In building a comprehensive healthcare network protection strategy, asset visibility is foundational to your success, but in many ways it’s only the beginning. Taking the next step towards network segmentation requires you to not only have awareness of all connected assets but also understand how, when, and to which other devices they communicate.
Understanding your network traffic is the key to successful segmentation policies and the logical next step after you’ve achieved the proper data foundation in place. Find out how crucial network traffic analysis is to securing your healthcare organization’s network and learn the ins and outs of analyzing device communications in both clinical and non-clinical workflows to further your goal of network protection.
Network traffic analysis refers to the process of monitoring and evaluating device communications over the network to identify issues, such as abnormal activity or suspicious device behavior, and to improve overall hospital operations. The ability to analyze network traffic is key to segmentation: knowing how, and with which other devices, your assets communicate helps you group the right devices together during the segmentation process.
According to Claroty’s Global Healthcare Cybersecurity Study, only 25% of healthcare systems globally describe themselves as having a mature approach to network segmentation - that is, having fully segmented their enterprise IT, visitor, and other networks from their medical devices, and having implemented granular microsegmentation between different device types and access control lists within different VLANs.
Proper network segmentation is particularly important for healthcare organizations, where patient care and safety are the number one priority. Ensuring that connected devices sit on the right network and communicate only with the devices they should helps keep patients protected in the event that an attack occurs.
However, CPS (cyber-physical systems) are common blind spots in healthcare networks. In fact, according to the State of CPS Security Report, 22% of hospitals have devices that bridge corporate and guest networks, easily opening them up to threats should an adversary gain access to the guest network. Additionally, the report found that 4% of devices used in surgeries aren’t even connected to the corporate network and instead operate on a guest network, the least secured and most exposed place for these critical devices to be connected. When it comes to devices that are mission-critical to the proper delivery of patient care, it is especially important to understand how they are operating, where they are in their device lifecycle, and what device communications are taking place. Using asset visibility to discover where critical devices are connected, in order to segment them, is the first line of defense for assets with a direct impact on patient care. Network traffic analysis is the cornerstone of safely segmenting devices and ensuring the right assets are grouped together.
Before you can even start analyzing network traffic, you must ensure that you have asset visibility for every single connected device on your network - it’s impossible to analyze the traffic of devices you haven’t discovered. CPS assets in healthcare, like clinical devices, are notoriously difficult to discover, especially with traditional methods. Deep packet inspection (DPI) is one reliable way to discover CPS devices on your network and learn exactly what a device is, its critical attributes (OS, model number, etc.), its protocols and how it communicates, and more. As you think about putting the proper data foundation in place, consider both active and passive monitoring methods that provide a reliable level of accuracy along with comprehensive device profiling that captures a strong depth and breadth of technical attributes across your network.
Once you have a complete asset inventory and know each asset’s protocols, it’s time to evaluate typical network traffic to see how often devices communicate and which devices they talk to. This can help you establish the baseline for your network traffic. The baseline illustrates where your devices are sitting on the network and what typical network traffic looks like so you can easily detect abnormal behaviors in the future. This baseline also allows you to take the first steps to develop network protection enforcement policies and monitor segmentation policies moving forward.
With your baseline established, it’s important to develop an alerting system for any abnormal behavior or deviation from enforced policies so your security team can swiftly respond to suspicious or abnormal activity. This is also important for maintaining compliance with your established policies and with regulatory bodies. Using a CPS protection platform to monitor network traffic and alert your security team to abnormal behavior is key to enforcing your organization’s policies and staying ahead of threats to your network.
Another key step in network traffic analysis and segmentation is to identify the components of your existing network infrastructure and enforce policies through them. Firewalls and NAC are the most important to consider for segmentation programs. By choosing a solution that can identify CPS assets, analyze network traffic, and enable policy enforcement across your existing network infrastructure, you can greatly streamline operations, and both capabilities are critical to protecting patient information.
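As an added example (not Claroty’s code or anything from xDome), the following Python sketch walks through the workflow described above: learn each device’s normal peers from flow records, collapse them into zone-to-zone allow rules of the kind a firewall or NAC would enforce, simulate that rule set against later traffic before enforcing it, and alert on flows that deviate from the baseline. All device names, zones and flow records are constructed sample values.

```python
from collections import defaultdict

# Constructed sample flow records (src device, dst device, service) from a learning window.
BASELINE_FLOWS = [
    ("infusion-pump-01", "pump-server", "tcp/443"),
    ("infusion-pump-01", "dns-01", "udp/53"),
    ("ct-scanner-01", "pacs-01", "tcp/104"),  # DICOM to the PACS
    ("ct-scanner-01", "dns-01", "udp/53"),
    ("workstation-07", "ehr-01", "tcp/443"),
]
# Constructed zone assignments; in practice these come from the asset inventory.
ZONES = {
    "infusion-pump-01": "clinical", "ct-scanner-01": "clinical",
    "pump-server": "clinical-servers", "pacs-01": "clinical-servers",
    "dns-01": "infra", "workstation-07": "corporate", "ehr-01": "corporate",
    "guest-laptop-3": "guest",
}
# Constructed later traffic: the baseline plus one pump talking SMB to a guest device.
NEW_FLOWS = BASELINE_FLOWS + [("infusion-pump-01", "guest-laptop-3", "tcp/445")]


def build_baseline(flows):
    """Map each device to the set of (peer, service) pairs seen in the learning window."""
    baseline = defaultdict(set)
    for src, dst, svc in flows:
        baseline[src].add((dst, svc))
    return baseline


def recommend_acl(flows, zones):
    """Collapse device-level flows into zone-to-zone allow rules (the zone-based approach)."""
    return sorted({(zones[src], zones[dst], svc) for src, dst, svc in flows})


def simulate_policy(flows, rules, zones):
    """Return the flows a proposed rule set would block, so impact is visible before enforcement."""
    allowed = set(rules)
    return [(s, d, svc) for s, d, svc in flows
            if (zones.get(s, "unknown"), zones.get(d, "unknown"), svc) not in allowed]


def find_deviations(flows, baseline, zones):
    """Alert on flows absent from the baseline; anything touching the guest zone is high severity."""
    alerts = []
    for src, dst, svc in flows:
        if (dst, svc) in baseline.get(src, set()):
            continue
        touches_guest = "guest" in (zones.get(src), zones.get(dst))
        alerts.append({"src": src, "dst": dst, "service": svc,
                       "severity": "high" if touches_guest else "medium"})
    return alerts
```

Run against the constructed traffic, the recommended rule set blocks exactly the pump-to-guest SMB flow, and the same flow is the only deviation alert raised.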
Claroty xDome is purpose-built for healthcare CPS protection, with network protection functionality as a core part of the solution, including the ability to:
- Visualize device communications filtered by site, network, and communication types
- Receive recommended ACL policies directly within the platform while integrating with your existing network infrastructure
- Utilize a zone-based approach to simplify the process of monitoring, refining, and enforcing communication policies
- Simulate policies to visualize how recommended policies would impact your unique environment and risk posture before they are enforced
- Automate policy compliance monitoring through continuous monitoring alerts to help address policy deviations
These critical functionalities help healthcare organizations monitor and analyze their network traffic, effectively segment the network, and enforce policies that will secure connected devices and protect patient safety.
To learn how your healthcare organization can better monitor network traffic, speak with a member of the Claroty team.