A potential solution for improving critical IT infrastructure security

[dfd_single_image image=”1768″]

As a senior solution architect, I am always concerned about ensuring that the core systems are secure and working effectively.  The recent hacking of various Government and health networks has yet again highlighted the hacking risks we all face in today’s internet world.  When the Federal Parliament House network, one of the best designed and defended data networks can be breached, it goes without saying that any business that uses internet technology is at risk.  Especially small to medium businesses, who do not have the resources or expertise to build and monitor rigorous hacking activity. There was a time when the biggest risk was having a server or PC crash, but today that is only part of the story.   As all of our security specialists state, we need to build layered, actively monitored security. But it that possible for small to medium business?  If a business stores personal customer information the time will come when it when it will be essential, as one significant data breach could potentially put an end to their business.

So how can we protect sensitive information? This will depend upon the sector, and the technology the sector uses. In both the health and the utility sectors I can see this coming sooner than for other industries, because of the public outcry and impact a breach has on our communities. One approach that would substantially improve the situation would be to create an isolated network for these industries. if we look at the health sector, there are over 12,900 GP clinics and16,585specialists, all of whom are prime candidates for hackers.

One solution would be to create a private network, servicing the GP clinics that could be run by the RAGCP in each state, each practice would have a commercial grade firewall router, running a secured link to a central router, and all of the clinics data would be passed across this link. The central router would provide a connection to the internet and secured connections to other health networks, e.g. medicare, andmanage viruses and actively monitor for illegal access attampts.The staff at the clinic would not see any change in their access to health services, but all of their traffic would be secure and continually monitored for hacking attempts. This approach would also address the ‘end-point’ security issues associated with the MHR system by ensuring that hackers cannot get accessto a patient’shealth data via a doctor’s PC.

The same approach could be used for other health services providers. While installing and managing an isolated network is expensive, I believe that if we look at the down side risk of the current environment, it would be a good investment. A network of this type could also be used to increase the integration of clinics with other health providers.

Similar approaches could be implemented for other industry sectors where the risk of being hacked is justified. A number of people have called for Government intervention, I do not believe that is needed. There are many industry hardware providers that could provide these types of solutions, and the Australian Signals Directorate(ASD) could provide oversight on the implementation and operation of the networks to ensure the hacking risks are managed appropriately over time. So it is possible to substantially reduce the risk of hacking attempts that could seriously affecting the Australian community, through the smart use of network technology.

Ross Anderson
Chief Technologist
EVADO Clinical Software