A secure network with no disruption to users and service is essential for the operations of any enterprise, but owing to its time-critical nature perhaps nowhere is it as vital than in the health care industry. Additionally, taking a device offline in a hospital setting can literally put a person's life at risk, so this adds a level of complexity to securing the network.
Granular and flexible controls are also needed to address variations in policy, such as in emergency room settings versus guest networks. In general, there are also security issues that can have serious implications if a company doesn't adhere to the latest regulatory and compliance mandates.
When Michael Pinch (below), CISO at the University of Rochester Medical Center in Rochester, N.Y., assessed these challenges not so long ago, he was well aware that the evolution in mobile technology had altered the game plan. There were three primary issues he and his 13-member IT staff set out to solve.
“The growing use of bring-your-own-device (BYOD) among doctors, researchers and other personnel means there are 15,000 additional devices on the network, many of which were unsecured and unauthorized,” says Pinch.
Second was the need for visibility into all the endpoints in the facility's environment. “Many of our endpoints are also medical devices and equipment – like heart monitors and ultra-sound machines,” he says. “The FDA regulates medical devices, and regulations prohibit installing anything on them, including agents.”
The University of Rochester Medical Center (URMC) has three hospitals and supports research and medical schools separate from the University of Rochester, so has separate IT teams. The URMC has approximately 15,000 employees. It is one of the nation's top academic medical centers and forms the centerpiece of the university's health research, teaching, patient care and community outreach missions. The university's health care delivery network is anchored by Strong Memorial Hospital – a 739-bed, university-owned teaching hospital. The medical center is headquartered in Rochester, N.Y., and has more than 160 physical locations.
To shore up its network systems, Pinch and the IT and networking teams, asset management department and risk and compliance teams were all involved in the process to come up with a solution. The center already used tools from Bradford, Cisco and ForeScout and found Bradford and Cisco not compatible with its new needs.
“ForeScout CounterACT's agentless approach was key,” says Pinch, “as was its ability to give us full visibility into all devices, including medical devices connected to or attempting to connect to our network.”
CounterACT's flexible policy engine also played a big role in the selection, he adds, as it allows his team to group devices, enforce policies and remediate devices quickly and easily. “We can also use network enforcement and virtual firewall technology within CounterACT, which allows us to logically create segregated networks of users based on who they are or their device characteristics.”
The Rochester IT team also uses CounterACT to identify medical devices so as to create a group of them. “When we notice on the network that those devices may be misbehaving, rather than blocking them, which might be the default path that we take for an end-user device, we can treat these separately, and automatically create a high-priority ticket to have someone go out and examine the device,” says Pinch.
He touts the solution as flexible and comprehensive. “It helps our network gain complete visibility and control of every device, including medical equipment and users connecting to the networks without disruption.”