Cybersecurity vulnerabilities have haunted healthcare IT security executives for years, especially when it comes to protecting medical devices and other assets linked to internal networks or the Internet.
The problem is extensive, as large healthcare systems typically have thousands of devices, often from hundreds of manufacturers, in use — many of which are several years old, running off old software platforms that are difficult to protect. The growing challenge of protecting medical devices and ensuring the integrity of a provider’s internal networks was the topic of a webinar entitled, “Leveraging Risk Management as a Cornerstone of Your Connected Assets Security Strategy.”
A critical factor in this battle is the large number of devices that connect to hospital networks. These can range from laptop computers used by clinicians to smartphones, Internet of Medical Things (IoMT) devices, smart TVs, and even vending machines, said Kristopher Kusche, VP and CISO at Albany Medical Center, a five-hospital system based in upstate New York.
Managing the multiplicity of devices is made more challenging because of the ease with which they connect to hospital networks, either directly by cables, or increasingly through WiFi or Bluetooth, Kusche added.
Further complicating the matter is the fact that more of these devices are being used “outside the four walls of the hospital,” said Jonathan Langer, co-founder and CEO of Medigate, largely for telehealth and remote patient monitoring.
Todd Greene agreed, adding that wireless connections have expanded the footprint for vulnerability. “Wireless is quite ubiquitous in any organization, and trying to figure out how to protect networks is a big issue,” noted Greene, who is VP and enterprise CISO for Atrium Health, one of the nation’s five largest health systems.
As healthcare organizations make decisions on purchasing these smart and connected devices, it’s important for IT executives to be involved in the process, particularly to ask pointed questions about security protocols and whether they can transfer patient data to the cloud, he said. For example, when Atrium wanted to standardize on one brand of infusion pump across its system, IT provided its security perspective on the purchase of potentially thousands of the devices. That included subjecting the top candidates to penetration testing to ascertain whether manufacturers’ claims could be verified.
At Albany Medical Center, a biomedical security program is in place that mimics what the health system uses to assess and mitigate risks through its IT security program, “and that begins at acquisition, vetting the solution and going through a risk assessment process, even before it gets into your environment,” Kusche said.
Beyond that, IT departments need special awareness of the potential risks and, in many cases, their lack of sophistication in managing the vulnerabilities, he said. “We understand that our typical IT toolsets can’t handle medical devices in the way we need to; we do use technologies that allow us to have a real-time view into these devices. You have to understand they are a little different and then compensate for those differences,” he noted.
This is where microsegmentation – a practice that puts medical devices on networks that don’t connect directly to the backbone supporting major IT systems – can offer an effective layer of protection, according to Greene. For some classes of devices, “we have elected to firewall those off and restrict them to only the access they need to have,” he said. His department also amps up oversight of any devices that send data to the cloud.
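As an added illustration of the microsegmentation approach Greene describes (this is not code from the webinar, Atrium or Albany), the following Python evaluates constructed device flows against a per-class allowlist: each device class may reach only its own management server, anything else on the internal network is denied, and any cloud-bound flow is flagged for review rather than silently allowed. All addresses, ports and device classes are assumed values.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Constructed example policy: addresses, ports and class names are assumptions,
# not values from any real hospital network.
class Flow(NamedTuple):
    device_class: str   # e.g. "infusion_pump"
    src: str            # device address
    dst: str            # destination address
    dport: int          # destination TCP/UDP port

# Allowlist per device class: (destination network, port). Everything not
# listed here is denied, which is what "only the access they need" means.
ALLOWED: Dict[str, List[Tuple[str, int]]] = {
    "infusion_pump": [("10.20.5.0/24", 443)],      # pump management server only
    "patient_monitor": [("10.20.6.0/24", 2575)],   # HL7 feed to its gateway only
}
# RFC 1918 space; a destination outside it is treated as cloud egress.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def evaluate(flow: Flow) -> str:
    """Return 'allow', 'deny' or 'review' for one flow under the segment policy."""
    dst = ipaddress.ip_address(flow.dst)
    for net, port in ALLOWED.get(flow.device_class, []):
        if dst in ipaddress.ip_network(net) and flow.dport == port:
            return "allow"
    # Cloud-bound traffic gets the extra oversight the article describes:
    # it is queued for human review instead of being decided by the allowlist.
    if not any(dst in n for n in PRIVATE):
        return "review"
    return "deny"   # default for the IT backbone, other segments, unknown classes

def summarize(flows: List[Flow]) -> Dict[str, int]:
    """Count decisions over a batch of flows, e.g. from a day's NetFlow export."""
    return dict(Counter(evaluate(f) for f in flows))

# Constructed sample flows from the biomedical segment.
SAMPLE = [
    Flow("infusion_pump", "10.20.50.10", "10.20.5.2", 443),     # its own server
    Flow("infusion_pump", "10.20.50.10", "10.0.3.7", 1433),     # EHR database
    Flow("infusion_pump", "10.20.50.10", "52.0.0.1", 443),      # cloud endpoint
    Flow("patient_monitor", "10.20.60.4", "10.20.6.5", 2575),   # its HL7 gateway
    Flow("patient_monitor", "10.20.60.4", "10.20.5.2", 443),    # pump server
    Flow("smart_tv", "10.20.70.9", "10.20.5.2", 443),           # class not listed
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.device_class, f.dst, f.dport, "->", evaluate(f))
    print(summarize(SAMPLE))
```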
Management by committee
Both Albany and Atrium use committee structures that review security practices. Pulling participants from across the organization, these panels review medical device vulnerabilities and can make tough recommendations on practices, mitigating some of the backlash that IT departments might face from always having to nix actions because of security concerns.
IT departments often are left to manage these complex device challenges with few resources, said Langer. “Security patching is hard because of the diversity of devices, and it’s a whole process – not just technology – that systems need to go through to ensure that vulnerabilities are remediated.” Security patches are hard to come by because device manufacturers often contend that issuing a patch obliges them to re-validate that the new software doesn’t compromise the device or patient safety. Greene said that position is often an excuse used by device manufacturers, and more needs to be done to ensure timely release of security-related patches for devices.
Large providers need to band together to talk to vendors about getting needed security patches faster, Langer noted. “Several of our customers have worked together in a collaborative approach with vendors to get better outcomes – that changes the dynamic. Some forward-leading manufacturers understand that the dynamic has changed.”
The key nowadays is to have a strong security foundation, Greene concluded. “We’re trying to build cybersecurity at the foundation, so it’s constantly at the forefront of our minds; it’s built into each one of those steps, so that onboarding is really a risk review. If data is being sent outside the organization, let’s get the data governance office involved. And we also have a risk management strategy that is uncovering risks associated with connected devices.”
An archive of the webinar, Leveraging Risk Management as a Cornerstone of Your Connected Assets Security Strategy (sponsored by Medigate), is available online.