Hospitals and the IoT: A Rx for connected device security – and patient safety

Part two in a series by Katherine Gronberg, vice president of government affairs at ForeScout. Part one is “Hospitals and the IoT: When Your MRI Machine is a Welcome Mat (For Hackers).”

In my first piece, I addressed the security challenges of the fast-growing healthcare IoT landscape – especially troubling since patient safety (not just privacy) is now very dependent on the secure, proper functioning of a wide array of connected devices on hospital networks. Despite federal directives concerning medical device security, it remains a significant challenge. This is in part because efforts to mandate security at the design and manufacturing phases simply cannot eliminate all of the vulnerabilities found on any connected device. Methodologies for patching and upgrading devices aren’t a complete solution either, since their quality can vary and the processes themselves can be insecure. A different approach to securing connected devices on hospital networks is needed. Let’s break down the difficulties around protecting connected devices – and how hospitals can overcome them.

From the enterprise perspective, IP-enabled equipment is very difficult to detect on networks. Most existing tools that can detect and identify devices on a network require that an agent (a little piece of software) be installed on the device. However, the vast majority of medical equipment cannot support agents. With no way to identify devices with any specificity – and especially given the transient nature of these devices – one can easily see how, in a hospital, devices are regularly plugged into a network or moved without the authorization or even knowledge of the network security team.

Further, because devices can’t be scanned the same way a desktop or laptop would be – in part because most scans rely on an agent – it can be hard to determine what is going on inside a device. Regardless, active scans often take devices offline or break their warranties, which makes for unhappy medical staff and very unhappy CFOs. Finally, in securing medical devices, hospitals face the question of sheer volume. They must detect, classify, assess and remediate exponentially greater numbers of connected devices than traditional computing equipment, running a more diverse array of device operating systems. And, as noted above, traditional cybersecurity tools really can’t be used to do this.

I don’t want to gloss over the most important point above: the ability to detect and classify medical devices on your network has everything to do with patient safety. It allows you to profile a device (usually in a matter of mere seconds) to understand how that device is behaving versus how it should be behaving. If the device is behaving in an unexpected way, this is an indication of compromise and the hospital should remove it from service until it can be remediated. The ability of hospitals to make a determination of compromise based on a device’s behavioral profile is much more powerful and reliable than relying on a manufacturer or reseller to inform you of a vulnerability and issue guidance for remediation (to the extent that a vulnerability is even discovered, which is often not the case). The difference is critical: only one is within the hospital’s control.

Monitoring device behavior is not a new concept in cybersecurity. It’s one of the fundamental tenets of both the NIST Framework and Center for Internet Security (formerly SANS) Controls. They provide us best practices frameworks with universal applicability. What specifically do they prescribe?

● First, have a way to detect devices on a given network to make sure they are configured properly and are behaving as intended.
● Second, have an automated way to enforce security posture and regulatory compliance policies on devices. Automation is key because given the average number of devices on a network (in a hospital, maybe tens of thousands), manual enforcement of policies is impractical if not impossible.
● Third, make sure your network is properly segmented so that compromised devices can’t wander freely across your networks looking for data to steal and other devices to conscript.
● Fourth, buy tools that can communicate bi-directionally (a.k.a. integration, or “orchestration”) and that work in the cloud so that contextual information learned elsewhere on your network can be applied to your device ecosystem, and vice versa. If you find the Mirai malware on your surveillance cameras, wouldn’t it be great to be able to profile your medical devices for it too? You can.
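The four prescriptions above (detect and classify, compare observed behavior with expected behavior, enforce automatically, share indicators across the network) as an added Python example; this is not code from the article or from any ForeScout product, and the device classes, profiles, hostnames and flow records are constructed for illustration.

```python
from collections import defaultdict

# Hypothetical expected-behaviour profiles per device class: the (destination, port)
# pairs a healthy device of that class is expected to use, and nothing else.
PROFILES = {
    "infusion_pump": {("pump-server.hospital.local", 443)},
    "mri_scanner": {("pacs.hospital.local", 104), ("ris.hospital.local", 443)},
}

# Constructed indicator learned elsewhere on the network (say, on the camera
# segment) and shared with the device checks: the article's "orchestration" step.
KNOWN_BAD_HOSTS = {"198.51.100.7"}

# Constructed sample flow records: (device_id, device_class, dst_host, dst_port)
FLOWS = [
    ("pump-17", "infusion_pump", "pump-server.hospital.local", 443),
    ("mri-02", "mri_scanner", "pacs.hospital.local", 104),
    ("mri-02", "mri_scanner", "ris.hospital.local", 443),
    ("pump-23", "infusion_pump", "pump-server.hospital.local", 443),
    ("pump-23", "infusion_pump", "198.51.100.7", 23),  # outbound to an unknown host
    ("pump-23", "infusion_pump", "10.20.30.40", 445),  # SMB towards another internal device
    ("cam-09", "unknown", "10.20.30.40", 445),  # a device the inventory never classified
]


def assess(flows, profiles, known_bad=KNOWN_BAD_HOSTS):
    """Compare observed flows with the class profile.
    Returns {device_id: (verdict, unexpected_pairs, indicator_hits)}."""
    observed, classes = defaultdict(set), {}
    for dev, cls, dst, port in flows:
        observed[dev].add((dst, port))
        classes[dev] = cls
    results = {}
    for dev, pairs in observed.items():
        hits = sorted({dst for dst, _ in pairs if dst in known_bad})
        if classes[dev] not in profiles:  # no profile: cannot say it behaves as intended
            results[dev] = ("unclassified", sorted(pairs), hits)
            continue
        unexpected = sorted(pairs - profiles[classes[dev]])
        results[dev] = ("quarantine" if unexpected or hits else "ok", unexpected, hits)
    return results


def enforcement_actions(results, vlan="QUARANTINE_VLAN"):
    """Automated enforcement: anything not "ok" leaves the clinical segment."""
    return [f"move {dev} to {vlan}"
            for dev, (verdict, _, _) in sorted(results.items()) if verdict != "ok"]
```

In a real deployment the flow records would come from passive network monitoring (span port or NetFlow) rather than an agent, which is what makes the approach usable on equipment that cannot host one.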

Hospitals have become very adept at protecting ePHI, to a large extent because they have been required to do so for a long time. But the cyber threat for hospitals has grown rapidly in recent years to encompass the even more serious threat of disruption of operations and patient care, thanks to the proliferation of connected devices. This month’s outbreak of the WannaCry ransomware (though it did not target IoT devices) is an eye-opening example of how hospitals’ operations can be brought to a standstill by unpatched Windows machines on their business networks. It foreshadows even greater disruption and potential physical harm – and, with it, legal liabilities and reputational damage – that will come from similar types of attacks on hospitals’ networked physical infrastructure. It should also be said that the capability to disrupt hospital operations on a larger scale has national security implications. No enterprise can afford to wait for manufacturers to make medical devices safe (and we must really ask if such a state is even achievable). But this is true for hospitals in particular because of the sheer volume of networked devices they have, and the high (and growing) level of operational dependency on those devices.

The cyber “worst case” for hospitals looks very different today than it did even two or three years ago. It is no longer only stolen PHI and network downtime – it is targeted disruption and virtual lockout, courtesy of hospitals’ own IoT. It’s in everyone’s interest that hospitals reap the countless benefits of their connected environments, but we must work together to address their substantial downside.

Katherine Gronberg is vice president for government affairs at IoT security company ForeScout Technologies. She is based in Washington, D.C., where she works closely with policy makers and U.S. federal agencies on IoT security initiatives and programs. Prior to joining ForeScout, she was a professor at Georgetown University, teaching classes in cybersecurity and business-government relations. Katherine was formerly a staff member on the Senate Appropriations Committee handling annual appropriations for a wide range of federal agencies.
