“What you don’t know can’t hurt you.”
There are times when the old adage still holds true, and times when it couldn’t be further from the truth. For healthcare IT and security leaders, not knowing what devices are on the network is one of the biggest barriers in securing data.
Throw in the fact that many organizations are using legacy biomedical devices, and it becomes infinitely more difficult.
“Historically, there hasn’t been a lot of focus on making sure these devices are secure, because they were never really connected to anything until the advent of Meaningful Use. We weren’t really thinking about that as we were implementing our EMRs,” said Theresa Meadows, CIO at Cook Children’s Health Care System, during a recent healthsystemCIO webinar.
Now, all of that is changing, and biomedical device security is moving to the front burner. In fact, it’s one of the key initiatives of the Healthcare Industry Cybersecurity Task Force, an initiative Meadows has been involved with for several years.
Last week, Meadows participated in a panel discussion on this timely topic, along with Will Long, CISO at Children’s Medical Center, and Mayuresh Ektare, VP of Product Management with ZingBox, during which they identified best practices and talked about ongoing challenges with securing biomedical devices.
The problem, according to both Meadows and Long, stems from the fact that when most legacy devices were built, manufacturers didn’t provide a mechanism for updates. As a result, “we have to figure out either how to remove them from the environment, or how to segregate them and determine how we’re going to deal with those things,” noted Meadows. “This isn’t a one-year problem; this is a 10 to 15-year problem for most organizations because the funding is just not there to replace these devices.”
The good news is that there are solutions that won’t break the budget. According to Ektare, the best option for most organizations is a three-pronged plan: build out a comprehensive inventory of all devices found on the network, securing the devices, and provide ongoing management of vulnerability patches.
The ‘what’ sounds relatively simple; the ‘how’, on the other hand, is not.
“Biomedical devices have a long shelf life and many have very limited support from the vendors,” Ektare said. And sometimes – in fact, the majority of the time – they’re running an old version of the operating system. “That’s why we need a completely new approach to securing these devices.”
And although there is no one-size-fits-all approach, there are best practices that organizations can leverage to more effectively keep these critical devices – and the patients who use them – safe.
Know your environment. “It starts with understanding all the medical devices you have in your environment, and what level of risk those devices present,” said Meadows. This can be daunting, as the number of devices in most organizations has increased significantly with the advent of IoT, but it must be done.
Inventory is everything. “The fact that we currently lack a single framework that allows us to manage, monitor, and secure this diverse set of devices is the most challenging aspect,” noted Ektare. “Getting that centralized inventory is the first step.”
Create a risk profile. Beyond knowing what’s out there, health IT and security leaders need to categorize devices according to how they’re used, and whether they can cause patient harm if they malfunction, according to Long. “All those categories make up the risk profile.”
Patching may not be enough. Devices such as infusion pumps don’t allow installation of anti-virus software; therefore, leaders need to “wrap a complete security stack around all the devices” to help mitigate risk, stated Long.
Make it a team sport. Like many efforts, successfully securing biomedical devices requires collaboration among multiple constituencies, including IT, security, infrastructure team, applications, and biomedical equipment. “It takes all these teams working together to find the best method for security,” said Meadows.
Segment as needed. One of the advantages with biomedical devices, according to Long, is that they tend to act the same way all the time, which makes it easier to detect anomalies. Segmentation can help control traffic, which in turn can reduce risks, said Long. But, like many aspects of cybersecurity, visibility is crucial, noted Ektare. “You need to understand what attack vectors can affect your devices. Having that situational awareness informs you as to how to target your micro-segmentation strategies.” Rather than segmenting the entire network, it’s a good idea to start with the most critical medical devices.
Be proactive. Whereas a network can automatically detect a cell phone or laptop and apply policies, a medical device like an infusion pump has to be manually provisioned and secured, said Ektare. By implementing a complete solution that maintains strict access through zero-trust policies, organizations can more effectively detect threats.
And be reactive. “If, after applying best practice measures, something happens to the device, that’s when the reactive approach kicks in and we have to work with multiple departments who have feet on the ground to touch these devices and develop a comprehensive remediation workflow,” he noted.
Assess before buying. At Cook Children’s, a team was appointed to perform risk assessments on all new pieces of medical technology before they’re brought into the fold, according to Meadows. “We’ve created a policy where the organization can’t purchase a piece of equipment without first going through that security process.”
Maintain a birds-eye view. IT and security leaders need to be aware of all the ways in which devices can enter the healthcare system, whether it’s through demos, research, or normal procurement of operations. “You need to be plugged into that and know what purchases are happening,” said Long. And it’s not about saying ‘no,’ but educating others on the risks a device might post.
Spread the word. Along with sending threat information to the appropriate parties (for example, the Health Sector Coordinating Council) so it can be disseminated across the industry, vendors like ZingBox are implementing early warning systems so that if a device is impacted, other customers can take precautionary measures. “Health systems need to take advantage of these platforms, because biomedical devices are unique. Protecting them requires a different way of thinking in terms of how you can create a transparent shield around devices without actually touching them,” said Ektare.
Use your voice. Long and Meadows are among many healthcare IT and security leaders who are advocating for change, and working to bolster security across the organization. “We’re working with manufacturers and industry groups to get full disclosure from manufacturers on what are the components in these devices, and how better to secure them,” said Long.
And it doesn’t stop there. They’re also pressing manufacturers to build devices “that are secure and have good cyber hygiene from the beginning. I’m really looking forward to a day where those devices are built with a simple security stack that doesn’t allow any software that wasn’t deployed at the time it was manufactured, to run on those devices,” he noted.
Meadows believes health systems, manufacturers, and government agencies need to work as a three-legged stool to find ways to remove legacy devices from the environment or secure them — without having to purchase new equipment.
“That can’t always be the answer,” said Meadows.
Fortunately, she believes the industry has made great progress in the past few years when it comes to providing resources and sharing best practices. For more information on the guidance that’s available, visit the Healthcare and Public Health Sector Coordinating Council’s website, or access the latest HHS recommendations (Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients).
To view the archive of our webinar — Biomedical Device Security Update (Produced in Collaboration with CHIME) — click here.