- Patient data to be backed up, with off-site backups
- Patient data to be treated as sensitive data, should be kept within the network
- All end devices to be protected against ransomware and other attacks
- IPSEC VPN from office to remote location, with off-site firewall dialing in to establish VPN connection even when behind NAT device
- Windows server performs incremental backups locally every 15 minutes, and full backup once a week to a NAS located offsite through VPN tunnel
- Data Leak Prevention technology used to prevent patient files from leaving the network through the internet
- IPS and anti-malware services running at the network edge to prevent attacks from entering the network
When Clinic P approached Megatron Technology, it had foreseen legislative changes which would require healthcare service providers to place more of an emphasis on data protection and business continuity. Initially, its network was like any other SME's network—a router with wireless capabilities providing internet access, and a NAS with which to store patient records.
Clinic P knew that it's patient records were not backed up (except for a built in RAID array, if one considers that a backup), and that the lost of these records would have tremendous implications for the business. Clinic P wanted a solution which would allow for access and retrieval of patient records even when the clinic was inaccessible.
In addition, Clinic P wanted to ensure that its end devices were protected against malware and ransomware to protect against having all patient data encrypted or illegally transported out of the network.
Megatron Technology identified a solution which would achieve all of these requirements with minimal hardware procurement. First, Megatron Technology implemented a site-to-site VPN from the clinic to a remote location using two small firewalls. Without static IP addresses, Megatron Technology leveraged upon the built in Dynamic DNS service, configuring one firewall to dial in to the other firewall and send keep-alives to keep the tunnel up at all times.
Megatron Technology replaced the NAS with a small Windows Server, and placed the server in the office behind the firewall. The NAS was then moved to the remote location as the off-site backup storage. The server was configured to remotely backup all data into the NAS every weekend when no one was in the clinic. The VPN ensured that all data traversing the internet is encrypted.
The wireless router was converted to a wireless bridge and placed behind the firewall, and Unified Threat Management was turned on at the firewall. With Intrusion Prevention and Application Visibility, potentially dangerous applications were blocked. With this, most attack signatures were detected and dropped at the firewall, and blocking connections to TOR acted as a second layer of protection.
Data Leak Protection was also implemented at the firewall, such that any unauthorised sending of patient records out of the network were blocked at the firewall.