Paul German of Certes Networks advises healthcare organisations on the steps that can be taken to ensure their patient data is kept truly secure, especially in light of the recent breaches that have been hitting the headlines
In a world where everything is online, from patient information to medical history, there is a greater need for organisations to carefully consider who can access their systems.
In the past, sensitive patient data was kept under lock and key on paper in a filing cabinet. Today, healthcare data has been digitised, and with the move toward integrated care, organisations across the healthcare continuum are actively encouraged to share it. Yet data that is easy to share and easy to reach remotely is also easy to steal: a single intrusion, starting from nothing more than an unprivileged account, can now expose it, with extremely damaging consequences.
The storm of data breaches making the headlines over the past two years has shown that firewalls are largely ineffective at stopping the methods now favoured by cybercriminals. The main reason is that enterprise applications themselves have changed: they now span data centres, cloud services and remote users, so a perimeter firewall sees only a fraction of the traffic that matters. To adapt to these changed practices, security must become what is termed ‘software-defined’: decoupled from the network infrastructure and managed as an independent layer that follows the application rather than the network boundary.
Putting the right security measures in place is the only reliable way to reduce both the likelihood and the impact of a breach, and below is my advice for healthcare organisations on the steps that can be taken to ensure patient data is kept truly secure.
Step 1: Create a single point of control
Current methods for protecting networked applications are highly fragmented. In healthcare environments where multiple systems are accessed every day, each system and network typically uses its own protection methods and access policies, so no single policy protects a given application end-to-end. A key requirement for software-defined security is to consolidate these methods and their control into a single platform, so that the security manager has control over all shared applications across all domains. With this in place, it becomes easier to view and configure policies and to ensure that no gaps are left open for attackers to exploit.
Step 2: Make security application and user specific
Traditional security approaches focus on infrastructure, which can create segregation and boundaries between different physical domains. Instead, modern, software-defined security positions the security policies and protection functions around applications and users. In a hospital environment, this means security policies should be driven by the need for a given user, such as a consultant, junior doctor or nurse, to access a given application, such as patient records or results, based on their role in the enterprise. Modern cyber-security assumes that all networks are essentially untrusted and that no user, device or application can ever be fully trusted, meaning that consistent access policies can be created across users regardless of which network or device is being used. By adding crypto-segmentation to build secure walls between the identified groups of users and the applications they access, healthcare organisations can ensure that any breach is limited in scope.
Step 3: Construct secure systems from end-to-end
With such sensitive and critical data at stake, it is vital to make sure that sensitive applications are isolated and controlled from end-to-end, no matter where the user is, from the application server to the user’s end-point device. To adopt this approach, applications must be segmented, which means that each application’s traffic flow is isolated from every other flow, typically by encrypting it under keys that belong to that flow alone. The essential requirement is that this cryptographic segmentation stays with the flow along its whole journey, from the server in the data centre or the Cloud to the user on the internet or on a wireless device; a flow that is decrypted at an intermediate hop is no longer segmented.
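To make the three steps concrete, the following is an added example written for this page; it is not Certes Networks’ product or code, and the roles, application names and sample request data are constructed for illustration. It shows one central policy table (step 1), an access decision that looks only at the user’s role and the target application and deliberately ignores network and device (step 2), and a separate key per role/application segment so that a message protected for one segment fails authentication under any other segment’s key (step 3). The encryption is a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC tag) standing in for the AES-GCM or IPsec a real deployment would use, and the per-segment keys are derived from one root secret purely for brevity; in practice the central platform would provision each segment key independently.

```python
"""Role-based, network-agnostic access control with per-segment keys.

Added example for this article, not vendor code. Roles, applications and
sample requests below are constructed for illustration only.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Step 1, single point of control: the one table from which every access
# decision and every segment key flows. (Hypothetical roles and applications.)
POLICY = frozenset({
    ("consultant", "patient_records"),
    ("consultant", "lab_results"),
    ("junior_doctor", "patient_records"),
    ("junior_doctor", "lab_results"),
    ("nurse", "lab_results"),
    ("nurse", "ward_scheduling"),
})

# Illustration only: segment keys are derived from one root secret here so the
# example is self-contained; a real platform provisions each key separately.
ROOT_SECRET = secrets.token_bytes(32)


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    application: str
    network: str   # e.g. "hospital-lan", "home-broadband": never consulted
    device: str    # e.g. "managed-laptop", "personal-phone": never consulted


def is_allowed(req: Request) -> bool:
    """Step 2: only (role, application) matters, not where the request
    came from or which device sent it. All networks are untrusted."""
    return (req.role, req.application) in POLICY


def segment_key(role: str, application: str, root: bytes = ROOT_SECRET) -> bytes:
    """Step 3: each role/application pair is its own cryptographic segment."""
    label = f"{role}|{application}".encode()
    return hmac.new(root, b"segment:" + label, hashlib.sha256).digest()


def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (stand-in for AES-CTR).
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under one segment key: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unprotect(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; wrong segment key -> ValueError."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 16 + 32:
        raise ValueError("truncated message")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong segment key or tampered message")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def serve(req: Request, blob: bytes) -> bytes:
    """Application side: policy first, then decrypt under the one segment the
    requester is entitled to. A blob protected for another segment fails
    authentication even when the policy check itself passes."""
    if not is_allowed(req):
        raise PermissionError(f"{req.role} may not access {req.application}")
    return unprotect(segment_key(req.role, req.application), blob)


if __name__ == "__main__":
    record = b"MRN 1234: discharge summary"
    blob = protect(segment_key("consultant", "patient_records"), record)
    # Consultant from home on a personal tablet: allowed, because role fits.
    print(serve(Request("dr.a", "consultant", "patient_records",
                        "home-broadband", "personal-tablet", ), blob))
    # Nurse on the 'trusted' hospital LAN: denied, because role does not.
    try:
        serve(Request("rn.b", "nurse", "patient_records",
                      "hospital-lan", "managed-workstation"), blob)
    except PermissionError as e:
        print("denied:", e)
```

Running the module shows the two outcomes that the article argues for: the consultant is served from an untrusted home network because the policy is about role and application, while the nurse is refused on the hospital LAN because the network earns no trust. The same blob handed to a nurse who is entitled to lab results still fails, this time with a ValueError from the tag check, which is the crypto-segmentation limiting the blast radius of a stolen key or a compromised segment.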
Healthcare organisations need to make some changes to their security architecture, and they need to do it now. Many organisations assume the firewall is enough and that once a ‘trusted’ device is granted access to a ‘trusted’ network, security is assured. Dozens of high-profile breaches across several industries have proven that theory wrong: once past the firewall, attackers can move laterally to the most sensitive applications. Acting now is vital to prevent breaches.
Application and network segmentation are not optional in modern, data-driven organisations. Taking these steps protects your applications and your data, and critically your patient data, and now is the right time to do it. So what are you waiting for?