Can Your NAC Solution Protect Operational Healthcare Technology?
Despite increased awareness of the need to secure electronic health records, cybercriminals are still finding a way to access sensitive patient records.
Look no further than a breach of several U.S. healthcare institutions in May, when hackers stole at least 600,000 patient records and then tried to sell more than three terabytes worth of that confidential patient data on the Dark Web.
The security firm InfoArmor discovered the breach and told the National Healthcare and Public Health Information Sharing and Analysis Center that these kinds of cyberattacks aren’t limited to hospitals. Private clinics and the vendors and suppliers of medical equipment are also at risk because they share the same digital information with hospitals and healthcare organizations. In other words, the entire healthcare industry needs to be wary of cybercrime and to take precautions.
Healthcare Needs to Better Control Devices
A hacker needs to access only one system to gain access to personally identifiable information (PII) and other medical data. Because just about every system in healthcare connects to another system, and a host of devices access all of those systems, healthcare data is available to many parties. Add to that long list of exposures the smartphones and tablets of patients and doctors who access WiFi networks at hospitals, and it’s no wonder that healthcare data is not sufficiently protected.
And it’s not just computers and smartphones that put data at risk. Connected medical devices were involved in the attacks that InfoArmor discovered. Attackers were able to gain access to devices and then “backdoor” them. They extracted data from network segments that have connections with compromised medical devices and other networks where health care institutions stored the received patient data and other PII. In some of the healthcare facilities that were hacked, patient data was stored in Microsoft Access desktop databases, without any special user access segregation in place.
In January 2016, the U.S. Food and Drug Administration released cybersecurity recommendations for medical device manufacturers. The recommendations include the call for manufacturers to implement a structured and systemic cybersecurity risk management program and to respond in a timely fashion to identified vulnerabilities. It’s good advice, and should be followed by the entire healthcare industry.
Solid NAC Shines a Bright Light on Devices
Hospitals, doctors’ offices and clinics need a centrally located solution that provides real-time network visibility and easy management of the wide variety of corporate-issued, personal and medical devices that access their networks. They can’t afford to have unknown devices gaining access to PII.
With devices constantly changing, it’s difficult for a traditional 802.1X-based NAC solution to make heads or tails of the complex network environment. Health care providers need a single solution that can provide 100% accurate visibility of their networks.
Portnox’s Network Access Control solution shines a light on each and every device that knocks on the network door. Going a step further, Portnox NAC has a unique device signature and fingerprint capability that lets healthcare organizations easily on-board, authenticate and validate networked medical devices. It scans and creates unique actionable signatures for even the most scan-sensitive medical devices. It assures full visibility and easy-to-manage compliant access controls for the many corporate-issued and personal devices reaching out to the network. Healthcare organizations such as Southwestern Vermont Health Care are already enjoying the protection that Portnox NAC offers.
If doctors disabled the wireless capabilities of the pacemaker of former U.S. Vice President Dick Cheney to prevent possible assassination attempts, then it’s clear that any and all devices can pose a threat to health care organizations. A NAC solution such as Portnox can let hospitals and clinics focus on healthcare by helping them easily manage and control network access in a complex network environment that won’t change anytime soon.