Where Is Network Segmentation Headed? One Industry Expert Has a Good Idea | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Where Is Network Segmentation Headed? One Industry Expert Has a Good Idea

February 19, 2018
by Mark Hagland
| Reprints
Impact Advisors’ John Robinson shares his perspectives on the new thinking around network segmentation, including around micro-segmentation and software configuration

Among the numerous critical elements in the healthcare data and IT security area that is gaining more attention these days, and at more granular levels, is the set of issues around information system network segmentation. Network segmentation, as a concept, is far from new, including in healthcare; indeed, very broad network segmentation strategies have been an element in overall data and IT security plans at many U.S. patient care organizations for years. But the ongoing acceleration in cyberattacks on patient care organizations, including through phishing-driven ransomware and other malware intrusions—most often via phishing emails sent to staff members at patient care organizations—is compelling the discussion forward.

Specifically, industry experts are urging CIOs, CISOs, CTOs, and other healthcare IT leaders in patient care organizations to think about new, more sophisticated forms of network segmentation, including “micro-segmentation.” What is micro-segmentation? One industry expert, John Robinson, a senior advisor with the Naperville, Ill.-based Impact Advisors consulting firm, has a good handle on the topic. The North Ridgeville, Ohio-based consultant, who specializes in strategic technology consulting, has been with Impact Advisors for nearly two years. Previously, he had spent time at Dell Health Consulting, and prior to that, at the MetroHealth integrated health system in Cleveland, and at Catholic Health Initiatives in Denver. Robinson spoke recently with Healthcare Informatics Editor-in-Chief Mark Hagland about these issues, as Hagland interviewed industry experts for the upcoming Special Report on Cybersecurity. Below are excerpts from their interview.

When you look at the subject of network segmentation at a 40,000-foot-up level, what are the biggest issues, from your perspective?

From a senior management perspective, the biggest issues are, firstly, nobody’s really clear what it is. There are so many variations on the theme. There’s network segmentation, micro-segmentation, security segmentation, network partitioning. It’s a million names for essentially the same thing.


John Robinson

Webinar

Components of Strong Cybersecurity Program - A Closer Look at Endpoint Security Best Practices

Endpoint protection remains a core security challenge for many healthcare organizations and it is more important than ever for healthcare organizations to actively manage their full range of...

Among those terms, which one or two are best, or most understood, in your view?

The most understood, and the one that has the potential to become the standard term here, is micro-segmentation. But it’s a misnomer. It’s what I would call tentacle segmentation, really. Micro-segmentation has a nice ring to it. What that really is, is a technical approach that makes network security more flexible, by applying software-defined policies, rather than manual configuration.

How many IT security professionals in patient care organizations are still manually configuring their network segmentation?

The vast majority of healthcare organizations are still back in the manual configuration phase, trying to address rapidly evolving threat vectors with a manual methodology that just can’t keep up. You can’t type fast enough, basically, to do manual configuration in order to keep up with the threat vectors that are accelerating on a daily basis.

And the new wave in this area is software configuration, correct? What’s involved in software configuration, and how does it make a difference?

Creating a software-defined network allows you to apply policies, processes, and procedural rules to the traffic and data on the network itself, as opposed to manual configuration, where you are still manipulating software, but where you’re still essentially twisting wires. So this is not something that’s an alternative to manual configuration. You still need to electronically twist the wires, as it were, to keep your basic physical infrastructure chugging along, but you apply software definitions to that network so that you’re looking not at physical attributes of connectivity, but at the data flowing across that physical infrastructure, and applying polices and rules to that data, to make sure it goes where you want it to go, and doesn’t go where you don’t want it to go.

What are the key differences between software-configured and manually configured network segmentation?

With software-configured network segmentation, you can start with, I’m not going to let anybody in, and then loosen from there, whereas with physical configuration, you’re starting off allowing everyone to connect.

In other words, it’s like when a department store lets shoppers in one shopper at a time.

Right, and when they direct that shopper directly to a specific TV. However, there are some ‘gotchas’ there that have nothing to do with technology. You need to have, as an IT leader, a really good understanding of what you’ve got [in terms of information systems]. You need to know where all your users are, you need to know about all of your applications, and you need to understand who needs to connect to what. And that’s not easy.

In other words, you have to start with an overall strategy?

Yes, that’s right. In my mind, there’s no such thing as a tactical plan to address security at this level; it has to be strategic. You need to have this really intimate understanding of your environment, before you begin. Tactical responses are all, on the order of ‘X is happening, let’s do this.’ That’s like watching penguins on a beach: if something flies over the beach, all the penguins watch it fly over. Or if you’ve ever watched first-graders play soccer, that’s how most healthcare organizations respond to a security event.

So, put another way, you have to decide where your moats are going to be?

That’s what I would call legacy thinking about security. Let’s say you’ve got a hospital leadership team of 15 people, with all their areas of responsibility. If you were to ask those 15 people what’s most important, my guess is that you’d to get 20 answers. The reality is that importance is a perception. If I’m running the OR, then my surgery scheduling is far more important to me than purchasing. But if I’m running purchasing, well, you can’t run your OR unless I can buy you stuff. And if you take that approach, you end up with basically everything being important, and ultimately, nothing being important.

So rather than breaking the environment down by function, as you’ve just described, you basically need to organize the security environment—principally your data center—that’s where all your jewels are. And within the data center, rather than breaking it down into an applications VLAN, management VLAN, etc., put everything together in what I would call operational groups (finance, HR, etc.), and then within that grouping, create a policy-based environment to allow access to that group. It’s just a different way of thinking; it doesn’t change what’s in your data center; it’s a different way of structuring your data center.

And this is where people fall down—it’s really in understanding what’s in that data center. My bet is, if you were to come into any hospital and say, show me a list of the applications you run in your data center; they would actually struggle. They do not have the foundational components of having an application catalogue, or a configuration management database, that says who does what, when, and what they’re allowed to do. Until you do that, all these fancy security technologies are going to be difficult to implement, and you’ll spend a lot of money delivering a security solution, because you don’t really have a full picture of your environment, so you don’t really know when you’re done.

What are your thoughts and perspectives on how to handle the core EHR [electronic health record], in the context of these newer ideas about network segmentation?

Let’s say you’ve got a highly integrated EHR environment, as with Epic, Cerner, or any of the big EHR vendors. The challenge there is that you’ve put all your eggs into one rather significant basket. There are very good reasons to do that, but from a security standpoint, it’s a bit of a nightmare. So in order to provide the level of patient care you want to provide, via a highly centralized EHR, you have to allow users from all across the organization to access that functionality, which is these days usually controlled by a Citrix access layer or a virtualization access layer. And that’s where you can apply some degree of control, in that access or virtualization access layer.

That provides a policy-ish kind of layer between the users and the core, which says, if I know that this virtual terminal is in labor and delivery, being able to apply a software-defined policy, I should never see someone using that terminal accessing patient accounts. You do have a bit of granularity there. It’s not as good as it should be because you’re starting with a centralized EHR, but you can at least minimize the risk exposure.

In other words, essentially, you can break up the EHR, in the context of a segmentation strategy.

Yes, that’s right, you can. The challenge is, there’s no free lunch here. If you start to partition your EHR environment with an eye to security, then you create operational problems, because at the end of the day, you want all these bits of the EHR to communicate with each other. So that creates problems at the end of the line.

What is the ideal strategy for the EHR, in the context of all of this?

That’s really a good question. I’m not sure that there actually is an ideal. I think that what we have to come to is a grand compromise of operational sustainability and functional flexibility. It’s one of those things where you can’t have all of one or all of the other. You have to make it as secure as you can, while keeping it functional. Because total security would mean pen and paper. But per your example of the hospital being down for weeks, that’s a management problem, not a technical problem. The technology exists to prevent that, by appropriate uses of backup, of business continuity strategies, and in making a commitment and investment to your core infrastructure to say, I know there will be vulnerabilities. Look at two core vulnerabilities of the CPU chips in the computer, the Intel, called Meltdown and Specter. In the end, you need to mature your approach, to realize that security is a business imperative, and not something that IT needs to do to keep the place safe.


The Health IT Summits gather 250+ healthcare leaders in cities across the U.S. to present important new insights, collaborate on ideas, and to have a little fun - Find a Summit Near You!


/article/cybersecurity/where-network-segmentation-headed-one-industry-expert-has-good-idea
/news-item/cybersecurity/phishing-attack-healthcare-provider-impacts-128k-patient-records

Phishing Attack on Healthcare Provider Impacts 128K Patient Records

November 21, 2018
by Heather Landi, Associate Editor
| Reprints

New York Oncology Hematology, based in Albany, New York, is notifying its patients and employees that an unauthorized user may have gained access to several employee email accounts, and, potentially, accessed employee or patient data as a result of a phishing attack back in April.

The healthcare provider posted a message on its website stating, “NYOH has determined an unauthorized user may have gained access to several employee email accounts through a series of targeted phishing emails. While NYOH and its partners are not aware of any actual access to or attempted misuse of patient or employee information related to this incident, we continue to take steps to protect our patients and employees’ information.”

Media coverage by The Daily Gazette puts the number of employees and patients at 128,400.

According to NYOH, the phishing emails sent were sophisticated in that they appeared as a legitimate email login page, which convinced the NYOH personnel to enter their user names and passwords. “These credentials were then harvested and used by the attackers to gain access to the email accounts, which were typically only accessible for a short period of hours before access was terminated,” officials said.

On April 20, 2018, a phishing incident occurred through which an unauthorized user gained access to 14 employee email accounts –typically only for a few hours at most, the organization said. A second incident occurred between April 21, 2018 and April 27, 2018, when one additional email account became accessible. Immediately upon discovery of the incidents, NYOH’s IT vendor, took steps to reset passwords, shutting down access to these accounts.

NYOH was subsequently notified of the suspected unauthorized access by its IT vendor. NYOH initiated its incident response protocol to determine the scope and severity of the phishing attacks. NYOH hired an outside forensic firm to conduct a review of the content of the accounts.

Following a thorough analysis, on October 1, they determined that one or more of the affected email accounts contained protected health information and other personal information of patients or employees, the organization said.

The organization said the following information may have been contained in the affected email accounts: names, dates of birth, home addresses, email addresses, insurance information, medical information such as test results, diagnostic codes, account numbers, and service dates. In very limited circumstances, the accounts also contained patient and employee Social Security and driver’s license numbers.

“While we are not aware of any access to or attempted misuse of patient or employee information related to this incident, out of an abundance of caution, NYOH mailed letters to all NYOH patients and employees on November 16, 2018. This letter includes directions for enrolling in 12 months (or longer as required by law) of free identity theft and credit monitoring services through Experian,” the organization stated.

Email hack at HealthEquity

HealthEquity, a health savings account provider with headquarters in Utah, reported to the U.S. Department of Health and Human Services (HHS) data breach portal that 165,800 patient records were impacted by an email hacking incident.

According to DataBreaches.net, HealthEquity notified the California Attorney General’s Office that on October 5, the company’s IT security team identified unauthorized logins to two HealthEquity employees’ email accounts.  

The investigation was unable to conclusively rule out – or rule in – whether the attacker accessed and viewed emails in those accounts that contained personal and/or protected health information, DataBreaches.net reported.

In a statement to DataBreaches.net, HealthEquity officials stated, “Through a third-party forensic research team, we have discovered that approximately 190,000 may have been impacted. We have begun notifying these individuals and offering 5-year credit monitoring services.”

More From Healthcare Informatics

/news-item/cybersecurity/study-internal-negligence-not-hackers-responsible-half-data-breaches

Study: Internal Negligence, Not Hackers, Responsible for Half of Data Breaches

November 20, 2018
by Heather Landi, Associate Editor
| Reprints
Click To View Gallery

While high-profile data breaches perpetrated by cyber criminals and hackers often make big headlines, a recent study found that more than half of healthcare data breaches are a result of internal issues, not external factors.

With regard to health data breaches, hospitals, doctors’ offices and even insurance companies are oftentimes the culprits, according to researchers from Michigan State University and Johns Hopkins University.

For the study, John (Xuefeng) Jiang, lead author and associate professor of accounting and information systems at MSU’s Eli Broad College of Business, and co-author Ge Bai, associate professor at the John’s Hopkins Carey Business School, dove deeper to identify triggers of the PHI data breaches. They reviewed nearly 1,150 cases between October 2009 and December 2017 that affected more than 164 million patients. The study was published in JAMA Internal Medicine.

The new research follows the joint 2017 study that showed the magnitude of hospital data breaches in the United States. The research revealed nearly 1,800 occurrences of large data breaches in patient information over seven years, with 33 hospitals experiencing more than one substantial breach.

The study found that more than half of the recent personal health information (PHI) data breaches were because of internal issues with medical providers – not because of hackers or external parties.

“There’s no perfect way to store information, but more than half of the cases we reviewed were not triggered by external factors – but rather by internal negligence,” Jiang said in a press release about the study.

“Every time a hospital has some sort of a data breach, they need to report it to the Department of Health and Human Services and classify what they believe is the cause,” Jiang said. “These causes fell into six categories: theft, unauthorized access, hacking or an IT incident, loss, improper disposal or ‘other.’”

After reviewing detailed reports, assessing notes and reclassifying cases with specific benchmarks, Jiang and Bai found that 53 percent were the result of internal factors in health care entities.

“One quarter of all the cases were caused by unauthorized access or disclosure – more than twice the amount that were caused by external hackers,” Jiang said. “This could be an employee taking PHI home or forwarding to a personal account or device, accessing data without authorization, or even through email mistakes, like sending to the wrong recipients, copying instead of blind copying or sharing unencrypted content.”

Of the external breaches, theft accounted for 33 percent with hacking credited for just 12 percent.

Mobile devices were involved in 46 percent of cases, while paper records accounted for just 29 percent of breaches, the researchers report in the study. Employees taking data home or forwarding it to personal email accounts contributed to 74 breaches in the study, or about 6.5 percent of cases.

Mailing mistakes accounted for two-thirds of the data breaches involving communication errors by employees, the study also found.

Some data breaches might result in minor consequences, such as obtaining the phone numbers of patients, but others can have much more invasive effects. For example, when Anthem, Inc. suffered a data breach in 2015, 37.5 million records were compromised. Many of the victims were not notified immediately, so weren’t aware of the situation until they went to file their taxes only to discover that a third-party fraudulently filed them with the data they obtained from Anthem, the study authors wrote.

As a result of their research, Jiang and Bai suggest health care providers adopt internal policies and procedures that can tighten processes and prevent internal parties from leaking PHI by following a set of simple protocols. The procedures to mitigate PHI breaches related to storage include transitioning from paper to digital medical records, safe storage, moving to non-mobile policies for patient-protected information and implementing encryption. Procedures related to PHI communication include mandatory verification of mailing recipients, following a “copy vs. blind copy” protocol (bcc vs cc) as well as encryption of content, the study authors said in the press release.

“Not putting on the whole armor opened health care entities to enemy’s attacks,” Bai said. “The good news is that the armor is not hard to put on if simple protocols are followed.”

Next, Jiang and Bai plan to look even more closely at the kind of data that is hacked from external sources to learn what exactly digital thieves hope to steal from patient data.

 

Related Insights For: Cybersecurity

/news-item/cybersecurity/cybersecurity-telehealth-and-interoperability-top-mind-it-execs-2019

Cybersecurity, Telehealth and Interoperability “Top of Mind” for IT Execs in 2019

November 19, 2018
by Heather Landi, Associate Editor
| Reprints
Click To View Gallery

As health system leaders look ahead to the challenges and opportunities of the coming year, they are increasing their spending to defend against cyberattacks, expressing optimism about reimbursement for telehealth services, and feeling anxiety about Apple, Amazon and Google entering the health care space, according to a new survey.

The second annual survey, conducted by the Pittsburgh-based Center for Connected Medicine (CCM) in partnership with the Health Management Academy, reflects the opinions of healthcare C-suite leaders from nearly 40 major U.S. health systems across the country about their IT priorities for the year ahead. CCM is a collaborative health care executive briefing center jointly operated by GE Healthcare, Nokia and UPMC. The Alexandra, Va.-based Health Management Academy is a membership organization consisting of executives from the country’s top 100 health systems focused on sharing best practices.

Conducted in three parts, the research started with a survey of health system information officers—CIOs, chief medical informatics officers (CMIOs) and chief nursing informatics officers (CNIOs— in May 2018 to determine the top areas of health IT for 2019. A quantitative survey was conducted in July 2018 with questions focused on cybersecurity, telehealth and interoperability. In September 2018, qualitative interviews were completed with 18 C-suite executives, including chief executive officers, chief operating officers, CIOs and CMIOs.

According to the survey report, “Top of Mind for Top Health Systems 2019,” health system executive leaders identified cybersecurity, telehealth and interoperability as the top three areas of health IT that will have the most impact in 2019. Cybersecurity remained at the top of the list from the previous year’s survey, and telehealth and interoperability climbed the ranking. The previous year’s Top of Mind report had identified cybersecurity, consumer-facing technology, and predictive analytics as the top three areas of focus for 2018.

“While consumerism and analytics remain hot topics in health care, it was not surprising to see telehealth and interoperability rise in the minds of health IT executives for 2019. Policymakers, in particular, have emphasized telehealth and interoperability in the past year, and the threats of cyberattacks and data breaches are constant in health care,” the report authors wrote.

While healthcare executive leaders cited those three topics as immediate, pressing concerns, when asked what health IT technologies they anticipated would have the most impact on health care five years from now, health system executive leaders identified artificial intelligence, consumer technology, and genomics. According to the report, one CNIO said: “The technology is moving so fast that it is hard to predict five years out. I would not have picked some of these for 2019 one year ago.”

Cybersecurity

Hackers and other cyber-criminals are stepping up their attacks on the health care industry, leading 87 percent of respondents to say they expect to increase spending on cybersecurity in 2019; no health system was expecting to decrease spending. Half of respondents expect a spending increase greater than five percent.

For 2019, health systems said they would invest cybersecurity resources to bolster current areas of investment, with many focusing on both staff and technology, such as firewalls, intruder detection software, and dual authentication that guard against breach of protected health information (PHI).

Despite increasing financial investment and prioritization of cybersecurity at health systems, executives did not express robust confidence in their organization’s IT recovery and business continuity plans after an attack or breach. Seven out of 10 respondents reported being “somewhat confident” in their recovery and continuity plans; only 20 percent said they were “very confident.”

The most commonly cited challenge in cybersecurity was employee education—62 percent of respondents named “staff” as greatest point of cybersecurity weakness. What’s more, phishing and spear-phishing were cited as the most common types of cyberattacks in the previous 12 months.

According to the report, one CEO commented during an interview: “The people that are up to no good have far better tools than we do on our platforms. If they really target you, they will likely find a way in.… We are not trying to make it impenetrable, but we are trying to make it more difficult to break into our system than others in our market.”

Telehealth

Health information technology (IT) leaders overwhelmingly expect government and commercial reimbursement to provide the majority of funding for telehealth services by 2022; internal funding and patient payments are expected to provide the majority of funding for telehealth in 2019.

Government policy is driving some of this optimism, the report authors wrote. “For example, CMS [The Centers for Medicare & Medicaid Services] published a proposal in July 2018 that provided three new remote patient monitoring reimbursement medical codes. While some critics have said the proposal’s $14 reimbursement for virtual check-ins is too low, the move by CMS appears to cement telehealth reimbursement as a priority for the agency.”

All responding health systems report telehealth accounts for 10 percent or less of their organization’s total care delivery, however, over the next three years, 45 percent of respondents expect use of telehealth to increase by 10 percent or more. Lack of reimbursement was cited as the most significant barrier to adopting greater telehealth services, cited by 70 percent of respondents.

Most health system executives interviewed for the study said their health system had not yet calculated a specific return on investment (ROI) for telehealth. But systems are investing anyway as a hedge that future reimbursement will outweigh the potential losses of today, according to the survey report. “For the moment, reimbursement is widely thought of in terms of physician time, but as technologies evolve, the question will be whether reimbursement will expand to hardware. Investment can also be seen as a bellwether for provider sentiment toward transformation to value-based care,” the report authors wrote.

When considering a telehealth technology system, top features/priorities are “integration with the clinical workflow” and “ease of patient triage and virtual follow-up,” according to the survey.

Need for Innovation Drives Focus on Interoperability

Interoperability has emerged as a key challenge in health care as hospitals and health systems pursue value-based care, consumerism, and other initiatives that require broad sets of data from disparate IT systems, the report noted. As the health care industry continues to evolve, provider health systems are having to think more creatively about their strategies in order to remain successful.

A lack of interoperability has made it more difficult for health systems to address certain key priorities, most commonly improved efficiency / cost reduction, and advanced analytics, the report said. Additionally, executives report challenges addressing care gap closure, longitudinal patient data, and integration with non-owned partners

More than half of respondents (61 percent) said the use of a major electronic health record (EHR) system was not stifling digital innovation at their health system. However, in qualitative interviews, several executives said an EHR was limiting their ability to innovate by locking them into a single vendor’s products, according to the report.

Seventy percent of informatics executive said they were “somewhat concerned” about big tech companies, such as Apple, Amazon and Google, disrupting the health care market; 10 percent were “very concerned,” the survey found.

The report quotes one CEO who said: “They are new competitors that look very different from traditional health care competitors. They are better in their space and can catch up quickly. Current stakeholders are resistant to change. If we’re slow and dodgy we’re going to get lapped.”

The survey also examined the role of the cloud in the future of health IT. The majority of health care data is expected to be stored in on-premises data centers (20 percent) or hybrid / private cloud (60 percent) in the next three years, according to the survey, and 10 percent said they anticipate storing health data in a public cloud.

 

See more on Cybersecurity

betebettipobetngsbahis bahis siteleringsbahis