This is the first post in a three-part series. It explores how security teams in the medical space can work together with clinical engineering to mitigate the many risks associated with connected devices. Building a dedicated security layer is especially important for medical IoT solutions. To begin building that layer, the first step is to gain visibility into your connected medical devices and the context of their on-network behavior.
Healthcare security leaders face many challenges, but one of the trickiest is cyber-protecting medical devices. Unprotected medical devices lead to more occurrences of data breaches and an increased risk to patient safety. With the growing cyber-threat on hospitals, it isn’t a question of whether or not these devices need better protection; it’s instead a matter of how security teams can successfully plan and execute protection strategies for their medical devices as quickly and effectively as possible.
Building a Dedicated Layer of Defense
To protect medical devices on a network efficiently and safely, security teams must build a dedicated layer of defense that addresses the most urgent cyber-risks. This must be a careful and thoughtful process that adheres to the specific clinical requirements of the initiative and the overall constraints of the healthcare environment.
We’ve put together a series of articles on how security teams in the medical space can work together with clinical engineering to mitigate the many risks associated with connected devices. This blog series provides a framework for mitigating the cyber-risks of connected medical devices by breaking down the process into its essential building blocks. It aims to provide decision makers with a place to start.
In this three-part series, we’ll discuss:
- Gaining visibility into your connected medical devices and the context of their network behavior.
- Properly identifying, assessing and scoring the cyber-risks of medical devices on your network.
- Working with limited resources while still building a solid foundation that will enable effective cyber-risk mitigation strategies.
Making On-Network Devices Visible
Of the many challenges healthcare security leaders face, medical device cybersecurity is one of the trickiest. Hospitals have always been driven by clinical considerations when acquiring medical devices. Cybersecurity is only just beginning to become part of the procurement decision process. Furthermore, if you try to retrofit traditional IT security on the installed base of medical devices to mitigate their high exposure to threats, you get limited results and risk interfering with clinical operations.
To protect the connected medical device network environment efficiently and safely, healthcare security teams need to build a dedicated layer of defense that addresses the cyber-risks. This process needs to be handled carefully, paying special attention to the specific clinical requirements and constraints of the healthcare environment.
Building this new cybersecurity layer for medical devices should be treated as a marathon, not a sprint. It’s a multi-staged, ongoing process. Even if the resources for this goal are limited, it’s important to start early in building a solid foundation to implement effective risk mitigation strategies in the future.
Medical Device Visibility
Medical devices are seen as black boxes on the network, or they’re not seen at all.
A common situation in healthcare organizations is for the security teams to not have visibility into the connected medical devices. They don’t know how many devices are connected, what types of devices they are, who they’re connected to, and whether their network behavior is normal and expected for these types of devices.
To properly assess and mitigate the risk of medical devices on your network, you first need to be able to see them, understand what their function is, and know how they should be communicating over the network.
Discovery and Classification
Different organizations may have different levels of visibility into their connected medical devices, but based on our discussions with healthcare CISOs, this is one of the areas that needs to be improved most urgently.
Security teams need to be able to see all the medical devices connected on their IT network.
Medical devices have traditionally been under the responsibility of clinical engineering. While organizations are now shifting the responsibility for medical device connectivity to IT departments, the information regarding the medical assets can’t always be accessed easily by security teams.
The first step security teams need to take, before addressing medical device cyber-risks, is to create a data-rich inventory of the medical devices connected on the network.
There are several things that need to be considered when creating a detailed inventory of your connected medical devices.
- Active network scanning can disrupt the operation of medical devices. It is important to stick to passive discovery methods, such as analyzing traffic from a switch TAP or mirror port.
- Network discovery tools that are designed for discovering IT systems won’t recognize medical devices.
- Building an inventory of the medical devices can be a gradual process because of the large number of devices and device types.
- This is not a one-time activity but a continuous one, because devices will be added, replaced and removed from the network.
Aim to build a database of the various attributes for each device, including the IP address, device type, department where it’s located, the device brand and model, its operating system version and application software version, and the version of its latest security patch. The more information you can get on each device, the better, especially with the data that will help you determine vulnerabilities at a later stage of this process.
Once you have started building a data-rich inventory of your connected medical devices, the next step is to examine which other systems each device is communicating with. This is an important precursor for risk analysis because understanding the nature of a device’s network connections lets you determine how exposed the network is to external and internal threats.
Here are the basic things you need to know for each connection to a medical device:
- What are the other systems the device is communicating with?
- Are the device’s communications within the hospital IT network, or are they going to external locations via the Internet?
- Are the external communications known and expected for this type of device?
- Are there unnecessary links between medical devices and other systems, within or outside the hospital network, due to network misconfigurations?
- Are the device’s internal communications isolated within VLANs?
- Are the device’s external communications isolated within VPN tunnels?
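As an added illustration (not code from the original post), the sketch below answers the peer, internal-versus-external, expected-destination and VLAN questions from passively collected flow records joined to the device inventory. The addresses, VLAN numbers, device types and the per-type list of expected external destinations are all constructed assumptions; VPN isolation cannot be judged from flow tuples alone and is not covered.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: device IP -> attributes gathered during discovery.
INVENTORY = {
    "10.20.1.15": {"type": "infusion_pump", "vlan": 120},
    "10.20.1.40": {"type": "patient_monitor", "vlan": 120},
    "10.20.5.7": {"type": "pacs_server", "vlan": 150},
}
# Assumed allowlist: external destinations known and expected per device type.
EXPECTED_EXTERNAL = {"infusion_pump": {"203.0.113.10"}}
# Assumed address space of the hospital IT network.
HOSPITAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed flow records (src, dst, dst_port), as summarised from a
# switch TAP or mirror port; no active scanning is involved.
FLOWS = [
    ("10.20.1.15", "10.20.5.7", 443),
    ("10.20.1.15", "203.0.113.10", 443),
    ("10.20.1.40", "198.51.100.23", 8080),
    ("10.20.1.40", "10.20.1.15", 22),
    ("10.20.1.40", "10.20.9.99", 445),
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSPITAL_NETS)

def classify_flow(src, dst):
    """Label one connection according to the checklist questions."""
    dev = INVENTORY.get(src)
    if dev is None:
        return "source-not-in-inventory"  # discovery gap, not a verdict
    if not is_internal(dst):
        expected = EXPECTED_EXTERNAL.get(dev["type"], set())
        return "external-expected" if dst in expected else "external-unexpected"
    peer = INVENTORY.get(dst)
    if peer is None:
        return "internal-unknown-peer"  # peer still missing from inventory
    same = peer["vlan"] == dev["vlan"]
    return "internal-same-vlan" if same else "internal-cross-vlan"

def map_connections(flows):
    """Group labelled connections per source device."""
    report = defaultdict(list)
    for src, dst, port in flows:
        report[src].append((dst, port, classify_flow(src, dst)))
    return dict(report)

if __name__ == "__main__":
    for device, conns in map_connections(FLOWS).items():
        print(device, conns)
```

The labels are review prompts for security and clinical engineering, not verdicts: a cross-VLAN or unknown-peer connection may be a legitimate clinical data path that simply has not been documented yet.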
This mapping of the medical device network ecosystem will help you understand the likelihood of a cyber-attack on the device when you start assessing the cyber-risks associated with that network of devices. But before that, there’s an extra step you should take to get a better understanding of the devices’ network behavior patterns.
Security teams need to be able to distinguish between data flow you would find on any connected digital system and data flow that’s part of a clinical workflow.
Being able to recognize a device’s communications as part of the clinical workflow will enable you to accurately assess the impact of a potential cyber-attack on a device, and it’ll also help you predict the effectiveness and risk of different mitigation measures. Security teams and clinical engineering need to start working together to build this knowledge base for their clinical network environment.
Here is some basic information that security teams need to start collecting for the connected medical devices:
| What to find out | Why it matters |
|---|---|
| Which connections to and from the devices are for clinical data transfers and which are non-clinical communications? | Mapping the clinical workflow ecosystem will let you avoid interference with critical dataflows and will make it possible to recognize suspicious anomalies in clinical workflows. |
| Does the device transfer or store Protected Health Information (PHI)? | Devices with PHI are more likely to be targeted by cybercriminals seeking to steal or encrypt valuable information. |
| Does the device connect to patients directly, such as infusion pumps and pacemakers, or indirectly, such as patient monitors? | This information will help accurately classify devices based on their risk to patient safety. |
The activities covered in this post represent the first stage in the process of medical device network cyber security, which is to gather rich data on the devices, their network connections and their applications.
In Part 2, we will provide a step-by-step process that security teams can follow to leverage this rich data for accurately assessing the cyber-risks of the medical devices.