According to a recent article, there are 10 to 15 million medical devices in U.S. hospitals today, averaging 10 to 15 devices per bed. That means that a 500-bed hospital could have 7,500 or more connected devices.
This is not only a management challenge, but a security challenge as well. Many medical devices are built primarily to improve patient care and increase efficiencies in the healthcare system. Yet they often have almost no built-in security, and they can’t be secured solely with anti-virus/anti-malware tools.
In addition, there are often multiple teams responsible for medical devices—the clinical or biomedical engineers who procure and implement them and the healthcare IT team who secures the devices. This shared ownership of medical devices can set you up for security failures.
So is it possible to lock down network-connected medical devices without impacting patient care? While there’s no silver bullet, here are some ways to significantly reduce the risk to these devices and ensure patient safety.
- Network segmentation – Because medical devices have minimal, if any, security capabilities, they’re a huge vulnerability not only to themselves, but to everything else attached to the network.
For example, a malicious actor could remotely access an internal, non-life supporting device and then use that internal device as a launching pad to exploit a vulnerability on another more important life-supporting device. This is an actual tactic used by attackers. With micro-segmentation, or role-based software-defined segmentation, policies are applied to limit the ability of attackers to spread from one device to another.
Segmenting all devices or applications can be operationally challenging and cost-prohibitive. Determining the role of each device (or application) as it relates to patient safety then becomes more important. For example, a life-critical device likely merits priority protection above all other devices. Getting segmentation right not only ensures network security, it ensures operational efficiency.
- Visibility – You can’t secure what you can’t see or measure. In other words, there are so many devices with so much data to evaluate that, for most healthcare IT teams, it’s hard to identify a pattern that might signal a potential attack. And if it’s hard to identify a problem, it’s nearly impossible to stop it.
Having visibility into the data enables it to be analyzed for behavioral aberrations.
- Behavioral analytics – An anomaly-based solution looks for inconsistencies in behavior from medical devices, and then quickly responds before a breach can impact patient care.
Consider reputation systems, in which large threat intelligence databases determine whether your systems are communicating with systems of good, bad or unknown reputation. A device that’s communicating with an IP address that neither your organization nor the Internet has ever allocated is clearly suspicious and merits further investigation.
For example, a heart rate monitor charts a patient’s heartbeat and notes irregularities. If the device were breached, however, it might send out signals that the patient was having a normal heart rate when, in fact, they were experiencing a heart attack.
- Continuous monitoring, alerting and incident response – Most organizations are not equipped to evaluate security threats 24×7 and respond properly. Their primary focus is, as it should be, on their core business—in this case, patient care.
When an attack occurs, panic often sets in among IT teams and, in their confusion, they cannot act quickly enough to stop it. That’s why continuous monitoring and an incident response plan are so crucial.
Yet finding a security professional who can put a plan in place is difficult for all organizations, including healthcare. Global cyber researcher Cybersecurity Ventures predicts there will be 3.5 million unfilled cybersecurity positions by 2021, forcing organizations to compete for an extremely limited pool of security professionals.
Fortunately, a managed security service provider can give organizations the otherwise hard-to-find security expertise needed to monitor, identify and respond to attacks before they impact patient care.
- Differentiated medical policies – As in any organization, not all healthcare devices are the same, and they shouldn’t be secured the same way. Healthcare organizations must differentiate security policies for devices according to their use. For example, life-saving equipment should have stricter security controls than routine diagnostic devices.
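The segmentation, behavioral-analytics and differentiated-policy points above can be checked together against network flow records. The following is an added example, not code from the original article or from Logicalis: it applies a default-deny, role-based policy, treats unlisted traffic toward life-critical devices as the strictest tier, and flags destinations nobody has allocated. The device addresses, role names, subnets and verdict strings are assumptions, and "not publicly routable" is used as a stand-in for "never allocated on the Internet".

```python
import ipaddress
from typing import NamedTuple

# Constructed inventory (hypothetical): device IP -> patient-safety role.
ROLES = {
    "10.20.1.5": "life_critical",    # e.g. a ventilator
    "10.20.2.9": "diagnostic",       # e.g. an imaging workstation
    "10.20.3.7": "clinical_server",  # e.g. a telemetry collector
}
# Default-deny allow-list: (source role, destination role, destination port).
ALLOWED = {
    ("life_critical", "clinical_server", 443),
    ("diagnostic", "clinical_server", 443),
}
# Subnets the organization has actually allocated (assumed for this example).
ORG_ALLOCATED = [ipaddress.ip_network(n)
                 for n in ("10.20.1.0/24", "10.20.2.0/24", "10.20.3.0/24")]

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int

def classify(flow: Flow) -> str:
    """Return a verdict for one flow record from a device segment."""
    dst = ipaddress.ip_address(flow.dst)
    src_role = ROLES.get(flow.src, "unknown")
    dst_role = ROLES.get(flow.dst)
    if dst_role is None:
        if any(dst in net for net in ORG_ALLOCATED):
            return "alert:uninventoried_internal_host"
        # Not ours and not publicly routable: stands in for "never allocated".
        if not dst.is_global:
            return "alert:unallocated_destination"
        return "review:external_reputation_lookup"
    if (src_role, dst_role, flow.dport) in ALLOWED:
        return "allow"
    # Stricter tier: anything unlisted that reaches a life-critical device.
    if dst_role == "life_critical":
        return "block:lateral_to_life_critical"
    return "block:not_in_policy"

def triage(flows):
    """Return (flow, verdict) pairs for every flow that is not allowed."""
    return [(f, v) for f in flows if (v := classify(f)) != "allow"]

# Constructed flow records, not captured traffic.
SAMPLE = [
    Flow("10.20.1.5", "10.20.3.7", 443),   # life-critical -> collector, in policy
    Flow("10.20.2.9", "10.20.1.5", 23),    # diagnostic -> life-critical
    Flow("10.20.2.9", "10.99.0.4", 8080),  # destination nobody allocated
    Flow("10.20.1.5", "8.8.8.8", 53),      # public address
]
```

Calling `triage(SAMPLE)` returns the three flows that need attention; in practice the external case would be passed to a threat intelligence reputation lookup rather than decided locally.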
Why Logicalis: Your healthcare security team
Logicalis believes that medical device security must enable patient safety. That’s why we work closely with all levels of your organization to assess risk to your networks and put appropriate security processes and policies in place to control access, reduce the time to detection of malicious (and unintentional), and provide meaningful recommendations for moving forward.
- Capable – Logicalis has multiple global security operations centers (SOCs) staffed by skilled security professionals dedicated to going the extra mile to provide 24x7x365 monitoring to stay ahead of threats. Our SOCs are fully integrated with our Network Operations Centers, and our large scale allows us to maximize cost efficiency.
- Credible – Logicalis is not just compliant with ISO 27001, we are certified in it. We’re also HIPAA compliant, practice ITIL Foundation V3, are SOC II Type II certified, and are contributing members of CIS SecureSuite®.
- Experienced – Logicalis first developed its security operations in 2006, and we now have more than 400 customers under management.
- Culture – Logicalis doesn’t advocate for rip-and-replace solutions. Instead, we work with your existing investments to maximize your security posture.
At the end of the day, our goal is to make the world a safer place for patients.
Learn more about our security solutions by visiting us at HIMSS 2019 (booth 969) or by contacting us.
Ron Temske is Vice President of Security Solutions, responsible for growing Logicalis’ security business both domestically and globally and helping our customers leverage security both as protection and as a business enabler.