Segmentation in network environments is nothing new. It’s common for administrators to segment the network based on logical functions and security controls. For example, the finance department is one segment, and the sales department is another segment. All segments can send traffic to email servers (for example), but user traffic does not enter finance or sales segments unless the user is authorized to access them.
Micro-segmentation is much more granular than traditional compartmentalizing of network environments based on logical function. With micro-segmentation, networks are sectioned off into even smaller workloads with additional security controls limiting authorized access to specific user groups.
In a healthcare environment, micro-segmentation facilitates better data security of protected healthcare information (PHI). Instead of having a large network segment, healthcare organizations can compartmentalize their servers down to the application level. Usually, micro-segmentation is applied in a virtualized environment in the cloud to better protect data center resources, but it can be applied on-premises also.
Let’s say that you have a healthcare application for patient payments and another application to store patient healthcare information. Micro-segmentation involves creating two workload segments foreach application. Should attackers gain access to one workload, they would be limited to the specific workload and unable to make lateral moves to other segments. The micro-segmentation strategy limits the damage after a compromise and contains the threat.
HIPAA doesn’t specifically require micro-segmentation, but it does require organizations to deploy physical and technical safeguards against unauthorized PHI access. The method is yours to choose, but micro-segmentation is a best practice that keeps healthcare organizations compliant with technical aspects of HIPAA including encryption of patient data, threat mitigation, data access security controls, and event logging.
If you have legacy systems, you probably already have infrastructure set up to secure data. Micro-segmentation is likely a change in your strategy, so you may need guidance. Here is a step-by-step guide to get you started:
Assess current network architecture and identify segmentation opportunities. An audit of your network environment is the necessary first step. Build your segmentation plan on the audit of resources, where they are located on your network, their functionality, the data every resource stores, resource risks, and the users that need access to these resources.
Choose the right tools and technologies for micro-segmentation. The tools that you use to manage a micro-segmentation environment depend on your architecture and logical strategies. For example, you’ll need a virtualization software to segment servers. Software like VMware maybe a good option, but other virtualization applications may be a better choice for your organization. You’ll need software to monitor the environment, manage data access, deployments, zero-trust management, and software-defined perimeter management.
Develop policies for segment access control and monitoring. Planning is important in the design and deployment of segmentation. Legacy systems often have idiosyncratic requirements that make it difficult for administrators to consistently deploy the same infrastructure without experiencing bugs. You might choose to test segmentation on a smaller and non-critical section of the network first, and then deploy a strategy to the rest of the network. User groups and policy planning is key to protecting data, so map out user groups with users that need access. Remember to follow the principle of least privilege, which means that users should have access only to the data necessary to perform their job functions.
Legacy systems have their own challenges, and most healthcare organizations have been in business for years and kept their old legacy infrastructure. Enterprise systems are often in production for decades, so they have at least one legacy system in service. These systems pose the biggest challenges for administrators, because they are necessary for production but aren’t supported by developers.
Deprecated software no longer supported by its developers means no more bug fixes or security patches. Once threat actors find a vulnerability, they have plenty of time to exploit it as they know that the developers will not release a patch. Micro-segmenting these legacy workloads minimize damage from a compromise by limiting the threat to the compromised segment rather than allow the attacker to make lateral moves across the environment.
Migrating to the cloud might be a better option for legacy applications where micro-segmentation is more easily deployed. Cloud environments are built with more efficient technology to lower costs of maintenance and uptime, and most cloud providers have the tools already available to segment workloads. During the planning phase of micro-segmentation, it might be beneficial to migrate to the cloud.
Several emerging trends make micro-segmentation more scalable and efficient for administrators. The first is automation. Instead of manually scaling resources, healthcare administrators can run scripts in the cloud to automatically deploy resources.
Organizations can add artificial intelligence (AI) to their infrastructure along with automation tools to monitor and send alerts.Monitoring data access is a HIPAA requirement, and AI monitoring works with heuristics and builds a baseline of user patterns. Both these factors play into alerts and detecting threats including zero-days.
To improve your HIPAA compliance and security posture, micro-segmentation protects your PHI and other patient data from threats.Legacy systems are infamous for their unpatched vulnerabilities, mainly for their lack of developer support and continued maintenance. You can limit damage from a compromised legacy system by segmenting it from the rest of the environment.
To get started managing your risk and building a security strategy, meet with an Access Point expert.
Resources
