The rapid expansion of Internet of Things devices onto healthcare networks is causing an increase in attack surfaces. By 2020, 26 billion networked devices and connections will exist, the Cisco whitepaper notes.
Which is why many healthcare network security teams are stepping back to examine the types and scope of devices on their network. “Visibility gives organizations the confidence to segment,” Sundra says, “and to find the vulnerable endpoints and put them on their own network.”
Take, for example, wireless baby heart monitors found in hospitals. By placing them on their own network segment, Sundra says, the monitors will still function but with limited vulnerability to a cyberattack.
Medical University of South Carolina Implements Segmentation
“The goal is to provide appropriate levels of security in accordance with posed threats or anticipated risks, and to limit exposure from a negative event,” Sanjeev Sah, the university’s CISO, tells HealthTech. “We need to make sure that if the device has a negative cyber event that it doesn’t propagate to different parts of the network and it doesn’t cause severe outages or impact other assets that are performing very important functions.”
Like other academic medical centers, MUSC is challenged because clinical, business, classroom and research operations all depend upon network reliability. As such, the organization provides network assurance for these users by leveraging network access control technologies across its segments for both wired and wireless networks.
With a new children’s hospital opening in Charleston this October, the organization has kept network accessibility and cybersecurity top of mind. MUSC, in its attempt to avoid major service disruptions or data breaches in the future, has been testing new segmentation efforts as well as network access control technologies for the facility.
“In that hospital, it gave us an opportunity to have a bit of a green environment where we’re able to employ the network access controls and segmentation that are difficult to rearchitect without disrupting operations for the rest of our organization,” says Sah. “Working with IT teams, we've developed a plan that will allow for wired network connectivity based on network access control for approximately 5,000 assets or devices. It will also make way for hundreds or thousands of wireless devices.”
The organization opted for Aruba's ClearPass technology to facilitate network segmentation and wireless access control in the new facility. So far, it’s been a success, Sah says.
How to Improve Network Segmentation in Healthcare
Visibility into each segment of an organization’s network should provide the foundation of a good security program. Likewise, data gathered from that analysis can be leveraged to improve existing segmentation practices and decision-making.
“It’s what you do with that information that matters,” Sundra says. “You need a tool that allows teams to use different methods of segmentation because you’re going to have a different segment strategy for your data center, your IoT devices and your OT devices.”
That requires a deeper and continued conversation among key stakeholders.
“Sometimes you can’t really impact the device itself in terms of what you can do to it,” says Sah. “So then you have to employ methods like microsegmentation to provide higher scrutiny in terms of, is this device authorized? Is this device talking to a central monitoring station? And if it is, what specific destinations and sources does it need to be talking to versus having the ability to speak to the entire portion of the network or the segment?”
Still, Sah and Sundra agree that network segmentation is just one part of a larger cybersecurity strategy.
“We employ layers of security safeguards to protect IoT devices, device level security and network security — including network access control to identify devices — to enforce policies and protect our resources,” Sah says. “Network segmentation, with authentication and authorization on the network and being able to compartmentalize that to a particular portion of the network, gives us a second layer of protection.”