When it comes to network-connected devices, the old adage, ‘what you don’t know, can’t hurt you’ doesn’t apply. In fact, it couldn’t be further from the truth. And yet, for many healthcare organizations, the reality is that blind spots are everywhere.
According to Tamer Baker, VP of Global Healthcare with Forescout Technologies, most health systems vastly underestimate the number of devices that find their way onto the network. “It’s not a small gap between what they think they have versus what we’ve discovered,” he noted during a webinar. “It’s significant.”
University of Tennessee Medical Center was one of those organizations, admitted CISO John Jeffries. “It was eye-opening. We don’t know which devices are on there,” which means they didn’t know whether PHI was being shared. “With a large organization, it’s really hard to keep your finger on the pulse all the time.”
Recently, Baker and Jeffries discussed strategies for securing network-connected devices, along with Steve Dunkle, CISO at Geisinger Health System. It’s a task that is becoming increasingly difficult given the proliferation of digital tools in healthcare.
“There are some amazing things being done with these devices,” said Dunkle. “I’m awestruck by the capabilities they offer for providers and patients.” The problem, of course, is they can be connected in a multitude of different ways, which “opens the door from a security perspective.”
Discovery, however, is only part of the remediation process. IT and security leaders not only need to know which devices are connected to the network, and how they are connected; that information also needs to be actionable and continuous, stated Baker.
That’s where organizations like Forescout can play a role, by offering numerous methods to track activity. “Discovery alone isn’t enough,” said Baker. Neither is simply adding another widget or dashboard. “It has to be actionable. And even more importantly, it has to be automated,” particularly in environments with multiple vendor solutions. It also has to be continuous, “because if you’re doing snapshots, the moment that snapshot is done, the network has already changed.”
It may seem like a daunting task, but it can be done if the appropriate steps are taken, according to the panelists, who shared the following best practices.
Key steps for securing connected devices
- Ask the right question. Dunkle, who has been in the security game for several decades, said a critical first step is to ask whether certain devices need to be connected to the network. “There are cases where they actually do not,” especially in healthcare. From there, he advised looking at physical security by locking down USB ports.
- Watch the traffic. One of Forescout’s primary objectives, stated Baker, is to ensure users can see which devices are communicating with each other, and in what ways. “We show you the traffic flows and give you the ability to write segmentation rules and simulate them,” he said. “As new devices join, you can turn on the controls within the same platform, do segmentation, and continuously monitor.” Most importantly, it’s done in a way that doesn’t interfere with patient care or disrupt the business.
- Leverage lists. “There are a lot of devices that connect to our network,” said Jeffries, whose team regularly leverages FDA tools to ensure devices are safe, and partners with departments such as biomed, clinical and operations, to make sure they’re up to date. “It’s a full-time job trying to get your head wrapped around all these devices and keep them patched.”
- Patching isn’t always the answer. In some cases, devices are simply too old to receive a patch; in other cases, organizations are in limbo waiting for vendors to deliver. “It’s the nature of the business,” said Baker. The answer? “This is where you put bubble wrap around these things, and put them in a segment where they can’t be exploited.”
- Look beyond IoMT. A common error IT and security leaders make is to zero in on IoMT devices, said Baker. The reality is that attacks and threats can come from numerous locations. “If I’m laser-focused on IoMT devices, what happens is that by the time the attack reaches us, it’s too late.”
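The steps above amount to a loop: discover continuously (compare each new snapshot against the last, rather than trusting a one-off scan), decide where each device belongs, and simulate segmentation rules against observed traffic before turning enforcement on. The script below is an added illustration of that loop in plain Python; it is not Forescout's code or any product's API. The device records, the segment names (corp, clinical, legacy-isolated, quarantine), the rule table and the observed flows are all constructed sample data.

```python
"""Continuous inventory diff plus segmentation-rule simulation.

Added example, not vendor code. Every MAC, IP, segment name, rule and
flow below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    kind: str        # constructed categories: "iomt", "workstation", "printer", "unknown"
    patchable: bool  # False for devices that can no longer receive vendor patches


# Constructed discovery snapshots: yesterday (T0) and today (T1).
SNAPSHOT_T0 = [
    Device("00:11:22:33:44:01", "10.10.1.10", "iomt", False),        # pump, end of support
    Device("00:11:22:33:44:02", "10.10.1.11", "workstation", True),
    Device("00:11:22:33:44:03", "10.10.1.12", "printer", True),
    Device("00:11:22:33:44:06", "10.10.1.15", "workstation", True),  # gone by T1
]
SNAPSHOT_T1 = [
    Device("00:11:22:33:44:01", "10.10.1.10", "iomt", False),
    Device("00:11:22:33:44:02", "10.10.1.11", "workstation", True),
    Device("00:11:22:33:44:03", "10.10.1.12", "printer", True),
    Device("00:11:22:33:44:04", "10.10.1.13", "unknown", True),      # newly appeared
    Device("00:11:22:33:44:05", "10.10.1.14", "iomt", True),         # newly appeared
]


def diff_inventory(previous, current):
    """Return (added, removed) MAC sets between two consecutive snapshots.

    Running this on every discovery pass is what turns a snapshot into a
    continuous inventory: anything in `added` needs a segment decision now.
    """
    prev_macs = {d.mac for d in previous}
    curr_macs = {d.mac for d in current}
    return curr_macs - prev_macs, prev_macs - curr_macs


def assign_segment(device):
    """Constructed policy: unknown devices are quarantined, unpatchable
    devices go into an isolated segment (the 'bubble wrap'), patchable
    IoMT devices into a clinical segment, everything else into corp."""
    if device.kind == "unknown":
        return "quarantine"
    if not device.patchable:
        return "legacy-isolated"
    if device.kind == "iomt":
        return "clinical"
    return "corp"


# Constructed allow-list: (src_segment, dst_segment, dst_port) -> allowed.
# Any flow not listed here is denied by default.
RULES = {
    ("corp", "corp", 9100): True,                 # workstations may print
    ("corp", "clinical", 443): True,              # corp may reach clinical web UIs
    ("legacy-isolated", "clinical", 443): True,   # legacy devices report to clinical gateway only
}


def simulate_flow(rules, src_segment, dst_segment, dst_port):
    """True if the rule table would permit this flow."""
    return rules.get((src_segment, dst_segment, dst_port), False)


def evaluate_flows(devices, flows, rules):
    """Check observed flows (src_mac, dst_mac, dst_port) against the rules.

    Returns the flows enforcement would block, each annotated with the
    source and destination segments, so they can be reviewed before the
    rules are switched from simulation to enforcement. A MAC that is not
    in the current inventory is treated as quarantined.
    """
    segment_of = {d.mac: assign_segment(d) for d in devices}
    blocked = []
    for src, dst, port in flows:
        src_seg = segment_of.get(src, "quarantine")
        dst_seg = segment_of.get(dst, "quarantine")
        if not simulate_flow(rules, src_seg, dst_seg, port):
            blocked.append((src, dst, port, src_seg, dst_seg))
    return blocked


# Constructed flows observed on the network today.
OBSERVED_FLOWS = [
    ("00:11:22:33:44:02", "00:11:22:33:44:03", 9100),  # workstation -> printer: allowed
    ("00:11:22:33:44:01", "00:11:22:33:44:05", 443),   # legacy pump -> clinical device: allowed
    ("00:11:22:33:44:02", "00:11:22:33:44:01", 445),   # workstation SMB -> legacy pump: blocked
    ("00:11:22:33:44:04", "00:11:22:33:44:02", 445),   # unknown device SMB -> workstation: blocked
]


def run_cycle():
    """One discovery-and-simulate pass; returns everything an operator reviews."""
    added, removed = diff_inventory(SNAPSHOT_T0, SNAPSHOT_T1)
    return {
        "added": sorted(added),
        "removed": sorted(removed),
        "would_block": evaluate_flows(SNAPSHOT_T1, OBSERVED_FLOWS, RULES),
    }


if __name__ == "__main__":
    for key, value in run_cycle().items():
        print(key, value)
```

The rule table is deliberately an allow-list with a default deny, so a flow from the quarantined unknown device or an SMB connection toward the isolated pump shows up in `would_block` rather than silently passing; reviewing that list on each cycle, before enforcement, is the "simulate, then turn on the controls" sequence the panel described.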
Dunkle agreed, noting that although there are “solid threat detection tools specific to IoMT,” it’s critical to employ a more holistic strategy. “We’re taking an enterprise approach with threat detection,” he said, which enables them to detect lateral movement.
Without support from executive leadership and the board, however, none of this is possible, said Jeffries. At UT Medical Center, his team has found that providing real-life examples of breaches can help secure the funding needed to properly vet new solutions. That way, “they understand the reason behind it.”
Although it took some time to build buy-in, security reviews have become part of the workflow, which has made a tremendous difference. “It has helped change our culture,” he said. “We don’t get as much resistance now as we used to.” That, coupled with regular communication (through weekly emails) and collaboration among departments, has helped build solid relationships.
With that support, however, comes added pressure to keep data safe, noted Dunkle. “In some ways, it has raised the stress level a bit. We still have to move fast to facilitate innovative efforts. It’s our job to figure out how to do this.”
Finally, it can’t be overstated that the objective behind any security initiative is to ensure patient safety. “We often carry the torch that this isn’t about just an information breach or a potential delay of a service,” Dunkle said. “This is a patient safety concern. We have to be looking at these technologies, and doing it continuously.”
An archive of this webinar, Securing the Network-Connected Devices Fueling Your Digital Transformation (sponsored by Forescout), is available.