(Appendix A) - This symbol indicates that additional details on the implementation and working of a given solution can be found in Appendix A under the reference number.
(Appendix B) - This symbol indicates that a definition can be found in Appendix B.
1.0 Situation Analysis
The key to building a secure network for SGH is to follow an approach that integrates a defense-in-depth architecture. In a defense-in-depth approach, multiple layers of security are built into the network to protect it at various levels.
1.1 Vulnerabilities of the Current Network
Application, authentication and hospital information systems run on a single physical server - Single Point of Failure
Running multiple services on a single physical server leads to severe security threats. If an attacker takes control of the server, data such as patient records, payment-related data, passwords and all other critical data could fall into the wrong hands.
Hosting multiple services in a single box also leads to severe performance degradation.
The internet routing functionality is also integrated into the main server
As stated in the specifications, the main server also functions as an internet router. This means that services such as NAT run on the same server alongside the application services and the hospital information system, and that all incoming and outgoing internet traffic passes through the main server before leaving or after entering the hospital network. This poses a greater risk to the main server and to all the data it hosts, because there is a higher chance of an attacker compromising the main server. In particular, attacks that originate from inside the hospital network find it easy to exploit weaknesses of the main server, as all internet-bound traffic from any internal host passes through it. This provides an easy open door to the attacker.
Only a single firewall is used at the perimeter of the network
In the current hospital network, all traffic is allowed into or denied from the network by a single firewall. Having a server that runs a number of services and just one firewall to filter the traffic forces the firewall to be configured to allow most of the traffic destined for the server. This creates a security threat to the server, as the firewall can only be configured with a set of broad rules to filter the traffic destined for the server rather than more specific rules. It could allow a skilled attacker to penetrate through the firewall to the server with little effort.
Another weakness is that the firewall is deployed before the VPN termination device. This makes it impossible for the firewall to inspect the incoming encrypted VPN data. If a remote clinic is compromised, an attacker can easily hide malicious content inside encrypted VPN packets and pass through the firewall into the hospital's internal LAN.
No Proper Segmentation of the Network
Once the perimeter firewall allows any traffic into the network, that traffic can reach any part of the network, as there is no segmentation. Likewise, attacks that originate from inside the hospital network can easily reach any device or any part of the network with little or no security checks at all.
Only Tape Backup is used as the Backup Medium
A tape drive is the only backup medium used in the network. Regulatory requirements make it mandatory to store electronic health records for at least 7 years and up to the lifetime of a person. Tape media alone are not sufficient for this storage and, in case of disaster, restoring data from tape takes much longer than from hard-disk-based backup media.
Broadband access is used as the internet connection channel
Currently SGH uses SDSL and ISDN as the media to access the internet. These communication media are usually shared among a number of subscribers, which poses a risk of data exposure. A leased line such as T1 or T3 provides a dedicated channel, reducing data exposure.
2.0 Proposed Secure Network
The following are the security areas addressed by the suggested secure network solution for SGH.
The solution takes a layered approach that enforces security measures at various levels, strengthening the security of the network infrastructure that endpoints use to communicate. The endpoints themselves are secured to minimize the possibility of attacks, while measures are taken to minimize the vulnerabilities of the applications that run on the endpoints and the threats posed by web and email content accessed through them.
In a nutshell, the solution we propose for the SGH network has an overall architecture similar to the following figure.
Figure 2.0: Modular architecture of SGH network
As shown in the figure, various security measures are taken to strengthen the network devices and services of the three main parts of the SGH network, which are the hospital edge (perimeter), the core and the access layer. The entire network is managed using an out-of-band (Appendix B) network management technique to maximize security by protecting the configuration and proper functioning of the network infrastructure devices. Centralized access control adds a strong layer of security by allowing only authenticated users and devices into the network.
The following is the secure network we suggest for SGH.
Figure 2.0a: Secure SGH network
The proposed SGH network is designed to maximize the security of the network, its management and its data. As stated by Convery S. (n.d.), network equipment access security in management is critical to the overall security posture of the network infrastructure. Out-of-band management (OOB) is used to securely access and configure network infrastructure devices over a separate LAN segment (indicated using dotted lines). As stated in Cisco Medical-Grade Network (MGN) 2.0, pg. 73, a significant limitation of in-band management is its vulnerability to problems from the very devices that are being managed. OOB helps to eliminate this weakness. (Appendix A)
The network segment containing the PCs that require biometric access is monitored using Host IDS (HIDS). We can assume that either many people other than the actual users have physical access to the PCs in this segment, or critical hospital data is accessed using these PCs, hence the use of biometric authentication for tighter security. Whichever the reason, it is evident that these PCs should be protected, and this is done through HIDS.
NIDS appliances are deployed at key points of the network to monitor for malicious activity. The NIDS appliance in the DMZ is deployed to monitor activity at the perimeter of the network; however, its sensors are set to a lower sensitivity level than the other NIDS in the network to limit false positives. An IPS device is used in the network administrator LAN segment because this segment is highly secure: if any suspicious traffic is detected there, it is highly likely to be an attack, and through the IPS it can be blocked. Host Intrusion Detection Systems (HIDS) are installed on the administrator PCs to detect and alert on malicious activity seen on those systems, providing an additional layer of protection. (Appendix A)
The firewall at the DMZ separates the internal network from the less secure DMZ traffic. This helps to stop unauthorized outside traffic from entering the internal network. The firewall in the management LAN is used to separate the admin PCs from the network device segment and to implement the Private VLAN (Appendix B) feature. This configuration restricts direct connections between any of the devices on this LAN and forces all traffic through the firewall, where deep data inspection occurs. It helps to prevent further attacks on other devices in this segment if any one device is compromised.
All IDS, firewalls and servers are configured to send their log files to the logging server for centralized logging and accounting. All logging data is transferred to the logging server over the management LAN. This protects the logging data from attackers and prevents them from modifying or capturing any logging-related data, as only devices on the management LAN segment have access to it. NTP is used on all network devices to set every device's clock to one uniform time. This helps to correlate and compare events in log files when tracing malicious activity during forensic investigations. Using NTP also helps with regulatory compliance: as stated in MGN Network Architecture 2.0, HIPAA explicitly calls out accurate time stamps as a contributing factor for appropriate access controls, and the best way to ensure accurate time stamps is NTP.
Apart from terminating VPN connections, the edge router functions as a stateful firewall as well. A stateful firewall ensures that only packets belonging to already authorized connections are allowed into the network. As stated by A. Wool (n.d.), this simplifies firewall administration and helps tighten security by allowing selective and specific rules rather than broad rules. A stateful firewall is often best suited for hospital security due to its ability to track communications and its use of continuously updated state tables (Barnes J., n.d.).
NAT functionality is also built into the edge router. NAT is used to hide internal device addresses from the outside network. This helps to prevent attackers from connecting directly to the IP addresses of internal SGH devices for malicious activities.
Creating a DMZ helps SGH to serve external users without allowing them into the secure internal network. This greatly reduces the possibility of attacks, as the internal stateful firewall blocks all externally originated traffic.
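As an added illustration (example code written for this edit, not part of the proposal or any vendor's product), the following Python model shows how the stateful filtering described above decides per packet: an outbound SYN creates a state-table entry, the matching reply from outside is admitted, and inbound packets with no entry, including spoofed SYN-ACKs and unsolicited SYNs, are dropped. The internal address range, the Packet fields and the state names are assumptions of the example.

```python
import ipaddress
from collections import namedtuple

# A TCP packet as the firewall sees it; flags is a subset of "SAFR" (SYN, ACK, FIN, RST).
Packet = namedtuple("Packet", "src dst sport dport flags")

# Constructed internal address range for the SGH LAN (assumption, not from the design).
INTERNAL = ipaddress.ip_network("10.10.0.0/16")


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


class StatefulFirewall:
    """Admits inbound TCP packets only when they belong to a connection the inside opened.

    The state table is keyed by the unordered pair of endpoints, so a reply from
    outside maps to the same entry as the outbound SYN that created it.
    """

    def __init__(self):
        self.table = {}  # flow key -> "SYN_SENT" | "ESTABLISHED" | "CLOSING"

    @staticmethod
    def flow_key(pkt: Packet):
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def filter(self, pkt: Packet) -> str:
        key = self.flow_key(pkt)
        state = self.table.get(key)
        inbound = is_internal(pkt.dst) and not is_internal(pkt.src)

        # A reset tears down the entry, but only if the flow exists at all.
        if "R" in pkt.flags:
            if state is None:
                return "DROP"
            del self.table[key]
            return "ALLOW"

        if state is None:
            # Only an outbound SYN may create state; anything else without state
            # (an unsolicited inbound SYN, a spoofed SYN-ACK, a stray ACK) is dropped.
            if not inbound and pkt.flags == "S":
                self.table[key] = "SYN_SENT"
                return "ALLOW"
            return "DROP"

        if state == "SYN_SENT":
            if inbound and pkt.flags == "SA":      # handshake reply from outside
                self.table[key] = "ESTABLISHED"
                return "ALLOW"
            if not inbound and pkt.flags == "S":   # SYN retransmission
                return "ALLOW"
            return "DROP"

        # ESTABLISHED or CLOSING: data and teardown flow freely; the second FIN
        # removes the entry (a real implementation keeps a short TIME_WAIT).
        if "F" in pkt.flags:
            if state == "ESTABLISHED":
                self.table[key] = "CLOSING"
            else:
                del self.table[key]
        return "ALLOW"


def demo():
    """Walk an outbound HTTPS session and two unsolicited inbound packets through the firewall."""
    fw = StatefulFirewall()
    return [
        fw.filter(Packet("10.10.5.20", "203.0.113.7", 51000, 443, "S")),    # inside opens
        fw.filter(Packet("203.0.113.7", "10.10.5.20", 443, 51000, "SA")),   # reply admitted
        fw.filter(Packet("10.10.5.20", "203.0.113.7", 51000, 443, "A")),    # established data
        fw.filter(Packet("198.51.100.9", "10.10.5.20", 4444, 22, "S")),     # unsolicited: dropped
        fw.filter(Packet("198.51.100.9", "10.10.5.20", 443, 51001, "SA")),  # spoofed reply: dropped
    ]
```

The direction-independent key is the part worth noting: it is what lets one table entry authorize the reply without a second, inbound-facing rule, which is exactly the administrative simplification the text attributes to stateful filtering.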
The external DNS server in the DMZ serves remote clinic users who connect to the Internet through the SGH network. By putting this DNS server in the DMZ, it is possible to offer domain name services to external users without allowing them into the secure internal network or the internal domain name server. This adds a layer of security and protects the internal DNS server from attacks. The server is protected using HIDS and a host-based firewall, which is configured to block all requests except DNS queries from the remote clinics.
The external IAS server (Appendix B) functions as a proxy that forwards remote user authentication requests to the RADIUS server (Appendix B), as suggested by R. J. Shimonski et al. (2003). This method helps to protect the internal network by terminating the external authentication request at the DMZ instead of allowing the user direct access to the internal secure RADIUS server.
Electronic health records and payment records are located on a separate server rather than hosted on the same server as the integrated hospital information system. This approach protects the data by not allowing a vulnerability in one system to compromise the others.
The RADIUS server is used to centrally manage authentication services, in conjunction with the NAC manager and the IAS server, for both users and devices. It allows authentication information to be hosted in one place, minimizing security loopholes.
2.1 Content Security
A web and email content filtering appliance is used in the proposed network (figure 2.0a, pg. 6) to filter inappropriate web content, spam and malicious emails. This filtering helps to protect the SGH network from threats caused by email-borne viruses, worms, malicious content, phishing sites, botnet malware and hijacked websites that could host malicious content. By filtering spam, it also saves network resources. It also provides the capability to communicate email messages and attachments securely using encryption and digital signatures, which ensures the confidentiality and integrity of health records and Protected Health Information (PHI) communicated by email. (Appendix A)
2.2 Data Backup, Business Continuity & Disaster Recovery
The proposed SGH network uses hard-disk-based backup as the primary backup solution for critical data. As stated in (Managing Storage Complexity for Healthcare Providers, 2007, pg. 14), in the case study of St. Mary's Regional Medical Center, disk-based backup is advantageous compared to tape-based backup due to the considerably less time consumed in the backup and recovery process. As a security measure, all backups are encrypted using the Advanced Encryption Standard (AES). Tape backup can be used as a secondary means of backup for data that should be retained for the long run, such as medical images stored in picture archiving and communication systems (PACS).
The proposed SGH network uses a T3 WAN connection (which replaces the ISDN line) to perform off-site backup to a remote data center. All data and applications in the SGH network can be mirrored to the remote data center using this method. This helps SGH to recover from a disastrous situation and supports business continuity.
According to E. Brown of Forrester Research (Disaster recovery, business continuity… n.d.), the newest approach to backup and disaster recovery is to use cloud-based services and data centers. For SGH, a cloud-based solution is an alternative to the proposed remote data center.
2.3 Network Segmentation using VLANs
Modern hospital networks consist of various wired and wireless endpoint devices with varying functionality and capabilities. These endpoints are used by hospital staff, visitors and resident patients to connect to the network. Some of these endpoints include:
Workstations and laptops
Computers on wheels (CoW)
Biomedical devices, such as infusion pumps, patient monitors, ventilators, ultrasound, and MRI devices
PDAs and smart phones
The varying nature of the endpoints connecting to the SGH network and the various people who use them pose a great challenge when designing a secure network. In particular, medical devices and hospital computers share the wired and wireless access medium that is also used to provide network services to visitors and patients. Network endpoints are often considered one of the weakest and therefore most vulnerable parts of any infrastructure (Cisco medical-grade network 2.0: security architecture, n.d.).
We can use Virtual LANs to add a layer of security to the SGH network by segregating the traffic of different endpoint types into different collision domains. As stated by Convery S. (n.d.), by segmenting devices into separate VLANs on the hospital switches, the opportunity for security boundaries is increased. The weakness of the current network's lack of proper segmentation can be addressed by deploying VLANs.
Figure 2.3: VLAN segmentation of SGH network endpoint devices
Medical devices greatly benefit from this isolation of traffic, because they are usually designed to perform a specific task and have no ability to run any third-party security or encryption software. Furthermore, by providing a channel of its own to transmit medical images and other medical data, a layer of security is added to the data transmitted from this medical equipment, protecting it from threats such as packet sniffing. As a whole, the use of VLAN segmentation allows restrictions to be applied closer to the source and therefore to be more effective (Virtual LAN Security, n.d.).
2.4 Centralized Network Admission Control (NAC)
In the past, malware such as worms has successfully used weaknesses in endpoint devices and users to create havoc in many networks worldwide. Network admission control (NAC) (Appendix B) can be used to control access to the SGH network from the various endpoints in order to protect it. NAC works by allowing only endpoint devices with acceptable security measures to access the network from the designated network entry points, while devices without adequate security are prevented from using the network. Using NAC, the hospital can:
Ensure that the devices connecting to the network are in compliance with the SGH network security policy
Mitigate the risks of worms, viruses, application vulnerabilities and unauthorized access
Ensure that remote clinic devices comply with the security requirements of the SGH network security policy
Allow access to the hospital network only to legitimate users, based on their credentials
In the SGH network, hospital workstations, network-connected medical devices, remote clinic devices, guest laptops and smart phone devices should undergo the NAC scanning process before being allowed access to the network. (Appendix A)
Figure 2.4: Centralized NAC architecture of SGH
2.4 Wireless Network Access
In the SGH network, to provide maximum security, all wireless devices are allocated to their own VLANs as described in section 2.3, depending on the device type and users. In this configuration wireless medical devices, wireless hospital workstations and visitors' wireless devices are separated into different VLANs. This helps to enforce the varying security measures that protect the SGH network, as described in section 2.3. Apart from that, the following are some of the other wireless security measures we suggest for the SGH network.
All wireless communications should be encrypted using WPA2 with AES encryption and a key length of 192 bits. WPA2 is used due to its highly secure nature compared to other Wi-Fi security methods. (According to America's National Institute of Standards, an AES key length of 192 bits or greater assures the confidentiality of data for the foreseeable future. Cisco Medical-Grade Network 2.0: Security Architecture, pg. 70)
All wireless devices undergo the NAC procedure to keep insecure devices out of the SGH network.
RFID (Radio Frequency Identification) tags can be used to protect the wireless devices used in the network from theft. With RFID tags attached to the devices, an alarm sounds if a device leaves a certain physical boundary. ("Airespace Wireless", n.d.)
Medical devices and hospital wireless workstations are served by different access points, while separate access points are provided for guest Wi-Fi access. This way, the broadcasting of all SSIDs except the guest Wi-Fi SSID can be stopped, which helps to keep visitors away from the access points used for hospital devices.
2.5 Network Infrastructure Device Security
Network devices such as switches, routers and network intrusion prevention modules are part of the infrastructure devices of the SGH network. To secure these devices, the following actions can be taken.
Switches and routers, along with other communication equipment, should be placed in locked environments for physical security.
Though we use OOB for managing devices in SGH, for added protection Secure Shell (SSH) and S-HTTP are used in place of less secure communication protocols such as Telnet and HTTP. This helps to preserve the integrity of device configuration data while in transit.
All unused services running on switches and routers should be disabled to reduce the threats caused by application vulnerabilities.
All default passwords on infrastructure devices must be changed to secure passwords, and ongoing password changes should be practised.
2.6 Medical Data and Application Security
Within a hospital network such as SGH, a huge amount of electronic health records (EHR) is transmitted daily. Constitutional as well as other requirements make it mandatory to secure electronic health records, to protect hospitals from financial loss, loss of lives and loss of reputation.
Electronic health records should be protected while stored, while transmitted and while in use, to preserve both integrity and confidentiality. For this reason, the data storage, the transmission and the medical applications that use these data must all be secured.
Secure Storage of Electronic Health Records (Data Center Security)
In a hospital environment the EHR are located in a centralized data center in the hospital network for easier access by every department. This facility must:
be located in a secure environment with adequate measures to protect equipment from fire and other physical damage
maintain logs for entry/exit while strictly limiting access to the data center
2.6.1 Medical Application Security
Unlike most industries, where a single login gets you complete access to applications and databases, health care systems require levels of authentication. (Gallant Al., 2009)
3.0 Remote Access
In the SGH network it is essential to provide a secure path for remote clinics and mobile medical practitioners to access the SGH network and communicate medical data. A VPN is the communication mechanism we deploy in the SGH network to provide this ability.
For the SGH network we implement a site-to-site VPN (Appendix B) using IPsec tunnel mode. Given that remote clinics are fixed locations and a number of users need to connect to the SGH central data center simultaneously, a site-to-site VPN is more appropriate than a remote access VPN.
Deploying IPsec to protect data provides the following security benefits for SGH.
IPsec protects the integrity of data such as medical images and EHR communicated over the VPN
Because IPsec tunnel mode encrypts both the header and the payload of the original packet, it helps to ensure the confidentiality of data.
Data origin authentication confirms the authenticity of the origin of the packets
Protection from replay attacks by rejecting aged or duplicate packets
Tunnel mode encapsulates the entire packet using DES, 3DES or AES encryption, thus providing tighter security
It supports user and device authentication, providing greater flexibility in deploying centralized network admission control
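To make the replay protection in the list above concrete, here is an added Python example (written for this edit, not from the proposal) of the sliding-window check that IPsec ESP uses to reject aged or duplicate sequence numbers (RFC 4303, section 3.4.3). The window size, the two-step check/accept API and the sequence numbers fed in are assumptions of the example; in ESP the window is only updated after the packet's integrity check has passed, which is why the check and the update are separate methods.

```python
class AntiReplayWindow:
    """Sliding-window replay check in the style of IPsec ESP (RFC 4303, section 3.4.3).

    `highest` is the largest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number highest - i has been seen. Packets older than
    the window are rejected as aged; packets inside it are rejected if already seen.
    """

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.highest = 0   # ESP sequence numbers start at 1, so 0 means "nothing yet"
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Pure check, run before the integrity check; does not modify the window."""
        if seq == 0:
            return False
        if seq > self.highest:
            return True                            # new high-water mark
        age = self.highest - seq
        if age >= self.size:
            return False                           # too old: outside the window
        return ((self.bitmap >> age) & 1) == 0     # inside the window: reject duplicates

    def accept(self, seq: int) -> bool:
        """Update the window for a packet whose integrity check has passed."""
        if not self.check(seq):
            return False
        mask = (1 << self.size) - 1
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & mask   # slide, mark seq as seen
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)            # late but in-window
        return True


def replay_trace(seqs, size=64):
    """Feed a constructed sequence of ESP sequence numbers through the window and
    report which are accepted (True) or rejected (False)."""
    window = AntiReplayWindow(size)
    return [window.accept(s) for s in seqs]
```

With a 64-packet window, the trace 1, 3, 2, 2, 3, 1, 70, 5, 10 accepts the out-of-order 2, rejects the three replays, and after 70 arrives rejects 5 as aged while still accepting 10, which is inside the window.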
Figure 3.0: SGH VPN architecture
For endpoint authentication when establishing the VPN connection, we use X.509 digital certificates. For the SGH network, this method is highly suitable because of its scalability and because it eliminates the risk of exposing the
4.0 Penetration Testing
Out of Band Network Management (OOB)
To provide OOB network management, all network infrastructure devices such as routers, switches and servers are designed with dual network interfaces: one connects to the general SGH production network and the other connects to the management LAN, which is a separate network of its own. Through this management network interface, administrators have the ability to connect to devices and carry out administration tasks without interference from the general production network traffic. As management data is transferred on a separate LAN with a different IP address range, this clear separation of production and management traffic helps to:
Configure all infrastructure devices to block any management traffic that is seen on the production network. Management data should not be seen anywhere except on the management LAN; if it is, this indicates possible malicious activity, and blocking that traffic helps to mitigate the threat.
Protect device configuration data and other sensitive management traffic from threats such as data sniffing.
Greatly enhance the security of network infrastructure devices by limiting an attacker's ability to manipulate devices from any location other than the management PCs.
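The first point above, management traffic that appears on the production network is a sign of something wrong, can be checked from flow records exported by the switches. The following Python example was added for this edit and is not part of the proposal; the management LAN range, the production-side addresses of the infrastructure devices, the switch names, the flow record format and the sample records are all constructed. It flags management protocols (SSH, HTTP, SNMP, syslog) reaching an infrastructure device over a production interface, any management LAN address appearing on a production switch, and Telnet anywhere, since section 2.5 replaces Telnet with SSH.

```python
import ipaddress
import re

# Constructed addressing for this example (assumptions, not SGH's real address plan).
MGMT_LAN = ipaddress.ip_network("192.168.100.0/24")              # out-of-band management segment
INFRA_PRODUCTION_IPS = {"10.10.1.1", "10.10.1.2", "10.10.1.10"}  # production-side addresses of edge router, core switch, app server
MGMT_SWITCHES = {"mgmt-sw1"}                                      # switches that carry only management LAN traffic
MGMT_PROTOCOLS = {("tcp", 22): "ssh", ("tcp", 80): "http", ("udp", 161): "snmp",
                  ("udp", 162): "snmp-trap", ("udp", 514): "syslog"}
FORBIDDEN_PROTOCOLS = {("tcp", 23): "telnet"}                     # replaced by SSH in section 2.5

# Flow record format assumed by this example: time switch interface src -> dst proto/port
FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) -> (\S+) (tcp|udp)/(\d+)$")

# Constructed sample records; the second, fourth and fifth violate the policy.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z prod-sw1 Gi1/0/3 10.10.5.20 -> 10.10.1.10 tcp/443
2024-05-01T10:00:04Z prod-sw1 Gi1/0/7 10.10.7.33 -> 10.10.1.1 tcp/22
2024-05-01T10:00:05Z mgmt-sw1 Gi1/0/2 192.168.100.10 -> 192.168.100.1 tcp/22
2024-05-01T10:00:09Z prod-sw1 Gi1/0/9 10.10.7.33 -> 192.168.100.1 udp/161
2024-05-01T10:00:12Z prod-sw1 Gi1/0/3 10.10.5.20 -> 10.10.1.10 tcp/23
"""


def parse_flows(text):
    """Yield one dict per well-formed flow record; malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts, switch, iface, src, dst, proto, port = m.groups()
        yield {"ts": ts, "switch": switch, "iface": iface, "src": src,
               "dst": dst, "proto": proto, "port": int(port)}


def audit_flow(flow):
    """Return the policy violations for one flow record (empty list means compliant)."""
    reasons = []
    key = (flow["proto"], flow["port"])
    if key in FORBIDDEN_PROTOCOLS:
        reasons.append(f"{FORBIDDEN_PROTOCOLS[key]} is disabled everywhere")
    if flow["switch"] in MGMT_SWITCHES:
        return reasons  # the management LAN is where management traffic belongs
    if ipaddress.ip_address(flow["src"]) in MGMT_LAN or ipaddress.ip_address(flow["dst"]) in MGMT_LAN:
        reasons.append("management LAN address seen on production network")
    if key in MGMT_PROTOCOLS and flow["dst"] in INFRA_PRODUCTION_IPS:
        reasons.append(f"{MGMT_PROTOCOLS[key]} to infrastructure device over production interface")
    return reasons


def audit(text):
    """Run every flow through the policy and return the offending ones with their reasons."""
    alerts = []
    for flow in parse_flows(text):
        reasons = audit_flow(flow)
        if reasons:
            alerts.append({"ts": flow["ts"], "src": flow["src"], "dst": flow["dst"], "reasons": reasons})
    return alerts
```

Run as-is, `audit(SAMPLE_FLOWS)` returns three alerts: SSH to the edge router's production address, an SNMP query addressed to the management LAN from a production port, and a Telnet attempt. The same policy is what the device ACLs in the first point enforce; auditing the flows as well gives the logging server evidence when the ACL fires.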
NIDS/NIPS Configuration
The proposed SGH network is designed as a fully switched network. However, a switched network makes it impossible for an IDS/IPS device to inspect all traffic passing through the switch, because the switch does not forward traffic to all ports. As suggested by Vosson JP (2005), to overcome this problem we use switches with port spanning (port mirroring) capability. In the SGH network we connect all NIDS/IPS devices to the spanning port of the switches. This allows the IDS to inspect all traffic passing through the switch regardless of the network segment or VLAN.
Content Security (Secure Email Communication)
Web and email content inspection appliances found in the market today help to send email messages securely using many encryption standards. Cisco, Norton and Juniper are some of the vendors who offer these appliances. Usually the appliance comes with a service plan from the provider. According to Westervelt R. (2005), the appliance attached to the local network helps to secure outbound email traffic through encryption, while the vendor provides security for incoming emails through its own managed data center. When an email is sent out to a user, it resides on the vendor's server and a link to it is sent to the receiver. Upon clicking the link, the receiver connects to the vendor's secure server over a secure connection and can securely receive and/or respond to the email if necessary. An encryption technique such as AES (Advanced Encryption Standard) is used to encrypt the email messages for maximum protection, and digital signatures can optionally be added to emails to ensure data integrity. This type of deployment helps SGH to obtain end-to-end email protection for health data communicated via email.
Centralized Network Admission Control Architecture
Network admission control is essential for a medical-grade network such as SGH because, apart from the medical devices and other hospital-managed endpoints that connect to the hospital network, guest wireless internet access computers, smart phones and PCs of remote clinics also need to use SGH network services. These devices can be infected with malware or, if not, they might lack sufficient endpoint security measures. Furthermore, there can be situations where a resident patient or a visitor tries to access the internet using the wired network ports that medical devices use to connect to the hospital network. In all these situations, from a security perspective, it is necessary to allow only the appropriate device in the correct place of the network in order to protect the hospital network. Through the use of NAC, devices that do not comply with the security policy can be kept out of the network, adding a layer of security.
Figure A4: Centralized NAC architecture for end devices
As shown in figure 2.3.1, NAC server/collector (Appendix) appliances are deployed at the entry points to the network, which are the network switches. When a device tries to connect to the hospital network, the NAC server intervenes in the communication and scans the device for compliance with the security requirements. The NAC server usually communicates with the device using a software agent program (Appendix B) that runs on the device that needs access. On the hospital's permanent workstations this software agent can be pre-installed, while for guest devices and remote clinic devices the NAC server allows the software to be downloaded and installed through a web-based interface when the device tries to access the SGH network for the first time. The agent software then scans the system to create a security status profile and communicates it to the NAC server.
The communication between the device, the NAC appliance (authenticator) and the NAC Manager (authentication service) uses a secure path. Passing the credentials over a secure channel mitigates common threats such as eavesdropping. The Extensible Authentication Protocol (EAP) (Appendix B) is used to establish a secure channel between the device and the authentication service.
Figure 2.3.1a: Device authentication process using secure channel
(source: Network Access Control, 2005, pg.3 )
The NAC server in turn communicates with the NAC manager, which holds a central repository of the minimum security requirements for each type of device and evaluates the end device's security profile against them. If the profile is compliant, the NAC manager communicates with the directory server to obtain the necessary network credentials and instructs the NAC server to allow or block the end device from accessing the network.
The NAC architecture is built on IEEE 802.1X (Appendix B) protocol-based authentication and authorization. 802.1X gives the ability to allow network access based on credentials supplied by either the user or the device (Barnes J., n.d.). The NAC server uses access control lists (ACLs) in its operation to enforce restrictions at port level for end devices.
NAC for Medical Devices
Non-authenticating or non-NAC endpoints, such as patient monitors and infusion pumps, need to be monitored over time to ensure that their behavior is consistent with their known device type. (Biomedical Network Admission Control, 2007)
Medical devices such as patient monitors, smart infusion pumps and MRI scanning systems are usually not capable of running third-party software. For this reason it is not possible to install a software agent on the medical device to profile it for NAC authentication. To overcome this problem, a NAC profiler server (Appendix B) can be used.
As shown in figure A4, pg. 21, the NAC server/collector appliance communicates with the NAC profiler server when a medical device is connected to a wall port of the hospital network. The profiler server contains a device profile for each medical device type that needs to be controlled through NAC. The medical device profile is built using information including the MAC address, the manufacturer, the embedded software running on these devices and the ports they should be connected to in the hospital network. The NAC profiler compares the data sent by the NAC collector describing the medical device with the device profile in its database and signals the NAC server appliance to allow or deny access.
By implementing network admission control for medical devices, network access can be easily denied to any device other than the approved medical devices on the ports designated for medical devices. This protects the network from malicious users and visitors accessing the network through these ports.
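As an added example (written for this edit, not the NAC vendor's or the proposal's code), the following Python model covers both admission paths described in this appendix: the agent-based posture check against the NAC manager's minimum requirements for workstations, remote clinic PCs and guest laptops, and the profiler match for agentless medical devices by MAC OUI, embedded software and permitted switch port. All policy values, OUIs, software names and port identifiers are constructed placeholders.

```python
from dataclasses import dataclass

# Minimum posture per endpoint class, as held by the NAC manager.
# Constructed policy values, not SGH's actual security policy.
POSTURE_POLICY = {
    "hospital_workstation": {"av_running": True, "max_patch_age_days": 14, "host_firewall": True},
    "remote_clinic_pc":     {"av_running": True, "max_patch_age_days": 30, "host_firewall": True},
    "guest_laptop":         {"av_running": True, "max_patch_age_days": 90, "host_firewall": False},
}

# Profiler database for agentless medical devices: MAC OUI (first three octets),
# the embedded software the device should report, and the switch ports it may use.
# OUIs, software names and port identifiers are constructed placeholders.
DEVICE_PROFILES = {
    "infusion_pump": {
        "oui": "00:1A:2B",
        "software": "PumpOS",
        "allowed_ports": {"ward-sw1:Gi1/0/10", "ward-sw1:Gi1/0/11"},
    },
    "patient_monitor": {
        "oui": "00:3C:4D",
        "software": "MonitorFW",
        "allowed_ports": {"icu-sw2:Gi1/0/1", "icu-sw2:Gi1/0/2"},
    },
}


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: tuple


def evaluate_agent_posture(endpoint_class: str, report: dict) -> Decision:
    """Agent-based path: the posture report from the endpoint is checked against
    the minimum requirements for its class. A missing field counts as a failure."""
    policy = POSTURE_POLICY.get(endpoint_class)
    if policy is None:
        return Decision(False, ("unknown endpoint class: " + endpoint_class,))
    failures = []
    if policy["av_running"] and not report.get("av_running", False):
        failures.append("antivirus not running")
    if report.get("patch_age_days", float("inf")) > policy["max_patch_age_days"]:
        failures.append("patches older than %d days" % policy["max_patch_age_days"])
    if policy["host_firewall"] and not report.get("host_firewall", False):
        failures.append("host firewall disabled")
    return Decision(not failures, tuple(failures) or ("compliant",))


def evaluate_agentless_device(mac: str, software: str, port: str) -> Decision:
    """Profiler path: match the observed device against a stored profile. A device
    must match a known OUI, report the expected software and sit on a permitted port;
    a laptop plugged into a medical-device port fails at the first step."""
    oui = mac.upper()[:8]
    for name, profile in DEVICE_PROFILES.items():
        if profile["oui"] != oui:
            continue
        if profile["software"] != software:
            return Decision(False, (f"{name}: unexpected software {software}",))
        if port not in profile["allowed_ports"]:
            return Decision(False, (f"{name}: not permitted on port {port}",))
        return Decision(True, (f"{name}: profile matched",))
    return Decision(False, ("no device profile matches OUI " + oui,))
```

The port check is the piece that implements the last paragraph above: a genuine pump moved to a lobby port is denied just as a visitor's laptop on a ward port is, because the profile ties the device identity to where it is expected to appear.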