With trends like work from home, remote patient monitoring, acute care at home, new ambulatory care models, etc., the topic of endpoint protection has become even more important for leaders who aspire to be business enablers.
This article is the fourth in a series. In the first article, we looked at the reasons for adopting Health Industry Cybersecurity Practice (HICP), followed by strategies to scale HICP to small organizations in the second article. Finally, in the third article, we looked at the first practice in HICP, i.e., email protection.
The second practice in HICP is endpoint protection. Vulnerable desktops, laptops, cell phones, and computers-on-wheels are everywhere, and they often get stolen or attacked to launch ransomware or steal sensitive data.
Software vendors have provided tools to help with these tasks, usually targeting enterprise or health system environments. Mobile Device Management (MDM) and small organizations are not typically written in the same sentence. But in 2022, it is a real option.
Before we dive in, let’s look at the HICP practice requirements, followed by several products that can meet these requirements, closing with a look at the potential costs for small organizations.
Looking at HICP practice requirements
HICP includes six security controls as basic endpoint protections. They are related to the local admin account on the computer, patch management, antivirus, disk encryption, firewall, and multi-factor authentication.
Removing the local admin account is critical because it has permission to install/uninstall software or change system settings. As such, threat actors are targeting these accounts.
Since all software has bugs, patching the software before those bugs are exploited is necessary.
Besides patching, having an antivirus helps detect malicious software that is somehow present on the system. The malware could have arrived through an accidental download, been triggered manually, or spread from an infected host on the network.
When a threat actor manages to steal the device, the disk-encryption feature prevents the attacker from reading the data, preserving privacy.
To minimize network-originated attacks, having a firewall enabled helps block attacks initiated by unauthorized connections from wired or wireless networks.
When accessing remote servers, having multi-factor authentication enabled makes it more difficult for the attacker to abuse your credentials.
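The five of these six controls that live on the device itself can be verified locally. The script below is an added example (not from the article or from HICP) that reads the current state of a Windows 10/11 endpoint with built-in cmdlets and reports any gap; the 30-day patch threshold and the "only the built-in Administrator in the local admin group" expectation are assumptions, and MFA for remote access is enforced on the server side (or by a VPN) and so is not checked here.

```powershell
# Added example: read-only HICP endpoint control check for a Windows 10/11 device.
# Run in an elevated PowerShell session. Uses the built-in LocalAccounts, Defender,
# BitLocker and NetSecurity modules. MFA (control 6) is server-side and not checked.
$results  = [ordered]@{}
$findings = @()

# 1. Local admin: list every member of the local Administrators group.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$results['LocalAdmins'] = $admins -join ', '
# Assumption: anything beyond the built-in Administrator account is a finding.
$extra = $admins | Where-Object { $_ -notmatch '\\Administrator$' }
if ($extra) { $findings += "Extra local admin member(s): $($extra -join ', ')" }

# 2. Patch management: days since the most recent update recorded by Get-HotFix.
$lastPatch = Get-HotFix | Where-Object InstalledOn |
             Sort-Object InstalledOn -Descending | Select-Object -First 1
$days = if ($lastPatch) { (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days } else { $null }
$results['DaysSinceLastPatch'] = $days
if ($null -eq $days -or $days -gt 30) { $findings += 'No update installed in the last 30 days (assumed threshold)' }

# 3. Antivirus: Microsoft Defender engine, real-time protection and signature age.
$mp = Get-MpComputerStatus
$results['AntivirusEnabled']   = $mp.AntivirusEnabled
$results['RealTimeProtection'] = $mp.RealTimeProtectionEnabled
$results['SignatureAgeDays']   = $mp.AntivirusSignatureAge
if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    $findings += 'Defender antivirus or real-time protection is off'
}

# 4. Disk encryption: BitLocker protection status of the OS volume (desired: On).
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results['BitLockerProtection'] = $osVol.ProtectionStatus
if ($osVol.ProtectionStatus -ne 'On') { $findings += "BitLocker protection is $($osVol.ProtectionStatus) on $env:SystemDrive" }

# 5. Firewall: the Domain, Private and Public profiles should all be enabled.
$off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | Select-Object -ExpandProperty Name
$results['FirewallProfilesOff'] = $off -join ', '
if ($off) { $findings += "Firewall disabled for profile(s): $($off -join ', ')" }

[pscustomobject]$results | Format-List
if ($findings) { Write-Warning ("HICP gaps:`n - " + ($findings -join "`n - ")) }
else           { Write-Host 'All locally verifiable HICP endpoint controls are in place.' }
```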
Looking at Tools and Endpoints
We could use three categories of tools to address these six controls above: device management, endpoint detection and response (EDR), and authentication.
Another important consideration is the endpoints mix. For example, do we have Mac, Windows, or both? The idea is that we want to have the right tool, but consolidate tools to a minimum to minimize cost, risk, staff skillset, and maintenance tasks.
The proposed tools and endpoints mix is summarized in this table:
Looking at Microsoft Intune
Microsoft Intune is a cloud-based Mobile Device Management (MDM) and Mobile Application Management (MAM) system.
Intune supports company-owned vs. employee-owned (BYOD) scenarios. With a company-owned device, you would perform device management (MDM). Whereas with a BYOD scenario, you would protect the applications (MAM) related to your business.
With Intune, you can manage Android, iOS/iPad, macOS, and Windows devices. Essentially you would enroll the device that you want to manage into Intune. Once enrolled, you can manage these devices by deploying various policies and Configuration Service Providers (CSP).
Of the six HICP requirements, Intune can address 3 of them: removing local admin, setting Windows updates for patch management, and enabling disk encryption.
Removing local admin
Removing a local admin account is achieved through the LocalUsersAndGroups CSP, with “U” (update) as the “group action” and the user you want to remove specified under “remove member”. This CSP plays the role a Group Policy Object (GPO) plays in a traditional desktop environment. The payload has this shape:
    <GroupConfiguration>
        <accessgroup desc = "">
            <group action = ""/>
            <add member = ""/>
            <remove member = ""/>
        </accessgroup>
    </GroupConfiguration>
Updating the operating system and apps through Intune:
Enabling the disk encryption tool (BitLocker) from Intune:
Looking at Microsoft Defender For Business (MDB)
Microsoft Defender For Business is a new security offering aimed at small-medium organizations. It brings enterprise-grade endpoint protection features to small-medium businesses with up to 300 employees. It is currently in preview.
MDB brings the following capabilities for endpoint protection: antispam, antimalware, antivirus, attack surface reduction, endpoint detection and response, automated investigation and response, and threat & vulnerability management. That’s a lot!
Let’s look specifically at features covered by HICP: antivirus and firewall.
Previously Microsoft had enterprise offerings called Microsoft Defender for Endpoint Plan 1 and Plan 2.
With MDB, Microsoft brings award-winning enterprise-grade antivirus to small-medium organizations. Below is the comparison between MDB, Plan 1, and Plan 2.
Looking at Mosyle
For managing Apple devices (iPad, macOS, TV), Mosyle offers 3 products:
- Business FREE (up to 30 devices)
  - Device management
  - App management
- Business PREMIUM (no device limit, minimum 30 devices)
  - same scope as the FREE version
  - Device management
  - App management
  - Identity management
  - Endpoint security
Mosyle’s website is light on documentation, but from what they advertise, it covers most of what HICP is asking for: software updates, disk encryption through FileVault, local user management, and antivirus.
There is another solution in the market called Jamf, which is geared more towards enterprise environments with hundreds/thousands of endpoints.
Looking at Cisco Duo
The last point from HICP is using MFA to access the remote server. Surprisingly, the answer is somewhat complicated for small-medium organizations on this one.
While not explicitly stated, the HICP document describes a scenario where a user needs to access a remote endpoint device (server). This server needs to authenticate the incoming user with multi-factor authentication. For example, you are at home and need to log in to a Windows server that hosts your EHR application. In this case, the Windows server should initiate an MFA challenge before it lets you in.
I initially expected that I should be able to register a Windows device to Azure Active Directory and be prompted for MFA authentication upon connecting via RDP, but it’s not that simple.
The affordable and simple answer comes from Cisco Duo Free. Essentially, we replace the operating system’s default authentication module with Duo’s. As a result, Duo will prompt you for MFA upon connecting to the server.
If replacing the authentication module is not an option, then we should use a compensating control by placing this server behind a VPN that enforces MFA authentication.
Looking at the cost for an FTE physician with 3 support staff
Projected cost so far:
Endpoint protection is essential during the pandemic and beyond. As innovations are focusing on ambulatory and outpatient care delivery models, endpoint protection becomes a business enabler.
Endpoint protection tools are now becoming affordable for small organizations in 2022. For example, Microsoft has released mobile device management and endpoint security tools for Windows endpoints, included at no additional cost with Microsoft 365 Business Premium. For Mac endpoints, Mosyle FUSE offers similar tools at $36/device/year.
These numbers are well within reach for small organizations, and leaders should incorporate endpoint protection in their strategic plan.