The medical device and diagnostic industry is mammoth, grossing billions of dollars every year. At every moment, hospitals rely on medical devices to deliver critical data used in the care and life-saving treatment of patients. Demands for innovation and portability have created a surge of devices we’re currently classifying as the Internet of Things. These devices are easy to use, convenient, and often on the ‘cool’ radar. Unfortunately, securing these technologies often slows production and impacts ROI for manufacturers, and therefore security controls are often omitted or weakened.
How did we get to this point? Let’s take a journey back in time.
Historically, BioMed equipment has been deemed a black box that is not only untouchable but unquestionable by the enterprise. For longer than we care to admit, health systems have procured and simply plugged in devices, and any associated network hardware, without a single question or concern. Most recently, as we’ve all heard and read, there is a plague of medical device hacking, from confirmed penetration of insulin and infusion pumps to the fear of hacks against implantables resulting in death. The threat landscape continues to expand, in no small part due to the smart room phenomenon that we’ve all been championing.
While our computing environments will never be 100 percent secure, making the right strategic decisions and tactical moves will position every organization to proactively fight the known and unknown enemies.
First, let’s consider the contract. Key contract language in the realm of IT security is usually absent for a few reasons. While there are any number of talented people in procurement, they’re not technologists. I’m a firm believer in the notion that you can’t protect what you don’t understand, and when contract language is reviewed and approved without the right folks from IT, it usually results in gross security gaps and costly remediation steps.
So, what should you include, and what requirements should you insist on?
- Integration into YOUR established security framework
- Secure deployments and associated criteria
- Handling vulnerable equipment
- Yearly SOC and/or SSAE16 reports when applicable
- The right to audit, for services provided
- Data sanitation, for any hosted models
Secondly, let’s talk about network and security architecture. We still have way too many flat networks out there. Despite the adoption of proxies, VPNs, etc., these become nothing but a mere stumbling block for the adversary who gets past them and then has free rein over your network. It’s quite an understatement to say that finding a downtime window in a hospital is extremely problematic, even when simply updating or patching a system. Therefore, ripping and replacing the network fabric becomes a daunting task many avoid at all costs. Sooner or later, it must be done. While network and security architecture requires highly skilled technical individuals, it’s critical for these folks to understand that consultation with the business will make the difference between success and failure. Understanding business-side operations and workflows is a must; without it, the most beautiful architecture will be fractured by exceptions and bandages.
What elements should your network and security architecture adopt?
- You still need the basics: firewalls, proxies, IDS/IPS
- Network segmentation on both the wired and wireless networks
- Design your network segmentation to best meet security and business operation needs, e.g.:
  - based on data classification
  - depending on types of devices/technologies, etc.
- Deploy firewalls and IDS/IPS at key segmentation points
- Adopt behavioral analytics
- Require two-factor authentication
- Ensure log aggregation and correlation
- Automate important processes whenever possible
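The segmentation items above are easiest to reason about when the design is written down as data and the firewall logs from the segmentation points are checked against it. The following Python script is an added example, not code from the original article: it models segments by data classification and device type, an explicit allowlist of cross-segment flows, and audits constructed firewall log lines against that design. The segment names, address ranges, ports and log lines are assumptions made for the example.

```python
"""Added example: segmentation policy check for a BioMed network.

Segments are keyed by data classification and device type, cross-segment
flows are allowlisted explicitly, and firewall log lines from the
segmentation points are checked against the design. Segment names,
CIDRs, ports and log lines are constructed for this example.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Segment:
    name: str
    cidr: str            # address range assigned to this segment (assumed)
    classification: str  # data classification: "phi", "internal" or "public"
    device_type: str     # e.g. "infusion_pump", "workstation", "guest"


SEGMENTS = [
    Segment("biomed-pumps", "10.10.1.0/24", "phi", "infusion_pump"),
    Segment("biomed-imaging", "10.10.2.0/24", "phi", "imaging"),
    Segment("clinical-workstations", "10.20.0.0/22", "phi", "workstation"),
    Segment("mgmt", "10.90.0.0/24", "internal", "management"),
    Segment("guest-wifi", "192.168.100.0/24", "public", "guest"),
]

# Cross-segment flows the design permits: (source segment, destination
# segment, destination port). Anything else crossing a segment boundary
# is a deviation from the design, whatever the firewall actually did.
ALLOWED_FLOWS = {
    ("clinical-workstations", "biomed-pumps", 443),
    ("clinical-workstations", "biomed-imaging", 104),   # DICOM
    ("mgmt", "biomed-pumps", 22),
    ("mgmt", "biomed-imaging", 22),
    ("biomed-pumps", "clinical-workstations", 2575),    # HL7 results
}


def segment_of(ip):
    """Return the Segment containing ip, or None if it is outside the design."""
    addr = ipaddress.ip_address(ip)
    for seg in SEGMENTS:
        if addr in ipaddress.ip_network(seg.cidr):
            return seg
    return None


def check_flow(src_ip, dst_ip, dst_port):
    """Return None if the flow matches the design, otherwise a reason string."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "address outside any designed segment"
    if src.name == dst.name:
        return None  # intra-segment traffic is not a segmentation concern
    if (src.name, dst.name, dst_port) in ALLOWED_FLOWS:
        return None
    if src.classification == "public" and dst.classification == "phi":
        return f"public segment {src.name} reaching PHI segment {dst.name}"
    return f"flow {src.name} -> {dst.name}:{dst_port} not in design"


# Constructed firewall log lines (syslog-like key=value format, assumed).
SAMPLE_LOG = """\
2024-05-01T10:00:01 fw1 src=10.20.1.15 dst=10.10.1.40 dport=443 action=allow
2024-05-01T10:00:05 fw1 src=192.168.100.23 dst=10.10.1.40 dport=80 action=allow
2024-05-01T10:00:09 fw1 src=10.90.0.5 dst=10.10.2.7 dport=22 action=allow
2024-05-01T10:00:12 fw1 src=10.10.1.40 dst=10.20.1.15 dport=2575 action=allow
2024-05-01T10:00:20 fw1 src=10.20.1.15 dst=10.10.2.7 dport=445 action=allow
"""


def parse_line(line):
    """Extract (src, dst, dport) from one key=value log line."""
    fields = dict(f.split("=", 1) for f in line.split()[2:])
    return fields["src"], fields["dst"], int(fields["dport"])


def audit_log(text):
    """Return (line_no, reason) for every logged flow that deviates from the design."""
    violations = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        src, dst, port = parse_line(line)
        reason = check_flow(src, dst, port)
        if reason:
            violations.append((n, reason))
    return violations


if __name__ == "__main__":
    for n, reason in audit_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

Note that both flagged lines were logged as `action=allow`: the point of running the audit is exactly that the firewall rules at the segmentation point and the written design can drift apart, and a log review against the design is what reveals it.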
Now let’s put the pieces together. Having the right contract language and network/security architecture is extremely important, but not enough to solve the problem. Operations is key. Way too often, vendor promises dissolve into thin air, and without validation, the safeguard or control you expected just doesn’t exist. The result? The next big breach.
Operational success depends on the following:
- Dissecting the environment: This begins with learning everything about the solution, from programming languages to authentication and interfaces. Documentation and data flows are a must.
- Vulnerability scanning: Since real-time scanning of BioMed equipment is impractical for obvious reasons, scanning upon deployment and then periodically (monthly, quarterly) is a must. Whenever vulnerabilities are identified, the right language in the contract is your safety net for having those issues remediated accordingly.
- Secure deployment: Ensuring default passwords and weak protocols are disabled is critical. Don’t take anyone’s word for it — ensure this is tested.
- Two-factor authentication: Relying on password security is as effective as leaving your door wide open and hoping no one will walk in. Regardless of regulatory requirements, safeguard systems and data with a two-factor challenge.
- Weak SSL: It’s difficult to find a ‘secured’ web page that is not susceptible to one of any number of serious SSL/TLS vulnerabilities. Monthly validation of these key websites should be performed.
- Asset inventory: An inventory of all BioMed equipment with relevant data (location, make, model, vendor, other, etc.) must be up-to-date at all times.
- USB security: Depending on the type of device and workflow, control USB use and data exfiltration on associated devices.
- Behavioral analytics: Despite all of the other controls and good intentions, understanding network traffic and behavior is the best pulse for diagnosing whether the system is running well. Deploy a solution that provides such intelligence.
- Training: Having the right people with the right skills triaging incidents is an area that is largely overlooked. Constantly evaluate staff skills and improvement needs.
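Three of the operational items above (asset inventory, scan cadence and monthly validation of web interfaces) lend themselves to a small, repeatable check. The Python below is an added example, not code from the original article: it keeps a constructed inventory of BioMed assets with their last scan date, flags assets whose scans are overdue or whose records are incomplete, and evaluates an observed TLS configuration against an assumed baseline (TLS 1.2 or newer, no legacy cipher suites, certificate not expiring within 30 days). The asset records, hostnames and the baseline itself are assumptions for the example; `probe_tls` uses the standard `ssl` module to collect the same observation from a live interface listed in the inventory.

```python
"""Added example: operational validation helpers for a BioMed inventory.

Covers asset inventory completeness, vulnerability-scan cadence and
TLS configuration validation of device web interfaces. Records, dates,
hostnames and the TLS baseline are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional
import socket
import ssl


@dataclass
class Asset:
    asset_id: str
    make: str
    model: str
    location: str
    vendor: str
    mgmt_host: str              # hostname of the device's web/management interface
    last_scan: Optional[date]   # None means the asset has never been scanned


INVENTORY = [  # constructed sample records; hostnames are placeholders
    Asset("BM-0001", "AcmeMed", "Pump X1", "ICU-3", "AcmeMed", "pump-x1-icu3.example.invalid", date(2024, 4, 2)),
    Asset("BM-0002", "AcmeMed", "Pump X1", "ICU-4", "AcmeMed", "pump-x1-icu4.example.invalid", date(2023, 11, 15)),
    Asset("BM-0003", "ScanCo", "CT-9", "Radiology", "ScanCo", "ct9-rad.example.invalid", None),
    Asset("BM-0004", "ScanCo", "US-2", "", "ScanCo", "", date(2024, 4, 20)),
]


def overdue_scans(inventory, today, max_age_days=90):
    """IDs of assets whose last vulnerability scan is older than max_age_days, or missing."""
    cutoff = today - timedelta(days=max_age_days)
    return [a.asset_id for a in inventory if a.last_scan is None or a.last_scan < cutoff]


def incomplete_records(inventory):
    """IDs of assets missing any field the inventory requires."""
    required = ("make", "model", "location", "vendor", "mgmt_host")
    return [a.asset_id for a in inventory if any(not getattr(a, f) for f in required)]


# Assumed TLS baseline for device web interfaces.
ACCEPTED_VERSIONS = ("TLSv1.2", "TLSv1.3")
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3", "NULL", "EXPORT", "MD5")


def tls_findings(version, cipher, not_after, today, warn_days=30):
    """Return the list of baseline deviations for one observed TLS configuration."""
    findings = []
    if version not in ACCEPTED_VERSIONS:
        findings.append(f"protocol {version} below TLS 1.2")
    if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite {cipher}")
    if not_after < today:
        findings.append("certificate expired")
    elif not_after - today < timedelta(days=warn_days):
        findings.append(f"certificate expires within {warn_days} days")
    return findings


def probe_tls(host, port=443, timeout=5):
    """Observe (version, cipher, certificate not_after) on a live interface from the inventory."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            seconds = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
            not_after = datetime.fromtimestamp(seconds, tz=timezone.utc).date()
            return tls.version(), tls.cipher()[0], not_after


if __name__ == "__main__":
    today = date(2024, 5, 1)
    print("overdue scans:", overdue_scans(INVENTORY, today))
    print("incomplete records:", incomplete_records(INVENTORY))
    # Offline illustration of the TLS check on a constructed observation.
    print(tls_findings("TLSv1.0", "ECDHE-RSA-RC4-SHA", date(2024, 5, 10), today))
```

Scheduling `overdue_scans` and `incomplete_records` monthly against the real inventory, and feeding `probe_tls` output for each `mgmt_host` into `tls_findings`, turns the "validate, don’t take anyone’s word for it" advice into a report that can be handed back to the vendor under the contract’s remediation clause.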
IT security is all about mitigating risk and constantly taking the time to review your environment. What contracts need tuning upon renewal? What network/security architecture hardening is needed? What operational changes can you quickly make to safeguard the environment and ensure a robust and reliable network?
Don’t let your organization get hacked. Act now!