“ForeScout CounterACT appliances work with existing wired and wireless infrastructure and offer installation wizards and numerous plugins to streamline integration,” says Scott Gordon, chief marketing officer at ForeScout Technologies.
The tool automatically identifies, classifies and applies policy to all network devices – including connected medical equipment – without requiring the installation of agents and without any prior knowledge of the endpoint, he says.
“CounterACT ships with numerous policies out of the box and offers a more flexible approach to understanding security posture, changing unacceptable behavior and enforcing policy depending on role, device and exposure,” Gordon says. “For example, it can inform users if they are not meeting policy, enable users to take corrective action, or directly attempt to remediate issues. It can also instantly block unauthorized systems consuming resources in health care buildings.”
As an alternative to security policies that enforce network access based on device type or offer basic guest registration, Gordon says, ForeScout CounterACT includes advanced guest management capabilities that allow for the collection of more details about the visitor and their devices while sharing this information with other systems, incorporating authorization procedures and enforcing a broader range of guest controls.
“Devices on the network are continuously monitored to ensure that they remain compliant with the organization's security policies,” says Gordon. “CounterACT's patented Active Response technology identifies zero-day and targeted attacks, and if attempted, ForeScout can automatically block the attack and contain malware propagation.”
Pinch says the tool is easy to manage from a day-to-day basis. “We have purposefully added a great deal of complexity to take advantage of the extreme flexibility and integration capabilities of the tool, so we intentionally move slowly and test heavily to ensure no user interruptions,” he says.
With the tool, Pinch says he can identify essentially every device on the network and what is running, so he has a good fingerprint of all of the activity. “Even better than just on-and-off network access, rather than just blocking network access altogether, we can put them on a virtual firewall that doesn't have access to PHI, so they can still, perhaps, get their job done if they don't have an encrypted computer.
The solution also assists with HIPAA compliance, a major factor in Pinch's decision to go with ForeScout. His team created a policy to place all medical devices into one group. Then, if they detect an issue with a device, such as out-of-date anti-virus, they can automatically generate a high-priority help-desk ticket and deal with the issue immediately. “This also helps us with HIPAA compliance,” says Pinch.
With role-based access policies, CounterACT will only allow authorized users to have access to particular systems or segments where patient data is stored, adds Gordon. “CounterACT can also verify that encryption products are running on machines that have been authorized to contain patient data and to disable any unauthorized USB devices (such as external storage devices) connected to these endpoints.”
For a medical center that has a lot of non-PHI related activity, Pinch and his team also want to be able to protect employees, such as researchers, appropriately while not being overly controlling. So the tool offers him the potential to identify researchers who don't work within PHI and are not subject to the same HIPAA standards, and so essentially lower the standard a bit and shuffle them off into another area that is less controlled. “That's something that I think is going to be met with a lot of welcome in the research area that typically doesn't like to be highly regulated and controlled,” he says.
The deployment of the ForeScout tool reaches across the network, says Pinch – essentially the whole company across all sites, divisions and hospitals – and gives his team complete visibility and control of all connected devices, BYOD devices and medical equipment within URMC.
That is possible because CounterACT integrates with the broadest array of network and wireless infrastructure, security and log management, endpoint protection suite and mobile device management (MDM) vendors, says Gordon. “Leveraging this integration, ForeScout can obtain and share a broad range of endpoint configuration, event and policy compliance details and receive information to manage access, mitigate threats and remediate problems. As a result, health care organizations optimize their investments and resources.”