Cybersecurity Practice #6: Network Management (small)

Modified on Wed, 14 Jun, 2023 at 12:52 PM

Computers communicate with other computers through networks. These networks are connected wirelessly or via wired connections (e.g., network cables), and networks must be established before systems can interoperate. Networks that are established in an insecure manner increase an organization’s exposure to cyberattack.


Proper cybersecurity hygiene ensures that networks are secure and that all networked devices access networks safely and securely. Even if network management is provided by a third-party IT support vendor, the organization must understand key aspects of proper network management and ensure that they are included in contracts for these services.


Sub-Practices for Small Organizations

 

6.S.A

Network Segmentation

NIST FRAMEWORK REF: PR.AC-5, PR.AC-3, PR.AC-4, PR.PT-3

Configure networks to restrict access between devices to only what is required to complete work. This limits how far a cyberattack can spread across your network.

  • Disallow all access from the Internet into your organization’s network. If you host servers that interface with the Internet, consider using a third-party vendor who will provide security as part of the hosting service.
  • Restrict access to assets with potentially high impact in the event of compromise. This includes medical devices and internet of things (IoT) items (e.g., security cameras, badge readers, temperature sensors, building management systems).
  • Just as you might restrict physical access to different parts of your medical office, it’s important to restrict the access of third-party entities, including vendors, to separate networks. Allow them to connect only through tightly controlled interfaces. This limits the exposure to and impact of cyberattacks on both your organization and on the third-party entity.
  • Establish and enforce network traffic restrictions. These restrictions may apply to applications and websites, as well as to users in the form of role-based controls. Restricting access to personal websites (e.g., social media, couponing, online shopping) limits exposure to browser add-ons or extensions, in turn reducing the risk of cyberattacks.

 

6.S.B

Physical Security and Guest Access

NIST FRAMEWORK REF: PR.AC-4, PR.AC-2, PR.PT-3, PR.AC-5

Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure physical rooms and wireless networks to allow internet access only.


  • Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks.
  • Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user “plugging in” to an empty port to access your network.
  • In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
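
The segmentation rules in 6.S.A and the guest network rule above can be checked against what the firewall actually permits. The following is an added example, not part of the original article: the subnets, the allow-list and the log format are constructed assumptions, and it flags every permitted flow that crosses a segment boundary without a matching rule.

```python
import ipaddress

# Constructed zone plan (assumption): one subnet per network segment.
ZONES = {
    "office":  ipaddress.ip_network("10.10.10.0/24"),
    "medical": ipaddress.ip_network("10.10.20.0/24"),  # medical devices and IoT
    "vendor":  ipaddress.ip_network("10.10.30.0/24"),
    "guest":   ipaddress.ip_network("10.10.40.0/24"),
}

# Allow-list of (source zone, destination zone, port; None = any). Default is deny.
ALLOWED = {
    ("office", "internet", 443),
    ("vendor", "medical", 443),   # the one tightly controlled vendor interface
    ("guest", "internet", None),  # guests get Internet access only
}

def zone_of(addr):
    for name, net in ZONES.items():
        if ipaddress.ip_address(addr) in net:
            return name
    return "internet"  # anything outside the plan is treated as the Internet

def is_allowed(src, dst, port):
    s, d = zone_of(src), zone_of(dst)
    if s == d != "internet":  # same-segment traffic never crosses the firewall
        return True
    return (s, d, port) in ALLOWED or (s, d, None) in ALLOWED

def audit(log_lines):
    """Return (src_zone, dst_zone, line) for each permitted flow that breaks the plan."""
    findings = []
    for line in log_lines:
        action, src, dst, port = line.split()
        if action == "ALLOW" and not is_allowed(src, dst, int(port)):
            findings.append((zone_of(src), zone_of(dst), line))
    return findings

# Constructed firewall log lines in the form "ACTION SRC DST DPORT".
SAMPLE_LOG = [
    "ALLOW 10.10.10.15 198.51.100.20 443",  # office to Internet: in plan
    "ALLOW 10.10.40.7 10.10.10.20 445",     # guest reaching the office segment
    "ALLOW 203.0.113.50 10.10.20.5 3389",   # Internet reaching a medical device
    "ALLOW 10.10.30.4 10.10.20.5 443",      # vendor via controlled interface
    "DENY 10.10.40.7 10.10.20.5 80",        # already blocked, not a finding
    "ALLOW 10.10.20.5 198.51.100.9 8080",   # medical device talking outbound
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("violation %s -> %s: %s" % finding)
```

Each finding points to a firewall rule that is broader than the segmentation plan and should be tightened or removed.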

 

6.S.C

Intrusion Prevention

NIST FRAMEWORK REF: PR.IP-1

Implement intrusion prevention systems as part of your network protection plan to provide ongoing protection for your organization’s network. Most modern firewall technologies that are used to segment your network include an intrusion prevention system (IPS) component. Implementing IPS and configuring them to update automatically reduces your organization’s vulnerability to known types of cyberattacks.

IPS are available as part of a suite of next-generation network applications or as stand-alone products that can be added to existing networks.


Threats Mitigated

  1. Ransomware attack
  2. Loss or theft of equipment or data
  3. Insider, accidental or intentional loss of data
  4. Attacks against medical devices that may affect patient safety
