Securing Medical Devices — A Practitioner’s View

Healthcare Industry Insider Advice on Medical Device Security

Thirty IT, security, biomedical, and advisory executives participated in a practitioners' discussion on medical device security that covered a range of pertinent insights and observations. In terms of the implementation journey, most organizations felt much ground still needs to be covered, starting with obtaining accurate inventory information, improving organizational alignment, and implementing more effective ways to compensate for device vulnerabilities. The event was at HIMSS 2018 and sponsored by CloudPost Networks, the Huntzinger Management Group, and Meditology Services, with Bill Reed moderating the panel and audience discussion.

Does your senior management take security seriously?

For this self-selected audience the answer was uniformly yes, including the board. But many face alignment issues between departments (IT, biomed/health services, security, risk and audit, legal) due to conflicting views on objectives, priorities, and roles. It was pointed out that unifying the organization is necessary for true change.

Where does biomedical engineering report?

Most see it moving into IT, some into facilities or under a chief nursing officer. Regardless of the reporting structure, implanting digital and security expertise in the group is a best practice many strongly recommend.

How secure is your institution?

Many felt they'd rate themselves at 8 out of 10; however, not all were so optimistic.

Do you know what medical devices are on your network?

No. Even the estimates on raw numbers are way off – one provider mentioned initial numbers were wrong by 800%. Getting an accurate count and detailed inventory of medical and other IoT devices was acknowledged as an early step on the journey to secure medical devices. CloudPost was called out as an excellent solution to solve this problem.

What is your medical device security strategy?

The slogan Perimeter Plus One received the most head nods, as it offered both a pragmatic point of view and an effective rallying cry for an organization to pursue. A long dialog then followed lamenting that segmentation is difficult and isn't the end of the journey.

Why is implementing network segmentation difficult?

One CIO summed it up for the group: automation is needed to segment at scale, to feasibly inventory devices and analyze where they are as well as what they are doing. That information is required to define proper policies and audit the results. Everyone agreed traditional tools are clearly not capable of accomplishing the task, and many in the room gave positive shout-outs to CloudPost as a game changer.
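The three steps the CIO describes (inventory what is on the network, work out what each device talks to, then define and audit a per-device policy) are easier to picture with a small worked example. The script below is an added illustration, not code from the panel, CloudPost, or any other vendor named on this page; every address, device name, port and flow record in it is constructed, and the "clinical subnet" is an assumed allocation. It also answers the inventory question raised earlier: sources seen in traffic but absent from the asset register are reported as inventory gaps.

```python
"""Added example (not from the panel or any vendor named on the page).

On constructed data: inventory devices seen on the network, reconcile them
against an asset register, derive a per-device allow-list (microsegmentation)
policy from baseline traffic, and audit later traffic against that policy.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed asset register, as a biomed or CMDB export might look.
INVENTORY = {
    "10.20.1.10": {"name": "infusion-pump-07", "type": "infusion pump"},
    "10.20.1.11": {"name": "infusion-pump-08", "type": "infusion pump"},
    "10.20.2.5":  {"name": "pump-server-01",   "type": "pump management server"},
    "10.20.3.40": {"name": "nurse-station-3w", "type": "nursing workstation"},
}

# Assumed subnet reserved for clinical devices; anything else is "outside".
CLINICAL_NET = ip_network("10.20.0.0/16")

# Constructed baseline flows observed during a learning window:
# (src_ip, dst_ip, dst_port, proto).
BASELINE_FLOWS = [
    ("10.20.1.10", "10.20.2.5", 443, "tcp"),
    ("10.20.1.11", "10.20.2.5", 443, "tcp"),
    ("10.20.1.10", "10.20.0.53", 53, "udp"),
    ("10.20.1.11", "10.20.0.53", 53, "udp"),
    ("10.20.3.40", "10.20.2.5", 443, "tcp"),
    ("10.20.1.12", "10.20.2.5", 443, "tcp"),   # talks like a pump, not in register
]

def discover(flows):
    """Return the set of source addresses observed talking on the network."""
    return {src for src, _, _, _ in flows}

def reconcile(flows, inventory):
    """Split observed sources into known devices and inventory gaps."""
    seen = discover(flows)
    known = sorted(ip for ip in seen if ip in inventory)
    unknown = sorted(ip for ip in seen if ip not in inventory)
    return known, unknown

def derive_policy(flows, inventory):
    """Allow-list per known device: the (dst, port, proto) tuples it used in baseline."""
    policy = defaultdict(set)
    for src, dst, port, proto in flows:
        if src in inventory:
            policy[src].add((dst, port, proto))
    return dict(policy)

def audit(flows, policy):
    """Return flows that violate the allow-list, each paired with a reason."""
    findings = []
    for src, dst, port, proto in flows:
        if src not in policy:
            findings.append(((src, dst, port, proto), "unknown source, no policy"))
        elif (dst, port, proto) not in policy[src]:
            if ip_address(dst) not in CLINICAL_NET:
                reason = "outside clinical subnet"
            else:
                reason = "not in baseline"
            findings.append(((src, dst, port, proto), reason))
    return findings

# Constructed later traffic to audit: one allowed flow, one pump reaching a
# nursing station it never spoke to before, one pump reaching an address
# outside the clinical subnet, and the unregistered device again.
NEW_FLOWS = [
    ("10.20.1.10", "10.20.2.5", 443, "tcp"),
    ("10.20.1.10", "10.20.3.40", 445, "tcp"),
    ("10.20.1.11", "198.51.100.7", 443, "tcp"),
    ("10.20.1.12", "10.20.2.5", 443, "tcp"),
]

if __name__ == "__main__":
    known, unknown = reconcile(BASELINE_FLOWS, INVENTORY)
    print("known devices:", known)
    print("inventory gaps:", unknown)
    policy = derive_policy(BASELINE_FLOWS, INVENTORY)
    for flow, reason in audit(NEW_FLOWS, policy):
        print("violation:", flow, "->", reason)
```

The baseline window is doing the real work here: a policy learned from too short a window will flag legitimate but infrequent traffic (firmware updates, monthly reporting), while a window that already contains a compromise will bake the attacker's paths into the allow-list. Reviewing the derived policy with biomed staff before enforcing it is the step no automation removes.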

What is the scariest asset a cyberattacker can compromise?

Infusion pumps were the first choice, followed by nursing stations. However, one member mentioned elevators, which led folks to discuss the impact compromised building automation systems would have on disrupting large hospitals.

Will ransomware get smarter and start charging for value?

One attendee pondered how long it would take organized crime to develop ransomware that charges for value, the way commercial products do, so that when it knowingly holds an in-use life-saving device hostage, the bill is much higher. While the opinion around the room concurred this was not going to happen in the coming few years, no one doubted that it could or would happen.

What is one top priority you’d offer?

Top of the list for several larger providers is the need to protect privileged credentials. One organization was an early adopter of Microsoft ESAE (Enhanced Security Administrative Environment), an architectural approach that segregates domain admin credentials and rights into a separate, hardened forest. This is not for the faint of heart.

What is a major concern of the security market?

Complexity. Like the opioid crisis, vendors have flooded CISOs with new tantalizing tools to address the next new perceived issue. This quick fix mentality is causing longer-term harm by shaving off resources without delivering notable improvement on the holistic wellness outcome that’s needed.

What do device manufacturers need to do better?

Provide more detailed information about the composition and limitations of the software on their devices. Specifics of OS, libraries, applications, versions, and patches would be a welcome relief. However, thus far this remains elusive, so providers are unable to conduct a detailed analysis of cyber risk. Historically, providers have been challenged to implement compensating controls to mitigate known vulnerabilities; many participants stated CloudPost provided surgical protection with microsegmentation on a per-device basis.
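What a provider could do with the composition data the panel is asking for is worth showing concretely. The script below is an added example, not code from the panel or from any manufacturer; it assumes each device model ships with a machine-readable bill of materials (shaped loosely like a CycloneDX components list, which is an assumption about format) and matches it against an advisory feed. Every device model, component name, version and advisory in it is constructed, and the advisory IDs are placeholders, not real vulnerabilities.

```python
"""Added example (not from the panel or any manufacturer named on the page).

Consume a per-model software bill of materials and an advisory feed to find
which device models carry an affected component and therefore need a
compensating control (such as per-device segmentation) until patched.
All SBOM content and advisory entries are constructed; IDs are placeholders.
"""
import json

# Constructed SBOMs, loosely shaped like a CycloneDX "components" list.
SBOM_JSON = json.dumps({
    "PumpModel-A": {
        "components": [
            {"type": "operating-system", "name": "example-rtos", "version": "3.2.1"},
            {"type": "library", "name": "libexample-tls", "version": "1.0.2"},
            {"type": "application", "name": "pump-control", "version": "7.4.0"},
        ]
    },
    "MonitorModel-B": {
        "components": [
            {"type": "operating-system", "name": "example-linux", "version": "4.9.0"},
            {"type": "library", "name": "libexample-tls", "version": "1.1.1"},
            {"type": "application", "name": "vitals-ui", "version": "2.0.3"},
        ]
    },
})

# Constructed advisory feed: component name plus an inclusive affected range.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "name": "libexample-tls", "from": "1.0.0", "to": "1.0.2"},
    {"id": "ADV-PLACEHOLDER-002", "name": "example-rtos", "from": "3.0.0", "to": "3.1.9"},
]

def parse_version(v):
    """Turn '1.0.2' into (1, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def affected(component, advisory):
    """True if the component's name matches and its version lies in the advisory range."""
    if component["name"] != advisory["name"]:
        return False
    ver = parse_version(component["version"])
    return parse_version(advisory["from"]) <= ver <= parse_version(advisory["to"])

def assess(sbom_json, advisories):
    """Map each device model to the sorted list of advisory IDs that apply to it."""
    sboms = json.loads(sbom_json)
    report = {}
    for model, sbom in sboms.items():
        report[model] = sorted(
            adv["id"]
            for comp in sbom["components"]
            for adv in advisories
            if affected(comp, adv)
        )
    return report

def needs_compensating_control(report):
    """Models with at least one applicable advisory: isolate until the vendor patches."""
    return sorted(model for model, hits in report.items() if hits)

if __name__ == "__main__":
    report = assess(SBOM_JSON, ADVISORIES)
    for model, hits in report.items():
        print(model, "->", hits or "no applicable advisories")
    print("compensating controls needed for:", needs_compensating_control(report))
```

Without the SBOM, the same provider can only ask the manufacturer whether a given advisory applies and wait; with it, the matching is a join over data the provider already holds. Numeric version comparison matters more than it looks: comparing "1.0.10" to "1.0.2" as strings would put the newer build inside the affected range.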

What actions may the government take?

Politics aside, it was conjectured that PCI-level regulation isn't unreasonable to expect in the future. The room viewed this with mixed feelings. On the plus side of the ledger, it could fundamentally transform the compliance process and give it teeth. However, the expense and drag on innovative service delivery could be crippling.
