Look Before You Leap! Network Access Control and Network Segmentation (NAC/NS) June 2017


Page 1: Look Before You Leap! - NCHICA · 2017-06-08 · Look Before You Leap! Network Access Control and Network Segmentation (NAC/NS) June 2017

Look Before You Leap! Network Access Control and Network Segmentation (NAC/NS)

June 2017

Page 2

Look Before You Leap! Network Access Control / Network Segmentation (NAC/NS)

Member firms and DTTL Copyright © 2017 Deloitte Development LLC. All rights reserved. 36 USC 220506

What You’ll Learn Today

Agenda

Topic: Introductions
Content: Who Are We?
Presenter(s): Kurt Griggs, Mayo Clinic; Jim Bearce, Deloitte & Touche, LLP

Topic: NAC/NS Business & Internal Audit Perspectives
Content:
• What is Network Segmentation & Network Access Control
• Why Is NAC/NS Important
• Understand & Assess
• Plan, Prepare & Monitor
Presenter(s): Kurt Griggs, Mayo Clinic; Jim Bearce, Deloitte & Touche, LLP

Topic: NAC/NS Planning
Content: Success Requires Detailed Planning
Presenter(s): Shane Swanson, Deloitte & Touche, LLP; Shawn Riley, State of North Dakota

Topic: Regulatory & Cybersecurity Considerations
Content:
• Business Characterization
• NAC/NS Security Considerations
• Cybersecurity Framework
Presenter(s): Shane Swanson, Deloitte & Touche, LLP; Jim Bearce, Deloitte & Touche, LLP; Shawn Riley, State of North Dakota

Topic: Questions & Answers

1

Page 3

Our Team

Collaboration At Its Best

Page 4

Our Team Collaboration At Its Best

Mayo Clinic

• Kurt A. Griggs, IT Audit Manager

State of North Dakota

• Shawn Riley, Chief Information Officer

Deloitte & Touche, LLP

• Jim Bearce, Sr. Manager

• Shane Swanson, Specialist Master

A Meeting of the Minds

2

Page 5

NAC / NS Business Perspective

What is NAC & NS? Why is it Important?

Page 6

NAC / NS Business Perspective

Network Segmentation (NS)

The splitting of a computer network into many “sub networks” known as segments.

Segmenting allows organizations to group applications and like data together (e.g., clinical, education, research, admin).

Segmenting your network allows you to limit the range of access provided to an insider, partner, or a third party.

Network Access Control (NAC)

A method to enhance the security of a network.

Enables you to restrict the availability of network resources.

Permitted endpoint devices must comply with a defined security policy.

Benefits

Reduces Congestion

Improves Security

Allows You To Contain Network Problems

Helps You Restrict Access

What Is NAC & NS?

3

Page 7

NAC / NS Business Perspective

Healthcare providers face unique challenges:

Cybersecurity Challenges:

• Cyber security threats (Hacktivists, Nation-State, Criminal Organizations)

• Patient and employee privacy (PII / PHI)

• Risky medical devices (Connected Medical Devices)

Regulatory Challenges:

• Strict privacy laws and guidelines:

− Health Insurance Portability and Accountability Act (HIPAA)

− Payment Card Industry Data Security Standard (PCI DSS)

• Enhanced security

Innovation Challenge:

• Organizations must find new ways to secure and protect:

− Patient medical, financial, and protected health information (PHI)

− Personally identifiable information (PII)

− Proprietary Information (Intellectual Property)

Why Is It Important?

4

Page 8

NAC / NS Internal Audit Perspective

Understand, Assess, Plan, and Monitor

Page 9

NAC / NS Internal Audit Perspective: Understand and Assess

Identifying and understanding NAC/NS Clinical, Business and Organizational Drivers

Clinical Drivers

• Patient Safety

• Patient Privacy

• Innovation

Business Drivers

• Interdependencies

• Innovation

• Efficiency

Organizational Drivers (Leadership, IT, Non-IT, IS)

NAC/NS

• Stakeholder Engagement

• Goals & Objectives

• Pre-Assessment

• Design

• Implementation

5

Page 10

NAC / NS Internal Audit Perspective: Plan, Prepare, and Monitor

Detailed Plan of Attack

• Define Security Objectives

• Low Level Design (Comprehensive & Updated Continuously)

• Pilot Testing Using Test Environments

• Detailed Implementation Plan with Interim Milestone Validations

Operational Readiness

• Resources

• Management of Device Types

• Third Party Collaboration

• Training

Monitor & Report (During and After)

• Implementation Milestones

• Testing Results

• Quality Goals

• Key Performance Indicators

6

Page 11

NAC/NS Planning

Success Requires Detailed Planning

Page 12

NAC Planning

Network Access Control looks easy, it smells easy, well….. It is NOT easy

Considerations when planning

Fully understand where you are going to implement

• Diversity of health environments is huge

You will need a complete, accurate inventory

• Do you KNOW where your systems are right now?

Put extra effort into your profiles

• And test them, and test them some more

• Know the characteristics of profiles up front

Understand the use cases

Know ALL of the onboarding processes

• Both current and future state

Expect to put in extra time on certificates & Public Key Infrastructure (PKI)

• Process, process, process

You will never be done – operational tail is long

Success Requires Detailed Planning

Technology is easy, people and process are hard

Given the maturity of network access control solutions, many healthcare IT leaders underestimate the complexities of implementation.

7

Page 13

NAC Planning: Success Requires Detailed Planning

Given the maturity of network access control solutions, many healthcare IT leaders underestimate the complexities of implementation.

Complete Asset Inventory

• What Assets / Devices / Applications

• What Facilities / Regions and Segments

Develop Use Cases

• Define Use Cases (e.g., Med. Devices, PHI)

• Device / User Profiles

Onboarding Processes

• Process for Onboarding New Users / Devices

PKI & Certificates

• Authentication of Users / Devices

8

Page 14

NS Planning

Network Segmentation looks hard, it smells hard, and you guessed it… it is harder than that

Considerations when planning

You need to know EVERYTHING that happens on the network

• Every thread, every packet

Typically your customer knows NOTHING that happens on the network

• The customer, and even the vendors, rarely know how their applications communicate

You will be tempted to overdo the segments

• If you build one, you will feel like you need thousands

Stakeholders and workflows are critical to success

Some people will think segmentation is a silver bullet

Find a partner – one that can demonstrate previous success

Success Requires Detailed Planning

Network Segmentation has great potential to increase security while significantly lowering the operational expenditures over models like “zero trust in the data center.” Planning for segmentation is complicated and requires considerable depth.

9

Page 15

Cybersecurity / Regulatory Considerations

Page 16

Cybersecurity Considerations: Business Environment Characterization

As organizations grow through acquisition and evolve their services and/or products, the nature of cyber risk the organization faces continually changes.

Sensitive data to protect

Increasing expectations for the protection of sensitive information, including personally identifiable information (PII) for current and past employees, payment card data, sensitive financial information and customer information.

Evolving regulatory expectations that include new SEC guidelines requiring the disclosure of cyber breaches and numerous state breach reporting requirements.

Extended attack surface

As mobile, web-based applications and telematics are used to enhance customer service and drive operational efficiency, they also present new attack vectors that could be used by an adversary.

Many organizations may now be attractive targets for activists and nation-states.

*The diagram is for illustrative purposes only.

10

Page 17

Cybersecurity Considerations: NAC / NS Security Considerations

Threat Landscape & Evolving Infrastructure

Network Access Control

Monitor mode can have a great value

• Inventory, identification

NAC is a physical control

• Value is different and needs to be weighed with a much sharper eye

Be aware of PKI requirements

• Enterprise PKI - for e-prescribing?

Device and User can be integrated together to create a solid Identity Management security approach

Network Segmentation

Very useful for managing specific pain point systems

• Win XP, specific medical devices

If done well, you will have a very secure environment

• Managed devices, managed users, managed protocols, and managed ports
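The two ideas the deck keeps returning to, NAC admitting an endpoint only when it meets a defined policy (the "What Is NAC & NS?" slide) and segmentation limiting which managed devices, users, protocols and ports can talk to each other (this slide), can be made concrete in a small policy engine. The following is an added example written for this page, not code from the presenters or from any NAC product: the segment names, VLAN ids, device profiles, posture checks, inter-segment rules, port numbers and sample endpoints are all constructed assumptions. It also shows the monitor-mode behaviour mentioned above: every finding is recorded for inventory and identification, but nothing is blocked.

```python
"""Toy NAC decision engine plus a default-deny segment flow policy.
Added illustration for the NCHICA NAC/NS deck; every profile, segment,
VLAN, port and endpoint below is a constructed assumption."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed segment catalogue (name -> VLAN id). VLAN 0 means "leave the
# switch port on its default VLAN"; it is used for deny and for monitor-mode
# endpoints whose profile is unknown.
SEGMENTS = {"clinical": 10, "research": 20, "admin": 30,
            "legacy-meddev": 40, "quarantine": 99}

# Constructed device-profile -> segment mapping (the deck's "profiles").
PROFILES = {"workstation-clinical": "clinical",
            "workstation-research": "research",
            "workstation-admin": "admin",
            "infusion-pump-winxp": "legacy-meddev"}

# Segments for devices that cannot run a posture agent (e.g. Win XP medical
# devices); they are isolated by segment instead of being posture-checked.
HEADLESS_SEGMENTS = {"legacy-meddev"}


@dataclass
class Endpoint:
    mac: str
    profile: str                       # output of device profiling
    user: Optional[str]                # None for headless devices
    cert_valid_until: Optional[date]   # device certificate expiry; None = no cert
    patched: bool
    av_running: bool


@dataclass
class Decision:
    action: str                        # "permit", "quarantine" or "deny"
    vlan: int
    reasons: List[str] = field(default_factory=list)


def evaluate(ep: Endpoint, today: date, monitor_mode: bool = False) -> Decision:
    """Apply the NAC policy to one endpoint.

    Identity failures (certificate) are hard failures and deny the port;
    posture failures are soft failures and move the endpoint to the
    quarantine VLAN. In monitor mode all findings are still recorded (the
    inventory/identification value the deck mentions) but nothing is blocked."""
    hard: List[str] = []
    soft: List[str] = []
    segment = PROFILES.get(ep.profile)
    if segment is None:
        soft.append(f"unknown profile {ep.profile!r}")

    # Identity: every endpoint must present a valid device certificate (PKI).
    if ep.cert_valid_until is None:
        hard.append("no device certificate")
    elif ep.cert_valid_until < today:
        hard.append("device certificate expired")

    # Posture: only user-operated workstations are checked; device identity
    # and user identity are combined here, as the slide suggests.
    if segment is not None and segment not in HEADLESS_SEGMENTS:
        if ep.user is None:
            soft.append("no authenticated user on workstation")
        if not ep.patched:
            soft.append("missing patches")
        if not ep.av_running:
            soft.append("endpoint protection not running")

    reasons = hard + soft
    if monitor_mode:
        return Decision("permit", SEGMENTS[segment] if segment else 0, reasons)
    if hard:
        return Decision("deny", 0, reasons)
    if soft:
        return Decision("quarantine", SEGMENTS["quarantine"], reasons)
    return Decision("permit", SEGMENTS[segment], [])


# Constructed inter-segment allow list (src, dst, proto, port): managed
# protocols on managed ports between managed segments. Anything else is denied.
FLOW_RULES = {
    ("clinical", "clinical", "tcp", 443),
    ("legacy-meddev", "clinical", "tcp", 2575),   # HL7 MLLP to an interface engine (assumed)
    ("admin", "clinical", "tcp", 3389),            # admin RDP into the clinical segment
    ("research", "research", "tcp", 22),
}


def flow_allowed(src: str, dst: str, proto: str, port: int) -> bool:
    """Default-deny check between segments; quarantined endpoints reach nothing."""
    if "quarantine" in (src, dst):
        return False
    return (src, dst, proto.lower(), port) in FLOW_RULES


def monitor_inventory(endpoints: Iterable[Endpoint], today: date
                      ) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Monitor-mode pass over all endpoints: MACs grouped by profile, plus
    the findings that enforcement mode would later act on."""
    by_profile: Dict[str, List[str]] = {}
    findings: Dict[str, List[str]] = {}
    for ep in endpoints:
        by_profile.setdefault(ep.profile, []).append(ep.mac)
        decision = evaluate(ep, today, monitor_mode=True)
        if decision.reasons:
            findings[ep.mac] = decision.reasons
    return by_profile, findings


# Constructed sample endpoints; TODAY is the presentation date from the deck.
TODAY = date(2017, 6, 8)
SAMPLE = {
    "pump": Endpoint("00:11:22:33:44:01", "infusion-pump-winxp", None, date(2030, 1, 1), False, False),
    "ws-ok": Endpoint("00:11:22:33:44:02", "workstation-clinical", "jdoe", date(2030, 1, 1), True, True),
    "ws-unpatched": Endpoint("00:11:22:33:44:03", "workstation-clinical", "jdoe", date(2030, 1, 1), False, True),
    "ws-expired": Endpoint("00:11:22:33:44:04", "workstation-admin", "asmith", date(2016, 12, 31), True, True),
    "printer": Endpoint("00:11:22:33:44:05", "printer-unknown", None, None, False, False),
}
```

Running `monitor_inventory(SAMPLE.values(), TODAY)` before switching to enforcement shows why the deck values monitor mode: the unknown printer profile, the expired certificate and the unpatched workstation all surface as findings while every port stays up, and the inventory by profile is the input to the profile testing the planning slides insist on. Note that the legacy infusion pump passes without posture checks precisely because its segment, not its posture, is the control.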

11

Page 18

Cybersecurity Considerations: Cybersecurity Framework

A strong cyber risk framework aligned with industry standards, leading practices, and cyber risk principles can help organizations manage both cybersecurity risk and regulatory compliance risk.

Operating Model Components

• Governance & Oversight: The organizational structure, committees, and roles & responsibilities for managing cyber risk

• Policies & Standards: Expectations for the management of cyber risks

• Risk Metrics & Dashboard: Reports identifying risks and performance across cyber risk domains; communicated to multiple levels of management

• Management Processes: Processes to manage risks in cyber risk management and cyber risk oversight

• Tools & Technology: Tools and technology that support the risk management lifecycle and integration of risk with cyber risk domains

Business Objectives

• Compliance

• Growth/Innovation

• Brand Protection

• Operational Efficiency

• Risk-based Decision Making

Cyber Risk Domains

Secure

1. Risk & Compliance Management

2. Identity & Access Management

3. Data Protection & Management

4. Infrastructure Security

5. Application Security and Secure Development

6. Asset & Change Management

7. Third-Party Risk Management

8. Physical & Environmental Security

Vigilant

9. Vulnerability Management

10. Threat Intelligence

11. Endpoint Monitoring

12. Cyber Security Operations

13. Predictive Cyber Analytics

14. Insider Threat Monitoring

Resilient

15. Crisis Management

16. Resiliency & Recovery

17. Cyber Simulations

18. Incident Response & Forensics

12

Page 19

Q & A – THANK YOU!

Page 20

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.

Copyright © 2017 Deloitte Development LLC. All rights reserved.

36 USC 220506