Medical devices are often the weak point in a hospital’s technology landscape and, if compromised, could affect patient privacy, health, and safety. The concern is even greater since medical devices are connected to all major data centers in the hospital and compromising a medical device could allow hackers access to the entire hospital network.
With the increase in connected medical devices, the risk for malicious attacks is growing. 89% of hospitals were attacked during the last two years and 77% of hospitals are concerned about unsecured medical devices.
With most major medical centers simultaneously running thousands of connected devices, the size and complexity of the attack surface that needs to monitored and protected is truly difficult to fathom. A well thought out defense architecture that is user friendly and easy to scale is essential for the secure and effective management of any large distributed network.
That said, there’s no silver bullet. And while a cat-and-mouse game between bad actors and defenders means the attack surface is constantly shifting, a layered approach allows you to fortify your defenses. Tackle the same problem from multiple directions and you can build in structural redundancies so that when one layer is compromised, the others still work.
4 Layers of Smart Clinical Network Cybersecurity
Implementing cybersecurity for a complex network with a lot of different devices from different vendors is not an easy task, and maintaining it throughout the entire network life cycle is even harder. Best-in-class cybersecurity solution providers manage the challenge using an integrated, layered approach, consisting of:
- Continuous, real-time discovery and in-depth visibility mapping of all connected medical devices;
- Ongoing risk assessment of each medical device, considering known vulnerabilities, potential for attack, and the device’s operational criticality;
- Tailored security access policies for each medical device, based on device type, an understanding of the clinical network, and the organizational hierarchy; and
- Proactive scanning for and remediation of attack conditions — leaning on AI-enhanced DPI and medical protocol anomaly detection.
A 10-Step Methodology for Hospital Cybersecurity
When rolling out a comprehensive healthcare cybersecurity program, focusing on medical devices and clinical assets as the most exploitable points of failure, the methodology can be broken down in 10 essential procedural steps.
The process should look a little something like this:
The first step is to prepare an inventory accounting, spanning the entire hospital network, for connected assets. Due to the highly integrated and digitally interdependent nature of modern healthcare operations, it's important that this inventory not be strictly limited to medical devices. To insulate the whole organization from cyber threats and to protect all otherwise unmanaged devices, you'll need to also take stock of supporting technologies — like networked cameras or printers — that exist within your broader IT ecosystem.
A version of this inventory list will usually already exist in the CMMS or inventory management system, and while those records are often far from accurate, they present a good starting point and serve as a baseline against which to evaluate your progress as you find and map assets not previously recorded.
If such a list is not available, that is fine too. A good cybersecurity solution should be able automatically identify and map devices through their presence in the network environment — regardless of whether they're connected through direct cabling, WiFi, serial porting, or any other network communication technology.
Install monitoring mechanism
A SPAN or TAP port will need to be installed at the appropriate network switches to passively monitor traffic and communication requests running through the network infrastructure.
Getting this monitoring apparatus in place as early as possible is important so that a picture of standard or baseline network traffic flow patterns can be constructed from a statistically and longitudinally significant sampling. Since the network is likely comprised of many devices using a mix of general, industry-wide, and vendor-specific protocols to communicate, normal usage patterns may look different for each device type and model.
Making sense of the flow patterns within this connectivity matrix is at the root of good healthcare cybersecurity. And it's easier said than done. For purposes of managerial practicality, devices that serve similar functions or are used in similar ways will need to be identified and classified together under the same security policy groups and controls.
Cross-reference endpoints with known devices and communication protocols
The master inventory list resulting from your existing records combined with live endpoint monitoring should be cross referenced against a database of known UDIs and associated communication protocols. This is essential for the tool to not just see device endpoints in the network, but to understand them and their role in the clinical ecosystem.
Without that understanding, it will be all but impossible to recognize whether or not network interactions running through those endpoints are legitimate.
If there are any devices on the list that don’t appear in the database, that gap will need to be filled. Usually this requires a human researcher or team of researchers devoted to the task — detailing the device’s associated protocols by pulling vendor documentation, drawing from publicly available sources, and reverse engineering the remaining gaps based on experience, raw coding skills, and experimentation.
Once you have the individual devices plotted, they should be reviewed for outdated or otherwise vulnerable software and operating systems, default or easily guessed passwords, and known vulnerabilities that haven't been properly patched.
Some medical devices already contain disclosed vulnerabilities upon release, so while it may be tempting to skip this step if all the technology indexed – both in terms of hardware and software – is relatively new, a brief investigation must be conducted, nevertheless.
By observing network interactions courtesy of the SPAN or TAP port, noting the metadata those interactions carry, and the specific protocols they enlist, we can identify all the devices connected to the network. Moreover, we’re able to record device type, vendor, model, version and hardware IDs (MAC and serial number) — creating a granular map of the hospital’s asset ecosystem.
Using this information, we can set up parameters to describe the expected network behavior for each device group. Charting the bounds for inter-quartile ranges and standard deviations within those expected behavior patterns, we can build alert thresholds. This is called baselining. By flagging anomalous deviations from the established baseline, security analysts can quickly spot and attend to threats.
The more detailed the information held for each device, the easier it will be to monitor vulnerabilities and find when changes, such as software patches, are required.
Get smarter and see more with AI
At the same time as you're identifying and correcting for existing threats, a best-in-class solution will leverage AI or machine learning technologies to accelerate and enhance deep packet inspection, and continually probe for new problems.
Seeing what’s going on within your network is (comparatively) easy. It’s understanding what’s going on that’s the bigger challenge and where AI is needed.
Using machine learning, CyberMDX’s MDefend solution, for example, inspects network traffic packets at the deepest and most context-aware levels possible — resulting in unmatched data profiling and risk assessment. MDefend automatically analyzes communications, extracting significant network characteristics for analysis by the MDefend “brain”. This AI-powered brain maps similarities and differences between medical devices and then uses that map to build device peer groups. These groupings helps to rapidly and accurately identify anomalies by comparing current and historic device behaviors to those of the peer group.
Audit segmentation configurations
Using the information from steps 1-5 above, an audit of the hospital’s LAN and VLAN structure should be carried out and recommendations for improved segmentation management should be issued.
A common failure of traditional network security, based on perimeter security paradigms, is that once an intruder gains access to a network, he or she can move laterally to other network components or connected devices without fetter.
A better approach for hospitals would be to smartly employ micro-segmentation to draw concentric internal perimeters around strategic fixtures at different levels throughout the network.
In a medical environment, this should be configured around each asset type. These micro perimeters limit access to each service inside each and every asset — hence restricting access to legitimate parties only and reducing the attack surface.
Integrate your monitoring and management into a single viewpoint
All of the above insights should be packaged together and integrated into the internal security team’s preferred interface — whether SIEM, NAC, or network security system — to provide an enhanced organization-wide view of the network. This is important in order to make sure that your different tools are actually playing nicely together and enhancing each other’s functionality, as well as to make it easier to set custom alert triggers — empowering more immediate corrective action.
Output from these systems should be aggregated within dashboards and reports to increase senior management awareness and comfort.
Look for new attack vectors
In parallel, original vulnerability research should be conducted for all devices in deployment. In a lab environment, disconnected from the hospital’s broader IT ecosystem, device porting configurations should be replicated and studied for possible backdoors. Penetration tests should be conducted, remote control capabilities should be scrutinized, and protocol version revert commands should be investigated for possible security implications.
Risk scores should be assigned on the individual device level as well as for the organization collectively. Wherever vulnerability information is gathered it should be translated into remediation instructions and actions should be accordingly taken.
Refine and automate the process to get out in front of the threat
The network is monitored continuously for new devices which, when detected, are processed and sent to the appropriate device type grouping — automatically plugging them into to the well-defined VLAN assignments — by the AI brain. This continuous monitoring also ensures segmentations and governance don't degrade over time.
If traffic patterns are detected that violate the established norms of healthy network behavior for the given device and VLAN, the offending node is quarantined and cleaned using the firewall or network access control technology. If the traffic in question is somewhat more ambiguous, it will be is flagged for review by an analyst.
Different cybersecurity solution providers will take different approaches to meeting the challenges of hospital cybersecurity, but any good solution will break down into layers and aim to systematically envelop your operation in ever-more hardened defenses. The threat can never really be eliminated 100% but an attack can be made so difficult to carry out that it would no longer be worth it to the attacker. That is pretty much the gold standard for healthcare cybersecurity.
Combining original vulnerability research, deep packet inspection, medical communication protocol insights, AI analysis, automatable micro-segmentation, and integrated security policy management, best-in-class cybersecurity solution providers are bringing unprecedented visibility and security to hospitals. A strong healthcare cybersecurity solution will deliver a non-intrusive, scalable architecture that is easy to deploy and use — ensuring data integrity, operational resilience, efficiency, and patient safety.