In-Depth

Case Study: Protecting Hospitals’ Increasingly Networked Systems

HIPAA mandates penalties for data disclosure. Here's how a hospital went about finding an intrusion detection solution.

• By Mathew Schwartz
• 01/12/2005

What’s the price of privacy? When it comes to protecting patient information, the Health Insurance Portability and Accountability Act (HIPAA) mandates penalties for any health care organization that improperly divulges the personal information of a patient.

Yet what happens if an organization is hit with a denial-of-service or worm attack that either transmits personally identifying information outside the organization or takes down a critical-care network? Given the rise in the number of viruses and worms (and their tenacity), Rockford Health System decided finding out wasn’t worth the risk—whether to its patients, their information, or the hospital’s networks.

Rockford Health System, based in Rockford, Ill., is the largest health system serving northern Illinois and southern Wisconsin, and has over 3,500 health care professionals. Facilities include the hospital and its main clinic, plus 11 remote sites. “We’re an integrated hospital and primary care clinic—we’re one of the biggest outside of Chicago. We’re also a Level 1 Trauma Center,” says Joe Granneman, manager of networking and data security at Rockford Health System, and also the HIPAA security officer. The hospital is also the state-designated go-to point in the event of a region-wide medical emergency.

Protecting the hospital’s network has never been so important—or difficult. “We’re getting to the point where medical care is converging with networking, and it sounds weird, but we’re starting a project now where we’re putting heart monitors on the network, so doctors will be able to monitor them from home,” says Granneman. Obviously, keeping that system up and running, regardless of attack, is a priority.

Another network-oriented project aims to prevent incorrect drug administration. Before a nurse hangs an intravenous (IV) bag to administer medication to a patient, the nurse first barcode scans it. A pharmacy server then checks the bag against patient information to ensure the medicine isn’t outside parameters—perhaps it has to be administered once every eight hours, and was already administered two hours ago. “My biggest problem with that is not necessarily the IV pump, but how do I secure the pharmacy system, because it has to talk” to all of the IV pumps, says Granneman. To an attacker, “a pharmacy system is a pretty juicy system, just because it can dispense medications, all that kind of thing.”

Those concerns came to a head with an internally generated denial-of-service attack. “A consultant brought in a notebook, and it was infected with one of those viruses from a year or a year and a half ago—Blaster or Nachia,” he says. In short, the virus trolled the network so strongly for connections that it crashed the firewall. While no patient-facing systems were compromised, it led Rockford to plan a better network defense.

Researching IPS Help

Grannneman started by researching intrusion prevention system (IPS) products via industry publications and analysts’ reports. He eventually settled on the Top Layer Networks Attack Mitigator IPS. “At the time I bought the Top Layer [router], “ which was about a year and a half ago, “there weren’t a lot of products doing the intrusion prevention,” he says. Today the device sits in his network, just behind the router.

Initially, he tested the router on an isolated internal network, running attacks against it. “We’re only connected at T1 speeds, but just to be safe we hit it at 100 Megabit speeds with attacks—and the CPU stayed up,” he says. So Rockford adopted the router. Today, he says he receives updates via e-mail, then loads them into the box. Granneman says he’s happy with the product.

One feature he’d like, however, is Cisco ISL VLAN compatibility, something Top Layer doesn’t yet have plans to roll out. “Since I’m using Cisco ISL VLAN trunking on my network lines, the router doesn’t understand that, because I’m using VLAN,” he says. Today he has about 65 virtual LANs, and “it can only see one VLAN at a time.” The VLANs simplify network administration. “We have six VLANs per closet. We break the network up into Layer 3 boundaries, because it really helps us with traffic control and traffic prioritization.” If there’s a network infection—or a misbehaving piece of equipment, the VLANs also keep the problem isolated.

He also has two gigabit links for his network, and even though the IPS has 1-gigabit throughput, “since it’s doing load balancing across those two gigabit links, it might not see the return traffic.” So to compensate, he’s picking and choosing which of his most-critical servers to protect instead of protecting the entire network. “With health care, I want to make sure I have the critical patient-care information” especially protected, he says.

While protecting against external attacks is important, Granneman says just the products used internally can be a problem. Many health care products, however, “misbehave,” he observes. Some blood-gas meters, for example “multicast like crazy,” which can compromise network throughput.

“Health care is a nasty place to be in networking, because health care vendors don’t care if it works on your network or not; they’re going to sell to the physician. As a networking person, you have some say but not a lot,” he notes. In other words, if a physician likes a product, that product typically gets adopted.

Then there are infections to worry about. Recently, an employee hooked up another infected PC to the internal network. Thanks to the Top Layer firewall, "we contained the infection to only three or four machines, and we were able to shut down the port where those devices were talking. With Top Layer, it’s contained automatically."

Still, Granneman also monitors the intrusion prevention logs, especially to see if the IPS marks a host as malicious, which it does if the host generates enough malicious traffic. “So I’ll go through and just filter them out, so they can’t even communicate with us at all,” he says.

Of the 3,000 events per day the IPS flags, most, however, are false positives. “You really have to know what you’re looking for when you’re going through these logs,” he says, and especially know how specific applications behave. For example, he says many receiving mail servers today first scan the server sending the mail to see if it’s real, and that scan can resemble a SYN flood.

Looking for Endpoint Help

Having seen what automation can do for network security, Granneman is especially looking forward to endpoint security initiatives, such as Cisco’s Network Admission Control (NAC) and Microsoft’s Network Access Protection (NAP). “We’re really starting to look into it, because the VPN is a point of contention for me, because I can’t tell what’s on the other side of it,” he says. He wants to be able to scan PCs before they’re allowed to get full network access, to first vet their patch and antivirus level. “Most of the time your security problems aren’t a malicious person trying to bring the network down, it’s someone who’s just infected and comes into the network.”

For the future, Granneman also hopes antivirus companies will increasingly tackle spyware. "I hate to run both a virus scanner and an anti-spyware scanner on a machine, because it’s just so slow. You’re going to take a huge hit."

Related Article

Untangling Endpoint Security Initiatives
http://www.esj.com/security/article.aspx?EditorialsID=1230