CISOs, CIOs, and their IT colleagues in U.S. patient care organizations are moving forward with alacrity to meet the IT and data security threat vectors accelerating in their direction these days. In that context, as a first-quarter issue special report from Healthcare Informatics noted in February, “If there’s a single IT security strategy that nearly all patient care organizations have implemented at least in part, it’s network segmentation—the purposeful separation of elements of an organization’s information technology network in order to enhance IT security. Yet at the same time, this is an area in which, industry experts say, there is also a vast lack of understanding of the underlying principles and strategies needed to make network segmentation actually help facilitate greater security, in practice.
And of course, the challenges facing the IT leaders of patient care organizations are also facing IT leaders in every type of business organization, in every industry. John Friedman, a managing consultant at the CyberEdge Group consulting firm, puts it this way in his recent white paper, “The Definitive Guide To Micro-Segmentation,” published last year by Illumio, a Sunnyvale, Calif.-based cloud computing security solutions provider: “We can no longer rely on perimeter defenses to keep the bad guys out, and are not doing so well catching them inside the data center either. Most IT security professionals are familiar with frameworks such as Lockheed Martin’s Cyber Kill Chain,” Friedman notes. But, he says, “Statistics show that it is extremely difficult to reduce the ‘dwell time’ of attackers once they have a foothold inside the data center. Virtualization and cloud technology exacerbate this challenge. It is hard to protect applications that can be executing anywhere, with pieces being moved around continually. In this environment, limiting lateral movement within the data center becomes a top priority for IT groups. If a cybercriminal compromises the credentials of an employee who uses application A, can we make sure he can’t reach applications B, C, and D? If a hacker uncovers the password of a system administrator in location X, can we make sure she has no way to connect to systems in locations Y and Z?” That remains a fundamental IT security challenge in healthcare.”
Meanwhile, a companion special report in that issue noted that strategies are evolving quickly in the area of disaster recovery and business continuity, even as the leaders of U.S. patient care organizations navigate strategic and tactical complexities in that area.
One of the health system CISOs interviewed for both special reports was Thien Lam, vice president and CISO at the 15-hospital BayCare Health System, based in Clearwater, Fla. Lam spoke with Healthcare Informatics Editor-in-Chief Mark Hagland regarding both of those broad, important subjects. Below are excerpts from their interview, which took place earlier this year.
What are the biggest concerns for you right now as CISO, looking in particular at disaster recovery/business continuity, network segmentation, and related issues?
The biggest concern for me is incident response, and how mature we are when we respond to incidents, or how we recognize incidents. There are many steps involved. You have detection; you detect that someone’s tried to hack you. And you respond to find out how quickly you can put out the fire. In terms of detection, my biggest concern is that the hackers are usually ahead in terms of technology; and it can sometimes be very challenging to detect an attack, and to get your people engaged and looking into a situation. Most of the time, you’re managing day-to-day operations, but at the same time, you have to be ready to respond when people are knocking at your door. So, definitely incident response is very important. And you have to be able to recognize the many ways in which the hackers can get in. Web traffic can be very hard to see. Another big issue is medical devices. When you talk about network segmentation, most people use the terms network segmentation and network isolation very loosely.
What are you and your colleagues doing in that area?
In terms of network segmentation, we’ve created a separate network for the medical devices, so that the medical devices don’t talk directly to the production network; they have their own VLAN. Also, we have devices that we put in front of the medical devices—they’re like a mini-firewall, to make sure the medical devices aren’t vulnerable to an attack. And there are many, many different types of medical devices. Many don’t have an OS (operating system). But most do. And some can be upgraded, and some cannot. And sometimes, you have medical devices that are current, and some that are out of date.
And they may be on XP or on an OS [operating system] that cannot be upgraded or patched. And the issue is that, most of the time, the manufacturers themselves don’t provide patches. They’ll ask you to upgrade a device or replace an old one, but that can cost millions of dollars. So with regard to network segmentation, we want to make sure that we put the medical devices on a VLAN, so that they can’t talk directly to the Internet. At the same time, we micro-segment them by putting a mini-firewall in front of each medical device, and we’ve also locked the USB port on the device. You put in a USB key. So we protect them physically also, and also protect the medical devices from the rest of the network.
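Lam describes three layers: a dedicated VLAN for the medical devices, no direct Internet path from that VLAN, and a mini-firewall in front of each device. The block below is an added example, not BayCare’s configuration and not any vendor’s product code. It models that layered policy as a default-deny evaluator run over a handful of constructed flow records, and renders one device’s allowlist as nftables rules. The VLAN ranges, addresses, server roles (a PACS imaging server, a vendor-maintenance jump host) and device identities are all assumptions made for illustration.

```python
"""Layered segmentation check for a medical-device VLAN (illustrative example).

Assumed layout, not a real hospital network:
  10.40.0.0/24  isolated medical-device VLAN
  10.10.0.0/24  production VLAN (PACS server, vendor jump host)
"""
import ipaddress
from dataclasses import dataclass, field

MEDICAL_VLAN = ipaddress.ip_network("10.40.0.0/24")          # assumed device VLAN
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class DevicePolicy:
    """Allowlist enforced by the per-device firewall sitting in front of ONE device."""
    device: str
    outbound: set = field(default_factory=set)  # {(dst_ip, proto, dport)}
    inbound: set = field(default_factory=set)   # {(src_ip, proto, dport)}


def is_internet(ip: str) -> bool:
    """Anything outside RFC 1918 space is treated as 'the Internet' here."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE)


def evaluate(flow: Flow, policies: dict) -> tuple:
    """Return (verdict, reason) for one flow. Anything not explicitly allowed is denied."""
    src_is_device = ipaddress.ip_address(flow.src) in MEDICAL_VLAN
    dst_is_device = ipaddress.ip_address(flow.dst) in MEDICAL_VLAN
    if not (src_is_device or dst_is_device):
        return ("n/a", "flow does not touch the medical VLAN")

    # Layer 1 (VLAN boundary): the device VLAN never talks directly to the Internet.
    if src_is_device and is_internet(flow.dst):
        return ("deny", "medical VLAN has no direct Internet path")

    # Layer 2 (per-device firewall, outbound side).
    if src_is_device:
        pol = policies.get(flow.src)
        out_ok = pol is not None and (flow.dst, flow.proto, flow.dport) in pol.outbound
        if dst_is_device:
            # Device-to-device traffic crosses TWO mini-firewalls: both must allow it.
            dpol = policies.get(flow.dst)
            in_ok = dpol is not None and (flow.src, flow.proto, flow.dport) in dpol.inbound
            if out_ok and in_ok:
                return ("allow", "both device firewalls allowlist it")
            return ("deny", "device-to-device lateral movement")
        if out_ok:
            return ("allow", "outbound allowlisted")
        return ("deny", "not in outbound allowlist")

    # Layer 2 (per-device firewall, inbound side): production may reach a device
    # only from an allowlisted source on an allowlisted port.
    pol = policies.get(flow.dst)
    if pol is not None and (flow.src, flow.proto, flow.dport) in pol.inbound:
        return ("allow", "inbound allowlisted")
    return ("deny", "not in inbound allowlist")


def render_nft(pol: DevicePolicy) -> list:
    """nftables rules for one device's mini-firewall, assumed to live in a
    forward chain whose default policy is drop (hypothetical rendering)."""
    rules = ["ct state established,related accept"]   # return traffic for allowed flows
    rules += [f"ip saddr {pol.device} ip daddr {d} {p} dport {port} accept"
              for d, p, port in sorted(pol.outbound)]
    rules += [f"ip saddr {s} ip daddr {pol.device} {p} dport {port} accept"
              for s, p, port in sorted(pol.inbound)]
    rules += [f"ip saddr {pol.device} drop", f"ip daddr {pol.device} drop"]
    return rules


# Constructed sample policy and flows (illustration only).
PACS = "10.10.0.5"          # assumed imaging server on the production VLAN
VENDOR_JUMP = "10.10.0.9"   # assumed vendor-maintenance jump host
POLICIES = {
    "10.40.0.21": DevicePolicy("10.40.0.21",
                               outbound={(PACS, "tcp", 104)},        # DICOM to PACS only
                               inbound={(VENDOR_JUMP, "tcp", 22)}),  # vendor SSH only
    "10.40.0.22": DevicePolicy("10.40.0.22", outbound={(PACS, "tcp", 104)}),
}
SAMPLE_FLOWS = [
    Flow("10.40.0.21", PACS, "tcp", 104),           # DICOM study upload
    Flow("10.40.0.21", "8.8.8.8", "udp", 53),       # device tries to reach the Internet
    Flow("10.40.0.21", "10.40.0.22", "tcp", 445),   # SMB to a neighbouring device
    Flow("10.10.0.77", "10.40.0.21", "tcp", 3389),  # workstation RDP into a device
    Flow(VENDOR_JUMP, "10.40.0.21", "tcp", 22),     # vendor maintenance session
    Flow("10.40.0.21", PACS, "tcp", 445),           # right server, wrong port
]


def audit(flows=SAMPLE_FLOWS, policies=POLICIES) -> list:
    """Evaluate each flow; returns [(flow, verdict, reason), ...]."""
    return [(f, *evaluate(f, policies)) for f in flows]


if __name__ == "__main__":
    for f, verdict, why in audit():
        print(f"{verdict:5} {f.src:>12} -> {f.dst:>12} {f.proto}/{f.dport}: {why}")
    print("\n".join(render_nft(POLICIES["10.40.0.21"])))
```

The evaluator keeps the VLAN-level rule (no Internet path) separate from the per-device allowlists so the output makes visible why a VLAN alone is not isolation: the SMB flow between two devices on the same VLAN is only stopped by the second layer. The nftables rendering is deliberately minimal; a real device firewall would also need logging on the drop rules and, for unpatched devices that still expect vendor callbacks, a documented exception per device rather than a broad allow.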
What is your overall segmentation arrangement or plan?