During the past few months, much has been said about the significant effort required to implement and support virtual care and remote work. But for IT security leaders, that big lift comes with a big risk. As clinical and non-clinical functions are increasingly performed outside of healthcare facilities, the demand is growing for enterprise-grade cybersecurity in those locations.
“It’s something we need to work toward, because that’s what the public expects,” said Jonathan Nguyen-Duy, VP of the Global Field CISO Team at Fortinet, during a recent panel discussion. “They want to be wowed and they want to have a great experience.” And that means being able to access services when and how they want — in a secure environment, of course.
It presents a significant challenge, but one that can be met if the right pieces are in place, said Nguyen-Duy, who broke down the topic of security-driven networking, along with co-panelists Christopher Frenz (AVP of Information Security, Interfaith Medical Center), Phil Campbell (CIO and VP of Information Services, CalvertHealth Medical Center) and Krishna Sankhavaram (Executive Director of IT, UT School of Public Health at Houston).
According to Nguyen-Duy, the first component in creating a solid strategy is recognizing that security and networking can’t be viewed as separate entities but rather need to be converged. “Business objectives are negated if the security function isn’t working, and if WAN optimization isn’t there to ensure bandwidth.”
And one can’t come before the other, noted Campbell, who spent time as a Navy intelligence officer before coming to healthcare. “It starts with having networking and security built in. If you stand up a network and then try to layer security on top of it, you wind up with a lot of holes and gaps.”
On the other hand, by having it flow as one integrated function, organizations can provide end-to-end security, said Sankhavaram. “It protects your data. It protects your applications. It protects your workflow, and the path from whoever is trying to access the data all the way up to the data itself.”
However, as every security professional knows, there are no guarantees, particularly when a global pandemic hits. At UT School of Public Health, one of the concerns was VPN overload, which hit when UT’s campus went on lockdown and, all of a sudden, “everyone had to come in through the VPN in a secure way,” which meant constantly having to verify users. “It was a very steep curve,” Sankhavaram noted. “Our firewall team and the VPN team did the best that they could, but it was very difficult to manage at that state.”
For Campbell’s team, it wasn’t network capacity that was the issue, but rather, being able to secure against vulnerabilities for the thousands of staffers who were sent home. It meant having to initiate difficult conversations. “We’d say, ‘I know you need this now, but we need to do this right,’” he added.
“Don’t trust anything”
This, according to Frenz, is where a Zero Trust philosophy can make an impact, by drawing a hard line as to what’s allowed into the network. “If it’s not essential communication it should be blocked. That’s the approach we’ve taken in our environment,” he said. “There needs to be a multiple layer of security that exists at the network level, the application level, and the operating system level, and those layers have to work together.”
Interfaith Medical Center, which is located in Brooklyn, NY, became one of the first hospitals to implement Zero Trust when it went live in 2015. Interestingly, the impetus came when security leaders simulated a malware attack and quickly learned that network segmentation was “very effective at keeping the threat contained,” said Frenz. And so, as his team focused on how they could take that segmentation to the next level, the answer quickly became clear.
“If you look at all the ransomware attacks against hospitals, lateral movement is a huge problem,” he noted. “Anything organizations can do to begin to limit that possibility within their environment is a great thing, and I think Zero Trust is a really good goal to shoot for.”
Sankhavaram agreed, adding that his team is doing just that. “We used to say trust, but verify — now, we don’t trust anything. We constantly monitor everything that comes into the environment.”
The idea with Zero Trust, according to Nguyen-Duy, is that if the network can’t be 100 percent protected, “at least you can monitor what’s happening on the device.”
The big question, of course, is how. During the discussion, the panelists provided several best practices to keep in mind when implementing Zero Trust.
- Start simple. Frenz’s team started on the data center side, first by introducing a tool from VMware, then segmenting well-known systems like DNS and DHCP servers. What’s key there, he said, is ensuring every network engineer understands all of the ports and protocols. “It allowed them to learn the new tools, while at the same time increasing our protection.” His team then moved on to virtual desktops, and to systems that are considered “high risk in the data center,” and “safe systems that we considered to be complex, but pose a lower risk.”
- Study data flow. A critical step early on, according to Sankhavaram, is to study how the data are being used, which includes where they come from, what type of applications are being used to analyze them, and who’s sharing them. The best way to do that? By working with application developers. “We worked with the people who had the data and we mapped it out to make sure that we understood exactly how it was flowing,” he said. “Everything was constantly getting monitored,” which ensures “nothing can be taken out or put into the network without our knowledge.”
- Take inventory. Another key step, noted Frenz, is to build up a solid inventory. “We took the time to learn all of the devices on our network. Once we knew where all the data were, the most challenging portion was taking the time to see how the data actually flowed between all those different devices,” he added. “If you’re going to do Zero Trust, that’s where you’re going to spend the bulk of your time.”
- Don’t rush it. At Interfaith, it took about 18 months to fully segment and isolate the data. That’s not unusual, said Nguyen-Duy. “One of the biggest hurdles is doing data classifications and trying to understand who owns what, along with the criticality of those assets,” he noted. “There’s no way around that. No matter what technology you end up using to implement that strategy, the legwork needs to be done upfront.”
- Assume the worst. It may seem fatalistic, but the reality is that when it comes to securing your network, “You have to presume that your ecosystem, your network, your partner’s networks, and the devices you all use are most likely already compromised,” noted Nguyen-Duy. And in some cases, those devices are “already under the control of an adversary and being used to target you.”
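The “study data flow,” “take inventory,” and “if it’s not essential it should be blocked” steps above can be rehearsed before any segmentation tool is bought. The following added example (not code from the panel or from any vendor) builds a talker inventory from constructed flow records and audits each flow against a hypothetical allow list of essential services, reporting what a default-deny policy would block; the addresses, subnets and rules are all made up for illustration.

```python
"""Inventory observed flows and audit them against an allow list of essential services."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (src, dst, dst_port, proto); not captured from a real network.
SAMPLE_FLOWS = [
    ("10.10.1.20", "10.10.0.5", 53, "udp"),     # workstation -> DNS
    ("10.10.1.20", "10.10.0.6", 67, "udp"),     # workstation -> DHCP
    ("10.10.1.20", "10.10.2.40", 443, "tcp"),   # workstation -> clinical web tier
    ("10.10.2.40", "10.10.3.10", 1433, "tcp"),  # web tier -> database
    ("10.10.1.20", "10.10.1.21", 445, "tcp"),   # workstation -> workstation (SMB)
    ("10.10.1.21", "10.10.3.10", 1433, "tcp"),  # workstation -> database directly
]

# Hypothetical allow list of essential flows: (src_net, dst_net, dst_port, proto).
# Anything not matched here is a candidate to block under default deny.
ALLOW_RULES = [
    ("10.10.1.0/24", "10.10.0.5/32", 53, "udp"),
    ("10.10.1.0/24", "10.10.0.6/32", 67, "udp"),
    ("10.10.1.0/24", "10.10.2.0/24", 443, "tcp"),
    ("10.10.2.0/24", "10.10.3.10/32", 1433, "tcp"),
]


def inventory(flows):
    """Return {host: set of peers} so every device that talks on the network is enumerated."""
    peers = defaultdict(set)
    for src, dst, _port, _proto in flows:
        peers[src].add(dst)
        peers[dst].add(src)
    return dict(peers)


def is_allowed(flow, rules):
    """True if some rule covers the flow's source subnet, destination subnet, port and protocol."""
    src, dst, port, proto = flow
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(rs) and d in ip_network(rd) and port == rp and proto == rproto
               for rs, rd, rp, rproto in rules)


def audit(flows, rules):
    """Split observed flows into (allowed, to_block) under a default-deny segmentation policy."""
    allowed = [f for f in flows if is_allowed(f, rules)]
    to_block = [f for f in flows if not is_allowed(f, rules)]
    return allowed, to_block


if __name__ == "__main__":
    for host, peers in sorted(inventory(SAMPLE_FLOWS).items()):
        print(f"{host} talks to {sorted(peers)}")
    _, to_block = audit(SAMPLE_FLOWS, ALLOW_RULES)
    for src, dst, port, proto in to_block:
        print(f"BLOCK {src} -> {dst}:{port}/{proto} (no essential-flow rule covers it)")
```

Flows that show up in the to-block list are exactly the conversations to take back to the application owners: either they are essential and need an explicit rule, or they are the lateral paths segmentation is meant to close.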
In the event of a possible breach, the smart move is to engage a threat research capability that actively monitors dark web marketplaces. This way, security leaders can determine whether anyone is inquiring about the organization or offering information, he said. “It’s just another way that CIOs, CISOs and their teams can demonstrate reasonable care.”
What complicates matters is that at any given time, organizations are involved in multiple initiatives, most of which have stringent timelines. For IT security leaders, balancing new implementations with existing security upgrades can be tricky, noted Campbell. “You have to think in advance about how you’re going to tackle that so you can stay focused.”
Finally — and perhaps most importantly — although security is an absolutely crucial part of the IT leader’s strategy, it can’t trump patient care. If too many security measures are implemented, life-saving devices and machines can be rendered unusable, he said. “We’ve got to walk that fine line,” and consider the impact Zero Trust policies can have on clinicians’ ability to deliver care. “We’re ultimately not here to secure data; we’re here to save lives.”
To view the archive of this webinar — Healthcare CIOs’ and CISOs’ Guide to Security-Driven Networking (Sponsored by Fortinet) — please click here.