NHSE publishes guidance on network segmentation for cyber security

NHS England has published guidance on network segmentation for healthcare staff members responsible for the architecture, design, implementation and maintenance of their network security, giving an overview of how network segmentation can prevent or mitigate lateral movement across a network in the event of a cyber attack.

Network segmentation is described as improving network security “by creating smaller network segments of assets grouped by a defined criteria and granting access only to traffic authorised by an approved security policy.”

Seven options for segmenting the network are shared, including implementing a perimeter sub-network between the public internet and the organisation’s internal network to add a security layer (a demilitarised zone); or setting up a virtual local area network, or VLAN – a custom network created from one or more local area networks, which enables a group of devices to be combined into one logical network. All seven options can be found in more detail here. NHSE also shares information on the technologies that can be used to implement the different network segmentation options, along with recommended focus areas.

NHSE goes on to highlight best practice for healthcare organisations. Here, the guidance recommends that an inventory should be created of all assets on the network, with the main function of each asset identified and documented. Then organisations should use a relevant methodology to classify each asset based on the sensitivity of the data it processes or stores, its criticality to the delivery of services, and business criticality and impact.

For each asset, NHSE says organisations should identify which resources it communicates with and why; determine which connections to/from medical devices are for clinical data transfers; identify how access can be enabled for remote updates to be delivered, if appropriate; determine the connection method used for communication; identify the communications protocol used in that communication; and draw up a network topology map to show how the devices within scope communicate with associated devices and services.

Then, the guidance continues, assets should be assigned and segmented into local groups based on appropriate organisation-defined criteria, such as their functionality by department or role, their device type, or whether they are part of critical network infrastructure.

On the guidance, Doron Dreyer, from health tech supplier Cynerio, a platform for modern healthcare cybersecurity, said to HTN: “This is extremely important work done by the NHS on this important topic. Cynerio is proud to have contributed to these guidelines in the area of medical device security. As we continue to work with the various NHS trusts across the country, we will continue to work with NHS England to find ways to increase cyber resilience.”

NHSE also shares ten key principles for network segmentation that organisations are encouraged to adopt in this process, including that the most critical assets should be deployed in the most secure network zones; that devices categorised as untrusted should be segmented from the corporate network; and that remote access connectivity should be restricted and controlled for medical devices requiring such connections.
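As an added illustration of the inventory-to-segmentation process and the key principles summarised above (example code written for this article, not NHSE's guidance or any NHS tooling): a small Python model that assigns a constructed asset inventory to zones by the grouping criteria, then checks a constructed topology map against the untrusted-device and medical-device remote-access principles. The zone names, the criticality scale and the `remote-access-gw` broker host are assumptions.

```python
from dataclasses import dataclass
# Constructed zone ladder, least to most secure; zone names are assumptions.
ZONES = ["untrusted", "corporate", "clinical", "critical_infra"]
APPROVED_REMOTE_BROKERS = {"remote-access-gw"}  # constructed controlled entry point

@dataclass
class Asset:
    name: str
    criticality: int          # 1 (low) to 4 (highest), organisation-defined scale
    trusted: bool = True      # False = categorised as untrusted
    medical_device: bool = False

def assign_zone(a: Asset) -> str:
    """Grouping criteria: untrusted off the corporate network, most critical
    assets in the most secure zone, medical devices in a clinical zone."""
    if not a.trusted:
        return "untrusted"
    if a.criticality >= 4:
        return "critical_infra"
    if a.medical_device:
        return "clinical"
    return "corporate"

def check_flows(assets, flows):
    """Flag topology-map flows (src, dst, protocol, purpose) that breach the principles."""
    zone = {a.name: assign_zone(a) for a in assets}
    by_name = {a.name: a for a in assets}
    findings = []
    for src, dst, proto, purpose in flows:
        # Untrusted devices must stay segmented from corporate and higher zones.
        if zone[src] == "untrusted" and ZONES.index(zone[dst]) > 0:
            findings.append(f"{src}->{dst} ({proto}): untrusted source reaching {zone[dst]}")
        # Remote access to medical devices only via the controlled broker.
        if (by_name[dst].medical_device and purpose == "remote_update"
                and src not in APPROVED_REMOTE_BROKERS):
            findings.append(f"{src}->{dst} ({proto}): remote update not via controlled access")
    return findings

# Constructed sample inventory and observed flows; not real NHS assets.
INVENTORY = [
    Asset("pacs-server", 4),
    Asset("infusion-pump-07", 3, medical_device=True),
    Asset("remote-access-gw", 3),
    Asset("visitor-tablet", 1, trusted=False),
    Asset("vendor-laptop", 1, trusted=False),
]
FLOWS = [
    ("remote-access-gw", "infusion-pump-07", "HTTPS", "remote_update"),
    ("visitor-tablet", "pacs-server", "SMB", "unknown"),
    ("vendor-laptop", "infusion-pump-07", "SSH", "remote_update"),
]
```

Running `check_flows(INVENTORY, FLOWS)` returns three findings: the guest tablet reaching the critical zone, and the supplier laptop both crossing from the untrusted zone and performing a remote update outside the controlled broker.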

Additionally, the guidance includes risks and challenges around segmenting the network, such as poor planning, incomplete asset inventory and poor IP address management, with more detail provided here.

HTN previously covered guidance from the National Cyber Security Centre on how cloud services can be used securely.

We also shared updates to the ‘Keep IT Confidential’ online cyber security awareness toolkit, including two sets of resources for staff working in clinical settings and staff working within the adult social care sector.