Last month HTN covered NHS England’s guidance on network segmentation for cyber security, sharing how segmentation can prevent or mitigate lateral movement across a network in the event of a cyber attack, offering practical tips and advice on the technologies that can be used, recommended focus areas, and more.
We recently sat down with Cynerio’s global head of customer success, Peter Kelly, to hear his thoughts on network segmentation, how Cynerio can support organisations in this space, and what success looks like in his view.
Hi Peter! Can you tell us a bit more about network segmentation and how Cynerio supported NHS England with the development of the guidance?
“I live segmentation every day – it’s the compensating control that organisations can use to secure their environment. At a previous organisation, we used to refer to it as a submarine; there are all these different compartments, and if you get a breach in one of the compartments, it can take down the entire sub,” Peter explained.
He stressed the need to “start thinking about cyber security differently”, stating: “It’s not if you get breached, it’s when you get breached. Segmenting the network and limiting the amount of space that an intruder can actually traverse is your best defence.”
There are three things you can do to mitigate a cyber security risk, Peter continued: you can repair it, segment it, or replace it. “Replacement obviously requires procuring new products, and even if you do procure and replace, you might still need to segment, and that procurement process might take a long time.”
Peter noted that, over the past six to eight months, he has seen hospitals around the world start to take on the segmentation approach, including here in the UK.
Cynerio’s sandbox
Peter described how Cynerio has built a tool that enables organisations to build a policy for segmentation. “It sets out who can talk to who – I call it a policy sandbox. You can build the policy in our solution and you can test it within the solution without affecting production.
“My background is IT operations, and I remember when there was no automation of firewalls and there’s so much to think about; I’ve been witness to many firewall changes where all of a sudden the helpdesk phone starts ringing off the hook, or users lose their connectivity. That happens because the policy had a flaw in it, but having this sandbox means organisations can try out their policy before this happens.”
Cynerio gets a copy of the network traffic, Peter explained, and can therefore help by validating it. “We can identify if there are violations in the policy, and whether those violations are by design; for example, is an MRI machine talking to the finance server when it shouldn’t be? You can go in and modify the policy, and then test again.”
Peter noted that there are different levels of network that can be segmented, from national to group level or beyond. “With segmentation, you can only go where you need to go. It comes back to the notion that people within the cyber security world often talk about, around zero trust.”
For ICSs, Peter continued, segmentation allows organisations to “reduce the attack surface”. In the event that a bad actor gets into a network, they can then only access one ‘room’ of that network, rather than jump from room to room. “That’s how attacks work – they find one vulnerable server, and from there they start jumping around.”
Recent challenges and learnings in this space
“The biggest challenge that every organisation has when it comes to cyber security, worldwide, is that there are not enough resources,” said Peter. “I can think of an example where the hospital didn’t have enough technicians so they relied on a vendor for patch upgrades. It had 750 patient monitors that needed to be upgraded, so that’s a case of getting the vendor on site, finding out when they can take each monitor down, doing the upgrade, and then bringing it back up. It becomes a long chain of necessary actions requiring project management in its own right because it requires so much coordination.”
He reflected that a successful alternative he has observed in the United States involves the US’s joint commissions programme. “It’s an accreditation for the hospital, and part of that accreditation is demonstrating to the auditor that you have a preventative maintenance programme for your equipment,” Peter explained. “You need to show that you’re doing your patching and upgrades on all these pieces of tech. They’re trying to get to a point where equipment gets visited once and all the work required happens during that one visit, including cyber security.”
This has been the biggest thing that Peter has seen “move the needle” in this space, he said.
“There’s a lot of information about all of this,” Peter acknowledged. “At Cynerio we’ve spent a lot of time trying to focus that information down to what you need to do with your equipment. Our software can identify which pieces of equipment require patching – you might have 6,000 assets but only 1,000 can be patched.”
He also commented on the challenge of culture. “Even if an organisation has the resources to handle cyber security, raising awareness can be a challenge. We need it to become part of the day-to-day work that everybody does, and we need to collaborate – from my experience, successful organisations have strong collaboration between cyber security, IT including infrastructure and networking, estates and facilities, and medical engineering.”
Finally, looking to the future, Peter said that a maturity framework to benchmark hospitals in England in this space would be helpful. “We’re going to be launching our own Cynerio premiere league,” he said, “so we’ll be sharing more information on that soon.”