Case Study: Protecting Electronic Medical Records
Nebraska Medicine CIO Brian Lancaster Explains Move to Virtualization, Microsegmentation
Virtualization and microsegmentation are helping to better protect electronic medical records and other critical systems and data at Nebraska Medicine, says the health system's CIO, Brian Lancaster.
Microsegmentation is an outgrowth of Nebraska Medicine's move to virtualize its infrastructure, he explains in an interview with Information Security Media Group.
"A couple of years ago, we had a need to migrate from one data center to a new private cloud data center. As part of the process, we took all the systems that were physical and virtualized as many as we could, which ended up as a high degree of virtualization," Lancaster says.
"We sat down with our strategic partner, VMware, to look at what else we could do to give us benefits, and that led us down the path of network virtualization, with the primary or initial purpose of microsegmenting our electronic medical record environment."
The rapid digitization of patient records over the last several years has contributed to making the healthcare sector a prime target for cybercriminals, Lancaster says.
"To be honest, the healthcare industry's security controls haven't always kept up," he says. "So healthcare is a big target, a lucrative target. And we want to be sure we have as secure an environment as possible."
Nebraska Medicine is an academic health system with two hospitals, more than 1,000 physicians and 40 specialty and primary care clinics in Omaha and surrounding areas. The organization's electronic medical records system presents its biggest cyber risk, Lancaster says.
"It's a challenging environment. It has over 150 servers. It touches all aspects of our infrastructure ... And it also has many physical server components."
The CIO notes: "Our biggest risk isn't our secure perimeter, which is compliant through our firewall; it's really what happens once someone gets into our systems via a phishing attack or user error, or something of that nature."
Virtualization and microsegmentation help protect Nebraska Medicine's "most valuable assets" - its EMR - by protecting "east to west" network traffic, he says.
"Fundamentally, if you're able to restrict port traffic and open ports, it allows us to have more assurances if a breach occurs. At the server level - east-west traffic - it'll be restricted to one area and not get full access to additional systems and data."
In the interview, Lancaster also discusses:
- The security pros and cons of microsegmentation;
- Challenges in protecting enterprise EMR systems;
- Other security priorities for Nebraska Medicine this year.
As vice president of information technology and CIO at Nebraska Medicine, Lancaster is responsible for the vision, direction, coordination and oversight of the delivery of the highest quality information technology to the enterprise. Previously, he worked for EMR provider Cerner, where he was responsible for the strategy and direction of the population health management solutions and business unit.