Published March 2023
Healthcare delivery organizations (HDOs) have a mission to provide the highest level of care and best possible medical outcomes for their patients. A growing, sophisticated array of connected medical devices, sometimes referred to as the Internet of Medical Things (IoMT), is used in pursuit of that mission. The typical hospital operates between 10 and 15 IoMT devices per bed, and it’s not uncommon for larger, multi-campus organizations to have many thousands of IoMT devices in service.
HDOs rely heavily on these devices, but they create unique challenges for the clinical engineering and IT professionals tasked with monitoring and securing them. Most IoMT devices are not fixtures; they go where needed to support medical staff. A respirator used to provide care for a patient yesterday may be taken offline today, moved to another room, and put back in service tomorrow. Devices can also remain in service for many years, so a piece of equipment built on the now obsolete Windows 7 operating system, for example, is today unsupported, unpatched, and vulnerable to cyberthreats. Recent studies have shown that as many as 75% of all medical devices in service today contain at least one security vulnerability, while half have two or more.
Unexpected and Stranger Things
Adding to the challenges is the fact that IoMT represents only a portion of the connected devices operating across an HDO’s network. Environmental and building controls, security monitoring and access control systems, communications equipment, and other devices comprising the Internet of Things (IoT) and operational technology (OT) connect and contribute to the delivery of patient care. Unexpected devices like Peloton exercise bicycles, vending machines, smart assistant speakers, and even Tesla automobiles (and other, stranger things) also find their way onto the network. All these devices have the potential to introduce risk into an environment and add to the headaches CIOs must deal with when managing and protecting the IT estate.
Because it’s common for HDOs to expect their IT organizations to wear multiple hats—operations management, cybersecurity, support desk—the challenge becomes one of prioritization. Most IT resources are dedicated to “keeping the lights on,” while other challenges are addressed case-by-case. Security is often not a primary focus unless there’s an incident, but like trying to plug holes in a leaky dike, soon you run out of fingers.
The added layer of management and security complexity introduced by IoMT and other connected devices can be daunting, but doing nothing is not an option, especially when you consider that connected devices were found to be the attack vector in 21% of ransomware attacks against HDOs, and that 88% of all cyberattacks targeting HDOs involve an IoMT device. Those troubling numbers demand urgent attention, yet a belief that an HDO must go from zero to Zero Trust in one move is unrealistic and can result in inaction.
The solution is to establish a security “maturity” model as a framework that encompasses IoMT and other connected devices across the whole hospital, focusing on continuous, incremental improvement. The maturity model helps organizations understand their current security posture, and charts a course for where it needs to be. This healthcare security maturity model is based on five principles:
- Asset Visibility: This includes creating a complete, accurate, and up-to-date asset inventory by automating discovery, classification, and gathering details for all known, unknown, and new devices.
- Vulnerability and Risk: This encompasses creating a risk-based view of devices by combining vulnerability insights, establishing device behavior baselines, reviewing external threat intelligence inputs, and overlaying organizational factors to gain a comprehensive view of risk and security prioritization.
- Reactive Security: This uses the connected device insights and the risk-based view from the previous stage to focus on key risks, gain operational efficiency, and improve efficacy in identifying, prioritizing, and remediating threats.
- Proactive Security: Now teams can start to react to new threats faster and with reduced human intervention and improve the security posture with proactive measures such as Zero Trust segmentation to reduce the attack surface ahead of threats.
- Optimized Security: Finally, teams build on the foundation they have created to expand and optimize their security methods with automation, optimized workflows, and integrations, aligning and scaling with organizational demands.
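As an added illustration of the model's first three stages (this is not code from the article or from Ordr's product), the following Python example scores a small, constructed device inventory by combining the inputs named above (vulnerability severity, a behavior baseline, a threat-intelligence match, and clinical impact as the organizational factor) and maps each device to a reactive or proactive action. The weights, the end-of-life OS list, the indicator address, and the device records are all assumptions made for the example.

```python
# Added example: risk-based prioritisation of a constructed IoMT inventory.
# Weights, the EOL list and the indicator below are assumptions, not product logic.
from dataclasses import dataclass, field

EOL_OS = {"Windows 7", "Windows XP"}   # assumption: operating systems treated as end-of-life
THREAT_INTEL = {"203.0.113.9"}         # constructed indicator (documentation address range)

@dataclass
class Device:
    name: str
    os: str
    max_cvss: float          # worst known vulnerability on the device, CVSS 0-10
    clinical_impact: int     # organisational factor: 1 (low) .. 5 (patient-critical)
    patchable: bool          # False when the vendor image cannot be updated
    baseline_peers: set = field(default_factory=set)   # destinations seen while baselining
    observed_peers: set = field(default_factory=set)   # destinations seen in the last 24h

def risk_score(d: Device) -> float:
    """Weighted 0-100 score; higher means handle sooner."""
    score = d.max_cvss * 5                     # up to 50 points from vulnerability insight
    if d.os in EOL_OS:
        score += 15                            # unsupported OS: the vulnerability never closes
    new_peers = d.observed_peers - d.baseline_peers
    if new_peers:
        score += 10                            # behaviour drifted from the learned baseline
    if new_peers & THREAT_INTEL:
        score += 15                            # new peer matches external threat intelligence
    score += d.clinical_impact * 2             # up to 10 points from patient-care impact
    return min(score, 100.0)

def recommend(d: Device) -> str:
    """Action: isolate on an intel hit, segment what cannot be patched, patch the rest."""
    if (d.observed_peers - d.baseline_peers) & THREAT_INTEL:
        return "isolate-and-investigate"
    if d.os in EOL_OS or not d.patchable:
        return "segment"                       # keeps the device in service, shrinks exposure
    return "patch" if d.max_cvss >= 7.0 else "monitor"

def prioritise(devices):
    return sorted(devices, key=risk_score, reverse=True)

# Constructed inventory: an unpatchable Windows 7 pump, a vending machine, an MRI console.
INVENTORY = [
    Device("infusion-pump-12", "Windows 7", 9.8, 5, False, {"10.0.5.2"}, {"10.0.5.2"}),
    Device("lobby-vending-1", "Linux", 5.3, 1, True, {"10.0.9.1"}, {"10.0.9.1", "203.0.113.9"}),
    Device("mri-console-2", "Windows 10", 7.5, 5, True, {"10.0.5.2"}, {"10.0.5.2"}),
]

if __name__ == "__main__":
    for d in prioritise(INVENTORY):
        print(f"{d.name:18} {risk_score(d):5.1f} {recommend(d)}")
```

The Windows 7 pump ranks first and is routed to segmentation rather than replacement, which is the outcome the case study later in the article describes.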
Step Forward with a Clear Plan
The idea is to achieve security optimization over time, recognizing that the IT estate and threat landscape are dynamic environments, and that there is no finish line after which the CIO and CISO can finally take a breath. But with a clear plan and the right tools, including those that leverage security process automation, it becomes easier once you take the first step forward. The good news is that this maturity model has been proven in HDO environments of every size and description.
In one instance, a well-known HDO recognized the limitations of manual efforts to locate, identify, and profile each connected device in its environment, ultimately realizing that the task was not only inefficient but impossible. Staff located devices the organization didn’t know it owned and discovered many other devices were missing, moving and, in the end, too numerous to keep track of. Furthermore, as they found devices they realized many were running Windows 7 and vulnerable to attack, but couldn’t be taken out of service. The organization invested in a connected device security solution to automatically discover and profile all of its devices – including those running Windows 7 and others that were lost, forgotten, or previously unaccounted for. They established a risk-based view of devices and used the security tool to create policy to reduce risk and keep the vulnerable devices in service, ultimately avoiding the cost and complexity of upgrades and replacement.
In the end, the HDO was better protected and on a path to Zero Trust for an improved overall security posture. Furthermore, by extending the life of older equipment without undue security risk, and by maintaining a complete and accurate inventory of devices and their use, it was able to save money by maximizing existing assets, thus avoiding unnecessary expenditures.
About the Author
Chris Westphal is Cybersecurity Evangelist and Head of Product Marketing at connected device security solutions provider Ordr, where he helps drive awareness for connected device security and the value of the Ordr solution. Chris is co-author of “A Practical Guide: Implementing Connected Device Security for Healthcare Organizations,” a strategic roadmap for securing connected devices in healthcare environments. Chris brings over two decades of experience to his role with Ordr, including a background in cybersecurity, cloud, and data center technologies. Most recently, Chris was head of product marketing at Salt Security, the leader in API protection, and has held product marketing leadership roles at companies including VMware, Illumio, and Adallom (acquired by Microsoft).