Healthcare: Better, Simpler EHR Security With Application Level Control

Apr 28, 2014

During our recent Ignite conference, we discussed security challenges specific to healthcare with customers who’ve used our technology for several years, as well as with organizations that are re-evaluating how to approach security in light of the digital revolution taking place in the healthcare market.

In the healthcare environment, you need to strengthen security, facilitate compliance with regulations such as HIPAA, and regain control of your network infrastructure resources. Below are three best practices that I wanted to share because all three make the case for application-level visibility and control.

(1) Application level control is better than port-based control

EHR systems transport and store Patient Healthcare Information (PHI), which is highly regulated, so data privacy and security are paramount for such deployments. While data is encrypted in most EHRs, it’s not unusual for healthcare application vendors to request that an unusually high number of ports be open for their application to function properly. This leaves too many opportunities for malicious traffic to intrude into your network. The only way to remediate such exposure is to deploy application-level control as provided by our next-generation firewall.

(2) Network segmentation based on applications better isolates PHI data and facilitates compliance

The list of applications, protocols and systems that are legitimate in a PHI environment should be well defined. By enforcing access at the application level, you can more easily streamline your security: block everything but the few applications and systems allowed into the PHI environment. Our next-generation firewall also allows you to apply policies based on users and content/payload, providing the most granular level of control available on the market today. User- and application-level visibility also happens to match the granularity needed by compliance audits, which makes the whole audit process a lot simpler.

(3) Application level visibility improves quality of service and minimizes illegitimate traffic

Many healthcare facilities experience high bandwidth consumption (up to 40% of all traffic) from consumer applications such as online video and gaming that are brought into their facilities by staff and patients. Application-level visibility is the first step to understanding which applications clog your network and how you can work with your administration and HR staff to enforce tighter policies and rein in the use of your network resources for purposes other than the business of healthcare.

Healthcare has a unique set of security challenges, but you can directly apply the above arguments to any other sector with sensitive data, such as organizations with credit card environments subject to PCI DSS compliance. Recent survey research from Verizon on PCI DSS compliance highlights the obsolescence of port-based control in favor of application-level control.

Learn more about Palo Alto Networks solutions for healthcare.
