CISOs, CIOs, and their IT colleagues in U.S. patient care organizations are moving forward with alacrity to meet the IT and data security threats accelerating in their direction these days. In that context, as a first-quarter issue special report from Healthcare Informatics noted in February, “If there’s a single IT security strategy that nearly all patient care organizations have implemented at least in part, it’s network segmentation—the purposeful separation of elements of an organization’s information technology network in order to enhance IT security. Yet at the same time, this is an area in which, industry experts say, there is also a vast lack of understanding of the underlying principles and strategies needed to make network segmentation actually help facilitate greater security, in practice.”
And of course, the challenges facing the IT leaders of patient care organizations are also facing IT leaders in every type of business organization, in every industry. John Friedman, a managing consultant at the CyberEdge Group consulting firm, puts it this way in his recent white paper, “The Definitive Guide To Micro-Segmentation,” published last year by Illumio, a Sunnyvale, Calif.-based cloud computing security solutions provider: “We can no longer rely on perimeter defenses to keep the bad guys out, and are not doing so well catching them inside the data center either. Most IT security professionals are familiar with frameworks such as Lockheed Martin’s Cyber Kill Chain,” Friedman notes. But, he says, “Statistics show that it is extremely difficult to reduce the ‘dwell time’ of attackers once they have a foothold inside the data center. Virtualization and cloud technology exacerbate this challenge. It is hard to protect applications that can be executing anywhere, with pieces being moved around continually. In this environment, limiting lateral movement within the data center becomes a top priority for IT groups. If a cybercriminal compromises the credentials of an employee who uses application A, can we make sure he can’t reach applications B, C, and D? If a hacker uncovers the password of a system administrator in location X, can we make sure she has no way to connect to systems in locations Y and Z?” That remains a fundamental IT security challenge in healthcare.
Meanwhile, a companion special report in that issue noted that strategies are evolving forward quickly in the area of disaster recovery and business continuity, even as the leaders of U.S. patient care organizations navigate strategic and tactical complexities in that area.
One of the health system CISOs interviewed for both special reports was Thien Lam, vice president and CISO at the 15-hospital BayCare Health System, based in Clearwater, Fla. Lam spoke with Healthcare Informatics Editor-in-Chief Mark Hagland regarding both of those broad, important subjects. Below are excerpts from their interview, which took place earlier this year.
What are the biggest concerns for you right now as CISO, looking in particular at disaster recovery/business continuity, network segmentation, and related issues?
The biggest concern for me is incident response, and how mature we are when we respond to incidents, or how we recognize incidents. There are many steps involved. You have detection; you detect that someone’s tried to hack you. And you respond to find out how quickly you can put out the fire. In terms of detection, my biggest concern is that the hackers are usually ahead in terms of technology; and it can sometimes be very challenging to detect an attack, and to get your people engaged and looking into a situation. Most of the time, you’re managing day-to-day operations, but at the same time, you have to be ready to respond when people are knocking at your door. So, definitely incident response is very important. And you have to be able to recognize the many ways in which the hackers can get in. Web traffic can be very hard to see. Another big issue is medical devices. When you talk about network segmentation, most people use the terms network segmentation and network isolation very loosely.
What are you and your colleagues doing in that area?
In terms of network segmentation, we’ve created a separate network for the medical devices, so that the medical devices don’t talk directly to the production network; they have their own VLAN. Also, we have devices that we put in front of the medical devices—they’re like a mini-firewall, to make sure the medical devices aren’t vulnerable to an attack. And there are many, many different types of medical devices. Many don’t have an OS (operating system). But most do. And some can be upgraded, and some cannot. And sometimes, you have medical devices that are current, and some that are out of date.
And they may be on XP or on an OS [operating system] that cannot be upgraded or patched. And the issue is that, most of the time, the manufacturers themselves don’t provide patches. They’ll ask you to upgrade a device or replace an old one, but that can cost millions of dollars. So with regard to network segmentation, we want to make sure that we put the medical devices on a VLAN, so that they can’t talk directly to the Internet. At the same time, we micro-segment them by putting a mini-firewall in front of each medical device, and we’ve also locked the USB port on the device. You put in a USB key. So we protect them physically also, and also protect the medical devices from the rest of the network.
What is your overall segmentation arrangement or plan?
We have a plan moving forward that we’re in the process of executing on. Most of us have had flat networks, where everything can talk to everything—your network at home, your car, everything—we’ve spent 20 years creating that connectivity. Now, with all the incidents taking place, it’s clear that that’s no longer a good idea. So now we have to look at this from a role-based standpoint. What we’re planning to do is that we’re going to segment by facility. So if there is an infection within one facility, we want to isolate that facility from the rest of the network, so that the malware or ransomware can’t spread.
The good thing for us is that our EMR is centralized in one location, via the data center. So if we isolate a facility, then that location will not be able to connect to that centralized EMR. So, will we segment based on the role or function of a user? We’re not there yet. In the future, potentially, we’ll go down that path. There’s some discussion of looking at, say, if you’re in Human Resources, you shouldn’t have access to the medical device network, for example. We’re not there yet, but we’ll get there.
We also have network access control, which can detect abnormal traffic; if traffic is excessive, we can potentially stop that device from connecting to the network. We may not go to the user level, but we may go to the device level.
How do you see the interrelationship between disaster recovery and business continuity? CISOs and other healthcare IT leaders have a diversity of opinions on that.
Business continuity planning is more operational; it is more than just about IT systems. IT systems are just a component of data availability. We live in Florida, which has a hurricane season every year that we have to plan for. And to me, you have to plan for BCP beyond just IT. Because if a hurricane comes, it’s not just the IT system that will be affected, but your generator, your electricity, your water, etc. So my take is that BCP needs to be much broader than just the IS system. The IS system will be just a component of that. Someone needs to own the BCP for the entire system. And that’s true, too, of disaster recovery. Disaster recovery is not just an IT function, it’s a business concern, too.
And in terms of disaster recovery?
We’ve hired a third party to work for us in that area. They’re 1,000 miles away. We have a data center locally and a data center in the Northeast. And we have a disaster recovery plan, so that if we’re ever in a disaster situation, we can switch to our second system 1,000 miles away. We do two tests a year. We simulate the primary data center being down, and we switch to the second data center, and the team makes sure we have connectivity and flow, and the business signs off on the DR test. And every time you do a DR exercise, you identify an issue or issues, and we correct those.
On the business side, we have a disaster recovery plan for the business. And we’ve done testing, but we haven’t done it regularly. The operational side may do it more regularly than that.
What advice might you like to share with your peers on network segmentation and disaster recovery and business continuity?
Per network segmentation, you definitely need to do it. I would be cautious not to try to do it too quickly. I would take time to do it and plan it out, and make sure that we’re creating a plan that will benefit the system. Have a good plan in place, and be prepared to identify challenges along the way. Before we do network segmentation, we need to make sure we understand what businesses would be impacted, and the outcome of that. Because it can really impact a lot of them. I think network segmentation is a good thing. But at the same time, I would tell my colleagues to do it carefully.
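The segmentation intent Lam describes above (a medical device VLAN with no direct Internet path and a mini-firewall in front of it, isolating a facility during an incident, and knowing which business flows a change would break before making it) can be written down as a small, testable policy model. The following Python is an added illustration for this article, not BayCare's configuration; the segment names, the allow-list, and the sample flows are constructed assumptions.

```python
# Added illustration: a testable model of segmentation intent.
# Segment names, the allow-list and the sample flows are constructed for this
# example and are not any real organization's configuration.
from dataclasses import dataclass, field


@dataclass
class SegmentationPolicy:
    # Explicit allow-list of (source_segment, destination_segment) pairs. Anything
    # not listed is denied, the opposite of a flat network where everything talks.
    allow: set = field(default_factory=set)
    # Facilities currently isolated from the rest of the system (containment).
    quarantined: set = field(default_factory=set)

    def permits(self, src: str, dst: str) -> bool:
        if src == dst:                    # traffic inside one segment is out of scope
            return True
        if src in self.quarantined or dst in self.quarantined:
            return False                  # an isolated facility is cut off both ways
        return (src, dst) in self.allow

    def with_quarantine(self, facility: str) -> "SegmentationPolicy":
        return SegmentationPolicy(set(self.allow), self.quarantined | {facility})


def baseline_policy() -> SegmentationPolicy:
    """Constructed allow-list (assumption: the per-device mini-firewall enforces it):
    the device VLAN talks only with the EMR data center, facilities reach the
    centralized EMR and the Internet, and nothing else may initiate to the devices."""
    p = SegmentationPolicy()
    p.allow.add(("med-devices", "emr-datacenter"))
    p.allow.add(("emr-datacenter", "med-devices"))
    for segment in ("facility-A", "facility-B", "hr-workstations"):
        p.allow.add((segment, "emr-datacenter"))
        p.allow.add((segment, "internet"))
    return p


# Constructed business flows to evaluate before and after a containment action.
SAMPLE_FLOWS = [
    ("facility-A", "emr-datacenter"), ("facility-A", "internet"),
    ("facility-B", "emr-datacenter"), ("med-devices", "emr-datacenter"),
    ("med-devices", "internet"), ("hr-workstations", "med-devices"),
]


def broken_by_quarantine(policy, facility, flows):
    """Impact analysis: flows that work today but stop if `facility` is isolated."""
    after = policy.with_quarantine(facility)
    return sorted(f for f in flows if policy.permits(*f) and not after.permits(*f))
```

Running `broken_by_quarantine(baseline_policy(), "facility-A", SAMPLE_FLOWS)` lists exactly the flows that isolating that facility would cut, which is the "understand what businesses would be impacted" step done before the change rather than after.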