Twenty-five offices and clinics at different locations. Thirteen thousand employees. Thirty thousand endpoints. All connecting to the network at any given time. That’s the lay of the land at central Florida’s largest medical center – and it’s really not an unusual scenario in this era of rapid expansion, acquisition and consolidation in the healthcare world.
What I learned from the CISO, who oversees this large multi-site environment, is that his biggest challenge is identifying, classifying and managing connected devices of all types – from smartphones to personal and corporate-issued PCs, to environmental systems (HVAC) and life-saving medical equipment. In addition to strengthening the organization’s overall strong security posture and protecting medical devices, he was also concerned about maintaining compliance with HIPAA and other complex healthcare regulations. He and his team needed a way to make sure that networked devices met baseline network access requirements to safeguard electronic patient health information (ePHI) and other sensitive data.
When it comes to healthcare security compliance, setting up policies really eases the burden. Once you’ve identified devices on your network, you need to create policies to monitor and maintain compliance for HIPAA, HITRUST, HITECH and other mandates, and that’s exactly what Forescout CounterACT® does. It provided the medical center with real-time, continuous compliance monitoring that begins the moment a device connects to the network.
With a lean six-person IT staff, the CISO appreciated the efficiencies of this more streamlined, less labor-intensive way of staying compliant. A great example of this is managing port security, which is at the core of the HIPAA network access control rule. In this sprawling, geographically distributed environment, it would take two full-time employees to oversee port closing and opening. Forescout CounterACT fully automated this process in real time based on policies. The CISO noted with confidence that “CounterACT is helping us achieve 100 percent compliance.”
The CISO is looking to take automated compliance to the next level through integration with their next-generation firewall through Forescout Extended Modules. The idea is to feed HIPAA compliance data on connected devices gathered by CounterACT back to the firewall. That way, if a device is noncompliant, the firewall can create a rule that restricts network access until the device is remediated.
Network segmentation was also high on the medical center’s list of priorities. In my presentation at HIMSS18 “The Good, the Bad and the Downright Dangerous,” I talked about why network segmentation is a good way to address the issue of fragmentation and visibility in a consolidated or geographically dispersed environment. Designing a network specifically and exclusively for medical devices vastly improves visibility and allows healthcare organizations to address the specific security needs of IoT devices, which are very different than those of corporate assets like workstations, printers, servers and Internet access. Network segmentation can prevent a rogue device from disrupting patient care services or opening the door to a breach. To be truly effective, network segmentation needs to undergo continuous monitoring, classification and assessment of each device on the network, including its role, owner, location and compliance posture.
Again, thanks to Forescout CounterACT, the medical center was able to successfully implement network segmentation, after discovering 4,500 previously unknown devices while gaining real-time visibility and policy-based segmentation of networked devices. We helped them carry out their ambitious plan, which involved setting up separate VLAN segments for medical devices, environmental systems, nurses stations, corporate offices and even a guest network just for visitors and patients. Using the agentless Forescout CounterACT platform, the medical center can now continuously discover, profile and monitor devices on the network. CounterACT then dynamically assigns devices to the appropriate segments according to changes in their behavior, security posture or network modifications. With the Forescout platform in place, unknown, compromised or rogue devices can be limited to certain network segments where they can’t spread malware or exfiltrate patient data. Best of all, there’s no manual intervention required, which is a big plus for the IT staff.
Interested in learning more? Read the case study for more details: “Florida Medical Center Counts on Forescout to Secure Networks, Establish Accurate Device Inventory and Automate Regulatory Compliance.”
If you were unable to attend HIMSS18, click here to watch my presentation: “The Good, the Bad and the Downright Dangerous.”