Securing the Healthcare Network Write-up
This session focussed on network security, exploring how Block works with NHS clients to adopt an enhanced network security posture and the tools and techniques used to do it: reducing cyber risk, increasing cyber resilience, and protecting and securing traditional IT, medical devices and OT, all whilst ensuring ease of management.
Paul Yarwood has spent the last 8 years helping the NHS overcome their network and security challenges and has led the adoption of network security in some of the UK’s largest NHS organisations/Trusts.
Matthew Mahoney, formerly CTO at a large NHS Health Board, has a wealth of hands-on experience from defining strategy and consolidating infrastructure, to opening a specialist critical care centre 6 months early during the pandemic – and the technology decisions that supported that.
The Outcomes Healthcare Needs
Healthcare security challenges are complex: networks are sizable, and endpoint types are numerous and owned by a diverse group of stakeholders, which makes establishing ownership and management difficult. This is further compounded by a target-rich environment in which patient data and life-critical devices are prevalent.
A lot of the security challenges we see Trusts facing are symptoms of the network security architecture models in operation today. Networks are typically built on an implicit trust model, meaning the network is broken up into zones and most security controls are applied at the zone boundary, with limited visibility and control within any given zone.
The NHS should consider shifting thinking towards new types of security models, particularly zero trust. It’s important to understand that there is a difference between a zero trust security model, which is a set of principles, and a zero trust network architecture, which is the implementation of these principles.
What we’re really trying to do with zero trust is reduce the size of security zones: we want to move enforcement right down to the endpoint, user, application or service that we need to protect. This allows much more granular control over network access permissions and segmentation, removing implicit trust from the system through the additional context in the controls we apply.
Building Security
Block suggests a four-step approach that makes up the building blocks of a zero trust network architecture. A layered approach allows controls to be adopted in a systematic manner, ensuring they work in concert to provide defence in depth whilst managing risk in the environment.
- Network Access Control – Identify devices and control access to the network, unify Wired, Wireless and RAVPN access.
- Segmentation – Reduce the internal attack surface and increase resilience against threat propagation through the environment.
- Contextual Access – Incorporate context from overlay security controls such as endpoint posture, NDR / vulnerability scanning and IoT security tools.
- Zero Trust Network Access – Least privilege access principle enforced by the network, all connections are authenticated, authorised, and inspected.
How to Transition
A common challenge with this transition is that most NHS organisations have decentralised procurement, with individual departments buying equipment without the IT department’s knowledge and then calling the help desk saying the network port isn’t working. This is where stakeholder engagement is key: if stakeholders know what is happening, they will know that a device will not work without IT granting it access, and will therefore be more inclined to speak to IT earlier in the process.
Paul recommends using a 3-point process when implementing each layer of enhanced network security:
- Monitor Mode
- Enforcement Mode
- BAU Operations
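As an added illustration (not code from Block or from the session), the following Python sketch ties the layers above together: a device is identified by NAC, context from endpoint posture, vulnerability scanning and NDR/IoT tooling feeds a segmentation decision, and the same policy is run first in monitor mode and then in enforcement mode. Device records, segment names and the sample inventory are constructed placeholders, not any real product's data model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Device:
    mac: str
    identity: Optional[str]   # authenticated user/device identity; None if NAC failed
    profile: str              # "workstation", "medical", "ot" or "unknown"
    posture_ok: bool          # endpoint posture / compliance result
    critical_vulns: int       # count reported by vulnerability scanning
    anomalous: bool           # flag raised by NDR / IoT security tooling

QUARANTINE = "quarantine"

def decide(dev: Device) -> Tuple[str, str]:
    """Return (segment, reason). Segment names are placeholders, not real VLAN ids."""
    if dev.identity is None:
        return QUARANTINE, "unidentified device (NAC authentication failed)"
    if dev.anomalous:
        return QUARANTINE, "NDR / IoT tool flagged anomalous behaviour"
    if dev.profile == "workstation":
        if not dev.posture_ok:
            return "remediation", "posture check failed"
        return "corp", "authenticated, compliant workstation"
    if dev.profile in ("medical", "ot"):
        # Clinical/OT kit often cannot be patched or blocked outright: isolate it instead.
        seg = f"{dev.profile}-isolated" if dev.critical_vulns else dev.profile
        return seg, f"{dev.profile} device with {dev.critical_vulns} critical vulns"
    return QUARANTINE, f"unknown device profile {dev.profile!r}"

def apply_policy(devices: List[Device], enforce: bool) -> List[Tuple[str, str, str, str]]:
    """Monitor mode records what *would* happen; enforcement mode applies the segment."""
    out = []
    for d in devices:
        seg, why = decide(d)
        out.append((d.mac, seg, seg if enforce else "unchanged", why))
    return out

# Constructed sample inventory: an unknown device plugged in by a department,
# a compliant ward workstation, and an infusion pump with an unpatched critical vuln.
SAMPLE = [
    Device("02:00:00:00:00:01", None, "unknown", False, 0, False),
    Device("02:00:00:00:00:02", "ward-pc-07", "workstation", True, 0, False),
    Device("02:00:00:00:00:03", "infusion-pump-12", "medical", False, 1, False),
]

if __name__ == "__main__":
    for mode in (False, True):
        for row in apply_policy(SAMPLE, enforce=mode):
            print("ENFORCE" if mode else "MONITOR", row)
```

Running in monitor mode first surfaces the unknown and isolated devices as support conversations before any port is actually moved, which is the point of the monitor-then-enforce sequence.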
Key Considerations
Stakeholder engagement is critical: if you want to adopt a zero trust model, you will need stakeholder buy-in. Keep in mind that your users are stakeholders; if the consumption model of the network changes, you need to make sure your users are aware of this and why you’re doing it.
- Set objectives as early as you can and make sure that you understand any limitations with your existing infrastructure.
- Organisations don’t stand still while you implement your network changes; new devices are constantly coming in, so plan for the need to adapt to them.
- When implementing these technologies, expect a small uptick in support tickets; the reason is that you are typically finding risk and resolving it through incidents and support tickets.
Thank you for taking the time to read this post. If you would like to find out more and hear Paul run through real-life examples, why not watch the session in full? Alternatively, if you have watched the session and still have questions, fill in our form and we’ll pass your questions on to Paul/Matthew or arrange a follow-up session with them.
