
By David Miller
Imagine a castle and moat with walls impervious to outside attacks. Traditional network security is a lot like a castle-and-moat design: it has big walls that seem impassable for outside threats trying to gain access to the network. This is a good model of a trusted and secured network. In such a network, administrators simply control access into the network from outside. However, in this model, the people inside the castle can still operate freely. What happens when someone who is not supposed to be there gains access from inside the castle? Consider malware or a virus that makes its way inside a traditional network by exploiting a vulnerability in hardware, software or firmware. It spreads freely until it is caught and isolated. This type of cyberattack is known as a zero-day attack. It is a breach that no one predicted would occur, and the first instance of it is considered like the first day of an epidemic, hence “zero-day.” It is becoming increasingly frequent amongst the different types of ransomware attacks as hackers become more and more inventive. These attacks are happening more often, sometimes even taking hospitals’ data hostage until the attackers’ demands are met. How do we protect ourselves against this threat? Enter zero trust security.
Zero trust security requires strict identity verification for every person and device trying to connect to the network. By default it blocks everything and everyone that tries to access the network, from both inside and outside. The details of the requestor must be entered into the system before access to the network is granted. This can be implemented with MAC filtering, Active Directory logins, certificates, access fobs, dongles, chip cards or a combination thereof. Zero trust security would be like having castle guards escort all civilians within the castle. A zero trust architecture trusts no one within the network. Everyone is on lockdown. One must have the proper authentication to communicate. In short, it protects against threats that remain unknown.
Unified threat management (UTM) provides a complete protection package against network threats, utilizing a form of zero trust architecture. It is more advanced than a standard access control list (ACL). UTM is a hardware or cloud-based solution that provides comprehensive protection against network threats. As discussed in previous articles, traditional network security should utilize a combination of ACLs, VPNs and subnetting to segment and protect network traffic. A UTM integrates all these concepts into one reactive system. If, for example, an IP is violating the ACL policies, a UTM can react just like a guard in the castle. There is a wide range of options, from completely shutting down the communication to isolating the machine on its own VLAN while monitoring its behavior. Just like the guard, sometimes stopping a potential threat too early limits information-gathering options. UTMs can monitor, isolate, track and evaluate communications using ACL settings. UTMs can listen to and evaluate network traffic to ensure that all the IPs, and their respective users, are acting in the best interest of the network. It is the full implementation of a zero trust network.
The Department of Veterans Affairs Office of Information and Technology utilizes Cisco Identity Services Engine (ISE) as its form of UTM. ISE is a one-stop solution to streamline security policy management. It serves as an authentication appliance for wired and wireless devices across a network. ISE preserves business integrity by standardizing access and policy in line with the network’s objectives. ISE gathers information from the switch ACLs to enforce policy, manage VLAN endpoints, authenticate users via servers and deliver trusted access. It accomplishes this by enforcing a zero-trust architecture.
Transitioning from traditional network security to ISE network security for healthcare technology management (HTM) departments is relatively pain-free in the planning and design but painful in the implementation. HTM professionals will need to identify, in detail, all medical devices that operate on the hospital network, particularly the VLAN, MAC and IP of each device. UTMs require a full description of what a device is, who it communicates with, and what HTM expects the machine to do. This information is uploaded into the ISE hardware and communicated out to all network switches. Once a medical device connects to a switch, it must be on the ISE list to communicate freely. If there is any deviation from the list, the network port is blocked and no network traffic can occur. The painful portion of implementation is the actual go-live date. Plan for three to five days of full-time troubleshooting as HTM departments identify medical equipment that falls off the network after ISE is implemented. The majority of the troubleshooting comes down to identifying medical equipment that was not inventoried into ISE. Most commonly this is because of mistakes either in the HTM professional’s documentation or in the IT professional’s entry of that information into ISE. Communicate with the customers and set expectations. Ensure they know when the transition will occur and what they can do to help troubleshoot. Immediately after implementation, set the expectation that a C-arm may not pull the worklist from the electronic medical record. That way the department can be vigilant about having someone in surgery test equipment before use. If a device is found to be deficient, the team can report the room location and identification number so the HTM Informatics team can troubleshoot the communication quickly.
Let’s go back to a zero-day attack and see how a UTM system works. Imagine that a hacker has discovered a vulnerability on a medical device that has not yet been patched or updated by the vendor. Using an onsite vulnerability, such as direct system access, the hacker utilizes this exploit to upload ransomware onto the hospital network, hoping to encrypt patient files and hold patient records hostage to extort thousands of bitcoins. The UTM scans the new network data, inspecting packet headers and using deep packet inspection. The UTM identifies the new requests as unusual behavior for the compromised medical device. It recognizes this as a threat and, in milliseconds, isolates the device from the rest of the network. This prevents any further compromise. HTM and IT professionals can now identify the infected medical device, disinfect the system and perform a risk assessment on the attempted hack. The overall network was protected, and it all happened nearly instantaneously. This would be an example of an ideal implementation of UTM.
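The inventory-driven enforcement described in the two passages above (a device must be on the ISE list with its recorded VLAN and IP or its port is blocked, and a known device that starts talking to peers HTM never expected is isolated on its own VLAN) modelled as a small added Python example. This is not Cisco ISE's code or the VA's configuration; the MAC addresses, IPs, VLAN numbers, device roles and flow records are constructed for illustration.

```python
"""Toy zero-trust policy engine: default deny for anything not inventoried,
quarantine for inventoried devices that deviate from their expected peers."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Device:
    mac: str                  # identity the switch port sees
    ip: str                   # IP HTM recorded for this device
    vlan: int                 # VLAN HTM recorded for this device
    allowed_peers: frozenset  # hosts/subnets HTM expects it to talk to


# Constructed sample inventory (hypothetical devices and addresses).
INVENTORY = {
    "00:11:22:33:44:55": Device("00:11:22:33:44:55", "10.20.1.10", 120,
                                frozenset({"10.20.5.0/24"})),  # C-arm -> worklist/PACS subnet
    "00:11:22:33:44:66": Device("00:11:22:33:44:66", "10.20.1.11", 120,
                                frozenset({"10.20.5.20"})),    # infusion pump -> its server
}
QUARANTINE_VLAN = 999  # isolation VLAN where traffic is still monitored


def decide(mac: str, src_ip: str, vlan: int, dst_ip: str) -> str:
    """Enforcement decision for one observed connection attempt."""
    dev = INVENTORY.get(mac.lower())
    if dev is None:
        return "BLOCK_PORT"  # not inventoried: port is blocked outright
    if dev.ip != src_ip or dev.vlan != vlan:
        return "BLOCK_PORT"  # deviation from the recorded VLAN/IP
    dst = ip_address(dst_ip)
    for peer in dev.allowed_peers:
        if dst in ip_network(peer, strict=False):
            return "ALLOW"
    # Known device, unexpected destination: isolate but keep observing it.
    return f"QUARANTINE_VLAN_{QUARANTINE_VLAN}"


# Constructed flows: (mac, src_ip, vlan, dst_ip).
FLOWS = [
    ("00:11:22:33:44:55", "10.20.1.10", 120, "10.20.5.3"),   # C-arm pulls worklist
    ("aa:bb:cc:dd:ee:ff", "10.20.1.50", 120, "10.20.5.3"),   # device nobody inventoried
    ("00:11:22:33:44:66", "10.20.1.11", 120, "10.20.1.10"),  # pump reaching for the C-arm
]


def audit(flows=FLOWS):
    """Apply the policy to every flow; returns (mac, decision) pairs."""
    return [(mac, decide(mac, src, vlan, dst)) for mac, src, vlan, dst in flows]
```

The second flow is the go-live failure mode the article warns about: a legitimate device missing from the inventory is indistinguishable from an intruder and loses its port until it is documented.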
Most medical devices are connected to a network infrastructure in some fashion. The growth over the past 10 years has been exponential. While medical device communication and interoperability have never been better, faster and stronger, they have also never been so vulnerable to cyberattacks and ransomware. There are many solutions developed to help make a network secure, and the current gold standard is to utilize a UTM solution. Implementation of this technology is not a novelty. Currently, a UTM is a must and in the future, it may be a legal requirement.
David Miller is the biomed department chief at VISN 17: VA North Texas Health Care System, Dallas Veterans Affairs Medical Center.

