Network segmentation - An introduction for health and care organisations
Guidance on the use of network segmentation to prevent or mitigate the effects of a cyber attack, and the challenges associated with implementing network segmentation within the health and care environment.
Introduction
Cyber-attacks are increasing in frequency and sophistication. Due to the ever evolving and increasingly digital nature of health and care, organisations are becoming more susceptible to such attacks. Cyber attackers find the networks of healthcare organisations attractive for two main reasons:
- They are a rich source of personal confidential data.
- These networks usually consist of different types of devices and technologies with inadequate security controls.
As an example, in December 2021 the Health Service Executive (HSE), a large geographically spread organisation which provides all of Ireland’s public health services, published the report of an independent review into the ransomware cyber attack on its IT systems which took place in early 2021. The report identified that the HSE's National Healthcare Network:
“is primarily an unsegmented (or undivided) network… This network architecture, coupled with a complex and unmapped set of permissions for systems administrators… enabled the Attacker to access a multitude of systems across many organisations and create the large-scale impact that they did.”
This is the concept of lateral movement.
Lateral movement consists of techniques that cyber threat actors use to gain control of remote systems and thereafter, consolidate their position on the network. The National Cyber Security Centre (NCSC) associates the following activities with lateral movement:
Reconnaissance: “Following the initial compromise of a host, the first step in lateral movement is to perform internal reconnaissance of the network. This gives the attacker an idea of their location within the network, and its overall structure.”
Privilege Escalation: “To solidify their presence and maintain persistence, the attacker will usually try to compromise additional hosts and escalate their privileges, ultimately gaining control of their target (such as a domain controller, a critical system, or sensitive data). Any credentials that the attacker collects will give them (what appears to be) legitimate access to more hosts and servers.”
Sabotage: “Once the goal or target has been reached, data can be exfiltrated, or systems and devices sabotaged.”
The intended audience for this document is the employees of health and care organisations responsible for the architecture, design, implementation, maintenance, and improvement of their network security, including senior information risk owners (SIROs) and data protection officers (DPOs) contributing to asset inventory and classification information relevant to making a success of network segmentation.
The case for network segmentation
Network segmentation improves network security by creating smaller network segments of assets grouped by defined criteria and granting access only to traffic authorised by an approved security policy. Network segmentation also greatly increases the difficulty for an attacker to reach their goal once in the network, as their point of entry may not have any means of reaching the target sensitive data or critical asset.
A properly segmented network will improve network security by limiting the 'blast radius' of any cyber-attack. It mitigates the lateral spread and impact of malicious code across the network by:
- containing traffic within each network segment
- reducing the attack surface
- limiting the adverse impact of a cyber security incident, helping organisations recover with minimal impact on patient outcomes
In addition, network performance may be improved as only authorised traffic is permitted to and from assets on the network whilst unauthorised traffic is blocked.
Network segmentation is only part of the overall set of controls required to improve the security of an organisation’s network. It should also include other controls such as:
- regular and up-to-date patching of assets (for example software, application and security patches)
- regular vulnerability scanning and penetration testing of the network (internal and external)
- continuous monitoring of the network to identify suspicious activities
- audit logging of user activities on assets, enabled to provide audit trail evidence and support future forensics
- robust and regularly reviewed access control policies
Possible options for segmenting the network
Organisations can choose from a variety of methods when deciding to implement network segmentation on their local area network (LAN). For example:
Demilitarised zone (DMZ) – A DMZ can be described as a perimeter sub-network between the public internet and the organisation’s internal network, adding a layer of security to inbound traffic. Organisations could investigate the possibility of creating DMZs as an initial step in introducing segmentation.
Virtual local area network (VLAN) – A VLAN can be described as a custom network created from one or more local area networks enabling a group of devices to be combined into one logical network. The result becomes a virtual LAN that is administered like a physical LAN, and each network segment is an independent logical unit. VLAN segmentation must be accompanied by layer 3 inspection to achieve effective segmentation, and additional controls are required to restrict inter-VLAN traffic.
Network access control lists (NACL) – An NACL is an approved list of authorised traffic which can be used to implement segmentation at the network layer ensuring that only approved traffic, contained in the NACL, is allowed to enter a network segment. An example is 802.1X or MAC authentication ACLs, which apply specific ACLs to a device or device group, no matter where in the network the device is located.
Application Segmentation – This refers to the method of segmenting applications from the rest of the network.
Zero trust security – Abolishes the concept of a trusted network within an organisation's corporate perimeter and advocates creating micro perimeters of control around critical assets and enforcing strict access controls, network segmentation and identity management.
Micro segmentation – Micro segmentation is a technique used to divide a network into secure zones allowing the isolation of workloads by applying security policies at a granular level. Each micro segment is responsible for ensuring that only authorised endpoints can access the applications and data housed within it.
Software-defined networking (SDN) – SDN is a relatively new concept in networking where the network control and forwarding planes are separated, allowing the network to be intelligently and centrally controlled using software applications deployed on SDN controllers.
Recommended network segmentation focus areas
Organisations may wish to implement network segmentation in separate areas of the network, potentially in phases based on the result of an internal risk assessment to avoid disruption to service. The focus areas below are not an ordered list but will depend on your specific network landscape and circumstances. Examples include, but are not limited to:
Information technology (IT): assets connected to the network including applications, computers, servers, appliances, network devices (such as switches, routers, hubs, firewalls), laptops, desktops, tablets and office peripherals (such as printers, scanners, copiers).
Internet of things (IoT) devices: these devices can communicate over the internet - for example CCTV, voice control devices and alarm systems.
Medical devices: due to their criticality and sensitivity medical devices should be segmented from the network. Examples include MRI or CT scanners, ultrasound and X-ray devices.
Internet of Medical Things (IoMT): internet-connected medical assets used to connect healthcare information – for example ventilators, infusion pumps, insulin pumps and IV pumps.
Operational technology (OT): devices built to perform monitoring and/or control functions in automation systems – for example building and automation systems, HVAC and water pumps.
Backups: organisations should look to segment their data backups from the network to isolate them from a potential cyber-attack, in particular ransomware.
Management plane: the network management and traffic monitoring interfaces should be segmented away from production interfaces. An out-of-band IP network dedicated to device management means side-to-side access between network devices can be effectively removed if a production IP address or network is compromised. Access to the management network can then be strictly controlled with ease, with access control and authentication onto the devices locked to just the management port.
Demilitarised zones (DMZ): usually a logical segment used to separate an organisation’s local network from external untrusted sources – for example the internet.
Wireless zones: wireless devices and environments should be properly segmented on the network and corporate wireless zones should be segmented from public/guest access. In addition, blocking direct device to device traffic within a wireless network (client isolation) can help block lateral movement.
Network segmentation technologies
A host of technologies can be used to implement the different network segmentation options available to healthcare organisations:
Stateful firewalls – These are intelligent layer 4 policy enforcement devices that can be used for effective network segmentation. They enforce installed firewall policies that should normally allow only traffic explicitly permitted to and from a network segment and deny all other traffic.
Routers – Routers are layer 3 network devices used to connect networks, forwarding data packets between network segments. Routers enforce rules defined in NACLs, directing traffic from one network segment to another based on source/destination IP addresses, protocol, service and port numbers.
Switches – Switches are devices that can operate at either layer 2 or 3 of the Open Systems Interconnection (OSI) model and can be used to implement VLAN segmentation, grouping assets into logical domains and forwarding traffic between segments. In addition, layer 2 or layer 3 ACLs can be implemented on most managed switches.
SDN controllers – In software-defined networking, the control plane is regarded as the intelligent hub of SDN, provided by centralised SDN controller software. SDN controllers intelligently manage all network traffic decisions communicating via API to the network applications (application layer) and physical switches (data layer) in the various network segments.
Virtual routing and forwarding (VRF) – VRFs can be described as the TCP/IP layer 3 equivalent of a VLAN. VRF technology enables multiple instances of a network routing table to co-exist on a router at the same time. A VRF can be configured on one or more physical or logical interfaces and, because the VRFs do not exchange routing information, packets are forwarded between interfaces on the same VRF only.
Organisations can also choose to deploy a combination of technologies to segment different parts of their network as determined during the planning and design phase.
Best practices for healthcare organisations
We recommend following the guidance below to achieve effective network segmentation.
Asset Inventory
Create an inventory of all assets on the network. For example, applications, software, servers, network appliances, medical devices, computers and tablets, office peripherals, wireless access points and printers.
For each asset, record the:
- type and model
- operating system (OS) type and version
- hostname
- IP address
- physical location
Asset functionality
Identify and document the main function(s) of each asset in the inventory list.
Asset classification
Use a relevant methodology to classify each asset based on:
- the sensitivity of the data it processes or stores (for example personal confidential data, personally identifiable information (PII), internal or public data)
- criticality to the delivery of health and care services
- business criticality and impact, for example critical national infrastructure
Asset communication
For each asset in the inventory:
- identify which resources it communicates with, and why
- determine which connections to/from medical devices are for clinical data transfers and which are non-clinical communications
- identify how access can be enabled for remote updates to be delivered if this is appropriate for the device in question
- determine the connection method used for communication (for example within the local wired or wireless network, direct internet access, or other)
- identify the communications protocol used in the communication (such as HTTP, HTTPS, FTP, TLS, SSH or VPN tunnels)
- draw up a network topology map to show how the devices that are in scope communicate with associated devices and services
Logical segmentation
Assign and segment assets into logical groups based on appropriate organisation-defined criteria. For example:
- critical network infrastructure - such as Active Directory servers, DNS servers, system management servers, backups, mail servers or out-of-band management
- functionality – department, role or associations for example
- device types – such as medical devices, medical computers, network appliances, servers and office peripherals
- technologies – such as IoT, IoMT, OT and IT
- connectivity requirements – WiFi, internet accessible, local only, extranet accessible or a combination, considering both inbound and outbound connectivity
Risks and challenges to segmenting the network
The overall security posture of an organisation’s network is only as good as its weakest link, and network segmentation is an effective tool for reducing such weak links. Some of the risks and challenges to effective network segmentation include:
- Poor planning - This is probably the most important aspect of network segmentation, as improper or insufficient planning can result in poor segmentation, which could lead to service disruption. Organisations should devote sufficient time and resources to the planning, design, and implementation effort necessary to achieve effective network segmentation. Factors to consider should include a full audit of the existing network, options for segmentation, required technical expertise, and an assessment of the necessary investment to commit to the task.
- Incomplete asset inventory - Lack of an up-to-date inventory of assets on the network is a common obstacle to achieving effective network segmentation.
- Inter-device communication - Understanding the full requirements of network traffic is important to avoid unintended disruption to network communication as a result of segmentation.
- Over-segmentation - Due care must be taken not to create extremely complex and over-restrictive segmentation which can be counterproductive and lead to inaccessible assets on the network.
- Insufficient segmentation - Insufficient network segmentation can lead to weak security spots on the network which can be exploited and undermines the objective of segmentation.
- Poor access control management - Effective network segmentation must be accompanied by proper access control management of users, network devices, applications, etc. to ensure access to system components is explicitly granted on a need-to-know and least-privilege basis.
- Poor IP address management - A strong and well-defined IP address schema is an important factor when considering the segmentation design, especially when linking into VRFs, routing and firewall rule design.
- Choosing an appropriate solution - Each organisation should choose the most appropriate segmentation option and technology for its network, taking into consideration implementation cost, legacy systems, current and future business requirements, etc.
Segmenting medical devices and infrastructure components on a network must be undertaken with due care and robust understanding of the associated risks, as security needs must be balanced with patient care.
Medical devices present unique risks and challenges to effective network segmentation for the following reasons:
Differences in device types – Medical devices are manufactured with different technologies (such as IoMT and IT), and segmenting the different technologies requires different strategies.
External connectivity requirements – Medical devices often need connectivity to external vendors, such as for software updates and patches. Any segmentation strategy must ensure necessary communication is not blocked as this could affect device functionality. A thorough and detailed understanding of each external connection is required prior to segmentation.
Internal connectivity requirements – Most medical devices require connectivity to resources within the organisation, to deliver healthcare services. Any segmentation strategy must ensure such communication channels remain available to avoid risk to patient safety.
Organisations may also maintain various network-connected, non-IT devices that perform critical functions – for example building automation systems, HVAC, water pumps and other operational technology. These present similar challenges and a detailed understanding of requirements is necessary before segmenting.
Network segmentation principles
Below are some network segmentation principles that organisations should adopt in the process of implementing network segmentation:
- Network access control policies should enforce the principle of least privilege, which states that devices should be granted only the minimum level of access, connectivity and permissions required to perform their functions.
- Organisations should ensure that their most critical assets are deployed in the most secure network zones.
- Devices categorised as untrusted should be segmented from the corporate network.
- Defined segmentation rules and access control policies should be enforced per segment via relevant technologies to achieve effective network segmentation.
- East-west traffic should be controlled at a protocol, service, port and IP address level.
- Remote access connectivity must be restricted and controlled for connected medical devices that require such connections.
- Segment network management interfaces from production zones.
- Restrict external connectivity to workstations that connect to repositories of personal confidential data for example PACS, RIS or LIMS.
- Automation should be adopted in implementing network segmentation where possible.
- Organisations should comply with NCSC’s CAF B4 and B5 principles when designing segmentation of their networks.
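The best practices above (asset inventory, documented asset communication, logical segmentation) and the principles just listed (default-deny, least privilege, east-west control at protocol/port/IP level) can be checked against real traffic before a cut-over. The following is an added example, not code from NHS England, NCSC or any vendor: it groups a constructed inventory into segments, turns documented communication needs into explicit allow rules, and reports which observed flows the policy would block, flagging addresses missing from the inventory separately. All hostnames, addresses, segment names and rules are made up.

```python
"""Segment policy check for observed flows: constructed example, not code from
NHS England, NCSC or any vendor. Every segment pair is default-deny and only
documented communication needs become allow rules; all values are made up."""
from ipaddress import ip_address, ip_network

# Constructed inventory: hostname -> (segment, IP address).
INVENTORY = {
    "ws-ward3-01":     ("IT", "10.10.1.25"),
    "pacs-srv-01":     ("CLINICAL-APP", "10.20.0.10"),
    "mri-scanner-1":   ("MEDICAL", "10.30.0.5"),
    "infusion-pump-7": ("IOMT", "10.31.0.17"),
    "bkp-srv-01":      ("BACKUP", "10.40.0.2"),
    "sw-core-01":      ("MGMT", "10.99.0.1"),
}
SEG_BY_IP = {ip: seg for seg, ip in INVENTORY.values()}
SITE_NETWORKS = [ip_network("10.0.0.0/8")]  # the organisation's IP schema (constructed)

# Documented requirements as (src_seg, dst_seg, proto, dport); all else is denied.
ALLOW = {
    ("IT", "CLINICAL-APP", "tcp", 443),       # ward PC to PACS web viewer
    ("MEDICAL", "CLINICAL-APP", "tcp", 104),  # DICOM from modality to PACS
    ("CLINICAL-APP", "BACKUP", "tcp", 443),   # backup agent pushes to vault
    ("MGMT", "MEDICAL", "tcp", 22),           # out-of-band admin path only
}

def segment_of(ip: str) -> str:
    """Addresses outside the site schema are EXTERNAL; site addresses missing
    from the inventory are UNKNOWN (an inventory gap that must be closed)."""
    if not any(ip_address(ip) in net for net in SITE_NETWORKS):
        return "EXTERNAL"
    return SEG_BY_IP.get(ip, "UNKNOWN")

def evaluate(flow: dict) -> tuple[str, str]:
    """Return (verdict, reason) for a flow with keys src, dst, proto, dport."""
    src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
    if "UNKNOWN" in (src_seg, dst_seg):
        return "deny", "asset missing from inventory"
    if src_seg == dst_seg:
        return "allow", f"intra-segment {src_seg}, no boundary crossed"
    key = f"{src_seg}->{dst_seg} {flow['proto']}/{flow['dport']}"
    if (src_seg, dst_seg, flow["proto"], flow["dport"]) in ALLOW:
        return "allow", f"matches rule {key}"
    return "deny", f"no rule for {key}"

# Constructed flow records, as exported from a firewall or NetFlow collector.
FLOWS = [
    {"src": "10.10.1.25", "dst": "10.20.0.10",  "proto": "tcp", "dport": 443},
    {"src": "10.30.0.5",  "dst": "10.20.0.10",  "proto": "tcp", "dport": 104},
    {"src": "10.10.1.25", "dst": "10.40.0.2",   "proto": "tcp", "dport": 445},
    {"src": "10.10.1.25", "dst": "10.99.0.1",   "proto": "tcp", "dport": 22},
    {"src": "10.31.0.17", "dst": "203.0.113.9", "proto": "tcp", "dport": 443},
    {"src": "10.10.1.77", "dst": "10.20.0.10",  "proto": "tcp", "dport": 443},
]

def denied_flows(flows: list) -> list:
    """Flows the policy would block; review each against documented needs."""
    return [(f, evaluate(f)[1]) for f in flows if evaluate(f)[0] == "deny"]

if __name__ == "__main__":
    print(*denied_flows(FLOWS), sep="\n")
```

Of the six sample flows, the two clinical ones pass; the workstation-to-backup SMB flow, the workstation-to-switch SSH flow and the infusion pump's outbound connection are denied for lack of a documented rule, and the flow from an address absent from the inventory is denied as an inventory gap rather than a policy decision.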
References
National Cyber Security Centre - 10 steps to cyber security
National Cyber Security Centre - Preventing lateral movement
Implementing Network Segmentation and Segregation - Cyber.gov.au
Architecting network segmentation - CERT NZ
Cybercriminals targeting critical healthcare institutions with ransomware (interpol.int)
HSE publishes independent report on Conti cyber attack
Guidance on protecting medical devices - NHS Digital
NCSC Cyber Assessment Framework (CAF) guidance
National Security Agency Cybersecurity Technical Report - Network Infrastructure Security Guidance
Last edited: 29 November 2023 5:25 pm