Blog

Tackling Threats and Protecting Patient Safety: Tips from a Healthcare Security Guru

Ellen Sundra | July 25, 2019

Internet of Medical Things (IoMT) is no longer the future – it’s happening now. The IT, IoT and medical device landscape in the healthcare sector is growing exponentially, adding to the complexity of these networks. Healthcare IT and security personnel face challenges to remain compliant and enforce patient safety and privacy. As a result, maintaining a complete inventory of assets in real time and swiftly separating critical or vulnerable systems from threats to easily detect and remove security risks is crucial. Therefore, knowledge and tips from Security Gurus in healthcare are increasingly vital so everyone can learn and deploy these best practices.

For that reason, I sat down with Erik Decker, CISO and Chief Privacy Officer of University of Chicago Medicine, for a conversation about how the Health Industry Cybersecurity Practices (HICP) Task Group tackles common healthcare security threats and protects patient safety with actionable steps recommended by over 150 healthcare IT professionals. 

Visibility means control, control means safety

Healthcare IT and security staff often have difficulty seeing everything on the network due to the sheer number of devices and technology on hospital networks.  Many devices run on outdated versions of Windows or proprietary operating systems. This creates a plethora of ways to enter the network and carry out an attack. Ransomware attacks have become an increasing threat to the IoMT, amongst other security risks that medical security experts are trying to fight.

“You’ve got to know what you know to be able to secure what you know”, said Erik Decker. Just like monitoring patients’ vital signs to be able to contain a spreading disease, instituting a robust IT Management process that ties directly into the supply chain and procurement processes makes it easier to maintain the inventory of the equipment.  As many devices are installed and removed without the knowledge of the IT and Healthcare Technology Management (HTM) staff, network discovery tools are “incredibly useful” for this effort, according to Decker.

Unfortunately, some of the discovery tools are agent-based, which means a piece of software needs to be installed on each device, and not all medical or IoT devices provide that possibility. As a perspective, our agentless device visibility capabilities found 4,500 more devices than one healthcare customer knew were connected because previous visibility tools couldn’t detect them.

Another challenge is that some discovery tools only do periodic scans of the network – and not all devices are connected 24/7, so some might be missed in the scan. When building a complete asset inventory of IT, IoT and medical devices to protect against ransomware and to minimize medical device risk, it is important for asset discovery tools to have continuous monitoring capabilities to uncover potential attack vectors and vulnerabilities, and to be able to do it on any device on the network, whether it’s possible to install an agent in them or not.

To update is to save lives

Medical devices that connect to the network often use legacy operating systems, which requires security patches to prevent incidents. Patching medical devices properly requires staying on top of the Manufacturers’ patch release cycle and holding them accountable to deliver a security solution. When the inventory is easily available thanks to the visibility tools, it’s easier to make sure all of the connected devices run on the newest software available.

Erik’s guidance is to focus efforts on mitigating uncontrollable risks – especially cases that can put patients’ lives in danger. FDA states that the device manufacturer should inform you of uncontrollable risks from their equipment and issuing a compensating control within 30 days and providing a patch to fix the issue within 60 days. It helps to include that requirement in contracts with vendors to hold them accountable to their security patch responsibilities, and to create a robust management process to implement patches immediately as soon as they become available.

How many degrees of separation?

Asset segmentation, used to isolate and protect critical assets on the network, requires planning and then monitoring once it’s deployed. “Make sure that you have a solid plan about what you are trying to do – avoid assumptions”, said Erik. This is where the data collected from the right discovery tool really pays off. By providing context, such as device type, location, and communication patterns, it helps creating safety buffers between them, as separating critical assets avoids disruption to everyday operations.

Erik proposed segmentation that creates separate security zones for these areas:

  • Data Center assets
  • Critical asset and medical device technology
  • IoT devices
  • Building management systems

It’s important to remember SamSam – the ransomware that broke into the open Remote Desktop channels, laptops and other devices connected directly to the internet, penetrated critical portions of many hospitals’ operations, and disabled crucial access points for security personnel. A reasonable segmentation strategy could have minimized the damage for those cases as it contains the damage to a localized area.

But the strategy itself is only the beginning – to make it work, it needs to be standardized. According to Erik, “The process is the hardest part, especially keeping the segmentation maintained.” That is why the University of Chicago Medicine organizes weekly meetings that use Lean Six Sigma process improvement methodology. IT works with other organizations to analyze the Key Performance Indicators (KPIs), and what counter measures should be put into place if the plan doesn’t work the way it should.

Closing in on the threat

Anti-malware software is also a critical component in battling ransomware and protecting medical devices. The challenge for healthcare is installing and maintaining current versions on all connected devices. Especially in larger organizations, this process needs to be automated and monitored, which is not always as obvious as it sounds.

Combining all the data from network management, visibility, and anti-malware tools helps monitoring and closing in on threats hidden behind unusual network activity and learn how to properly respond to incidents.

Want to know more? Watch the full conversation with Erik Decker in the Top Cybersecurity Practices (HICP) to Mitigate Cyber Threats in Healthcare webinar.