Effective Network Segmentation to Address Healthcare IT Security Threats


OpenSky has been providing IT consulting services for a regional healthcare provider for many years. In the last couple of years the relationship has expanded significantly, to the point where OpenSky supplies the overall infrastructure strategy and the heavy lifting for new technology projects, as well as the highest level of operational support. In my role, which is similar to that of a CTO, I have helped our client address many challenges that are unique to the healthcare industry, such as how to ensure the security of the hospital’s network and patient data while efficiently adding a multitude of medical devices to the network and managing relationships with an ever-increasing list of vendors.

This client’s healthcare system involves multiple hospitals, advanced care facilities, hospices, and both affiliated and non-affiliated doctor practices. It includes about 5,500 people, 100 buildings, 20,000 Ethernet ports, and 600 servers, both physical and virtual. Currently, OpenSky is planning a major initiative around medical device segmentation. Some of this work is going on right now, and it will also go into the budget planning process for our 2016 fiscal year, which begins in October.

This particular hospital has completed a recent network refresh (most gear is < 3 years old across the board); however, it was implemented as something of a traditional network design, meaning mostly flat on the inside with a few DMZ devices on the outside perimeter. In the last year, I have been bombarded with a large number of medical devices that need to be integrated into the environment. The traditional approach of just dropping these devices on the network is of great concern to me because I’ve seen first-hand the problems this quick fix can create.

Challenges created by dropping devices on the network include:

  1. The devices have minimal security features, as the vendors are not being driven to add more security into the devices.
  2. The devices have relatively deep access into the EMR systems used to store patient information.
  3. The vendors are resistant to “best practices” with regard to patching the devices.
  4. Frequently, the vendor supplies a contract that states this device should be run on an isolated network, but this is ignored and the device is placed on a traditional interior network segment.

The problems created by simply adding devices to the network are compounded by the complex relationships that this hospital, like most organizations in the healthcare industry, requires in order to deliver a more complete range of services to its patients. Every year, the hospital works with more and more third-party providers who need some access into our systems, and Citrix isn’t always good enough for the partners who require thick-client access. Many of our partners are actually inside the network all of the time, and their support contracts allow them administrative access to their servers.

As a consequence, we are working on designs that integrate the capabilities of Cisco ISE (Identity Services Engine) and VMware NSX, to provide the framework that allows us to:

  1. Identify devices and people and map them into groups where we can control their access to applications and protect them from other devices in our network.
  2. Allow these devices and people to connect in from anywhere in our environment without having to do manual network configuration.
  3. Efficiently run a VMware environment and permit all these applications to be hosted on shared servers and also use the NSX firewalling features to create virtual security boundaries.

Our approach to addressing these two interconnected challenges, the proliferation of network-connected medical devices and third-party system usage, has been:

  1. Educate the medical staff about the risks we have identified and make sure they understand that even though it may require more steps to securely deploy new medical devices, it is a necessity in order to properly leverage technologies such as NSX and Cisco ISE to protect the environment and ensure patient safety.
  2. Insert ourselves into the provisioning process to be sure that no new medical devices are brought in without completing a security assessment of the product.
  3. Evaluate the capabilities of new devices with respect to secure wireless, and protocols such as 802.1x. Ensure that the business clearly understands the applications that the device needs to connect to AND whether internet access is truly needed for the device.
  4. Document the requirements of the device. Ensure that future devices of the same type are installed in an identical fashion onto the network.
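The following is an added example, not code from OpenSky or from Cisco ISE or VMware NSX, that models the policy described above in the framework section and in steps 3 and 4: a device is placed into a group from its authentication result and profiled type (the kind of data ISE produces), each group carries a default-deny whitelist of the application zones it may reach (the kind of rule NSX distributed firewalling enforces), and a lint pass compares the whitelist against the device's documented requirements, flagging any rule with no documented need and any group that asks for internet access. All group and zone names, the sample devices and the port numbers are constructed assumptions for illustration.

```python
"""Toy model of identity-based segmentation policy (constructed example)."""
from dataclasses import dataclass, field

# Profiled device types the policy treats as medical devices (assumed names).
MEDICAL_PROFILES = {"infusion-pump", "patient-monitor", "imaging-modality"}
QUARANTINE = "QUARANTINE"
HL7_PORT = 2575   # port assumed for the EMR interface engine in this example


@dataclass(frozen=True)
class Device:
    mac: str
    auth: str                       # "dot1x" (EAP/certificate), "mab" (MAC bypass) or "none"
    profile: str                    # profiled device type, e.g. "infusion-pump"
    isolation_required: bool = False  # vendor contract says: run on an isolated network


@dataclass
class Group:
    name: str
    app_zones: set                  # zones the documented requirements (step 4) say it needs
    allowed: set = field(default_factory=set)   # {(dst_zone, port)}; anything else is denied


def classify(device: Device) -> str:
    """Map a device to a group. Anything not positively identified lands in quarantine."""
    if device.auth == "none":
        return QUARANTINE
    if device.profile in MEDICAL_PROFILES:
        # Contractually isolated devices get their own group so the lint can hold it to its zones.
        return "MED_ISOLATED" if device.isolation_required else "MED_SHARED"
    if device.auth == "dot1x" and device.profile == "workstation":
        return "CLINICAL_WS"
    return QUARANTINE


# Constructed policy. MED_SHARED deliberately carries a CORP_LAN rule that no requirement
# backs, and CLINICAL_WS requests internet access, so that lint_policy has something to report.
POLICY = {
    QUARANTINE: Group(QUARANTINE, app_zones=set()),
    "MED_ISOLATED": Group("MED_ISOLATED", {"EMR_INTERFACE"}, {("EMR_INTERFACE", HL7_PORT)}),
    "MED_SHARED": Group("MED_SHARED", {"EMR_INTERFACE", "NTP"},
                        {("EMR_INTERFACE", HL7_PORT), ("NTP", 123), ("CORP_LAN", 445)}),
    "CLINICAL_WS": Group("CLINICAL_WS", {"EMR_APP", "INTERNET"},
                         {("EMR_APP", 443), ("INTERNET", 443)}),
}


def evaluate_flow(policy: dict, device: Device, dst_zone: str, port: int):
    """Default-deny check of one flow from a device to a zone/port."""
    group = policy[classify(device)]
    if (dst_zone, port) in group.allowed:
        return True, f"{group.name} -> {dst_zone}:{port} permitted"
    return False, f"{group.name} -> {dst_zone}:{port} denied (default deny)"


def lint_policy(policy: dict) -> list:
    """Compare each group's rules with its documented requirements (steps 3 and 4)."""
    findings = []
    for g in policy.values():
        if g.name == QUARANTINE and g.allowed:
            findings.append(f"{g.name}: must permit nothing but remediation")
        for zone, port in sorted(g.allowed):
            if zone not in g.app_zones:
                findings.append(f"{g.name}: rule to {zone}:{port} has no documented requirement")
        if "INTERNET" in g.app_zones:
            findings.append(f"{g.name}: internet access requested; confirm it is truly needed")
    return findings


if __name__ == "__main__":
    pump = Device("00:11:22:33:44:55", "mab", "infusion-pump", isolation_required=True)
    unknown = Device("66:77:88:99:aa:bb", "none", "unknown")
    for dev, zone, port in [(pump, "EMR_INTERFACE", HL7_PORT), (pump, "INTERNET", 443),
                            (unknown, "EMR_INTERFACE", HL7_PORT)]:
        print(evaluate_flow(POLICY, dev, zone, port)[1])
    for finding in lint_policy(POLICY):
        print("LINT:", finding)
```

The point of the model is that a device's network position no longer determines its reach: the same pump plugged in anywhere is classified the same way and gets the same whitelist, a device that cannot be identified reaches nothing, and a rule that nobody documented a need for shows up as a finding before it reaches the firewall.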

We are hoping that the changes that I have outlined above will improve the security of these network devices, along with bringing security features to the forefront of the discussion when new devices are brought in. It also will allow us to make these devices more portable, so that they could be plugged in anywhere in the network and the proper security will be deployed.

It would also be great to get some open discussion going about how everyone sees this emerging world. I think it is going to be a very big year in this space. On the good side, it seems like we finally have good solutions to efficiently solve a problem that has been around forever. On the bad side, this is probably going to be the year where we see somebody in the USA exposed to a major criminal theft of medical records that will be attributed to lax security on these devices.