Unless you’ve been living under a rock for the last 10 years, you’ve heard of the Internet of Things, or IoT as it’s commonly abbreviated. The subset of IoT belonging specifically to healthcare and its supporting technologies is called the Internet of Medical Things, or IoMT, and it’s made up of smart, connected devices that automatically collect, process, and digitally relay information from the physical world through a shared network infrastructure.
While it might be intuitive to think that the same security controls used to protect general IoT devices can secure IoMT environments, that would be a big mistake. The threat landscape and the malicious motives that dot it are vastly different for the Internet of Medical Things. As a result, a different, more tailored approach is needed for hospitals to safely navigate and clear a path through their unique mine fields.
The United States is home to 6,210 hospitals and some 120 million connected medical devices. That averages out to around 22,800 connected medical devices per US hospital. Those devices can take a wide range of forms, serving a variety of different purposes, and come from a number of different vendors – each device type, clinical application, and vendor having its own security implications. Per CyberMDX research, those thousands of devices typically distill into 150-200 distinct IoMT device families, together combining to account for some 20% of a hospital's total network endpoints. And the most vulnerable 20% at that.
Though many traditional NAC (Network Access Control) systems do a reasonable job in tracking primary network endpoints, most provide inadequate contextual information about their use, traffic flows or operational status — leaving system administrators struggling to make sense of the information they’re given.
NAC My Problem, Man
With such a large and diverse network to secure, you need 360° top-down visibility to intelligently define trust relationships between device families, restrict lateral (in-group) communications, logically impose segmentation regimens, and easily maintain network architecture per best practices. Traditional NAC technologies simply do not provide the level of visibility and context-awareness required to do that.
For example, many NAC systems rely on media access control (MAC) addresses to supervise and restrict communications. MAC addresses reflect network interface controller (NIC) IDs, but those IDs do not necessarily accord with the nature of the devices in which they’re embedded. In fact, a device and its NIC may not even come from the same manufacturer. As traditional NAC agents take a broad view of the network, relying on MAC addresses, they don’t typically see the IP or layer 7 information that is essential to revealing the true nature of the device and the context of its communications within the network.
So if you look at the network through your NAC, a given endpoint may be represented by, for example, its Huawei-associated MAC address. But if you look further, assisted by a healthcare-focused cyber solution, you may find that the device’s regular communications with, say, a restricted GE imaging server identify it as an MRI machine. Without the added visibility provided by a supplemental layer of cybersecurity, you would totally lack the device functionality insights needed to smartly define trust relationships between devices and device family-based security groups.
Similarly, from the management portal of your NAC enforcement agent, a CT scanner may appear as a “Windows 7” endpoint, and though the machine's workstation may indeed be running Windows 7, reporting it only as such misrepresents the nature of your digital ecosystem and fails to capture a huge amount of the information needed to properly monitor and secure the device.
These shortcomings should come as no great surprise. NACs are not holistic cybersecurity solutions so much as they’re platforms for cybersecurity policy enforcement. These platforms come, by default, attuned to the most common IT network threats in their most common permutations. While healthcare is another vertical to which such a platform can be applied, its network norms and threats are quite different from other networked IT ecosystems.
To get an accurate, granular view of your network endpoints and workflows along with an appropriately nuanced topological perspective from within your NAC, there’ll need to be a fair amount of manual fine-tuning — sometimes including boots on the ground, to bridge the gaps in the NAC agent’s vision and intelligence.
The Added Value of a Devoted IoMT Security Solution
A solution focused on IoMT and clinical networks, on the other hand, would be designed to address healthcare’s distinctive IT environmental needs and challenges. Highly granular visibility is required to achieve more precise baselining, and greater context-awareness. More accurate device classifications deliver greater functionality and safe use insights with which to define trust relationships.
A real-time viewpoint into inter-device traffic flows is needed to inform attack detection and smart access policies. Predicated on fluency in medical device protocols, the combination of general deviation from baseline analyses (finely tuned to normal HIT behavior patterns) with specific healthcare-tailored malicious activity detection, ensures a tighter patrol of your IT ecosystem and empowers a more rapid response to a potential incident.
With this granularly empowered and contextually informed active monitoring apparatus in place, each device can be assigned a risk score – based on known vulnerabilities, network positioning, and detected threats. Those composite risk factors can be aggregated and tabulated to provide risk profiles at the organizational, departmental, and device family levels.
Reproducing this level of insights and operational utility outside of a devoted healthcare network security solution would require a wealth of expertise in communication protocols (including the obscure and proprietary), medical devices and healthcare related IoT, HDO data flows, and clinical workflows — in addition to an abundance of spare time.
Some leading HIT security solutions even include regulatory reporting modules that reflect your compliance posture, say for HIPAA, while guiding and documenting actions taken to improve it.
Best-in-class solutions take their digitally derived insights a step further to provide operational optimization recommendations, original vulnerability research and protection, while at the same time automatically and continuously cross-referencing your inventory against updates and advisories from the FDA, ICS-CERT, and MDISS MDRAP – and issuing alerts to the relevant manager.
Leveraging device flow visibility and domain expertise, an advanced healthcare-focused cybersecurity solution can similarly detect and issue automated alerts about misconfigurations, connectivity issues, recalls, and more.
A Smart, Layered Approach to Healthcare Cybersecurity
For healthcare, traditional NAC solutions bring cybersecurity muscle as advertised, but none of the brains needed to wield it effectively. Of course, those brains can be fed into the system, but without any additional tooling, it will be very time consuming and labor intensive to properly configure and manage.
Whether it’s context-aware network visibility, risk assessment, threat intelligence and protection, or business-enhancing operational analytics, when it comes to complex healthcare environments, NAC enforcement agents normally need a helping hand.
Smart, healthcare-specific solutions integrate with NAC technologies to enrich the system with 360° monitoring, detailed classification data, and finely tuned security policies. Offering further functionality in the form of compliance enablement, risk management, and zero-day fortification, a layered and tailored approach is required to scalably and sustainably deliver end-to-end security to a complex and evolving medical technology landscape.