Securing connected medical devices to protect the future of healthcare

Bob Vickers, head of UK&I at Ordr, discusses cybersecurity blind spots in health, and explains how they can be tackled in the “new normal” world.

The healthcare industry is continuously on the leading edge of innovation, significantly improving the quality and delivery of care at an accelerating pace. Internet connected devices are now a significant part of the network ecosystem, especially as we continue to navigate the “new normal” brought on by the pandemic.

Specialised Internet of Medical Things (IoMT) devices perform patient monitoring, treatment and diagnostics, while additional IoT and operational technology (OT) devices control facilities, improve operations and enhance communications. These devices vary widely and are a critical part of business operations and the patient care experience - but they are invariably not designed with security in mind. IoT devices such as smart displays, temperature and motion sensors, as well as printers, can be compromised and become an attack vector. Facilities systems such as heating, ventilation and air conditioning (HVAC), elevator controls and cameras are also a critical part of healthcare operations and must be protected. Even medical equipment such as MRI scanners and infusion pumps can act as ingress points.

These devices generally cannot be taken out of service, even to be ‘patched’, and typically have an expected service life of many years. Often, they run on rudimentary operating systems, can be difficult to discover via traditional asset inventory, cannot be scanned via vulnerability management solutions and cannot support corporate endpoint security agents. These devices can be business, IT and cybersecurity blind spots, presenting a major threat for healthcare organisations and patients alike.

Cybersecurity blind spots in medical devices

Healthcare organisations can be especially vulnerable to ransomware attacks, often due to outdated operating systems on some connected devices. Complicating matters further, these healthcare networks consisting of IoT, IoMT and OT devices may have different operational owners, creating a wide attack surface if not properly managed. This mandates the need for a common platform that can deliver visibility and security for all devices, not just medical.

This can be achieved with an all-encompassing platform for IoT, IoMT and OT discovery, management and security - with comprehensive features that serve security, networking teams and clinical technicians. This type of platform facilitates the discovery of all devices and a better understanding of vulnerabilities. It can also provide alerts on product recalls, weak passwords, or show certificates associated with every device. By ensuring visibility and monitoring activity, healthcare organisations can evaluate risks and mitigate them – essentially safe-proofing the organisation.

The University Hospital Southampton NHS Foundation Trust (UHS) in the UK needed to gain full visibility over what exactly was connected to its network, understand the associated risk and determine how to mitigate the ‘east-to-west’ lateral movement threat from cyber exploitation. This is a common challenge within the NHS, as many different departments connect a multitude of devices and a wide range of medical equipment to a hospital network.

Ordr is helping protect UHS from potential cyber threats and cyber criminals looking to ransom or steal valuable data, including patient information. UHS teams can now discover every connected device, profile device behaviours and risks, and automate responses. They can identify devices with vulnerabilities (Ordr takes CareCERT feeds, amongst many), weak ciphers, weak certificates, and active threats, but also those that exhibit malicious or suspicious behaviours. By securing unmanaged connected devices, they can not only protect their assets and critical patient data, but also drive cost-avoidance associated savings.

Securing healthcare devices as a critical part of operations

IoT and IoMT adoption also introduces another challenge: that of ‘Shadow IT’ devices – devices that are deployed without the knowledge or approval of the IT department. To tackle security issues, organisations need a full understanding of precisely what is attached to their network and what it is doing. IoT devices have specific and predictable communications patterns - for example, video cameras need to connect to a camera management system, and medical imaging devices need to communicate with a central PACS or DICOM server. Mapping each device’s unique communications pattern can profile exactly how it should behave.

However, understanding what the device is doing goes beyond visibility to behavioural profiling and classifying devices and risks. Real-time discovery, monitoring, and behavioural analytics only matter if IT and security teams can act on the resulting insights, quickly and effectively. Healthcare organisations need practical segmentation that actually works – a platform that can dynamically create policies to segment devices and “allow” only the appropriate “sanctioned” communications - based on the device profiling information. These policies can then be enforced automatically on existing infrastructure, like firewalls, switches, network access control platforms and wireless LAN controllers. In the event of a security incident, policies can also be generated to quickly isolate an infected device.
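
The baseline-and-segment approach described above can be sketched as follows. This is an added example, not code from Ordr or any product named in the article; the device classes, IP addresses, ports (554 for camera streaming, 104 for DICOM) and flow records are all constructed for illustration.

```python
# Added example: per-class communication baseline checked against flow records.
# Every address, port, class name and flow below is constructed for illustration.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Sanctioned communications per device class: (destination network, protocol, port).
PROFILES = {
    "ip-camera": {("10.20.0.10/32", "tcp", 554)},        # camera management system
    "imaging-modality": {("10.30.0.5/32", "tcp", 104)},  # central PACS / DICOM server
}

# Inventory produced by discovery: device IP -> device class.
INVENTORY = {"10.50.1.21": "ip-camera", "10.60.2.7": "imaging-modality"}

# Constructed flow records: (src, dst, proto, dst_port).
FLOWS = [
    ("10.50.1.21", "10.20.0.10", "tcp", 554),  # camera -> management system
    ("10.60.2.7", "10.30.0.5", "tcp", 104),    # modality -> PACS
    ("10.50.1.21", "10.60.2.7", "tcp", 445),   # camera -> modality: east-west, unsanctioned
    ("10.99.9.9", "10.30.0.5", "tcp", 104),    # source missing from inventory (Shadow IT)
]

def is_sanctioned(device_class, dst, proto, port):
    """True if the flow matches an entry in the class profile."""
    return any(ip_address(dst) in ip_network(net) and proto == p and port == prt
               for net, p, prt in PROFILES.get(device_class, ()))

def find_violations(flows):
    """Map each source to its out-of-baseline flows; unknown sources get an 'unknown:' key."""
    out = defaultdict(list)
    for src, dst, proto, port in flows:
        cls = INVENTORY.get(src)
        if cls is None:
            out[f"unknown:{src}"].append((dst, proto, port))
        elif not is_sanctioned(cls, dst, proto, port):
            out[src].append((dst, proto, port))
    return dict(out)

def segmentation_rules(device_ip, isolate=False):
    """Vendor-neutral rules: profile allow-list then default deny; isolate=True drops all."""
    allows = [] if isolate else [
        {"action": "allow", "src": device_ip, "dst": net, "proto": p, "port": prt}
        for net, p, prt in sorted(PROFILES[INVENTORY[device_ip]])]
    deny = {"action": "deny", "src": device_ip, "dst": "any", "proto": "any", "port": "any"}
    return allows + [deny]

if __name__ == "__main__":
    for src, bad in find_violations(FLOWS).items():
        print(src, bad)
    print(segmentation_rules("10.50.1.21", isolate=True))
```

The rule dictionaries are a neutral intermediate form; translating them into firewall, switch or NAC syntax depends on the enforcement point in use.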

After gaining visibility and securing every connected device, IT teams can leverage usage insights to improve capital purchase decisions, help clinical engineering teams determine the longevity of certain devices, and enable comparison of fleet equipment operations across facilities. These equipment insights include MRI systems, CT scanners, and X-ray machines – thereby helping ensure data-driven moves, adds, and changes as teams scale their capacity.

Managing connected devices to manage the future of healthcare

Connected devices are undeniably a significant part of today’s enterprise IT architecture, especially within healthcare. The challenge is securing them, as many of them are business critical but notoriously susceptible to cyber threats. Left undiscovered, unmanaged and unsecured, they can put hospitals, and therefore patients, at risk.

There is an urgent need, more than ever before, to address the visibility and security of unmanaged IoT, IoMT, and OT devices – especially as healthcare organisations are currently under immense pressure to cut costs and leverage resources efficiently to face the plethora of challenges brought on by the pandemic. With the right tool, security teams can increase visibility into IoT risks, bring devices into compliance, and manage procurement and capital spend. By leveraging automation to drive efficiencies, healthcare organisations can identify areas of over or under use, freeing up resources to treat more people in need.
