SECURITY REFERENCE BLUEPRINT FOR HEALTHCARE IT


A Modern Approach to Cybersecurity for Healthcare Providers

IT security and network teams at healthcare providers around the world must ensure the utmost patient care, rapidly adopt new technology – EMR, PACS applications, network-connected medical equipment and mobile devices – while enabling safe access to patient data from hospitals, remote clinics, physicians’ offices, business affiliates and a myriad of devices. While doing so, they must also ensure compliance with increasingly stringent regulations that impact patient data and medical equipment – and systematically detect and block a rising volume of threats. The Security Reference Blueprint for Healthcare IT enables these organizations to protect patient care, protect patient data from compromise, rationalize the scope of compliance, improve uptime and availability, and prepare hospitals to meet new and emerging technological challenges while reducing the security threats across their organizations.

Palo Alto Networks | Security Reference Blueprint for Healthcare IT | White Paper



Table of Contents

I. Executive Summary 3
II. Security Concerns for Healthcare 3
III. Reference Blueprint Goals and Security Principles 4
IV. Core Security Principles 5
Policy-Based Application Visibility and Enforcement 5
Virtual Segmentation with Zero Trust 6
Protection Across the Network 7
a. Private, Public and Hybrid Clouds 7
b. Endpoints 8
Advanced Zero-Day Attack Protection 8
Timely Reporting, Threat Intelligence and Correlation 9
V. Security Reference Blueprint for Healthcare 9
DMZ 10
Guest Wi-Fi Zone 11
Endpoint Zone 11
PCI Zone 11
Medical Device Zone 12
Data Center Zone 12
Threat Intelligence and Correlation 12
Migration to Palo Alto Networks Next-Generation Security Platform 13
Regulatory Compliance 14
VI. Summary 14


I. EXECUTIVE SUMMARY

The Security Reference Blueprint for Healthcare IT enables healthcare organizations to reduce security threats and, ultimately, protect patient care, prevent patient data from being compromised, rationalize the scope of compliance, improve uptime and availability, and prepare hospitals to meet new and emerging technological challenges.

II. SECURITY CONCERNS FOR THE HEALTHCARE INDUSTRY

With the growth of connected medical devices, on-demand medical information – for patients, physicians, insurers – and the mobility of clinical staff and other changes in healthcare environments today, the security of the networks that support patient care and the institutions themselves must evolve. Most large hospitals today use internal networks to manage the delivery of healthcare within the enterprise, but many are expanding their reach into other institutions and organizations, using either internet-based or wide area networks (WANs), which creates more risk of exposure.

The expansion of healthcare IT systems is a worldwide phenomenon that has been strongly influenced by government mandates, such as HIPAA1 and HITECH2 in the United States, PIPEDA3 in Canada, and similar privacy legislation and regulations published by the European Union4 and its member countries.

Unfortunately, the reality is that medical devices, clinical information systems and networks are exposed to the same security threats as other types of commercial software and hardware. These threats can affect a large population since hospitals typically act as service providers to a broad audience, including clinical and non-clinical staff, patients and even guests of patients.

These threats are part of a growing trend of attacks seeking information of monetary value, resulting in breaches of personally identifiable information (PII) (e.g., Social Security number, birthdate), protected health information (PHI) (medical record number, insurance account information, etc.) and financial information (e.g., credit card numbers and other financial records), which can be sold on the black market and used to perpetrate insurance fraud, identity theft, credit card abuse, or possibly reputation damage or blackmail. Currently, the black market value of medical information is estimated to be worth 10 times more than that of a credit card.5 Cyberattacks will cost hospitals more than $305 billion over the next five years, and 1 in 13 patients will have personal data compromised by a hack.6

An effective security strategy that incorporates key security principles can address the types of exposure and damage cited above, as well as reduce inefficiencies in hospital networks caused by unauthorized applications or the misuse of hospital network resources. This paper discusses how the Palo Alto Networks® Next-Generation Security Platform enables hospitals to implement these principles to detect and prevent threats to hospital networks and improve hospital network efficiency while reducing complexity and unnecessary overhead. The end goal: maintain patient care, protect patient data, and ensure ongoing regulatory compliance within your hospital.

1. Health Insurance Portability and Accountability Act
2. Health Information Technology for Economic and Clinical Health Act
3. Personal Information Protection and Electronic Documents Act
4. Data Protection Directive in the European Union
5. http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924
6. https://newsroom.accenture.com/news/cyberattacks-will-cost-us-health-systems-305-billion-over-five-years-accenture-forecasts.htm

The Palo Alto Networks Next-Generation Security Platform is a natively integrated platform that brings network, cloud and endpoint security into a common architecture, with complete visibility and control. This platform approach ensures your organization can detect and prevent attacks, streamlines day-to-day operations and boosts security efficacy, and prevents threats at each stage of the attack lifecycle. https://www.paloaltonetworks.com/products/platforms.html

Security subscriptions on the platform are seamlessly integrated to add protection from both known and unknown threats, classification and filtering of URLs, and the ability to build logical policies based on the specific security posture of a user’s device. https://www.paloaltonetworks.com/products/platforms/subscriptions.html

Palo Alto Networks WildFire™ cloud-based threat analysis service provides dynamic analysis of suspicious content in a virtual and physical environment to discover unknown threats. It then automatically creates and enforces content-based malware protections. It also detects malicious links in email, proactively blocking access to malicious websites.

A resilient and scalable on-premise hardware appliance version of this unknown malware analysis solution is also available and able to query the WildFire cloud to leverage threat intelligence there.


III. REFERENCE BLUEPRINT GOALS AND SECURITY PRINCIPLES

This Security Reference Blueprint for Healthcare IT describes a security framework using the preventive capabilities of the Palo Alto Networks Next-Generation Security Platform. Using this blueprint enables healthcare security and IT professionals to maintain or improve patient care while maintaining the availability of the hospital network and protecting patient data. To do so, this blueprint can help:

• Prevent threats associated with vulnerable connected medical devices.

• Protect healthcare operational networks from critical downtime or service interruption.

• Prevent data breaches and the loss of sensitive, confidential patient information.

• Highlight key network infrastructure assets that require extra scrutiny in order to preserve security and prevent data leakage.

• Identify network security deployment and management best practices.

• Leverage the capabilities of the Palo Alto Networks Next-Generation Security Platform to stop credential theft and the exfiltration of PII and other sensitive data.

• Comply with relevant regulatory requirements (e.g., HIPAA/HITECH, PIPEDA, EU Data Protection Directive, PCI DSS,7 FDA Safety and Innovation Act) and industry security standards and recommendations (e.g., NIST Framework for Improving Critical Infrastructure Cybersecurity8).

Unlike most industries, security risks in healthcare can impact human life and health. Of late, the security industry has identified vulnerabilities in several medical devices, which if exploited, could endanger patient lives and the broader hospital network. The healthcare industry has also been impacted by advanced attacks, as well as less targeted, but potentially equally damaging, malware infections from unwitting users. In addition to the security risks, healthcare network users often waste precious network resources on unauthorized or unnecessary applications, which, while not directly related to security, pose risks to the operational networks that can be just as impactful.

There are several types of threats that impact hospital networks. Two of these can impact any unprotected organization: opportunistic malware with no specifically targeted victim; and exploits for any instance of its targeted, vulnerable application. The third type of threat to hospital networks is targeted attacks. These three types of threats can be prevented and the network secured with a threat prevention and network-secured approach that relies on a next-generation security platform and some key security principles to protect patient care, sensitive healthcare operations from interruption or downtime, and medical information from unauthorized access and leakage. These core security principles include:

• Visibility and effective control and enablement of applications and activity to reduce the threat footprint and minimize needless bandwidth consumption.

• Virtual segmentation to prevent movement of malware through the network using a Zero Trust approach.

• Protection and defense of systems at all places in the network, across all network traffic on endpoints, in data centers, in remote locations and at major internet gateways. This includes off-network endpoint protection and ongoing defense, regardless of location or device.

• Advanced malware detection technology to identify and prevent zero-day, as well as known, malware attacks.

• Timely reporting to enable IT, cybersecurity and intelligence professionals to coordinate actions.

• Immediate and automatic sharing and distribution of threat intelligence between systems.

The subsequent sections address each of these principles in detail.

Palo Alto Networks can provide a Security Lifecycle Review that consists of a one-week analysis of your environment with a complete report at the conclusion. For more information:

https://www.paloaltonetworks.com/resources/videos/slr

7. Payment Card Industry Data Security Standards

8. https://www.nist.gov/cyberframework


IV. CORE SECURITY PRINCIPLES

Policy-Based Application Visibility and Enforcement

While healthcare organizations are challenged to balance security with the needs of the physicians, surgeons and medical staff they serve, and the applications they demand, a positive-enablement approach makes such balance possible. IT teams can make contextual, policy-based decisions regarding which applications to block or allow for specific user communities or groups. This provides much more flexibility when catering to the needs of specially designated network users, or groups of users, while drastically reducing the threats on the network.

To effectively protect a hospital network, security and network teams must get visibility into applications, connected devices, and individual users (beyond simply IP addresses) and their impact on security. By using a next-generation firewall to characterize applications, hospitals can immediately reduce their threat posture. The hospital can choose to block applications that carry the highest risk (e.g., P2P applications), which immediately reduces the network’s threat footprint and, thus, exposure to potentially malicious software and the likelihood of a data breach. As part of the application policy creation process, hospitals can approve applications by user group, contextually, ensuring users can access the applications that they need. It is important to note that a port-based firewall, or port-based policies on a firewall, cannot distinguish whether an application is risky, simply unauthorized, or safe and of business value, and therefore cannot effectively protect the network.

To move to an application-based, threat prevention model:

• Start implementing application-based firewall rules for a few non-critical applications with smaller user bases in order to demonstrate success.

• Develop a strategy to implement application-based firewall rules in-line with the hospital’s business objectives. For example, some hospitals may decide to start with the highest risk and business-critical applications; others may prefer a location-based rollout of application-based rules.

• Iteratively lock down applications according to the approved strategy, and enforce consistent security policy rules for users and groups with similar access and application requirements.

Application-based firewall policies can help control access in the following ways:

• Identify frequently used applications so you can more easily highlight unknown or potentially risky applications. You can first monitor traffic across your next-generation security firewall to learn and understand what’s legitimate, or not, and put a traffic classification strategy in place.

• Identify risky applications, for instance:

◦ Cloud-based file sharing sites (e.g., Dropbox, Box)

◦ Data transfer and exfiltration

◦ Suspicious DNS

◦ P2P

• Look for other dynamics within your environment, such as:

◦ Port scanners and/or vulnerability scanners

◦ Third-party networks that are not approved

• Build groups for traffic to always block:

◦ Applications such as Tor, BitTorrent, Dropbox

◦ IP ranges including geo-location – does your data center need to talk to China?

• Identify, monitor and analyze all encrypted traffic, especially from external websites (SSL/TLS). While many applications and websites use encryption for privacy, malware authors are increasingly delivering encrypted malware payloads. All encrypted network traffic should be examined for the presence of malware or inappropriate usage (see Figure 1).

By implementing granular application identification, not just port-based filtering, administrators are in a position to gain greater visibility and control and reduce their risks significantly.


Virtual Segmentation With Zero Trust

In some of the latest targeted attacks against the healthcare industry, attackers used spear phishing and social engineering techniques to gain access through the unwitting victim to the target network. Many attackers are not only able to penetrate their target network but often successfully establish a beachhead and remain undetected for a significant period of time while continuing evasive and damaging action. Any such attack can impact patient care, patient data and regulatory compliance within your hospital.

The Zero Trust approach, first coined by Forrester,9 makes it very difficult for such an adversary to succeed. This same approach makes it difficult for everyday malware to move across the network. Based on the verification of all users, devices and applications traversing your network, establishing Zero Trust boundaries10 effectively compartmentalizes your user groups, devices and/or data types, such as PCI and healthcare-regulated data.

There are three major benefits of segmenting your healthcare systems into discrete zones:

• Limit the scope of vulnerability:

◦ Separate vulnerable parts of the network, vulnerable medical devices and/or old servers that cannot be patched from others.

• Limit data exfiltration:

◦ Segmentation limits the amount of data that is compromised in a breach.

• Improve and limit the scope of compliance:

◦ Fewer devices, workstations and servers are subject to compliance audits.

Virtual segmentation can focus on isolating and protecting systems based primarily on the level of sensitivity of data contained within the zone and the level of risk if that data is exposed. The firewall can be configured to block all traffic into the zone and use whitelisting to allow only known, trusted traffic. Whitelisted applications are then continuously monitored for security vulnerabilities and malicious activity. This tactic stops unknown, malicious software from entering the zone. It can be configured to authenticate which users have access to data or applications within the zone. It also reduces the effort required to demonstrate compliance (e.g., during an audit) by limiting compliance reviews to only the type of data stored in the zone.

Figure 1: Palo Alto Networks Next-Generation Security Platform Application Control Center indicates the top applications in use on the network, activity by user, threats, and other blocked activity, which are helpful in gaining visibility and, ultimately, developing and evolving policies for your network.

9. www.forrester.com
10. Some organizations use virtual local area networks (VLANs) to segment their network, but VLANs simply isolate network traffic – they are unable to enforce the control of privileged information. In addition, by itself, a VLAN cannot inspect traffic for threats.

There are two separate, but complementary, virtual segmentation strategies that:

• Control north-south traffic entering a network, or private, public or hybrid cloud

• Control east-west traffic entering and exiting a virtual machine (VM)

These Zero Trust boundaries, zones or virtual segments of the network enable you to defend each zone from any malicious traffic either entering or exiting that zone. To prevent malware movement, and to defeat lateral movement of advanced attackers through a target hospital network and thwart the attack, it is necessary to apply the controls at all of these key entry and exit points. Virtual segmentation zone examples can include:

• Networked or mobile medical devices subject to regulations (e.g., the U.S. FDA Safety and Innovation Act), including vulnerable connected medical devices.

• Applications and databases containing protected health information (e.g., EHR, laboratory, pharmacy).

• Administrative data and applications (e.g., scheduling, billing, supply management).

• Guest and patient Wi-Fi internet access.

• Access to business partners, such as external laboratories, pharmacies, physicians’ offices, outpatient clinics, and insurance providers.

Each zone in the network should be protected by its own Next-Generation Security Platform appliance, which brings several benefits. Beyond validating the whitelisted applications and their intended users, the security appliance performs several other important security functions on traffic entering and exiting a zone:

• Threat Prevention blocks malicious files with signatures for known threats.

• On-premise or cloud-based malware execution and analysis environment detects and then subsequently blocks zero-day threats. The on-premise solution includes options for resiliency and controlled exchange of threat intelligence with the cloud-based environment for improved efficacy.

• URL Filtering blocks access to malicious websites and URLs, and shares newly discovered malicious domains and IP addresses with the community cloud as they’re discovered.

By applying this Zero Trust approach, healthcare organizations can protect critical medical functions and sensitive information from unauthorized applications or users and from exfiltration, reduce the exposure of vulnerable systems, and prevent the movement of malware throughout the network.
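The application-control steps above (block groups such as Tor, BitTorrent and Dropbox; geo-location blocking for the data center; approving applications per user group) and the Zero Trust zoning in this section describe one rulebase: ordered rules keyed on zone, application, user group and destination country, with everything else denied. The following is an added example, not Palo Alto Networks code or a PAN-OS configuration, that evaluates such a rulebase on constructed flows. The zone names, group names, application names and sample flows are assumptions made for the illustration; the point it shows is that two flows on the same port can receive different decisions once the application is identified.

```python
"""Added example (not Palo Alto Networks code): a first-match, default-deny
policy evaluator keyed on application, user group, zone and destination
country rather than on port. Zone names, group names, applications and the
sample flows below are constructed for illustration."""
from dataclasses import dataclass

ANY = frozenset()  # an empty match set means "match anything"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    app: str            # application as classified from traffic, not inferred from port
    port: int
    user_group: str
    dst_country: str = "US"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    src_zones: frozenset = ANY
    dst_zones: frozenset = ANY
    apps: frozenset = ANY
    user_groups: frozenset = ANY
    dst_countries: frozenset = ANY

    def matches(self, f: Flow) -> bool:
        def ok(allowed, value):
            return not allowed or value in allowed
        return (ok(self.src_zones, f.src_zone) and ok(self.dst_zones, f.dst_zone)
                and ok(self.apps, f.app) and ok(self.user_groups, f.user_group)
                and ok(self.dst_countries, f.dst_country))


# Constructed rulebase, evaluated top to bottom; the first matching rule wins.
POLICY = [
    # "Build groups for traffic to always block"
    Rule("block-always", "deny", apps=frozenset({"tor", "bittorrent", "dropbox"})),
    # "does your data center need to talk to China?"
    Rule("geo-block-dc", "deny", src_zones=frozenset({"data-center"}),
         dst_countries=frozenset({"CN"})),
    # approve applications per user group and per zone pair
    Rule("clinicians-ehr", "allow", src_zones=frozenset({"endpoint"}),
         dst_zones=frozenset({"data-center"}), apps=frozenset({"ehr"}),
         user_groups=frozenset({"clinicians"})),
    Rule("meddev-pacs", "allow", src_zones=frozenset({"medical-device"}),
         dst_zones=frozenset({"data-center"}), apps=frozenset({"dicom"})),
    Rule("guest-web", "allow", src_zones=frozenset({"guest-wifi"}),
         dst_zones=frozenset({"internet"}), apps=frozenset({"web-browsing", "ssl"})),
]


def decide(flow: Flow, policy=POLICY):
    """Return (action, rule name); anything no rule allows is denied (Zero Trust)."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "default-deny"


def port_only_decision(flow: Flow, open_ports=frozenset({80, 443})) -> str:
    """What a port-based rule can see: the port, not the application behind it."""
    return "allow" if flow.port in open_ports else "deny"


if __name__ == "__main__":
    legit = Flow("endpoint", "data-center", "ehr", 443, "clinicians")
    sync = Flow("endpoint", "internet", "dropbox", 443, "clinicians")
    # Both flows use TCP/443; only application identification tells them apart.
    for f in (legit, sync):
        print(f.app, "port-based:", port_only_decision(f), "app-based:", decide(f))
```

The guest Wi-Fi zone never gets a rule toward the data center, so a guest device reaching for the EHR falls through to the default deny without anyone having to write a block rule for it; that is the property segmentation with explicit whitelisting buys.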

Protection Across the Network

In addition to application visibility and Zero Trust virtual segmentation, to ensure effective security across the cyberattack lifecycle, there are a few other considerations for your network.

Private, Public and Hybrid Clouds

After applying the application whitelisting and Zero Trust regime to the network perimeter, hospital IT staff can pursue the same for the heart of their data centers. Today, hospitals have a host of options for their data centers: from traditional data center architecture to private, public or a hybrid public/private cloud. Many healthcare organizations are considering adopting cloud architectures (whether public or private) for future use. Implementing virtualization for existing applications within the data center not only reduces costs and improves security, it also provides a foundation that simplifies future migration to a full cloud architecture.

While Zero Trust addresses the protection of both north-south (network segmentation) traffic entering and exiting the data centers and east-west (VM segmentation) traffic between applications within those data centers as their own segments, it is worth noting a few more considerations for these environments:

• Reliability: Consider active/active high availability for your north-south boundary firewalls to continuously synchronize their configuration and session information, ensuring that, in the event of a hardware failure, no traffic is lost and performance is not degraded.

• Orchestration and management: Use centralized management to ensure policies can keep pace with the rate of change to your virtualized workloads. In VMware® NSX® deployments, automate firewall provisioning through predefined APIs.

• Policy consistency: Centrally define and consistently apply policies to all devices to reduce complexity, which could lead to gaps in threat protection. Use centralized management to serve as a single point of management for all firewalls, both physical and virtual.

Did you know? Palo Alto Networks Next-Generation Security Platform provides visibility and control over SaaS applications in your network. Then, among those that are sanctioned, Palo Alto Networks Aperture™ SaaS security service provides protection of your data in those environments, with complete visibility across user, folder and file activity to prevent exposure.

Extending Zero Trust to your SaaS environments is important to protect data from accidental disclosure in those environments and hospital networks from threats originating in SaaS. Ensure only approved SaaS applications are allowed on your network, and then extend your hospital security policies and security to them.

Endpoints

To effectively protect all endpoints on the hospital network, IT teams should comprehensively enforce the Zero Trust model down to the endpoint. Particular attention should be paid to the endpoints, such as connected medical devices, where threats from external sources can impact critical surgical and other medical procedures. This is particularly true where the organization may be running legacy endpoint systems or those with unpatched or unpatchable systems, such as Windows® XP, which are no longer supported by their vendors. All endpoints should be covered by your endpoint security strategy, including virtual and physical desktops,11 laptops, virtual and physical servers, and connected medical devices – regardless of patch, signature or software-update levels.

There are two main threats to the endpoint: executable malware and exploits that target specific application vulnerabilities. It is critical to protect against both, but exploit prevention is particularly important even within whitelisted applications, as zero-day threats can appear at any time.

To effectively protect the endpoint:

1. Employ lightweight agents to monitor for both exploit techniques and malicious executables.

2. Apply policy-based restrictions: Organizations can easily set up policies restricting specific execution scenarios. For example, you may want to prevent the execution of files in the Outlook .tmp directory or a particular file type directly from a USB drive.

Security and IT teams should also enforce the Zero Trust model for mobile and specialized devices. There are three major categories of mobile and specialized devices to consider: Windows or Mac® laptops, smartphones and tablets (e.g., iPad®, iPhone®, Android™), and specialized medical devices (e.g., monitors, infusers, dialysis machines). Depending on the type of device, these capabilities should be incorporated into the security program for mobile devices, where possible:

• Secure connectivity, via a VPN tunnel over the internet to the hospital network, should be used to protect communications.

• All managed devices should be checked regularly for security status to ensure the device has updated security protections.

• All mobile malware on the device that could impact the hospital’s network should be identified and addressed.

• When a mobile device is verified to be up-to-date and clean of malware, granular policies should be established to determine which users and devices can access sensitive applications and data from that device. The policy criteria can be based on application, user, content, device and device state:

◦ Identify device types, such as iOS, Android, Windows, Mac devices

◦ Identify device ownership, such as personal (BYOD) or hospital-issued

◦ Identify undesirable, insecure device states, such as rooted or jailbroken

◦ Apply file blocking based on content and content type

◦ Control data movement between apps on the mobile device

11. Laptops can be especially at risk if users access a vulnerable public network, such as a Wi-Fi hot spot at a hotel or airport. If a returning user then connects an infected laptop with your corporate network, the risk of infecting other systems undetected increases significantly.


• On an ongoing basis, the same scanning should be applied as that on the network: ongoing exploit (IPS) and malware (AV) protection for mobile threats and URL filtering for malicious websites.
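The mobile-device checks listed above (VPN connectivity, current security status, no malware, device type and ownership, rooted or jailbroken state) combine into one gating decision: a device that fails any check gets no access to hospital applications, and a device that passes gets an application set chosen by its ownership. The following is an added example, not Palo Alto Networks or GlobalProtect code, that makes that decision from a constructed posture record. The posture fields, the supported-OS list, the three-day signature freshness limit, and the rule that PHI-bearing EHR access is reserved for hospital-issued devices are all assumptions for this illustration.

```python
"""Added example (not Palo Alto Networks or GlobalProtect code): a device-posture
gate for mobile and specialized devices. The posture fields, the maximum
signature age, the supported-OS list and the per-ownership application sets
are constructed assumptions for this illustration."""
from dataclasses import dataclass

# Assumed supported platforms; "windows-xp" is deliberately absent (out of vendor support).
SUPPORTED_OS = frozenset({"ios", "android", "windows-10", "macos"})
MAX_SIGNATURE_AGE_DAYS = 3   # assumed freshness requirement for endpoint protections

# Assumption for the example: the PHI-bearing EHR is reachable only from hospital-issued devices.
APPS_BY_OWNERSHIP = {
    "hospital-issued": frozenset({"ehr", "email", "scheduling"}),
    "byod": frozenset({"email", "scheduling"}),
}


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    os: str
    ownership: str           # "hospital-issued" or "byod"
    on_vpn: bool             # connected through the hospital VPN tunnel
    jailbroken: bool         # rooted/jailbroken state reported by the agent
    signature_age_days: int  # age of the endpoint protection signatures
    malware_found: bool      # agent found mobile malware on the device


def evaluate_posture(d: DevicePosture):
    """Return (allowed applications, findings).

    Any finding blocks access to hospital applications, so the caller gets an
    empty set plus the reasons; a clean device gets the set for its ownership."""
    findings = []
    if not d.on_vpn:
        findings.append("not-on-vpn")
    if d.os not in SUPPORTED_OS:
        findings.append("unsupported-os")
    if d.jailbroken:
        findings.append("rooted-or-jailbroken")
    if d.malware_found:
        findings.append("malware-present")
    if d.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        findings.append("signatures-stale")
    if d.ownership not in APPS_BY_OWNERSHIP:
        findings.append("unknown-ownership")
    if findings:
        return frozenset(), tuple(findings)
    return APPS_BY_OWNERSHIP[d.ownership], ()


if __name__ == "__main__":
    # Constructed sample devices.
    fleet = [
        DevicePosture("ipad-ward-3", "ios", "hospital-issued", True, False, 1, False),
        DevicePosture("phone-dr-lee", "android", "byod", True, True, 0, False),
        DevicePosture("cart-xp-01", "windows-xp", "hospital-issued", True, False, 30, False),
    ]
    for dev in fleet:
        apps, findings = evaluate_posture(dev)
        print(dev.device_id, sorted(apps), findings)
```

Returning every finding rather than the first one matters operationally: the helpdesk ticket for the Windows XP cart should say both that the platform is unsupported and that its signatures are a month old, not just one of them.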

Advanced or Zero-Day Attack Prevention

Advanced attacks and zero-day malware must be handled swiftly, and automation must be used to ensure threat prevention immediately upon attack or zero-day discovery. This is critical to prevent subsequent evasion and attack attempts. As any unknown file attempts to enter a trusted perimeter or network zone, that file should be detonated within an advanced malware execution environment for static and dynamic analysis, as well as for automatic signature generation for any discovered threats to all deployed firewalls.

Timely Reporting, Threat Intelligence and Correlation

Cohesion between IT, cybersecurity and intelligence professionals is important for reducing the threats to any network. Coordinate across endpoint, data center, networking and security teams to understand the potential threats to your hospital’s network, to improve security, ensure immediate access to priority events and enable automatic sharing and distribution of intelligence. With a next-generation security platform approach, this coordination and collaboration is easier because of the interoperability across all of the security capabilities discussed above. Individual next-generation security platform and management platform views can be customized per administrator or department while still sharing views to alerts and other activities of interest across the hospital network. Refer to Section V for an overview of specific capabilities that improve this reporting and threat intelligence correlation.

Figure 2: Security Reference Blueprint for Healthcare IT. [Diagram; labels recovered from the image: Internet; DMZ (DMZ Servers, Web Portals, VPN Clients, Patient Web Portals, external patient and staff access); Guest Wi-Fi Zone (Laptops & Phones); Endpoint Zone (ER, Surgery, Nursing, Internal Wi-Fi, Billing, HR, Payroll, Laptops & Phones); PCI Zone (PCI Servers, Payment Servers, POS Devices); Medical Device Zone (Medical Devices); Data Center Zone (Electronic Health Records, Enterprise Directory); Satellite Clinic reached over Site-to-Site VPN and Private WAN (MPLS); Vendor Access (Payers, Suppliers) over Site-to-Site VPN; an Appliance or VM-Series instance at each zone boundary. Next-generation security appliances can be deployed as physical or virtual devices.]

Palo Alto Networks GlobalProtect consists of three components:

GlobalProtect Portal

The GlobalProtect Portal provides the management functions for your GlobalProtect infrastructure. Every client system that participates in the GlobalProtect network receives policy and configuration information from the portal.

GlobalProtect Gateway

The GlobalProtect Gateway provides security enforcement for traffic from GlobalProtect agents/apps based on applications, users, content, device and device state; extends a VPN tunnel to mobile devices with the GlobalProtect application; and integrates with WildFire to prevent new malware.

GlobalProtect Client

The GlobalProtect client software runs on end-user systems and enables access to your network resources via the GlobalProtect portals and gateways you have deployed. The GlobalProtect agent runs on Windows and Mac OS systems, whereas the GlobalProtect app runs on mobile devices.

V. THE SECURITY REFERENCE BLUEPRINT FOR HEALTHCARE IT

The key security principles outlined in this paper can be fully realized with the capabilities of the Palo Alto Networks Next-Generation Security Platform to protect your organization from endpoint to network core. This section provides a high-level reference blueprint for Healthcare IT which incorporates the security principles using the Next-Generation Security Platform.

While your architecture decisions, including appropriate virtual segmentation, will be determined by your own unique network requirements, the example blueprint in Figure 2 segments the network into several security zones as follows.

URL filtering: Enables access to all whitelisted sites with bandwidth control for designated categories and more.

Known threat prevention: Detects and blocks common or known malware on the network. Command-and-control signatures flag both inbound and outbound requests to malicious domains, protecting your data from being stolen, while DNS sinkhole technology allows an administrator to redirect any outbound request to a malicious domain or IP address to an internal IP address. This feature prevents those requests from ever leaving the network and compiles a report of compromised machines on which incident response teams can act.

Advanced or zero-day attack prevention: Advanced threat prevention and detection using a malware execution environment for automatic signature generation for all deployed security appliances. All unidentified files should be sent to Palo Alto Networks WildFire for the static and dynamic analysis of potential threats. This capability can be deployed as an on-premise appliance or as a cloud-based subscription service. Data on previously unknown, zero-day threats that are identified are automatically distributed to all subscribed WildFire customers.

Prevent theft of corporate login credentials: Phishing attacks have become more sophisticated over the years. Individuals have been duped by customized and well-crafted email messages from spear-phishing campaigns. Building upon user and content visibility, the Next-Generation Security Platform can block the transmission of legitimate corporate login credentials to websites with phishing characteristics.
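The compromised-machine report that the DNS sinkhole capability above makes possible, as an added example that is not part of the white paper: without a sinkhole the firewall only sees the internal DNS resolver as the source of a query for a malicious domain, whereas the endpoint's follow-up connection to the sinkhole address identifies the actual infected host. The simplified CSV log export, the resolver and endpoint addresses and the sinkhole IP 10.99.0.1 are constructed for the example.

```python
"""Build the compromised-host report a DNS sinkhole makes possible. Added
example (not from the white paper); log lines and addresses are constructed."""
import csv
import io

SINKHOLE_IP = "10.99.0.1"   # constructed internal sinkhole address

# Constructed, simplified log export, assumed chronological:
# time,log_type,src,dst,domain,action
# The threat log shows only the internal resolver (10.1.5.2) as the source of
# the sinkholed DNS query; the traffic log to SINKHOLE_IP names the endpoint.
SAMPLE_LOGS = """\
2017-03-08 09:01:12,threat,10.1.5.2,8.8.8.8,bad-domain.example,sinkhole
2017-03-08 09:01:13,traffic,10.20.3.14,10.99.0.1,,allow
2017-03-08 09:01:40,threat,10.1.5.2,8.8.8.8,c2-domain.example,sinkhole
2017-03-08 09:01:41,traffic,10.20.3.21,10.99.0.1,,allow
2017-03-08 09:02:00,traffic,10.20.3.14,203.0.113.10,,allow
2017-03-08 09:05:09,traffic,10.20.3.14,10.99.0.1,,allow
"""

FIELDS = ["time", "log_type", "src", "dst", "domain", "action"]


def parse_logs(text):
    """Parse the constructed CSV export into a list of dict records."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))


def sinkhole_report(records, sinkhole_ip=SINKHOLE_IP):
    """Return ({endpoint: {"hits", "first", "last"}}, sorted sinkholed domains).

    Endpoints are taken from traffic-log connections to the sinkhole IP;
    the domains come from the resolver's sinkholed queries in the threat log.
    """
    hosts = {}
    domains = set()
    for rec in records:
        if rec["log_type"] == "threat" and rec["action"] == "sinkhole":
            domains.add(rec["domain"])
        elif rec["log_type"] == "traffic" and rec["dst"] == sinkhole_ip:
            h = hosts.setdefault(rec["src"], {"hits": 0, "first": rec["time"],
                                              "last": rec["time"]})
            h["hits"] += 1          # each hit is another beacon attempt
            h["last"] = rec["time"]
    return hosts, sorted(domains)


if __name__ == "__main__":
    hosts, domains = sinkhole_report(parse_logs(SAMPLE_LOGS))
    print("sinkholed domains:", ", ".join(domains))
    for src, info in sorted(hosts.items()):
        print("%s hits=%d first=%s last=%s" % (src, info["hits"],
                                               info["first"], info["last"]))
```

The two endpoints in the report, not the resolver, are the machines an incident response team should isolate and investigate.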

Figure 3: Segment your healthcare network into zones (diagram showing the Medical Device Zone, PCI Zone, DMZ Zone with DMZ servers, Guest WiFi Zone, Endpoint Zone and Data Center Zone, populated with laptops, workstations, mobile devices, medical devices, vendor-provided workstations, POS PCI workstations, PCI servers, personal laptops, servers and VM-Series appliances).


Start by defining the segments of your network, aka “zones.” A minimum baseline of zones should include DMZ, Data Center, Guest Wi-Fi, Endpoint, PCI and Medical Device. The PCI Zone would include workstations that collect credit card numbers and PCI servers. See Figure 3.

DMZ

The DMZ Zone is the primary internet-facing zone. It contains two primary next-generation security appliances: one for hospital staff access (including links to external satellite clinics) and one for guest Wi-Fi access. External users can access specific resources, such as patient scheduling or the hospital website from the Internet. External staff can also access internal systems via a VPN.

As previously noted for the principles of Zero Trust, all traffic into and out of the DMZ – as with any other zone – can be scanned by Palo Alto Networks next-generation virtual or physical security appliances to guard against malicious payloads or inappropriate data leakage.

Guest Wi-Fi Zone

The Guest Wi-Fi Zone contains an assortment of unmanaged patient-owned devices, which introduces risk for any healthcare provider – especially if hospital staff can connect internal PCs to the Guest Wi-Fi zone. The Next-Generation Security Platform provides true isolation of high-risk BYOD devices in the Guest Wi-Fi zone by restricting access to non-managed devices, and continually scans all traffic into and out of the zone for malicious behavior and known malicious websites with additional components of the security platform. While the user devices within the Guest Wi-Fi network zone are not themselves scanned with an agent on the device, all traffic into and out of this zone is scanned for malicious behavior, and known malicious sites are blocked by URL scanning.

Endpoint Zone

The Endpoint Zone contains all staff computers and mobile devices (e.g., laptops, tablets and smartphones). Employees using a mobile device access the network using a Wi-Fi router. A separate Guest Wi-Fi zone provides direct access to the internet and prevents any access to internal networks.

Due to the challenges with patch management, current software levels on endpoints are difficult to maintain. Traps, with its multi-method prevention techniques for malware and exploits, can serve as a compensating control and is also a suitable replacement for antivirus.12

Internal endpoints (Windows XP with SP3, Windows Vista, Windows 7, Windows 8.1) and Windows Server platforms (Windows Server 2003, Windows Server 2008, Windows Server 2012) can be protected with Traps to ensure that any exploits on vulnerable systems, regardless of patch status, are immediately thwarted. The agent will automatically prevent attacks by blocking techniques, such as thread injection. When unknown .exe files are discovered, the Traps agent will automatically query WildFire with a hash and submit the unknown .exe files to assess their standing within the community.

Mobile devices (including both PCs and handheld mobile devices) can be protected by Palo Alto Networks GlobalProtect™ network security for endpoints. All unidentified files should be sent to the WildFire malware execution environment for the static and dynamic analysis of potential mobile threats. Enable two-factor authentication for even more protection for mobile devices.

PCI Zone

The PCI Zone is intended to isolate endpoints and servers that process or store credit card information. Healthcare providers who do not isolate such devices are required to include the entire network in the scope of PCI assessments. The scope of PCI compliance can be limited to a single PCI Zone as long as all the processing and any storage of unencrypted credit card information is limited to that zone. There are actually two PCI zones to segment PCI data: the PCI End User Zone contains user devices (i.e., finance department users) and the PCI Server Zone contains servers in the data center that process or store credit card information. The flow of credit card data between the zones is limited to specific applications or any user directory attribute, like a department security group. For example, the finance department could be allowed to access the PCI Server Zone, but all other users are restricted.

Palo Alto Networks Traps™ advanced endpoint protection is designed to identify exploits as they attempt to execute and block the execution of malicious code. Traditional antivirus software depends on malware signatures, which may not always be up-to-date in the case of zero-day malware or exploits. Rather than run as a separate process scanning for malware, the Traps agent automatically injects itself into each process as it is started and monitors all application activity, looking for patterns of behavior that are unusual or that have been seen with previously documented exploits. When it identifies such behavior, the agent will automatically trigger and block the advanced attack that would otherwise evade detection.

12. Comparison of “Next-Generation” Security Products 2016 by AV-Comparatives, November 2016.

Medical Device Zone

The Medical Device Zone contains all medical devices that connect to the hospital network either by Wi-Fi or wired ethernet. Medical devices should be considered high risk based on the fact that many have unsupported operating systems (e.g., Microsoft Windows XP), are not patchable, and do not have any local threat protection whatsoever. Segmentation of these device types in a zone lowers the risk to patient data and patient care by ensuring that network traffic is monitored for threats and only approved applications are allowed to traverse the zone boundaries (e.g., Active Directory® authentication traffic).

Data Center Zone

As previously noted, Zero Trust addresses the protection of both north-south (network segmentation) traffic entering and exiting the data centers, and east-west (VM segmentation) traffic between applications within those data centers, as their own segments. In addition to the north-south and east-west protections, Palo Alto Networks Next-Generation Security Platform can address the reliability, orchestration and management, and policy consistency that is necessary in these environments, as addressed above.

The Data Center Zone isolates clinical applications and data from users in the Endpoint Zone, which have to pass through a next-generation security appliance located at the zone boundary. The firewall component of the next-generation security appliance prevents unauthorized users from accessing the zone, and blocks all traffic except for whitelisted clinical applications, such as Epic, Cerner or McKesson, or other non-clinical applications (billing, CSR, etc.). Role-based access control (RBAC) is made possible based on the user’s security groups in the Enterprise Directory, which specifies which applications the user can access. Additional application-specific, role-based permissions (e.g., physician, RN, lab personnel, hospital administrator, IT administrator) are handled by the application itself.

As with the DMZ and the principles of Zero Trust, all traffic into and out of the zone is scanned to guard against malicious payloads or inappropriate data leakage with:

• URL filtering

• Known threat prevention

• Advanced or zero-day attack prevention

For orchestration, Palo Alto Networks offers an XML management API that enables external cloud orchestration software to connect over an encrypted SSL link to manage and configure Palo Alto Networks security appliances. The exhaustive and fully documented REST-based API allows configuration parameters to be seen, set and modified as needed. Turnkey service templating can be defined for cloud orchestration software, so that the security features within the Next-Generation Security Platform become part of the data center workflow. Palo Alto Networks Panorama™ network security management can also centralize management to ensure policies keep pace with the rate of change to your virtualized workloads. In VMware NSX deployments, automate firewall provisioning through predefined APIs.

The Palo Alto Networks VM-Series of virtualized security appliances supports the same security features available with physical security appliances, allowing the safe enablement of applications flowing into and across your private, public and hybrid cloud computing environments. The VM-Series supports VMware ESXi™, NSX and vCloud® Air™, Amazon® Web Services (including AWS® GovCloud), KVM/OpenStack® (open source), and Citrix® Netscaler® SDX™. For a complete list of private and public cloud security considerations, refer to Security Considerations for Private vs. Public Clouds.

VMware and Palo Alto Networks have integrated security for software-defined networks to provide:

• Automated, transparent insertion of next-generation network security services in software-defined data centers

• Complete next-generation security capabilities for all traffic within the data center

• Dynamic security policies that understand the context of the virtual machines in the data center

https://www.paloaltonetworks.com/partners/vmware.html


Threat Intelligence and Correlation

The combination of these products and their integrated reporting capabilities allows security administrators to coordinate insights to improve security, ensure immediate access to priority events, and enable the automatic sharing and distribution of intelligence.

This coordination and collaboration is easier with interoperability across all of the security capabilities discussed above. Individual next-generation security appliance and management appliance views can be customized per administrator or department while still sharing views to alerts and other activities of interest across the hospital network.

Within your own hospital network, Palo Alto Networks provides prioritized, actionable security intelligence on attacks that merit immediate attention in AutoFocus™ contextual threat intelligence service. AutoFocus builds on billions of threat artifacts from over 5,000 advanced malware execution environment subscribers and applies unique large-scale statistical analysis, human intelligence from the Palo Alto Networks threat intelligence team, and tagged indicators from your organization and a global community of cybersecurity experts also using the service. AutoFocus provides full context on attacks, such as who is attacking, how they are attempting to compromise the network, and if any indicators of compromise are already present on the network.

Oftentimes, the same industry faces attacks by the same adversary. In the healthcare industry, where there is growing interest in patient insurance data for fraud and cybercriminal profit, there is more reason to act swiftly. Palo Alto Networks Threat Intelligence Cloud enables the swift sharing of threat signatures, so that all parties can benefit from threats discovered across all organizations and within your industry, while AutoFocus enables organizations within the same industry to understand what others have seen within their industry.

Through MineMeld, available as an open source tool or as part of AutoFocus, organizations can integrate public, private and commercial intelligence feeds to further automate prevention in the environment. Moreover, AutoFocus can feed indicators into MineMeld, which can then automatically create new prevention controls for Palo Alto Networks security appliances. Ultimately, this enables organizations to take action on the indicators of compromise (IOCs) by generating new prevention-based enforcement for their security services.

Migration to Palo Alto Networks Next-Generation Security Platform

When you are ready to realize the threat prevention benefits of the Palo Alto Networks Next-Generation Security Platform, the Palo Alto Networks Migration Tool makes it easy to migrate from IP/port-based firewall rules in legacy firewalls13 to application-based rules in Palo Alto Networks next-generation security appliances, while minimizing the risks of the change. As shown in Figure 1, the Palo Alto Networks Application Control Center depicts the top applications and sources that you can use in establishing visibility to understand the needs of your particular organization while making decisions on how best to reduce risk.

A phased approach via documented change control is highly recommended. Successful deployments typically first perform a like-for-like migration of firewall rules to the Palo Alto Networks firewall component of the platform. Then, after about 15 days, the deployment team uses the migration tool to begin the iterative process of defining application-based policies to replace the legacy port-based policies. After the last migration phase, the port-based rules are removed, and the application-based policies remain.

In future phases, the deployment team can work with the hospital business departments to take full advantage of the application policies technology by restricting access to individual applications based on the desired criteria (for example, Active Directory security groups, or location-based user IP address ranges).
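A rulebase audit that ties the XML management API described in the Data Center Zone section to the port-based-to-application-based migration described here, as an added example that is neither the Migration Tool nor any Palo Alto Networks code. It builds the XML API "config get" request for the security rulebase, parses a constructed sample response in the standard PAN-OS rule layout (from/to, source-user, application, service, action), and flags the rules the blueprint argues against: leftover port-based rules (application any with a specific service), any/any allows, Guest Wi-Fi rules reaching an internal zone, and PCI Server Zone access not restricted to a directory group. The zone names, the rule names, the firewall host name and API key, and the placeholder EHR application name are assumptions.

```python
"""Audit a PAN-OS security rulebase for legacy port-based rules and zone policy
gaps. Added example (not Palo Alto Networks code); the sample rulebase is constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Zone names follow Figures 2 and 3 of the blueprint (spelling is assumed).
INTERNAL_ZONES = {"endpoint-zone", "datacenter-zone", "pci-server-zone",
                  "medical-device-zone"}
RULEBASE_XPATH = "/config/devices/entry/vsys/entry/rulebase/security"

# Constructed sample of what the config_get_url() request returns.
SAMPLE_RULEBASE = """<response status="success"><result><security><rules>
<entry name="allow-ehr"><from><member>endpoint-zone</member></from><to><member>datacenter-zone</member></to>
<source-user><member>any</member></source-user><application><member>ehr-app-placeholder</member></application>
<service><member>application-default</member></service><action>allow</action></entry>
<entry name="legacy-tcp-1433"><from><member>endpoint-zone</member></from><to><member>datacenter-zone</member></to>
<source-user><member>any</member></source-user><application><member>any</member></application>
<service><member>tcp-1433</member></service><action>allow</action></entry>
<entry name="guest-to-dc"><from><member>guest-wifi-zone</member></from><to><member>datacenter-zone</member></to>
<source-user><member>any</member></source-user><application><member>web-browsing</member></application>
<service><member>application-default</member></service><action>allow</action></entry>
<entry name="finance-to-pci"><from><member>endpoint-zone</member></from><to><member>pci-server-zone</member></to>
<source-user><member>finance-users</member></source-user><application><member>ms-sql-db</member></application>
<service><member>application-default</member></service><action>allow</action></entry>
<entry name="all-to-pci"><from><member>endpoint-zone</member></from><to><member>pci-server-zone</member></to>
<source-user><member>any</member></source-user><application><member>ms-sql-db</member></application>
<service><member>application-default</member></service><action>allow</action></entry>
</rules></security></result></response>"""


def config_get_url(host, api_key, xpath=RULEBASE_XPATH):
    """URL of the XML API 'config get' call (host and key are placeholders)."""
    query = {"type": "config", "action": "get", "key": api_key, "xpath": xpath}
    return "https://%s/api/?%s" % (host, urlencode(query))


def _members(entry, tag):
    return [m.text.strip() for m in entry.findall("%s/member" % tag)]


def parse_rules(xml_text):
    """Return each security rule as a dict of member lists plus its action."""
    rules = []
    for e in ET.fromstring(xml_text).iter("entry"):
        if e.find("action") is None:      # skip <entry> elements that are not rules
            continue
        rules.append({"name": e.get("name"), "from": _members(e, "from"),
                      "to": _members(e, "to"), "user": _members(e, "source-user"),
                      "app": _members(e, "application"), "service": _members(e, "service"),
                      "action": e.find("action").text.strip()})
    return rules


def audit_rules(rules):
    """Return (rule name, problem) pairs for allow rules that break the blueprint."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        if r["app"] == ["any"] and r["service"] == ["any"]:
            findings.append((r["name"], "any/any allow: no application or port control"))
        elif r["app"] == ["any"]:   # service-only match is a legacy port-based rule
            findings.append((r["name"], "port-based rule: convert to an App-ID policy"))
        if "guest-wifi-zone" in r["from"] and (r["to"] == ["any"] or set(r["to"]) & INTERNAL_ZONES):
            findings.append((r["name"], "guest Wi-Fi may reach an internal zone"))
        if "pci-server-zone" in r["to"] and r["user"] == ["any"]:
            findings.append((r["name"], "PCI servers reachable without a directory-group restriction"))
    return findings


if __name__ == "__main__":
    print(config_get_url("firewall.example", "API-KEY-PLACEHOLDER"))
    for name, problem in audit_rules(parse_rules(SAMPLE_RULEBASE)):
        print("%-16s %s" % (name, problem))
```

Run against a real export, the same checks give the deployment team a list of rules still to convert after each migration phase.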

Healthcare organizations today do not have to become another headline or statistic. Beyond that, healthcare organizations are subject to government and industry regulations that impose stiff penalties on non-compliant entities. Table 1 outlines a subset of the U.S.-based HIPAA Security Rule14 requirements that a covered entity must adhere to and those Palo Alto Networks products which support the rule. A similar mapping can easily be supported for PIPEDA, the EU Data Protection Directive and other country-specific regulations governing healthcare.

13. The Palo Alto Networks Migration Tool is compatible with Juniper, Cisco, Check Point, Fortinet and McAfee configuration files.

14. http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html


Regulatory Compliance

HIPAA Security Rule and Privacy Rule Requirements (columns: Appliance Firewall, Additional Appliance Functions, Traps)

Ensure the confidentiality, integrity, and availability of all e-PHI (protected health information) they create, receive, maintain or transmit. √ √ √

Identify and protect against reasonably anticipated threats to the security or integrity of the information. √ √ √

Develop and implement procedures for guarding against, detecting, and reporting malicious software. √ √ √

Protect against reasonably anticipated, impermissible uses or disclosures. √ √

Authorize access to e-PHI only when such access is appropriate based on the user or recipient’s role (role-based access).

Implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).

Implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI. √ √

Implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network. √ √ √

Make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.

Develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary.

Develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce.

Table 1: Mapping of Palo Alto Networks Next-Generation Security Platform capabilities aligned to HIPAA and other privacy requirements

VI. SUMMARY

The healthcare organization that implements these effective security controls with the Zero Trust prevention focus of the Palo Alto Networks Next-Generation Security Platform can protect the hospital network, maintaining patient care, protecting patient data and helping maintain regulatory compliance, all while enabling even the most demanding of users and ensuring the security of the network.

4401 Great America Parkway, Santa Clara, CA 95054

Main: +1.408.753.4000 | Sales: +1.866.320.4788 | Support: +1.866.898.9087

www.paloaltonetworks.com

© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. healthcare-it-security-wp-030817