Spurred by competition, razor-thin operating margins, and government regulation, healthcare organizations are under immense pressure to quickly and regularly implement new technologies. Unfortunately, this mad rush to adopt new technologies often leaves security planning on the back burner. When security is finally considered, it is typically implemented in the form of inadequate stop-gap and temporary solutions, not to mention soon eclipsed by further tech adoption.
In a fast-paced and highly competitive environment, it is understandable that security considerations could be easily overlooked. However, attackers are not going to give you pass when they see you’ve left your network vulnerable. That's why hospitals must incorporate the principle of “secure by design” into their tech and business planning and adoption – from the outset. That means decision makers need to be thinking about a comprehensive, holistic, and forward-looking cybersecurity plan. This plan must include the adoption of endpoint detection and response (EDR) solutions capable of continuously monitoring your network and rapidly responding to dynamic threat scenarios.
Medical device security in healthcare today
Medical devices are quickly proliferating, and yet the organizational leaders tasked with overseeing their implementation believe that cybersecurity plans are lacking. In a recent webinar hosted by Clearwater Compliance and delivered in partnership with CyberMDX, roughly 80% of participants admitted they don't believe their organization has a comprehensive program for securing their medical devices. That lack of confidence is striking when considering the potential consequences of a compromised medical device.
Data breaches can be extremely costly to healthcare organizations. Once a network is compromised – a growing threat as the number of connected devices in any given network expands – attackers can shut down hospital operations, establish backdoors into the network to steal electronic personal health information (ePHI), or even hijack devices and manipulate functionality. In 2017, for example, the widespread WannaCry ransomware exploited Bayer's Medrad device and allowed attackers to hold critical systems hostage until a ransom was paid. Devices like infusion pumps can also be targeted by malware, granting attackers the ability to alter device operations and potentially risk patient lives.
Given the severity of the possible consequences, it’s critical that healthcare organizations shore up their defenses before implementing new technology, as well as consistently reevaluating the strength of their network defenses. The complexity of healthcare networks – and the connected devices within them – requires continual monitoring and the ability to adapt to evolving threats at a moment's notice. Managing these risks is extremely difficult without the aid of EDR software.
Challenges in Managing Medical Device Risks
Before addressing vulnerabilities in the Internet of Medical Things (IoMT) network, it's critical to understand the key challenges that typically undermine an organization’s cybersecurity measures. By identifying these gaps before building a holistic medical device management policy, they can be filled before they become a problem. Some of the most common cybersecurity challenges facing healthcare organizations include:
- Lack of visibility into inventory: Many organizations maintain hundreds or thousands of connected devices, but oftentimes these devices are not visible in IT and security management systems. Lack of visibility into existing inventory makes risk management virtually impossible.
- Management complexities: Even when organizations do have visibility into their inventory, it's not always clear how to best categorize devices into logical groups for managing risk and implementing controls.
- Failure to patch operating systems: Out-of-date software creates huge vulnerabilities for healthcare organizations. In the case of WannaCry, the exploited vulnerability could have been patched by simply updating the version of Windows running on the targeted machines. The prospect of a being hit by a cyber catastrophe that would have been avoided had you only installed available software updates is particularly hard to countenance. And yet, it is also one of the most common ways that hospitals leave themselves exposed.
- No risk analysis and management: Risk analysis is lacking altogether in many organizations, making an effective response impossible, let alone preventative planning. Even when risk analysis is conducted, many organizations never follow through in remediating known vulnerabilities and smartly reducing the attack surface.
- Insufficient controls: What’s more, most hospitals fail to put the controls in place to ensure a proper and prompt response should something occur. Anti-virus protection, firewalls, NACs and other controls are essential defensive measures to combat threats. Healthcare organizations must invest in network levers to provide granular control over every connected device and strategically configure their security architecture around those controls.
With all these challenges in mind, organizations can build a comprehensive and proactive cybersecurity management plan for current and future medical devices. Some of the significant challenges facing administrators – including lack of visibility, management complexity, and risk analysis – can be addressed with the help of robust EDR solutions. These solutions can support human efforts to defend the system by providing real-time insights and alerts when anomalies are detected.
A duly advanced EDR solution, when coupled with a thorough risk management plan, the right policies, and the proper procedures, ensures your network will be defended comprehensively, proactively, and intelligently.
Compliance and Mission Completion
The pace of tech adoption is only likely to increase as better devices and software become more cost-effective. The only solution then is to establish a cybersecurity plan that takes the proliferation of medical devices into account. This plan needs to govern the procurement, implementation, and maintenance of every device on your network. But what exactly does that look like?
Government regulations set forth by HIPAA and the FDA stipulates that healthcare organizations must meet several basic requirements regarding medical device security. These include the development of a device lifecycle plan and accompanying policies and procedures; the establishment of a comprehensive live inventory of all devices; the ability to perform risk analysis and management on all devices; and ongoing auditing and monitoring. Failure to abide by these regulations naturally invites lawsuits, fines, and further government scrutiny, so it's critical to meet these requirements.
However, these measures alone are not enough for a comprehensive cybersecurity plan; to the contrary, they represent a bare minimum and a logical place to start as you begin building your medical cybersecurity risk management program.
Taking Inventory of Your Internet of Medical Things Devices
The ability to identify and assess the sensitivity and vulnerability of each device is the foundation of an effective device management strategy. After all, you can’t secure what you can’t see.
But device identification and mapping alone isn't enough; you also need context. Without visibility you can’t orient yourself, chart your path forward, and take note of obstacles on that path. But without context, you're liable to lose sight of the forest for the trees and you’ll struggle to assess your progressing along charted course – let alone to course correct.
Only by coupling highly granular visibility with full context awareness, can you properly manage your hospital network security. In practice, that means not just knowing what connected devices you have deployed and having eyes on their network traffic, but also understanding what those devices are meant to do, how they’re meant to behave, and how they compare to other devices in those respects. You'll need that context to accurately classify devices and place them into well-defined security group to be governed by corresponding tailored security policies.
These groupings should be based on risk profiles, clinical functionality, clinical criticality, and trust relationships with other networked devices. Where relevant, lateral and inter-group communications should be restricted to remove possible points of malicious entry and proliferation.
Risk Analysis, Mitigation, and Response
Once a system is set up to identify and continuously assess the devices in the IoMT network, it's imperative to gauge the level of risk to which an organization is exposed and to develop a response plan accordingly. That means auditing for and addressing known vulnerabilities – such as out-of-date software, uninstalled available patches, weak or default passwords, sloppy or mistaken segmentation configurations, etcetera. With a clear accounting of your connected device inventory, these fixes are easy enough to implement. Protecting against unknown vulnerabilities can be a little trickier. Which is why smart tooling is essential.
With a simultaneously granular, panoramic, and context-aware view of your digital ecosystem and endpoints, a smart management tool can extract nuanced baselines for healthy network behavior on the individual device as well as on the group level, and then establish data-driven thresholds for the non-standard deviations from baseline that would suggest a problem. This whole process is conducted automatically by leading healthcare cybersecurity solutions – doing the heavy lifting in patrolling for potential unknown vulnerabilities on an ongoing basis.
Once an issue is flagged and managers are alerted, there will need to be a comprehensive set of policies and procedures that govern the response process. An intrusion detection system is of little use if the team doesn't know how to react to the information provided.
- What are the immediate next steps?
- How is traffic turned off to & from the affected network segment?
- How is the incident validated?
- Who else is to be notified?
- What documentation and reporting is needed and to whom should it be sent?
- How are the affected devices and infrastructure components cleaned?
- How are normal operations to be altered for the period of time that equipment and infrastructure is offline?
- How is business continuity training handled?
- What is the protocol for reintegrating the affected segment back into the network post-incident?
Actionable steps, with roles and responsibilities clearly delineated, for responding to live cyber incidents should be well-known, well-rehearsed, and reflected in the EDR system (under a variety of different conditions).
Of course, ongoing monitoring, analysis, and review will still be needed. Healthcare IT is an ever-changing space, with new threats and vulnerabilities always arising. Moreover, each organization will continue to acquire and implement new technology, so a management plan needs to account for that.
Smart EDR solutions provide a way for administrators to automate and streamline ongoing monitoring and analysis, acting as an ever-vigilant watchdog and freeing up IT resources to be directed where they’re most needed.
Prioritizing Secure By Design in New Technology Procurement
The dynamic digital environment in which healthcare organizations operate today is rife with risk. Constant technological advancements along with intense business pressures make cybersecurity a moving target – complicated by the fact that sensitive ePHI makes healthcare organizations a valuable target to attackers.
The only way to effectively manage all these different challenges is to bake security into your organization as early and often as possible. First that means awareness, then planning, then action. When you take on new technology you need to consider how it affects your security posture, what unique vulnerabilities it introduces to your digital ecosystem, how it will fit into your existing hospital network security architecture, and what you can do to limit risks.
It’s not just a matter of asking those questions either; you need to really consider them. Sometimes that may mean passing up on a particular piece of technology you were otherwise keen on because of its cybersecurity implications. Other times it may mean pushing vendors for greater security support commitments or even somewhat augmented device designs.
And of course, you’ll also need to have some sort of security apparatus in place capable of ongoing network monitoring and endpoint risk assessment, as well as rapid incident detection and response support.