Healthcare network security has become more complicated over the years because of the explosion of mobile device connectivity. And because it’s so difficult for healthcare organizations to have a firm grasp on where their perimeters begin and end, they must look for new ways to ensure networks are secure both internally and externally.
Panelists who took part in a talk titled “Data Security in the Cloud: Leveraging the Low-Cost Advantages while Managing Risk” at the recent iHT2 conference in Boston discussed how they perceive healthcare network security and access controls. John Meyers, PhD, Assistant Professor of Medicine and Director of Technology, Department of Medicine, Boston University Medical Center, sparked the talk by explaining how occasionally there’s going to be some protected health information (PHI) out there that shouldn’t be. But if an organization limits the number of users who have access to the data, it can help mitigate those risks.
David Reis, PhD, CISO, VP of IT Governance, PMO and Security at Lahey Health explained how Lahey essentially stopped trusting its inside network two years ago in the same way it doesn’t trust everyone externally. When asked what this change in trust measures meant, Reis said there were a few different considerations involved, starting with no longer trusting internal users.
Not because the users are untrustworthy, but because things happen. In that regard, because we don’t trust the network, we really don’t use data loss prevention (DLP) anymore because it’s untrustworthy. The problem with DLP is it only knows what it can see, so if it’s encrypted data you can’t see it; then exfiltration happens at the encryption level and DLP doesn’t intervene.
Reis added that Lahey may use DLP at the perimeter to see what’s happening, but it no longer sees it as a silver bullet. Lahey has also implemented serious network access controls (NAC), which it uses because it’s more interested in knowing about user activity than in stopping users. Alongside these robust NACs, Reis explained how Lahey doesn’t allow random devices to plug in, and it must know what was plugged in, who was associated with the device and for how long.
We also have a robust data exfiltration capability that we’ve instituted at the core of the network and the perimeter so we can watch data flows. Looked at that way, it becomes illuminating pretty quickly and easy to flesh things out. You ask where the data is moving in and out from, what devices are plugging in and out and what users are doing once they’re plugged in.
In terms of potential user pushback, Reis said that no user intervention is required; these policies and NACs just give the organization the ability to track what users are doing. Meyers went on to say that there’s been some interesting academic research that shows that just by tracking traffic patterns, an organization can tell how friendly an activity is.
And this relates not only to data transmitted, but packet sizes and sources where it needs to meet certain criteria based on algorithms to determine whether traffic is friendly or not. I think over time, vendors will start to include these on edge-type firewall appliances. Today, we have rules, where tomorrow we’ll have weighted genetic algorithms to try to determine whether or not a new pattern is friendly.