Protecting Healthcare Legacy Systems with Micro-Segmentation

By

Rick Leib, CISO for Client Services at Access Point Consulting


Understanding Micro-Segmentation

Segmentation in network environments is nothing new. It’s common for administrators to segment the network based on logical functions and security controls. For example, the finance department is one segment, and the sales department is another segment. All segments can send traffic to email servers (for example), but user traffic does not enter finance or sales segments unless the user is authorized to access them.

Micro-segmentation is much more granular than traditional compartmentalizing of network environments based on logical function. With micro-segmentation, networks are sectioned off into even smaller workloads with additional security controls limiting authorized access to specific user groups.

In a healthcare environment, micro-segmentation facilitates better data security of protected healthcare information (PHI). Instead of having a large network segment, healthcare organizations can compartmentalize their servers down to the application level. Usually, micro-segmentation is applied in a virtualized environment in the cloud to better protect data center resources, but it can be applied on-premises also.

The Role of Micro-Segmentation in Healthcare Security

Let’s say that you have a healthcare application for patient payments and another application to store patient healthcare information. Micro-segmentation involves creating two workload segments, one for each application. Should attackers gain access to one workload, they would be limited to that specific workload and unable to make lateral moves to other segments. The micro-segmentation strategy limits the damage after a compromise and contains the threat.

HIPAA doesn’t specifically require micro-segmentation, but it does require organizations to deploy physical and technical safeguards against unauthorized PHI access. The method is yours to choose, but micro-segmentation is a best practice that keeps healthcare organizations compliant with technical aspects of HIPAA including encryption of patient data, threat mitigation, data access security controls, and event logging.

Implementing Micro-Segmentation in Healthcare Settings

If you have legacy systems, you probably already have infrastructure set up to secure data. Micro-segmentation is likely a change in your strategy, so you may need guidance. Here is a step-by-step guide to get you started:

Assess current network architecture and identify segmentation opportunities. An audit of your network environment is the necessary first step. Build your segmentation plan on the audit of resources, where they are located on your network, their functionality, the data every resource stores, resource risks, and the users that need access to these resources.

Choose the right tools and technologies for micro-segmentation. The tools that you use to manage a micro-segmentation environment depend on your architecture and logical strategies. For example, you’ll need virtualization software to segment servers. Software like VMware may be a good option, but other virtualization applications may be a better choice for your organization. You’ll also need software to monitor the environment and to manage data access, deployments, zero-trust management, and software-defined perimeter management.

Develop policies for segment access control and monitoring. Planning is important in the design and deployment of segmentation. Legacy systems often have idiosyncratic requirements that make it difficult for administrators to consistently deploy the same infrastructure without experiencing bugs. You might choose to test segmentation on a smaller and non-critical section of the network first, and then deploy a strategy to the rest of the network. User groups and policy planning are key to protecting data, so map out user groups with the users that need access. Remember to follow the principle of least privilege, which means that users should have access only to the data necessary to perform their job functions.
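The access-control step above can be prototyped before any enforcement tool is chosen. The following is an added example, not part of the original article or any vendor's product: a default-deny policy check over the two workloads discussed earlier (patient payments and patient records), with denied flows returned as event-log records. All segment names, address ranges, ports, and flows are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed inventory from the audit step: each workload and user group
# gets its own segment (hypothetical names and address ranges).
SEGMENTS = {
    "patient-payments": ip_network("10.20.1.0/28"),
    "patient-records": ip_network("10.20.2.0/28"),
    "billing-staff": ip_network("10.30.1.0/24"),
    "clinical-staff": ip_network("10.30.2.0/24"),
}

# Least-privilege allow list: (source segment, destination segment, TCP port).
# Anything not listed is denied, including workload-to-workload traffic.
ALLOW = {
    ("billing-staff", "patient-payments", 443),
    ("clinical-staff", "patient-records", 443),
}

def segment_of(addr):
    """Return the name of the segment containing addr, or None if unassigned."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None

def decide(src, dst, port):
    """Default-deny decision for one flow: (verdict, src_segment, dst_segment)."""
    s, d = segment_of(src), segment_of(dst)
    verdict = "allow" if (s, d, port) in ALLOW else "deny"
    return verdict, s, d

def audit(flows):
    """Evaluate flows and return the denied ones as event-log records."""
    events = []
    for src, dst, port in flows:
        verdict, s, d = decide(src, dst, port)
        if verdict == "deny":
            events.append({"src": src, "dst": dst, "port": port,
                           "src_segment": s, "dst_segment": d})
    return events

# Constructed sample flows.
FLOWS = [
    ("10.30.1.15", "10.20.1.4", 443),   # billing user -> payments app
    ("10.30.2.40", "10.20.2.6", 443),   # clinician -> records app
    ("10.20.1.4", "10.20.2.6", 1433),   # payments workload -> records workload
    ("10.30.1.15", "10.20.2.6", 443),   # billing user -> records app
]

if __name__ == "__main__":
    for event in audit(FLOWS):
        print("DENY", event)
```

Running the same check against flow records captured during the pilot on a non-critical section of the network shows which legitimate traffic the draft policy would block before it is enforced.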

Overcoming Challenges

Legacy systems have their own challenges, and most healthcare organizations have been in business for years and kept their old legacy infrastructure. Enterprise systems are often in production for decades, so they have at least one legacy system in service. These systems pose the biggest challenges for administrators, because they are necessary for production but aren’t supported by developers.

Deprecated software that is no longer supported by its developers receives no more bug fixes or security patches. Once threat actors find a vulnerability, they have plenty of time to exploit it, as they know that the developers will not release a patch. Micro-segmenting these legacy workloads minimizes damage from a compromise by limiting the threat to the compromised segment rather than allowing the attacker to make lateral moves across the environment.

Migrating to the cloud might be a better option for legacy applications where micro-segmentation is more easily deployed. Cloud environments are built with more efficient technology to lower costs of maintenance and uptime, and most cloud providers have the tools already available to segment workloads. During the planning phase of micro-segmentation, it might be beneficial to migrate to the cloud.

The Future of Micro-segmentation in Healthcare

Several emerging trends make micro-segmentation more scalable and efficient for administrators. The first is automation. Instead of manually scaling resources, healthcare administrators can run scripts in the cloud to automatically deploy resources. 

Organizations can add artificial intelligence (AI) to their infrastructure along with automation tools to monitor and send alerts. Monitoring data access is a HIPAA requirement, and AI monitoring works with heuristics and builds a baseline of user patterns. Both of these factors play into alerting and detecting threats, including zero-days.

Conclusion

Micro-segmentation improves your HIPAA compliance and security posture by protecting your PHI and other patient data from threats. Legacy systems are infamous for their unpatched vulnerabilities, mainly because they lack developer support and continued maintenance. You can limit damage from a compromised legacy system by segmenting it from the rest of the environment.

To get started managing your risk and building a security strategy, meet with an Access Point expert.
