Breach Prevention: Bulletproofing Healthcare Network Security
Interview with Roark Pollock of HP Tippingpoint
With more than 220 major health information breaches reported to federal authorities so far under the HITECH Act requirements, healthcare organizations are looking for effective strategies to prevent breaches and avoid headlines. One critical element of any breach prevention strategy is beefing up network security.
With a hodgepodge of networks, applications and operating systems to manage, maintaining security and preventing breaches can be difficult. The challenges are daunting, but solutions are at hand. This is the perspective of Roark Pollock of HP Tippingpoint. In an interview, Pollock discusses three specific challenges:
- Regulatory compliance;
- Patch management;
- Virtualized environments.
Pollock is in Product Marketing in HP Tippingpoint's Security Products Group. He is a technology leader with over 18 years of product management, product marketing, sales and engineering experience in startup and public companies. In his career, he has led various product management and marketing teams in developing and launching more than 25 new products.
Prior to joining HP Tippingpoint, Pollock grew company revenue 66% at TManage in two years as the first product manager and 34% at MegaPath in two years as a product management Director/VP.
TOM FIELD: To start off, why don't you tell us a little bit about yourself and your role with HP Tippingpoint, please?
ROARK POLLOCK: I've spent about 20 years in the technology field, and about the last 10-plus years I've been managing and marketing both telecom and security products and services. Really in the last five years, I've been specifically focused on managing security products and services. Now today, with the new formation of the HP networking organization within HP, I am responsible for product marketing for the HP Tippingpoint products and have been managing the product marketing organization within Tippingpoint for about the last three years.
FIELD: So, Roark, as we look at healthcare, what do you see as being the top issues affecting healthcare networking security today?
POLLOCK: If I were to outline my top three, the top one has got to be organizations. All healthcare organizations today are dealing with the need to maintain regulatory compliance. They've got a lot of different areas of regulatory compliance they're dealing with. The second one is probably dealing with and being able to maintain effective patch management processes and systems. And probably the third one is -- and this is relevant not only for healthcare, but for a lot of organizations today -- dealing with the growth of virtualization within their datacenter environments and being able to assure that they're maintaining an effective security posture in those newer environments.
Regulatory Challenges
FIELD: Great issues. I want to ask you questions about each of them. Let's take regulatory compliance up top. We hear a lot about HITECH and HIPAA. Of all the regulatory issues that affect healthcare organizations, which ones do you see as the most challenging to security leaders today?
POLLOCK: The way I look at it is, it's less on the actual regulatory requirement than what it is that the different healthcare organizations are really trying to secure today. There are two areas that come to mind that are very challenging, and they are both dealt with or addressed by regulatory issues today. One is they are trying to maintain security around all of the patient medical information that is collected by most healthcare organizations today. That is just an amount of data that keeps growing every day. Then, also, almost all of your healthcare organizations today have to deal with securing payment credit card information. All of them take payment through one form or another that involves credit card information that is addressed by PCI. So, in general they are dealing with HIPAA and PCI -- probably the two biggest regulatory compliance issues that they have to deal with.
Both of these really deal with protecting data. The way I think about protecting that data is most companies will look at it and break it into a number of areas. I look at three different areas of data protection. There is, first off, dealing with data at rest, data that is sitting in a datacenter somewhere. That usually involves protecting their datacenter with something like a firewall or an intrusion prevention system or both.
Then you've got to deal with data in motion, and that is data that is moving across your network and may be moving in and out of your network. So that is generally dealt with by traditional data leakage prevention systems and can also be somewhat addressed with intrusion prevention systems as well.
Then you've got data in use, and this usually refers to data that sits on a laptop or a desktop that somebody is using. That is something that usually gets addressed by anti-x type solutions -- anti-virus, anti-malware solutions -- and ensuring that you've got good encryption on those machines, so that if a machine were to get lost, the data doesn't fall into the wrong hands.
Patch Management
FIELD: So, Roark, another topic you touched upon is that healthcare organizations today have got a hodgepodge of networks, applications, operating systems -- all of these patched regularly. How do they stay on top of those tasks?
POLLOCK: There are two different areas that companies have to deal with today. One of them is just dealing with what I will call just normal IT operating systems and applications, and ensuring they keep those up to date and patched and maintained, so that the vulnerabilities that exist within those systems are patched effectively. And I think of Microsoft systems, Microsoft Tuesday, being probably the obvious one that everybody is dealing with on a pretty regular basis. But most companies are doing a pretty decent job staying up to date with and using the right tool sets to address, you know, these normal IT operating systems and applications, the more recent applications.
The place that I think they get into areas where it is more challenging is when they have very old operating systems or applications, which a lot of times can be the case in healthcare. Where they have older applications that were developed, and the people that developed them are no longer with the organizations, updating those or patching them can be a scary situation. So a lot of time, they don't. They either don't patch those, or there are no patches available for those types of applications or operating systems. And the same thing with older medical devices or even critical medical devices that may be used in healthcare organizations, where the operating systems in those can be very proprietary, and to update those can require approval by the medical device companies or the vendor, and it can be a very slow process.
So, one of the ways of maintaining an effective virtual patching solution is to use an intrusion prevention system that is basically applying what I'll call filter sets to cover those individual vulnerabilities that exist within these older applications and these older operating systems. So you're using the IPS as a method to effect a virtual patching system instead of having to patch the actual applications and the actual operating systems themselves. That is one way that a lot of companies will address and mitigate some of those products with those older systems.
Virtualized Environments
FIELD: Another topic here: Increasingly we've seen virtualized environments in all organizations. How do you see healthcare and security leaders continuing to ensure security and privacy in these virtual environments?
POLLOCK: It's a big topic for a lot of companies, not just healthcare. But today more and more companies are virtualizing more and more of their datacenter infrastructure. There is a lot of discussion around how to effectively secure those virtualized environments. What I usually talk about with most customers today is to think about this in a two-part framework. Effectively, what most companies need to think about is how do they segment up different parts of their datacenter? Whether it is a physical infrastructure or it's running on the virtualized infrastructure, how do they segment off their payment card data from their other internal applications? How do they keep their patient records separated off within the datacenter from other applications?
So the way I walk customers through this, it is a two-phase process. The first one is making sure that they are enforcing protection or separating the datacenter from the rest of their access network. That means having firewall capabilities and intrusion prevention systems isolating the datacenter from the rest of their access network.
The second phase is being able to create these trust domes within the datacenter and maintain those trust domes so that data can't move from one trust dome to another without either being inspected or being blocked by a firewall system.
Today at HP Tippingpoint, we've introduced something called the Secure Virtualization Framework that effectively allows companies to create this segmentation within their datacenter. It's a single solution that allows them to do that with a single set of policies to cross both their physical and their virtualized datacenter for infrastructure.
So it is all about trying to make sure you are maintaining the same security posture for applications that are running in your virtualized environment that you would in your physical datacenter environment.
Key Agenda Items
FIELD: Roark, final question for you. Given everything we've talked about today, if you were to forecast in the months ahead, what would you say are the key agenda items for ensuring healthcare network security?
POLLOCK: Well, I think looking forward, looking into the future, other than the things that we've already talked about, I would say there are a few things that stick out in my mind in the healthcare areas. One is I think they are going to continue to deal with the issue of maintaining regulatory compliance, especially as we talked about in these virtual datacenter environments. So that is an area I think is going to continue to be an issue for companies in the years to come.
Two, I think in many healthcare networks they have to deal with their networks being increasingly open and how to secure those networks. I think that gets back to how they maintain some sort of segmentation within their networks on an ongoing basis. So I think that is something they are going to have to deal with on a go-forward basis.
And then the last one that I think of is there is just so much growth from a web application standpoint, especially in the healthcare industry, to make the data that they provide accessible to many different audiences. I think companies are going to have to deal with how to secure these web applications that they may be developing themselves or having other people developing, and that means being able to embed security all the way from the development phase of those web applications and having some sort of proactive security for those applications once they're deployed in those networks.