Healthcare and life science (HCLS) organizations face significant challenges when it comes to cloud network security. They:
Store high-value and sensitive data
Must comply with strict regulations including HIPAA
Need to minimize latency to provide the best possible patient and provider experience
Manage complex hybrid and multicloud architectures
Control cloud costs while maintaining security and performance
In a recent webinar, Aviatrix Senior Product Marketing Manager, Sam Pandey, and I discussed some of the cloud network security issues for healthcare organizations, focusing on the Blue Cross Blue Shield (BCBS) community. We explained how Cloud Native Security Fabric (CNSF) can overcome these challenges.
Key takeaways:
HCLS organizations like BCBS need cloud networks that are secure, performant, compliant, and cost-effective
CNSF provides end-to-end protection, repeatable architecture, secure site-to-cloud connectivity, and high-performance encryption for HCLS networks
Cloud Network Security Challenges for HCLS Organizations
I outlined some of the key challenges for HCLS organizations like BCBS when it comes to cloud network security:
HCLS Networks Contain Sensitive and Valuable Data
By nature, HCLS networks are attractive targets for threat actors: they carry personally identifiable information (PII) and protected health information (PHI, or ePHI when stored or transmitted electronically). Anyone who can access this type of data can attempt medical fraud, phishing, or even blackmail. As a result, regulations and frameworks like HIPAA, HITRUST CSF, and GDPR mandate certain cloud network security protections and have specific audit requirements.
With the Cloud, One Network Perimeter Becomes Many
Before 2015-2016, most healthcare networks operated in branch or office locations. These were on-premises environments behind a firewall that safeguarded the perimeter. With the rise of cloud service providers (CSPs) like AWS, Azure, and GCP, as well as the huge shift to remote work with the COVID-19 pandemic, data and traffic live in the cloud and users can log in from almost anywhere.
Application, workload, and user data became distributed. Architectures became much more dynamic as well, with organizations going through migrations and mergers and acquisitions as well as spinning up new accounts and moving workloads to different regions. This technically complex, dynamic, and distributed environment creates a wide attack surface for threats.
Compliance Standards are Getting Stricter
In response to a growing threat landscape and a steady stream of data breaches that expose sensitive data, regulatory bodies are updating HCLS compliance standards like HIPAA with stricter requirements for security policies, encryption, and identity and access management.
Cloud Networking Costs Can Be Staggering
Security costs and basic networking costs, like data transfer fees, add up. The totals can be staggering for enterprise HCLS networks even without considering advanced security options. These challenges create an urgent need for HCLS networks to have unified visibility, consistent security policy enforcement, and cost controls. Cloud Native Security Fabric (CNSF) offers all three.
Aviatrix Cloud Native Security Fabric
CNSF is a new market category in cloud network security spearheaded by Aviatrix. CNSF implements security that is:
Multicloud and multi-region – CNSF works across all the major cloud providers, including AWS, Azure, GCP, Oracle, and Alibaba.
Pervasive – CNSF integrates into the security ecosystem with other solutions like Wiz, Splunk, and Equinix.
Distributed – CNSF has a Distributed Cloud Firewall (DCF) feature that distributes firewalls throughout your network instead of forcing traffic through centralized chokepoints that increase latency. DCF pairs with a feature called Secure VPN that creates encrypted connections between physical sites like research centers or hospitals and the cloud, ensuring consistent firewall policies for all traffic.
Developer-friendly – CNSF supports Terraform and integrates security directly into landing zone creation so that when new applications are spun up, they are already in line with security policies.
Performant – Aviatrix CNSF uses a patented High Performance Encryption (HPE) solution that offers near line-rate encryption at up to 100 Gbps.
Automated – CNSF supports auto-scaling to scale up when demand is high but scale down in slower periods to save costs.
Simplified – CNSF creates an abstraction layer across CSPs to enable a common set of operations, security, and tooling, streamlining workflows and making them easier to maintain. The simplicity of CNSF shortens time to value and makes it quick to implement.
How CNSF Works
The Aviatrix control plane begins with the Aviatrix Controller and Aviatrix CoPilot, which are available through cloud service provider marketplaces. To begin, you spin up an Aviatrix Controller with high availability and then onboard your CSP accounts. This creates a management plane with a central point of automation for hybrid cloud management.
CNSF's transit architecture uses a hub-and-spoke design; the data plane is made up of transit and spoke gateways. These gateways run on EC2 instances in AWS, virtual machines in Azure, and so on across cloud service providers, creating a fully meshed, repeatable architecture across clouds. This single pane of glass gives you full visibility of your network and any anomalies. Aviatrix also integrates with Proofpoint to help you spot malicious flows in your architecture.
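As an added example (not code from the webinar or from Aviatrix), the following Terraform configuration shows what the hub-and-spoke data plane and a Distributed Cloud Firewall policy described above look like when expressed as code. Resource and argument names follow the public Aviatrix Terraform provider (AviatrixSystems/aviatrix) as I know them; verify them against the provider documentation for your Controller version. Every account name, VPC ID, subnet, tag, and partner CIDR is a placeholder, and the "Anywhere" smart group UUID is taken from the provider docs as I recall it and should be checked.

```hcl
terraform {
  required_providers {
    aviatrix = {
      source = "AviatrixSystems/aviatrix"
    }
  }
}

# Controller credentials are assumed to come from variables fed by a secrets
# manager; never commit them to the repository.
provider "aviatrix" {
  controller_ip = var.controller_ip
  username      = var.controller_username
  password      = var.controller_password
}

# Hub: a transit gateway in the AWS transit VPC with HPE ("insane mode") on.
resource "aviatrix_transit_gateway" "aws_transit" {
  cloud_type     = 1                        # 1 = AWS in the provider's enumeration
  account_name   = "aws-hcls-prod"          # placeholder onboarded account
  gw_name        = "transit-aws-use1"
  vpc_id         = "vpc-0123456789abcdef0"  # placeholder
  vpc_reg        = "us-east-1"
  gw_size        = "c5n.xlarge"
  subnet         = "10.0.0.0/24"            # placeholder transit subnet
  insane_mode    = true                     # High Performance Encryption
  insane_mode_az = "us-east-1a"
}

# Spoke: a gateway in the EHR application VPC, attached to the hub.
resource "aviatrix_spoke_gateway" "ehr_spoke" {
  cloud_type   = 1
  account_name = "aws-hcls-prod"
  gw_name      = "spoke-ehr-use1"
  vpc_id       = "vpc-0fedcba9876543210"    # placeholder
  vpc_reg      = "us-east-1"
  gw_size      = "t3.medium"
  subnet       = "10.10.0.0/24"             # placeholder spoke subnet
}

resource "aviatrix_spoke_transit_attachment" "ehr_to_transit" {
  spoke_gw_name   = aviatrix_spoke_gateway.ehr_spoke.gw_name
  transit_gw_name = aviatrix_transit_gateway.aws_transit.gw_name
}

# Distributed Cloud Firewall: enable it, group workloads by identity rather
# than by IP, then permit one flow and deny (and log) everything else.
resource "aviatrix_distributed_firewalling_config" "dcf" {
  enable_distributed_firewalling = true
}

resource "aviatrix_smart_group" "ehr_app" {
  name = "ehr-app"
  selector {
    match_expressions {
      type = "vm"
      tags = { app = "ehr" }                # placeholder workload tag
    }
  }
}

resource "aviatrix_smart_group" "partner_api" {
  name = "partner-api-clients"
  selector {
    match_expressions {
      cidr = "172.16.0.0/16"                # placeholder partner range over Site2Cloud
    }
  }
}

locals {
  # Built-in "Anywhere" smart group UUID as documented by the provider (assumed).
  anywhere = "def000ad-0000-0000-0000-000000000000"
}

resource "aviatrix_distributed_firewalling_policy_list" "hcls" {
  policies {
    name             = "allow-partner-to-ehr-https"
    action           = "PERMIT"
    priority         = 0                    # lowest number is evaluated first
    protocol         = "TCP"
    logging          = true                 # flow records for the audit trail
    watch            = false
    src_smart_groups = [aviatrix_smart_group.partner_api.uuid]
    dst_smart_groups = [aviatrix_smart_group.ehr_app.uuid]
    port_ranges {
      lo = 443
      hi = 443
    }
  }
  policies {
    name             = "default-deny-all"   # explicit, logged default deny
    action           = "DENY"
    priority         = 1000
    protocol         = "ANY"
    logging          = true
    watch            = false
    src_smart_groups = [local.anywhere]
    dst_smart_groups = [local.anywhere]
  }
}
```

The design choice worth noting is the explicit, logged default deny as the last policy: it is what turns segmentation into evidence, because every lateral-movement attempt that is not on the allow list produces a record that an auditor or an incident responder can pull. Set `watch = true` on the deny rule first if you want to observe what would be dropped before enforcing it in a production EHR environment.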

Case Study #1: Maximizing Security and Performance while Minimizing Costs
I cited a case study involving a state-based healthcare organization with 2.5 million members. This organization faced several significant challenges:
Costs – This organization’s data transfer costs for a network that included two AWS regions and two Azure regions were both high and unpredictable.
Compliance – This organization struggled to meet strict regulations for their multicloud environment.
Aviatrix CNSF transformed this organization’s network in two ways:
Cost – Aviatrix does not charge based on data volume as CSPs do. By replacing an AWS gateway with an Aviatrix gateway, we saved this organization a large amount in data volume fees.
Compliance – Aviatrix offers full encryption and visibility for traffic flows to help this organization meet its regulatory requirements.
Ultimately, Aviatrix helped this organization achieve a 52% reduction in multicloud networking spend by eliminating many of those data transfer fees, as well as improved uptime for one of its core applications, an enterprise data marketplace.
Case Study #2: Zero Trust Network Segmentation
A second case study references a super-regional state-based healthcare company with multiple regions in AWS, Azure, and GCP as well as data centers. Onboarding new partners was slow, complex, manual, and expensive. They struggled to effectively implement network segmentation, a necessary security strategy to prevent lateral movement in the event of a breach and minimize the potential blast radius of an incident.
Aviatrix CNSF offered this organization a holistic, unified framework to build a repeatable architecture with network segmentation across AWS, Azure, and GCP. By integrating with Palo Alto Networks, Aviatrix CNSF brought next-generation firewalls (NGFWs) into this multicloud ecosystem. CNSF centralized network management and automation.
Aviatrix CNSF was able to meet a specific need for this organization: they had their "crown jewel" application in GCP and moved their electronic health records to GCP. Part of that project meant that they needed 20 Gbps of private access to Google APIs. CNSF was able to provide that access, empowering this organization to onboard major partners in weeks instead of months.
Case Study #3: High-Performance Encryption for Legacy Applications
The third case study concerned an independent state-based healthcare organization on the West Coast. This organization had two AWS regions and had plans to expand to two regions in GCP. One particular challenge was that this organization’s partner VPN connections terminated in a physical data center on physical hardware. As their physical hardware came to end-of-life, this organization had to determine whether to refresh the hardware or move their connections to Azure.
With Aviatrix, they decided to move those connections to Azure and terminate them on Aviatrix CNSF. CNSF also provided HPE for connections back to their legacy applications in a data center, creating a repeatable architecture which enabled them to expand to GCP as planned.
With healthcare-related data breaches increasing in frequency and scale, HCLS organizations like BCBS need to level up their cloud network security. CNSF strengthens security controls while enhancing cost management and performance to help organizations scale and continue to improve patient care and provider ease-of-use. Schedule a demo to see how CNSF can transform your HCLS organization’s network defenses.
Watch the full BCBS webinar on-demand: "BCBS Security Playbook: Learn Proven Cloud Native Security Strategies."
Learn more about how Aviatrix CNSF helps HCLS organizations overcome the healthcare compliance crisis.