Aug 29 2019

Is Inconsistent Network Segmentation Hurting Your Organization?

Many healthcare organizations fail to deploy the practice to its full potential, leaving key systems and data vulnerable.

Generally seen as a standard security strategy, network segmentation practices are inconsistent across the healthcare industry, according to a recent study conducted by Forescout Technologies.

Segmentation, which involves splitting a network into subnetworks that are isolated from each other, is crucial for safeguarding sensitive information, reducing congestion and improving performance, among other benefits. At the most basic level, virtual LANs can be used to segment a network’s devices, effectively isolating critical data. The greater the number of VLANs an organization chooses to employ, the lower their potential for breach.

But the Forescout report finds that 49 percent of segmentation deployments in healthcare implement fewer than 10 of these networks to support all devices. In fact, just under half of organizations in that subset employ only a single VLAN. 

This finding, Forescout notes, suggests that healthcare organizations have yet to adequately invest in the technology needed to implement a proper segmentation. “Healthcare organizations are not comfortable putting gates around their devices,” Ellen Sundra, Forescout’s systems engineering vice president of Americas, tells HealthTech.

But they should: Although Sundra believes compliance laws such as HIPAA have helped healthcare organizations to be more secure when it comes to tech use, she urges organizations to reconsider how they protect their devices and sensitive data from a breach.

MORE FROM HEALTHTECH: Understand why basic security compliance isn't enough for healthcare organizations.

Why Network Segmentation Is Important

Done correctly and thoroughly, network segmentation has many benefits.

“Ideally, segmentation tools should help you map your network, classify devices into logical groups and manage those devices at scale while restricting access to critical applications,” a Cisco whitepaper explains.

However, organizations may find this easier said than done. And a poor or rushed rollout could ignore an array of network security vulnerabilities.

“The reason why organizations aren’t successful with network segmentation is because they don’t know what’s on their network,” says Sundra. “Operational technology networks used to be air gapped” — physically isolated from unsecured computers or networks — “but now all the security tools that the team has invested in don’t work with all of these new devices. 

That, she adds, leads to “devices ending up on the network that security teams don’t even know about.”

Sanjeev Sah
The goal is to provide appropriate levels of security in accordance with posed threats or anticipated risks, and to limit exposure from a negative event."

Sanjeev Sah CISO, Medical University of South Carolina

The rapid expansion of Internet of Things devices onto healthcare networks is causing an increase in attack surfaces. By 2020, 26 billion networked devices and connections will exist, the Cisco whitepaper notes.

Which is why many healthcare network security teams are stepping back to examine the types and scope of devices on their network. “Visibility gives organizations the confidence to segment,” Sundra says, “and to find the vulnerable endpoints and put them on their own network.”

Take, for example, wireless baby heart monitors found in hospitals. By placing them on their own network segment, Sundra says, the monitors will still function but with limited vulnerability to a cyberattack.

DISCOVER: Four tips to successfully segment your healthcare organization's network.

Medical University of South Carolina Implements Segmentation

At the Medical University of South Carolina, network segmentation is a key strategy to protect the organization and its services

“The goal is to provide appropriate levels of security in accordance with posed threats or anticipated risks, and to limit exposure from a negative event,” Sanjeev Sah, the university’s CISO, tells HealthTech. “We need to make sure that if the device has a negative cyber event that it doesn’t propagate to different parts of the network and it doesn’t cause severe outages or impact other assets that are performing very important functions.” 

Like other academic medical centers, MUSC is challenged because clinical, business, classroom and research operations all depend upon network reliability. As such, the organization provides network assurance for these users by leveraging network access control technologies across its segments for both wired and wireless networks.

With a new children’s hospital opening in Charleston this October, the organization has kept network accessibility and cybersecurity top of mind. MUSC, in its attempt to avoid major service disruptions or data breaches in the future, has been testing new segmentation efforts as well as network access control technologies for the facility.

“In that hospital, it gave us an opportunity to have a bit of a green environment where we’re able to employ the network access controls and segmentation that are difficult to rearchitect without disrupting operations for the rest of our organization,” says Sah. “Working with IT teams, we've developed a plan that will allow for wired network connectivity based on network access control for approximately 5,000 assets or devices. It will also make way for hundreds or thousands of wireless devices.”

The organization opted for Aruba's ClearPass technology to facilitate network segmentation and wireless access control in the new facility. So far, it’s been a success, Sah says. 


How to Improve Network Segmentation in Healthcare

Visibility into each segment of an organization’s network should provide the foundation of a good security program. Likewise, data gathered from that analysis can be leveraged to improve existing segmentation practices and decision-making.

“It’s what you do with that information that matters,” Sundra says. “You need a tool that allows teams to use different methods of segmentation because you’re going to have a different segment strategy for your data center, your IoT devices and your OT devices.”

That requires a deeper and continued conversation among key stakeholders.

“Sometimes you can’t really impact the device itself in terms of what you can do to it,” says Sah. “So then you have to employ methods like microsegmentation to provide higher scrutiny in terms of, is this device authorized? Is this device talking to a central monitoring station? And if it is, what specific destinations and sources does it need to be talking to versus having the ability to speak to the entire portion of the network or the segment?”

Still, Sah and Sundra agree that network segmentation is just one part of a larger cybersecurity strategy.

We employ layers of security safeguards to protect IoT devices, device level security and network security — including network access control to identify devices — to enforce policies and protect our resources,” Sah says. “Network segmentation, with authentication and authorization on the network and being able to compartmentalize that to a particular portion of the network, gives us a second layer of protection.”

baona/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT