How Ascension Health is Battling Advanced Threats
Evolving Attacks Call for Next-Gen Solutions
Healthcare organizations are increasingly targets for sophisticated data breaches. How can they improve their defenses? Paul Smith of Ascension Health and Mark Hanson of Fortinet offer tips.
Smith, network manager for information services at Ascension Health, says mobility and the rise of sophisticated breaches - such as the one that recently struck Community Health Systems - are testing healthcare organizations' existing defenses.
"It's a multi-front war, so to speak," Smith says. "All the advanced persistent threats we're challenged with right now put an enormous strain on both the hardware infrastructure as well as the technologists to try to keep ahead of [the risks]."
In response, Ascension has deployed new data center and perimeter security systems that both harden the defenses and give the organization flexibility to meet evolving needs.
"Instead of reacting to the business in terms of what it needed for security adaptability, we've had to get ahead of that game so we don't find ourselves in that catch-up mode," Smith says.
Hanson, a director of strategic accounts at Fortinet, says Ascension's experience matches what he sees at other clients, where new security solutions allow the IT security organization to focus more on facilitating business.
"Highly-available, high-speed, low latency security now assures network operations that any slowdown does not have to do with the firewall," Hanson says.
In an interview about defending healthcare organizations from breaches, Smith and Hanson discuss:
- The latest healthcare breach trends;
- Effective new security solutions;
- How to maximize business benefits of emerging technology.
Hanson is Fortinet's U.S. Director - Healthcare, where he is responsible for Fortinet's Healthcare focus on defining, architecting and delivering the secure networks the healthcare industry needs today. He has held prominent roles at security companies such as Breach Security, GuardianEdge Technologies, Symantec and Cisco Systems.
Smith manages networking for Ascension Health, the largest Catholic healthcare provider in the Midwest. He has more than 25 years of IT infrastructure and networking leadership in the airline, higher-education and healthcare industries. Prior to joining Ascension, he held directorships at ATA Airlines, ITT, and was a practicing consultant for Wolters-Kluwer.
Healthcare Breach Trends
TOM FIELD: What are the breach trends you're seeing against healthcare entities today?
PAUL SMITH: In all the papers, we've seen the Chinese Heartbleed-centric attacks on a community hospital, and we're all very sensitive to that. In addition to that, we have our own environment that has been encouraging the growth of BYOD, mobile devices, purpose-filled carts and mobile clinical devices that require very specific security postures. Just managing those challenges has been our biggest combined concern as a healthcare organization.
Traditional Security Solutions
FIELD: How do new types of attacks, and the evolution of them, overwhelm some of the traditional security solutions?
SMITH: It's a multi-front war, so to speak. All of the advanced persistent threats that we're challenged with right now put an enormous strain both on the hardware infrastructure, as well as the technologist to try and keep ahead of it. So many organizations, through financial difficulties and/or sheer inertia, may have firewall and security infrastructure in their perimeters that simply isn't up to the task. For these APTs, we're finding that we really need real-time analysis to be able to be flexible and adaptive, and that the hardware also has [to have] the capacity to keep up with it. It's enormously overhead-intensive for this hardware. We found that the previous hardware that we were relying on simply didn't have the capacity to keep up.
Data Centers and the Perimeter
FIELD: How have you opted to defend these data centers and the perimeter?
SMITH: We've had to be very flexible. We had the luxury, if you will, sometime back to treat it as business as usual. If there were some new initiatives, we would accommodate that. A net posture has to have changed; even over the last few years, we've been much more aggressive with frequently updating our perimeter and data center security infrastructure. We've had to introduce multi-tiered bastions of security throughout, and anticipate what the next initiative will bring us.
Instead of reacting to the business in terms of what it needed for security adaptability, we've had to get ahead of that game so that we don't find ourselves in catch-up mode. Just the pace of change has required us to be prepared in advance of the next requirement of us. We really have to forecast it before it's provided to us.
FIELD: As you've deployed security solutions, what challenges have you encountered?
SMITH: Particularly the next-generation firewall approach that we've taken, and that is somewhat of a leap. For years it's been very difficult for technologists to accept that you can have multiple best-of-breed solutions in a single platform. Their concern was the capacity to keep up, can there be enough horsepower to do this, and will [we] be making compromises in each of those blades? Once we satisfied ourselves of that, we had a very thorough vetting process. That probably saved us some effort in the deployment itself. But training is going to be something that anyone will run into; not only is it a very comprehensive platform, but with the combination or aggregation of this functionality, you find yourself in a multi-disciplinary mode. The network team will find itself working more closely with the security team, in that they all have various roles to administer these platforms. So historically, they may have had a delegated responsibility, whereas now there are dozens of people working on the very same platform. The training becomes a particular need in terms of each of those groups' specific requirements.
Security and Business Benefits
FIELD: Once you get over those hurdles, what do you find to be the most significant security and business benefits?
SMITH: [Having] that feature-function benefit in the offering that we can deploy as needed has been huge for us. I'll use an example of a particular clinical device that was to be deployed with a very short timeframe. As it evolved and was almost being designed on the fly with two strategic partners, we quickly determined that we needed a much higher degree of control on that platform, to the point of establishing a VPN tunnel between that and wherever it might be.
The cart, in this particular case for telemedicine, may find itself at one of our facilities, in which we have no control over the network. We had to maintain a secure tunnel back to our principal data center and have control over the device. If we reflect back over a year ago, prior to having those abilities, there really wouldn't have been a clear solution. But in this particular case, the benefit was immediate and tremendous in that it took us very little time to establish that. It was every bit as secure and manageable as we would have hoped, and allowed us not to impede the project. We had our working solution in place well in advance of the rest of the project's deployment.
Advice to Other Entities
FIELD: Based on your experience, what advice would you offer to other healthcare entities so they can respond to the types of attacks that they're seeing?
SMITH: First, we don't have the luxury to rest on our morals any further, and that's not meant to be derogatory. We all have plenty to do, and there are so many requirements vying for attention. But with the security threats existing out there, their rapid growth and the fact that healthcare is a targeted industry, there's no time like the present to revisit whatever type of security posture you need now [and] anticipate needing a few years down the road. Make that leap, because you can find it getting out from under you very quickly if you don't make that commitment.
The second thing that I would suggest would be an expectation of a phased deployment. Because of the capability of these new devices that are available to us, you're relegated to a crawl-walk-run deployment. Set your organization's expectations for that; start as we did with firewall and content management, quickly thereafter follow up with intrusion detection and prevention, and then comprehensive deployments involving application control. That sets you up for the most success, and in addition, also lets the organization assimilate new capabilities. To do it in a fell swoop is almost too much to have one organization accept. We found that deploying over the course of six to nine months is the appropriate way to do it. It allows us to learn by doing, we become familiar with the platform, but it also allows the organization to be able to incorporate it into its culture and business practices.
Ascension's Marketplace Experience
FIELD: Mark, how would you say that Ascension's experience matches what you see in the marketplace and among your own customers?
MARK HANSON: Paul makes many salient points. His experience matches what we see in the market. It is true that managing the challenges of our nation's battle against these new types of attacks to grab data and generate profit is a difficult task for the network and security teams. As Paul discussed, capacity is required. Also, just as we aggregated VPN functions onto firewall platforms years ago, additional aggregation of security functions is required for perimeter and core reengineering today.
Since 2009, with the inception of the notification rule, breaches of unsecured protected health information have affected over 38 million records and counting; that's 10 percent of our nation's population. It can't be business as usual. The industry demand is still number one for highly available networks; number two for high speed throughput with low latency; and number three for advanced holistic and heuristic security. This enabling technology does buy time by constantly protecting against advanced attacks. The experience Paul has seen matches our deployments as clients gain improved stability and uptime in the network with lower latency, and includes the most advanced heuristic unified security. This experience has a wonderful added benefit, as it allows information services to focus on facilitating business.
Highly available, high speed, low latency security now assures network operations that any slowdown does not have to do with the firewall. It is no longer Dilbert's boss saying, "I want you to install the new firewall," and Dilbert saying, "No, why me?" The firewall gets blamed for every problem. The standard firewall's presence in signature-based IPS systems has been easily bypassed in many healthcare organizations for a long time. Individual point products are costly to maintain; as malware becomes ever more sophisticated, healthcare organizations are demanding unified solutions.
Responding to Breach Trends
FIELD: What is the overall message to the healthcare marketplace about how they should best respond to the breach trends that are evolving before them?
HANSON: The network security reengineering and segmentation that healthcare in America needs today does match our abilities to protect against zero-days, botnets, blended malware and advanced threats. Number two, evaluate the technology. We have resources [and] use cases of automated tools to help you quickly transition to the network security platforms that are right for any connection in your network. We have people, process and technology solutions available. Solutions are available for small practices and clinics, and we have the world's leading technology that has proven to scale to our nation's largest healthcare organizations.
The benefit you will receive is in the high-speed secure transfer of big data analytics, the secured enabling of BYOD, the protection of cloud-based applications, and the easing of the burden inherent in compliance. Another fascinating theory: next-generation high-speed secure networks can help deliver the consumer demand with the payer-provider shift towards changing healthcare delivery models like telemedicine.
Finally, it does not require the deepest of pockets. Simplification saves money and enables a business. For the cost of an existing IPS or web-filter renewal, you can instead have a high-speed unified holistic and heuristic solution, reduced complexity, simplified security training, and improved brand protections enterprise-wide.