Cybersecurity On The Front Lines

With healthcare leading the most at-risk industries, Wayne Smith, head of cybersecurity at Firelands Regional Medical Center, takes us through his network security strategy.

We’re starting a new podcast series devoted to providing practical advice to pros trying to tackle their day-to-day cybersecurity challenges in the real world. To get there, we’re interviewing a few of our partners and customers, representing organizations of all shapes and sizes, and getting to know all the tools, policies, and procedures they rely on every day.

Episode Table of Contents

• [01:09] The Firelands Security Stack
• [06:20] Backups and Disaster Recovery
• [07:55] Web Filtering and DNS Filtering
• [11:30] The State of Healthcare Network Security
• [15:52] Are Security Frameworks Important?
• [17:45] Layering Up to Quiet the Noise

Cybersecurity in Healthcare, with Firelands

In our first podcast, we’re focusing on healthcare with Wayne Smith, who heads up cybersecurity at Firelands Regional Medical Center, a 227-bed hospital located in Sandusky, Ohio. For a relatively small healthcare organization, they demonstrate particular sophistication and expertise in cybersecurity, and they juggle their IT priorities extremely well.

Who is Wayne Smith?

Wayne has over 13 years of experience in networking, IT infrastructure, and cybersecurity. He’s worked at Firelands for 11 years. Initially charged with infrastructure (servers, router switching, and firewalls), he’s been prioritizing cybersecurity more and more over time.

Prior to joining healthcare, Wayne worked as a VAR consultant, first delving into cybersecurity in 1999 with an email filtering tool. His background is a strong asset to Firelands, whose mission is to stop security attacks before they reach the desktop. And as most breaches start out with email, they use three layers of email filtering, much of it open-source and configured to prevent anything bad from reaching their users.

In our interview, Wayne walked us through a unique and certainly thorough network security philosophy. We asked him to share details around his cybersecurity stack, to explain what he uses behind the scenes, and how the hospital deals with training and disaster recovery.

The Firelands security stack

Firelands uses Sentinel Outpost furthest out on the edge of the network. Then, off a tap, they have a Security Onion device running Emerging Threats Pro rules. At the gateway, it’s a FortiGate with an additional IPS module and other tweaks to its configuration. Wayne explained that on the tap, in addition to Security Onion, there’s a commercial sandbox, which has the functionality for a sniffing interface that can trigger IDS alerts. That gives the hospital another view into the world in front of the firewall.

For additional visibility, Firelands uses a managed SIEM on the inside, with two ELK stacks – one focused on the inside and one on the outside. Wayne shared his experience of struggling to find security partners who fit Firelands’ specific requirements, especially around EDR products.

Staff security training

Firelands employees receive regular security training, and the hospital uses a tool called Report It that allows for anything suspicious to be flagged to the service desk and security team. Firelands prioritizes stopping issues before they impact patient care. It’s also why, before blocking anything, the security team spends a considerable amount of time understanding the ramifications that any restrictions might have.

Backups and disaster recovery

Firelands is currently transitioning to a cloud-based solution specific to their primary EMR system. It keeps their medical information backed up, secure, and clean.

The hospital is also exploring solutions to place more data into the cloud. While the cloud can be a more cost-effective way of storing data, and precautions are being taken due to the sensitivity of patient information, cloud security is complicated, and these aren’t decisions that are taken lightly. The priority to protect patient data also means all their vendors are vetted and must demonstrate significant healthcare expertise. Firelands never makes compromises for vendors who will not strictly adhere to security best practices.

Web filtering and DNS filtering

Firelands relies heavily on web filtering, multiple layers of DNS filtering, and additional restrictions on specific user activity, like file downloads. For example, Firelands has a very limited number of users who can download executables from the Internet. These policies all relate back to the strategy of fighting the war before it reaches the endpoint.

When we asked about whether the security team at Firelands receive a lot of pushback from the organization in terms of locking things down, Wayne explained they don’t. When Wayne started his role at Firelands, a vulnerability assessment had just been carried out. The assessment had not only highlighted areas of improvement but also allowed Wayne to have a say in what the security environment should look like.

Whenever a security bypass is requested, the team works together to assess the potential risks, and passing the information along to the hospital’s executives to make the best possible decision. In Wayne’s opinion, executive buy-in is easy to get as long as the security department can show they are using existing tools and technology in the best possible way.

In our estimation, Firelands’ security posture is significantly ahead of other smaller healthcare organizations. They’ve been slowly but surely implementing more measures for several years now, thanks to Wayne’s experience working at an ISP at a time when cyberattacks were frequent and tightening rules was a necessity.

Are security frameworks important?

We also asked Wayne about security frameworks, such HITRUST, CIS Controls, or NIST. Wayne’s view is that while frameworks are incredibly helpful, updates to them can take time, and attackers are quicker. At Firelands, the focus is on identifying and covering any holes to stop the organization from fighting the war on the workstation. Wayne explains that when the threat gets to that stage, it is a harder battle to fight.

Why Sentinel?

When we asked Wayne about why and how Firelands chose Sentinel as one of their vendors, Wayne explained they were implementing a model that would utilize multiple vendors to firewall traffic before it reached the inside of their environment. Additional firewalls allow for extra filtering, like DNS filtering, for example. So Firelands started looking into options for a Layer 2 firewall in front of the head-end firewall for cleaning out attacks.

When looking at their firewall logs, the team noticed that a lot of the traffic hitting them was from benign scanners. They started looking at those IP addresses on VirusTotal and quite often Sentinel’s CINS Army list would pop up, blocking some of the most egregious ones.

Firelands started looking into who produced the CINS list, and that’s how they found us.
The decision to have an additional layer also meant that a lot of traffic that Firelands did not need to worry about would be blocked. All remaining traffic that was getting blocked at the firewall or that triggered the firewall IDS started to become more relevant. Investigating that traffic made sense because the attacker had to work harder to get that far.

Conclusion

Firelands has a strong cybersecurity posture because they started early. They commissioned a vulnerability assessment and penetration tests, and they were willing to look at those results objectively to find the most important holes, and get them filled in.

While this is an attitude that not many organizations share, our conversation with Wayne proves that failing to understand, highlight, and then resolve any weaknesses when it comes to cybersecurity only leaves a company exposed to further and more serious (and potentially expensive) damage.

Wayne’s wide set of skills and experience certainly contribute to the amount of buy-in he has in his organization. But when it comes to security, Firelands is doing things the correct way, as long as, at their core, they can still prioritize patient care.

For more information on how some of our clients prioritize their budget decisions and use various tools across their networks, check out our monthly podcast. We share honest, objective takes from real people fighting bad actors on the front lines.