{"id":1455,"date":"2010-12-17T22:23:00","date_gmt":"2010-12-18T06:23:00","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=1455"},"modified":"2010-12-17T22:23:00","modified_gmt":"2010-12-18T06:23:00","slug":"network-security-check-up-for-health-care-networks","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2010\/12\/network-security-check-up-for-health-care-networks\/","title":{"rendered":"Network Security Check-Up for Health Care Networks"},"content":{"rendered":"<p>Health care providers are in an interesting situation with regard to network security.\u00a0 Like many industries, they\u2019re dealing with rapid technological change in the face of a variety of regulations \u2013 in the U.S. health care industry it\u2019s HIPAA and HITECH, and PCI \u2013 focused on the portability, security and privacy of PHI and the security of patients\u2019 credit card data, respectively.<\/p>\n<p>At the same time, their users are adopting many of the same high-risk, high-reward applications that users in other industries are adopting.\u00a0 The problem, as in most industries, is the high-risk, low-reward applications that so many health care employees use in addition to useful Internet-hosted applications.<\/p>\n<p>Recently, I had a chance to talk to a group of folks in health care \u2013 specifically folks concerned with network security.\u00a0 <!--more-->So I took a look at a cut of our <a href=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/tag\/application-usage-risk-report\/\" target=\"_blank\">Application Usage and Risk Report<\/a> data that included only health care organizations.\u00a0 I looked at actual application traffic across 118 different health care organizations.\u00a0 What I found was that despite regulations and privacy concerns, the application mix looked very similar to the mix that we see across all organizations.\u00a0 There were, however, a couple of differences.<\/p>\n<p><strong>Webmail, Instant 
Messaging, and Social Networking<\/strong><br \/>\nHealth care users are good at staying in touch \u2013 perhaps a bit better than average.\u00a0 Webmail applications were found in every one of the 118 health care organizations I looked at, with Gmail, Hotmail, and Yahoo Mail topping the list.\u00a0 IM was only slightly less penetrated, with Yahoo, Google, and Facebook applications topping the list of chat applications.\u00a0 Finally, social networking applications are slightly better penetrated in health care organizations than the norm \u2013 with Facebook and Twitter at 99% and 98%, respectively.<\/p>\n<p><a href=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2010\/12\/health-care-top-5-socializing.jpg\"><div style=\"max-width:100%\" data-width=\"241\"><span class=\"ar-custom\" style=\"padding-bottom:124.48%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"alignnone size-medium wp-image-1462 lozad\" title=\"health care top 5 socializing\"  data-src=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2010\/12\/health-care-top-5-socializing-241x300.jpg\" alt=\"\" width=\"241\" height=\"300\" srcset=\"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2010\/12\/health-care-top-5-socializing-241x300.jpg 241w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2010\/12\/health-care-top-5-socializing-825x1024.jpg 825w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2010\/12\/health-care-top-5-socializing.jpg 832w\" sizes=\"auto, (max-width: 241px) 100vw, 241px\" \/><\/span><\/div><\/a><\/p>\n<p><strong>Filesharing<\/strong><br \/>\nFilesharing applications were heavily used in health care organizations, again, despite any potential concerns regarding leaks or loss of patient information.\u00a0 The most common browser-based filesharing applications were those typically used for business purposes \u2013 namely SkyDrive and DocStoc.\u00a0 But entertainment\/copyrighted 
content-centric filesharing was also common: regardless of technology (browser-based vs. peer-to-peer), we found it at 58%.<\/p>\n<p><a href=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2010\/12\/health-care-top-5-filesharing.jpg\"><div style=\"max-width:100%\" data-width=\"300\"><span class=\"ar-custom\" style=\"padding-bottom:82.33%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"alignnone size-medium wp-image-1458 lozad\" title=\"health care top 5 filesharing\"  data-src=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2010\/12\/health-care-top-5-filesharing-300x247.jpg\" alt=\"\" width=\"300\" height=\"247\" srcset=\"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2010\/12\/health-care-top-5-filesharing-300x247.jpg 300w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2010\/12\/health-care-top-5-filesharing.jpg 834w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/span><\/div><\/a><\/p>\n<p>The aforementioned communications and filesharing applications carry regulatory and data leak\/data loss risks as well as the typical malware risks.\u00a0 Pretty serious risks at that.\u00a0 But that said, many of these applications are in use to help health care users get their jobs done.\u00a0 One organization I talked to had a specific initiative on Facebook for helping their customers stay in shape.\u00a0 Other organizations use filesharing applications to move large image files efficiently.\u00a0 My point is that in many cases, safe enablement is the desired goal, not blocking.<\/p>\n<p>While I think the initial response of many network security folks focuses on negative control \u2013 as in, block Facebook, or block Gmail, or even Skype \u2013 others are looking at this from a different perspective, by adopting a traditional positive control model \u2013 in other words, default deny.\u00a0 This way, organizations can expressly enable health care applications like 
Carefx or Sentillion, or even health care middleware like HL7.\u00a0 More radically, organizations can enable specific groups (e.g., marketing) to use other applications (e.g., Facebook) for business or acceptable personal use.\u00a0 While there is always some power and control in being able to block certain applications, it\u2019s often easier, more powerful, and ultimately more secure to be able to allow the applications you want, mitigate the risks associated with those allowed applications, and deny all else.\u00a0 This stance also has the benefit of focusing on enabling the business, which is always a more strategic position for network security professionals.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Health care providers are in an interesting situation with regard to network security.\u00a0 Like many industries, they\u2019re dealing with rapid technological change in the face of a variety of regulations \u2013 in the &hellip;<\/p>\n","protected":false},"author":40,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4,6],"tags":[],"coauthors":[],"class_list":["post-1455","post","type-post","status-publish","format-standard","hentry","category-application-usage-risk-report","category-pci-compliance"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/1455","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=1455"}],
"version-history":[{"count":10,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/1455\/revisions"}],"predecessor-version":[{"id":1469,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/1455\/revisions\/1469"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=1455"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=1455"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=1455"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=1455"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}