Where Is Network Segmentation Headed? One Industry Expert Has a Good Idea | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Where Is Network Segmentation Headed? One Industry Expert Has a Good Idea

February 19, 2018
by Mark Hagland
| Reprints
Impact Advisors’ John Robinson shares his perspectives on the new thinking around network segmentation, including around micro-segmentation and software configuration

Among the numerous critical elements in the healthcare data and IT security area that is gaining more attention these days, and at more granular levels, is the set of issues around information system network segmentation. Network segmentation, as a concept, is far from new, including in healthcare; indeed, very broad network segmentation strategies have been an element in overall data and IT security plans at many U.S. patient care organizations for years. But the ongoing acceleration in cyberattacks on patient care organizations, including through phishing-driven ransomware and other malware intrusions—most often via phishing emails sent to staff members at patient care organizations—is compelling the discussion forward.

Specifically, industry experts are urging CIOs, CISOs, CTOs, and other healthcare IT leaders in patient care organizations to think about new, more sophisticated forms of network segmentation, including “micro-segmentation.” What is micro-segmentation? One industry expert, John Robinson, a senior advisor with the Naperville, Ill.-based Impact Advisors consulting firm, has a good handle on the topic. The North Ridgeville, Ohio-based consultant, who specializes in strategic technology consulting, has been with Impact Advisors for nearly two years. Previously, he had spent time at Dell Health Consulting, and prior to that, at the MetroHealth integrated health system in Cleveland, and at Catholic Health Initiatives in Denver. Robinson spoke recently with Healthcare Informatics Editor-in-Chief Mark Hagland about these issues, as Hagland interviewed industry experts for the upcoming Special Report on Cybersecurity. Below are excerpts from their interview.

When you look at the subject of network segmentation at a 40,000-foot-up level, what are the biggest issues, from your perspective?

From a senior management perspective, the biggest issues are, firstly, nobody’s really clear what it is. There are so many variations on the theme. There’s network segmentation, micro-segmentation, security segmentation, network partitioning. It’s a million names for essentially the same thing.


John Robinson

Webinar

How to Assess IT Risk in a Healthcare Environment

In this webinar, Community Health System’s CISO Scott Breece and Lockpath's Sam Abadir will discuss the unique IT landscape of the healthcare industry and the challenges this presents for IT risk...

Among those terms, which one or two are best, or most understood, in your view?

The most understood, and the one that has the potential to become the standard term here, is micro-segmentation. But it’s a misnomer. It’s what I would call tentacle segmentation, really. Micro-segmentation has a nice ring to it. What that really is, is a technical approach that makes network security more flexible, by applying software-defined policies, rather than manual configuration.

How many IT security professionals in patient care organizations are still manually configuring their network segmentation?

The vast majority of healthcare organizations are still back in the manual configuration phase, trying to address rapidly evolving threat vectors with a manual methodology that just can’t keep up. You can’t type fast enough, basically, to do manual configuration in order to keep up with the threat vectors that are accelerating on a daily basis.

And the new wave in this area is software configuration, correct? What’s involved in software configuration, and how does it make a difference?

Creating a software-defined network allows you to apply policies, processes, and procedural rules to the traffic and data on the network itself, as opposed to manual configuration, where you are still manipulating software, but where you’re still essentially twisting wires. So this is not something that’s an alternative to manual configuration. You still need to electronically twist the wires, as it were, to keep your basic physical infrastructure chugging along, but you apply software definitions to that network so that you’re looking not at physical attributes of connectivity, but at the data flowing across that physical infrastructure, and applying polices and rules to that data, to make sure it goes where you want it to go, and doesn’t go where you don’t want it to go.

What are the key differences between software-configured and manually configured network segmentation?

With software-configured network segmentation, you can start with, I’m not going to let anybody in, and then loosen from there, whereas with physical configuration, you’re starting off allowing everyone to connect.

In other words, it’s like when a department store lets shoppers in one shopper at a time.

Right, and when they direct that shopper directly to a specific TV. However, there are some ‘gotchas’ there that have nothing to do with technology. You need to have, as an IT leader, a really good understanding of what you’ve got [in terms of information systems]. You need to know where all your users are, you need to know about all of your applications, and you need to understand who needs to connect to what. And that’s not easy.

In other words, you have to start with an overall strategy?

Yes, that’s right. In my mind, there’s no such thing as a tactical plan to address security at this level; it has to be strategic. You need to have this really intimate understanding of your environment, before you begin. Tactical responses are all, on the order of ‘X is happening, let’s do this.’ That’s like watching penguins on a beach: if something flies over the beach, all the penguins watch it fly over. Or if you’ve ever watched first-graders play soccer, that’s how most healthcare organizations respond to a security event.

So, put another way, you have to decide where your moats are going to be?

That’s what I would call legacy thinking about security. Let’s say you’ve got a hospital leadership team of 15 people, with all their areas of responsibility. If you were to ask those 15 people what’s most important, my guess is that you’d to get 20 answers. The reality is that importance is a perception. If I’m running the OR, then my surgery scheduling is far more important to me than purchasing. But if I’m running purchasing, well, you can’t run your OR unless I can buy you stuff. And if you take that approach, you end up with basically everything being important, and ultimately, nothing being important.

So rather than breaking the environment down by function, as you’ve just described, you basically need to organize the security environment—principally your data center—that’s where all your jewels are. And within the data center, rather than breaking it down into an applications VLAN, management VLAN, etc., put everything together in what I would call operational groups (finance, HR, etc.), and then within that grouping, create a policy-based environment to allow access to that group. It’s just a different way of thinking; it doesn’t change what’s in your data center; it’s a different way of structuring your data center.

And this is where people fall down—it’s really in understanding what’s in that data center. My bet is, if you were to come into any hospital and say, show me a list of the applications you run in your data center; they would actually struggle. They do not have the foundational components of having an application catalogue, or a configuration management database, that says who does what, when, and what they’re allowed to do. Until you do that, all these fancy security technologies are going to be difficult to implement, and you’ll spend a lot of money delivering a security solution, because you don’t really have a full picture of your environment, so you don’t really know when you’re done.

What are your thoughts and perspectives on how to handle the core EHR [electronic health record], in the context of these newer ideas about network segmentation?

Let’s say you’ve got a highly integrated EHR environment, as with Epic, Cerner, or any of the big EHR vendors. The challenge there is that you’ve put all your eggs into one rather significant basket. There are very good reasons to do that, but from a security standpoint, it’s a bit of a nightmare. So in order to provide the level of patient care you want to provide, via a highly centralized EHR, you have to allow users from all across the organization to access that functionality, which is these days usually controlled by a Citrix access layer or a virtualization access layer. And that’s where you can apply some degree of control, in that access or virtualization access layer.

That provides a policy-ish kind of layer between the users and the core, which says, if I know that this virtual terminal is in labor and delivery, being able to apply a software-defined policy, I should never see someone using that terminal accessing patient accounts. You do have a bit of granularity there. It’s not as good as it should be because you’re starting with a centralized EHR, but you can at least minimize the risk exposure.

In other words, essentially, you can break up the EHR, in the context of a segmentation strategy.

Yes, that’s right, you can. The challenge is, there’s no free lunch here. If you start to partition your EHR environment with an eye to security, then you create operational problems, because at the end of the day, you want all these bits of the EHR to communicate with each other. So that creates problems at the end of the line.

What is the ideal strategy for the EHR, in the context of all of this?

That’s really a good question. I’m not sure that there actually is an ideal. I think that what we have to come to is a grand compromise of operational sustainability and functional flexibility. It’s one of those things where you can’t have all of one or all of the other. You have to make it as secure as you can, while keeping it functional. Because total security would mean pen and paper. But per your example of the hospital being down for weeks, that’s a management problem, not a technical problem. The technology exists to prevent that, by appropriate uses of backup, of business continuity strategies, and in making a commitment and investment to your core infrastructure to say, I know there will be vulnerabilities. Look at two core vulnerabilities of the CPU chips in the computer, the Intel, called Meltdown and Specter. In the end, you need to mature your approach, to realize that security is a business imperative, and not something that IT needs to do to keep the place safe.


2018 Raleigh Health IT Summit

Renowned leaders in U.S. and North American healthcare gather throughout the year to present important information and share insights at the Healthcare Informatics Health IT Summits.

September 27 - 28, 2018 | Raleigh


/article/cybersecurity/where-network-segmentation-headed-one-industry-expert-has-good-idea
/news-item/cybersecurity/hipaa-settlements-three-boston-hospitals-pay-1m-fines-boston-med-filming

HIPAA Settlements: Three Boston Hospitals Pay $1M in Fines for “Boston Med” Filming

September 20, 2018
by Heather Landi, Associate Editor
| Reprints

Three Boston hospitals that allowed film crews to film “Boston Med” on premises have settled with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) over potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

According to OCR, the three hospitals—Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH) and Massachusetts General Hospital (MGH)—compromised the privacy of patients’ protected health information (PHI) by inviting film crews on premises to film “Boston Med,” an ABC television network documentary series, without first obtaining authorization from patients.

OCR reached separate settlements with the three hospitals, and, collectively, the three entities paid OCR $999,000 to settle potential HIPAA violations due to the unauthorized disclosure of patients’ PHI.

“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” Roger Severino, OCR director, said in a statement. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

Of the total fines, BMC paid OCR $100,000, BWH paid $384,000, and MGH paid $515,000. Each entity will provide workforce training as part of a corrective action plan that will include OCR’s guidance on disclosures to film and media, according to OCR. Boston Medical Center's resolution agreement can be accessed here; Brigham and Women’s Hospital's resolution agreement can be found here; and Massachusetts General Hospital's agreement can be found here.

This is actually the second time a hospital has been fined by OCR as the result of allowing a film crew on premise to film a TV series, with the first HIPAA fine also involving the filming of an ABC medical documentary television series. As reported by Healthcare Informatics, In April 2016, New York Presbyterian Hospital (NYP) agreed to pay $2.2 million to settle potential HIPAA violations in association with the filming of “NY Med.”

According to OCR announcement about the settlement with NYP, the hospital, based in Manhattan, violated HIPAA rules for the “egregious disclosure of two patients’ PHI to film crews and staff during the filming of 'NY Med,' an ABC television series.” OCR also stated the NYP did not first obtain authorization from the patients. “In particular, OCR found that NYP allowed the ABC crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop.”

The OCR director at the time, Jocelyn Samuels, said in a statement, “This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization. We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.” 

OCR’s guidance on disclosures to film and media can be found here.

More From Healthcare Informatics

/news-item/cybersecurity/independence-blue-cross-notifies-17k-patients-breach

Independence Blue Cross Notifies 17K Patients of Breach

September 19, 2018
by Rajiv Leventhal, Managing Editor
| Reprints

The Philadelphia-based health insurer Independence Blue Cross is notifying about 17,000 of its members that some of their protected health information (PHI) has been exposed online and has potentially been accessed by unauthorized individuals.

According to an article in HIPAA Journal, Independence Blue Cross said that its privacy office was informed about the exposed information on July 19 and then immediately launched an investigation.

The insurer said that an employee had uploaded a file containing plan members’ protected health information to a public-facing website on April 23. The file remained accessible until July 20 when it was removed from the website.

According to the report, the information contained in the file was limited, and no financial information or Social Security numbers were exposed. Affected plan members only had their name, diagnosis codes, provider information, date of birth, and information used for processing claims exposed, HIPAA Journal reported.

The investigators were not able to determine whether any unauthorized individuals accessed the file during the time it was on the website, and no reports have been received to date to suggest any protected health information has been misused.

A statement from the health insurer noted that the breach affects certain Independence Blue Cross members and members of its subsidiaries AmeriHealth HMO and AmeriHealth Insurance Co. of New Jersey. Fewer than 1 percent of total plan members were affected by the breach.

Related Insights For: Cybersecurity

/news-item/cybersecurity/report-healthcare-lags-other-industries-phishing-resiliency

Report: Healthcare Lags Other Industries in Phishing Resiliency

September 19, 2018
by Heather Landi, Associate Editor
| Reprints
Click To View Gallery

It’s no secret that the healthcare industry continues to be a target for cyber criminals and healthcare organization leaders face constantly evolving cyber threats. It's widely konwn that phishing attacks are a serious problem in the healthcare industry, yet the industry continue to lag behind other industries in its resiliency to phishing attacks, according to a recent report.

In 2017, there were 477 healthcare breaches reported to the U.S. Department of Health and Human Services (HHS) which affected a total of 5.579 million patient records. A Verizon 2018 Data Breach Investigations Report (DBIR) released in April found that the human factor continues to be a key weakness in data breaches. Financial pretexting and phishing represent 98 percent of social incidents and 93 percent of all breaches investigated—with email continuing to be the main entry point (96 percent of cases). And, that report found that while, on average, 78 percent of people did not fail a phishing test last year, 4 percent of people do for any given phishing campaign. A cybercriminal only needs one victim to get access into an organization.

In a recently released report, Cofense, a security software services company, specifically examined phishing attacks in healthcare. Cofense’s analysis is based on more than 160 sample healthcare clients over the last year (September 2017-2018) and the report explores how phishing endangers healthcare providers and provides steps organizations should be taking to boost their resiliency rate.

The report researchers examined healthcare’ resiliency to phishing attacks. Resiliency is the ratio between users who report a phish versus those who fall susceptible, according to the report. While resiliency in healthcare has improved in the past three years—from a rate of 1.05 in 2015 to a rate of 1.49 in 2018, so far—but it doesn’t mark dramatic improvement.

Based on a resiliency analysis across industries of the last 12 months, the healthcare industry clearly trails behind other industries in its phishing attack resiliency rate, as the average resiliency score for all industries was 1.79, according to the report.

The energy industry had a resiliency rate of 4.01, the financial services industry had a rate of 2.52, and the insurance industry had a rate of 3.03. The report’s researches surmise that one possible reason resiliency is higher in insurance versus healthcare is that insurance is tied to financial services, which is frequently attacked as well as heavily regulated.

“The healthcare industry knows better than most that phishing is a serious problem. But the industry is still playing catch-up in phishing resiliency,” the report authors wrote.

One factor that surely inhibits the industry’s resiliency is high turnover, according to the report. “With physicians, registered nurses, and administrative staff constantly churning, it’s hard to gain traction in the fight against phishing,” the report states.

Cofense builds and tracks phishing simulations for its customers in which users receive simulated phishes. Based on the company’s analysis of these phishing exercises, the top five phishing scenarios that healthcare workers most frequently clicked on, based on the email subject line, were requested invoice, manager evaluation, package delivery, Halloween eCard alert and beneficiary change.

The next five were Holiday eCard alert, HSA customer service email, employee raffle, file from scanner and Halloween costume guidelines.

“These wide-ranging scenarios show that vulnerability is spread across business and social contexts,” the report authors wrote. The analysis indicates low scores in Requested Invoice and e-Card simulations alike. “While some would argue that an e-Card would never evade their secure email gateways, remember the gaps created by BYOD (bring your own device). Not everyone is on the corporate network and protected by its email systems. When personal devices are exposed, a breach can easily ensue,” the report authors wrote.

The Cofense report also notes that phishing attackers are masters at pulling emotional levers, as “Requested Invoice” plays on urgency, and “Manager Evaluation” taps into urgency too, tinged with fear. What’s more, “Employee Raffle” is purely about the desire for reward. “These are scenarios any healthcare company will want to use in conditioning employees to be careful and not take the bait.

In previous years, Cofense reported that fear, urgency, and curiosity were the top emotional motivators behind successful attacks. Now they’re closer to the bottom, replaced by entertainment, social media, and reward/recognition,” the report authors wrote.

The trend shows that as Internet behavior changes, so do phishing attacks, according to the report authors. And the report authors note that any active threats that a company faces is fodder for training. Security professionals who manage phishing awareness programs should ask their incident responders or threat intelligence analysts which active phishing threats should be simulated, according to the report.

“To guard against the phishing onslaught, healthcare providers would be smart to create an end-to-end defense, following the lead of the company featured in the case study. A collaborative defense, built with technology and skilled humans, both users and security professionals, is the best way to lower risk,” the report authors wrote.

See more on Cybersecurity