Welcome!

SDN Journal Authors: Elizabeth White, Pat Romanski, TJ Randall, Yeshim Deniz, Liz McMillan

Related Topics: @CloudExpo, Cloud Security, SDN Journal

@CloudExpo: Blog Post

Enabling Trust for Healthcare IT Security | @CloudExpo #API #Cloud #Security

Why TCP/IP works for connectivity but is problematic for keeping health networks safe?

Enabling patient-doctor trust goes a long way in a provider's ability to provide care. Trust is also critical for enabling network connections that are safe, to help secure health networks.

The healthcare industry is scrambling to shore up defenses as cyberattacks and breaches increase. The rapid adoption of electronic health records/electronic medical records (EHR/EMR) has created an attractive opportunity for cyber criminals. Ponemon Research recently reported that breach costs are $363 for each stolen healthcare record, and that is the highest across all vertical markets.

Health organizations are tasked with the difficult job of protecting both the core HIS network and departmental systems. This is particularly true in multidisciplinary practices which are comprised of clinics and multi-location healthcare facilities. Typically, cyber security in healthcare built walls around the perimeter to keep the bad guys out, with critical connections enabled by TCP/IP.

TCP/IP connectivity starts with a DNS look-up so that Endpoint A can determine Endpoint B's IP address to establish a connection. Endpoint B must respond to the connection request to establish a TCP connection, despite knowing nothing about the requestor Endpoint A. Only then can Endpoint B seek more information from Endpoint A to try to establish its identity, authorization and trust.

This basic architecture has fueled scalable TCP/IP networking in healthcare. The problem is, it requires:

  • Servers with protected health information (PHI) to be heavily advertised (DNS),
  • Continual connectivity of the health network,
  • Servers to expose themselves to unknown users and devices by responding to TCP requests.

This is the perfect formula for any health organization that wants to be susceptible to network-based attacks, and to be fooled by anyone who has stolen credentials from an authorized user.

Server enforced authorization leave servers vulnerable
To defend themselves, health organizations have tried to limit authorization, usually by mapping users into Active Directory Groups that define the applications they are allowed access. The problems, from the standpoint of protection against network-based attacks, are:

  • Stolen credentials can still fool the system if based simply on username/password.
  • Servers must engage with the prospective user - establish a TCP connection and then probably a TLS connection - before enough information can be obtained to determine whether the user is authorized or not.

A lot of bad things can happen in that time frame, including SQL injection, OS or server vulnerability exploitation, connection hijacking.

In less complex times, most applications were run from within the health network and accessed by users who were either local or backhauled over the corporate WAN to access the applications. Today, many apps have moved to SaaS or to Cloud Service Providers. Health IT is challenged with protecting networks and patient data, while providing secure connectivity for those authorized to access this private information.

Software Defined Perimeters (SDP): secure, simple
The technology called Software Defined Perimeters (SDP) has been created to address the issues cited above, and is gaining traction in healthcare. SDP does not attempt to regulate traffic at the network level. It operates at the TCP level, which means it can be deployed anywhere and is transparent to network-level issues such as addressing, ownership, and changing topologies. Since data can't be accessed unless a TCP connection is established, SDP enables a medical system to completely control who gets to connect to what over their entire extended health network. It can allow only trusted connections.

In SDP, applications, services, and servers are isolated from users, creating a zero-trust network, by an SDP Gateway, which is a dynamically configured TCP Gateway. The Gateway rejects all traffic sent to protected servers unless users and endpoints are "pre-approved" as trusted by a third-party arbitrator, performed by the SDP Controller. Endpoints desiring connectivity to a destination protected by an SDP Gateway don't bother to send a connection request to that destination. Instead they "apply" for connectivity to the SDP Controller, which determines if they are trusted or not.

Trust verification involves device authentication, user authentication, and context-based information that will continue to expand over time - including location, BYOD vs. managed device, software posture, and software integrity. The goal is to evaluate overall trust as much as possible before allowing connectivity. If satisfied, the SDP Gateway dynamically configures the TCP Gateways to allow connectivity. The systems isolated and protected by the SDP gateways in this zero-trust scenario are then never exposed to:

  • Attackers who have stolen credentials
  • Unauthorized systems that may intend to exploit server or application vulnerabilities
  • Successful spear phishers trying to move laterally in a persistent search for access to sensitive data
  • Bad guys who, failing everything else, just want to deny service to others via bandwidth or resource starvation attacks

SDP Controllers and Gateways are software entities and can be deployed with no topological restriction. As a result, SDP provides a powerful tool for health organizations to completely control access based on trust, no matter where the application is (internal or cloud), who the user is (employee or non-employee), or what the device is (managed or BYOD).

More Stories By Mark Hoover

Mark Hoover is CEO of Vidder Security. He has been involved in the technology and market development of security and networking technologies over a period of almost 30 years, including Firewalls, VPNs, IP routing, ATM, Gigabit Ethernet Switching, and load balancers.

Most recently, he has been a Venture Partner at Woodside Fund for two years. Prior to that he was the president of Acuitive, a strategic marketing consulting firm that helped define product and market strategies for start-ups, including Brocade, Alteon Websystems, Netscreen, Maverick Semiconductor, Redline Networks, and many others. He started his career at AT&T Bell Labs and moved to SynOptics/Bay Networks before founding Acuitive.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


CloudEXPO Stories
In his general session at 21st Cloud Expo, Greg Dumas, Calligo’s Vice President and G.M. of US operations, discussed the new Global Data Protection Regulation and how Calligo can help business stay compliant in digitally globalized world. Greg Dumas is Calligo's Vice President and G.M. of US operations. Calligo is an established service provider that provides an innovative platform for trusted cloud solutions. Calligo’s customers are typically most concerned about GDPR compliance, application performance guarantees & data privacy.
Your homes and cars can be automated and self-serviced. Why can't your storage? From simply asking questions to analyze and troubleshoot your infrastructure, to provisioning storage with snapshots, recovery and replication, your wildest sci-fi dream has come true. In his session at @DevOpsSummit at 20th Cloud Expo, Dan Florea, Director of Product Management at Tintri, provided a ChatOps demo where you can talk to your storage and manage it from anywhere, through Slack and similar services with Tintri's web services architecture and APIs. Impress your DevOps team with smart and autonomous infrastructure.
In today's enterprise, digital transformation represents organizational change even more so than technology change, as customer preferences and behavior drive end-to-end transformation across lines of business as well as IT. To capitalize on the ubiquitous disruption driving this transformation, companies must be able to innovate at an increasingly rapid pace.
In his session at 21st Cloud Expo, James Henry, Co-CEO/CTO of Calgary Scientific Inc., introduced you to the challenges, solutions and benefits of training AI systems to solve visual problems with an emphasis on improving AIs with continuous training in the field. He explored applications in several industries and discussed technologies that allow the deployment of advanced visualization solutions to the cloud.
In his keynote at 19th Cloud Expo, Sheng Liang, co-founder and CEO of Rancher Labs, discussed the technological advances and new business opportunities created by the rapid adoption of containers. With the success of Amazon Web Services (AWS) and various open source technologies used to build private clouds, cloud computing has become an essential component of IT strategy. However, users continue to face challenges in implementing clouds, as older technologies evolve and newer ones like Docker containers gain prominence. He explored these challenges and how to address them, while considering how containers will influence the direction of cloud computing.