“The concept of zero-trust is where you restrict all network communications to only communications that are essential for whatever particular device to function. It's basically the equivalent of putting a firewall in front of each device and locking it down so that the device can only do the communications it needs to do its job and nothing else. You're pretty much blocking everything by default unless it's explicitly an SSR.” - Chris Frenz, AVP of Information Security at Interfaith Medical Center
When it comes to networking and security, Interfaith Medical Center is widely known for being one of the first hospitals in the country to go zero-trust. They are a not-for-profit organization dedicated to providing quality healthcare to the residents of Brooklyn, NY, with approximately:
We sat down with Interfaith’s AVP of Information Security, Chris Frenz, to get his take on zero-trust and his 5 recommendations for other healthcare organizations as they start to think beyond compliance to ensure hospital network security.
Repeated ransomware attacks targeting hospitals have been dominating news headlines recently. Consider WannaCry: it didn’t just affect the PCs within hospitals, but encrypted network-connected medical devices, as well. This is a major patient safety issue, and it gives a new meaning to the term denial of service.
“Ransomware is something that we were very concerned with because protecting our patients is one of our top priorities,” Chris said. “One of the big issues within a lot of hospitals is they tend to have very flat networks, and flat networks allow attackers to laterally move through the organization and basically take a single compromise point with the new organization and begin to spread it to more and more systems.”
Overcoming the security challenges of healthcare today was a primary driver for Interfaith to partner with Extreme. In addition to implementing ExtremeSwitching, Interfaith uses Extreme Networks’ Access Control (NAC) solution, ExtremeControl, to implement policies that allow essential communications, while effectively putting each PC into its own micro-segment and making lateral movement between PCs near impossible.
In evaluating the decision to go zero-trust, the IT organization at Interfaith conducted a lot of security testing. “We simulated a malware outbreak within our organization. We use an EICAR test string, it’s basically a string of characters that are harmless,” Chris explained.
Testing revealed the network segmentation already in place was very effective at mitigating the spread of an outbreak. This led the security team at Interfaith to build on this strategy by increasing the level of segmentation within the network. “That was when we began to introduce things like the network access control solution, which allowed us to put policies in place to protect devices within the same village, or even on the same switch from each other. That was the justification for starting to go down the zero-trust road.”
Now that zero-trust is the standard operating procedure at Interfaith, security incidents are minimized. Even if occasional events happen within the network, they’re contained and easier to respond to.
As Chris pointed out, you can be 100% compliant, yet insecure. Compliance is a necessity, but it shouldn’t be the target when strategizing for security. It’s possible to check every single box, regardless of regulatory body, and remain extremely insecure. Chris says, “Think of it like aiming for a D grade in a classroom; if your goal is compliance, and you stop there when putting security measures in place, you may pass the class, but you won’t be doing an effective job.”
Remember to continuously test security to determine what your strategy is truly secure, not just meeting the minimum requirements. Download the 5 Steps That Go Beyond Compliance to ensure your security strategy is up to par. Want the complete story on Interfaith’s Extreme implementation, including establishing a zero trust network? See the full case study, or view the infographic on their zero-trust environment.