Current chapter – Network segmentation approach


As discussed in Network segmentation - An introduction for health and care organisations, proper planning is crucial to achieve effective network segmentation. Below are some of the tasks we recommend you complete before implementing segmentation.


1. Create an asset inventory

One of the most important requirements for achieving effective network segmentation is for organisations to create and maintain an up-to-date inventory of all assets connected to the clinical network.

Data Security and Protection Toolkit (DSPT) section 9.3.8 states “The organisation maintains a register of medical devices connected to its network”. This will include all imaging diagnostics devices and categories - see imaging diagnostics component breakdown.

Asset discovery

You must prioritise creating an up-to-date inventory of all assets connected to the clinical network. Information related to the medical devices and other components connected to the network can be gathered via different means:

Existing data sources – found within your organisation, including, for example, clinical engineering, service management and commercial documentation

Vendor/manufacturer – either via the manufacturer's disclosure statement for medical device security form (MDS2) or other vendor device documentation. Note that the device IP address and hostname are assigned by the organisation, not the vendor.

Physical assessment – a manual inspection of the device by your staff, together with access to the device via its local terminal port, can reveal some of the above information.

Network devices – information such as hostnames, IP addresses and MAC addresses can be acquired from the network devices (for example routers and switches) connected to the same clinical network as the imaging diagnostic devices.

Discovery tools – discovery tools that specialise in connected medical devices (CMDs) are now widely available, and organisations are acquiring and deploying them on the network for a period (in listening mode) to identify the CMDs, the network traffic to and from the imaging diagnostic devices, and the communication protocols used.

Your subject matter experts should contact their regional security leads for advice on this emerging market and for recommendations on the most appropriate tool for your network.

MAC address lookup – device MAC addresses are useful when trying to identify imaging diagnostic devices connected to the network, including devices that are not otherwise identified. The manufacturer's organisationally unique identifier (OUI) can offer a clue to identifying the device on the network. Below are links to sites where you can search for a given device MAC address to identify the manufacturer, or for a manufacturer name to identify its OUI:

https://macaddress.io

MAC Vendor Lookup Tool and API

Wireshark - OUI lookup tool

For each device record at least the:

  • type, model, manufacturer
  • operating system (OS) type and version
  • hostname
  • IP address
  • MAC address
  • physical location
  • connected switch and port
  • installed applications
  • sensitivity of data transmitted, processed, or stored
  • importance to the delivery of clinical services
  • service contact information

2. Identify asset data flow

Another important task to complete before implementing network segmentation is to determine the types of asset an imaging diagnostic device communicates with as part of its normal operation. As with asset discovery in the section above, this information can either be supplied by the device manufacturer or identified by discovery tools deployed on the network. For each imaging diagnostic device, you are required to:

  • identify which resources it communicates with (internal and external) and why it communicates with the resource/s
  • determine which connections to/from medical devices are for clinical data transfers and which are non-clinical communications
  • determine the connection method used for the communication (for example over the network, WiFi, direct internet access or other)
  • identify the communications protocol used in the communication (such as HTTP, HTTPS, FTP, TLS, SSH, VPN tunnels)

3. Create a logical grouping of assets

Once assets have been identified, you should create logical groups and add imaging devices to them based on a common criterion such as functionality, physical location, or manufacturer.

You should decide your segmentation criteria based on your understanding of your environment and your risk posture, among other factors; these criteria are not mutually exclusive. For example, having a certain asset type spread across multiple segments could give better organisational resilience than having all those assets in one segment.


4. Create a topology diagram

Draw up a network topology map to show how the devices that are in scope communicate with associated devices and services, and how access can be enabled for remote updates to be delivered if this is appropriate for the device in question.
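The data-flow identification in section 2 and the topology diagram in section 4, as one added example that is not part of the guidance page. It takes constructed flow records for a single modality (the shape a discovery tool or NetFlow export would give you), works out which resources the device talks to, whether each is internal or external, and whether the connection is clinical, non-clinical or still unreviewed according to a service map that the organisation maintains (constructed here), and then renders the result as a Graphviz DOT graph that can be fed to `dot` to produce the topology diagram. All addresses, ports-to-service mappings and the clinical/non-clinical classification are assumptions for this example.

```python
"""Added example: device data-flow summary and DOT topology from constructed flows.
Not from the guidance page; addresses, service map and classifications are constructed."""
import ipaddress

# Constructed flow records: (src, dst, dst_port, proto), one imaging device as source.
SAMPLE_FLOWS = [
    ("10.20.1.15", "10.20.5.10", 11112, "tcp"),   # modality -> PACS (DICOM)
    ("10.20.1.15", "10.20.5.20", 2575, "tcp"),    # modality -> RIS (HL7 MLLP)
    ("10.20.1.15", "10.20.9.5", 445, "tcp"),      # modality -> file share
    ("10.20.1.15", "198.51.100.7", 443, "tcp"),   # modality -> external host
    ("10.20.1.15", "10.20.0.53", 53, "udp"),      # modality -> DNS
    ("10.20.1.15", "10.20.5.10", 11112, "tcp"),   # duplicate flow, collapsed below
]

# Organisation-defined service map (constructed): (dst, port) -> (name, classification).
SERVICES = {
    ("10.20.5.10", 11112): ("PACS", "clinical"),
    ("10.20.5.20", 2575): ("RIS", "clinical"),
    ("10.20.0.53", 53): ("DNS", "non-clinical"),
}

# Constructed address ranges treated as internal to the organisation.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Well-known port names, used only to label connections the service map does not know.
PORT_NAMES = {53: "DNS", 104: "DICOM", 443: "HTTPS", 445: "SMB", 2575: "HL7-MLLP", 11112: "DICOM"}


def classify_flow(dst, port):
    """Return (service_name, classification, location) for one destination/port.
    Connections absent from the service map are 'unreviewed' rather than guessed."""
    internal = any(ipaddress.ip_address(dst) in net for net in INTERNAL_NETS)
    location = "internal" if internal else "external"
    name, cls = SERVICES.get((dst, port), (PORT_NAMES.get(port, f"port {port}"), "unreviewed"))
    return name, cls, location


def summarise(flows, device):
    """Unique connections originating from `device`, each with its classification."""
    seen = {}
    for src, dst, port, proto in flows:
        if src != device:
            continue
        key = (dst, port, proto)
        if key not in seen:
            name, cls, location = classify_flow(dst, port)
            seen[key] = {"resource": dst, "port": port, "proto": proto,
                         "service": name, "class": cls, "location": location}
    return list(seen.values())


def needs_review(connections):
    """Connections the organisation has not yet classified as clinical or non-clinical."""
    return [c for c in connections if c["class"] == "unreviewed"]


def to_dot(device, connections):
    """Render the device and its connections as a Graphviz DOT digraph.
    Clinical links are solid, everything else dashed, external hosts double-outlined."""
    lines = ["digraph topology {", f'  "{device}" [shape=box];']
    for c in connections:
        if c["location"] == "external":
            lines.append(f'  "{c["resource"]}" [peripheries=2];')
        style = "solid" if c["class"] == "clinical" else "dashed"
        label = f'{c["service"]} {c["proto"]}/{c["port"]} ({c["class"]})'
        lines.append(f'  "{device}" -> "{c["resource"]}" [label="{label}", style={style}];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    conns = summarise(SAMPLE_FLOWS, "10.20.1.15")
    print(to_dot("10.20.1.15", conns))
    print("to review:", [(c["resource"], c["port"]) for c in needs_review(conns)])
```

Leaving unknown connections as "unreviewed" rather than silently labelling them non-clinical is deliberate: the list returned by `needs_review` is the set of flows a clinical engineer or the vendor must explain before the segmentation policy is written.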


5. Perform a risk assessment

Based on all the information acquired, we recommend that you undertake a risk assessment to determine the most appropriate segmentation strategy to adopt. You should consider the various factors defined in the Network segmentation - An introduction for health and care organisations.

A risk assessment should be undertaken with a clinical safety officer to ensure that any segmentation strategy is compliant with clinical safety and that service disruption is in accordance with your business continuity plan.

Your trust's subject matter experts can use any risk assessment methodology or reference a risk assessment standard (for example ISO27005, ISO31000 or NIST SP 800-30).


6. Network segmentation methodologies

As stated in Network segmentation - An introduction for health and care organisations, you can use different methodologies to achieve effective network segmentation including, for example:

  • demilitarized zone (DMZ)
  • virtual local area network (VLAN)
  • micro-segmentation
  • software-defined networking (SDN)

In this chapter we describe how to implement network segmentation using VLANs.

Below is a simple definition of the network segmentation methodologies. It is not a detailed overview of the various implementation and configuration options applicable to each methodology.

Virtual local area network (VLAN)

In its simplest form, a VLAN partitions a physical network into independent, isolated segments, each of which is its own broadcast domain. It enables a group of devices located in various local area networks (LANs) to be combined into one logical virtual network that is administered like a physical LAN.

A VLAN can be configured to span multiple physical network segments. Devices or network nodes in different physical locations, and on one or several separate LAN segments, can then communicate with each other as if they were located in a single LAN.

VLANs provide logical segmentation of an organisation's network by creating separate broadcast domains. Assets assigned to a VLAN are logically grouped together based on a common criterion defined by the organisation, for example functionality, department, criticality or data sensitivity.

Private VLAN (PVLAN) and Virtual Extensible local area network (VXLAN) are other VLAN variants which provide additional network segmentation options to network subject matter experts considering how to achieve effective network segmentation.

VLAN configuration approaches

You can employ different VLAN configuration approaches, such as:

  • port assignment
  • IP subnet
  • MAC address
  • application
  • device assignment
  • protocol assignment
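The port-assignment and IP-subnet approaches listed above, as an added example that is not part of the guidance page. It takes inventory records that already carry a logical group (section 3) and the connected switch and port (section 1), maps each group to a VLAN from a constructed plan, and runs two checks a network engineer would want before touching a switch: that every device's IP address falls inside the subnet planned for its VLAN, and that no switch port is claimed by two devices. It then renders per-switch access-port configuration in illustrative Cisco IOS-style syntax. VLAN IDs, subnets, switch names, port names and the records themselves are assumptions.

```python
"""Added example: port-assignment VLAN plan with subnet and port-conflict checks.
Not from the guidance page; VLAN plan, inventory records and IOS-style syntax are illustrative."""
import ipaddress
from collections import defaultdict

# Constructed plan: one VLAN per logical group, with the subnet each is expected to use.
VLAN_PLAN = {
    "imaging-ct": {"vlan": 110, "subnet": "10.20.110.0/24"},
    "imaging-mri": {"vlan": 120, "subnet": "10.20.120.0/24"},
    "pacs": {"vlan": 200, "subnet": "10.20.200.0/24"},
}

# Constructed inventory records (a subset of the fields listed in section 1).
INVENTORY = [
    {"hostname": "ct-01", "group": "imaging-ct", "ip_address": "10.20.110.15", "switch": "sw-rad-1", "port": "Gi1/0/1"},
    {"hostname": "ct-02", "group": "imaging-ct", "ip_address": "10.20.120.16", "switch": "sw-rad-1", "port": "Gi1/0/2"},  # wrong subnet
    {"hostname": "mri-01", "group": "imaging-mri", "ip_address": "10.20.120.20", "switch": "sw-rad-1", "port": "Gi1/0/3"},
    {"hostname": "pacs-01", "group": "pacs", "ip_address": "10.20.200.10", "switch": "sw-dc-1", "port": "Gi1/0/1"},
    {"hostname": "pacs-02", "group": "pacs", "ip_address": "10.20.200.11", "switch": "sw-dc-1", "port": "Gi1/0/1"},  # port clash
]


def unknown_groups(inventory, plan=VLAN_PLAN):
    """Logical groups present in the inventory but absent from the VLAN plan."""
    return sorted({r["group"] for r in inventory if r["group"] not in plan})


def subnet_mismatches(inventory, plan=VLAN_PLAN):
    """Devices whose IP address is outside the subnet planned for their VLAN
    (the IP-subnet approach and the port-assignment approach would disagree)."""
    bad = []
    for rec in inventory:
        net = ipaddress.ip_network(plan[rec["group"]]["subnet"])
        if ipaddress.ip_address(rec["ip_address"]) not in net:
            bad.append((rec["hostname"], rec["ip_address"], str(net)))
    return bad


def port_conflicts(inventory):
    """Switch ports that more than one device claims; an access port carries one VLAN."""
    by_port = defaultdict(list)
    for rec in inventory:
        by_port[(rec["switch"], rec["port"])].append(rec["hostname"])
    return {k: v for k, v in by_port.items() if len(v) > 1}


def render_access_ports(inventory, plan=VLAN_PLAN):
    """Return {switch: [config lines]} in illustrative IOS-style syntax.
    Refuses to render while the inventory still contains port conflicts or unknown groups."""
    if unknown_groups(inventory, plan):
        raise ValueError(f"groups without a VLAN: {unknown_groups(inventory, plan)}")
    if port_conflicts(inventory):
        raise ValueError(f"resolve port conflicts first: {port_conflicts(inventory)}")
    out = defaultdict(list)
    for rec in sorted(inventory, key=lambda r: (r["switch"], r["port"])):
        vlan = plan[rec["group"]]["vlan"]
        out[rec["switch"]] += [
            f"interface {rec['port']}",
            f" description {rec['hostname']} ({rec['group']})",
            " switchport mode access",
            f" switchport access vlan {vlan}",
        ]
    return dict(out)


if __name__ == "__main__":
    print("subnet mismatches:", subnet_mismatches(INVENTORY))
    print("port conflicts:", port_conflicts(INVENTORY))
    for switch, lines in render_access_ports(INVENTORY[:4]).items():
        print(f"! {switch}")
        print("\n".join(lines))
```

Both checks catch real inventory errors: a device recorded with an address from another VLAN's subnet will lose connectivity the moment its port is moved, and a port recorded against two devices usually means a stale record or an unmanaged switch between the device and the access port.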

Software-defined networking

SDN is a relatively new concept in networking that uses software-based controllers or application programming interfaces (APIs) to communicate with underlying hardware infrastructure and direct traffic on a network. The network control and forwarding planes are separated, allowing the network to be intelligently and centrally controlled using software applications deployed on SDN controllers as depicted in figure 1 below:

Figure 1: Software-defined networking

This diagram illustrates the 3 planes of network communication: the application plane, the control plane, and the data plane.

The SDN controller sits between network applications and hardware to direct network traffic.

APIs (such as RESTful API or Java API) are used for communication between the SDN controller and network applications.

The SDN controller communicates with the forwarding devices (hardware) via APIs using protocols such as OpenFlow, OVSDB, NETCONF and SNMP.

Micro-segmentation and zero trust model

The zero trust model (ZTM) is a security model that takes a 'never trust, always verify' approach to security and, unlike traditional networking models, it recognises that malicious threats and actors can be either external or internal. It therefore requires granular verification of user and device identity, whereby access to resources is granted based on the principle of least privilege, no matter where the user is located in relation to the network perimeter.

The National Cyber Security Centre (NCSC) defines zero trust as an architectural approach where inherent trust in the network is removed, the network is assumed hostile, and each request is verified based on an access policy.

With zero trust, organisations increasingly use identity-based and device-based controls for enforcement instead of traditional IP address/access-list based segmentation.

Micro-segmentation is a technique used to achieve zero trust by dividing a network into secure zones, enabling the isolation of workloads by applying security policies at a granular level. The deployed security policies ensure that only authorised users, endpoints and other assets (including CMDs) can access the applications and data housed in each micro-segment.

Essentially micro-segmentation creates separation between resources on the network using software policies, instead of configuring it at the hardware level. By deploying these security policies, network subject matter experts can determine what resources or services each segment is allowed to access. Various approaches can be adopted to achieve micro-segmentation, for example:

  • application segmentation
  • environmental segmentation
  • user segmentation
  • process/service-level segmentation
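The zero trust and micro-segmentation principles described above ('never trust, always verify', least privilege, identity- and device-based controls, and policies that state what each segment may access), as an added example that is not part of the guidance page. It is a minimal policy evaluator: a request is denied unless the requesting device is a known inventory entry and an allow rule explicitly matches the verified user role, the device's logical group, the destination workload and the port, so the default is deny. It also lists what a given segment is permitted to reach, which is the output a network subject matter expert needs when writing the policy. Roles, device ids, groups, services and ports are all constructed.

```python
"""Added example: default-deny micro-segmentation policy evaluation.
Not from the guidance page; identities, device groups, services and ports are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user_role: str      # identity attribute already verified by the identity provider
    device_id: str      # identifier of the endpoint making the request
    dest_service: str   # workload inside a micro-segment, e.g. "pacs-archive"
    port: int


# Constructed inventory extract: device id -> logical group from the asset inventory.
KNOWN_DEVICES = {
    "ct-01": "imaging-ct",
    "ws-rad-07": "reporting-workstation",
}

# Allow rules: (user_role or "*" for any role, device_group, dest_service, port).
# A modality has no interactive user, hence the "*" role on its rule.
ALLOW_RULES = [
    ("*", "imaging-ct", "pacs-archive", 11112),               # store studies via DICOM
    ("radiologist", "reporting-workstation", "pacs-viewer", 443),
    ("radiographer", "reporting-workstation", "ris", 2575),
]


def evaluate(req, rules=ALLOW_RULES, devices=KNOWN_DEVICES):
    """Return (decision, reason). Unknown devices are denied before any rule is
    consulted; otherwise the first matching allow rule wins and nothing else does."""
    group = devices.get(req.device_id)
    if group is None:
        return "deny", f"device {req.device_id!r} not in inventory"
    for role, dev_group, service, port in rules:
        role_ok = role == "*" or role == req.user_role
        if role_ok and dev_group == group and service == req.dest_service and port == req.port:
            return "allow", f"rule ({role}, {dev_group}, {service}, {port})"
    return "deny", "no matching allow rule"


def reachable_services(group, rules=ALLOW_RULES):
    """Everything a segment may reach: the 'what each segment is allowed to access' view."""
    return sorted({(service, port) for _, g, service, port in rules if g == group})


if __name__ == "__main__":
    for req in (
        Request("radiologist", "ws-rad-07", "pacs-viewer", 443),
        Request("radiographer", "ws-rad-07", "pacs-viewer", 443),
        Request("", "ct-01", "pacs-archive", 11112),
        Request("radiologist", "laptop-unknown", "pacs-viewer", 443),
    ):
        print(req, "->", evaluate(req))
    print("reporting-workstation may reach:", reachable_services("reporting-workstation"))
```

The two checks that run before any rule is consulted (is the device known, and is the identity attribute the one the rule names) are what distinguishes this from a traditional address-based access list: a request from an unregistered device on a permitted subnet is still denied.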

Last edited: 15 November 2023 4:42 pm