Published October 2019
Wes Wright, CTO, Imprivata
Healthcare’s rapid shift to a completely digitized environment has introduced robust tools like smart medical devices to the hospital ecosystem and bedside workflows. This Internet of Medical Things (IoMT) will help extend and streamline care throughout the hospital and make clinicians more efficient and mobile with patient care. Unfortunately, this new technology also opens the door to increased risk and new potential points of exposure for healthcare IT infrastructures. The number of IoT devices could reach 20.4 billion by 2020, forcing healthcare IT executives to find new methods for securing our applications, data, and devices.
Due to this proliferation of IoMT and the use of cloud-based apps, I’ve taken to saying that, “Identity is the New Perimeter.” This means we have to know that the identities accessing our applications, data and, in this case, medical devices, are who we think they are. And that can only be done using a built-for-healthcare Identity and Access Management (IAM) system. Without this, you just can’t protect what you need to protect.
However, even with a great IAM system in place, no one tool will help us manage this new challenge – it’s a puzzle, and completing it requires us to find the right pieces. That puzzle will differ at each healthcare provider location, but each puzzle should cover at least these four areas:
1. First, you have to discover the devices. After you find the devices connected to your network, you will of course want to manage them. Many new discovery products have been introduced to the market over the last year. Most of them let you group devices based on their traffic; more sophisticated ones build the groups for you automatically, and the most advanced will also enforce the groupings automatically.
2. Once you find the devices, lock down as many as you can with strong authentication. Far too often — in an attempt to reduce the burden of manual authentication and to focus more time at the bedside — clinicians find less-than-secure ways to access the tools they need for patient care, ultimately opening the organization to even more risk. A two-factor medical device access solution combines security and convenience by enabling fast, secure authentication across enterprise workflows while creating an auditable chain of trust wherever, whenever, and however users interact with patient records and other sensitive data.
3. Ultimately, there will be some devices you can’t lock down or some that you’ll want to lock down harder than others. Use host-based IP tools to “disappear” these devices. Sounds ominous, I know, but in this case it’s good. Put a HIP switch (another cool name) in your IT closet, then plug the device into a mini HIP switch, which then plugs into the RJ45 jack on your wall, and you just “disappeared” that piece of medical equipment. The only people who can find it are people you tell about it. Obviously, since this piece of the puzzle has a hardware component, it has the highest “cost” (physical and monetary). Otherwise it could just be done for the entire enterprise.
4. A final piece of the puzzle — the piece you’d normally find on the floor under the couch — is to deal with how medical devices talk. The majority of medical devices talk to only one server. Most infusion pumps talk to a single infusion pump server in the data center; that server talks back to them and will generally also talk to the medical record system installed in the facility. This is how the sophisticated discovery tools mentioned above can build the groups automatically: they listen for these traffic patterns and tell you how to organize your groups based on those patterns. You can see the medical equipment talking to that single server, but so can the “bad guy” (if you didn’t “disappear” them, of course). If you’re the bad guy and you see everything talking to a single point, that’s the point you’re going to attack (that is, if you’re a bad guy worth anything). That’s why you want to “scramble” the code. So, even if they know what to attack, the vulnerable parts of the code they’d normally attack aren’t where they expect them to be.
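The grouping described in pieces 1 and 4 (each device talks to one server, so a discovery tool can cluster devices by the peer they talk to, flag the ones that don't fit, and turn the clusters into enforceable groups) is easy to illustrate. The following is an added example written for this page, not Imprivata's product code or anything the author describes in detail; the flow records, IP addresses, ports and function names are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection summary: device -> server:port."""
    src: str
    dst: str
    dport: int
    bytes_sent: int


# Constructed sample flows (hypothetical addresses): three infusion pumps
# talking to one pump server, two monitors talking to one monitoring gateway,
# and one pump that also reaches an unexpected second host.
SAMPLE_FLOWS = [
    Flow("10.20.1.11", "10.0.5.10", 443, 8200),    # pump -> pump server
    Flow("10.20.1.12", "10.0.5.10", 443, 7900),
    Flow("10.20.1.13", "10.0.5.10", 443, 8050),
    Flow("10.20.1.13", "10.0.5.10", 443, 1200),    # repeat flow, same peer
    Flow("10.20.2.21", "10.0.6.20", 8443, 15000),  # monitor -> gateway
    Flow("10.20.2.22", "10.0.6.20", 8443, 14800),
    Flow("10.20.1.12", "10.0.9.99", 445, 300),     # pump reaching a second host
]


def peer_profile(flows):
    """Map each device to the set of (server, port) peers it talked to."""
    profile = defaultdict(set)
    for f in flows:
        profile[f.src].add((f.dst, f.dport))
    return profile


def build_groups(flows):
    """Group devices by the single server/port they consistently talk to.

    Returns (groups, outliers). groups maps a (server, port) peer to the
    sorted list of devices that talk only to it. outliers maps a device to
    its sorted peer list when it talks to more than one peer, because such a
    device cannot be placed in exactly one group and deserves a closer look.
    """
    profile = peer_profile(flows)
    groups = defaultdict(list)
    outliers = {}
    for device, peers in profile.items():
        if len(peers) == 1:
            groups[next(iter(peers))].append(device)
        else:
            outliers[device] = sorted(peers)
    return {peer: sorted(devs) for peer, devs in groups.items()}, outliers


def single_points(groups, min_members=2):
    """Servers that many devices depend on: the defender's view of the same
    chokepoint the text warns an attacker would pick out of the traffic."""
    return sorted(peer for peer, devs in groups.items() if len(devs) >= min_members)


def allowlist_rules(groups):
    """Turn each group into an allow rule a segmentation tool could enforce:
    only the group's devices may reach the group's server and port."""
    return [{"sources": devs, "destination": dst, "port": port}
            for (dst, port), devs in sorted(groups.items())]


if __name__ == "__main__":
    groups, outliers = build_groups(SAMPLE_FLOWS)
    for peer, devices in groups.items():
        print(f"group {peer[0]}:{peer[1]} -> {devices}")
    for device, peers in outliers.items():
        print(f"review {device}: talks to {peers}")
    print("single points of dependency:", single_points(groups))
    for rule in allowlist_rules(groups):
        print("allow", rule)
```

With the constructed input, the two well-behaved clusters come out as groups, the pump that also reached a second host is reported for review rather than silently placed in a group, and each group becomes one allow rule. Real discovery tools work from far richer telemetry, but the principle is the same: the server every device in a group depends on is visible to anyone who can watch the traffic, which is the point the text makes before turning to "disappearing" and "scrambling".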
Now you’ve completed the IoMT puzzle. Your IAM system forms the border/edge pieces of your puzzle, with the pieces in the middle being:
- Find the devices
- Group and manage the devices
- Lock down the devices you can
- Disappear your important, or super vulnerable, devices
- Scramble the code on the servers that talk to your devices
For the sake of your staff, patients, and their families, HIT executives need to get this puzzle solved.