In part one of this post, I mentioned the issue hospital IT faces as more medical devices than ever are connecting to the network. In this post, we’ll take a look at the best way to secure these medical devices.
1. How can you protect it if you don’t know it exists?
-Identifying all of the devices on the network is the critical first step.
To protect the network from malicious events, we first need visibility into what devices are out there: not just most of what’s connected, but all of it.
Enterprises without an automated discovery mechanism often struggle to locate and identify devices on their network. They will know most of their segments, and most of the devices that are expected to be on their network (i.e. routers, switches, authorized access points), yet still not have a complete picture of the network. Often, they will miss the laptop plugged into the conference room jack, the access point or router plugged in under the executive’s desk, or the medical device that is attached to the network but not managed by the IT team.
Organizations require a real-time, automated approach to discovering devices so that they can be properly categorized and managed.
While some solutions rely on 802.1x or identify devices by MAC address, these systems have significant downsides. The 802.1x systems rely on specific versions of network hardware and software and include a number of moving parts. The failure of any individual component will disrupt overall network connectivity.
Modern medical environments also contain devices that cannot run a supplicant or software agent, leaving the IT team to manage exceptions with MAC address whitelists that are hard to maintain and decay as time passes. That can only be truly addressed by an agent-less network access control and security automation platform.
ForeScout’s CounterACT solves the identity problem in a platform agnostic way, without requiring agents on devices.
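The gap described above (devices that are on the wire but absent from, or stale in, the IT inventory) is easiest to see with a reconciliation pass. The following is an added example, not ForeScout's or CounterACT's code: it compares a constructed snapshot of what an agent-less discovery source would observe (switch port, MAC and IP) against a constructed inventory and reports the managed, known-but-unmanaged, unknown and missing devices. All device names, addresses and switch ports are made up for the example.

```python
"""Reconcile what is actually seen on the network against the IT asset inventory.

Constructed sample data: OBSERVED stands in for what an agent-less discovery
source (switch MAC tables, DHCP leases, ARP caches) reports; INVENTORY stands
in for what IT believes is on the network.
"""

# Constructed sample: what the discovery source actually saw (example data only).
OBSERVED = [
    {"mac": "00:1a:2b:00:00:01", "ip": "10.10.1.5",   "switch": "core-1", "port": "Gi1/0/1"},
    {"mac": "00:1a:2b:00:00:02", "ip": "10.10.1.6",   "switch": "core-1", "port": "Gi1/0/2"},
    {"mac": "00:aa:bb:00:00:10", "ip": "10.10.20.44", "switch": "edge-3", "port": "Gi1/0/17"},  # conference-room jack
    {"mac": "00:50:c2:00:00:99", "ip": "10.10.30.12", "switch": "edge-5", "port": "Gi1/0/3"},   # medical device, not IT-managed
]

# Constructed sample: the inventory IT maintains, keyed by MAC address.
INVENTORY = {
    "00:1A:2B:00:00:01": {"name": "core-router-1",   "managed": True},
    "00-1a-2b-00-00-02": {"name": "core-switch-1",   "managed": True},
    "00:1a:2b:00:00:03": {"name": "ap-lobby-1",      "managed": True},   # expected but never observed
    "00:50:c2:00:00:99": {"name": "infusion-pump-7", "managed": False},  # known, but no agent and not IT-managed
}


def normalize_mac(mac):
    """Canonical lower-case colon form so records from different sources compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(observed, inventory):
    """Split observed devices into managed, unmanaged and unknown, and list
    inventory entries that were expected but not seen (a stale whitelist entry)."""
    inv = {normalize_mac(m): rec for m, rec in inventory.items()}
    result = {"managed": [], "unmanaged": [], "unknown": [], "missing": []}
    seen = set()
    for dev in observed:
        mac = normalize_mac(dev["mac"])
        seen.add(mac)
        location = f'{dev["switch"]}:{dev["port"]}'
        rec = inv.get(mac)
        if rec is None:
            # Nobody told IT about this one: the laptop on the conference-room jack.
            result["unknown"].append((mac, dev["ip"], location))
        elif rec["managed"]:
            result["managed"].append((rec["name"], mac, location))
        else:
            # Known device that cannot run an agent; it still needs a posture.
            result["unmanaged"].append((rec["name"], mac, location))
    for mac, rec in inv.items():
        if mac not in seen:
            result["missing"].append((rec["name"], mac))
    return result


if __name__ == "__main__":
    for bucket, items in reconcile(OBSERVED, INVENTORY).items():
        print(bucket, items)
```

The "missing" bucket is the part that a static MAC whitelist never gives you: entries that were once valid and are now just noise, which is exactly how such lists decay over time.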
2. We know that devices are connected, but we don’t know what they are.
-Categorize each device into a device class based on purpose and attributes
Any given device will have a group of attributes that can be identified and used to determine its type and separate it from other types of devices on the network. By identifying enough of these attributes and using an automated security platform like CounterACT, different postures can be mapped to different types of devices and enforced appropriately.
Device attributes to look for include:
- Network Segments – Are these devices found on a functional network segment?
- Open Ports – What ports are open on this device type?
- Sessions as a Client – Does this device type report to an application server?
- Sessions as a Server – Does this device act as a server for other devices?
- Banners – Does an HTTP, Telnet or other banner identify this device?
- Applications or services – Do specific applications or services installed or running make this class of device unique?
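One way to turn that attribute list into a device class is a small rule engine that scores each class by how many of its expected attributes a device actually exhibits, and refuses to classify when the evidence is thin. The code below is an added example, not CounterACT's classification logic; the device records, class names, rules and the minimum-evidence threshold are all constructed for illustration.

```python
"""Classify discovered devices into device classes from the attribute kinds the
post lists: segment, open ports, client sessions, server sessions, banners and
running services. Constructed sample data; the rules are illustrative only."""

# Constructed observations, one record per device (example data only).
DEVICES = [
    {"ip": "10.10.30.12", "segment": "clinical", "open_ports": {80, 443},
     "client_sessions": {"pump-server.hosp.example:8443"}, "server_sessions": set(),
     "banners": {"http": "AcmePump/3.1"}, "services": set()},
    {"ip": "10.10.30.20", "segment": "clinical", "open_ports": {104, 80},
     "client_sessions": set(), "server_sessions": {"dicom"},
     "banners": {}, "services": {"dcmtk"}},
    {"ip": "10.10.1.5", "segment": "infra", "open_ports": {22, 161},
     "client_sessions": set(), "server_sessions": set(),
     "banners": {"ssh": "SSH-2.0-Cisco-1.25"}, "services": set()},
    {"ip": "10.10.20.44", "segment": "corp", "open_ports": {135, 445},
     "client_sessions": set(), "server_sessions": set(),
     "banners": {}, "services": {"endpoint-agent"}},
    {"ip": "10.10.20.77", "segment": "corp", "open_ports": set(),
     "client_sessions": set(), "server_sessions": set(),
     "banners": {}, "services": set()},   # too little evidence to classify
]


# Attribute checks; each returns a predicate over one device record.
def on_segment(name):
    return lambda d: d["segment"] == name

def has_port(port):
    return lambda d: port in d["open_ports"]

def client_of(server):
    return lambda d: server in d["client_sessions"]

def serves(protocol):
    return lambda d: protocol in d["server_sessions"]

def banner_contains(kind, needle):
    return lambda d: needle.lower() in d["banners"].get(kind, "").lower()

def runs(service):
    return lambda d: service in d["services"]


# Illustrative rule set (hypothetical class names and attribute values).
RULES = {
    "infusion_pump": [on_segment("clinical"), has_port(443),
                      client_of("pump-server.hosp.example:8443"), banner_contains("http", "AcmePump")],
    "dicom_modality": [on_segment("clinical"), has_port(104), serves("dicom"), runs("dcmtk")],
    "network_gear": [on_segment("infra"), has_port(22), has_port(161), banner_contains("ssh", "cisco")],
    "windows_workstation": [on_segment("corp"), has_port(445), has_port(135), runs("endpoint-agent")],
}

MIN_EVIDENCE = 3  # attributes that must match before we commit to a class


def classify(device, rules=RULES, min_evidence=MIN_EVIDENCE):
    """Return (device class, number of matching attributes).
    'unknown' when no class reaches the evidence threshold, 'ambiguous' when
    two classes tie, so the device is held for more attributes rather than
    being given a posture that may not fit."""
    scores = {cls: sum(1 for check in checks if check(device)) for cls, checks in rules.items()}
    best_cls, best = max(scores.items(), key=lambda kv: kv[1])
    if best < min_evidence:
        return "unknown", best
    if sum(1 for v in scores.values() if v == best) > 1:
        return "ambiguous", best
    return best_cls, best


def classify_all(devices):
    return {d["ip"]: classify(d) for d in devices}


if __name__ == "__main__":
    for ip, (cls, score) in classify_all(DEVICES).items():
        print(f"{ip:14} {cls:20} evidence={score}")
```

Separating "unknown" from "ambiguous" matters operationally: the first needs more discovery, the second needs a better rule, and neither should silently inherit the posture of whichever class happened to score first.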
3. We’ve got all of our devices categorized and grouped…now what?
-Determine the proper posture for the device type and remediation steps for out-of-compliance devices.
Once devices are properly identified and categorized, determine what posture components they should have.
Configuration items to look for:
- Antivirus – Installed, running and up to date?
- Firewall – Software firewall enabled and restricting traffic properly?
- Services – Are all processes running as required for the device to operate?
- Encryption – Installed and functioning?
- Script Output – Execute a script on the host. Do you get the expected output?
Attributes will depend heavily on the device and its function on the network, but this list is a good start.
This article merely touches the surface of how CounterACT can help manage medical devices. For more on ForeScout’s healthcare solutions visit https://www.forescout.com/solutions/industries/#healthcare.
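The posture items above become a per-class baseline once devices are categorized, and the baseline for an embedded medical device legitimately differs from the one for a workstation (no antivirus to check, but a firmware check instead). The following is an added example, not CounterACT policy or code: it evaluates constructed device records against constructed baselines for the five components listed (antivirus, firewall, services, encryption, script output) and attaches an illustrative remediation step to each failure. Class names, service names, dates and expected script output are all made up.

```python
"""Evaluate device posture against a per-class baseline and propose remediation.
Constructed sample data; baselines and remediation steps are illustrative."""
from datetime import date

TODAY = date(2024, 6, 1)  # fixed date so the example is deterministic

# Illustrative baselines per device class. None means "not applicable to this class".
BASELINES = {
    "windows_workstation": {
        "antivirus": {"max_signature_age_days": 3},
        "firewall": {"enabled": True},
        "required_services": {"endpoint-agent"},
        "disk_encryption": True,
        "script_check": {"name": "patch-level", "expected": "KB-baseline-2024-05"},
    },
    # Embedded device: cannot run AV or an agent, so the baseline leans on the
    # firewall, the control service and a firmware-version script check instead.
    "infusion_pump": {
        "antivirus": None,
        "firewall": {"enabled": True},
        "required_services": {"pump-ctl"},
        "disk_encryption": False,
        "script_check": {"name": "firmware-version", "expected": "3.1.4"},
    },
}

# Illustrative remediation step per failing component.
REMEDIATION = {
    "antivirus": "Move to remediation VLAN; install/start AV and update signatures",
    "firewall": "Push firewall-enable policy; restrict to its clinical segment until compliant",
    "services": "Restart the missing service; open a ticket if it fails again",
    "encryption": "Block network access until disk encryption is enabled",
    "script": "Hold on isolated segment; flag for clinical engineering review",
}

# Constructed device records as a posture assessment would observe them.
DEVICES = [
    {"ip": "10.10.20.44", "class": "windows_workstation",
     "antivirus": {"installed": True, "running": True, "signatures": date(2024, 5, 20)},
     "firewall": {"enabled": True}, "services": {"endpoint-agent"},
     "disk_encryption": True, "script_output": {"patch-level": "KB-baseline-2024-05"}},
    {"ip": "10.10.30.12", "class": "infusion_pump",
     "firewall": {"enabled": False}, "services": {"pump-ctl"},
     "disk_encryption": False, "script_output": {"firmware-version": "3.1.2"}},
]


def evaluate(device, baselines=BASELINES, today=TODAY):
    """Compare one device's observed state with its class baseline.
    Returns (compliant, failures); each failure is (component, detail, remediation)."""
    base = baselines[device["class"]]
    failures = []

    # Antivirus: installed, running and with fresh signatures.
    req = base["antivirus"]
    if req is not None:
        av = device.get("antivirus") or {}
        if not av.get("installed"):
            failures.append(("antivirus", "not installed"))
        elif not av.get("running"):
            failures.append(("antivirus", "not running"))
        else:
            age = (today - av["signatures"]).days
            if age > req["max_signature_age_days"]:
                failures.append(("antivirus", f"signatures {age} days old"))

    # Firewall: software firewall enabled.
    if base["firewall"]["enabled"] and not device.get("firewall", {}).get("enabled"):
        failures.append(("firewall", "software firewall disabled"))

    # Services: everything the device needs in order to operate is running.
    missing = base["required_services"] - set(device.get("services", ()))
    if missing:
        failures.append(("services", "missing: " + ", ".join(sorted(missing))))

    # Encryption: required only where the baseline says so.
    if base["disk_encryption"] and not device.get("disk_encryption"):
        failures.append(("encryption", "disk encryption not enabled"))

    # Script output: the result of a script run on the host, compared to the expected value.
    chk = base["script_check"]
    got = device.get("script_output", {}).get(chk["name"])
    if got != chk["expected"]:
        failures.append(("script", f'{chk["name"]} returned {got!r}, expected {chk["expected"]!r}'))

    return (not failures, [(c, d, REMEDIATION[c]) for c, d in failures])


def evaluate_all(devices):
    return {d["ip"]: evaluate(d) for d in devices}


if __name__ == "__main__":
    for ip, (ok, fails) in evaluate_all(DEVICES).items():
        print(ip, "compliant" if ok else "NON-COMPLIANT")
        for component, detail, action in fails:
            print(f"  {component}: {detail} -> {action}")
```

Keeping the baseline per class, rather than one global checklist, is what stops an infusion pump from being flagged (or worse, quarantined) for lacking an antivirus agent it was never able to run.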