PCI-DSS is the set of security standards that seeks to extend consistent data protection practices across the credit processing industry. Any organization handling credit card data must comply with PCI-DSS regulations.

PCI-DSS compliance places a major burden on businesses, especially small and medium-sized enterprises. But companies can reduce the cost of compliance by intelligently scoping their credit processing environment.

Segmentation allows IT teams to apply network segmentation to protect credit card data while reducing the need to secure less critical system components.

This blog will introduce network segmentation in PCI-DSS. We will look at how segmentation works and how it contributes to robust financial sector cybersecurity strategies.

What is network segmentation?

Network segmentation separates network resources to control access and enhance security. In the context of PCI-DSS, network segmentation divides the cardholder data environment (CDE) from other system components.

Separating the cardholder data environment from other resources allows businesses to secure cardholder data. This is a major challenge of cybersecurity in finance. With proper segmentation, hackers will struggle to move from off-scope endpoints and apps to the CDE. Data breaches are much less likely.

Segmentation is not a PCI-DSS requirement. It complements other compliance tools such as encryption, access management, and firewall protection. If you have any doubts about core requirements, check out our PCI-DSS compliance checklist for more information.

However, the PCI Security Standards Council (SSC) has issued guidance advising companies to employ segmentation if possible.

As the SSC says, “Effective segmentation can greatly reduce the risk of CDE systems being impacted by security weaknesses or compromises originating from out-of-scope systems.” But it is not a magic bullet. Segmentation must work with other technologies and controls to achieve PCI-DSS compliance.

Understanding PCI DSS network segmentation scope

When discussing network segmentation for PCI-DSS, it’s important to assess the “scope” of controls required.

Scope refers to the extent of protection required to achieve compliance. Establishing PCI-DSS scope is a critical priority before applying segmentation.

Proper scoping provides security teams with the visibility and knowledge needed to locate and defend critical data. Scoping allows you to segment cardholder data from other parts of the network, boosting security and cutting costs.

There are three main categories to think about when carrying out a PCI-DSS assessment.

In-scope assets

Network resources that make direct contact with cardholder information. This includes payment systems, points of sale, credit card databases, communication tools, and even CRM systems. If an app or device holds credit card data, it is “in scope.”

Connected-to assets

These systems connect to in-scope assets but do not hold card data themselves. They may not require segmentation but must be tightly secured as part of the CDE.

Out-of-scope assets

Anything without access to the cardholder data environment is defined as “out of scope” and does not require the same level of protection.

The PCI-DSS regulations state that “even if the out-of-scope system component was compromised, it could not impact the security of the CDE.” This is a good way of approaching the scoping task.

If system components provide attackers with indirect access to cardholder data, it qualifies as in-scope. If not, you can relegate it to a lower priority level and concentrate resources where they matter most.

“Flat” networks where system components are connected to a single network switch are an important exception. In these cases, the entire network is categorized as in-scope.

In flat network settings, there is no such thing as an out-of-scope system. If an attacker gains access to any node on the network, they can potentially spread to systems handling credit data.

Why scoping matters to network segmentation

PCI-DSS scoping is a crucial first step in the segmentation process. You cannot create segments protecting cardholder data unless you know where that data resides.

Scoping maps data locations and flows. Compliance teams build a picture of how credit card data moves throughout the network, where it is stored, and who requires access. This provides a solid foundation for creating accurate and effective network segments.

Scoping also ensures that the segmentation process covers every asset. Security teams can start from the assumption that everything is in scope. They can then eliminate out-of-scope assets from the CDE and apply precise segmentation for cardholder data.

How to implement network segmentation for PCI DSS?

When carrying out a PCI-DSS assessment, it’s essential to keep one thing in mind: segmentation is not a substitute for comprehensive cybersecurity controls and policies. Network segmentation is part of a wider toolkit, not a solution to your compliance worries.

Having said that, PCI-DSS best practices advise that companies segment the cardholder data environment from other network systems. So how should you approach this task?

Network segmentation applies specific security controls to create sub-networks containing critical cardholder data. There are various ways of achieving this, including:

Firewall barriers between the rest of the network and cardholder data

Firewalls regulate network traffic across the CDE perimeter, preventing unauthorized access requests.

Data loss prevention (DLP) solutions

DLP tracks the movement of critical data, and works in tandem with firewall protection. Users cannot move or copy protected data without authorization. Security controls automatically block any unauthorized transfers.

Physical access controls for in-scope devices

Some workplaces may impose physical identity checks between CDE-connected devices and other offices or workstations.

Air gaps

Physical air gaps can also divide cardholder data from other network assets. Companies may choose to use two separate systems for payment processing and general operations.

Identity and access management (IAM) systems and multi-factor authentication (MFA)

Authentication systems require multiple credentials for any login. Secure network zones can require extra credentials before granting access.

Zero Trust controls on user privileges

Network managers should keep the number of users with administrative privileges as low as possible. Cardholder data environment access should only be available for users with appropriate permissions. All user access is seen as illegitimate until proven otherwise.

Continuous activity monitoring

Security teams can automate monitoring to track suspicious behavior. Tracking systems raise alerts when out-of-scope assets request access to a network segment within the CDE.

When you decide how to apply segmentation, the core challenge is determining which assets are in-scope and what lies out-of-scope.

Security teams must interview employees throughout the organization to understand how they use data. Employees can provide invaluable information about where cardholder data resides – knowledge that may not be immediately obvious.

The next step in PCI-DSS compliance is ensuring that network segmentation covers every part of the CDE. Elements to consider include:

• Applications handling cardholder data. This could cover web apps and locally hosted databases.

• Authentication servers and internal firewalls that connect with or defend the CDE. Protecting sensitive authentication data is a critical priority.

• Security services that ensure data security and guard cardholder data. This includes intrusion detection systems, malware scanners, and anti-virus tools.

• Log storage servers and backups. Any audit logs must be properly secured, including connections between active payment databases and historical logs.

• Virtual machines, apps, hypervisors, or virtual routers that store or process cardholder data.

• Network infrastructure such as routers, switches, hardware firewalls, and any other equipment that connects to the CDE.

• Network servers handling cardholder data flows from sites of payment and within the corporate network. This may include web, mail, proxy, and DNS servers.

• Third parties. Any third-party applications or users with access to payment or cardholder data storage systems lie within the CDE.

The critical task when applying PCI-DSS controls is mapping connections. Any endpoint or application that can access cardholder data needs to be secured.

It isn’t always easy to discover connections between system components. But a comprehensive planning process will generate enough information to keep your data breach risk low.

How can NordLayer solutions help?

Network segmentation is a critical part of PCI-DSS compliance. It allows organizations to separate the cardholder data environment from other system components. Attackers seeking access via remote devices or insecure endpoints will find it much harder to extract cardholder data.

NordLayer can help you build a security setup that meets PCI-DSS requirements. Our PCI-DSS compliance solutions make it easy to segment networks to protect cardholder environments. With Nordlayer, you can:

• Create groups of network users and assign different network access privileges to each group.

• Create Virtual Private Gateways for specific groups, resources, or websites.

• Use IP allowlisting with Dedicated IP addresses to allow authorized users and block others.

In the near future, we will also offer Cloud firewall functionality. This will simplify segmenting cloud-based credit processing environments with granular and flexible access controls.

However, network segmentation is not a single solution. Companies must couple PCI-DSS network segmentation with other security tools to be compliant. Nordlayer can help here as well. In addition to segmentation, our tools can help you:

• Install secure remote access solutions to transmit cardholder data safely.

• Set user permissions to block unauthorized access to every network segment.

• Employ quantum-safe cryptography in tunnel encryption to hide your traffic and online activity from users on the open internet.

• Put in place multi-factor authentication for users accessing cardholder data. Ensure only trusted users can handle customer information and keep data breach risks low.

Make PCI-DSS compliance manageable by partnering with an experienced security provider. Get in touch with the NordLayer team to explore smart data security solutions that make damaging data breaches much less likely.

A discussion with Mark Rowland, Co-Founder & Managing Director at Cutec, about how they solved client problems using NordLayer and what to expect for next cybersecurity’s major challenges and possibilities.

Cutec is a Managed Service Provider (MSP) and IT support company from England. Operating in the industry for 25 years, a 20-employee expert team supports a range of small and medium clients across the UK. Whether an organization has a staff of just a few or hundreds of people, Cutec’s role is to consult companies with technical focus and accuracy to fill in the vacancy of an internal IT person for the client.

The consultancy firm fills in the IT management and knowledge gap, which is a recurring issue for many businesses, especially smaller organizations Cutec gets to consult. However, conversing with different clients revealed another concern — there’s no cybersecurity mindset. Mark Rowland, a Co-founder and Managing Director at Cutec, shares his insight on how crucial security awareness is for business continuity. 

Business case: decentralizing single-site infrastructure

The client has been with Cutec for about 6 years — during this time, the company of 30 people expanded to an almost 300-employee organization. And as this financial services provider grew into a country-wide company, it started facing security challenges.

Being contained in one place and managing 20 people is relatively easy. However, the client business model involved advisors spread all over the country. Combine it with rapid growth during a short time and data sensitivity due to the nature of financial services — the need to protect databases, CRM, and phone systems was critical.

The foundational elements for security were there: the client had two-factor authentication, password management, and fixed IP in place. It’s secure enough for 20 people sitting in one office, but not if numbers jump to hundred users in dozen cities — circumstances urged for an extra layer of security.

An increasing number of VPN connections to internal applications started causing connectivity issues and quickly bogged the network. This was the turning point for Cutec to find a better solution for a VPN route that would ensure security.

Close-up on the solution

One of the available options for the client was to get much more powerful broadband for the HQ office, install hardware firewalls, and achieve the wanted level of security for an outrageous expense bill.

Moreover, the solution would bind everything to one location. From a disaster management perspective, it’s not sustainable for business continuity — if the power is cut off, the internet goes down, and all employees get disconnected despite their location.

The alternative was getting a NordLayer subscription. Although it meant paying per user license, it offered what the company needed — a fixed IP address that provided much-needed flexibility and stability.

Choosing NordLayer allowed upgrading and downgrading the number of member accounts as the staff comes and leaves and, most importantly, eliminating the dependence on the HQ office — if the power got cut off, server design allowed carry-on working.

Sorting out the inconvenience of in-house security

Deployment and maintenance of the on-premise solution meant a lot of man-hours. It included a remote connection to a client’s PC and setting up their VPN connection. 

NordLayer, on the other hand, provided a simple solution. The MSP had to connect to the Partner Portal and add the user, so they could complete the setup themselves — click the welcome link to install the VPN.

It’s worth mentioning that the client has no one in-house with the knowledge and expertise on cybersecurity. In this case, Cutec is an advisor and a guide for organizations’ cybersecurity strategy, closely collaborating with a single point of contact on-premise, the Technology Director, to help steer the business away from cyber threats.

Expert insights: take on SMBs security

The client scope Cutec works with is usually small-medium sized businesses without internally dedicated IT staff. Better to say SMBs have little understanding of cybersecurity. There’s a persistent tendency for a slow but inevitable change in the business mindset:

• A now-outdated perspective of ‘antivirus solves all our security problems’ was effective 10–20 years ago — today you have to think outside the box.

• Small-medium enterprises tend to give on-premise servers and migrate to the cloud more often. Core IT support is going to change. It will be more about picking the right cloud solution for people driving the migration to the cloud. Over the next three years, people will drop on-premise stuff and go to the cloud completely, and we’ll be there to help them with that.

• Cloud-edge solutions like NordLayer are going to get more popular over time. Teams work from coffee shops and McDonald’s — they connect to public Wi-Fi and hot spots and must protect their traffic with tools that work well.

A future notion on SMBs from sensitive industries

The cybersecurity landscape changed— now it’s about protecting yourself online. At our company, we notice clients are transitioning to online cloud services. The number of adopted vendors and service providers can be three, five, or a dozen online solutions and tools.

Previously, having a server in the office under lock and key with a firewall allowed us to assume that that was enough to keep the company secure. However, small businesses struggle to comprehend the gravity of cybersecurity.

After Covid, once people started connecting from their home PCs and smartphones, companies without proper security measures risked having their business data on employees’ personal devices.

Larger enterprises and governmental institutions already have an awareness – sometimes forced by insurance companies and bank regulations – of owning some security accreditations to filter down the risks. Meanwhile, small-medium enterprises don’t have this perception, and MSPs like Cutec help them drive in the right direction.

Our biggest challenge is overcoming the big issue of clients thinking that security is finite. Threats are layered and complex — getting an antivirus or a firewall might solve only a small part of the potential risks and gaps for threat actors to exploit. Instead, business owners and their teams must keep up-to-date with a cybersecurity mindset to guarantee business continuity.

Pro cybersecurity tips

Education on cybersecurity is increasing, and it is becoming a common topic of conversation. More and more employees and decision-makers now acknowledge a serious lack of digital security knowledge. To make the learning process easier, it’s better to ask questions and have some starting points. Here’re some pro tips you can begin with:

Explore cybersecurity to broaden your knowledge about threats and solutions for managing them. NordLayer offers layered-by-design network access solutions for all kinds of businesses and their team setups to rise to the challenges of a modern company. And at NordLayer, we care about guidance. Thus, explore our Cybersecurity Learning Center and Decision Maker’s Kit for in-depth support for building your own cybersecurity strategy.

Want to join forces to build a more resilient and aware cybersecurity landscape for businesses and organizations? NordLayer invites Managed Service Providers to seize the opportunity to join our Partner Program — reach out to learn more about it.

Cybersecurity for healthcare organizations involves protecting sensitive patient data from unauthorized access, use, and disclosure. It’s a strategic imperative for every healthcare business, but with the digitization of medical records, sharing sensitive information has become simple and, at the same time, much more exposed to cyber threats.

Cyberattacks often cause serious disruptions to patient care and lead to misdiagnosis and medical errors. Many studies have shown that ransomware attacks affected hospital mortality rates due to the lack of access to patient information. Also, as HIPAA Breach Notification Rule states, sensitive information violations can have serious financial consequences.

What other cybersecurity risks are healthcare organizations facing? And how can you mitigate them? Read on to discover the best practices for healthcare cybersecurity.

Key cyber trends for the healthcare sector

Over 93% of covered entities and business associates faced a breach in the last two years. According to IBM Data Breach Report, in 2022, the healthcare sector suffered the highest costs of data breaches. And although the number of breached records fell from 54.09 million in 2021 to 51 million in 2022, healthcare still remains one of the industries most affected by hackers. The commercial and public health sector is clearly under fire.

Cyber attacks will continue to plague the US health sector, the Healthcare Cybersecurity Report for 2022 states. The criminal ecosystem keeps evolving and adjusting to new security measures. Threat actors will increasingly look for and exploit vulnerabilities in the systems. Also, third-party vendors are more at risk now.

Other long-term trends are seemingly unrelated geopolitical events directly impacting the healthcare industry. Since the beginning of the war, the Russian government has regularly leveraged wipers and DDoS attacks. And the same applies to Russia’s allies, such as China, North Korea, and Iran. 

Cybersecurity challenges for healthcare organizations

Let us examine why the healthcare industry is an attractive target for threat actors. There are 3 main reasons for that trend: 

• Poor risk management

Healthcare organizations deal with connected medical devices (Internet of Medical Things), employees’ devices that don’t have adequate security measures, and several third parties that access Protected Health Information (PHI) and other critical assets. Ensuring adequate cybersecurity solutions that mitigate risk and address vulnerabilities in a legacy system is critical.

• A huge value of PHI on the Dark Web

Stolen patient data can be used for malicious activities like identity theft or healthcare insurance fraud. A single medical record is valued at up to $250 on the black market, and this information is worth about 50 times more than credit card details on the Dark Web.  All this means that patient privacy is at risk of being violated.

• Financial reasons 

It’s a major security risk for the industry. Suffering a ransomware attack, for example, means paying a large amount to the attackers. 

Top 6 cyber threats for healthcare organizations

Threats for the healthcare industry come in many forms, from ransomware to theft of personal information. In 2022, the biggest security breaches in healthcare came from phishing and malware attacks.

• Phishing

Phishing targets individuals by tricking them into disclosing sensitive information, clicking a malicious link, or opening a malicious attachment. The most common telltale sign of a phishing email is that it conveys a sense of urgency or preys on fear or greed. Scammers can also use social media, text messages, and voice calls for phishing. 

• Malware

It’s malicious software installed on a computer without a user’s consent. It can steal passwords or money or perform other malicious actions. Examples of malware include a Trojan horse, spyware, adware, or a virus.

• Ransomware

Ransomware is a form of malware that encrypts files on a user’s device and locks them out until they pay the hacker money to release them. 

• Theft of patient data

Stolen patient medical records may be sold on the dark web and used for insurance fraud or identity theft. Often, data recovery is not possible.

• Insider threats

These risks can come from current or former staff members or contractors and happen intentionally or by negligence. For example, an employee may accidentally click a malicious link in a phishing email or skip security protocols to make their job easier. 

• Hacked IoT devices

Hackers take advantage of vulnerabilities in devices connected by IoT, such as handheld devices, camera sensors, or CT scanners.

Top 6 cyber risks in healthcare

All the facts and statistics mentioned earlier mean one thing: cybersecurity in healthcare is a burning issue. Criminals can disrupt health businesses with malware, ransomware, or phishing. And damage the organization’s reputation and endanger patients’ lives. But apart from that, healthcare organizations are exposed to various cyber risks, such as unprotected access to PHI, human error, vulnerabilities of legacy systems, third-party vendors, and a lack of regular cyber risk audits. 

Risk 1: Unsecured access to PHI

According to new HIPAA encryption requirements, ensuring all sensitive patient data is unreadable, undecipherable, and unusable to any person or software program without access rights is mandatory. For your organization, it means implementing robust security controls that help store Protected Health Information (PHI) safely and protect it from unauthorized access.

Risk 2: Human error

82% of data breaches involved a human element, including social attacks, errors, and misuse.  according to Verizon’s 2022 Data Breach Investigations Report. Understanding how human error affects your organization can help you mitigate risks for the future. Almost one-third of such incidents involved a person abusing their use of internal resources. For example, a doctor shares access to their work-issued device with children, who click on a malicious link and download malware. 

Risk 3: Vulnerabilities of legacy systems 

Outdated technology opens doors for cybercriminals. Legacy devices and operating systems are vulnerable because they can’t update properly. This means inadequate security control and weaknesses in the system can’t be patched. 

However, some healthcare organizations delay transitioning to up-to-date security solutions because of tight budgets or complacency. They choose to fix a problem only after a system failure or a cyber attack. Deploying technology that encrypts data, monitors authorized users, and blocks unauthorized user access can help minimize cyber risks. 

Risk 4: Third-party vendors

The number of business associates that handle sensitive data has grown with the volume of electronic medical records. According to an analysis by Fortified Health Security, third-party vendors accounted for 16% of data breaches in the first half of 2022. 

In 2022, the largest third-party vendor data breach, which affected almost 4 million individuals, happened through a ransomware attack at Eye Care Leaders. The breach impacted at least 39 covered entities, as well. 

Risk 5: Compliance 

Healthcare organizations also face regulatory challenges. Protecting patient privacy according to the latest HIPAA and GDPR rules can be complex. Besides following compliance guidelines, your organization should implement the best cyber security practices. Failure to keep patient records private may result in substantial penalties and harm your reputation. 

Risk 6: The absence of risk assessments

Every healthcare organization should conduct a regular risk assessment to identify vulnerabilities and risks to the confidentiality and integrity of PHI.  The evaluation should determine your organization’s capabilities for detecting, preventing, and responding to cyberattacks. It’s also crucial to know where your sensitive information is, what threats your organization faces, and your system’s vulnerabilities and security holes. And what your action plan in case of an attack is. 

Best practices for healthcare cybersecurity challenges 

This year’s IBM Data Breach Report demonstrates no system is impenetrable. But healthcare cybersecurity is all about basic security measures that stop criminals and make them look for an easier target. What are the best practices for minimizing cyber risks? Here is a list of the strategies worth adopting: 

• Deploy verified cybersecurity software

Install cybersecurity software on every connected device and secure your network. 

• Update your software regularly

Prompt, regular updates will address patches and vulnerabilities.

• Train your staff on cybersecurity

Your employees should be aware of cyber threats and how to detect them. 

• Strengthen your system access controls 

Restrict access to your most sensitive data and monitor who accesses it.

• Conduct regular risk assessments 

Identify weaknesses in your system and mitigate risks. Determine where your sensitive information is and protect access to it.

• Ensure your business associates have strict security policies 

Some business associates have lax policies that can create problems for the healthcare organization they cooperate with. Don’t let stolen vendor credentials or data will compromise your organization. 

Cybersecurity solutions for healthcare organizations

Securing your organization from cyber threats can be overwhelming. Protecting your valuable data and critical equipment is complicated but doesn’t have to be complex. That’s why we have prepared a guide on security solutions tailored to the health industry.  

• Network security

The key to combating any external threats is network visibility and responsive protection. A solution that quickly isolates risks will prevent your network from being exposed. Setting permissions and policies for secure users and apps across multiple devices is also good. This way, you will ensure that only authorized staff will access your confidential data. 

• Application security 

The best way to secure access to your applications is to verify and authenticate every user, device, and connection. This Zero-trust approach enforces mandatory checks at every step and minimizes security gaps. It also enables your staff to work remotely and on multiple devices. 

• Endpoint security

If your devices are left unsecured, they can be a gateway for breaches, and an infected endpoint will affect your organization’s functioning ability. A comprehensive solution for endpoint protection uses data encryption and enforces unified security policies on all servers, networks, and endpoints. It also monitors 24/7 access to your resources, alerting you if there is suspicious activity. 

• Data security

Encrypting sensitive healthcare data can help conceal it from outsiders. MFA will add strength to authentication processes. Permission sets enable managing data access, meaning only authorized users can access it.  Everyone else will be blocked by default until granted the necessary privileges. Before you apply access controls, you need to classify your data accordion to its value and vulnerability. 

• Cloud data security

As healthcare organizations move their assets and data to the cloud, cloud services need robust protection. Cloud providers and businesses should share responsibilities to ensure data security, but this doesn’t mean you will always have a full view of your infrastructure. The provider may move data without you even knowing it. That’s why having a clear division of responsibilities is crucial. Also, you should encrypt everything in the cloud and set strict access permissions. You add IP allowlists to only connect specific IP ranges to your network. 

How NordLayer can help 

You can protect access to your sensitive data and transition your organization towards the SSE framework by implementing our solutions for Zero Trust Network Access.

NordLayer also provides an adaptive network security solution that easily integrates with your existing infrastructure and provides secure access to sensitive resources.

Contact our sales team and discover how to protect your patient data from cyber threats.

Disclaimer: This article has been prepared for general informational purposes and is not legal advice. We hope that you will find the information informative and helpful. However, you should use the information in this article at your own risk and consider seeking advice from a professional counsel licensed in your state or country. The materials presented on this site may not reflect the most current legal developments or the law of the jurisdiction in which you reside. This article may be changed, improved, or updated without notice.