Dec 9, 2020

Healthcare Network Segmentation – Bridging the NAC Gap

Updated December 7, 2022.


Hospitals face the challenge of securing not only medical devices, but every device across a healthcare delivery organization (HDO). With the goals of ensuring patient safety, maintaining operations, staying compliant, and protecting all PHI, many HDOs are turning to network segmentation to secure all connected devices in their environment.

Network Segmentation Strategy – The Most Common Approach Has Gaps

Most healthcare organizations have employed some form of network segmentation as part of their overall cybersecurity strategy. The technique is used to improve security and is commonly utilized by network operations and security teams to isolate various systems from one another including Medical, IT, OT and IoT systems.

Healthcare Network Access Control

The most common approach to network segmentation today is Network Access Control (NAC). Unfortunately, NAC systems can be complex to deploy and have poor visibility into the devices on the network, especially medical, OT and IoT devices, which typically cannot run an agent or authenticate with 802.1X. This makes the goal of network segmentation difficult, if not impossible, to achieve.

For network segmentation projects to succeed, three things are needed: complete visibility into every device on the network, full context about the behavior and security posture of each device, and the ability to apply automated, policy-based enforcement of segmentation. Let’s take a closer look.

First Things First. See Every Device. Know Their Behavior.

Identifying and classifying every device – medical or otherwise – is fundamental. Knowing what medical and other devices are in your environment, where they are, and how they’re being used is critical – whether in a single hospital, in a lab, across a campus, at remote clinics, or in support facilities. Armis is purpose-built to discover, identify, and profile every device in your environment and is ideal for medical device security initiatives.

We identify each device’s make, model, type, serial number, operating system and version, last known location, MAC and IP address, as well as applications running on the device. For medical devices, we also provide critical information like FDA classifications and MDS2 details, along with risk and vulnerability scores. We do this with a passive, agentless solution, so there is nothing to install on devices, and no risk of disrupting a device – critical when that device is an infusion pump, heart monitor, or MRI machine.

Equally important, we not only identify and classify medical devices, but we track their behavior over time, so we have context of what a device is, how it should be behaving, and if it is behaving suspiciously or maliciously.

Network Segmentation In Practice

With complete visibility of all devices on the network, as well as full context about their behavior & security posture, the Armis platform can apply automated enforcement of network segmentation based on policy. For example, based on device attributes and known good behavior, we know that a diagnostic imaging machine should be communicating with a clinical tablet, but not connecting to the internet. So, a policy can be created to segment this device to prevent “bad” behavior from occurring in the first place.

We enforce network segmentation and security and can automate blocking or quarantining actions through integrations with existing infrastructure components. Based on policy thresholds that you set, Armis is able to automatically segment, block or quarantine devices via your existing wired or wireless infrastructure, NAC, switches, WLC or firewall, as seen in the diagram below.

Healthcare Network Segmentation Best Practices

In clinical environments, however, it is a best practice to balance security needs with patient care. Auto-segmenting unknown or guest devices to a Guest Network seems relatively straightforward. 

However, when it comes to devices delivering patient care, we recommend the strategy of ‘HI over AI.’ This aligns with security and biomed teams we work with currently, who prefer Human Intelligence or review over Artificial Intelligence or complete automation.
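The policy logic described above (an imaging machine may talk to a clinical tablet but not to the internet, unknown devices are auto-segmented to a guest network, and violations by patient-care devices go to human review rather than automated blocking) can be sketched as a small flow evaluator. This is an added illustration, not Armis code; the device inventory, policy table and flow records are constructed sample data and the action names are placeholders for whatever the NAC, switch or firewall integration would actually call.

```python
from ipaddress import ip_address, ip_network

# Constructed inventory: what passive discovery would have classified (not real data).
HOSPITAL_NET = ip_network("10.0.0.0/8")
DEVICES = {
    "10.1.20.5": {"type": "diagnostic_imaging", "patient_care": True},
    "10.1.30.7": {"type": "clinical_tablet", "patient_care": False},
    "10.1.40.9": {"type": "unknown", "patient_care": False},
}

# Constructed policy: per device type, allowed peer types and whether internet egress is allowed.
POLICY = {
    "diagnostic_imaging": {"peers": {"clinical_tablet"}, "internet": False},
    "clinical_tablet": {"peers": {"diagnostic_imaging"}, "internet": True},
}

def classify_peer(ip):
    """Map a destination address to a peer class: a known device type, 'internet' or 'unknown'."""
    if ip in DEVICES:
        return DEVICES[ip]["type"]
    return "unknown" if ip_address(ip) in HOSPITAL_NET else "internet"

def evaluate_flow(src, dst):
    """Return (verdict, action) for one observed src -> dst flow."""
    src_dev = DEVICES.get(src, {"type": "unknown", "patient_care": False})
    # Unclassified source: auto-segment to the guest VLAN (the straightforward case).
    if src_dev["type"] == "unknown":
        return ("unknown_device", "quarantine_to_guest_vlan")
    rule = POLICY[src_dev["type"]]
    peer = classify_peer(dst)
    allowed = peer in rule["peers"] or (peer == "internet" and rule["internet"])
    if allowed:
        return ("allowed", "none")
    # "HI over AI": a patient-care device that misbehaves is raised for human review,
    # not blocked automatically; non-clinical devices can be blocked via the NAC.
    action = "alert_for_human_review" if src_dev["patient_care"] else "block_via_nac"
    return ("policy_violation", action)

def evaluate_flows(records):
    """Evaluate 'src dst' flow records (constructed format) and return one tuple per flow."""
    results = []
    for line in records:
        src, dst = line.split()
        verdict, action = evaluate_flow(src, dst)
        results.append((src, dst, verdict, action))
    return results
```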

The Benefits Armis Provides

With this approach, Armis delivers the following benefits to CISOs, CMIOs, and BioMedical Engineers:

  • Full Device Visibility – Identify and classify all devices, medical or otherwise
  • Continuous Passive Tracking – Real-time analysis of every device’s behavior, connections, and interactions
  • Vulnerability and Gap Analysis – Real-time information on each device’s state, including OS, patch status, exposures, FDA recall status, active threats, and more
  • Automated Network Segmentation – Apply dynamic policies to ensure medical and other devices are placed on the appropriate network
  • Automated Policy Enforcement – Integrate with existing IT and security management tooling, beyond segmentation, to mitigate identified risks and threats

Our platform helps organizations to implement a network segmentation approach. Armis allows HDOs to apply dynamic policies to ensure all connected devices are behaving appropriately and properly confined to the segments they need to be on so they can ensure medical device security and compliance, and keep patients and information safe and secure.
