When it comes to securing third-party managed devices, the old adage that ‘knowledge is power’ holds true — but as cybersecurity leaders are learning, it’s only part of the story.
“You have to know what’s going on in your environment and you have to take a proactive approach,” said Brian Bradley, Healthcare Services Technical Manager at Optiv, in a recent panel discussion. Whereas in the past organizations could “get away with putting things off to the side and segmenting them,” the expectations have changed. Although awareness around the costs of cybersecurity breaches has increased, so has the number of managed devices that are connected to the network, which places enormous pressure on IT and security teams to protect data.
During the webinar, Bradley and co-panelists Clayton Phillips (CIO, West Tennessee Healthcare) and Tom Finn (Director of Market Development, Medigate by Claroty) discussed the steps they’re taking to secure the enterprise, and the challenges they’ve had to overcome.
Start with segmentation
One thing that’s certain? Medical devices — particularly those that are unmanaged — are the most exploitable points of entry. The first step in securing them, according to Phillips, is in “knowing and understanding exactly what’s on the network.”
Oftentimes, however, these devices fall under biotech rather than IT, which makes it nearly impossible to stay on top of vulnerabilities. By engaging with Optiv and Medigate, West Tennessee was able to gain visibility into the network. And although taking that step is critical, it can actually lull teams into a false sense of confidence, Phillips noted. “Once vulnerabilities are determined, you have to do something about it. If you’re not going to use the information and put a plan into action to mitigate them, it defeats the purpose.”
Like many “lean shops,” West Tennessee was dealing with an outdated infrastructure that provided no visibility into what’s connected at the end of the network ports, and probing or scanning devices isn’t an option because of their delicacy. “They need to be discovered passively and they need to be managed in a completely different way,” said Finn. That was achieved using Optiv’s solutions and Medigate’s tool.
“Get to work”
“Once you get a handle around your inventory of connected assets, the first thing that happens is threat intel is processed and correlated to devices that have existing vulnerabilities,” Finn said. Mitigation plans are immediately activated, which in many cases results in rapid improvements to the overall security posture. “When you get to work quickly to mitigate vulnerabilities, you’re able to establish the momentum and show wins that, when reported effectively, have a tendency to keep the funding coming.”
However, while the wins may be quick, segmentation is a laborious process, according to Bradley, particularly for large and complex organizations, or those using older equipment. “It’s a monumental task. But by getting unmanaged devices segmented, you’re able to contain them in the event of a breach,” he noted. “It’s something every organization should be thinking about, because it plays a role in just about every aspect of security.”
Of course, as with any initiative, it must be approached thoughtfully, noted the panelists, who shared best practices for securing medical devices using segmentation.
- Build it into the process. Because it’s in the process of ripping and replacing the network infrastructure (which came about when a risk assessment found “areas of concern” stemming from older equipment), West Tennessee was able to build segmentation into the design. For network and security folks, it’s an ideal situation, said Phillips. “They’re like kids in a candy store. They want to do this right.”
- Minimize lag time. When vulnerabilities are detected, leaders need to ensure that as little time as possible elapses between discovery and mitigation, said Phillips. Failure to do so can be considered negligence, he learned after a conversation with the chief legal officer. “That’s why I’ve pushed the team quite a bit to begin annotating and mitigating the risk right away.” Finn agreed, noting that “as long as you’re taking steps to secure assets that are connected and showing progress, that’s what the regulatory bodies want to see.”
- Cover your behind. Part of doing a thorough risk assessment, according to Bradley, is developing a corrective action plan that can be enacted quickly. This way, “if OCR shows up, you can tell them, ‘We already know about that and here’s what we’re doing about it,’” Finn said.
- Vet vendors thoroughly. In the past, organizations often failed to do enough to properly vet vendors, said Phillips, who encourages his team to ask tough questions — such as, ‘how are you protecting our environment and the data we share with you’ — and demand answers. His team is working with the project management office to develop a better understanding of the safeguards in place. “Our goal is to check on their processes to make sure they’re doing what needs to be done and hold them accountable for the protection of our data.” Doing so, said Bradley, is extremely important, particularly given the dynamic healthcare landscape. In his own experience, he has run into situations where the vendors have changed the location or ownership structure of their data centers and failed to notify customers. “Vendor vetting can’t be a one-time thing,” he said. “It has to be comprehensive, and it has to continue throughout the life of the contract.”
- Make it automatic. Having to check up on solutions providers, however, isn’t always possible, especially for organizations that are short on staff (or resources). This is where automation can play a key role. “You need a tool that automatically sends out questionnaires or assessments to the vendors and tracks how they’re doing,” Bradley said. “You need to know where the issues are, and you have to make sure there’s a strong relationship between the IT department and procurement so that if the assessment comes back with issues, you can make sure they’re being handled by IT.”
- Be strategic. As in any situation, simply purchasing and implementing security solutions isn’t enough. And in fact, if organizations are collecting data but fail to act on it, the security risk can actually increase, said Bradley, “because now they can prove that you knew about these vulnerabilities, but didn’t do anything about them.” Any purchasing decision, he noted, needs to be approached “from a strategic standpoint.”
It also needs to be viewed through a risk-based lens, Bradley said. “You need to look at what are your company goals? What tools support those goals? What are the risks? That’s the key — getting that message to the board so that they continue to provide funding.”
Changes on the horizon
Another critical measure leaders need to take? Keeping a close eye on the marketplace, which Finn believes “is going to be completely disrupted over the next few years” from a solution provider perspective. “We’re within 24 months of seeing new segmentation products with technologies that integrate visibility that’s not limited to device identities,” he said, noting that it’s part of a larger evolution of segmentation from a “never-ending science project to something that can be accomplished.”
For that to become possible, it’s important to remain focused on the basics, according to Bradley. “A good security program starts with documentation; getting standard processes in place and getting them documented,” he added. “What kills you is when you don’t know. You have to have the right tools so you can see what’s in your environment and address it. If you don’t have the right processes and the right visibility into your network, you can’t protect it.”
This article is based on the webinar Best Practices for Securing Third-Party Managed Devices (Sponsored by Optiv and Medigate by Claroty).