Across a health system’s digital terrain, the most vulnerable assets are connected medical devices. If those devices become compromised, the infiltration could impact a patient’s privacy, health and safety. Moreover, it could shut down care delivery for days, weeks or longer, with long-lasting financial and reputational impacts.
According to Deloitte, an estimated 70% of medical devices will be connected by 2023. This surge of IoMT assets is creating new opportunities for threat actors to exploit. While an interconnected world drives efficiencies, it also expands the attack surface and creates more opportunities for operational challenges should these assets get breached or need to be taken offline.
Medical device security is a serious concern. Many IoMT and connected medical devices run on outdated systems, and hospitals have limited visibility into and control over them, which hampers efforts to identify critical events, zero in on the source of the problem and effectively respond. Meanwhile, there’s a significant shortage of cybersecurity personnel. Teams are shrinking in size, specialties are siloed and manual triaging of security events is causing alert fatigue.
To automate security, organizations need a well-thought-out defense architecture that is user friendly and easy to scale. Unfortunately, there’s no silver bullet. When rolling out a comprehensive cybersecurity program that focuses on medical devices and clinical assets as the most exploitable points of failure, there are 10 essential steps to execute.
1. Get a complete inventory of all connected assets
The first step is to inventory all connected assets spanning the entire hospital network, not just IoT and IoMT devices. Also take stock of supporting technologies, like networked cameras or printers, that exist within your broader IT ecosystem.
If you use a computerized maintenance management system (CMMS) or inventory management system, it can serve as a baseline to evaluate your progress as you find and map assets not previously recorded. If not, consider a strong cybersecurity solution that automatically identifies and maps devices through their presence on the network. Without a system like this in place, you face potential risks associated with hidden or forgotten medical devices that you’ll never know about.
2. Implement a monitoring solution
Implementing a monitoring solution enables you to understand network traffic flow patterns. Since hospital networks are composed of many devices that use a mix of general, industry-wide and vendor-specific protocols to communicate, normal usage patterns may look different for each device type and model.
A SPAN or TAP port will need to be installed at the appropriate network switches to passively monitor traffic and communication requests running through the network infrastructure. However, a SPAN or TAP will never provide a complete picture because it is difficult to put everywhere. You need monitoring that covers far more techniques to discover, classify and assess every asset on the network. Communicating and integrating with the network infrastructure via Netflow, sFlow or IPFIX, for example, is another way to gather traffic flows and protocols that may be easier to implement.
Making sense of traffic flow patterns is at the root of good healthcare cybersecurity. For practical purposes, devices that serve similar functions or are used in similar ways should be identified and classified together under the same security policy groups and controls.
3. Cross-reference endpoints with known devices and communication protocols
The master inventory list resulting from your existing records and monitoring should be cross-referenced against a database of known unique device identifiers (UDIs) and associated communication protocols. Visibility alone is not enough. For device endpoints in the network, you need to understand them and their role in the clinical ecosystem. Without that understanding, it will be all but impossible to recognize whether network interactions running through those endpoints are legitimate.
If there are any devices on the list that don’t appear in the database, you’ll need to fill that gap. Usually this requires a human researcher or team of researchers devoted to the task – detailing the device’s associated protocols by pulling vendor documentation, drawing from publicly available sources and reverse engineering the remaining gaps based on experience, raw coding skills and experimentation. This isn’t always possible for hospitals to do, given resource constraints, which is another reason to implement a solution that does this automatically.
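A minimal version of this cross-reference, written here as an added example rather than code from the article or any vendor product: the inventory rows, the known-device table and the protocol names are constructed sample data, and matching is done on normalised vendor and model strings (a production database would also key on UDI device identifiers). Each matched device is enriched with the protocols it is known to use, and any protocol seen on the wire that the database does not expect is called out, which is exactly the judgement the paragraph above says visibility alone cannot make.

```python
"""Cross-reference a device inventory against a known-device database.

Added example, not from the article: inventory rows, the known-device table
and protocol names are constructed sample data.  Devices are matched on a
normalised vendor + model key so that CMMS spelling variants still match, and
protocols seen on the wire are compared with what the device is known to use.
"""
import re

# Constructed known-device table: (vendor, model) -> protocols the device uses.
KNOWN_DEVICES = {
    ("ExampleMed", "VitalWatch 200"): {"HL7", "NTP"},
    ("ExampleImaging", "XR-10"): {"DICOM", "HTTPS"},
}

# Constructed inventory as it might come out of a CMMS export joined with monitoring data.
SAMPLE_INVENTORY = [
    {"ip": "10.20.1.15", "vendor": "ExampleMed", "model": "VitalWatch-200",
     "observed_protocols": {"HL7", "NTP"}},
    {"ip": "10.20.1.16", "vendor": "examplemed", "model": "Vitalwatch 200",
     "observed_protocols": {"HL7", "SMB"}},
    {"ip": "10.20.2.40", "vendor": "Example Imaging", "model": "xr10",
     "observed_protocols": {"DICOM", "HTTPS"}},
    {"ip": "10.20.3.7", "vendor": "UnlistedCo", "model": "Pump-Z",
     "observed_protocols": {"HTTP"}},
]


def normalize(text):
    """Lower-case and strip punctuation/whitespace: 'VitalWatch-200' -> 'vitalwatch200'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def cross_reference(inventory, known):
    """Return (matched, gaps).

    matched: inventory rows enriched with expected_protocols and the sorted
             list of observed protocols the database does not expect.
    gaps:    rows with no database entry, i.e. work for the research team.
    """
    index = {(normalize(v), normalize(m)): protos for (v, m), protos in known.items()}
    matched, gaps = [], []
    for device in inventory:
        key = (normalize(device["vendor"]), normalize(device["model"]))
        if key not in index:
            gaps.append(device)
            continue
        expected = index[key]
        matched.append({
            **device,
            "expected_protocols": sorted(expected),
            "unexpected_protocols": sorted(device["observed_protocols"] - expected),
        })
    return matched, gaps


if __name__ == "__main__":
    matched, gaps = cross_reference(SAMPLE_INVENTORY, KNOWN_DEVICES)
    for row in matched:
        flag = ""
        if row["unexpected_protocols"]:
            flag = " <-- unexpected: " + ", ".join(row["unexpected_protocols"])
        print(f"{row['ip']:<12} {row['vendor']} {row['model']}{flag}")
    for row in gaps:
        print(f"{row['ip']:<12} {row['vendor']} {row['model']} <-- not in database, needs research")
```

The second monitor in the sample matches the database but is speaking SMB, which the device is not known to use; that row is the one an analyst wants to see first, while the unlisted pump goes to the research queue.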
4. Assess vulnerabilities
All your inventoried devices should be reviewed for outdated or otherwise vulnerable software and operating systems, default passwords or known vulnerabilities that haven’t been properly patched. Some medical devices already contain disclosed vulnerabilities upon release. While it may be tempting to skip this step if all the hardware and software is relatively new, you should still conduct an assessment to ensure no additional vulnerabilities exist. There may also be SBOM (software bill of materials) vulnerabilities – ones you wouldn’t think to look for because the software is deeply embedded in the devices.
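The SBOM part of that assessment is a version-matching problem, shown here as an added example that is not from the article or any product: the component list, the advisory feed, the component names and the advisory identifiers are all constructed placeholders, not real software or CVE numbers. The point the code makes is the one the paragraph raises, that a component buried in firmware can be affected even when the device itself is new, and that an advisory with no fixed version yet still needs an action.

```python
"""Check an SBOM's components against a vulnerability feed by version.

Added example, not from the article: the SBOM component list and the
advisory records are constructed, with placeholder component names and
advisory IDs rather than real software or CVE numbers.  A component is
affected when its version is below the advisory's fixed version, or when
the advisory has no fixed version at all.
"""
import re

# Constructed SBOM for a hypothetical device firmware (CycloneDX-style fields).
SBOM = {
    "device": "ExampleMed VitalWatch-200 firmware 4.2.0",
    "components": [
        {"name": "examplecrypto", "version": "1.0.2k"},
        {"name": "exampleshell", "version": "1.31.1"},
        {"name": "examplestack", "version": "2.1.2"},
        {"name": "examplezip", "version": "1.2.11"},
    ],
}

# Constructed advisory feed.  fixed_in=None means no patched version exists yet.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "component": "examplecrypto", "fixed_in": "1.1.1", "severity": "high"},
    {"id": "ADV-EXAMPLE-002", "component": "exampleshell", "fixed_in": "1.31.0", "severity": "medium"},
    {"id": "ADV-EXAMPLE-003", "component": "examplestack", "fixed_in": None, "severity": "high"},
]


def parse_version(version):
    """Leading dotted numeric part as a tuple: '1.0.2k' -> (1, 0, 2), '1.31.1' -> (1, 31, 1).

    Letter suffixes and build tags are ignored, so same-base versions compare
    equal; a production matcher follows each component's own version scheme.
    """
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.group(0).split("."))


def is_affected(component_version, fixed_in):
    """True when no fix exists or the installed version predates the fix."""
    if fixed_in is None:
        return True
    return parse_version(component_version) < parse_version(fixed_in)


def match_sbom(sbom, advisories):
    """Return the advisories that apply to the SBOM, each with a remediation action."""
    by_name = {}
    for comp in sbom["components"]:
        by_name.setdefault(comp["name"].lower(), []).append(comp["version"])
    findings = []
    for adv in advisories:
        for version in by_name.get(adv["component"].lower(), []):
            if not is_affected(version, adv["fixed_in"]):
                continue
            action = f"patch to {adv['fixed_in']}" if adv["fixed_in"] else "no fix available: mitigate and segment"
            findings.append({
                "id": adv["id"], "component": adv["component"], "version": version,
                "fixed_in": adv["fixed_in"], "severity": adv["severity"], "action": action,
            })
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM, ADVISORIES):
        print(f"{f['id']} [{f['severity']}] {f['component']} {f['version']}: {f['action']}")
```

Two of the three advisories apply to the sample firmware: one has a patched version to move to, the other has none, so its action is a compensating control rather than a patch, which is how such a finding should feed into the remediation list.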
5. Establish baselines
By monitoring network interactions, metadata and protocols, you can identify all the devices connected to the network. Moreover, recording the device type, vendor, model, version and hardware IDs (MAC and serial number) will create a granular map of the hospital’s asset ecosystem.
Using this information, you can set parameters to describe the expected network behavior for each device group. By charting the bounds for interquartile ranges and standard deviations within those expected behavior patterns, you can build alert thresholds, a practice known as baselining. By identifying anomalous deviations from the established baseline, security analysts can quickly spot and attend to threats.
The more detailed the information held for each device, the easier it will be to monitor vulnerabilities and find when changes such as software patches or segmentation are required.
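The interquartile-range and standard-deviation thresholds described above, worked through as an added example (not code from the article or any product): the hourly byte counts for the two device groups are constructed stand-ins for what flow monitoring would record. Each group gets a Tukey fence (Q1 - 1.5·IQR, Q3 + 1.5·IQR) and a mean ± 3 standard deviation bound, and a new observation is reported against both, so an analyst can see whether one estimator or both consider it anomalous. Lower bounds are kept as well, since a device that goes quiet is as much a deviation from baseline as one that gets loud.

```python
"""Per-device-group baselining with IQR and standard-deviation bounds.

Added example, not from the article: the hourly byte counts (in KB) for two
constructed device groups stand in for what flow monitoring would record.
Each group gets a Tukey fence (Q1 - 1.5*IQR, Q3 + 1.5*IQR) and a mean +/- 3
standard deviation bound; a new observation is reported against both.
"""
from dataclasses import dataclass
from statistics import mean, quantiles, stdev

# Constructed history: device group -> hourly KB sent, one value per observation.
HISTORY = {
    "patient_monitor": [120, 125, 118, 130, 122, 127, 119, 124],
    "imaging": [4000, 5200, 4800, 6100, 4500, 5900, 5100, 4700],
}


@dataclass
class Baseline:
    group: str
    iqr_low: float
    iqr_high: float
    sigma_low: float
    sigma_high: float


def build_baseline(group, samples, k=1.5, sigmas=3.0):
    """Derive alert bounds for one device group from its observed history."""
    if len(samples) < 4:
        raise ValueError(f"{group}: need at least 4 samples to estimate quartiles")
    q1, _, q3 = quantiles(samples, n=4)  # statistics default 'exclusive' method
    iqr = q3 - q1
    mu, sd = mean(samples), stdev(samples)
    return Baseline(group, q1 - k * iqr, q3 + k * iqr, mu - sigmas * sd, mu + sigmas * sd)


def build_baselines(history):
    """One Baseline per device group."""
    return {group: build_baseline(group, samples) for group, samples in history.items()}


def assess(baseline, value):
    """Return the bounds a value breaks, e.g. ['above_iqr', 'above_sigma'], or [] if within baseline."""
    breaches = []
    if value > baseline.iqr_high:
        breaches.append("above_iqr")
    elif value < baseline.iqr_low:
        breaches.append("below_iqr")
    if value > baseline.sigma_high:
        breaches.append("above_sigma")
    elif value < baseline.sigma_low:
        breaches.append("below_sigma")
    return breaches


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for group, value in [("patient_monitor", 128), ("patient_monitor", 136),
                         ("patient_monitor", 900), ("patient_monitor", 100),
                         ("imaging", 5000)]:
        b = baselines[group]
        print(f"{group}: {value} KB -> {assess(b, value) or 'within baseline'} "
              f"(IQR fence {b.iqr_low:.1f}..{b.iqr_high:.1f}, 3-sigma {b.sigma_low:.1f}..{b.sigma_high:.1f})")
```

Note that 5000 KB is unremarkable for the imaging group but far outside anything the patient monitors have ever sent, which is why the bounds are built per device group rather than for the network as a whole; a value that trips only one of the two estimators (136 KB for the monitors) is the kind of marginal case worth surfacing for review rather than an automatic response.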
6. See more with machine learning
Beyond visibility, understanding what’s going on among devices is the bigger challenge. That’s where machine learning comes in. An automated cybersecurity solution should leverage machine learning technologies to monitor communications and extract significant network characteristics for analysis, which involves mapping similarities and differences between medical devices and using that map to build device peer groups. These groupings help to identify anomalies rapidly and accurately by comparing current and historic device behaviors to those of the peer group.
7. Audit your network configurations
The next step is auditing the hospital’s network structure and recommending improvements to segmentation. Neglecting proper segmentation allows a hacker who has gained unauthorized access to move laterally to other network components or connected devices without obstruction.
To prevent this, employ segmentation that draws concentric internal perimeters around strategic devices at different levels throughout the network. In a medical environment, use this configuration around each asset type. These perimeters limit access to each service inside every asset, restricting access to legitimate parties only and reducing the attack surface.
8. Integrate monitoring and management into a single viewpoint
All your network and device insights should be integrated into the security team’s preferred interface – whether SIEM, NAC or network security system – to provide an enhanced organization-wide view of the network. That view should reflect actual integration among your security tools and how they work together to take the right corrective action, immediately and automatically. Output from these systems should also be aggregated within dashboards and reports to increase senior management awareness and confidence in your cyber operations.
9. Look for new attack vectors
Vulnerability research isn’t a one-and-done undertaking. It needs to be ongoing for all deployed devices. In a lab environment (disconnected from a hospital’s operational IT ecosystem) replicate all device porting configurations and study them for possible backdoors. Conduct penetration tests, scrutinize remote control capabilities and investigate protocol version revert commands for possible security implications.
Risk scores should be assigned on the individual device level as well as for the organization as a whole. Translate all vulnerability information into remediation instructions and actions to be taken accordingly.
10. Refine and automate your processes to stay in front of the threat
Continuous network monitoring for new devices ensures network segmentation and governance don’t degrade over time. Newly discovered devices should be automatically assigned to the proper device-type grouping and mapped to the well-defined network segments. If traffic patterns are detected that violate the baseline standards for a given device, the node should be automatically quarantined at the network level – don’t rely on host-based controls. If the traffic in question is more ambiguous, it should be flagged for review by an analyst.
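The automation this step and the segmentation audit in step 7 describe, written here as an added example rather than code from the article or any product: the grouping rules, the segment plan, the allowed-flow policy and the sample flows are all constructed. A newly seen device is assigned a device-type group, checked against the segment that group is supposed to live in, and its flows are triaged by policy: a protocol the group never uses, or a destination outside any managed segment, is a clear violation and returns "quarantine"; an expected protocol to a managed segment that is simply not an approved pairing is ambiguous and returns "review"; a device that cannot be classified at all goes to an analyst instead of being judged automatically.

```python
"""Automatic grouping, segment mapping and traffic policy checks for new devices.

Added example, not from the article: the grouping rules, segment ranges,
allowed-flow policy and sample flows are constructed.  A newly seen device is
assigned a device-type group, checked against the segment that group should
live in, and its flows are triaged: clear policy violations are "quarantine",
ambiguous ones "review", the rest "ok".
"""
import ipaddress

# Constructed rule table: (vendor substring, model prefix, device group).
GROUP_RULES = [
    ("examplemed", "vitalwatch", "patient_monitor"),
    ("exampleimaging", "xr", "imaging"),
]

# Constructed segment plan: group -> the subnet its members are placed in.
SEGMENTS = {
    "patient_monitor": ipaddress.ip_network("10.20.1.0/24"),
    "imaging": ipaddress.ip_network("10.20.2.0/24"),
    "clinical_servers": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed policy: group -> (protocol, destination segment) pairs it may use.
POLICY = {
    "patient_monitor": {("HL7", "clinical_servers"), ("NTP", "clinical_servers")},
    "imaging": {("DICOM", "clinical_servers"), ("HTTPS", "clinical_servers")},
}

# Constructed flows from one patient monitor, as flow monitoring might report them.
SAMPLE_FLOWS = [
    {"src": "10.20.1.15", "dst": "10.30.0.5", "protocol": "HL7"},     # approved
    {"src": "10.20.1.15", "dst": "10.20.1.16", "protocol": "HL7"},    # ambiguous
    {"src": "10.20.1.15", "dst": "10.30.0.5", "protocol": "SMB"},     # violation
]


def assign_group(vendor, model):
    """Map vendor/model strings to a device-type group, or None if unrecognised."""
    v = vendor.lower().replace(" ", "")
    m = model.lower().replace("-", "").replace(" ", "")
    for vendor_sub, model_prefix, group in GROUP_RULES:
        if vendor_sub in v and m.startswith(model_prefix):
            return group
    return None  # unknown device type: leave for analyst classification


def segment_of(ip):
    """Name of the managed segment containing ip, or None if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)


def place_device(vendor, model, ip):
    """Group a newly discovered device and check that it sits in its group's segment."""
    group = assign_group(vendor, model)
    expected = group if group in SEGMENTS else None
    observed = segment_of(ip)
    return {"ip": ip, "group": group, "expected_segment": expected,
            "observed_segment": observed,
            "misplaced": expected is not None and observed != expected}


def evaluate_flow(group, flow):
    """Decide 'ok', 'review' or 'quarantine' for one flow {src, dst, protocol}."""
    if group is None:
        return "review"  # traffic of an unclassified device is not judged automatically
    allowed = POLICY.get(group, set())
    dst_seg = segment_of(flow["dst"])
    if (flow["protocol"], dst_seg) in allowed:
        return "ok"
    known_protocol = flow["protocol"] in {p for p, _ in allowed}
    if not known_protocol or dst_seg is None:
        return "quarantine"  # protocol the group never uses, or destination outside any managed segment
    return "review"  # expected protocol and a managed segment, but not an approved pairing


def triage(group, flows):
    """Worst decision across a device's flows; 'quarantine' outranks 'review' outranks 'ok'."""
    rank = {"ok": 0, "review": 1, "quarantine": 2}
    return max((evaluate_flow(group, f) for f in flows), key=rank.__getitem__, default="ok")


if __name__ == "__main__":
    placement = place_device("ExampleMed", "VitalWatch-200", "10.20.1.15")
    print("placement:", placement)
    for f in SAMPLE_FLOWS:
        print(f"{f['protocol']:<5} {f['src']} -> {f['dst']}: {evaluate_flow(placement['group'], f)}")
    print("device decision:", triage(placement["group"], SAMPLE_FLOWS))
```

The "quarantine" result is meant to drive a network-level action (the NAC or switch moving the port or address into an isolated segment), consistent with the advice above not to rely on host-based controls; the "review" result is what lands in the analyst queue.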
The 10 steps outlined here represent a layered approach to medical device cybersecurity that helps you fortify your defenses by building smart layers of clinical network cybersecurity, including:
- Continuous, real-time discovery and in-depth visibility mapping of all connected assets – including medical devices, IT devices, infrastructure, IoT, IoMT, VPN, contractors, building systems and more
- Ongoing risk assessment of each device considering known vulnerabilities, potential for attack and the device’s operational criticality
- Tailored security access policies for each device based on device type, an understanding of the clinical network and the organizational hierarchy
- Proactive monitoring for and remediation of attack conditions, leaning on AI-enhanced deep packet inspection (DPI) and medical protocol anomaly detection
By tackling the same challenge from multiple directions, this approach helps you build redundancies so that when one layer is compromised, the others will still provide necessary protection. Cyber threats can’t be eliminated completely, but an attack on your digital terrain can be made so difficult to carry out that it wouldn’t be worth the attacker’s effort.
Learn more about how cloud-based IoT and IoMT security can protect your health system’s patients, data, financials, and reputation.
About the author
Tamer Baker enjoys helping customers build strategies and regulatory compliance policies, improve cybersecurity posture and position their organizations as a best-in-class provider based on NIST, CIS, zero trust and other frameworks. He has specialized in compliance automation strategies in CDM, C2C, healthcare, finance/banking and more.