That’s very convenient for the vendor, but it creates a security nightmare for IT managers. These types of connections need to be blocked by on-premises firewalls except when specific vendor intervention is requested.
Healthcare IT teams must also maintain a checklist of actions to take when a support ticket is closed, including ensuring that any temporary configuration changes to devices and network firewalls are reversed or otherwise properly documented.
IT managers should also provide specific training to their teams on the dangers of working with third-party vendor support teams. For example, it’s common to upload device configurations to third-party vendor support sites, complete with lightly encrypted passwords. Identifying and mitigating the risks associated with third-party support should be included in internal policies and training.
3. How Mature Is Your Advanced Network Security?
Enterprise IT teams assume limited physical access by strangers to their network infrastructure; healthcare IT teams are operating in an environment where people are wandering around everywhere at all hours. This calls for a level of network security beyond simple network access control tools. As with IoT, the key strategy is isolation, ensuring that communications between devices are as tightly limited as possible.
Healthcare IT teams have to address both the physical presence of third parties in their facilities and the virtual presence of third-party suppliers and support teams on their networks. With a high level of device isolation, the risk that unauthorized access will spread across the network is minimized.
Further encryption steps are warranted in healthcare IT departments. Physical-layer network encryption used to be an unfamiliar, military-only requirement, but enterprise network vendors now make it easy to enable switch-to-switch encryption.
Healthcare IT managers should take advantage of this free feature. It’s unlikely that an intruder would gain access to switch-to-switch communications, but it could happen, and remote network monitoring tools make it easier than before.
READ MORE: Follow these best practices to improve cyber resilience in healthcare.
4. How Can You Adopt More Application Encryption?
While network-layer encryption is being rolled out, application-layer encryption should become a nonnegotiable requirement for any software used in a healthcare environment.
For legacy applications that don’t include encryption, IT teams can use an application delivery controller (or load balancer) to add encryption, but this is only a partial step. One of the common techniques of attackers is to use a packet-sniffing tool such as “tcpdump” on the local host or virtualization server, and if the traffic is encrypted only up to the ADC, passwords and patient data will still be flowing in the clear.
Closing the vulnerability of unencrypted traffic should be a priority for healthcare IT teams, and not just because of the obvious threat vector. Unencrypted traffic is a symptom of very outdated software without a solid secure development commitment from the vendor. Products that vendors insist can’t be encrypted need to be moved to the top of the list for retirement and replacement.
