The internet can be a swamp of hackers, crackers, and hucksters attacking your systems for fun, profit and fraud. Defending your data and applications against this onslaught is a cold war, requiring constant escalation of new techniques against an ever-increasing offense.

Clinicians are mobile people.  They work in ambulatory offices, hospitals, skilled nursing facilities, on the road, and at home.   They have desktops, laptops, tablets, iPhones and iPads.  Ideally their applications should run everywhere on everything.   That's the reason we've embraced the web for all our built and bought applications.   Protecting these web applications from the evils of the internet is a challenge.

Five years ago all of our externally facing web sites were housed within the data center and made available via network address translation (NAT)  through an opening in the firewall.   We performed periodic penetration testing of our sites.  Two years ago, we installed a Web Application Firewall (WAF) and proxy system.    We are now in the process of migrating all of our web applications from NAT/firewall accessibility to WAF/Proxy accessibility.

We have a few hundred externally facing web sites.  From a security view there are only two types, those that provide access to protected health information content and those that do not.   Fortunately more are in the latter than the former.

One of the major motivations for creating a multi-layered defense was the realization that many vendor products are vulnerable and even when problems are identified, vendors can be slow to correct defects.   We need  "zero day protection" to secure purchased applications against evolving threats.

A multi-layered defense includes the following technologies:

1.  Filter out basic network probes at the border router such as traffic on unused ports

2.  Use Intrusion Prevention Systems (IPS) to block common attacks such as SQL injection and cross-site scripting. We block over 10,000 such attacks per day. You could implement multiple IPSs from different vendors to create a suite of features, including URL filtering, which prevents internal users from accessing known malware sites.

3.  A classic firewall and Demilitarized Zone (DMZ)  to limit the "attack surface".

Policies and procedures are an important aspect of maintaining a secure environment.   When a request is made to host a new application, we start with a Nessus vulnerability scan.

Applications must pass the scan before we will consider hosting them. We built a simple online request form for these access requests, both to track the requests and to keep the data in a SQL database. This provides the data source for an automated re-scan of each system.
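A sketch of how such a request database can drive both the hosting gate and the re-scan queue. This is an added example, not code from the author's environment: the table and column names, the hostnames, and the 30/90-day re-scan intervals are assumptions, and the scanner itself is not invoked.

```python
import sqlite3
from datetime import date, timedelta

# Assumed policy (not from the article): PHI sites are re-scanned more often.
RESCAN_DAYS = {1: 30, 0: 90}

SCHEMA = """
CREATE TABLE hosting_request (
    id               INTEGER PRIMARY KEY,
    hostname         TEXT NOT NULL UNIQUE,
    has_phi          INTEGER NOT NULL CHECK (has_phi IN (0, 1)),
    last_scan        TEXT,     -- ISO date of last scan, NULL if never scanned
    last_scan_passed INTEGER   -- 1 = passed, 0 = failed, NULL = never scanned
)"""

# Constructed sample inventory, as the request form might have recorded it.
SAMPLE = [
    ("portal.example.org",    1, "2024-01-05", 1),
    ("cafeteria.example.org", 0, "2024-01-05", 1),
    ("newapp.example.org",    1, None,         None),
    ("vendorapp.example.org", 0, "2023-09-01", 0),
]

def open_inventory(rows):
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany(
        "INSERT INTO hosting_request (hostname, has_phi, last_scan, last_scan_passed)"
        " VALUES (?, ?, ?, ?)", rows)
    return db

def approved_for_hosting(db, hostname):
    """Gate: only a system whose most recent scan passed may be hosted."""
    row = db.execute("SELECT last_scan_passed FROM hosting_request"
                     " WHERE hostname = ?", (hostname,)).fetchone()
    return row is not None and row[0] == 1

def due_for_rescan(db, today):
    """Hosts never scanned or past their interval, PHI systems first."""
    due = []
    query = ("SELECT hostname, has_phi, last_scan FROM hosting_request"
             " ORDER BY has_phi DESC, hostname")
    for hostname, has_phi, last_scan in db.execute(query):
        interval = timedelta(days=RESCAN_DAYS[has_phi])
        if last_scan is None or date.fromisoformat(last_scan) + interval <= today:
            due.append(hostname)
    return due

if __name__ == "__main__":
    inventory = open_inventory(SAMPLE)
    print(due_for_rescan(inventory, date(2024, 2, 10)))
```
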

Penetration testing of internally written applications is a bit more valuable because they are easier to update/correct based on the findings of penetration tests.

One caveat. The quality of penetration testing is highly variable. When we hire firms to attack our applications, we often get a report filled with theoretical risks that are not especially helpful, for example: if your web server was accidentally configured to accept HTTP connections instead of forced HTTPS connections, the application would be vulnerable. That's true, and if a meteor struck our data center, we would have many challenges on our hands. When choosing a penetration testing vendor, aim for one that can put their findings in a real-world context.

Thus, our mitigation strategy is to apply deep wire-based security, utilize many tools including IPS, traditional firewalls, WAF and proxy servers, and perform periodic, recurring internal scans of all systems that are available externally to our network.

Of course, all of this takes a team of trained professionals.

I hope this is helpful for your own security planning.

John Halamka, MD, is the CIO at Beth Israel Deaconess Medical Center and the author of the popular Life as a Healthcare CIO blog, where he writes about technology, the business of healthcare and the issues he faces as the leader of the IT department of a major hospital system. He is a frequent contributor to THCB.


1 Response for “A Multi-Layered Defense for Web Applications”

  1. websites says:

    Is your website easy to read? If not, you will not make any sales. Using a landing page is the best way to sell anything on the internet today. Give away something for free and collect the Name and Email Address for future use. Get a simple blog going to generate traffic. This will work to get your website going and make money.
    Robert
