A secure network with no disruption to users and service is essential for the operations of any enterprise, but owing to its time-critical nature perhaps nowhere is it as vital as in the health care industry. Additionally, taking a device offline in a hospital setting can literally put a person's life at risk, which adds a level of complexity to securing the network.
Granular and flexible controls are also needed to address variations in policy, such as in emergency room settings versus guest networks. Failing to adhere to the latest regulatory and compliance mandates can also have serious consequences for an organization.
When Michael Pinch, CISO at the University of Rochester Medical Center in Rochester, N.Y., assessed these challenges not so long ago, he was well aware that the evolution in mobile technology had altered the game plan. There were three primary issues he and his 13-member IT staff set out to solve.
“The growing use of bring-your-own-device (BYOD) among doctors, researchers and other personnel means there are 15,000 additional devices on the network, many of which were unsecured and unauthorized,” says Pinch.
Second was the need for visibility into all the endpoints in the facility's environment. “Many of our endpoints are also medical devices and equipment – like heart monitors and ultrasound machines,” he says. “The FDA regulates medical devices, and regulations prohibit installing anything on them, including agents.”
The University of Rochester Medical Center (URMC) has three hospitals and supports research and medical schools separate from the University of Rochester, and so has its own IT teams. The URMC has approximately 15,000 employees. It is one of the nation's top academic medical centers and forms the centerpiece of the university's health research, teaching, patient care and community outreach missions. The university's health care delivery network is anchored by Strong Memorial Hospital – a 739-bed, university-owned teaching hospital. The medical center is headquartered in Rochester, N.Y., and has more than 160 physical locations.
To shore up its network systems, Pinch brought the IT and networking teams, the asset management department and the risk and compliance teams together to select a solution. The center already used tools from Bradford, Cisco and ForeScout, and found that the Bradford and Cisco tools did not meet its new requirements.
“ForeScout CounterACT's agentless approach was key,” says Pinch, “as was its ability to give us full visibility into all devices, including medical devices connected to or attempting to connect to our network.”
CounterACT's flexible policy engine also played a big role in the selection, he adds, as it allows his team to group devices, enforce policies and remediate devices quickly and easily. “We can also use network enforcement and virtual firewall technology within CounterACT, which allows us to logically create segregated networks of users based on who they are or their device characteristics.”
The Rochester IT team also uses CounterACT to identify medical devices and place them in their own group. “When we notice on the network that those devices may be misbehaving, rather than blocking them, which might be the default path that we take for an end-user device, we can treat these separately, and automatically create a high-priority ticket to have someone go out and examine the device,” says Pinch.
He touts the solution as flexible and comprehensive. “It helps our network gain complete visibility and control of every device, including medical equipment and users connecting to the networks without disruption.”
“ForeScout CounterACT appliances work with existing wired and wireless infrastructure and offer installation wizards and numerous plugins to streamline integration,” says Scott Gordon, chief marketing officer at ForeScout Technologies.
The tool automatically identifies, classifies and applies policy to all network devices – including connected medical equipment – without requiring the installation of agents and without any prior knowledge of the endpoint, he says.
“CounterACT ships with numerous policies out of the box and offers a more flexible approach to understanding security posture, changing unacceptable behavior and enforcing policy depending on role, device and exposure,” Gordon says. “For example, it can inform users if they are not meeting policy, enable users to take corrective action, or directly attempt to remediate issues. It can also instantly block unauthorized systems consuming resources in health care buildings.”
As an alternative to security policies that enforce network access based on device type or offer basic guest registration, Gordon says, ForeScout CounterACT includes advanced guest management capabilities that allow for the collection of more details about the visitor and their devices while sharing this information with other systems, incorporating authorization procedures and enforcing a broader range of guest controls.
“Devices on the network are continuously monitored to ensure that they remain compliant with the organization's security policies,” says Gordon. “CounterACT's patented Active Response technology identifies zero-day and targeted attacks, and if attempted, ForeScout can automatically block the attack and contain malware propagation.”
Pinch says the tool is easy to manage on a day-to-day basis. “We have purposefully added a great deal of complexity to take advantage of the extreme flexibility and integration capabilities of the tool, so we intentionally move slowly and test heavily to ensure no user interruptions,” he says.
With the tool, Pinch says he can identify essentially every device on the network and what is running on it, so he has a good fingerprint of all of the activity. “Even better than just on-and-off network access, rather than just blocking network access altogether, we can put them on a virtual firewall that doesn't have access to PHI, so they can still, perhaps, get their job done if they don't have an encrypted computer.”
The solution also assists with HIPAA compliance, a major factor in Pinch's decision to go with ForeScout. His team created a policy to place all medical devices into one group. Then, if they detect an issue with a device, such as out-of-date anti-virus, they can automatically generate a high-priority help-desk ticket and deal with the issue immediately. “This also helps us with HIPAA compliance,” says Pinch.
With role-based access policies, CounterACT will only allow authorized users to have access to particular systems or segments where patient data is stored, adds Gordon. “CounterACT can also verify that encryption products are running on machines that have been authorized to contain patient data and to disable any unauthorized USB devices (such as external storage devices) connected to these endpoints.”
For a medical center with a great deal of activity unrelated to PHI, Pinch and his team also want to protect employees such as researchers appropriately without being overly controlling. The tool gives him the ability to identify researchers who do not handle PHI and are not subject to the same HIPAA requirements, relax the standard for them somewhat, and move them into a separate, less tightly controlled network segment. “That's something that I think is going to be met with a lot of welcome in the research area that typically doesn't like to be highly regulated and controlled,” he says.
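The policy flow the article describes (a misbehaving medical device gets a high-priority ticket instead of a block, an unencrypted user machine is parked behind a virtual firewall with no PHI access, non-PHI researchers go to a less controlled segment, unauthorized systems are blocked, and a stale anti-virus client is repaired automatically) is modelled below as an added example. It is not CounterACT's API or URMC's actual policy; the group labels, endpoint fields, segment names and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Endpoint:
    name: str
    group: str          # assumed group labels: "medical", "user", "researcher"
    authorized: bool    # registered/known device rather than unmanaged BYOD
    encrypted: bool     # disk encryption verified on the endpoint
    av_current: bool    # anti-virus client healthy and up to date
    misbehaving: bool   # anomalous network behaviour observed
    handles_phi: bool   # role works with protected health information

@dataclass
class Decision:
    action: str                    # allow / block / segment / ticket / remediate
    segment: Optional[str] = None  # assumed segment names used below
    ticket_priority: Optional[str] = None

def decide(ep: Endpoint) -> Decision:
    # Medical devices are never blocked or given agents; a problem raises a
    # high-priority ticket so a person goes out and examines the device.
    if ep.group == "medical":
        if ep.misbehaving or not ep.av_current:
            return Decision("ticket", ticket_priority="high")
        return Decision("allow")
    # Unauthorized systems consuming network resources are blocked outright.
    if not ep.authorized:
        return Decision("block")
    # Researchers who do not touch PHI go to a less tightly controlled segment.
    if ep.group == "researcher" and not ep.handles_phi:
        return Decision("segment", segment="research-low-control")
    # An unencrypted user machine keeps working behind a virtual firewall
    # with no route to PHI systems, rather than losing access altogether.
    if not ep.encrypted:
        return Decision("segment", segment="no-phi-vfw")
    # A broken or stale AV client on a managed PC gets an automated repair.
    if not ep.av_current:
        return Decision("remediate")
    return Decision("allow")

def evaluate(inventory):
    return {ep.name: decide(ep).action for ep in inventory}

# Constructed sample inventory (not real URMC data).
SAMPLE_INVENTORY = [
    Endpoint("heart-monitor-7", "medical", True, False, False, True, True),
    Endpoint("visitor-tablet", "user", False, False, False, False, False),
    Endpoint("lab-workstation", "researcher", True, True, True, False, False),
    Endpoint("nurse-laptop", "user", True, False, True, False, True),
]
```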
The deployment of the ForeScout tool reaches across the network, says Pinch – essentially the whole company across all sites, divisions and hospitals – and gives his team complete visibility and control of all connected devices, BYOD devices and medical equipment within URMC.
That is possible because CounterACT integrates with the broadest array of network and wireless infrastructure, security and log management, endpoint protection suite and mobile device management (MDM) vendors, says Gordon. “Leveraging this integration, ForeScout can obtain and share a broad range of endpoint configuration, event and policy compliance details and receive information to manage access, mitigate threats and remediate problems. As a result, health care organizations optimize their investments and resources.”
On the horizon
As for the future, Pinch says his team will continue to develop policies to help automate the management and mitigation of devices on the Rochester network. “We have started to use the tool to automatically identify broken SCCM [System Center Configuration Manager] and Sophos clients and then perform automated repairs of these clients with custom scripts we have built,” he says. “We've had three full-time interns doing nothing but this for years, and we can now repurpose them.”
What Pinch says he is even more excited about is an integration with Bromium, a product for sandboxing zero-day attacks and APTs. “While we could put the Bromium client on every computer, we are instead going to put it on our users that are most often compromised.” From there, he says, his team can use ForeScout to get the intel on every identified piece of malware found by Bromium, and ForeScout can then check every other machine on the network for the same running processes, allowing his team to gain exponential benefits from the facility's other toolsets.
Further, one of the primary challenges in the health care industry is to inventory network devices. Medical devices often have a small footprint on the network or should not be interfered with because of their proprietary nature and importance to the medical staff. “Over the last few years, an ever-increasing number of mobile devices has become a standard part of the health care environment, and each day we have to deal with a diverse array of users and devices – including tablets, PCs, laptops, phones, wireless medical devices and network infrastructure – which are constantly changing,” says Pinch. “Physicians want to use the technologies to which they are accustomed, while IT has to account for personal device use as well as network access for both staff and guests.”
Rochester also has visiting doctors and community doctors handling patients' personal medical information, and this adds another complicated layer to implementing a secure BYOD policy, as these visiting employees often use their own technologies to access sensitive data on the networks. With its new implementation, these concerns are a thing of the past, says Pinch.