“It is my opinion that the Internet is a very dangerous place, but our internal networks are just as dangerous because they allow nearly unfettered access to resources once an internal user has been authenticated.” -Kyle Jeske
Overhauling Network Infrastructures
Networking, and more specifically, network security is presently in the midst of one of the largest
overhauls since its implementation. And likely your practice is behind the trend.
Largely, the infrastructure hasn’t changed in the last 20 years. There has been advancement
in certain categories – like adding passwords to workstations, interoperability of shared
devices and in large part attempts to restrict general access by way of authenticating the
So what’s the problem? And more to the point – why should you care?
As an owner, practice manager, or service provider, in addition to any moral obligation one may
feel, it can be argued that you have a mandate to protect the privacy of your patients. The
practice, depending on its size, is literally holding up to hundreds of thousands of records on its
patients. Which on the black market, is more valuable than credit card or banking information by
up to a factor of 15x.
If your practice were to see 10 patients a day, 50 a week, and then works 49 weeks per year –
that’s 2,450 patients a year. If a hacker were to unload your patient record data in one shot,
that’s worth up to a quarter million dollars for them – and a lifetime of problems just starting for
The problem we all share is our approach to security. Unfortunately, it’s not a tangible item that
can be implemented once and left alone. While good design patterns will help, your security has
to be a strategy that is flexible and will evolve along with the people who are trying to steal from
It is further compounded by the proliferation of single-purpose security products (firewall,
switches, access points) embedded across networks. The tendency is as the network grows to
add security devices to an already overburdened network. (Add a physical firewall, a wireless
access device with a password, or device XYZ). This attempt to secure the network actually does
the opposite, as it introduces complexity and reduces a centralized view of the network as a
Armed with medical records a thief is capable of levels of fraud that a simple credit card number
or bank account wouldn’t otherwise be possible. Additional steps are required to secure and
protect both the patient and the practice.
How does your network rate?
If I were to ask you to rate your network, on a scale of 1 to 10 (best being most secure) – how do
you think you’d do?
Here are a few questions we use to help identify risks within a network:
1. Who has access to it? (The WHO)
If asked, could you provide a list of devices, end-users, and their access paths across your
entire network within one minute? Could you do it?
2. How did they gain access? (the Where)
Where did each user gain access to your network? Was it from a workstation? Was it a
wireless access point? Did they jump an IP phone cable and gain an unauthorized IP
address? – Each and every device should have only one known entry point. Can you tell
me where each device entered the network?
3. When did each user first start and then subsequently stop their access to your network?
(The WHEN)When did each user last use access to the network? How long were they using it? And if
they’re still on it when does their access expire? – Each device should have a limit on its
use, whether that is login hours or access within a given logical network.
If you are unable to answer each of these questions with precision, I’d advise taking a closer look
at the tools you’re using to secure your network. After a breach occurs, the best tool will be
information about your infrastructure. Being able to answer these questions quickly and
accurately will not only help get to the root of the problem but implement counter measures so
that moving forward they don’t occur in the same place again.
Safety through Visibility
The problem we encounter with placing individual devices on networks to offer security, is that
they are typically an afterthought and have no meaningful way of direct communication, thus
adding no real value to securing the network as a whole.
Our goal is to add visibility to all user actions and habits. Implementing a least access
principle and setting up roles and policies based on usage requirements.
Each section of your business will typically have different information access requirements, for
example, perhaps only your exam room needs localized network access to the practice
management software, not the internet. So you add that room into an isolated group, setup a
policy that says only give access to the management software and restrict all other access. Why
give external access to a primarily internal resource? This just introduces unnecessary risk to the
The key to all of this will be to first identify, segment and isolate the different areas of the
network, then tie them together through security fabrics. By doing this, we start to see a much
clearer picture into the user traffic patterns through a single pane view and increase our overall
awareness of users on the network.
If we shift focus away from what is trying to come into the network and start to ask ourselves
questions like: What information is traveling around the network? Who is sending data to where?
And best of all, why is this data being transferred or accessed? We begin to identify holes in our
network and then implement layers of protection against unnecessary risk, potential data loss
and harmful actors.
By taking a more collaborative approach across the entire infrastructure, network security
managers can enable a broad and dynamic defense strategy for the long term.
If you’d like to discuss your network or talk about its security in more depth; I’m available via
email (firstname.lastname@example.org) or by phone (1-727-314-8050). Kyle Jeske, co-owner of KWC MSP and KW Consulting & Solutions, a service provider based in Clearwater, Florida. Specializing in technology solutions, security, and management for dental and medical practices and can be reached at 1-727-314-8050 or email@example.com.