Healthcare organizations allowing mobile devices to access IT infrastructure need to manage which devices are granted rights to their network. Network access control (NAC) protects the network by passing devices through security clearance protocols before network access is granted.
NAC designates a set of security protocols that communicate with the network, directing the network on how each individual device is cleared to access the secure network. NAC defines where users can go on the network with their device and what they can do with the information accessed.
The service activates the first time a device attempts to access the network. The device is only permitted to access the security resources the NAC solution uses to allow or deny the device access to the network. Once the device is cleared, the NAC solution can implement role-based restrictions based on the user’s clearance level or other restriction criteria determined by the IT department.
NAC is also used to check the health of endpoint devices. NAC restricts access to certain parts of the network based on antivirus and antimalware scans. If a device does not meet the minimum antivirus requirements, it is denied access to the network.
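The admission flow described in the two paragraphs above, sketched as an added Python example (not code from the article or from any NAC product): a device is held on assessment-only resources at first contact, denied if it misses the minimum antivirus requirements, and otherwise given role-based access. The thresholds, role names and segment names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy values; a real deployment sets these in its NAC product.
MAX_SIGNATURE_AGE_DAYS = 7
MAX_SCAN_AGE_DAYS = 14
ASSESSMENT_ONLY = frozenset({"nac-assessment"})  # hypothetical segment name
ROLE_SEGMENTS = {                                 # hypothetical roles and segments
    "clinician": frozenset({"ehr", "imaging", "internet"}),
    "billing": frozenset({"billing", "internet"}),
    "guest": frozenset({"internet"}),
}

@dataclass
class Posture:
    av_running: bool
    signatures_updated: date
    last_full_scan: date
    last_scan_clean: bool

@dataclass
class Decision:
    admitted: bool
    segments: frozenset
    reasons: tuple

def posture_failures(p, today):
    """Return the minimum-antivirus requirements this device does not meet."""
    checks = [
        (p.av_running, "antivirus not running"),
        ((today - p.signatures_updated).days <= MAX_SIGNATURE_AGE_DAYS, "signatures out of date"),
        ((today - p.last_full_scan).days <= MAX_SCAN_AGE_DAYS, "full scan too old"),
        (p.last_scan_clean, "last scan found malware"),
    ]
    return [reason for ok, reason in checks if not ok]

def evaluate(posture, role, today):
    """Admission decision; posture is None until the device has been assessed."""
    if posture is None:
        # First contact: only the NAC assessment resources are reachable.
        return Decision(False, ASSESSMENT_ONLY, ("posture not yet assessed",))
    failures = posture_failures(posture, today)
    if failures:
        return Decision(False, frozenset(), tuple(failures))
    segments = ROLE_SEGMENTS.get(role)
    if segments is None:  # unknown role: default deny, no fallback role
        return Decision(False, frozenset(), ("no policy for role",))
    return Decision(True, segments, ())
```

The decision carries its reasons so that a denied device can be logged with the specific requirement it failed.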
NAC is not new to the enterprise IT infrastructure security world. Gartner points out in their 2016 NAC Market Guide that the NAC market is mature, as shown by the smaller number of vendors and the “relative stability of NAC capabilities,” making them solid solutions.
One of the key motivators for implementing NAC technology was the rise of bring-your-own-device (BYOD). Some organizations embraced BYOD and implemented policies for the secure use of personal devices to access corporate data. Organizations that did not implement a BYOD policy or officially restrict the use of personal devices on the corporate network were faced with unauthorized BYOD and shadow IT due to the consumerization of IT.
Consumer devices began to technologically surpass enterprise devices. Personal mobile devices and apps downloaded from public app stores provided users with better ways to work. Users were not aware of the danger their unauthorized personal devices were putting the network in, forcing organizations to officially allow the use of personal devices under strict policies, or ban the use of personal devices altogether.
Partners Healthcare CISO Robert Jennings Aske shared with HealthITSecurity.com the difficulty his organization had because employees wanted to use technology they were familiar with on their personal devices to access the secure network. Aske stated:
“We have a ‘Dropbox problem’ where people want to bring [file-sharing solutions] into work and we tell them ‘no’. But we do recognize that as a problem in that they should use tools like that, so we’re looking at corporate equivalents. And we’re also looking at technologies like network access control (NAC) to better secure the personal devices people are bringing into the workplace.”
Steve Piper, CEO of CyberEdge Group, told HealthITSecurity.com, “NAC is an important weapon within many organizations’ arsenals and for good reason. Many [see NAC] as a versatile tool that could support protection efforts ranging from BYOD policy enforcement to configuration management.”
The Gartner Market Guide advises IT security managers selecting an NAC solution to:
- Justify investment in NAC by evaluating the impact of improved visibility and control on the organization's risk exposure.
- Determine which enterprise mobility management (EMM) solutions are already installed on the network to identify providers that have direct integration with these existing EMM solutions.
- Utilize profiling features for Internet of Things (IoT) device identification to establish a continual process for discovering these devices on the enterprise network.
BYOD policies and the rise of the internet of things (IoT) in healthcare organizations increase the number of points of connection on an organization’s network. More connections equal more opportunities for malware to invade the network.
Organizations should invest in NAC solutions to improve control and visibility of network access and increase control of IoT and BYOD. Denying network access to potentially harmful devices prevents malware from accessing the network through personal devices.