The “internet of things” and connected-device revolution has arrived in hospitals around the world, and with it comes incredible promise for improved patient care and experience.

But as with many technology advancements, these new wonders introduce risks into our most critical systems. Keeping these devices both secure and in compliance requires a new way of thinking about security, one that can enforce specific policies at a granular level across the network.

Hospitals are held to stringent compliance and privacy requirements. At the same time, many hospitals are underfunded and end up with insufficient information technology. That’s one of the reasons healthcare organizations are such popular targets for cybercrimes, especially ransomware attacks.

IT professionals are not going to make the budget problems go away – not today, and certainly not for several years to come. So, what can be done in the meantime?

Automation, orchestration and segmentation

Although the technologies used to implement solutions to our common problems have certainly changed, the basics of how to secure a network have remained the same for decades: Automate, orchestrate and segment your networks. Apply the principle of least privilege as widely as possible.

• Automation is important for two reasons: repeatability and auditability. When something is automated, it does the same thing repeatedly in a predictable fashion. Predictability is good because it allows us to establish a baseline. From there, we can spot problems before they grow out of control with simple tools like anomaly detection. Automated systems can also be easily audited. In the case of individual systems, scripts can be examined to determine exactly what they do and how.
• Orchestration is automation at scale, across multiple systems, and typically makes auditing even easier.
• Segmentation breaks up networks. Systems that must communicate with one another are placed on a single network segment, but ideally IT teams would not put anything on a network segment that does not absolutely have to be there. That helps contain the spread of compromises when they inevitably occur.

But segmenting the old-school way, either physically or using VLANs, is hard. Not only is it tedious and annoying, but all sorts of systems are talking to one another all the time. Under a traditional segmentation model, individual systems might need to exist on multiple network segments simultaneously. The more systems that do this, the more vectors that exist for cross-segment compromise spread.

Microsegmentation

The principle of least privilege states that computer systems, end users and even the individual modules and processes within applications only ever be given the rights to access the data and resources required for their legitimate purpose and only for the duration of that required need. The real-world application of least privilege tends to make computers hard to use – and that is a big problem in a hospital.

Microsegmentation is the process of restricting what various workloads, endpoints and infrastructure components can talk to using orchestration platforms designed specifically for that task. Different providers go about this in different ways, but the basics are always the same. IT teams painstakingly fill a database with information about everything on their network. A workload/endpoint/infrastructure component talks to a bunch of things using applications/protocols/ports. Once the data is entered into the database, the network orchestration platform then locks everything down. 

A microsegmented network ensures that everything can only talk to what it is absolutely required to, and nothing else. That also limits the spread of compromise because an infected system can only compromise other systems it’s explicitly allowed to interact with.

If microsegmentation sounds like a hassle to get set up, you are not wrong. But once it is in place, it opens a realm of possibilities.

Why hospitals?

One of the problems hospitals have is that they use a lot of IoT devices, all sorts of medical equipment that runs out-of-date software and sensors for everything. There are patients and employees with smartphones, tablets and wearables. On top of this, hospitals have traditional office IT infrastructure to worry about and there is usually a big Virtual Desktop Infrastructure or VDI environment in play, too.

The VDI environment is mostly for ease of use: Staff need to be able to get access to data from any terminal or tablet, anywhere in the hospital. They may even need to get access to that information across multiple care facilities in multiple hospitals.

Consider, for a moment, a hospital with 1,000 medical devices all running on an out-of-date or unpatched operating system. The budget does not support updating them, but they must be kept securely operating. With no network segmentation of any kind, IT teams don’t stand a chance. The first person to click the wrong link will have every one of those 1,000 vulnerable medical devices mining bitcoin instead of keeping people alive.

Even without securing anything else in that hospital, microsegmenting just that class of device is almost certainly worth the cost of the microsegmentation software. But microsegmentation orchestration platforms can be told to do things based on a class of device – meaning IT administrators do not have to enter these restrictions for each device, just for the class of device. Every time one of them is connected to the network, they will be secured appropriately, no matter where they are connected throughout the entire network.

Microsegmentation can also be configured so that all unknown devices can be completely isolated from one another, with only the most basic access to information services until assigned a class. This can be thought of as a more powerful version of the isolation feature common in many commercial Wi-Fi access points and is the simplest way to deal with the massive explosion of IoT and mobile devices that is occurring. Most of these cannot be secured and, yet, IT has to get them on the network.

Suddenly, microsegmentation starts looking important. It is especially critical for environments like hospitals that are significantly ahead of the curve on IoT adoption. It is a technology that pays dividends that increase with time. Although that makes the return on investment hard to quantify on short timescales, it’s difficult to comprehend how the IoT-rich networks of tomorrow will be possible without it.

Trevor Pott is a product marketing developer at Juniper Networks Inc., focused on information security. He wrote this article for SiliconANGLE.

Photo: Darko Stojanovic/Pixabay