability to visualize current (baseline) IP traffic. Once you can identify normal traffic flow and map it to the classifications you created for users, applications, services and devices across your network, you’ll be equipped to identify and isolate anomalies. With the ability to drill down into exactly what’s happening with network traffic, down to the IP address level, you can establish unrestricted segments for devices with normal, acceptable communications and protected or quarantined segments for those with suspicious IP traffic patterns.
- Design and simulate
Based on your visibility, classification and knowledge of existing IP traffic, you can then design segmentation schemes that automate fine-tuned control. To be sure your new policies don’t impact patient care or HDO business operations in unexpected ways, you must simulate or model the policies before rolling them out. The top solutions, such as Forescout’s, enable you to pre-test your rules-based segmentation scheme and ensure your devices operate as needed. This lets you avoid exposing the entire network, including medical devices, approved PCs, visitors’ PCs, approved tablets, guest tablets, building systems and servers, to unnecessary risk.
- Monitor and respond
Once the segmentation model is completed and pre-tested, it’s time to apply the model to your actual inventory of connected devices. Automation can then take over and protect the network by taking immediate action. This avoids overwhelming your security operations team with alerts and with the need to manually move or temporarily quarantine devices that generate anomalous network traffic or have non-compliant configurations. Once you have the system in production, you can fine-tune it. Your systems analysts can closely examine “edge cases” of devices or use cases that don’t fit into your pre-established segments. Next, consider modifications and re-run the model or put it back into production.
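The five steps above map naturally onto a small pipeline: inventory and classify devices, summarize baseline flows by device group, simulate a proposed allow-list policy against that baseline to find the flows it would block, and then flag live flows that are neither baselined nor permitted. The following Python script is an added example written for this post, not Forescout code or output; the device inventory, flow records and the policy are constructed sample data, and the group names (infusion_pump, pump_management_server and so on) are assumed labels, not a real classification taxonomy.

```python
"""Segmentation design, simulation and monitoring walkthrough (added example).

All data below is constructed. In practice the inventory would come from a
discovery/classification tool and the flows from a flow collector or span port.
"""
from collections import defaultdict

# Step 1/2 (visibility + classification): IP -> device group, as a discovery tool might produce.
INVENTORY = {
    "10.10.1.10": "infusion_pump",
    "10.10.1.11": "infusion_pump",
    "10.10.2.20": "nurse_workstation",
    "10.10.3.30": "pump_management_server",
    "10.10.4.40": "guest_wifi",
    "10.10.5.50": "security_camera",
    "10.10.6.60": "ad_domain_controller",
}

# Step 3 (baseline): constructed flows (src_ip, dst_ip, dst_port, proto) observed during normal operation.
BASELINE_FLOWS = [
    ("10.10.1.10", "10.10.3.30", 443, "tcp"),
    ("10.10.1.11", "10.10.3.30", 443, "tcp"),
    ("10.10.2.20", "10.10.3.30", 443, "tcp"),
    ("10.10.2.20", "10.10.6.60", 389, "tcp"),
    ("10.10.5.50", "10.10.3.30", 554, "tcp"),  # constructed: camera reaching the pump server
    ("10.10.4.40", "10.10.3.30", 443, "tcp"),  # constructed: guest Wi-Fi reaching the pump server
    ("10.10.9.99", "10.10.3.30", 443, "tcp"),  # constructed: device missing from the inventory
]

# Step 4 (design): proposed allow-list of (src_group, dst_group, dst_port); anything else is denied.
POLICY = {
    ("infusion_pump", "pump_management_server", 443),
    ("nurse_workstation", "pump_management_server", 443),
    ("nurse_workstation", "ad_domain_controller", 389),
}


def classify(ip, inventory=INVENTORY):
    """Map an IP to its device group; anything not discovered is a blind spot."""
    return inventory.get(ip, "unknown")


def find_unknown_devices(flows, inventory=INVENTORY):
    """Step 1 check: IPs seen on the wire that the inventory does not know about."""
    seen = {ip for src, dst, _, _ in flows for ip in (src, dst)}
    return sorted(ip for ip in seen if ip not in inventory)


def group_matrix(flows, inventory=INVENTORY):
    """Step 3: summarize baseline traffic as group-to-group communication."""
    matrix = defaultdict(set)
    for src, dst, port, proto in flows:
        matrix[(classify(src, inventory), classify(dst, inventory))].add(f"{port}/{proto}")
    return dict(matrix)


def is_allowed(flow, policy=POLICY, inventory=INVENTORY):
    """Evaluate one flow against the group-based allow-list."""
    src, dst, port, _ = flow
    return (classify(src, inventory), classify(dst, inventory), port) in policy


def simulate(baseline, policy=POLICY, inventory=INVENTORY):
    """Step 4: dry-run the policy against the baseline before enforcement.

    Returns the baseline flows the policy would block. Each one is either a
    legitimate clinical dependency the policy forgot (fix the policy) or an
    unwanted path the baseline happened to contain (segmentation working).
    """
    return [f for f in baseline if not is_allowed(f, policy, inventory)]


def detect_anomalies(live_flows, baseline, policy=POLICY, inventory=INVENTORY):
    """Step 5: flag live flows that are neither baselined nor permitted by policy."""
    known = set(baseline)
    return [f for f in live_flows if f not in known and not is_allowed(f, policy, inventory)]


if __name__ == "__main__":
    print("unknown devices:", find_unknown_devices(BASELINE_FLOWS))
    for groups, ports in group_matrix(BASELINE_FLOWS).items():
        print("baseline", groups, sorted(ports))
    for f in simulate(BASELINE_FLOWS):
        print("policy would block:", f, classify(f[0]), "->", classify(f[1]))
    live = [("10.10.1.10", "10.10.2.20", 445, "tcp")]  # constructed: pump initiating SMB to a workstation
    print("anomalies:", detect_anomalies(live, BASELINE_FLOWS))
```

The simulate() output is the review list for the "edge cases" the post mentions: a blocked flow from a device classified as unknown means visibility is incomplete, while a blocked guest-Wi-Fi-to-pump-server flow is exactly the east-west path the policy should cut. Only after that list is empty or explicitly accepted does the policy move from simulation to enforcement.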
Taking this stepped approach, you can protect your HDO from cyber risks without undue risks of disruption of clinical care, business operations or overwhelming your security operations team.