The healthcare industry is continuously on the bleeding edge of innovation, deploying connected healthcare devices that enhance operations and improve the quality of care. With 10-15 connected devices per bed, visibility into and security of these devices is critical for patient safety. The urgency is increasing as healthcare organizations face a surge in cyberattacks such as ransomware. However, unlike conventional IT assets like laptops, many of these devices are agentless and cannot be secured using traditional security solutions. Yet organizations often overlook the protection of medical devices, which are now becoming a target for gaining a foothold in an organization's internal network.
This episode briefly covers the importance of and considerations for securing medical devices in healthcare, the medical device security program, the fundamental requirements before anyone begins, and the important use cases to address.
Healthcare organizations are attempting to improve results and lower costs by embracing digital transformation. To achieve these goals, more connected medical and healthcare devices are being deployed to help gather data, improve operations and enhance the quality and delivery of care. This is a laudable objective from a business perspective, but it creates more opportunities for cybercriminals by expanding the attack surface available to them.
Medical devices go through various approvals (FDA, etc.) before being deployed, are not always designed with security in mind, and many run outdated operating systems that cannot be patched. The first phase is to see exactly what constitutes the attack surface. To protect a healthcare organization, we need to see what connected devices could be targeted, compromised, and leveraged by our adversaries. This means discovering all healthcare devices that are part of that attack surface, and quite often, security teams are unaware of at least some of those devices. Visibility includes not only classifying what the device is at a granular level but also where it is connected and what it is communicating with; these details are critical to locating, patching, or securing these devices. Healthcare organizations need to consider "whole hospital" visibility: visibility not just into medical devices but also into other connected devices that are used for hospital operations. For example, an interconnected HVAC system that is attacked may impact air quality in surgery rooms, while an infected elevator control system could impact the ability to transport patients.

The next step is identifying risks. Understanding the risk to an organization requires understanding what is vulnerable. To fully understand the attack surface and effectively protect it requires visibility and an assessment of risk for each device. This should include clinical risks such as recalls and vulnerabilities, along with the importance of the device. For example, a vulnerability associated with a medical device in the operating room needs to be patched right away, but perhaps a vulnerability for a device used in a research lab is not as high a priority.

The final step is enabling security policies to secure these devices, including segmentation, or network segmentation in particular.
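The prioritization described above (clinical importance of the device, exploitability, exposure, recalls, and whether the device can be patched at all) can be made explicit as a scoring and triage rule. This is an added example, not code from the episode; the weights, field names and sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    device: str
    location: str          # clinical context, e.g. "operating_room" or "research_lab"
    cvss: float            # base severity of the vulnerability
    exploit_public: bool   # a working exploit is publicly known
    exposed: bool          # reachable from outside the device's own segment
    patchable: bool        # vendor patch exists and the OS is still supported
    recalled: bool = False # open recall on the device

# Assumed weights (not from the page) for patient impact by clinical location.
LOCATION_WEIGHT = {"operating_room": 1.0, "icu": 1.0, "ward": 0.7, "research_lab": 0.3}

def risk_score(f: Finding) -> float:
    """Severity scaled by clinical context, then raised for exploitability,
    exposure and recall status; capped at 10 so scores stay comparable."""
    score = f.cvss * LOCATION_WEIGHT.get(f.location, 0.5)
    if f.exploit_public:
        score *= 1.5
    if f.exposed:
        score *= 1.3
    if f.recalled:
        score += 2.0
    return round(min(score, 10.0), 2)

def remediation(f: Finding) -> str:
    """Patch where possible; where the OS cannot be patched, the compensating
    control is segmentation, which is the case for many legacy devices."""
    if not f.patchable:
        return "segment"
    return "patch_now" if risk_score(f) >= 7.0 else "patch_scheduled"

def prioritize(findings):
    """Return (device, score, action) tuples, highest risk first."""
    ranked = [(f.device, risk_score(f), remediation(f)) for f in findings]
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed sample findings: an exposed OR infusion pump on an unpatchable OS
# versus a research-lab analyzer with a high CVSS but no exploit or exposure.
SAMPLE = [
    Finding("lab-analyzer-07", "research_lab", 9.8, False, False, True),
    Finding("or-pump-02", "operating_room", 7.5, True, True, False),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```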
There are several challenges in this area. Firstly, healthcare organizations need to develop pre-purchase standards for devices, document security weaknesses, and work with vendors to address the weaknesses. A cross-functional team that defines security standards and builds them into the procurement process is a good start. This ensures that every new device that is onboarded meets security criteria. Another challenge is having one source of truth: a comprehensive asset inventory for all devices. This requires integrating all discovered devices and consolidating them within the CMMS/CMDB database. There will be some foundational work on asset reconciliation to ensure that the initial set of devices discovered is the same as what is in the CMMS/CMDB. Tracking software vulnerabilities from various sources (internal or external) and prioritizing which ones to remediate in the context of the impacted asset and patient impact, exploitability, exposure, etc. is important. Proactive segmentation for a massive volume of devices that run outdated operating systems is critical. This requires the ability to baseline "normal" communication flows for every set of devices and collaboration with networking teams to ensure segmentation policies are automated and applied across the network infrastructure.
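Baselining "normal" communication flows per device class and turning the baseline into segmentation rules, as described above, can be sketched as follows. This is an added example, not the episode's own tooling; the flow records, hostnames and device classes are constructed for illustration, in the shape a discovery tool might export.

```python
from collections import defaultdict

# Constructed learning-window flows: (src device, device class, dst host, dst port, proto).
BASELINE_FLOWS = [
    ("pump-01", "infusion_pump", "drug-library.hosp.local", 443, "tcp"),
    ("pump-02", "infusion_pump", "drug-library.hosp.local", 443, "tcp"),
    ("pump-02", "infusion_pump", "ntp.hosp.local", 123, "udp"),
    ("ct-01", "ct_scanner", "pacs.hosp.local", 104, "tcp"),   # DICOM to PACS
    ("ct-01", "ct_scanner", "ntp.hosp.local", 123, "udp"),
]

def build_baseline(flows):
    """Per device class, the set of (dst, port, proto) tuples seen during learning.
    Baselining per class, not per device, lets one rule set cover every pump."""
    baseline = defaultdict(set)
    for _src, cls, dst, port, proto in flows:
        baseline[cls].add((dst, port, proto))
    return dict(baseline)

def policy_rules(baseline):
    """Render the baseline as explicit allow rules with a default deny per class,
    which is what a networking team would push as segmentation policy."""
    rules = []
    for cls in sorted(baseline):
        for dst, port, proto in sorted(baseline[cls]):
            rules.append(f"allow {cls} -> {dst}:{port}/{proto}")
        rules.append(f"deny  {cls} -> any")
    return rules

def check_flows(baseline, flows):
    """Flows outside the learned baseline for their class; a class never seen
    during learning has an empty baseline, so all of its flows are reported."""
    return [(src, cls, dst, port, proto)
            for src, cls, dst, port, proto in flows
            if (dst, port, proto) not in baseline.get(cls, set())]

# Constructed post-learning flows: one pump starts talking SMB to a file share,
# which is outside anything an infusion pump was seen doing.
NEW_FLOWS = [
    ("pump-01", "infusion_pump", "drug-library.hosp.local", 443, "tcp"),
    ("pump-03", "infusion_pump", "fileshare.hosp.local", 445, "tcp"),
    ("ct-01", "ct_scanner", "pacs.hosp.local", 104, "tcp"),
]

if __name__ == "__main__":
    bl = build_baseline(BASELINE_FLOWS)
    print("\n".join(policy_rules(bl)))
    print("outside baseline:", check_flows(bl, NEW_FLOWS))
```

Flows reported by check_flows are the ones to review with biomedical engineering before either extending the baseline or treating them as an incident.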
I will finish this episode with my concluding remarks:

- The security of connected medical devices starts with granular details of what the device is, as well as how it is communicating and what it is communicating with.
- "Whole hospital" visibility is critical to ensure we identify all devices and therefore eliminate any blind spots when it comes to risks.
- Full lifecycle vulnerability management includes prioritizing risks based on the organization's business impact and the importance of assets, focusing facilities/estate teams on the devices they are responsible for, and optimizing workflows for patching/remediation.
- When we understand what the device is and what it is doing in the network, we can also gain device utilization insights to optimize operations.
- Segmentation is a critical best practice to mitigate risks.
