Welcome!

SDN Journal Authors: Jim Hansen, Greg Schulz, Liz McMillan, Scott Davis, Carl J. Levine

Related Topics: @CloudExpo, Cloud Security, SDN Journal

@CloudExpo: Blog Post

Enabling Trust for Healthcare IT Security | @CloudExpo #API #Cloud #Security

Why TCP/IP works for connectivity but is problematic for keeping health networks safe?

Enabling patient-doctor trust goes a long way in a provider's ability to provide care. Trust is also critical for enabling network connections that are safe, to help secure health networks.

The healthcare industry is scrambling to shore up defenses as cyberattacks and breaches increase. The rapid adoption of electronic health records/electronic medical records (EHR/EMR) has created an attractive opportunity for cyber criminals. Ponemon Research recently reported that breach costs are $363 for each stolen healthcare record, and that is the highest across all vertical markets.

Health organizations are tasked with the difficult job of protecting both the core HIS network and departmental systems. This is particularly true in multidisciplinary practices which are comprised of clinics and multi-location healthcare facilities. Typically, cyber security in healthcare built walls around the perimeter to keep the bad guys out, with critical connections enabled by TCP/IP.

TCP/IP connectivity starts with a DNS look-up so that Endpoint A can determine Endpoint B's IP address to establish a connection. Endpoint B must respond to the connection request to establish a TCP connection, despite knowing nothing about the requestor Endpoint A. Only then can Endpoint B seek more information from Endpoint A to try to establish its identity, authorization and trust.

This basic architecture has fueled scalable TCP/IP networking in healthcare. The problem is, it requires:

  • Servers with protected health information (PHI) to be heavily advertised (DNS),
  • Continual connectivity of the health network,
  • Servers to expose themselves to unknown users and devices by responding to TCP requests.

This is the perfect formula for any health organization that wants to be susceptible to network-based attacks, and to be fooled by anyone who has stolen credentials from an authorized user.

Server enforced authorization leave servers vulnerable
To defend themselves, health organizations have tried to limit authorization, usually by mapping users into Active Directory Groups that define the applications they are allowed access. The problems, from the standpoint of protection against network-based attacks, are:

  • Stolen credentials can still fool the system if based simply on username/password.
  • Servers must engage with the prospective user - establish a TCP connection and then probably a TLS connection - before enough information can be obtained to determine whether the user is authorized or not.

A lot of bad things can happen in that time frame, including SQL injection, OS or server vulnerability exploitation, connection hijacking.

In less complex times, most applications were run from within the health network and accessed by users who were either local or backhauled over the corporate WAN to access the applications. Today, many apps have moved to SaaS or to Cloud Service Providers. Health IT is challenged with protecting networks and patient data, while providing secure connectivity for those authorized to access this private information.

Software Defined Perimeters (SDP): secure, simple
The technology called Software Defined Perimeters (SDP) has been created to address the issues cited above, and is gaining traction in healthcare. SDP does not attempt to regulate traffic at the network level. It operates at the TCP level, which means it can be deployed anywhere and is transparent to network-level issues such as addressing, ownership, and changing topologies. Since data can't be accessed unless a TCP connection is established, SDP enables a medical system to completely control who gets to connect to what over their entire extended health network. It can allow only trusted connections.

In SDP, applications, services, and servers are isolated from users, creating a zero-trust network, by an SDP Gateway, which is a dynamically configured TCP Gateway. The Gateway rejects all traffic sent to protected servers unless users and endpoints are "pre-approved" as trusted by a third-party arbitrator, performed by the SDP Controller. Endpoints desiring connectivity to a destination protected by an SDP Gateway don't bother to send a connection request to that destination. Instead they "apply" for connectivity to the SDP Controller, which determines if they are trusted or not.

Trust verification involves device authentication, user authentication, and context-based information that will continue to expand over time - including location, BYOD vs. managed device, software posture, and software integrity. The goal is to evaluate overall trust as much as possible before allowing connectivity. If satisfied, the SDP Gateway dynamically configures the TCP Gateways to allow connectivity. The systems isolated and protected by the SDP gateways in this zero-trust scenario are then never exposed to:

  • Attackers who have stolen credentials
  • Unauthorized systems that may intend to exploit server or application vulnerabilities
  • Successful spear phishers trying to move laterally in a persistent search for access to sensitive data
  • Bad guys who, failing everything else, just want to deny service to others via bandwidth or resource starvation attacks

SDP Controllers and Gateways are software entities and can be deployed with no topological restriction. As a result, SDP provides a powerful tool for health organizations to completely control access based on trust, no matter where the application is (internal or cloud), who the user is (employee or non-employee), or what the device is (managed or BYOD).

More Stories By Mark Hoover

Mark Hoover is CEO of Vidder Security. He has been involved in the technology and market development of security and networking technologies over a period of almost 30 years, including Firewalls, VPNs, IP routing, ATM, Gigabit Ethernet Switching, and load balancers.

Most recently, he has been a Venture Partner at Woodside Fund for two years. Prior to that he was the president of Acuitive, a strategic marketing consulting firm that helped define product and market strategies for start-ups, including Brocade, Alteon Websystems, Netscreen, Maverick Semiconductor, Redline Networks, and many others. He started his career at AT&T Bell Labs and moved to SynOptics/Bay Networks before founding Acuitive.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@CloudExpo Stories
SYS-CON Events announced today that Interoute, owner-operator of one of Europe's largest networks and a global cloud services platform, has been named “Bronze Sponsor” of SYS-CON's 20th Cloud Expo, which will take place on June 6-8, 2017 at the Javits Center in New York, New York. Interoute is the owner-operator of one of Europe's largest networks and a global cloud services platform which encompasses 12 data centers, 14 virtual data centers and 31 colocation centers, with connections to 195 add...
Historically, some banking activities such as trading have been relying heavily on analytics and cutting edge algorithmic tools. The coming of age of powerful data analytics solutions combined with the development of intelligent algorithms have created new opportunities for financial institutions. In his session at 20th Cloud Expo, Sebastien Meunier, Head of Digital for North America at Chappuis Halder & Co., will discuss how these tools can be leveraged to develop a lasting competitive advanta...
TechTarget storage websites are the best online information resource for news, tips and expert advice for the storage, backup and disaster recovery markets. By creating abundant, high-quality editorial content across more than 140 highly targeted technology-specific websites, TechTarget attracts and nurtures communities of technology buyers researching their companies' information technology needs. By understanding these buyers' content consumption behaviors, TechTarget creates the purchase inte...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm.
My team embarked on building a data lake for our sales and marketing data to better understand customer journeys. This required building a hybrid data pipeline to connect our cloud CRM with the new Hadoop Data Lake. One challenge is that IT was not in a position to provide support until we proved value and marketing did not have the experience, so we embarked on the journey ourselves within the product marketing team for our line of business within Progress. In his session at @BigDataExpo, Sum...
Your homes and cars can be automated and self-serviced. Why can't your storage? From simply asking questions to analyze and troubleshoot your infrastructure, to provisioning storage with snapshots, recovery and replication, your wildest sci-fi dream has come true. In his session at @DevOpsSummit at 20th Cloud Expo, Dan Florea, Director of Product Management at Tintri, will provide a ChatOps demo where you can talk to your storage and manage it from anywhere, through Slack and similar services ...
SYS-CON Events announced today that SoftLayer, an IBM Company, has been named “Gold Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. SoftLayer, an IBM Company, provides cloud infrastructure as a service from a growing number of data centers and network points of presence around the world. SoftLayer’s customers range from Web startups to global enterprises.
SYS-CON Events announced today that Ocean9will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Ocean9 provides cloud services for Backup, Disaster Recovery (DRaaS) and instant Innovation, and redefines enterprise infrastructure with its cloud native subscription offerings for mission critical SAP workloads.
Have you ever noticed how some IT people seem to lead successful, rewarding, and satisfying lives and careers, while others struggle? IT author and speaker Don Crawley uncovered the five principles that successful IT people use to build satisfying lives and careers and he shares them in this fast-paced, thought-provoking webinar. You'll learn the importance of striking a balance with technical skills and people skills, challenge your pre-existing ideas about IT customer service, and gain new in...
SYS-CON Events announced today that Juniper Networks (NYSE: JNPR), an industry leader in automated, scalable and secure networks, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Juniper Networks challenges the status quo with products, solutions and services that transform the economics of networking. The company co-innovates with customers and partners to deliver automated, scalable and secure network...
Interoute has announced the integration of its Global Cloud Infrastructure platform with Rancher Labs’ container management platform, Rancher. This approach enables enterprises to accelerate their digital transformation and infrastructure investments. Matthew Finnie, Interoute CTO commented “Enterprises developing and building apps in the cloud and those on a path to Digital Transformation need Digital ICT Infrastructure that allows them to build, test and deploy faster than ever before. The int...
VeriStor Systems has announced that CRN has named VeriStor to its 2017 Managed Service Provider (MSP) 500 list in the Elite 150 category. This annual list recognizes North American solution providers with cutting-edge approaches to delivering managed services. Their offerings help companies navigate the complex and ever-changing landscape of IT, improve operational efficiencies, and maximize their return on IT investments. In today’s fast-paced business environments, MSPs play an important role...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm. In his Day 3 Keynote at 20th Cloud Expo, Chris Brown, a Solutions Marketing Manager at Nutanix, will explore t...
What if you could build a web application that could support true web-scale traffic without having to ever provision or manage a single server? Sounds magical, and it is! In his session at 20th Cloud Expo, Chris Munns, Senior Developer Advocate for Serverless Applications at Amazon Web Services, will show how to build a serverless website that scales automatically using services like AWS Lambda, Amazon API Gateway, and Amazon S3. We will review several frameworks that can help you build serverle...
SYS-CON Events announced today that Linux Academy, the foremost online Linux and cloud training platform and community, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Linux Academy was founded on the belief that providing high-quality, in-depth training should be available at an affordable price. Industry leaders in quality training, provided services, and student certification passes, its goal is to c...
SYS-CON Events announced today that Telecom Reseller has been named “Media Sponsor” of SYS-CON's 20th International Cloud Expo, which will take place on June 6–8, 2017, at the Javits Center in New York City, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
FinTech is the sum of financial and technology, and it’s one of the fastest growing tech industries. Total global investments in FinTech almost reached $50 billion last year, but there is still a great deal of confusion over what it is and what it means – especially as it applies to retirement. Building financial startups is not simple, but with the right team, technology and an innovative approach it can be an extremely interesting domain to disrupt. FinTech heralds a financial revolution that...
Keeping pace with advancements in software delivery processes and tooling is taxing even for the most proficient organizations. Point tools, platforms, open source and the increasing adoption of private and public cloud services requires strong engineering rigor - all in the face of developer demands to use the tools of choice. As Agile has settled in as a mainstream practice, now DevOps has emerged as the next wave to improve software delivery speed and output. To make DevOps work, organization...
SYS-CON Events announced today that Loom Systems will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 2015, Loom Systems delivers an advanced AI solution to predict and prevent problems in the digital business. Loom stands alone in the industry as an AI analysis platform requiring no prior math knowledge from operators, leveraging the existing staff to succeed in the digital era. With offices in S...
SYS-CON Events announced today that T-Mobile will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. As America's Un-carrier, T-Mobile US, Inc., is redefining the way consumers and businesses buy wireless services through leading product and service innovation. The Company's advanced nationwide 4G LTE network delivers outstanding wireless experiences to 67.4 million customers who are unwilling to compromise on ...