The Evolving Scope of Web Security in the Healthcare Space

Iain Lumsden, GSLC, GCTI, GCED, Director of Information Security, Denver Health

We have seen a big change in how we connect to and use the internet in our daily lives, from both a personal and a business perspective. As technology has developed, more and more devices now require internet connectivity to function, and this increased utilization has changed the way we look at web security.

Going back ten years, we were primarily focused on blocking malicious websites, scanning for malware, and enforcing human resource policies around acceptable use. This was typically done via internet proxies through which all outbound internet connectivity for corporate assets passed. Most of the traffic was not encrypted and could be examined in plain text, which helped protect corporate assets as well as reducing the risk of data exfiltration.

Over time we have seen a dramatic increase in the development of Software as a Service (SaaS) and Infrastructure as a Service (IaaS) platforms, which have changed the way we interact with web-based services. At the same time, more websites and services are leveraging encryption, which has made it harder to evaluate the traffic being sent or received.

It has become important for organizations to have a method to decrypt web traffic being sent or received, to ensure that risks are identified and dealt with appropriately. Malicious actors, who traditionally used unencrypted methods to distribute malware or exfiltrate data, are now leveraging encrypted sessions more than ever to try to avoid detection.

Decrypting web traffic is a very important part of any security program these days, and even more so when you are talking about Data Loss Prevention (DLP). In the healthcare industry, like many others, we need to ensure that Protected Health Information (PHI) and Personally Identifiable Information (PII) are being shared appropriately and securely. To ensure this is happening, we need to be able to decrypt internet traffic so that a DLP system can analyze it and confirm that no data exfiltration is taking place. Without that decryption in place, we would be blind to what data is being uploaded to an HTTPS website, and this is a risk that needs to be addressed.

At the same time, we need to be able to decrypt that traffic to help detect and prevent exploit kits such as Rig, Angler, and Nuclear from delivering malware into our network. These exploit kits have been used to spread ransomware, banking trojans, keyloggers, and remote access trojans. They typically compromise legitimate websites and then redirect unsuspecting users to a different location, which evaluates the endpoint for certain vulnerabilities. If a vulnerability exists on the endpoint, the kit triggers the malware payload, leveraging that vulnerability to establish itself on the computer and ultimately within the corporate network.

Because of the threats of data exfiltration and endpoint compromise, web security must be an area of focus for any organization. There are public and private threat intelligence feeds that can be leveraged within a web security solution to block identified websites that may have been compromised, and the solution can also be tuned to block access more aggressively to sites with a poor web reputation. Through a defense-in-depth methodology, we can examine the reputation of a web application or site, analyze the traffic being sent and received, and use Intrusion Prevention Systems (IPS) to reduce the overall risk.

Ransomware has been a big topic for many different industries in the past five years, and this is especially true in healthcare. Payloads can be delivered via e-mail or exploit kits, but for them to function they need a connection to the internet to retrieve encryption keys and gather further instructions through a command and control (C2) connection. Because these connections go over the internet, controls can be applied to stop them, or at least to detect when they occur and alert information security personnel to respond. To reduce the risk of ransomware, it is important to have strong e-mail and web security controls in place.

The biggest challenge all organizations are experiencing at the moment when it comes to web security is the rapid adoption of Internet of Things (IoT) devices. While the focus has traditionally been on securing devices within the corporate network, the increase in IoT devices has changed that model, and we now have to protect more devices that connect to the internet outside of the organization's traditional controls. This is especially true in healthcare, where more consumer and commercial biomedical devices are being leveraged. These devices are improving how we can provide healthcare to patients outside of hospitals and clinics, with connectivity to Electronic Health Record (EHR) systems. This allows real-time monitoring to take place and reduces the number of visits a patient might need to make to their primary care provider. While this change is beneficial from a patient care perspective, it is an area we need to be thinking about when it comes to web security.

Instead of protecting corporate assets that sit primarily on our controlled network, we now have to expand those borders to protect external devices. We need to provide the same level of protection to these devices, and this requires a change in how we have traditionally viewed web security. Rather than deploying security solutions that reside in our data centers at the perimeter of our network, we must now leverage cloud-based options to protect remote devices. These devices should be able to connect to the cloud-hosted web security solution from any location and have the same policies applied to them as on-site corporate assets. We still need to be decrypting the traffic, blocking malicious sites or connections, and examining traffic for potential data exfiltration.

With the introduction of 5G networks and 5G-enabled devices, we are about to enter a time with even more connected devices than ever before. These connections are faster, with lower latency and lower power consumption requirements, which will enable smart devices to perform real-time monitoring and to be smaller than before. Coupled with the increased development of consumer-based biomedical functionality, this has the potential to change healthcare dramatically, and we need to ensure we keep up with these changes when it comes to internet security.