A Guide to Understanding and Implementing Network Access Control in Healthcare Networks

October 10, 2007 BN-104-02-10001-02

Healthcare networks today face numerous network security challenges. The growth in remote access VPN and wireless network access in healthcare networks has been dramatic—healthcare is the leading industry in terms of telecommuting usage, and is also leading in the adoption of wireless applications and technologies. Implementation of Computer-based Patient Record (CPR) applications is driving the need to increase access to the patient data housed in these systems.

With the increased access requirements come challenges for IT management in securing access to the healthcare network. Determining who is accessing the network and from what devices is difficult. Assessing the health of the user’s device, and controlling what network resources they are allowed to gain access to, are significant problems. High profile security threats such as the Blaster worm exposed the reality that internal networks are only as strong as their weakest link, which is oftentimes a nomadic computing device that connects to numerous networks. The healthcare IT environment is further complicated by the fact that many organizations intermix IT devices and networked medical devices on the same LAN. Preventing network security problems from impacting patient care is a critical priority.

Network Access Control, a new network security technology, offers immediate solutions to many of the problems that hospitals and medical facilities are experiencing. Network Access Control (NAC) products supplement the capabilities afforded by traditional perimeter security devices such as firewalls. NAC solutions do this by determining user identity, ensuring endpoint compliance in device security posture, and by controlling access to specific network resources based upon the user’s role.

Bradford Networks NAC Director is a comprehensive Network Access Control solution that is well suited to addressing the requirements of healthcare organizations. NAC Director provides a complete feature set for healthcare organizations, providing unique capabilities such as access point management, which enables device authentication for medical devices, and out-of-band edge enforcement, which analysts recommend as the most secure, flexible, scalable, and cost-effective method for offering Network Access Control.

Whitepaper

Jim Hietala, CISSP, GSEC, GCFW, Compliance Marketing Group


CONTENTS

INTRODUCTION ... 1

INDUSTRY TRENDS IMPACTING SECURITY OF ELECTRONIC MEDICAL RECORDS & PROTECTED HEALTH INFORMATION ... 1

HEALTHCARE NEEDS MORE SECURE NETWORKS ... 3

INTRODUCING NETWORK ACCESS CONTROL ... 3

NAC DEPLOYMENT MODELS ... 4

WHAT PROBLEMS DOES NAC SOLVE FOR HEALTHCARE ORGANIZATIONS? ... 6

BRADFORD NAC DIRECTOR SOLUTION OVERVIEW ... 7

NAC DIRECTOR BENEFITS TO HEALTHCARE ORGANIZATIONS ... 9

ABOUT BRADFORD NETWORKS ... 9

October 10, 2007 BN-104-02-10001-02

Page 3: A Guide to Understanding and Implementing Network Access ... · A relatively new approach to addressing network access and security issues, Network Access Control (NAC) provides solutions

A Guide to Understanding and Implementing Network Access Control in Healthcare Networks

INTRODUCTION

Today’s healthcare practitioners continue evolving knowledge and best practices in treating life-threatening illnesses with medical breakthroughs and innovative pharmacological remedies. These healthcare advances require the parallel integration of new types of information technology (IT) to realize their full potential.

New types of Computer-based Patient Record (CPR) applications, along with advances such as closed-loop medication management, will play a large role in determining the success of these new practices and treatments.

Key to implementing these new electronic systems is the ability to provide open access, while managing and enforcing security on healthcare networks. The key to protecting access to CPR systems, and the Electronic Patient Healthcare Information (EPHI) that is stored on them, is securing endpoint devices, including PCs and IT systems, mobile multifunctional wireless healthcare terminals, laboratory analytical instruments, bedside treatment devices and laptop systems.

To adequately secure healthcare electronic systems requires the means to:

• Enforce security policies for users and devices

• Identify and restrict users and devices that violate policies

• Manage identities and control users on specific devices

• Inspect device health, and quarantine and remediate devices with security issues

INDUSTRY TRENDS IMPACTING SECURITY OF ELECTRONIC MEDICAL RECORDS, AND ELECTRONIC PROTECTED HEALTH INFORMATION

Electronic healthcare applications and medical devices are following established IT industry trends by evolving from legacy specialized, proprietary and monolithic systems to systems that are open, standards-based, and distributed. A 2005 Rand Corp. study found the U.S. healthcare industry could improve treatment and lower costs through increasing the adoption of advanced IT methods and technologies, saving up to $81 billion in the annual $1.7 trillion U.S. healthcare budget [1]. Policy-makers have taken note of the potential savings and are seeking wider use of automation for greater healthcare efficiencies and faster service delivery.

Widespread adoption of Virtual Private Networks in the healthcare industry is enabling remote access and telecommuting. The mobility needs of healthcare users and providers, requiring 24-hour access to critical information and systems, are driving change. The always-on healthcare universe includes scattered communities of doctors, specialists, PAs, nurses, EMTs, labs, pharmacies, administrators, consultants and contractors providing outsourced services. Information industry analysts International Data Corp. report that telecommuting is more widely used in healthcare than in any other industry [2]. Telecommuting connects the remote healthcare user community of EMTs, remote diagnosticians and pharmacies to large hospitals and clinics.


Figure 1 - The Growing Universe of Wireless Devices in Healthcare Organizations

Wireless is another information technology widely used in healthcare. Wireless devices in hospitals and clinics have become ubiquitous, with more than 80% of healthcare providers in a recent survey reporting the use of mobile wireless devices. Wireless has increased the efficiency and effectiveness of mobile caregivers and providers by delivering quick access to critical and sensitive healthcare information [3]. This widespread usage of wireless devices accessing clinical and administrative systems has resulted in an explosion of unidentified and uncontrolled mobile client devices accessing sensitive healthcare information.

Another trend causing increased exposure of sensitive healthcare information is being driven by regulatory agencies, industry standards bodies and other market forces seeking to wring more efficiency from the healthcare system. The American National Standards Institute (ANSI), the Healthcare Information and Management Systems Society (HIMSS), the U.S. Dept. of Health and Human Services and others are pushing for the development of a U.S. National Health Information Network (NHIN) to standardize information exchange and interoperability. NHIN seeks to automate the exchange of information for diagnosis and treatment, clinical procedures and laboratory tests, and to streamline payments. This information exchange for both the clinical and administrative sides of electronic healthcare applications broadens the healthcare user community accessing EMRs. On a local and regional level, numerous geographic areas are creating Regional Health Information Organizations (RHIOs) with similar goals of providing access to health information across multiple healthcare organizations in a given geography.

A final healthcare trend impacting exposure of EPHI is the single communications backbone network serving this diverse community of users. Most hospitals cannot afford separate and dedicated physical networks to segment users by their need to access sensitive healthcare information. Economic realities place all categories of users and devices, wired or wireless, medical devices or IT devices, on a common communications backbone. Clinical, laboratory, pharmacy and administrative users typically share the network infrastructure with visitors, suppliers, consultants and contractors.

All of these trends are driving the need for more access to EPHI, and consequently the need for more secure networks, to ensure that only authorized users are permitted access to sensitive information.


HEALTHCARE NEEDS MORE SECURE NETWORKS

The industry trends to open up access to CPR in efforts to drive down the cost of healthcare are causing widespread security issues for providers.

First, the universal adoption of mobile devices and remote access greatly compounds the problem of securing sensitive healthcare information. While seeking to improve efficiency by opening up healthcare networks to more mobile devices, providers are increasing their risk in managing a large community of unidentified mobile wireless devices. The problem of securing anonymous mobile healthcare endpoints is further aggravated by the fact that many of the remote and mobile devices are privately owned. They are not under the direct control of the hospital or caregiver, which limits the organization’s access to the privately owned devices, greatly increasing the difficulty in enforcing proper security policies and procedures.

The nomadic nature of many healthcare clinicians causes further problems. By connecting to multiple networks, nomadic users can (and have) become digital “Typhoid Marys”, introducing viruses, worms, and other malware onto multiple provider networks. The devices used by nomadic workers are typically under the control of the user, not the providers. The provider organizations have an absolute need to be able to assess the health of these devices before allowing them to access their network.

A third healthcare trend aggravating security headaches is the intermixing of various types of network traffic on the shared backbone network found in most hospitals. The healthcare user community spans casual users, Internet surfers, visiting medical professionals, as well as critical medical devices, healthcare caregivers and IT systems. The mixed traffic from this divergent user community greatly increases the difficulty of applying required risk-management principles such as “need to know” and “least privilege”.

Each user, regardless of originating device, must be properly identified, their access to sensitive healthcare information controlled, and their access privileges enforced according to established security policies.

Figure 2 – NAC is a Key Defense-in-Depth Component


INTRODUCING NETWORK ACCESS CONTROL

The key to securing healthcare networks and access to CPR systems and EPHI is to properly secure the users and the devices they use to access the network. Traditional security products such as firewalls and anti-virus gateways were not designed to address these issues. This is the problem area addressed by Network Access Control (NAC) solutions.

Network Access Control definition: a method by which hardware and software grant access to enterprise network resources after first authorizing the user and device and verifying the device's compliance with the enterprise's security policy. (www.wikipedia.com)

A relatively new approach to addressing network access and security issues, Network Access Control (NAC) provides solutions to problems that healthcare organizations are experiencing with network access and security. What an individual can do on a network is a function of three factors – who they are; what device they are using; and when, where and how they are connecting. Unlike firewalls, which protect access at a specific point into the network, NAC is user-centric and mitigates the risk associated with each user wherever and however they connect.

A complete NAC solution assesses these factors in real-time to protect the network and ensure adherence to established policies. This includes:

• Providing network access based on user identity

• Assessing pre-connect device security posture

• Quarantining non-compliant devices and offering self-remediation

• Providing policy-based access to network resources

• Monitoring post-connect posture and behavior and enforcing network use policy throughout the network session
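To make these five functions concrete, the following is an added example written for this guide; it is not Bradford NAC Director code and does not describe any product's internals. It is a toy policy decision engine that takes the three factors the text names (who the user is, what device they use, and how and when they connect), runs a pre-connect posture check, places non-compliant devices on a quarantine VLAN with a self-remediation list, maps compliant users to a role VLAN, and re-evaluates an admitted device when a post-connect security event arrives. The role names, VLAN numbers, posture thresholds and the business-hours rule for VPN administrators are all assumptions, not policy from the paper.

```python
"""Toy NAC policy decision engine (added illustration, not NAC Director code)."""
from dataclasses import dataclass, field

# Assumed VLAN plan: one VLAN per role, plus a quarantine VLAN that only reaches
# remediation servers (patch and antivirus update sources), never CPR systems.
ROLE_VLANS = {"clinician": 10, "lab": 20, "admin": 30, "guest": 90}
QUARANTINE_VLAN = 99
MAX_SIGNATURE_AGE_DAYS = 7  # assumed policy threshold


@dataclass
class Posture:
    """Device security posture as reported by a persistent or dissolvable agent."""
    av_running: bool
    av_signature_age_days: int
    os_patches_current: bool
    prohibited_software: list = field(default_factory=list)


@dataclass
class Connection:
    user: str
    role: str            # role looked up in the identity store after authentication
    authenticated: bool  # result of user authentication (e.g. 802.1X/EAP)
    posture: Posture
    medium: str          # "wired", "wireless" or "vpn"
    hour: int            # hour of day (0-23) at which the connection was attempted


def posture_failures(p: Posture) -> list:
    """Pre-connect compliance check: every failed rule becomes a remediation item."""
    failures = []
    if not p.av_running:
        failures.append("start or install antivirus")
    if p.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("update antivirus signatures")
    if not p.os_patches_current:
        failures.append("apply operating system patches")
    failures.extend(f"remove prohibited software: {s}" for s in p.prohibited_software)
    return failures


def decide(conn: Connection) -> dict:
    """Return the VLAN assignment and the reason, evaluating identity, posture and context."""
    if not conn.authenticated:
        # Unknown users get the guest role: limited privileges, no path to EPHI systems.
        return {"vlan": ROLE_VLANS["guest"], "reason": "unauthenticated user -> guest role",
                "remediation": []}
    failures = posture_failures(conn.posture)
    if failures:
        # Non-compliant device: quarantine it and hand the user the self-remediation list.
        return {"vlan": QUARANTINE_VLAN, "reason": "device posture non-compliant",
                "remediation": failures}
    # Context rule (assumed policy): administrative VPN access only during business hours.
    if conn.medium == "vpn" and conn.role == "admin" and not 7 <= conn.hour < 19:
        return {"vlan": None, "reason": "admin VPN access outside permitted hours",
                "remediation": []}
    role = conn.role if conn.role in ROLE_VLANS else "guest"
    return {"vlan": ROLE_VLANS[role], "reason": f"authenticated, compliant, role {role}",
            "remediation": []}


def post_connect_event(decision: dict, event: str) -> dict:
    """Post-connect monitoring: a security event re-evaluates an already admitted device."""
    if event in ("ids_alert", "worm_traffic", "policy_violation"):
        return {"vlan": QUARANTINE_VLAN, "reason": f"post-connect event: {event}",
                "remediation": ["rescan the device; contact the help desk if the scan fails"]}
    return decision


if __name__ == "__main__":
    # Constructed sample: a clinician with a compliant laptop, then the same user
    # with a non-compliant one.
    good = Connection("dr_smith", "clinician", True, Posture(True, 1, True), "wireless", 9)
    bad = Connection("dr_smith", "clinician", True,
                     Posture(False, 20, True, ["p2p-client"]), "wired", 9)
    print(decide(good))
    print(decide(bad))
    print(post_connect_event(decide(good), "ids_alert"))
```

The point the paper makes about "who, what device, and how they connect" shows up as three separate gates in `decide`: identity failure and posture failure are handled before the role is even consulted, and the post-connect hook means an admission decision is never final for the life of the session.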

NAC DEPLOYMENT MODELS

Network Access Control implementations vary considerably in how they are architected and deployed. Careful consideration regarding network design, availability goals, and the types of client devices used is required in order to determine the best NAC approach. Network Access Control solutions can be categorized based upon the enforcement and implementation model supported. The four most popular enforcement models are:

Edge enforcement: NAC solutions in this category use a network device at the edge of the network, usually a switch, to enforce access controls. These solutions generally leverage VLANs to segregate users and their access rights based upon their roles. Solutions in this category generally are highly scalable, and they are highly secure, because users are authenticated and their device security posture is checked before they are granted access to the network. NAC products using edge enforcement can also provide more (and stronger) options for authentication of endpoints. These include 802.1X authentication, with binding of the user authentication to the actual connection.

Within the edge enforcement category, there are two implementation approaches. The first utilizes the network switches themselves to deliver the access control and identity management functionality. This approach requires a homogeneous switched network, and may require extensive hardware replacement or upgrades to fully implement NAC. The second type of edge enforcement implementation uses an out-of-band controller to make policy decisions, and uses existing switches to implement and enforce policy decisions.

In-line enforcement: Some Network Access Control technologies utilize a hardware-intensive in-line deployment model, wherein appliance devices are installed as in-line network elements. The appliance devices are generally deployed at critical points in the network, for example between workgroup network switches and the backbone network, or between wireless LANs and the backbone network. In-line NAC deployments tend to be quite costly to acquire and implement, as they require a significant number of appliance devices to provide coverage for large networks. In the in-line enforcement model, access control decisions are usually made a little deeper in the network than with edge enforcement. In-line enforcement also introduces single points of failure that can be a concern.

Hybrid enforcement: This category of NAC solutions combines in-line and edge enforcement techniques. For example, a given user’s access may start out as in-line, and once the user and their IT device pass the authentication and security posture checks, the NAC controller will use the edge switch to move the user onto a VLAN based upon the user’s role.

Protocol enforcement: NAC products utilizing protocol-based enforcement are primarily geared towards ensuring endpoint compliance. This approach is generally not considered to be very secure, as it uses DHCP and IP address assignments to segregate user access. The DHCP-based approach is easily defeated by a user or attacker with a rudimentary knowledge of IP address configuration.

Assessing the relative security provided by each type of NAC implementation is difficult; however, it is clear that the closer the enforcement device sits to the end user, the more options are afforded in terms of available authentication and security mechanisms, and the stronger the security will likely be. Edge enforcement NAC products, which connect directly to the user, provide the widest range of authentication options. The table below summarizes the relative merits of the various NAC implementation types:

Security

• Edge enforcement: Greatest level of security; enforcement occurs at the point of network access

• Inline, hybrid and protocol-based enforcement: Progressively less security; enforcement occurs deeper in the network, leaving more areas vulnerable / uncontrolled

Flexibility

• Edge enforcement: Greatest level of flexibility in enforcement methods; protocol-independent (IPv4, IPv6, etc.)

• Inline, hybrid and protocol-based enforcement: Progressively less flexibility in enforcement methods; may be dependent on behavior of a particular protocol (e.g. dependence on DHCP, or may not natively support IPv4 to IPv6 migration, etc.)

Risk

• Edge enforcement: Least intrusive; with granular deployment options for lowest risk of network disruption

• Inline, hybrid and protocol-based enforcement: Changes to network topology and/or protocols are more intrusive with limited granularity (often “all-or-nothing”), which increases risk of disruption to the network

Scalability

• Edge enforcement: Most scalable; load of enforcement is spread across the network fabric for greatest scalability and performance

• Inline and hybrid enforcement: Inline nature of enforcement reduces scalability and has significant impact on performance

• Protocol-based enforcement: Protocols relying on broadcasts or multicasts limit scalability and performance

Cost

• Edge enforcement: Most cost-effective approach; leverages security functions of existing infrastructure to reduce capital and operational costs

• Inline and hybrid enforcement: Inline enforcement approach has highest capital cost (more NAC servers/appliances); operational costs are higher, particularly for troubleshooting

• Protocol-based enforcement: Similar to hybrid capital cost; less cost-effective than edge since existing network infrastructure is not leveraged


WHAT PROBLEMS DOES NAC SOLVE FOR HEALTHCARE ORGANIZATIONS?

NAC solutions are not intended to replace existing perimeter security products such as firewalls and anti-virus gateways. NAC instead addresses numerous problems that are not solvable by these established technologies, such as:

| Healthcare network security challenge | NAC addresses this by |
|---|---|
| Who is on my network at any given point? | Identity management authenticates all end users, and multi-point identity matching can pinpoint not only who is using the network, but from what devices |
| What is the health (in terms of security posture) of the devices accessing my network? | Endpoint compliance checks on the health of every device accessing the network, before the device is granted access to the network |
| How can I ensure that users are given access to authorized resources, but are kept out of systems that they are not authorized for? | Role-based access control limits user access to only those systems they are authorized to connect to |
| How can I flag devices that have security issues, and keep them from harming other devices on our network? | Devices found to have security problems are automatically quarantined |
| Out of necessity, we have a shared network, with both medical devices and IT systems and PCs attached to it. How can we keep them segregated? | NAC solutions that support VLANs are able to keep medical devices and network traffic separate from IT systems and PCs, ensuring that these are segregated even though they are sharing a common network |
| Many of our medical devices are FDA regulated, and this impacts our ability to patch them. They are also not capable of supporting agents. | Some NAC solutions provide the ability to perform device level authentication (MAC address), and to use access control policy and VLANs to keep these devices on separate network segments. |
| We need an automated way to deal with devices that have security issues; we spend an inordinate amount of help desk time dealing with PC health and security problems. | NAC solutions can quarantine and offer self-remediation capabilities to dramatically reduce help desk costs |


BRADFORD NAC DIRECTOR SOLUTION OVERVIEW

Bradford Networks is an innovator in the Network Access Control market. Bradford’s NAC Director is a proven network access control solution. Bradford provides an out-of-band NAC solution that leverages existing network infrastructure to enforce security policies at the edge of the network:

Figure 3 – Bradford Networks Out-of-Band Architecture

NAC Director’s architecture enables the solution to be highly scalable. By leveraging existing network switches with VLAN capabilities, the Bradford solution is also very cost-effective. NAC Director provides the broadest interoperability support in the industry, having been tested for interoperability with leading network switches, security devices, and client security software.

Bradford’s NAC Director provides comprehensive network access control features and capabilities. Key features of NAC Director include:

• Availability of persistent (for PCs) and dissolvable agents (well suited to kiosks)

• The ability to support device level security, important for supporting networked medical devices

• Endpoint compliance checking

• Quarantine for devices with inadequate security posture

• Role-based access control, to segment user access according to organization policies, and the user’s role

• “Get out, stay out” feature that keeps intruders out of all network access ports, wired and wireless

• Support for wireless and VPN access, as well as wired LAN access

• Broad interoperability with key switches, security devices, and client software

• Automated self-remediation capabilities for users and their devices

• Unique access point management capability to support networked medical devices

• Complete audit trails of all access activity


| Network Access Control capability | Bradford NAC Director |
|---|---|
| Endpoint compliance checks | Validation checks for AV, anti-spyware, OS, required and prohibited software. Vulnerability checks: Nessus scans, Bradford and independent scans |
| Authentication of all network attached devices and users, from wired, wireless, and VPN connections | Seven point match for authentication: user, user role, device name, MAC address, IP address, network access point, time of access |
| Quarantine capabilities | Devices quarantined on separate VLANs until their security posture is verified, validated, or remediated |
| Device and user authentication, and role-based access control | Device authentication via MAC address, 802.1X authentication, and user authentication via ID/password. Access control based upon groups, roles, and VLANs |
| Guest access roles with limited access rights | Role-based access, with separate VLANs for guest access, with limited privileges |
| Access control based upon roles and groups, VLANs to segregate | Access control rules for separate communities of users, and their permitted system access; VLANs are used to enforce access control. NAC Director also can control usage of P2P, file sharing, gaming, etc., and can trigger actions based upon external device outputs (IDS, IPS, SNMP traps) |
| Authentication and role based access control ensure that only authorized users are allowed access | NAC Director’s edge enforcement and seven point match for authentication ensure that only authorized users are allowed access, and they are only permitted to access authorized resources |
| Integrated solution that uses existing switch infrastructure and VLANs to control and segment access | NAC Director’s out-of-band architecture leverages existing switch infrastructure and VLANs to partition network access |
| User and device level authentication, and agent and agent-less operation to support devices with embedded operating systems (e.g. medical equipment) | Access point management feature to authenticate devices, including networked medical equipment, that cannot support agents or user level authentication |
| User authentication coupled with role-based access control, and detailed reporting on access help to satisfy multiple HIPAA requirements | System reporting and logs from NAC Director help with multiple HIPAA requirements |
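The "seven point match" row above and the earlier challenge table's answer on agentless, FDA-regulated medical devices (MAC-address device authentication plus a dedicated VLAN) both describe binding a session to more than a username. The following is an added example written for this guide, not NAC Director code: it records the seven attributes the table lists (user, user role, device name, MAC address, IP address, network access point, time of access) when a session is admitted, flags later observations whose binding no longer matches or that fall outside the hours the role permits, and registers agentless medical devices by MAC address together with the access point they are expected on, so a known MAC appearing on an unexpected port is not simply waved onto the medical VLAN. The role hour windows, the medical VLAN number and every sample value are constructed assumptions.

```python
"""Seven-point binding check and agentless device registration (added illustration)."""
from dataclasses import dataclass, fields

ROLE_HOURS = {"clinician": (0, 24), "lab": (0, 24), "contractor": (8, 18)}  # assumed
DEFAULT_HOURS = (8, 18)
MEDICAL_VLAN = 40  # assumed VLAN reserved for networked medical devices


@dataclass(frozen=True)
class Binding:
    """The seven attributes the capabilities table lists for a match."""
    user: str
    role: str
    device_name: str
    mac: str
    ip: str
    access_point: str  # switch port or wireless access point the device is attached to
    hour: int          # hour of day (0-23) of the observation


def normalize_mac(mac: str) -> str:
    """Accept both 00-11-... and 00:11:... spellings in any case."""
    return mac.lower().replace("-", ":")


class BindingRegistry:
    def __init__(self):
        self.sessions = {}          # normalized MAC -> Binding recorded at admission
        self.medical_devices = {}   # normalized MAC -> access point it is expected on

    def admit(self, b: Binding) -> None:
        """Record the full binding when the user and device are first admitted."""
        self.sessions[normalize_mac(b.mac)] = b

    def check_session(self, observed: Binding) -> list:
        """Return the names of attributes that no longer match ([] means consistent).

        The MAC is the lookup key, so the comparison covers the other identity and
        location attributes; the hour is checked against the role's permitted
        window rather than against the admission time.
        """
        known = self.sessions.get(normalize_mac(observed.mac))
        if known is None:
            return ["unregistered device"]
        mismatches = [f.name for f in fields(Binding)
                      if f.name not in ("mac", "hour")
                      and getattr(known, f.name) != getattr(observed, f.name)]
        start, end = ROLE_HOURS.get(observed.role, DEFAULT_HOURS)
        if not start <= observed.hour < end:
            mismatches.append("outside permitted hours")
        return mismatches

    def register_medical_device(self, mac: str, access_point: str) -> None:
        """Agentless device: there is no user login, so bind the MAC to its expected port."""
        self.medical_devices[normalize_mac(mac)] = access_point

    def medical_device_vlan(self, mac: str, access_point: str):
        """Return (vlan, reason). The MAC alone is not trusted as proof of identity:
        a registered MAC seen on an unexpected port is refused the medical VLAN and
        left for an administrator to review."""
        expected = self.medical_devices.get(normalize_mac(mac))
        if expected is None:
            return None, "unregistered device"
        if expected != access_point:
            return None, "registered device seen on unexpected access point"
        return MEDICAL_VLAN, "registered medical device on expected access point"


if __name__ == "__main__":
    # Constructed sample data: a ward laptop admitted at 09:00, then seen from the lobby AP.
    reg = BindingRegistry()
    laptop = Binding("nurse_j", "clinician", "ward-laptop-3", "00:11:22:33:44:55",
                     "10.1.10.23", "sw-ward1/gi1/7", 9)
    reg.admit(laptop)
    moved = Binding("nurse_j", "clinician", "ward-laptop-3", "00-11-22-33-44-55",
                    "10.1.90.5", "ap-lobby", 9)
    print(reg.check_session(moved))          # ['ip', 'access_point']
    reg.register_medical_device("00:50:C2:AA:BB:01", "sw-icu/gi1/12")
    print(reg.medical_device_vlan("00:50:c2:aa:bb:01", "sw-icu/gi1/12"))
    print(reg.medical_device_vlan("00:50:c2:aa:bb:01", "sw-lobby/gi1/3"))
```

Checking the access point alongside the MAC is the reason the paper pairs "access point management" with device-level authentication: a MAC address is easy to copy, so the registration is only meaningful when it is tied to where the device is physically connected, and a mismatch should trigger re-authentication or review rather than silent admission.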


NAC DIRECTOR BENEFITS TO HEALTHCARE ORGANIZATIONS

The Bradford NAC Director solution provides numerous benefits to healthcare organizations. NAC Director greatly enhances network security, providing user authentication for all network access. NAC Director also ensures that systems with security health issues are quarantined and prevented from causing problems on the network. Users’ access is restricted to only those network resources that they are authorized for. Help desk costs are reduced significantly, as users are given the opportunity to easily remediate device security health issues themselves, and because once NAC Director is installed, systems that are infected with a worm or virus have no opportunity to spread it to the entire network.

NAC Director is one of the few network access control solutions that enable healthcare organizations to fully leverage their existing network switches and wireless access points to improve security. With limited IT budgets in most hospitals, Bradford’s out-of-band NAC approach provides maximum security without requiring network switch replacement, or a hardware intensive in-line NAC approach.

With clinical medical devices and CPR systems becoming critical to the delivery of quality patient care, preventing outages due to security events is paramount. NAC Director maintains network availability and prevents network outages caused by major security events.

ABOUT BRADFORD NETWORKS

Bradford Networks develops advanced network access control solutions for wireless, wired and VPN networks. Bradford’s out-of-band appliances leverage existing network infrastructures and investments to deliver automated identity management, endpoint compliance and usage policy enforcement services. Bradford helps IT managers address the challenges of guest access, unmanaged devices and regulatory compliance.

www.bradfordnetworks.com


ENDNOTES

[1] Rand Corp., The Diffusion and Value of Healthcare Information Technology, 2005, Anthony Bower et al.

[2] IDC, Telecommuter Profile – 2005, Tom Walsh et al.

[3] Healthcare Information and Management Systems Society (HIMSS) Leadership Survey, 2005
