Healthcare security leaders face many challenges, but one of the trickiest is cyber-protecting medical devices. Unprotected medical devices lead to more occurrences of data breaches and increase the risk to patient safety. With the growing cyber-threat on hospitals, it isn’t a question of whether or not these devices need better protection, it’s instead a matter of how security teams can successfully plan and execute protection strategies for their medical devices as quickly and effectively as possible.
Building a dedicated layer of defense
To protect the medical device network environment efficiently and safely, security teams must build a dedicated layer of defense that addresses the most urgent cyber-risks. This must be a careful and thoughtful process that adheres to the specific clinical requirements and constraints of the healthcare environment.
We’ve put together a blog series on how security teams in the medical space can work together with clinical engineering to mitigate the many risks associated with connected devices, and where to start.
Key Takeaways
In this three-part series we’ll discuss:
- Gaining visibility into your connected medical devices and the context of their network behavior.
- Properly identifying, assessing and scoring the cyber-risks of medical devices on your network.
- Working with limited resources while still building a solid foundation that will enable effective cyber-risk mitigation strategies.
Part 1
Of the many challenges healthcare security leaders face, medical device cybersecurity is one of the trickiest. Given their inherent vulnerabilities and the potential risk to patient safety, it isn’t a question of whether they need better protection, it’s a question of how to achieve it. Hospitals have always been driven by clinical considerations when acquiring medical devices, and cybersecurity is only just beginning to become part of the procurement decision process. Furthermore, if you try to retrofit traditional IT security on the installed base of medical devices to mitigate their high exposure to threats, you get limited results and even risk interfering with clinical operations.
To protect the connected medical device network environment efficiently and safely, healthcare security teams need to build a dedicated layer of defense that addresses the cyber-risks. This process needs to be handled carefully, paying special attention to the specific clinical requirements and constraints of the healthcare environment.
Building this new cybersecurity layer for medical devices should be treated as a marathon, not a sprint. It is a multi-staged, ongoing process. Even if the resources for this goal are limited, it is important to start early in building a solid foundation that will enable you to implement effective risk mitigation strategies in the future.
This blog series provides a framework for mitigating the cyber-risks of connected medical devices by breaking down the process into its essential building blocks.
Medical Device Visibility
Medical devices are seen as black boxes on the network, or not seen at all.
A common situation in healthcare organizations is that the security teams do not have visibility into the connected medical devices. They don’t know how many devices are connected, what types of devices they are, who they’re connected to, and whether their network behavior is normal and expected for these types of devices.
To properly assess and mitigate the risk of medical devices on your network, you first need to be able to see them, understand what their function is, and know how they should be communicating over the network.
Discovery & Classification
Different organizations may have different levels of visibility into their connected medical devices, but based on our discussions with healthcare CISOs, this is one of the areas that needs to be improved most urgently.
Security teams need to be able to see all the medical devices connected on their IT network.
Medical devices have traditionally been under the responsibility of clinical engineering, and while organizations are now shifting the responsibility for medical device connectivity to IT departments, the information regarding the medical assets can’t always be accessed easily by security teams.
The first step security teams need to take before addressing medical device cyber-risks is to create a data-rich inventory of the medical devices connected on the network.
There are several things that need to be considered when creating a detailed inventory of your connected medical devices.
- Active network scanning can disrupt the operation of medical devices – it is important to stick to passive discovery methods such as analyzing traffic from a switch TAP or mirror port.
- Network discovery tools that are designed for discovering IT systems won’t recognize medical devices.
- Building an inventory of the medical devices can be a gradual process because of the large number of devices and device types.
- This is not a one-time activity, but rather an ongoing one, because devices will be added to, replaced on and removed from the network.
Aim to build a database of the various attributes for each device including the IP address, device type, department where it is located, the device brand and model, its operating system version and application software version, and the version of its latest security patch. The more information you can get on each device, the better, especially with the data that will help you determine vulnerabilities at a later stage of this process.
Network Mapping
Once you have started building a data-rich inventory of your connected medical devices, the next step is to examine which other systems each device is communicating with. This is an important precursor for risk analysis because understanding the nature of a device’s network connections lets you determine how exposed it is to external and internal threats.
Here are the basic things you need to know for each connection to a medical device:
- Which other systems is the device communicating with?
- Are the device’s communications confined to the hospital IT network, or are there communications to external locations via the Internet?
- Are the external communications known and expected for this type of device?
- Are there unnecessary links between medical devices and other systems within, or outside, the hospital network due to network misconfigurations?
- Are the device’s internal communications isolated within VLANs?
- Are the device’s external communications isolated within VPN tunnels?
This mapping of the medical device network ecosystem will help you understand the likelihood of a cyber-attack on the device when you start assessing the cyber-risks. But before that, there is an extra step you should take to get a better understanding of the devices’ network behavior patterns.
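The inventory attributes and the connection questions above can be turned into a first automated pass over passively collected flow records. The following is an added example, not code from the original post or from Cynerio: it assumes a constructed inventory, a constructed expected-peer list agreed with clinical engineering, an assumed internal address range, and constructed flow summaries of the kind a collector on a mirror port would produce, and it flags connections that are external, unexpected, or come from a device not yet in the inventory.

```python
import ipaddress

# Constructed sample inventory (device attributes collected so far); not real data.
INVENTORY = {
    "10.20.1.15": {"type": "infusion_pump", "dept": "ICU", "model": "ExampleCo PumpX"},
    "10.20.1.22": {"type": "patient_monitor", "dept": "ICU", "model": "ExampleCo MonY"},
}
# Hospital-internal address space (assumed); anything outside it counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Peers each device type is expected to talk to, agreed with clinical engineering (constructed).
EXPECTED_PEERS = {
    "infusion_pump": {"10.20.5.10"},    # pump server / drug library
    "patient_monitor": {"10.20.5.20"},  # central monitoring station
}
# Constructed flow summaries as a collector on a mirror port might emit: (src, dst, dst_port).
FLOWS = [
    ("10.20.1.15", "10.20.5.10", 443),
    ("10.20.1.15", "203.0.113.7", 443),  # outbound to the Internet: expected for a pump?
    ("10.20.1.22", "10.20.5.20", 2575),
    ("10.20.1.22", "10.30.9.4", 445),    # lateral link to an unrelated internal host
    ("10.20.1.90", "10.20.5.20", 2575),  # talker not yet in the inventory
]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def classify_flow(src: str, dst: str) -> str:
    """Label one device-originated flow against the inventory and the expected-peer map."""
    device = INVENTORY.get(src)
    if device is None:
        return "unknown_device"  # candidate for the next discovery pass
    if dst in EXPECTED_PEERS.get(device["type"], set()):
        return "expected"
    return "unexpected_internal" if is_internal(dst) else "unexpected_external"

def review_findings(flows):
    """Return the connections that need a human look, most exposed first."""
    severity = {"unexpected_external": 0, "unexpected_internal": 1, "unknown_device": 2}
    hits = []
    for src, dst, port in flows:
        label = classify_flow(src, dst)
        if label in severity:
            hits.append((severity[label], src, dst, port, label))
    return [h[1:] for h in sorted(hits)]

if __name__ == "__main__":
    for finding in review_findings(FLOWS):
        print(finding)
```

Each "unknown_device" hit is a prompt to extend the inventory, which is why the pass is rerun as devices are added and replaced.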
Clinical Context
Security teams need to be able to distinguish between dataflows you would find on any connected digital system and dataflows that are part of a clinical workflow.
Being able to recognize a device’s communications as part of the clinical workflow will enable you to accurately assess the impact of a potential cyber-attack on a device and will also help you predict the effectiveness and risk of different mitigation measures. Security teams and clinical engineering need to start working together to build this knowledgebase for their clinical network environment.
Here is basic information that security teams need to start collecting for the connected medical devices:
| Information Required | Reason |
| --- | --- |
| Which connections to and from the devices are for clinical data transfers and which are non-clinical communications? | Mapping the clinical workflow ecosystem will let you avoid interference with critical dataflows and will make it possible to recognize suspicious anomalies in clinical workflows. |
| Does the device transfer or store Protected Health Information (PHI)? | Devices with PHI are more likely to be targeted by cybercriminals seeking to steal or encrypt valuable information. |
| Does the device connect to patients directly, such as infusion pumps and pacemakers, or indirectly, such as patient monitors? | This information will help accurately classify devices based on their risk to patient safety. |
The activities covered in this post represent the first stage in the process of medical device network cybersecurity, which is to gather rich data on the devices, their network connections and their applications.
In Part 2 we will look at a step-by-step process that security teams can follow to leverage this rich data for accurately assessing the cyber-risks of the medical devices.
Robert Bell is a Product Marketing Manager for Cynerio.