1 Securing Distributed Enterprise Networks for PCI DSS 3.0 Compliance FORTINET White Paper 1 Secure Distributed Healthcare Networks for PCI DSS 3.0 and HIPAA Compliance Accelerating Compliance and Simplifying Complex Networks Introduction Distributed healthcare networks have grown in complexity over the last decade as they expand network access and add more security technologies to protect their networks. The adoption of standards such as the Payment Card Industry Data Security Standard (PCI DSS) and HIPAA have also improved the overall security of data in distributed healthcare networks. However, in light of many well-publicized data breaches and required disclosure by the HIPAA Breach Notification Rule, 45 CFR , it is clear that distributed healthcare networks are still vulnerable to being compromised. This paper will discuss some of the common challenges distributed healthcare networks face in securing their medical office buildings, home health operations, clinical settings, Cloudbased applications and business associates. This paper will also provide several specific ways Fortinet's comprehensive product portfolio can help secure and simplify distributed healthcare networks to accelerate compliance with PCI DSS 3.0 and HIPAA combined. Distributed healthcare networks better protect the personal health information of their patients (PHI and PII) by combining PCI DSS 3.0 with HIPAA security compliance controls and technical solutions into a single coordinated process. Mark Hanson Fortinet - U.S. Director - Healthcare Network Challenges A typical distributed healthcare network may include the following: "clinic-within-a-clinic" operations involving business associates Wireless LAN access for employees, business associates and patients Wireless ubiquity for critical applications support LTE to support Quality of Service (Q0S) requirements Power over Ethernet (PoE) powered-switch systems for VoIP phones or IP video surveillance systems Disaster recovery WAN access technologies such as 4G or satellite for back up and broadband primary Support for 'Clinic of the Future' initiatives Wireless inventory with Real-Time Logistics Intelligence (RTLI), patient analytics, customer web portals, social marketing, and smart digital signage Security Challenges What started out as an initial Firewall deployment in a clinic or medical building may have grown to include a range of technologies from several vendors: The Evolving Network in Distributed Healthcare Environments Distributed healthcare networks have grown in complexity over the last several years with the addition of numerous networking technologies to meet changing business requirements. Application Visibility and Quality of Services Control Web Filtering and Bandwidth Throttling Intrusion Prevention System (IPS) WAN Optimization Data Leak Prevention (DLP) Wireless Access Points End-Point Protection
2 Secure Distributed Healthcare Networks for PCI DSS 3.0 and HIPAA Compliance FORTINET White Paper 2 These stand-alone technologies can create gaps in policy enforcement caused by separate devices with separate rule sets that lack central. They can also overwhelm small IT teams and drive up CapEx and OpEx costs, especially when duplicated over dozens, hundreds or even thousands of locations. PCI DSS 3.0 Compliance and Distributed Healthcare Networks The Payment Card Industry Data Security Standard (PCI DSS) is a global standard for data security of cardholder data that affects a very broad group of businesses including Healthcare. It applies to all entities involved in processing of payment cards, such as merchants, card issuers, processors, and service providers, as well as those that process, transmit, or store cardholder data. While PCI DSS has focused on retail its HIPAA/HITECH requirements overlap when considering required protections of Patient Health Information. There are 12 requirements within six control objectives in PCI DSS 3.0: Figure 1: Legacy, stand-alone systems in every location PCI DSS CONTROL OBJECTIVES CONTROL OBJECTIVE Build and Maintain a Secure Network and Systems Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy REQUIREMENT Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Protect all systems against malware and regularly update anti-virus software or programs Develop and maintain secure systems and applications Restrict access to cardholder data by business need-to-know Identify and authenticate access to system components Restrict physical access to cardholder data Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain a policy that addresses information security for all personnel Version 3.0 includes several examples of best practices: PCI DSS version 3.0, the current version of the standard, includes many updates from the previous version of the requirements to reflect the evolving networking and threat landscapes. The intent of version 3.0 is to reduce confusion, misinterpretation, and reinforce best practices, and the majority of the updates are Clarifications or Additional Guidance to existing requirements. 2 The goal is to make PCI DSS compliance Business As Usual and to be incorporated in everyday business practices instead of being a periodic focus. 2 Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures version 3.0 Monitoring of security controls such as firewalls to ensure effective operation Detecting and responding to any security control failures Reviewing changes to the environment (such as new configurations or systems) in the context of PCI DSS scope before completing the change, and updating security controls appropriately Reviewing deployed hardware and software technologies to confirm that they are still being supported by the vendor and they meet the entity s security requirements
3 Secure Distributed Healthcare Networks for PCI DSS 3.0 and HIPAA Compliance FORTINET White Paper 3 New Requirements There are several new requirements that will affect distributed healthcare networks in particular, due to their large number of locations, wide range of hardware and software systems deployed in those environments and use of managed services. Some examples include: New Requirement 2.4: Maintain an Inventory of System Components that are in Scope for PCI DSS Organization are now required to maintain a list of all system components (both hardware and software) including a description of each component s function, and interviewing personnel to verify that the inventory is current. New Requirement 5.1.2: For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software. This requirement expands the requirement to include all systems that could be affected by malware, which includes open source and custom software, not just the critical systems previously identified. Requirement 8.5.1: Additional requirement for service providers: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer. This requires service providers to use unique authentication credentials for each customer, such as two-factor authentication. The intent is to prevent multiple customers from being compromised by a single set of credentials. Limitations of Legacy Security Systems The PCI core requirements cover controlled network isolation, inbound/outbound traffic flows and DMZ implementation related to defining and protecting the Cardholder Data Environment (CDE) and in our opinion relate to protection of Patient Health Information. Specific functions include: Real-time perimeter anti-malware/anti-virus IPSec/VPN tunneling support Intrusion Detection/Prevention (IDS/IPS) Use of strong cryptography (SSL/IPSec) Default deny-all settings Support of digital certificates and two-factor user authentication Event monitoring Federated device and reporting Network vulnerability analysis support A legacy firewall cannot provide these services due to the lack of required functions and/or the lack of performance, whether it is at remote location like a store or distribution center, in a central location like headquarters, or in a datacenter. Organizations need the ability to deploy a single operating system with a range of firewall personalities, both physical and virtual. In addition to simplifying deployment and standardizing IT staff training, a single flexible OS also enables the delivery of the appropriate security and networking functions for a particular use case: At clinical and home health locations, a single all-inone device to consolidate all of the security functions and eliminate the cost and complexity of deploying multiple devices At medical office buildings, a high performance next generation firewall to provide the core network security features At hospital and data center operations, a high performance firewall to deliver core firewall functions Fortinet Network Security Solution Fortinet s FortiGate line of high performance network security devices can help organizations address the wide range of requirements of PCI while minimizing implementation and operational costs. FortiGate devices provide seamless integration of networking and security in a single appliance with the most comprehensive feature set of any consolidated network security device, including Anti-Malware/Anti-Virus, Intrusion Prevention, Application Control, SSL and IPsec VPN, Web filtering, support for two-factor authentication, and asset discovery/vulnerability. Customers can deploy as much or as little technology as they want, based on their specific requirements. PCI DSS 3.0 states Network segmentation of, or isolating (segmenting) the CDE from the remainder of an entity s network, is not a PCI DSS requirement. As a best practice, however, network segmentation reduces the scope and cost of the PCI DSS assessment, reduces the complexity of maintaining controls, and reduces risk to an organization. Every FortiGate supports physical and virtual segmentation of data with switched ports and the ability to create virtual domains to isolate the CDE and significantly reduce the number of systems in scope. Segmentation is beneficial for older legacy medical imaging systems that can no longer be patch and can t be replaced due to budget constraints.
4 Secure Distributed Healthcare Networks for PCI DSS 3.0 and HIPAA Compliance FORTINET White Paper Co n nect i v i t y / B us i nes s C ont i nui t y Every FortiGate device supports multiple connectivity options for business continuity, such as broadband lines (e.g., DSL, Cable, T-1/T-3), integrated V.90 and 4G, in a single device Figure 2 - Comprehensive security and networking feature set with every FortiGate physical and virtual appliance The FortiGate family of appliances includes physical and virtual appliances that range in form factor from compact desktop models to chassis-based systems delivering over 500 Gbps firewall throughput. Every FortiGate system offers complete yet flexible network services and threat protection that meets and exceeds the compliance requirement: 1. Fi r ew al l Enables network segmentation using virtual domains, VLANs and switched ports for traffic segmentation/isolation. Prevents unauthorized access to critical resources 2. In t r u s i o n P r e v e n t io n S y s t e m ( I P S ) Detects and blocks network intrusion and other hacks by cybercriminals 3. Ap p l i c a t i o n C o n t r o l Identifies and stops malicious application activities while allowing only authorized applications 4. We b F i l t e r i n g Blocks visits to or content from malicious site 5. VP N Encrypts and protects data transmitted across untrusted networks 6. Ad v a n c e T h r e a t Pr o t e c t i o n Anti-Malware engine and Sandbox integration prevents malicious code exploitation, detects targeted and advance persistent threats 7. Da t a L e a k Pr e v e n t i o n ( D L P) Discovers and prevents unauthorized transmission of sensitive data 8. Vu l n e r a bi l i t y M a n a g e m e n t Automatically and routinely scans to ensure that systems and applications are at appropriate patch levels and vulnerabilities have been addressed 9. Vi s i bi l i t y & M o n i t o r i n g Provides monitoring, logging and notification of incidents or suspicious activity that may indicate an incident allowing organizations to quickly respond 10. Sw i t c h e d Po r t s a n d H i g h Po r t D e n s i t y Every FortiGate device includes switched Ethernet ports for network segmentation and data isolation. High port density consolidates connectivity, networking and security into a single device Figure 3 - FortiGate devices consolidate security, networking, and connectivity into a single device Wireless Security Solution In addition, every FortiGate device has an integrated Wireless Controller, enabling organizations to consolidate wired and wireless traffic and enforce polices consistently. Administrators can plug in wireless access points directly into a FortiGate device, which allows the FortiGate to eliminate the need for a separate stand-alone wireless network and the need to try to duplicate policies on separate network and wireless security systems. All of the FortiGate desktop models (FortiGate-20C through the FortiGate-90D) offer FortiWiFi versions, which incorporate a Wireless fat client. Many FortiGate devices for remote locations and offices support Power Over Ethernet (PoE) which eliminates the need to supply power to wireless access points, VoIP handsets, IP security cameras or other IP-based devices. Wireless Access Points Requirement 11: Regularly test security systems and processes. Requirement 11 contains several components related to Wireless Access and the need to inventory Wireless Access Points and detect Rogue Access Points. FortiAP Thin Wireless Access Points enable simple, costeffective, and secure Wireless Network Access. FortiAPs are an ideal solution for extending FortiGate protection to the wireless network. The integrated Wireless Controller within every FortiGate device eliminates the majority of the cost of deploying a wireless network.
5 Secure Distributed Healthcare Networks for PCI DSS 3.0 and HIPAA Compliance FORTINET White Paper 5 With models designed for small clinics and home health operations, distributed medical buildings, as well as highdensity Hospital and Data Center locations, FortiAPs allow consistent enforcement of security policies across both wired and wireless networks. The FortiGate Rogue AP detection engine, including the onwire detection feature, automates the scanning process and continuously monitors for unknown APs and determines if any unknown APs are on the network. Figure 4 - FortiOS contains an integrated wireless controller, eliminating the need for a separate wireless network High-Performance ASICs Fortinet provides high-performance network security with custom ASIC (Application Specific Integrated Circuits)- based silicon processing hardware. Custom content and network processors are able to offload compute-intensive security processing from the general purpose CPU, reducing the load on the CPU. Traditional Security Appliances that use multi-purpose CPU based architectures becomes an infrastructure bottleneck. The only way for a Network Security Appliance to scale is via purpose built ASICs to accelerate specific parts of the packet processing and content scanning function. Optimum path processing (OPP) is used to optimize the different resources available in packet flow. Sy s t e m - On - A - Ch i p P r o c e s s o r ( Hy b r i d A S I C) Integrates all ASICs including CPU into a single process for best price/performance This off-loading of traffic enables Fortinet appliances to deliver unmatched performance and low latency, as well as support a wide range of security services. These levels of performance are critical as networks are upgraded to take advantage of increasingly faster LAN and WAN standards, such as 40-Gigabit Ethernet and beyond. Co n t e n t P r o c e s s o r A S I C Accelerates content security, such as application control and intrusion prevention Ne t w o r k P r o c e s s o r Accelerates network security tasks such as Firewall, VPN and IPv6 translation Figure 5 - FortiASIC custom processors outperform traditional CPU-based architectures
6 Secure Distributed Healthcare Networks for PCI DSS 3.0 and HIPAA Compliance FORTINET White 6 Easy deployment of database activity monitoring/audit across hundreds of databases via centralized policy Provides Privilege change data for User Access and integration Out-of-the-box reports help meet security and PCI DSS and HIPAA/HITECH compliance requirements Centralized Management Centralized Security Management, Logging, and Reporting FortiManager TM & FortiAnalyzer TM FortiManager Security Management appliances allow you to centrally manage any number of Fortinet Network Security devices, from several to thousands, including FortiGate, FortiWiFi, and FortiCarrier. Network administrators can better control their network by logically grouping devices into administrative domains (ADOMs), efficiently applying policies and distributing content security/firmware updates. FortiManager is one of several versatile Network Security Management Products that provide a diversity of deployment types, growth flexibility, advanced customization through APIs and simple licensing. Centralized Authentication Integrated, centralized authentication with single sign-on and policy enforcement is critical to providing secure access to the appropriate systems that compose a distributed enterprise environment. In addition to Requirement described above, Requirement 8.3 in PCI DSS 3.0 specifies that two-factor authentication applies to users, administrators, and all third parties, including vendor access for support or maintenance. FortiAuthenticator User Identity Management Appliances provide two-factor authentication, RADIUS, LDAP and 802.1X wireless authentication, certificate and Fortinet single sign-on. It is compatible with and complements the FortiToken range of Two- Factor Authentication Tokens for secure remote access enabling authentication with multiple FortiGate appliances and third party devices. FortiAnalyzer Network Security Logging, Analysis, and Reporting Appliances securely aggregate log data from Fortinet Security Appliances. A comprehensive suite of easily customable reports allows you to quickly analyze and visualize network threats, inefficiencies and usage. FortiAnalyzer is one of several versatile Fortinet Management Products that provide a diversity of deployment types, growth flexibility, advanced customization through APIs and simple licensing. Protecting Web Applications Because web applications are exposed to the Internet by definition, the PCI DSS standard addresses them in detail in requirement 6.6. Web Application Firewalls (WAFs) provide an important layer of protection against vulnerable code, configuration errors, and advanced threats. Figure 6 - Fortinet's comprehensive approach to accelerating PCI DSS compliance in Distributed Enterprise environments The FortiWeb WAF provides specialized, layered application threat protection for enterprises, application service providers, and SaaS providers. Using advanced techniques to provide bidirectional protection against malicious sources, network and application layer DoS attacks and sophisticated threats like SQL injection and XSS, FortiWeb platforms help prevent identity theft, financial fraud and denial of service.
7 Secure Distributed Healthcare Networks for PCI DSS 3.0 and HIPAA Compliance FORTINET White Paper 7 CONTROL OBJECTIVE 1. Build and Maintain a Secure Network and Systems 2. Protect Cardholder Data 3. Maintain a Vulnerability Management Program 4. Implement Strong Access Control Measures 5. Regularly Monitor and Test Networks 6. Maintain an Information Security Policy REQUIREMENT PCI DSS CONTROL OBJECTIVES 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters FORTINET SOLUTION FortiGate integrated firewall FortiDB vulnerability FortiAnalyzer OS vulnerability FortiWeb web application password checking 3. Protect stored cardholder data FortiDB vulnerability FortiWeb web application firewall 4. Encrypt transmission of cardholder data across open, public networks FortiGate IPSec VPN 5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need-to-know 8. Identify and authenticate access to system components 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for all personnel FortiGate integrated Antimalware FortiClient integrated Antimalware FortiToken integrated Antimalware FortiMail integrated Antimalware FortiGuard automated Antimalware updates FortiGate integrated network vulnerability for remote locations FortiDB vulnerability FortiWeb web application security FortiAnalyzer network vulnerability for centralized locations FortiDB vulnerability FortiGate integrated database or hooks to Active Directory Fortinet professional services in partnership with FortiPartner VAR solutions FortiDB assessing and monitoring FortiAnalyzer event reporting, vulnerability FortiDB vulnerability FortiAnalyzer OS vulnerability FortiManager security policy FortiAnalyzer OS vulnerability
8 Secure Distributed Healthcare Networks for PCI DSS 3.0 and HIPAA Compliance FORTINET White Paper 8 FortiGuard Labs: Delivering Constant Threat Protection The FortiGuard Global Threat Research Team continually updates Fortinet products to address the latest threats. Fortinet deploys a variety of security filters for a variety of products including traffic anomaly filters, vulnerabilitybased filters, IP reputation, and signatures. Given the speed with which new attacks are released to the wild, it is imperative that organizations have protection in place to guard against the latest attacks. FortiGuard Labs, utilizing data centers around the world located in secure, high availability locations, automatically deliver updates to the Fortinet security platforms. With the FortiGuard Subscription Services enabled, customers can rest assured that their Fortinet security platforms are performing optimally and protecting their corporate assets with the latest security technology. Increased Bandwidth and Lower Costs As Distributed Enterprises move to support Store of the Future opportunities they are consuming more bandwidth. Unfortunately, existing MPLS deployments cannot support the need for bigger pipes due to caps on bandwidth. Conclusion Today s distributed healthcare networks are faced with the daunting task of having to add new technology to their networks in order to remain competitive while keeping sensitive data flowing through those networks secure. PCI DSS and HIPAA are the foundation of security in these networks, and require a wide variety of mitigating controls be in place to protect cardholder data and patient health information. Fortinet s consolidated approach to network security enables the FortiGate product family to provide unmatched protection by delivering high performance and consolidated security, for both wired and wireless networks in each remote location or branch, as well as at the enterprise edge and in the data center. Specialized technologies, including FortiMail, FortiWeb, and FortiDB, protect mail, web applications, and databases respectively at the data center or headquarters locations. Together, these technologies provide a comprehensive solution to secure distributed healthcare networks and accelerate PCI and HIPAAcompliance. An alternative is to move to sending traffic over IPsec via the integrated VPN functionality within the FortiGate device. This transition can result in a 6X to 8X performance increase while lowering costs by 50% or more.
Building the Fortified Wireless LAN Consolidated, integrated security for wired and wireless networks FORTINET Building the Fortified Wireless LAN PAGE 2 Contents Introduction to Wireless Security... 3
A COALFIRE WHITE PAPER Using s Cloud & Data Center Security Solution to meet PCI DSS 3.0 Compliance Implementing s Deep Security Platform in a Payment Card Environment April 2015 Page 1 Executive Summary...
Continuous Compliance for Energy and Nuclear Facility Cyber Security Regulations Leveraging Configuration and Vulnerability Analysis for Critical Assets and Infrastructure May 2015 (Revision 2) Table of
s for PCI DSS Compliance A Trend Micro White Paper Addressing PCI DSS Requirements with Trend Micro Enterprise July 2010 I. PCI DSS AND TREND MICRO ENTERPRISE SECURITY Targeted threats, distributed environments,
White Paper: Managed Network Services Trends for Today s Enterprise Organizations Released December 2010 Spacenet Inc 1750 Old Meadow Road McLean, VA 22102 www.spacenet.com 866-480-2263 1 Table of Contents
Payment and Security Experts Implementing PCI A Guide for Network Security Engineers Updated For PCI Data Security Standard Version 1.2.1 Tom Arnold, CISSP, ISSMP, CFS, CPISM/A, PCI/QSA Partner, PSC Sponsored
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
PCI Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 1.2 For merchants and organizations that store, process or transmit cardholder data Contents Copyright 2008
Firewall Strategies June 2003 (Updated May 2009) 1 Table of Content Executive Summary...4 Brief survey of firewall concepts...4 What is the problem?...4 What is a firewall?...4 What skills are necessary
Chapter 3 Controls and Safeguards Solutions in this chapter: Data Security Program Security Controls Technical Safeguards Access Control Activity Logging and Monitoring Software Assurance Change Management
Standard: Version: 2.0 Date: June 2011 Author: PCI Data Security Standard (PCI DSS) Virtualization Special Interest Group PCI Security Standards Council Information Supplement: PCI DSS Virtualization Guidelines
White Paper Secure Network Access for Personal Mobile Devices What You Will Learn People around the globe are enamored with their smartphones and tablet computers, and they feel strongly that they should
Top 10 SIEM Implementer s Checklist Operationalizing Information Security Compliments of AccelOps www.accelops.com Table of Contents Executive Summary....................................................................
Customer Cloud Architecture for Big Data and Analytics Executive Overview Using analytics reveals patterns, trends and associations in data that help an organization understand the behavior of the people
Securing SCADA Infrastructure WHITEPAPER FORTINET SECURING SCADA INFRASTRUCTURE PAGE 2 Introduction Supervisory Control and Data Acquisition, or SCADA systems are specialized computer networks and devices
PCI DSS PCI Prioritized DSS Approach for for PCI DSS.0 The Prioritized Approach to Pursue PCI DSS Compliance The Payment Card Industry Data Security Standard (PCI DSS) provides a detailed, 1 requirements
Cyber-Security Essentials for State and Local Government Best Practices in Policy and Governance Operational Best Practices Planning for the Worst Case Produced by with content expertise provided by For
339 N. Bernardo Avenue Mountain View, CA 94043 www.airtightnetworks.net Overview With the rapid adoption of Wi-Fi networks by enterprise IT departments everywhere, network security now involves an entirely
Unified Security Monitoring Best Practices June 8, 2011 (Revision 1) Copyright 2011. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of
Trend Micro Deep Security Server Security Protecting the Dynamic Datacenter A Trend Micro White Paper August 2009 I. SECURITY IN THE DYNAMIC DATACENTER The purpose of IT security is to enable your business,
WHITE PAPER BENEFITS OF DEPLOYING CISCO UNIFIED COMMUNICATIONS WITHIN A CISCO INTELLIGENT NETWORK Adoption of IP Communications accelerated in 2005 as many businesses and organizations embraced this powerful
Virtual Patching: Lower Security Risks and Costs A Trend Micro White Paper, 2012 Trend Micro Deep Security Trend Micro, Incorporated» Hundreds of software vulnerabilities are exposed each month, and timely
Sponsored by VSS Monitoring Optimized Network Monitoring for Real-World Threats July 2011 A SANS Whitepaper Written by: Dave Shackleford Threat Overview Page 2 Drivers, Deployments and Gaps Page 3 Optimizing
Tenzing Security Services and Best Practices OVERVIEW Security is about managing risks and threats to your environment. The most basic security protection is achieved by pro-actively monitoring and intercepting
Securing Microsoft s Cloud Infrastructure This paper introduces the reader to the Online Services Security and Compliance team, a part of the Global Foundation Services division who manages security for