Who (And What) Should Have Access to Your Network?

Preventing a data breach or network security lapse is a top priority for healthcare organizations worldwide. The very nature of the devices and data transmitted across every internal system, coupled with a typically (and often, alarmingly) low number of cybersecurity resources makes healthcare environments exceptionally vulnerable to a cyber attack. A recent HIMSS survey of 239 healthcare leaders and IT professionals revealed that as many as seventy-five percent of all those polled had experienced a significant cybersecurity event. Ransomware, email phishing, and even negligent internal users are just some of the many ways medical facilities across the country are constantly besieged by data breaches and intentional cyber crimes.

What to Know About Network Access

Network Access Control Plays A Key Role In Data Loss Prevention

With limited cybersecurity resources and understaffed IT teams, many healthcare executives don’t realize that effective data loss prevention isn’t an “all or nothing application,” but rather, a sophisticated, layered approach that relies on multiple levels of protection to systematically frustrate potential intruders. There is no final destination, only a thoughtful and persistent effort to mature the processes and technologies that identify and reduce risks to your critical data and infrastructure.  At the frontlines of a mature system defense strategy? Network Access Control (NAC).

At its core, NAC equips healthcare organizations with the ability to grant (or restrict) permissions to both users and devices trying to access the organization’s network and stored data intelligence. When properly configured, an effective NAC system quickly identifies system requests, while validating individual users, groups, and devices against a predetermined set of rules and algorithms. 

Unfortunately, while the concept of NAC protocol is relatively straightforward, effective deployment is often not so simple. There are countless factors to consider when determining who (and what) should have access to your system. Developing several mission-critical policies within your NAC can help streamline the process. Some vital considerations include:

Device And User Identification

The first step in an effective NAC solution requires identifying all potential users and devices within your digital channels. Most healthcare executives struggle to easily identify all possible system users and access use cases. However, device discovery adds additional complexity due to the rapid surge in connective devices and the increase in IoT technology, making it critical to develop a full inventory for a global network perspective before moving forward with any NAC strategy.

Establish Access Policy

Next, healthcare organizations must establish an extensive roles matrix that defines various permission levels for every individual device and user based on each unique and specific operational situation. As a general rule of thumb, most cybersecurity professionals recommend restricting permissions so every user or device can only access what is absolutely necessary based on role, function, or purpose in order to protect data intelligence, yet still uphold HIPAA regulations. 

Guest Access

Beyond internal users and devices, many healthcare facilities have outside users (patients, referral partners, vendors, etc.) that may also require access to the network at various levels. Outlining a thorough guest access policy with necessary connection restrictions allows guests to connect to the internal corporate network with reduced levels of cyber risk.

Endpoint Device Compliance

A thorough NAC also mandates the protocol for consistently assessing, maintaining, and updating compliance on all endpoint devices accessing the system. Devices that fail to meet approved standards should have system permissions revoked until the required patches or updates are installed. Additionally, in the event an unauthorized device or user tries to connect with the facility’s digital environment, a strategy should be put in place that instantly launches disconnection and notification to minimize potential network security risk.