Did you know that in the United States alone, over 76 billion instances of highly confidential Protected Health Information (PHI) have been reported to be exposed in breaches in the past 24 months? [1]
Unfortunately, the threat of cyberattacks in healthcare continues to grow as the industry faces the arduous task of securing highly valuable and sensitive information in Electronic Health Record (EHR) systems. While an EHR system offers many benefits, it also presents a tremendous security challenge. In particular, EHR systems contain sensitive information, such as individually identifiable health information, that must be protected from unauthorized access under the Health Insurance Portability and Accountability Act (HIPAA) guidelines and the recently updated Health Information Technology for Economic and Clinical Health Act (HITECH). [2]
One approach to securing EHRs is microsegmentation, a network security technique that creates smaller, isolated network segments within a larger network. Each segment contains a specific set of resources or workloads, such as a specific application or type of data. By segmenting the network in this way, security policies can be enforced at a more granular level, making it more difficult for attackers to move laterally within the network.
So, what are the ways that you can implement a strategy of microsegmentation within your healthcare organization?
Cisco Secure Workload
Cisco Secure Workload is one of the solutions that can be used to implement microsegmentation in healthcare environments. This solution uses a combination of software-defined networking and policy-based security to create and enforce microsegmentation policies. Workloads are automatically classified based on their characteristics, and policies are applied based on this classification.
For example, a healthcare organization can use Cisco Secure Workload to create separate segments for EHRs, billing systems, and other applications. Each segment would have its own set of security policies, such as rules governing access control and data encryption. In the event of a security breach, the impact would be limited to the segment in which the breach occurred, rather than affecting the entire network.
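The containment claim above can be checked with a small model. This is an added example, not Cisco Secure Workload or ACI configuration and not code from the original article; the workload names, segment labels, and ports are constructed for illustration.

```python
from collections import deque

# Constructed inventory (hypothetical names): workload -> segment label.
WORKLOADS = {
    "ehr-web": "ehr", "ehr-db": "ehr",
    "billing-app": "billing", "billing-db": "billing",
    "guest-kiosk": "guest",
}
PORTS = (443, 1433, 5432)
SEGMENTS = set(WORKLOADS.values())

# Flat network: every segment may reach every other segment on every port.
FLAT = {(s, d, p) for s in SEGMENTS for d in SEGMENTS for p in PORTS}

# Microsegmented allow-list: any (src, dst, port) not listed is denied.
SEGMENTED = {
    ("ehr", "ehr", 1433),          # EHR app tier to its own database
    ("billing", "billing", 5432),  # billing app tier to its own database
}

def allowed(policy, src, dst, port):
    """Default-deny check for one flow between two workloads."""
    return (WORKLOADS[src], WORKLOADS[dst], port) in policy

def blast_radius(policy, start):
    """Workloads reachable from a compromised one, following allowed flows transitively."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in WORKLOADS:
            if nxt not in seen and any(allowed(policy, cur, nxt, p) for p in PORTS):
                seen.add(nxt)
                queue.append(nxt)
    return seen

if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, sorted(blast_radius(policy, "billing-app")))
    # One broad cross-segment rule is enough to widen the reach again.
    widened = SEGMENTED | {("billing", "ehr", 443)}
    print("widened", sorted(blast_radius(widened, "billing-app")))
```

Running the same reachability check against a proposed policy change shows how far a single cross-segment rule extends the reach of a compromised workload before the rule is deployed.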
Cisco Application Centric Infrastructure
Cisco Application Centric Infrastructure (ACI) is another solution that can be used to implement microsegmentation in healthcare environments. Cisco ACI is a data center networking solution that provides comprehensive policy-based automation and management of the entire infrastructure. It uses a declarative model to define the desired state of the network, and automatically configures the network to match that state. With Cisco ACI, microsegmentation can be easily implemented and enforced. Cisco ACI’s policy model allows for more granular security policies to be applied to individual applications or workloads.
Both Cisco Secure Workload and Cisco ACI can be used in conjunction or as standalone systems as part of your organization’s path to securing the EHR, leveraging application-focused microsegmentation either on-premises or in the cloud.
Microsegmentation can also be used to support compliance with regulatory frameworks such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and HHS 405d. By implementing granular security policies, healthcare organizations can demonstrate to auditors that they have taken appropriate steps to protect patient data. Microsegmentation is also part of the larger zero trust journey outlined in the National Institute of Standards and Technology framework (NIST SP 800-207).
In addition to improving security, microsegmentation can also help healthcare organizations improve network performance. By creating smaller segments, network traffic can be better managed, reducing the risk of congestion and improving application performance.
Security is a continuous journey, but Cisco can help you to navigate the landscape and walk with you as you mature. If you have questions on microsegmentation or on how to take the next step on your security journey, we encourage you to reach out to a member of our CX healthcare practice.
1. HHS OCR Reporting: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information – as of Apr 20th 2023
2. HR7898 – HITECH Act – Safe Harbor