Making Healthcare Organizations More Secure with Smart Networking Decisions
When determining network topology and strategy, healthcare organizations need to take additional precautions in deciding how devices communicate throughout their network. The overall network architecture of a healthcare organization often lays the foundation for the organization’s overall cybersecurity posture. At worst, poorly architected networks in healthcare settings create inefficiencies and open the organization up to serious cyber-risks. Modern health systems can no longer ignore poor network hygiene, especially with the rise of IoMT and IoT in healthcare settings.
Network topology and architecture historically referred to choices made in the physical layer of a healthcare organization’s connected device infrastructure – with the number of cables, ports, and other networking equipment being limiting factors in many cases. With the rise of virtual networking alongside physical networking for the important aspects of management, segmentation, and micro-segmentation, it’s crucial for healthcare organizations to consider many factors when determining their network architecture.
Designing Network Topology and Architecture from Scratch
A hospital starting from scratch would want to start with some basic considerations. Those would include:
- Segregating Medical Devices – Medical devices, or IoMT, are purpose-built for their clinical purpose. There is no upside, and considerable downside, to allowing unexpected network traffic to reach these devices. Believe it or not, Asimily routinely sees flat networks in hospitals in 2024, where any device can communicate with any other. Often, networks are initially set up by physical location – say a VLAN for each floor of a hospital – and remain that way.
- Know Your Flow – Each device can have a different required data flow to work properly. It may have a management server; it might not. It might have an archival server; it might not. Knowing what’s needed for each device to function properly is required for effective segmentation.
- Know your PHI – Anything that contains PHI will need to be identified and potentially segregated from non-PHI-containing servers and devices, to keep better track of access.
- Workstations – Workstations – by necessity – will be in a grey zone with access to back-end resources, PHI, and front-end practitioners. As a result, they are often in their own category.
Given the rise in attacks on healthcare organizations, with HIPAA Journal finding that 586 healthcare organizations experienced data breaches in the first 10 months of 2024, organizations would do well to deploy any sort of help they can in frustrating attackers.
Other Considerations for Network Topology and Design
Physical topologies have largely remained unchanged for years. It’s expensive to run cabling through a building and triage connection points to limit signal degradation, especially through large hospital facilities. It’s not uncommon to find tree topologies in most buildings; those tend to be the most efficient for healthcare operations and have the least impact on signals.
The rise of SDNs and virtual local area networks means that software-defined rules can now be divorced from the physical cabling in a building. Healthcare security professionals need to understand how communication should flow most efficiently and securely to ensure that clinicians can do their jobs while also protecting patient data.
Other frustrations we’ve seen for organizations, later in the maturity of their network setup, include:
- Not Planning for Monitoring – Modern IT, IoT, OT, and IoMT monitoring, both for performance and for cybersecurity, relies on access to network traffic, either for actively investigating assets (typically for IT) or for passively analyzing network traffic to detect devices and anomalies. This is especially important for IoMT because those devices cannot be safely scanned and rarely support agents or clients to aid monitoring. Having centralized access to that network traffic is essential for securing environments through traffic analysis.
- Not Planning for Segmentation (Including Micro-Segmentation) – Many organizations are adding segmentation to their arsenal of defenses against attacks. It is a very effective tool to limit access and to limit the blast radius of successful attacks. However, most organizations we talk to take months or years to even partially implement their hoped-for plans. Still, hospital networks must plan for the additional need for segmentation and the necessary network resources to accomplish that. Primarily, that is sufficient networking infrastructure and bandwidth to allow any logical topologic overlay to flourish.
- Handling Legacy Networking Hardware – Sometimes, there is network hardware that just won’t go away. In the ongoing battle for IT dollars every year, networking upgrades are often easy to defer. These devices and their networking may not be able to participate well in virtual networks and may need special handling.
- Ignoring Packet Capture – Someday, somehow there will be an incident that will require investigation. That investigation will go more smoothly with packet capture to understand if an asset, especially IoMT, is part of an attack or just behaving anomalously but not maliciously. One of the biggest costs faced in the incident response process is gathering forensic data, which is aided by letting the device traffic for any device be captured and stored (locally). A network design that doesn’t allow for that can create costs (or worse – prolong an attack) down the line.
Best Practices for Evolving Your Network
When setting up a logical network topology, IT and security teams need to balance efficiency and defense in equal measure. Clinicians need to be able to access the data necessary to do their jobs and provide patient care, but they need to do so within the secure confines of the network. In addition, IT and security teams must consider the rise of Internet of Things devices in healthcare settings and structure their network so it’s flexible as technology changes.
Ultimately, healthcare IT and security teams need to:
- Inventory their network devices – The first step in structuring a logical network architecture is understanding what the devices are and how they communicate. Use a passive or active scanning solution to uncover hidden devices that may not be known to central IT.
- Connect devices in the appropriate network segments – If there are multiple segmented networks for specific device connections, ensure that these are deployed and monitored correctly. With any network topology, monitoring for effective communication across the network is key. It is still critical to understand devices and their traffic patterns to understand how they can be exploited, and how that data flows across the network, ultimately leading to better segmentation and security.
- Employ continuous network traffic monitoring – Monitoring the network for unusual traffic is key to maintaining security. Healthcare networks require tight security, so traffic should be watched continuously for any unusual behavior.
- Be prepared for Configuration Drift – Whether through accident or attack, sometimes devices’ configurations change from a secure state to a less secure state. Storing a known good configuration
- Segregate Medical Devices – If you did start with a flat network, segregating medical devices (and any servers necessary) is often a good start.
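As an added example (not Asimily’s code and not part of the original post), the following Python script encodes each device’s required data flow, as described under “Know Your Flow”, and audits observed flow records against it, reporting anything an IoMT device does beyond what it needs and any device that is not in the inventory. Segment ranges, device names, ports, and flow records are hypothetical values constructed for illustration.

```python
"""Per-device flow allow-list audit: each IoMT device may reach only the
peers it needs; every other observed flow is reported for investigation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example segments (hypothetical, not a real hospital plan).
SEGMENTS = {"iomt": ip_network("10.10.0.0/24"),
            "phi_servers": ip_network("10.20.0.0/24"),
            "workstations": ip_network("10.30.0.0/24")}

@dataclass(frozen=True)
class DevicePolicy:
    name: str
    allowed: frozenset  # {(peer_ip, dst_port, proto)} the device needs to work

# "Know your flow": the pump needs only its management server; the CT
# scanner also needs the PACS archive (DICOM, 104/tcp). Hypothetical values.
POLICIES = {
    "10.10.0.5": DevicePolicy("infusion-pump-01", frozenset({("10.20.0.10", 8443, "tcp")})),
    "10.10.0.7": DevicePolicy("ct-scanner-01", frozenset({("10.20.0.10", 8443, "tcp"),
                                                         ("10.20.0.20", 104, "tcp")})),
}

def segment_of(ip: str) -> str:
    """Name the segment an address belongs to, or 'unassigned'."""
    addr = ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), "unassigned")

def check_flow(src: str, dst: str, port: int, proto: str):
    """Return None if the flow is expected for src, else a finding string."""
    policy = POLICIES.get(src)
    if policy is None:  # device not in inventory: an inventory gap, not a policy hit
        return f"{src} ({segment_of(src)}): not in inventory, reached {dst}:{port}/{proto}"
    if (dst, port, proto) in policy.allowed:
        return None
    return f"{policy.name}: unexpected flow to {dst}:{port}/{proto} in {segment_of(dst)}"

def audit(flows):
    """Run observed (src, dst, port, proto) records through check_flow; return findings."""
    return [f for f in (check_flow(*flow) for flow in flows) if f]

# Constructed flow records, in the shape NetFlow/IPFIX collectors export.
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.20.0.10", 8443, "tcp"),  # pump -> management server: expected
    ("10.10.0.5", "10.30.0.15", 445, "tcp"),   # pump -> workstation SMB: flat-network symptom
    ("10.10.0.7", "10.20.0.20", 104, "tcp"),   # scanner -> PACS: expected
    ("10.10.0.7", "10.20.0.10", 22, "tcp"),    # scanner -> mgmt over SSH: not a required flow
    ("10.10.0.99", "10.20.0.20", 104, "tcp"),  # address in IoMT segment with no inventory entry
]
```

Running `audit(SAMPLE_FLOWS)` yields three findings: the pump reaching a workstation, the scanner using a port it does not need, and an uninventoried address in the IoMT segment, which is the kind of gap the inventory step above is meant to close.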
Employing an effective network topology and architecture and segmenting critical assets can ensure that medical equipment remains secure. This also ensures that devices are accessed only through appropriate channels and have limited internal connection points to limit lateral movement. Knowing how best to apply these techniques ensures that healthcare networks remain protected in an environment of increased risk. As healthcare organizations become more of a target, this will become more and more vital.
To understand how Asimily can help protect healthcare networks, contact us today.
Reduce Vulnerabilities 10x Faster with Half the Resources
Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.