Ensuring network security for healthcare systems is a challenge. Recent initiatives focused on the quality of care require network infrastructures that allow providers to access medical resources from anywhere at any time. With this increased mobility, combined with HIPAA regulations, there is demand for security solutions that provide maximum network access, while protecting against data threats.
The best method for meeting this balance is through the implementation of a network access control (NAC) solution. NAC ensures only the right users with the right devices gain access to appropriate resources. With this real-time control, adequate policy enforcement for mobile medical personnel and management of access from inside the network perimeter are within reach.
With the requirement for real-time access, devices such as laptops, smartphones and handhelds are being used to deliver patient information. Healthcare providers have the ability, regardless of location, to access that information.
However, these unmanaged mobile devices introduce risk since they are typically not part of the network and not controlled by the network administration. By implementing an agentless NAC solution, control is regained with minimum disruption to the user. A NAC system will detect guest devices from wherever medical professionals are logging in and apply a pre-determined policy with the appropriate connectivity levels and enforcement options.
For example, policies can be created that allow access for mobile doctors and alert the administrator to violations so they can be corrected at a more convenient time. Additionally, if a NAC solution with built-in intrusion prevention technology is employed, threats such as "zero-day" worms can be stopped without affecting doctors' access, by blocking only the infected port.
There are many workstations in healthcare institutions and each location and user requires a different set of access rights. For example, community volunteers should not be permitted access to confidential patient information, whereas emergency department personnel require nearly unlimited access. Until the advent of NAC technologies, this delineation was only possible through the physical separation of network segments.
Beyond typical non-user devices, such as IP printers and fax machines, health organizations have the added challenge of medical devices connected to the hospital-wide network, such as EKG, CRT, and ultrasound machines. The connectivity of these devices permits a higher level of care by allowing staff to log in anywhere to monitor information.
Unfortunately, without an adequate level of security, hackers can spoof the MAC or IP address assigned to one of these devices. These devices have the same access to information flow on the network but have largely been ignored because no agents are available for them. Some agentless NAC solutions, however, apply the same level of security to these devices as they would to other managed user devices. NAC monitors each device's behavior and stops activity that departs from its typical profile, for example ensuring that an EKG machine only communicates the kind of data an EKG machine should.
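The device profiling described above, together with the guest-policy and block-only-the-port enforcement mentioned earlier, can be illustrated with a small policy engine. This is an added example, not ForeScout's code or any vendor's product logic; the inventory, per-class communication profiles, port numbers, switch port names and flow records are all constructed, and the MAC/IP binding check is one simple way to surface the address spoofing the article warns about.

```python
"""Agentless device profiling for NAC: flag a known medical device whose traffic
departs from its class profile, and route unknown devices to a guest policy.
Added example; inventory, profiles, ports and flows are all constructed."""
from ipaddress import ip_address, ip_network

# Constructed inventory. Assumption: the NAC learned each device's MAC/IP binding
# and switch port when the device was first seen on the network.
INVENTORY = {
    "00:11:22:33:44:01": {"cls": "ekg",        "ip": "10.1.20.11", "port": "sw1/gi0/5"},
    "00:11:22:33:44:02": {"cls": "ultrasound", "ip": "10.1.20.12", "port": "sw1/gi0/6"},
    "00:11:22:33:44:03": {"cls": "ekg",        "ip": "10.1.20.13", "port": "sw1/gi0/7"},
}

# Constructed per-class profiles: the networks and (port, protocol) services a device
# of that class is expected to initiate connections to. Values are placeholders.
PROFILES = {
    "ekg":        {"dests": [ip_network("10.1.50.0/24")], "services": {(2575, "tcp")}},
    "ultrasound": {"dests": [ip_network("10.1.60.0/24")], "services": {(104, "tcp"), (11112, "tcp")}},
}


def check_flow(flow):
    """Return (severity, reason) findings for one outbound flow record."""
    dev = INVENTORY.get(flow["src_mac"])
    if dev is None:
        return [("info", "unknown_device")]
    findings = []
    # A known MAC appearing with a different IP is an early sign of spoofing or re-addressing.
    if flow["src_ip"] != dev["ip"]:
        findings.append(("high", "mac_ip_binding_mismatch"))
    prof = PROFILES[dev["cls"]]
    if not any(ip_address(flow["dst_ip"]) in net for net in prof["dests"]):
        findings.append(("high", "unexpected_destination"))
    if (flow["dst_port"], flow["proto"]) not in prof["services"]:
        findings.append(("high", "unexpected_service"))
    return findings


def analyze(flows):
    """Aggregate findings per source MAC and pick one enforcement action for each."""
    per_mac = {}
    for flow in flows:
        entry = per_mac.setdefault(flow["src_mac"], {"action": "allow", "reasons": []})
        for sev, reason in check_flow(flow):
            if reason not in entry["reasons"]:
                entry["reasons"].append(reason)
            if reason == "unknown_device":
                entry["action"] = "apply_guest_policy"
            elif sev == "high":
                # Quarantine only this device's switch port so other users keep their access.
                entry["action"] = "quarantine:" + INVENTORY[flow["src_mac"]]["port"]
    return per_mac


# Constructed flow records: a normal EKG upload, an ultrasound MAC with the wrong IP,
# an EKG machine probing a peer on an unexpected service, and an unknown guest device.
SAMPLE_FLOWS = [
    {"src_mac": "00:11:22:33:44:01", "src_ip": "10.1.20.11", "dst_ip": "10.1.50.5",  "dst_port": 2575, "proto": "tcp"},
    {"src_mac": "00:11:22:33:44:02", "src_ip": "10.1.20.99", "dst_ip": "10.1.60.7",  "dst_port": 104,  "proto": "tcp"},
    {"src_mac": "00:11:22:33:44:03", "src_ip": "10.1.20.13", "dst_ip": "10.1.20.12", "dst_port": 445,  "proto": "tcp"},
    {"src_mac": "aa:bb:cc:dd:ee:ff", "src_ip": "10.1.30.40", "dst_ip": "10.1.50.5",  "dst_port": 443,  "proto": "tcp"},
]

if __name__ == "__main__":
    for mac, verdict in analyze(SAMPLE_FLOWS).items():
        print(mac, verdict["action"], ",".join(verdict["reasons"]) or "-")
```

In a real deployment the profiles would be learned from observed traffic rather than hand-written, and a quarantine decision would normally be confirmed by more than one flow; the point here is that the policy decision keys on the device's observed behavior and its binding, not on an agent the device cannot run.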
It is imperative that security solutions deployed in today's infrastructures be flexible in order to maximize security while ensuring access to patient data and compliance with HIPAA regulations. A well-designed NAC solution will deliver automatic, role-based policy enforcement.
Author Information: Kent Elliott is CEO of Cupertino, Calif.-based ForeScout Technologies.