There’s no doubt that digital tools are transforming healthcare and opening new doors in terms of how consumers choose to receive care and communicate with providers. Those doors, however, are letting countless devices onto the network, which is putting a great deal of pressure on IT and security leaders.
“It’s definitely a challenge,” said Chris Frenz, CISO & AVP of IT Security, Mount Sinai South Nassau. Solving it requires leaders to take on a very unpopular task: inventory. “In order to protect your network, you first need to know what’s on it,” he noted during a discussion with co-panelists Renee Broadbent (CIO, Southern New England Health) and Mohammad Waqas (Principal Solutions Architect, Global Healthcare, Armis).
And “it can’t just be a snapshot in time,” said Waqas – on the contrary. Health systems, particularly those who are far along on their digital journeys, need a complete, accurate, and up-to-date inventory of assets, the panelists noted. It also needs to be part of a structured security program that leverages tools and solid governance to adopt a proactive approach to device security.
One of the reasons why maintaining a proper inventory is so critical, according to Broadbent, is the sheer number of devices that can attach to the network. And it’s just not bedside devices; the list has grown to include wearables, cell phones, laptops, and countless others. “Trying to get a handle on which devices are on there is something we’ve struggled with,” she said.
Frenz agreed, noting that it’s critical not to overlook HVAC controls and pressure and humidity sensors, especially in operating rooms. “If the humidity gets too high or low, it can increase the rate of infection, which can have a huge impact on patient care.”
To Waqas, who spent several years on the provider side, it’s encouraging to know that connected care security has become part of the cybersecurity strategy for healthcare organizations. “We’re seeing that the scope is expanding. It no longer stops at the client-server; it’s also the peripherals that are connected,” he said, adding that a patient can interact with 8 to 10 different devices before touching a single medical device.
And it’s not just what’s on the network, but what it’s doing there. “It comes down to the context of how devices are being used,” said Waqas, citing the example of leveraging iPads to view ultrasounds. “This is not simply an iPad on the network; it’s an iPad being used in the context of clinical care.” Therefore, it should be on the biomed network rather than the BYOD network.
“The blind spot is growing”
However, as difficult as it is to protect devices that are being used in an atypical workflow, what’s even more burdensome is protecting devices that have been added without IT’s knowledge, he noted. Whereas in the past, purchasing happened through the IT department, now they’re coming in from all different sources. In fact, sometimes teams aren’t notified about new devices until requests come in to connect them to the WiFi network. “The blind spot is continuously growing,” he said.
Without proper visibility, safeguarding data simply isn’t possible. That’s where having the right tools and culture come into play.
Armis is focused on the former by providing real-time protection that enables users to secure all assets within the environment. “From a technical perspective, you need a tool that can do real-time discovery,” he noted. When a device is added to the network, it’s automatically assigned an IP and can easily be identified. It’s a strategy that he believes is conducive to healthcare, particularly “given the sensitivity and criticality of different types of devices in the ecosystem.”
It can also help security teams shift from a reactive to a proactive state, which is proving to be a difficult dance. Oftentimes, security teams are pulled into the conversation about a go-live having had little or no involvement in implementing new technologies. “If we don’t know about it, that means we haven’t done an appropriate risk assessment,” Waqas said. “And that creates delays in innovating patient care.”
On the other hand, if security teams are alerted by the software tools they use too often, it can result in fatigue, he noted, adding that it’s important to set parameters based on user needs. For example, what events warrant an alert? Are there different zones, boundaries, or network segments that need particular attention when devices are added? Some teams might want to be notified if a device enters the network that has been deemed high-risk based on traffic patterns. “You want to become aware of what users care about and what actions can be taken,” said Waqas.
This is where having a risk classification strategy comes into play, according to Broadbent. “Having solid policies and procedures for what can connect to the network and how that gets communicated can go a long way.” At SONE, her team has developed dashboards to categorize and prioritize risks, which has served them well. “We can’t respond to every single alert that comes through,” she added. “We need to stratify that and make sure we have protocols in place.”
Frenz concurred, noting that it’s important to “take the time to tune alerts and figure out what’s critical to your organization,” he said. “A lot of it can be reduced to automating some of the processes.” One example is to create profiles that enable the system to immediately recognize a device and apply the appropriate policies, which can reduce a lot of noise.
His team has found that “the more we begin to lock the network down, the less we’re triaging, the fewer incidents we’re having, and the fewer fires we’re putting out,” said Frenz, which creates a positive feedback loop. “Once you start getting the alerts down, your security staff can lock things down ever better, which further reduces alerts.”
“A culture of security”
For any of this to be effective, however, it’s critical to have a “culture of security awareness,” said Broadbent. “It has to be infused into your culture so that people aren’t afraid to talk about security,” or to even approach IT and security leaders with concerns. By keeping the lines of communication — and their office doors — open, Southern New England has established a solid framework. “People don’t have to sneak around,” she said. “We’ve removed the barriers.”
To view the archive of this webinar — Taking a Holistic Approach to Your Connected Devices Security Program (Sponsored by Armis) — please click here.