Healthcare network security

Leveraging Machine Learning to Automate Medical Device Insights


Machine learning is totally transforming the healthcare industry; from how patient care is delivered, to how laboratory procedures are conducted, to diagnostics, all the way to how information from those processes is actioned, stored, and protected.  This blog post will focus on how machine learning technology is applied to connected medical devices in hospital networks. Specifically, I’ll try to unpack how machine learning helps to keep track of and secure those devices.

Gaining Visibility with Machine Learning

Being able to automatically identify and classify medical devices according to the most pertinent operational and cyber factors is critical to any medical center’s efficiency and security. At the same time, it’s far easier said than done.

With so many different variables interacting in an ever-changing regulatory, protocol, and human behavior ecosystem, rule-based, programmable logic alone is ill-suited to the task. In an effort to avoid a Sisyphean predicament, smart solutions enlist machine learning.

For example, when a medical facility’s network is analyzed, a duly sophisticated solution – leveraging machine learning – can map the lines of communication running between medical devices and other nodes within the network to visualize your connectivity matrix, presenting a simultaneously granular and panoramic perspective. But, seeing what’s going on within your network is (comparatively) easy. It’s understanding what’s going on that’s the bigger challenge.

Without an understanding of “normal” networked device behavior patterns, seeing which MAC/IP addresses are communicating with which other MAC/IP addresses often tells you very little about the nature, legitimacy, and risks of that communication. That's because any given medical device is likely to mix general, industry-specific, and vendor-specific communication protocols and because different devices are required to be interoperable with each other. Making sense of this convoluted picture is where the value of machine learning is really put to the test.

A top-line solution will scrape and interpret metadata from the nodes in your network to quickly and scalably add context to device communications, grouping like assets together for easy micro-segmentation. In addition, by understanding and assigning device categories, baseline behavior can be established, and statistically significant deviations from those baselines can be detected and escalated to the relevant administrator.

Case in Point

If you find what I’ve described until now a little abstract, please allow me to put it into some more concrete terms. At CyberMDX we fuse several proprietary machine learning methods to automatically analyze the behavior of each medical device in a hospital’s network, and then associate each device with a cluster of similar devices. Those clusters represent the device categories and are used to establish behavioral baselines.

Using DPI (Deep Packet Inspection) methods, we automatically analyze the network communications between devices and extract various textual and communication features. Those features are processed using still more machine learning methods. For example, NLP (Natural Language Processing) techniques are used to analyze textual data and extract meaningful attributes.


At this point, each medical device is characterized using all derived information. These characterizations are then processed and analyzed by our smart algorithm to find similarities between medical devices.

For example, we use unsupervised clustering to group medical devices into categories and sub-categories. Then, when a newly deployed medical device is identified, we rely on the nuanced understanding of those clusters’ boundaries and defining characteristics derived from machine learning in order to place the new device appropriately within one of the existing clusters and assign a corresponding category identifier.
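An added illustration of the placement step (example code written for this post, not CyberMDX’s own models): category profiles are built from constructed feature vectors of already-clustered devices, and a newly seen device is assigned to the nearest profile in spread-normalized units, or to "unknown" when it fits none. The feature names, device names and values are hypothetical.

```python
from statistics import mean, pstdev

# Feature order for every vector below (hypothetical DPI/NLP-derived attributes):
# share of DICOM flows, share of HL7 flows, distinct peers per day, MB per day.
FEATURES = ("dicom_share", "hl7_share", "peers", "mb_per_day")

# Constructed devices whose category is already known from clustering.
KNOWN = {
    "ct-01":      ("imaging", (0.95, 0.00, 3, 4200)),
    "mri-02":     ("imaging", (0.90, 0.02, 4, 6100)),
    "xray-03":    ("imaging", (0.88, 0.00, 2, 1800)),
    "monitor-11": ("patient-monitor", (0.00, 0.85, 12, 35)),
    "monitor-12": ("patient-monitor", (0.00, 0.90, 14, 40)),
    "monitor-13": ("patient-monitor", (0.00, 0.80, 11, 30)),
}

def build_profiles(known):
    """Per category, the mean and spread of each feature: the cluster's centre and
    boundary. Spread is floored at 5% of the feature's overall range so a feature
    that is constant inside one cluster cannot produce enormous distances."""
    cols = list(zip(*(vec for _, vec in known.values())))
    floors = [0.05 * (max(c) - min(c)) for c in cols]
    groups = {}
    for cat, vec in known.values():
        groups.setdefault(cat, []).append(vec)
    profiles = {}
    for cat, vecs in groups.items():
        profiles[cat] = [(mean(c), max(pstdev(c), f))
                         for c, f in zip(zip(*vecs), floors)]
    return profiles

def distance(vec, profile):
    """Euclidean distance in spread units, so MB/day does not swamp the shares."""
    return sum(((x - m) / s) ** 2 for x, (m, s) in zip(vec, profile)) ** 0.5

def assign_category(vec, profiles, max_distance=6.0):
    """Nearest category, or 'unknown' when the device fits no known cluster
    (that case should go to an analyst rather than be forced into a group)."""
    best = min(profiles, key=lambda cat: distance(vec, profiles[cat]))
    d = distance(vec, profiles[best])
    return (best if d <= max_distance else "unknown"), round(d, 2)

if __name__ == "__main__":
    profiles = build_profiles(KNOWN)
    new_devices = {"ct-new": (0.92, 0.00, 3, 3900), "ws-new": (0.00, 0.50, 40, 900)}
    for dev, vec in new_devices.items():
        print(dev, assign_category(vec, profiles))
```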

What we get by leveraging machine learning is a way to be methodical and scalable in our applied intelligence without being rigid. This is industrial computing power with a degree of conceptual dynamism and fluidity that can only be achieved with an army of human minds or machine learning. That’s exactly why this type of technology is so perfect for securing a complex and opaque digital network. Accordingly, the particular metrics used (and the prominence with which they’re weighed) to spot and slot devices can change depending on the device and the network dynamics.

We also use graph models to represent relationships between individual devices and groups of devices. By analyzing the lay of the graph, we can identify peer groups and more clearly delineate anomalous behaviors that might indicate security breaches. One such graph is shown below.


The two yellow clusters (lower-right) are identified as a single broad category of medical devices, divided into two sub-categories (peer groups). The two gray clusters (upper-right) are also identified as a single broad category divided into two distinct sub-categories. The small gray grouping shown on the lower-left corner represents another category of devices, containing a much smaller number of individual devices. The cluster made up predominantly (but not exclusively) of pink represents a fourth category of medical devices. The gray devices entangled with the pink cluster (middle-left) are new medical devices that were associated with the pink cluster after being processed by our machine learning models.

Checking the computer’s work, so to speak, by manually assessing the category and sub-category of each medical device, we found the clustering and prediction of new devices to be highly accurate.

The analyzed behavior of each device is also used for unsupervised anomaly detection. We compare the communication behavior of each device to its historical norms, as well as to the behavior – both current and historical – of its peer group. This allows us to detect deviations from the expected behavior in real time, and to alert relevant administrators when such deviations occur.

For example, if a blood pressure device falls victim to a cyber-attack, its communication behavior will normally change as a result. The relationships between the attacked device and its peer group might also change. These changes register as anomalous deviations that trigger alerts and are reflected in an augmented risk score for the device.
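The detection logic sketched in the last two paragraphs, as an added example (not CyberMDX’s implementation): each device’s current day is scored against its own history and against its peer group’s current behavior, and every significant deviation raises the device’s risk score. Device names, the three counters and all values are constructed; the compromised-looking burst on bp-03 is part of the constructed input.

```python
from statistics import mean, pstdev

FEATURES = ("peers", "flows", "mb")

# Constructed daily counters (hypothetical DPI-derived features): distinct peers
# contacted, flows, MB transferred, for four blood pressure monitors that the
# clustering step placed in one peer group. Seven days of history, then today.
HISTORY = {
    "bp-01": [(3, 120, 2.1), (3, 118, 2.0), (4, 125, 2.2), (3, 121, 2.1), (3, 119, 2.0), (4, 123, 2.2), (3, 120, 2.1)],
    "bp-02": [(4, 131, 2.4), (4, 128, 2.3), (3, 126, 2.2), (4, 130, 2.3), (4, 133, 2.4), (3, 127, 2.2), (4, 129, 2.3)],
    "bp-03": [(3, 115, 2.0), (3, 117, 2.0), (3, 116, 2.0), (4, 121, 2.1), (3, 114, 1.9), (3, 118, 2.0), (3, 116, 2.0)],
    "bp-04": [(3, 119, 2.1), (4, 124, 2.2), (3, 118, 2.0), (3, 120, 2.1), (3, 121, 2.1), (4, 125, 2.2), (3, 119, 2.1)],
}
TODAY = {
    "bp-01": (3, 122, 2.1),
    "bp-02": (4, 130, 2.3),
    "bp-03": (27, 410, 58.0),   # constructed: talks to many new peers, moves far more data
    "bp-04": (3, 117, 2.0),
}

def zscore(value, samples):
    """Standard score with the spread floored at 10% of the mean, so a very
    stable history does not turn a trivial change into a huge z-score."""
    m = mean(samples)
    s = max(pstdev(samples), 0.1 * abs(m), 1e-6)
    return (value - m) / s

def detect_anomalies(history, today, z_threshold=3.0):
    """Per device: the (feature, basis, z) triples that deviate from the device's
    own history or from its peers today, plus a 0-100 risk score (10 per finding)."""
    report = {}
    for dev, current in today.items():
        findings = []
        for i, name in enumerate(FEATURES):
            own_history = [day[i] for day in history[dev]]
            peers_today = [vec[i] for d, vec in today.items() if d != dev]
            for basis, samples in (("history", own_history), ("peer-group", peers_today)):
                z = zscore(current[i], samples)
                if abs(z) >= z_threshold:
                    findings.append((name, basis, round(z, 1)))
        report[dev] = {"findings": findings, "risk": min(100, 10 * len(findings))}
    return report

if __name__ == "__main__":
    for dev, result in detect_anomalies(HISTORY, TODAY).items():
        print(dev, result["risk"], result["findings"])
```

A single anomalous device inflates the peer-group mean and spread for everyone else; with a larger group, or a median-based spread, that pollution shrinks, which is why the peer comparison is paired with each device's own history rather than used alone.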

Leveraging Machine Learning for Deeper Insights & Stronger Security

For decision makers at medical centers intent on improving their cyber posture and closing any outstanding security gaps, the fusion of Deep Packet Inspection and Natural Language Processing, driven by machine learning, offers an approach uniquely capable of meeting that ambition.

Without the ability to automatically recognize, visualize, and sort medical device categories, you’d be hard pressed to properly understand, restrict, and secure network interactions. What’s more, you’ll be slow to detect and respond to network anomalies that may portend cyber incidents (attacks).