If running Internet-only PCs is not possible, then the best strategy is a robust security policy backed up by a security infrastructure that mitigates risk exposure, provides regulatory compliance and protects sensitive data. To prevent data leakage and manage employee productivity, controls must be in place that can monitor and control all IP-based traffic entering and leaving the network. Therefore, in addition to standard HTTP traffic, it's important to look at email, VoIP, instant messaging, file transfers or other enterprise applications communicating over IP. This can be achieved with a variety of technologies, including network packet filtering, data leakage prevention (DLP) and Web security gateways.
You've certainly taken a positive step by adding a Web security gateway to your network defenses, as most perimeter technologies are actually designed to protect websites and applications, not internal network users. Web security gateways protect internal network users from threats while surfing the Web, as opposed to Web application firewalls (WAFs), which are designed to protect websites and applications from attacks.
Effectively securing and managing enterprise networks, especially those transporting sensitive medical data, requires an informed understanding of the status, trends and events relating to all network activity, and a Web security gateway can provide this with real-time monitoring and user activity analysis. With most Web security gateways, all communication channels pass through them. Because a gateway scans outbound content to stop sensitive data leaving the network, it is a lot easier to coordinate content policies and support regulatory compliance.
With the constant proliferation of malicious sites, I would recommend a Web security gateway that uses the latest reputation-based URL filters as basic URL-filtering techniques struggle to stay up to date. Trend Micro Inc.'s Web Gateway Security product, for example, combines URL filtering with real-time Web reputation and content scanning. Also, in a mixed-needs environment like yours, granular control is an essential feature so that users who do not need access to Web content and sites such as YouTube or content such as ActiveX and MP3 files can be blocked, or only allowed access at certain times. Blocking access to inappropriate sites, particularly music and video, can also greatly reduce network utilization.
You shouldn't, of course, rely solely on gateway products. Client-based protection, such as antivirus and antimalware, is essential as a second layer of protection. Client-based defenses, however, need to be augmented by security awareness training for all your network users, focusing particularly on your acceptable Internet usage and data-handling policies. Since phishing attacks are now so common, be sure to prepare staff for social engineering attacks so they can recognize and resist them. Given the highly sensitive nature of the data on your systems, your HR department should thoroughly vet any staff hired to work in IT administrative roles, such as system and database administrators, as they, too, will have access to this information. Policies and procedures for allowing different levels of access to sensitive information need to be in place alongside encryption for data at rest and in transit.
Finally, the Health Insurance Portability and Accountability Act (HIPAA) states that your organization must have the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and to the secure transmission of that information. I would check with your compliance department whether your current policies and controls meet your legal obligations. Providing your physicians with direct Internet access from PCs that have access to such data could hinder the organization's compliance posture.
For more information:
- Have an application security question? Read more responses from Michael Cobb.
This was first published in November 2009