Among the numerous critical elements in the healthcare data and IT security area that is gaining more attention these days, and at more granular levels, is the set of issues around information system network segmentation. Network segmentation, as a concept, is far from new, including in healthcare; indeed, very broad network segmentation strategies have been an element in overall data and IT security plans at many U.S. patient care organizations for years. But the ongoing acceleration in cyberattacks on patient care organizations, including through phishing-driven ransomware and other malware intrusions—most often via phishing emails sent to staff members at patient care organizations—is compelling the discussion forward.
Specifically, industry experts are urging CIOs, CISOs, CTOs, and other healthcare IT leaders in patient care organizations to think about new, more sophisticated forms of network segmentation, including “micro-segmentation.” What is micro-segmentation? One industry expert, John Robinson, a senior advisor with the Naperville, Ill.-based Impact Advisors consulting firm, has a good handle on the topic. The North Ridgeville, Ohio-based consultant, who specializes in strategic technology consulting, has been with Impact Advisors for nearly two years. Previously, he had spent time at Dell Health Consulting, and prior to that, at the MetroHealth integrated health system in Cleveland, and at Catholic Health Initiatives in Denver. Robinson spoke recently with Healthcare Informatics Editor-in-Chief Mark Hagland about these issues, as Hagland interviewed industry experts for the upcoming Special Report on Cybersecurity. Below are excerpts from their interview.
When you look at the subject of network segmentation at a 40,000-foot-up level, what are the biggest issues, from your perspective?
From a senior management perspective, the biggest issues are, firstly, nobody’s really clear what it is. There are so many variations on the theme. There’s network segmentation, micro-segmentation, security segmentation, network partitioning. It’s a million names for essentially the same thing.
Among those terms, which one or two are best, or most understood, in your view?
The most understood, and the one that has the potential to become the standard term here, is micro-segmentation. But it’s a misnomer. It’s what I would call tentacle segmentation, really. Micro-segmentation has a nice ring to it. What that really is, is a technical approach that makes network security more flexible, by applying software-defined policies, rather than manual configuration.
How many IT security professionals in patient care organizations are still manually configuring their network segmentation?
The vast majority of healthcare organizations are still back in the manual configuration phase, trying to address rapidly evolving threat vectors with a manual methodology that just can’t keep up. You can’t type fast enough, basically, to do manual configuration in order to keep up with the threat vectors that are accelerating on a daily basis.
And the new wave in this area is software configuration, correct? What’s involved in software configuration, and how does it make a difference?
Creating a software-defined network allows you to apply policies, processes, and procedural rules to the traffic and data on the network itself, as opposed to manual configuration, where you are still manipulating software, but where you’re still essentially twisting wires. So this is not something that’s an alternative to manual configuration. You still need to electronically twist the wires, as it were, to keep your basic physical infrastructure chugging along, but you apply software definitions to that network so that you’re looking not at physical attributes of connectivity, but at the data flowing across that physical infrastructure, and applying polices and rules to that data, to make sure it goes where you want it to go, and doesn’t go where you don’t want it to go.
What are the key differences between software-configured and manually configured network segmentation?
With software-configured network segmentation, you can start with, I’m not going to let anybody in, and then loosen from there, whereas with physical configuration, you’re starting off allowing everyone to connect.
In other words, it’s like when a department store lets shoppers in one shopper at a time.
Right, and when they direct that shopper directly to a specific TV. However, there are some ‘gotchas’ there that have nothing to do with technology. You need to have, as an IT leader, a really good understanding of what you’ve got [in terms of information systems]. You need to know where all your users are, you need to know about all of your applications, and you need to understand who needs to connect to what. And that’s not easy.
In other words, you have to start with an overall strategy?
Yes, that’s right. In my mind, there’s no such thing as a tactical plan to address security at this level; it has to be strategic. You need to have this really intimate understanding of your environment, before you begin. Tactical responses are all, on the order of ‘X is happening, let’s do this.’ That’s like watching penguins on a beach: if something flies over the beach, all the penguins watch it fly over. Or if you’ve ever watched first-graders play soccer, that’s how most healthcare organizations respond to a security event.
So, put another way, you have to decide where your moats are going to be?