By Dr. Mike Lloyd, RedSeal CTO
Being prepared for the unknown is as important to the digital side of healthcare as it is to the medical side. Both require knowing your resources, preparing for likely scenarios and following good hygiene practices for advanced planning, health maintenance, and rapid intervention. There are established protocols in medicine, and there are established protocols for digital infrastructure. The Center for Internet Security (CIS) publishes the Critical Security Controls, which serve as a widely agreed-upon set of solid, proven approaches to cyber readiness.
Know What You Have
The controls start at the most basic level – understanding your inventory. This is the cyber equivalent of washing your hands – it’s truly fundamental. Still, knowing what you have is an easy problem to overlook and underestimate.
What makes it hard is tracking a changing network, filled with medical devices that move around. The faster these devices move and change, the harder they are to track.
Consider preparing a hospital for a natural disaster. You could start with an inventory of patients, but they move and change so frequently that it would be extremely hard to keep an accurate map of every patient’s location. Instead, it makes sense to map out the buildings to make sure your disaster preparedness plan accounts for the right number of patient beds in the right locations.
Likewise, in any healthcare network, planning for cyber preparedness starts with a map of the network, just as you might map out a building. This helps ground your asset inventory in a practical way. Comparing data feeds can also show vital gaps in knowledge. That is, most data records are faulty, but you can improve them by correlating them with others. Comparing your set of (known) endpoints to what you know about your network can readily show you where something important must be missing. This is another reason that network mapping can be of great assistance in knowing what online assets you have and how they’re connected.
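As an added illustration of the correlation described above (this is example code written for this page, not RedSeal’s product or any vendor’s export format), the script below reconciles a constructed CMDB-style endpoint list against a constructed switch MAC/ARP table. The field names, the VLAN-to-zone mapping and the sample devices are all assumptions. Three kinds of gap fall out of the comparison: devices the network sees that nobody inventoried, inventoried devices the network has not seen, and devices that are inventoried for one segment but are actually sitting in another.

```python
"""Reconcile an endpoint inventory against what the network fabric actually sees.

All data below is constructed for illustration; the field names are assumptions,
not the format of any particular CMDB or switch export.
"""
from dataclasses import dataclass, field

# Constructed CMDB-style endpoint inventory: what we *think* we own.
INVENTORY = [
    {"name": "infusion-pump-07", "mac": "00:1a:2b:3c:4d:07", "zone": "medical"},
    {"name": "nurse-ws-12",      "mac": "00:1A:2B:3C:4D:12", "zone": "clinical"},
    {"name": "mri-console-01",   "mac": "00:1a:2b:3c:4d:21", "zone": "medical"},
    {"name": "old-printer-03",   "mac": "00:1a:2b:3c:4d:33", "zone": "clinical"},
]

# Constructed switch MAC/ARP table export: what the network *actually* sees.
OBSERVED = [
    {"mac": "00:1a:2b:3c:4d:07", "ip": "10.20.1.7",  "vlan": 20, "switch": "sw-icu-1"},
    {"mac": "00:1a:2b:3c:4d:12", "ip": "10.30.1.12", "vlan": 30, "switch": "sw-ward-2"},
    {"mac": "00:1a:2b:3c:4d:21", "ip": "10.99.1.21", "vlan": 99, "switch": "sw-ward-2"},   # wrong VLAN
    {"mac": "00:1a:2b:3c:4d:ff", "ip": "10.99.1.88", "vlan": 99, "switch": "sw-lobby-1"},  # never inventoried
]

# Assumed mapping from VLAN numbers to the segmentation zones the inventory uses.
VLAN_TO_ZONE = {20: "medical", 30: "clinical", 99: "guest"}


@dataclass
class ReconciliationReport:
    unknown_on_network: list = field(default_factory=list)    # seen, not inventoried
    missing_from_network: list = field(default_factory=list)  # inventoried, not seen
    zone_mismatch: list = field(default_factory=list)         # seen in the wrong segment


def normalize_mac(mac):
    """Different feeds write MACs differently; compare them in one canonical form."""
    return mac.strip().lower().replace("-", ":")


def reconcile(inventory, observed, vlan_to_zone):
    """Correlate the two feeds and return every discrepancy between them."""
    inv_by_mac = {normalize_mac(d["mac"]): d for d in inventory}
    obs_by_mac = {normalize_mac(d["mac"]): d for d in observed}
    report = ReconciliationReport()

    for mac, obs in obs_by_mac.items():
        if mac not in inv_by_mac:
            report.unknown_on_network.append(obs)
            continue
        expected = inv_by_mac[mac]["zone"]
        actual = vlan_to_zone.get(obs["vlan"], "unmapped")
        if actual != expected:
            report.zone_mismatch.append({
                "name": inv_by_mac[mac]["name"],
                "expected": expected,
                "actual": actual,
                "switch": obs["switch"],
            })

    for mac, dev in inv_by_mac.items():
        if mac not in obs_by_mac:
            report.missing_from_network.append(dev)

    return report


if __name__ == "__main__":
    r = reconcile(INVENTORY, OBSERVED, VLAN_TO_ZONE)
    for label, rows in (("unknown on network", r.unknown_on_network),
                        ("missing from network", r.missing_from_network),
                        ("zone mismatch", r.zone_mismatch)):
        print(f"{label}: {len(rows)}")
        for row in rows:
            print("  ", row)
```

Each finding is a question for a human rather than a verdict: an unknown MAC on the guest VLAN in the lobby may be a visitor’s phone, but an MRI console showing up on the guest VLAN is exactly the kind of gap the text says a map makes visible. Running this after every inventory and switch-table export is the “continuously improving” loop the next section asks for.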
The Role of Segmentation
Once you have a reasonable handle on inventory, and a defined process to detect new IT fabric and new endpoints over time (so that the inventory is continuously improving), what next?
In healthcare, any patients who are especially fragile or likely to spread infection are immediately isolated. It’s essential to stop pathogens from spreading, even if you can’t perfectly stop them. Cyber security has similar problems – devices on the network are fragile and tend to spread infection laterally with ease. This is why network segmentation is important – the online equivalent of real-world isolation wards.
The challenge with online segmentation is that it’s not visible. It’s further complicated by mobility – people and equipment can move around, so the infrastructure must support ideas like a single physical space that can contain two networks. Think of a single room in a hospital, where there’s one network for the patient who has brought in a phone and wants to get on a guest network, next to a medical device that needs to be on a secure network, not open to the Internet. This isn’t easy for people to verify, because the distinct networks are invisible, and objects move around.
Segmentation is used throughout IT, but has a particularly strong role in healthcare, due to classes of devices that weren’t designed to be updated in the way our laptops and phones are. Medical appliances are not general-purpose computers. Generally, they can’t run agents or be patched, which means a good deal of standard security products won’t work with them. They are like patients with compromised immune systems, requiring additional isolation.
The Role of Automation
The good news about these fundamental cyber security challenges is that automation software is a great asset. Software is able to build out a complete network map and maintain it continually as an organization changes. It can combine knowledge of the network fabric with an inventory of endpoints, so that you can pull together a single map of your assets, understand gaps and plan for future scenarios. Software can also be used to validate crucial network segmentation designs and monitor constantly in case the design is damaged by unexpected changes. These areas – completing an inventory and ensuring segmentation – are both fundamental to security and vital for audits. For example, regulations require that credit card data and patient records are protected from the outside. Proving that to outside assessors is far easier when you already have a solid map, an asset inventory, and an automated ability to demonstrate network segmentation.
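To make the two automation tasks above concrete – validating a segmentation design and re-checking it after changes – here is an added example that is not code from the original article or from any product. It models zones, an intended allow-list of zone pairs, and a first-match access-control rule list, all constructed for illustration; real firewalls and switches export their policies in their own formats, so the `Rule` shape is an assumption. `audit` reports paths that are open but should not be and paths that should be open but are blocked; `drift` compares two snapshots of the rule set to show which reachability changed, which is the daily check the closing paragraphs describe.

```python
"""Validate a segmentation design against deployed rules, and detect drift.

Zone names, the rule format and the sample rule sets are constructed for this
example; they are not any vendor's policy syntax.
"""
from dataclasses import dataclass
from itertools import permutations

ZONES = ["guest", "clinical", "medical", "internet"]

# Intended design: the only zone pairs that are *allowed* to talk (source, destination).
# Anything not listed is expected to be blocked. Constructed assumption for this hospital.
INTENDED_ALLOW = {
    ("clinical", "medical"),    # nurse workstations reach medical devices
    ("clinical", "internet"),
    ("guest", "internet"),      # visitors' phones get out, and nothing else
}


@dataclass(frozen=True)
class Rule:
    src: str      # zone name or "any"
    dst: str      # zone name or "any"
    action: str   # "allow" or "deny"; rules are evaluated first-match, like most ACLs


def reachable(src, dst, rules, default_allow=False):
    """First-match evaluation: the first rule whose src/dst match decides."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any"):
            return r.action == "allow"
    return default_allow


def effective_matrix(rules, zones=ZONES):
    """Reachability of every ordered zone pair under the given rule set."""
    return {(s, d): reachable(s, d, rules) for s, d in permutations(zones, 2)}


def audit(rules, intended=INTENDED_ALLOW):
    """Return (unexpected_paths, missing_paths) relative to the intended design."""
    matrix = effective_matrix(rules)
    unexpected = sorted(p for p, ok in matrix.items() if ok and p not in intended)
    missing = sorted(p for p, ok in matrix.items() if not ok and p in intended)
    return unexpected, missing


def drift(old_rules, new_rules):
    """Zone pairs whose reachability changed between two snapshots of the rule set."""
    before, after = effective_matrix(old_rules), effective_matrix(new_rules)
    return sorted(p for p in before if before[p] != after[p])


# Constructed "day 1" rule set that matches the intended design exactly.
DAY1 = [
    Rule("clinical", "medical", "allow"),
    Rule("clinical", "internet", "allow"),
    Rule("guest", "internet", "allow"),
    Rule("any", "any", "deny"),
]

# Constructed "day 2": a broad troubleshooting rule was inserted at the top
# and never removed. The design did not change; the deployed reality did.
DAY2 = [Rule("guest", "any", "allow")] + DAY1


if __name__ == "__main__":
    print("day 1 audit:", audit(DAY1))
    print("day 2 audit:", audit(DAY2))
    print("drift day1 -> day2:", drift(DAY1, DAY2))
```

The design itself never changed between the two snapshots, yet the second audit shows the guest zone can now reach medical devices. That is the failure mode the article warns about: segmentation that is silently damaged by an ordinary change, invisible to anyone walking the ward, and caught only because something checks the rules every day. The same two lists are also what an assessor asks for: the intended design and evidence that the deployed rules still match it.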
Healthcare networks face unique pressures, from emergency preparedness to stewardship of patient data, to mobile smart devices that put complex demands on network fabric. The stakes are high, and the complexity is always increasing. Taming this complexity is necessary to keep networks as secure and functional as possible.
Digital preparedness requires understanding whether inventory and segmentation controls are working as intended. This is time-consuming and tedious work for humans, while it’s an ideal application for automation software, which can rigorously check every day that the changing network still meets requirements. People can stay focused on optimizing their digital infrastructure to deliver the best patient care, while the menial network tracking is left to machines.