How Hospitals Use Network Microsegmentation to Guard Against Cyberattacks
Ransomware attacks have ramped up markedly, particularly in the healthcare industry. Consider high-profile attacks on hospitals like California’s Hollywood Presbyterian Medical Center, which in February 2016 paid hackers $17,000 in bitcoin to regain access to its systems.
For healthcare, ransomware accounted for 72 percent of all malware attacks last year, according to Verizon’s 2017 Data Breach Investigations Report. And generally, ransomware attacks increased by more than 300 percent in 2016.
While battling such evolving threats isn’t impossible, it requires a multilayered approach that includes email authentication, application whitelisting, software patches and user training, says Christopher Frenz, infrastructure director for the Interfaith Medical Center in Brooklyn, N.Y. Frenz, who co-authored the Open Web Application Security Project’s Anti-Ransomware Guide, prefers to isolate devices.
“I shoot for a zero-trust model, where devices can only interact with other devices or systems with which they explicitly need to communicate,” he says.
Segmentation represents a vital strategy against digital threats. It limits the ability of infections to spread from one device to another across a network by breaking data centers into elements and managing each separately.
And while segmenting physical devices can quickly become complicated, Frenz says taking such an approach with regard to virtual environments is relatively easy.
IMC uses VMware’s NSX to microsegment virtual machines in its data center, essentially putting a firewall in front of each virtual machine, Frenz says.
“Then we can configure the rules in the firewall to allow just the communications we want to come through.”
At IMC and other provider organizations, such as Martin Luther King Jr. Community Hospital in Los Angeles and Riverside Health in Kankakee, Ill., segmentation plays a key role in mitigating the risks posed by outside cyberattackers who threaten privacy and patient safety.
Build a Security Culture from the Top Down
Hackers increasingly target healthcare in part because cybersecurity is not a top priority, says Kathy Downing, director of practice excellence for the American Health Information Management Association. When choosing between investing in security or new surgical equipment, the latter usually wins out, she says.
“You’d think a hospital board of directors would hear about these attacks and ask their privacy and security officers what they need,” Downing says. “Instead, privacy and security officers are still trying to get the attention of senior leadership.”
At Riverside Health, an integrated system south of Chicago, however, CISO Erik Devine has led the implementation of strategies and technology that have kept the organization ransomware-free for more than two years.
Deploy a Multifaceted Cyber Strategy
Riverside uses segmentation, access control and whitelisting to protect a network of 3,000 users, 700 servers and more than 4,000 endpoints, Devine says.
Four years ago, when ransomware attacks against healthcare organizations were less frequent, Devine made a bold decision to whitelist every executable on Riverside’s network. It took two years to inventory every app and create rules, but it was worth it, he says.
“Every application, every .dll file, every .exe, every patch,” Devine says. “If a doctor plugs in an iPhone and downloads iTunes, we’re like, ‘Nope, you can’t do that.’ Users can make requests and ask permission, but it’s a manual process. When bad stuff hits our system and gets through all our other shields, once it reaches the endpoint, it can’t run.”
Riverside also employs full-disk encryption on all endpoints and isolates medical devices such as insulin and intravenous pumps.
“We segment them down to the port,” Devine says. “We can say this machine only talks to this IP address on that port, and that’s it.”
At the data center level, Riverside segments nonmedical systems, such as finance and human resources, onto separate networks using a variety of tools, including Fortinet firewalls. It even segments down to the user level, to control which staff members can access which systems.
“It’s almost a permission access list, combined with an access control list and application whitelisting, on top of network segmentation,” he says. “Some say that’s extreme, but it’s not cost-intensive and in some ways it saves us money.”
Prioritize Continued Operations for Medical Devices
At Martin Luther King Jr. Community Hospital, interim CISO Mark Kadrich prefers to have a network dedicated just to Internet of Things devices. The 131-bed facility has a segmented network, but Kadrich continues to evaluate communications pathways for all of its devices. Once that’s complete, he hopes to migrate the “these-could-kill-you” devices to their own network.
“I’ve done this before at other organizations, and it’s proved to be very robust,” he says.
Still, CISOs must make sure that if a network segment is attacked and taken offline, the devices on it will still operate, Kadrich says.
“Say you’ve got a neonatal monitoring system that talks to a centralized data collection system. When the network fails, can that monitor continue to run? Can you architect it in a way that if the core network fails, the edge switches allow the system to keep running and babies continue to be monitored?”
In many cases, the only way to find out is to shut the network off — not usually an option for healthcare providers.
Limit Network Access for Devices and Users Alike
It’s also not enough just to segment networks and devices; hospitals must segment users too, and limit their access on the network, Kadrich says. For example, not everyone needs the ability to send and receive external email — a prime source of phishing and ransomware.
One of the best things providers can do is map data flow between their different systems, IMC’s Frenz says. This simplifies rule creation for virtual firewalls while making it easier to identify potentially dangerous network traffic.
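One way to turn a data-flow map into the kind of per-device, per-port allowlist Devine and Frenz describe, and then use the same map to spot traffic that falls outside it, as an added Python example (not code from IMC, Riverside or the article; the device names, flows and ports are constructed):

```python
"""Derive zero-trust allowlist rules from observed data flows and flag stray traffic."""
from collections import defaultdict

# Constructed sample flow records (src, dst, dst_port) from the data-flow mapping step.
# Device names are assumptions, not taken from any real hospital network.
BASELINE_FLOWS = [
    ("infusion-pump-01", "pump-server", 443),
    ("infusion-pump-01", "pump-server", 443),       # repeats collapse into one rule
    ("neonatal-monitor-03", "monitor-collector", 8443),
    ("ehr-web", "ehr-db", 5432),
]

# Constructed later observations; two of them are not in the map at all.
SUSPECT_FLOWS = [
    ("neonatal-monitor-03", "monitor-collector", 8443),   # expected
    ("infusion-pump-01", "ehr-db", 5432),                 # a pump reaching the EHR database
    ("workstation-17", "pump-server", 445),               # an unmapped device reaching the pumps
]


def build_allowlist(flows):
    """Each device may reach only the (dst, port) pairs it was observed needing."""
    rules = defaultdict(set)
    for src, dst, port in flows:
        rules[src].add((dst, port))
    return dict(rules)


def render_rules(rules):
    """Emit firewall-style text: explicit allows per device, then deny everything else.
    TCP is assumed because the constructed flow records carry no protocol field."""
    lines = []
    for src in sorted(rules):
        for dst, port in sorted(rules[src]):
            lines.append(f"allow {src} -> {dst} tcp/{port}")
        lines.append(f"deny  {src} -> any")
    return lines


def find_violations(rules, observed):
    """Return flows the allowlist does not cover; unmapped devices match nothing."""
    return [(s, d, p) for s, d, p in observed if (d, p) not in rules.get(s, set())]


if __name__ == "__main__":
    allow = build_allowlist(BASELINE_FLOWS)
    print("\n".join(render_rules(allow)))
    for flow in find_violations(allow, SUSPECT_FLOWS):
        print("outside the map:", flow)
```

Flows that the map never recorded are exactly the ones to investigate before deciding whether they are a missing rule or an infection trying to move laterally.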
Another key element is incident response time, Kadrich adds.
“Most companies measure their incident response procedures using a calendar, when they should use a stopwatch,” Kadrich says. “All the segmentation in the world isn’t going to do you any good if you can’t close the door in time.”