Jan 05 2018

The Benefits of Segmentation for Healthcare Security

Provider organizations divide and conquer their networks to shore up their defenses.

Previously in this space, I have discussed the need for healthcare organizations to take a balanced approach to cybersecurity in order to keep pace with ever-evolving digital threats. One action a provider can take to shore up its defenses is segmentation, in which firewalls, routers and virtual LANs are used to restrict access to specific areas of an organization’s IT network.

While we’ve seen some providers turn to segmentation to protect their data and devices from hackers, organizations would be wise to consider it as a standard practice. Let’s take a deeper dive into what makes segmentation such an effective strategy.

Device Segmentation Proffers Provider Peace of Mind

Medical device segmentation provides assurance that, in the event a hacker successfully breaches one portion of an organization, devices on other networks will remain safe. Scot Copeland, medical IT network risk manager for Scripps Health in San Diego, says in an Op-Ed that the goal of segmenting medical devices on their own network should be to design VLANs to manage tools within them according to their security needs.

Many devices use proprietary communication and data structure, says Copeland, who adds that VLANs can provide “good choke points for firewalls, intrusion prevention/detection systems and other network monitoring devices.”

Matt Klein, chief information security officer at the Medical University of South Carolina, whose organization secures its medical devices and other internet-connected tools using segmentation, says in a cybersecurity Q&A with HealthTech that many providers share the concern that manufacturers must place more focus on using supported OS platforms and building security into development.

Limited Access Keeps Control Out of Hackers Hands

Another benefit of segmentation is that it limits access to disparate networks to only those individuals who truly need it. Chad Wilson, director of information security at Children’s National Health System, discussed segmentation during a recent HIMSS Learning Center webinar about reducing cybersecurity risk, saying that not all staff members need to use all applications.

This practice can also result in better performance by optimizing bandwidth based on priorities, Wilson says.

Riverside Health, an integrated health system south of Chicago, segments nonmedical systems such as financial and human resources onto separate networks using a host of tools, including Fortinet firewalls. In conjunction with application whitelisting, CISO Erik Devine says the strategy is not cost-intensive — it even saves the institution money in some ways — while helping to protect 3,000 users, 700 servers and more than 4,000 endpoints.

Patient Satisfaction Sees Improvement

At HIMSS 2017 in Orlando, Fla., RWJBarnabas Health’s CISO Hussein Syed said that a segmentation strategy helped his organization to improve patient satisfaction by 70 percent. RWJBarnabas divides its surface into three segments: traditional, which includes laptops, email and servers; medical information centers, which include electronic health records and devices such as CT scanners; and transformed care, which includes wearables and remote health monitoring tools.

While segmentation is not a cure-all for healthcare cybersecurity, it’s a strategy that more providers should pursue, especially given the expanding device landscape and evolution of digital threats.

This article is part of HealthTech’s MonITor blog series. Please join the discussion on Twitter by using the #WellnessIT hashtag.

Olivier Le Moal/Getty Images

Zero Trust–Ready?

Answer 3 questions on how your organization is implementing zero trust.