Today’s hospitals rely heavily on medical devices to maintain a high level of patient care and safety. With an average of 10-15 medical devices per bed in a U.S. hospital, a 1,000-bed hospital could have up to 15,000 medical devices to manage.
That’s a significant challenge for hospital staff when it comes to locating the devices or knowing whether a device is being used or not. In the 24x7x365 fast-paced world that is a typical hospital, having on demand access to life-saving medical equipment is critical.
On top of that, more and more of these devices are network-connected, which adds the further challenge of managing the devices and securing them against cyber attack.
Unfortunately, the existing hospital IT network toolkit isn’t equipped to deal with clinical network security, and with hospitals increasingly under attack, reputation, finances, and patient safety are all at risk.
Look beyond standard asset inventory
Having an accurate inventory of all your connected medical, IoMT and IoT devices can help, but it’s not enough. You’ll also want to consider:
- Device availability requirements, criticality to patient safety, and PHI confidentiality. The FDA medical device classification and the JCAHO equipment function can help determine these.
- Device vulnerability posture, and its impact on availability, patient safety, and PHI confidentiality. These exposures arise from vulnerabilities in COTS software (the operating system and third-party components on the device) or from medical-specific vulnerabilities published in ICSMA advisories.
- Device compliance posture, for example whether it is running outdated or unsupported software.
- Risk scoring and management capabilities with the ability to automate guidance, so you don’t have to source that kind of expertise in your staff.
- Usage patterns and suitable maintenance windows, since a device in clinical use cannot be taken down to patch or reconfigure it.
None of that specifically addresses the elephant in the room – your hospital’s cyber security hygiene. Many hospitals are already leveraging some form of cyber security, whether firewalls, vulnerability scanners, or a managed security service.
Yet, healthcare remains the most targeted industry sector in the United States. According to the 2021 Horizon Report on the State of Cybersecurity in Healthcare, healthcare accounts for 79% of all reported breaches.
Clearly, traditional cyber security solutions aren’t robust enough to prevent the increase in attacks. While segmenting your network to protect your most critical devices can minimize disruptions to hospital operations, it’s a difficult and time-consuming process to get proper segmentation in place.
Risk Management for Connected Devices
There are numerous factors that lead to a medical, IoT or IoMT device being vulnerable to a cyber attack, including:
- Outdated or unpatched software – patches for medical devices typically have to be validated by the vendor first, so devices can run for long periods with known vulnerabilities
- Insecure protocols – devices may rely on protocols with weak or no authentication and authorization, often in cleartext
- Lack of built-in security controls – devices may not support antivirus or endpoint protection agents
- Lack of centralized management – medical devices running a Windows OS can be left with wormable services exposed (RDP on TCP/3389, SMB on TCP/445) that an attacker can exploit
- The device type – a consumer IoT device such as an Amazon Alexa might capture and send PHI to the cloud in an uncontrolled manner
With all that going on, how can a perimeter-based security model prevent a hacker from gaining access or from moving laterally through the network to get to these devices?
Vulnerability management solutions lack the visibility into, and scope over, medical devices needed to handle these issues either; active scanning can itself disrupt a fragile device. A managed security service might be able to tell if a network breach has occurred, but if ransomware reaches a medical device, it can lie dormant and be nearly impossible to detect.
The issue resides in the approach – protecting a multi-vendor network consisting of different types of connected assets with a traditional cyber security solution isn’t the answer. The perimeter-based security model doesn’t cover cloud-based endpoints or BYOD devices, so it’s not as effective in a hospital environment.
A Layered Approach
Why not consider focusing on the assets or devices themselves rather than the broader network?
A new approach to addressing the security gap is Device-Centric Risk Management (DCRM). DCRM offers a layered approach to cyber security that protects each device, driving remediation and mitigation directly on your medical and IoT assets as well as the broader network.
With DCRM, you prioritize the assets most at risk, and then apply recommended actions to remediate or mitigate the associated risks. For example, you would focus on remediating devices with known credential weaknesses (default or shared passwords) or known exposed RDP ports, and understand the expected risk reduction of each action before you take it.
As you continue to identify and remediate these known issues, the corresponding risk decreases.
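The prioritization loop described above (score each device, rank the fleet, and attach an expected risk reduction to each recommended action) can be made concrete. The following is an added example, not code from CyberMDX or the DCRM product: the finding weights, criticality tiers, and device records are assumptions chosen to illustrate the method, not real scores or real devices.

```python
"""Device-centric risk prioritisation over a constructed medical-device inventory.

Added example, not code from CyberMDX or the DCRM product. The finding
weights, criticality tiers and device records below are assumptions chosen
to illustrate the method.
"""
from dataclasses import dataclass

# Base risk points per finding, plus the action that clears it (assumed values).
FINDINGS = {
    "default_credentials": (8, "rotate credentials, disable vendor default account"),
    "smb_exposed":         (7, "disable SMBv1 and block TCP/445 in the device allow-list"),
    "rdp_exposed":         (6, "block TCP/3389 except from the biomed jump host"),
    "eol_os":              (5, "request vendor upgrade; segment until then"),
    "cleartext_phi":       (4, "restrict peers; require TLS where the vendor supports it"),
}

# Criticality multiplier by clinical function (assumed tiers, loosely following
# FDA device class / patient-safety impact). Handling PHI adds one tier.
CRITICALITY = {"life_support": 4, "therapeutic": 3, "diagnostic": 2, "general_iot": 1}


@dataclass
class Device:
    name: str
    category: str
    handles_phi: bool
    findings: list


def device_risk(dev, findings=None):
    """Risk = sum of finding points x criticality multiplier. Integer on purpose,
    so scores compare exactly and the expected reduction of an action is exact."""
    fs = dev.findings if findings is None else findings
    mult = CRITICALITY[dev.category] + (1 if dev.handles_phi else 0)
    return sum(FINDINGS[f][0] for f in fs) * mult


def recommended_actions(dev):
    """Each open finding with its action and the risk reduction expected if
    that finding alone is remediated, highest reduction first."""
    current = device_risk(dev)
    actions = []
    for f in dev.findings:
        remaining = [x for x in dev.findings if x != f]
        actions.append((f, FINDINGS[f][1], current - device_risk(dev, remaining)))
    return sorted(actions, key=lambda a: a[2], reverse=True)


def prioritize(devices):
    """Devices most at risk first."""
    return sorted(devices, key=device_risk, reverse=True)


def remediation_plan(devices, max_actions):
    """Greedy fleet-wide plan: repeatedly take the single (device, finding) whose
    remediation gives the largest expected reduction, re-scoring after each step."""
    open_findings = {d.name: list(d.findings) for d in devices}
    by_name = {d.name: d for d in devices}
    plan = []
    for _ in range(max_actions):
        best = None
        for name, fs in open_findings.items():
            dev = by_name[name]
            current = device_risk(dev, fs)
            for f in fs:
                reduction = current - device_risk(dev, [x for x in fs if x != f])
                if best is None or reduction > best[2]:
                    best = (name, f, reduction)
        if best is None:  # nothing left to fix
            break
        open_findings[best[0]].remove(best[1])
        plan.append(best)
    return plan


# Constructed inventory (not real devices).
INVENTORY = [
    Device("infusion-pump-07", "therapeutic", True, ["default_credentials", "rdp_exposed"]),
    Device("ct-scanner-02", "diagnostic", True, ["eol_os", "smb_exposed", "rdp_exposed"]),
    Device("ventilator-11", "life_support", False, ["eol_os"]),
    Device("lobby-alexa", "general_iot", True, ["cleartext_phi"]),
]

if __name__ == "__main__":
    for dev in prioritize(INVENTORY):
        print(f"{dev.name:18} risk={device_risk(dev)}")
        for finding, action, reduction in recommended_actions(dev):
            print(f"  -{reduction:>3}  {finding:20} {action}")
    print("plan:", remediation_plan(INVENTORY, 3))
```

Because the model is additive, the greedy plan is equivalent to sorting every open finding by weighted points; the loop is written to re-score after each step so that a non-additive model (for example, one where exposed RDP only counts when default credentials are also present) drops in without changing the callers. The point the text makes survives either way: each action carries a number for the risk it is expected to remove, and the fleet score falls as the findings are closed.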
Of course, you can’t ignore the network aspect here – the devices sit on the network, and therefore, you’ll want to allow only authorized traffic to flow to and from the devices via allow-list policies. You add another layer of protection by restricting certain devices from communicating with one another through block-list policies.
Through these two layers (on-device and on-network), you have essentially built an internal “firewall” around each device. DCRM adds a final layer of protection at the perimeter: you can further prevent unauthorized access by pushing automated, device-specific block-list policies to your next-generation firewalls (NGFWs).
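The on-network layer described above, an allow-list of the traffic each device may initiate plus a block-list that stops devices talking to one another, is shown below as an added example evaluated against constructed flow records. It is not CyberMDX code: the device addresses, destination groups and flows are assumptions, and DICOM on TCP/104 and HL7 MLLP on TCP/2575 appear only because they are the conventional ports for those clinical protocols. The same rules, once verified against real traffic, are what you would push to a NAC or NGFW.

```python
"""Per-device allow-list and block-list policy evaluated against constructed
flow records, as in the on-network layer of a device-centric approach.

Added example, not CyberMDX code. Addressing, device roles, ports and the
sample flows are assumptions made up for illustration.
"""
import ipaddress
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Named destination groups (assumed addressing).
GROUPS = {
    "pacs": ipaddress.ip_network("10.20.1.0/24"),
    "ehr": ipaddress.ip_network("10.20.2.0/24"),
    "ntp": ipaddress.ip_network("10.20.0.53/32"),
    "biomed_jump": ipaddress.ip_network("10.20.9.10/32"),
}
CLINICAL_VLAN = ipaddress.ip_network("10.30.5.0/24")

# Allow-list: per managed device, the only outbound (group, proto, port) tuples
# it may initiate. Anything else from that device is denied by default.
OUTBOUND_ALLOW = {
    "10.30.5.21": {("pacs", "tcp", 104), ("ntp", "udp", 123)},   # ct-scanner-02: DICOM to PACS
    "10.30.5.44": {("ehr", "tcp", 2575), ("ntp", "udp", 123)},   # infusion-pump-07: HL7 MLLP to EHR
}
# Inbound to a managed device: remote management only from the biomed jump host.
INBOUND_ALLOW = {("biomed_jump", "tcp", 3389)}


def is_lateral(flow):
    """Block-list: clinical devices never talk to each other."""
    return (ipaddress.ip_address(flow.src) in CLINICAL_VLAN
            and ipaddress.ip_address(flow.dst) in CLINICAL_VLAN)


def matches(rules, peer, flow):
    """True if peer/proto/port matches any (group, proto, port) rule."""
    addr = ipaddress.ip_address(peer)
    return any(addr in GROUPS[g] and flow.proto == p and flow.dport == port
               for g, p, port in rules)


def evaluate(flow):
    """Return (verdict, reason). The block-list is checked first so that a
    block always wins over an allow rule."""
    if is_lateral(flow):
        return "deny", "block-list: device-to-device lateral traffic"
    if flow.src in OUTBOUND_ALLOW:
        if matches(OUTBOUND_ALLOW[flow.src], flow.dst, flow):
            return "allow", "allow-list: permitted outbound"
        return "deny", "allow-list: outbound destination/port not permitted"
    if flow.dst in OUTBOUND_ALLOW:
        if matches(INBOUND_ALLOW, flow.src, flow):
            return "allow", "allow-list: management from biomed jump host"
        return "deny", "allow-list: inbound not from management host"
    return "deny", "unmanaged endpoint, default deny"


def audit(flows):
    """Evaluate a batch of flows, e.g. exported from a collector."""
    return [(f, *evaluate(f)) for f in flows]


def summarize(flows):
    """Verdict counts for a batch; useful for a before/after segmentation check."""
    return Counter(verdict for _, verdict, _ in audit(flows))


# Constructed flow records (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.30.5.21", "10.20.1.15", "tcp", 104),   # CT -> PACS, DICOM
    Flow("10.30.5.21", "10.20.2.7", "tcp", 2575),   # CT -> EHR, not its job
    Flow("10.30.5.21", "10.30.5.44", "tcp", 445),   # CT -> pump, SMB (lateral)
    Flow("10.20.9.10", "10.30.5.21", "tcp", 3389),  # jump host -> CT, RDP
    Flow("10.30.7.88", "10.30.5.21", "tcp", 3389),  # random workstation -> CT, RDP
    Flow("10.30.5.44", "10.20.2.7", "tcp", 2575),   # pump -> EHR, HL7
    Flow("10.30.5.44", "8.8.8.8", "udp", 53),       # pump -> internet DNS
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src:>12} -> {flow.dst:<12} {flow.proto}/{flow.dport:<5} {reason}")
    print(dict(summarize(SAMPLE_FLOWS)))
```

Run it in audit mode against exported flows before enforcing anything: every "deny" on traffic the device legitimately needs is an allow-list gap that would have broken care, and every "allow" on a flow you did not expect is a rule that is too broad. Only when the audit is clean does the policy go to the NAC or NGFW.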
DCRM can significantly reduce the risk to your network, even if a phishing or ransomware attack breaches the perimeter. By implementing multiple layers of security, the DCRM approach is inherently more robust than focusing security and risk management solely on the network layer.
Bear in mind that there is no silver bullet: the security layers must work together to reduce exploitation of the devices, and while that significantly mitigates the risk, the potential for a breach is always present.
Ultimately, you want a single place to prioritize and take action, with a demonstrable expected risk reduction for each action, and automated workflows that enforce network policy through a NAC or next-generation firewall alongside the on-device actions.
For More Information:
If you want to learn more, below are several sources for your reference.
- Technation webinar – Device-Centric Risk Management (DCRM): 5 Use Cases for Streamlining Vulnerability Remediation and Mitigation
- Brochure – CyberMDX Healthcare Security Suite
- CyberMDX DCRM overview
- Case study – CISO of Metro Health Secures All Devices