“It is my opinion that the Internet is a very dangerous place, but our internal networks are just as dangerous because they allow nearly unfettered access to resources once an internal user has been authenticated.” -Kyle Jeske
Overhauling Network Infrastructures
Networking, and more specifically network security, is presently in the midst of one of the largest overhauls since its implementation, and your practice is likely behind the trend. Largely, the infrastructure hasn’t changed in the last 20 years. There has been advancement in certain categories, such as adding passwords to workstations, interoperability of shared devices and, in large part, attempts to restrict general access by authenticating the individual user.
So what’s the problem? And more to the point – why should you care?
As an owner, practice manager, or service provider, in addition to any moral obligation one may feel, it can be argued that you have a mandate to protect the privacy of your patients. The practice, depending on its size, is literally holding up to hundreds of thousands of records on its patients, which on the black market are more valuable than credit card or banking information by up to a factor of 15x.
If your practice were to see 10 patients a day, 50 a week, and work 49 weeks per year, that’s 2,450 patients a year. If a hacker were to unload your patient record data in one shot, that’s worth up to a quarter million dollars for them, and a lifetime of problems just starting for you.
The problem we all share is our approach to security. Unfortunately, it’s not a tangible item that can be implemented once and left alone. While good design patterns will help, your security has to be a strategy that is flexible and will evolve along with the people who are trying to steal from you.
The problem is further compounded by the proliferation of single-purpose security products (firewalls, switches, access points) embedded across networks. The tendency, as the network grows, is to add security devices to an already overburdened network (add a physical firewall, a wireless access device with a password, or device XYZ). This attempt to secure the network actually does the opposite, as it introduces complexity and reduces the centralized view of the network as a whole.
Armed with medical records, a thief is capable of levels of fraud that would not be possible with a simple credit card number or bank account. Additional steps are required to secure and protect both the patient and the practice.
How does your network rate?
If I were to ask you to rate your network, on a scale of 1 to 10 (best being most secure) – how do you think you’d do?
Here are a few questions we use to help identify risks within a network:
1. Who has access to it? (The WHO) If asked, could you provide a list of devices, end-users, and their access paths across your entire network within one minute? Could you do it?
2. How did they gain access? (The WHERE) Where did each user gain access to your network? Was it from a workstation? Was it a wireless access point? Did they jump an IP phone cable and gain an unauthorized IP address? Each and every device should have only one known entry point. Can you tell me where each device entered the network?
3. When did each user first start and then subsequently stop their access to your network? (The WHEN) When did each user last access the network? How long were they using it? And if they’re still on it, when does their access expire? Each device should have a limit on its use, whether that is login hours or access within a given logical network.
If you are unable to answer each of these questions with precision, I’d advise taking a closer look at the tools you’re using to secure your network. After a breach occurs, the best tool will be information about your infrastructure. Being able to answer these questions quickly and accurately will not only help get to the root of the problem but also help you implement countermeasures so that, moving forward, breaches don’t occur in the same place again.
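As an added illustration (not part of the original article), here is one way to answer the WHO, WHERE and WHEN questions from session records and flag the two rules stated above: one known entry point per device, and a limit on each device's use. The record layout, device names and login hours are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample access records (not from the article): one row per network session.
# Fields: device, user, entry point, session start, session end (None = still connected).
SESSIONS = [
    ("ws-frontdesk", "alice", "switch1/port3", "2024-03-04 08:02", "2024-03-04 17:01"),
    ("ws-exam1", "bob", "switch1/port7", "2024-03-04 08:30", "2024-03-04 16:45"),
    ("ws-exam1", "bob", "ap-lobby", "2024-03-04 22:15", None),
    ("voip-04", "unknown", "switch2/port1", "2024-03-04 02:10", "2024-03-04 02:40"),
]
# Assumed policy: permitted login hours per device; devices not listed have no policy.
ALLOWED_HOURS = {
    "ws-frontdesk": (time(7, 0), time(18, 0)),
    "ws-exam1": (time(7, 0), time(18, 0)),
}
FMT = "%Y-%m-%d %H:%M"

def audit(sessions, allowed_hours):
    """Build the WHO / WHERE / WHEN inventory and return (inventory, findings)."""
    inventory = defaultdict(lambda: {"users": set(), "entry_points": set(), "last_seen": None})
    findings = []
    for device, user, entry, start, end in sessions:
        started = datetime.strptime(start, FMT)
        rec = inventory[device]
        rec["users"].add(user)           # WHO
        rec["entry_points"].add(entry)   # WHERE
        if rec["last_seen"] is None or started > rec["last_seen"]:
            rec["last_seen"] = started   # WHEN
        window = allowed_hours.get(device)
        if window is None:
            findings.append((device, "device has no access policy"))
        elif not (window[0] <= started.time() <= window[1]):
            findings.append((device, f"session started outside login hours via {entry}"))
        if end is None:
            findings.append((device, f"session from {start} has no end or expiry"))
    for device, rec in inventory.items():
        if len(rec["entry_points"]) > 1:
            findings.append((device, "more than one entry point: " + ", ".join(sorted(rec["entry_points"]))))
    return dict(inventory), findings

if __name__ == "__main__":
    inv, problems = audit(SESSIONS, ALLOWED_HOURS)
    for device, rec in sorted(inv.items()):
        print(device, sorted(rec["users"]), sorted(rec["entry_points"]), rec["last_seen"])
    for device, msg in problems:
        print("FINDING", device, msg)
```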
Safety through Visibility
The problem we encounter with placing individual devices on networks to offer security is that they are typically an afterthought and have no meaningful way of communicating directly with one another, thus adding no real value to securing the network as a whole.
Our goal is to add visibility to all user actions and habits. That means implementing a least access principle and setting up roles and policies based on usage requirements.
Each section of your business will typically have different information access requirements. For example, perhaps only your exam room needs localized network access to the practice management software, not the internet. So you add that room into an isolated group and set up a policy that gives access only to the management software and restricts all other access. Why give external access to a primarily internal resource? This just introduces unnecessary risk to the practice.
The key to all of this will be to first identify, segment and isolate the different areas of the network, then tie them together through security fabrics. By doing this, we start to see a much clearer picture of user traffic patterns through a single pane view and increase our overall awareness of users on the network.
If we shift focus away from what is trying to come into the network and start to ask ourselves questions like: What information is traveling around the network? Who is sending data to where? And best of all, why is this data being transferred or accessed? We begin to identify holes in our network and then implement layers of protection against unnecessary risk, potential data loss and harmful actors.
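The exam-room policy and the "who is sending data to where" question can be combined into a single check, shown here as an added example that is not from the original article: a default-deny segment policy evaluated against internal flow records. The addressing plan, the server address and port, and the front-desk rule are assumptions; the flow records are constructed, and the external address comes from a documentation range.

```python
import ipaddress

# Assumed addressing plan and segment names (illustrative only).
INTERNAL = ipaddress.ip_network("10.10.0.0/16")
SEGMENTS = {
    "exam_rooms": ipaddress.ip_network("10.10.20.0/24"),
    "front_desk": ipaddress.ip_network("10.10.30.0/24"),
    "servers": ipaddress.ip_network("10.10.99.0/24"),
}
PMS = (ipaddress.ip_address("10.10.99.10"), 443)  # hypothetical practice management server

# Least-access policy: anything not listed is denied.
# Exam rooms reach only the practice management software, never the internet.
POLICY = {
    "exam_rooms": [("host", PMS)],
    "front_desk": [("host", PMS), ("internet", 443)],  # assumed extra rule
}

def segment_of(ip):
    """Return the name of the segment containing ip, or None if it is in none."""
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None

def allowed(src, dst, port):
    """True only if the source segment has a rule that matches this flow."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for kind, target in POLICY.get(segment_of(src_ip), []):
        if kind == "host" and (dst_ip, port) == target:
            return True
        if kind == "internet" and dst_ip not in INTERNAL and port == target:
            return True
    return False

def violations(flows):
    """Flows that the policy would not have permitted."""
    return [f for f in flows if not allowed(*f)]

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.10.20.15", "10.10.99.10", 443),   # exam room -> practice management: allowed
    ("10.10.20.15", "203.0.113.10", 443),  # exam room -> internet: denied
    ("10.10.30.8", "203.0.113.10", 443),   # front desk -> internet: allowed
    ("10.10.30.8", "10.10.20.15", 3389),   # front desk -> exam room: denied
    ("10.10.50.77", "10.10.99.10", 443),   # source outside every known segment: denied
]

if __name__ == "__main__":
    for flow in violations(FLOWS):
        print("VIOLATION", flow)
```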
By taking a more collaborative approach across the entire infrastructure, network security managers can enable a broad and dynamic defense strategy for the long term.
If you’d like to discuss your network or talk about its security in more depth, I’m available via email (firstname.lastname@example.org) or by phone (1-727-314-8050).
Kyle Jeske is co-owner of KWC MSP and KW Consulting & Solutions, a service provider based in Clearwater, Florida, specializing in technology solutions, security, and management for dental and medical practices. He can be reached at 1-727-314-8050 or email@example.com.