Tri-County Health Department
TCHD Layered Network Security Model
Brief description of LHD: Tri-County Health Department (TCHD) serves over 1.5 million people in Adams, Arapahoe and Douglas Counties in Colorado, from 11 offices in a 3,000 square mile area. TCHD employs approximately 400 public health professionals and offers over 60 programs/services ranging from birth certificates, immunizations and health care referrals to restaurant inspections and infectious disease investigations. The agency's jurisdiction includes 26 municipalities and 3 unincorporated counties, 15 school districts with more than 360 public schools, 12 acute care hospitals, 3 Federally Qualified Healthcare Centers with multiple facilities, and 3 community mental health service providers.
Public Health Issue: Cyberattacks on health care facilities emerged as a major issue in 2017 with the global "WannaCry" ransomware outbreak. Although public health agencies were not a direct target in this episode, they have been subject to security breaches, an issue addressed by The Nation's Health, a publication of the American Public Health Association, in a recent article entitled "Public health increasingly facing cybersecurity threats: Health field a top target for attacks," which noted that "while hospitals and health care systems work to beef up their defenses against cyberattacks, more hackers may see public health as a soft target."
Goals and Objectives: With the growing urgency of this problem, TCHD is committed to protecting all types of data housed within the organization and takes cyber threats very seriously. The goal was to create a layered security infrastructure that would combat external and internal threats to TCHD data, while also protecting against data loss, corruption, or theft.
Objective 1: Protect against Malware and Viruses from External Sources.
Objective 2: Protect against internal attacks or breaches.
Objective 3: Secure all TCHD data from loss, corruption, or theft.
Implementation: With the prevalence of cyber-attacks, phishing scams and ransomware targeted specifically at health care organizations, TCHD's Information Technology Team implemented a five-phase protection program to upgrade and secure all internal systems against these threats.
Phase 1: Inbound Cloud Protection for all Email.
Phase 2: Externally Facing Firewall.
Phase 3: On Premise Email Scrubbing Appliance.
Phase 4: East West Internal Firewall.
Phase 5: PC Endpoint Protection.
Intended / Actual Outcomes: The intended outcome was to ensure that multiple layers of security were implemented to properly protect against cyber security threats. Actual outcomes have demonstrated that the LNS model was able to protect TCHD against the massive "WannaCry" ransomware outbreak, while several health care facilities were severely impacted. In addition, no HIPAA related breaches have occurred due to the Digital Leak Prevention technology that scans all outbound file transfers to ensure they are free of Personal Health Information (PHI) or Personally Identifiable Information (PII) data. Additionally, the firewall utilized by TCHD is configured with GEO Protection, a mechanism which allows the organization to drop inbound requests originating in countries that frequently perform cyber-attacks, network probing, or attempts to gain entry into systems. After activating GEO protection based upon research into which countries frequently attacked TCHD systems, network attacks dropped from a high of over 5,000 attacks per week to an average of just under 12 per week. With fewer potential attacks to contend with, TCHD systems are more secure, instantly blocking connections that, if left untouched, could create a potential breach situation.
Public Health Impact of Practice: The impact of the LNS model upon public health is ensuring that the data, which is critical to the operation of a local health department, is secured, monitored and protected.
Website of LHD: http://www.tchd.org
Public Health Issue: The problem that TCHD addressed in this proposed model practice is that of cyber security and the vulnerability of local health data due to lack of security controls. The Layered Network Security (LNS) model addresses these concerns.
Target Population: The target population for our practice is the entirety of TCHD staff, as well as external partners that share and collaborate with TCHD to create data. As such, the LNS model reaches 100% of the population by securing all data.
What has been done in the past: Previously, only an external firewall appliance was utilized to shield the internal TCHD network, along with endpoint protection on each machine. While this protected the TCHD network from external attacks, internal attacks could have potentially propagated through to TCHD servers. In addition, Email messages were delivered directly to the Email environment without the added security of the Cloud Protection Service and internal Email appliance.
Why is the current practice better?: The current practice is better because an external firewall can only combat attacks originating from the outside. The new LNS model combats external threats and also includes an internal firewall, called an "East–West" (EW) firewall. This firewall separates the user Virtual Local Area Network (VLAN) from the server VLAN. This means that if a machine on the TCHD network becomes compromised, in order to spread via Server Message Block (SMB) or other vulnerabilities, the network traffic from the compromised machine would have to traverse the EW firewall.
This is one phase of the TCHD Layered Network Security (LNS) model, which also includes hosted cloud security that scrubs Email attachments before delivering them to a local appliance through the external TCHD firewall, which conducts a full packet scan. Once Email is scanned via the external firewall, it is delivered to a local on premise Email appliance. This Email appliance conducts a third scan before delivering the message to the local Exchange 2016 mailbox store. Upon this Exchange 2016 server resides a full endpoint protection antivirus suite which provides real time scanning upon the server, detecting potential threats that may have passed through the previous layers of security.
Each of TCHD's 56 servers has this endpoint technology, as does every PC upon the TCHD network. Each TCHD remote site must traverse the fiber connection to the Administrative Office and through each firewall in order to send or receive data. Each TCHD laptop is encrypted with a hard disk encryption tool called BitLocker, and also has a Basic Input Output System (BIOS) boot password that protects against theft by forcing the user to enter a password before boot up. All of these separate technologies are brought together into the innovative LNS model.
The proposed model practice demonstrates that the layered security present in the new LNS model far exceeds the capabilities of the older network security systems by adding 3 additional security layers (noted with *):
Layer 1: Cloud Protection Layer*
Layer 2: External Firewall
Layer 3: Local Email Appliance*
Layer 4: Internal (E/W) Firewall*
Layer 5: Endpoint Protection
-Layer 1 (Cloud Protection Layer) is provided by a HIPAA compliant cloud hosting service that ingests all Email bound for TCHD. Email is one of the primary vectors for phishing attacks, viruses, and whaling attacks; therefore, the cloud layer scans all Email messages for patterns and runs the sending IP address through a reputation filter. If that IP address or IP block has been reported by other Barracuda Email Filter (security vendor) users or Barracuda specialists globally to blacklist providers, the Email is blocked. This grants a global eye upon questionable content, and allows real time blocking of dangerous content.
-Layer 2 (External Firewall) is comprised of a powerful externally facing firewall appliance that scans all incoming data from Layer 1, as well as any active web connections. This appliance also utilizes GEO-Protection to block connections originating from countries that have actively attempted to perform any type of security probe or attack.
-Layer 3 (Local Email Appliance) conducts a third scan of the delivered message, scouring it for incorrect headers, spoofing evidence, or virus-laden attachments before transferring that message to the local Exchange mailbox store.
-Layer 4 (Internal E/W Firewall) is comprised of a secondary firewall that resides internal to the TCHD network. This scans all traffic from internal workstations to the cluster of servers that TCHD houses (56 total). This is the most innovative piece of the LNS model, as it represents the latest security thinking and practices to ensure that even if internally compromised, the data and servers would be protected.
-Layer 5 (Endpoint Protection) consists of a powerful endpoint protection software that resides on every PC. This endpoint protection not only combats against viruses, but also malware, spyware, blacklisted web content, URL filtering and heuristics behavior analysis.
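The Layer 4 separation of the user VLAN from the server VLAN can be modelled as a first-match rule list with a default deny. The sketch below is an added example, not TCHD's configuration: the subnets, server addresses, rules and sample flows are all constructed for illustration, and it assumes a routed design in which only traffic between VLANs reaches the E/W firewall.

```python
import ipaddress

# Constructed addressing and rules for illustration; not TCHD's real networks or policy.
USER_VLAN = ipaddress.ip_network("10.10.0.0/16")
SERVER_VLAN = ipaddress.ip_network("10.20.0.0/24")
FILE_SERVER = ipaddress.ip_network("10.20.0.10/32")
MAIL_SERVER = ipaddress.ip_network("10.20.0.25/32")

# First match wins; anything unmatched falls through to the default deny.
RULES = [
    ("allow", USER_VLAN, FILE_SERVER, "tcp", 445),  # SMB only to the file server
    ("allow", USER_VLAN, MAIL_SERVER, "tcp", 443),  # mail client access over HTTPS
    ("deny", USER_VLAN, SERVER_VLAN, "tcp", 445),   # explicit SMB drop to all other servers
]

def vlan_of(addr):
    """Classify an address into the modelled VLANs."""
    ip = ipaddress.ip_address(addr)
    if ip in USER_VLAN:
        return "user"
    if ip in SERVER_VLAN:
        return "server"
    return "other"

def evaluate(src, dst, proto, port):
    """Return (verdict, reason) for one flow as the E/W firewall would see it."""
    if vlan_of(src) == vlan_of(dst):
        # Assumption: same-VLAN traffic is switched locally and is never inspected.
        return ("not-inspected", "same VLAN, never reaches the E/W firewall")
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, src_net, dst_net, r_proto, r_port) in enumerate(RULES, 1):
        if s in src_net and d in dst_net and proto == r_proto and port == r_port:
            return (action, f"rule {i}")
    return ("deny", "default deny")

FLOWS = [  # constructed sample flows
    ("10.10.4.21", "10.20.0.10", "tcp", 445),   # workstation to file server, SMB
    ("10.10.4.21", "10.20.0.31", "tcp", 445),   # workstation to another server, SMB
    ("10.10.4.21", "10.20.0.31", "tcp", 3389),  # workstation to server, RDP
    ("10.10.4.21", "10.10.7.88", "tcp", 445),   # workstation to workstation, SMB
]

def audit(flows=FLOWS):
    """Verdicts for each flow, in order."""
    return [evaluate(*f)[0] for f in flows]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", evaluate(*flow))
```

The last flow shows the limit of this layer in the model: workstation-to-workstation traffic inside the user VLAN never crosses the internal firewall, so it falls to Layer 5 endpoint protection.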
Innovation of current practice: While TCHD is utilizing existing tools to implement the LNS model, this constitutes an innovative and creative use of security technology to ensure that if one layer of security allows a threat through, the subsequent layers will detect and neutralize the threat before data is compromised, which could impact the entire organization's ability to practice public health in the community. To the best of our knowledge, this approach has not been utilized by local health departments prior to this implementation.
Evidence base of the current practice: The TCHD Information Technology team based this LNS model on evolving strategies for cyber security in Governmental and Private organizations.
Goals and objectives of practice: Due to the far-reaching impact upon community partners and staff when new security models are introduced, TCHD staff members remain the focus as an internal customer. The goal was to implement the LNS model in phases to allow collaboration and testing with TCHD staff.
Steps taken: Community partners were involved to ensure that Email correspondence, electronic records, and any other data transmissions were not impacted by the LNS model.
Time frame: The implementation of the LNS model took place over a period of 5 months, beginning in January of 2017. This allowed sufficient time to implement the LNS model in stages to lessen impact upon TCHD staff and TCHD partners.
Other Stakeholders Involved: In addition, TCHD's Board of Health and three sets of County Commissioners, representing the counties served by TCHD, supported improved cyber-security by approving the funds to invest in this technology, as well as the approval of a new Senior Security Network Administrator position to combat cyber security threats.
Startup or in-kind costs: Costs were budgeted and paid for under the TCHD Information Technology budget, which included hardware, service, and maintenance costs of the layered systems. Cost breakdown is as follows:
Layer 1: Price included with Layer 3
Layer 2: $35,550 initial cost, $4,110 maintenance per year.
Layer 3: $4,791 initial cost, $1,960 maintenance per year.
Layer 4: $35,550 initial cost, $4,110 maintenance per year.
Layer 5: $14,000 initial cost (for 600 seats), $4,780 maintenance per year.
What was found out: To date, the Layered Network Security model has proven very effective in preventing loss of data, security breaches, and data leakage of Personal Health Information (PHI) or Personally Identifiable Information (PII), and in maintaining HIPAA compliance. The best indicator of this occurred during the "WannaCry" and "Petya" ransomware virus outbreak that occurred in May of 2017. The LNS model was in full production right before the outbreak event, and the TCHD I.T. Team monitored TCHD LNS systems closely and witnessed over 2,000 infected messages blocked at the very first LNS layer. These messages contained the known subject line of "Your Invoice #XXXXX", containing the "WannaCry" payload. Further investigation into these files uncovered that the payload had been blocked by the Barracuda reputation list, which had denied delivery. Had the ransomware virus made it through the first layer of defense, confidence was very high that the second LNS layer would have scrubbed the virus, and had it not, it still had three layers to navigate. This would prove difficult for any virus to propagate in the TCHD LNS environment. The objective was to create a safe and secure computing environment for TCHD staff and partners, and that goal is a great success.
Primary data sources: Primary data sources were the SolarWinds Orion network monitoring database, the Barracuda Cloud Service portal, the GAIA firewall management engine, and BNC monitoring tools. All tools are operated in house by TCHD I.T. staff. The performance measure utilized was maintaining a non-compromised system state through a major virus outbreak due to the LNS model.
Performance measures used: Standard Information Technology metrics such as malicious packets blocked, network focused attacks blocked, network monitoring and throughput.
Results Analysis: Results were analyzed via TCHD I.T. Team meetings and live Network Operations Center monitoring. System generated reports of firewall activity, as well as network system performance were generated weekly and disseminated.
No modifications were made to the practice as a result of the data findings.
Lessons learned: The lessons learned from the LNS model implementation were numerous. Much of the undertaking involved out of the box thinking that had not been attempted previously. The sustainability of the LNS model is excellent. Each layer of the LNS model is budgeted for annually as part of normal operating I.T. budget costs. This is not only due to the success of the LNS model, but the desire for TCHD to lead the way into the future of public health, which relies entirely on a secure and efficient Information Technology backbone. It was also understood while navigating the "WannaCry" and "Petya" ransomware outbreaks how vulnerable health care organizations are, and how important protecting health department data is to the continuity of operations.
Lessons learned in relation to partner collaboration: It was found that TCHD partners were quite interested in the LNS model, and frequently brought forth questions on functionality and how the LNS model could assist their organization to better secure their sensitive data.
Cost/benefit analysis: A cost to benefit analysis was not performed.
Stakeholder commitment: Stakeholder commitment is very strong, as the Board of Health, TCHD Executive Team, and staff support the efforts of TCHD I.T. to provide a secure computing environment. The sustainability plan coincides with the Master Information Technology Plan, which outlines the path forward with security projects that utilize the latest technology. It is the wish of TCHD that other local health departments enact their own LNS model to properly protect the wealth of data housed in each. Data usage is expanding, never to contract again, and steps must be taken to protect that data to ensure that public health work done in the community is never impacted due to a lack of I.T. security focus.