The healthcare sector is being targeted globally by cyber adversaries causing havoc to critical systems and infrastructure, impeding access to data, and even halting access to services and operations. Cyberattacks on healthcare entities can be particularly disruptive, given the potential impact on patients' lives.
To help mitigate these rising threats, NHS England has identified internal networks as a significant area of risk. They have worked with cybersecurity vendors to develop guidance on internal network segmentation, use cases and patterns.
In response to our engagement with NHS England, Palo Alto Networks published a paper on Network Segmentation Patterns for NHS, setting out how an organisation can apply our technology to deliver a Zero Trust network architecture.
Implicit trust is a term used to describe the elimination of security controls within a specific context — the most common is user location. For example, an NHS trust might allow a user located inside a hospital full access to all internal applications and only verify their identity once. However, the same user accessing resources remotely might be subject to additional security controls, such as MFA, posture checks, additional firewall and threat prevention policies, while accessing the same internal applications.
In typical network and security architectures, implicit trust is common, but a weakness that can be as damaging as any other vulnerability. Traditional perimeter-based security wrongly assumes that all devices and users within an organisation’s internal network can be trusted. Furthermore, the security stack is built around applications hosted within the local data centre. However, NHS organisations have evolved over time, and this approach no longer provides the security controls needed to protect critical assets.
For example, organisations are seeing a constant rise in the number of medical IoT devices on NHS networks. In addition, there are Building Management Systems (BMS), environmental and other non-medical IoT devices that are deployed throughout an organisation’s infrastructure. The NHS is also undergoing significant digital transformation, which drives adoption of cloud-delivered applications, distributed architectures, shared services, remote access and PCI requirements.
All of these are accessing data and services through the local infrastructure.
Not all NHS organisations are the same and no single solution is going to work for all entities. Organisations need to establish an approach that is simple to adopt, but flexible enough for different environments.
The solution is a Zero Trust Architecture not tied to a specific technology or product. This provides a flexible framework to mitigate the implicit trust problem within an organisation, internally and externally. Which means all users, devices and applications must verify each and every transaction, regardless of their location. The easiest way to think about it is to apply all the same controls internally that you would apply remotely — a simple, sensible and consistent approach to security.
However, while a straightforward approach is needed, it can still involve various technologies, and it can be difficult to visualise how this might be implemented, given the complexity of healthcare networks. This might include usability problems, such as SD-WAN, MPLS, branch sites, clinics and public cloud. This could also create technology constraints including SDN, microsegmentation, PCI requirements and patient access. A Zero Trust approach will help healthcare entities address all these challenges.
The paper Palo Alto Networks developed for the NHS delves deeper into the Zero Trust approach. It sets out the architecture and why this is now the recommended approach taken by organisations, such as the UK National Cyber Security Centre (NCSC), NIST, Microsoft and Google. Read a copy of the Network Segmentation Patterns for NHS paper, which is also available through the NHS Cyber Associates Network. It provides technical information on how Palo Alto Networks can support organisations to implement a Zero Trust Architecture, focusing on network segmentation, visibility and controls.