Ian Bolland spoke to Bob Vickers, head of UK&I at ORDR, and Ryan Hewitt, CEO of Smartgate, to discuss hyper-connectivity in the clinical environment, and what solutions such as ORDR can pick up from medical devices.
ORDR is a system for connected medical devices that can operate within a healthcare organisation, such as an NHS Trust. It could be described as a firewall with extras. Not only does it act in a protective manner, but the software shows up details from a device that could prove vital to its user.
Hewitt explains: “We’re able to gain low level information around the device: the device type, the hardware that it’s sitting on, the software that it’s running, patch versions that it’s got. That in itself is quite unique but ORDR takes it a step further than that.
“If it’s a medical device it shows has there been any recalls from the FDA or whoever the manufacturer of that device is. From a clinical perspective you can understand the utilisation of devices so not just from a cybersecurity point of view, but also a clinical engineering and a procurement point of view.
“We can provide a lot of valuable data surrounding utilisation of the devices – whether they’ve missed any service intervals – there’s a lot of really low level, valuable details that we can provide into the NHS or a medical environment.”
As well as security aspects, the software can also provide information surrounding any product recalls that may have come from the manufacturer – in a way that those who operate in the automotive industry will be accustomed to.
Vickers explains that given ORDR does work closely with manufacturers around the world. He outlines that operating systems that medical devices operate on can be out-of-date – which is where the security issues arise and are beyond the manufacturers control.
He said: “The manufacturers can only do so much to make their products as secure as they can but that’s a long, long process. What we can do, in this case to a healthcare organisation, is say ‘you accept the fact that a lot of the manufacturer’s equipment is not as secure as it should be so it’s therefore incumbent on you to put in another system to make it secure, to mitigate that threat as much as possible’.”
Vickers adds that a lot of IOT devices are connected to a system, and not all of the devices are for medical use. He explains that in order for any organisation to get a grip on security, they need to know exactly what is connected.
“The first thing to do is given them visibility of exactly what’s there so step one: we can tell them exactly what’s attached to the network and once you’ve identified that then you can start doing something about it.
“I would say it’s a more intelligent firewall at a device-by-device level, not just medical device, but any device that’s attached to an infrastructure.”
Hewitt explains that ORDR’s offering of a ‘more intelligent firewall’ includes artificial intelligence and machine learning, that can secure devices a healthcare organisation won’t necessarily have control over – explaining that IoT devices account for 20-40% of the devices that are on any hospital network.
“These devices are the low hanging fruit as they are unmanaged and unsupported by the organisation. That will be because of a huge proliferation of out-of-date Windows operating systems, devices with default usernames and passwords on, all kind of easy pickings for someone who wanted to come in and exploit an organisation and this has been a challenge within the medical and healthcare environment for some time now.
“We secure devices that they don’t have any control over. There aren’t any products on the market from a traditional cybersecurity point of view that can do that. To secure a device you need to have control of that device but in healthcare there is a massive percentage of devices that they have no control over whatsoever.”
This can include anything regarded as smart device in people’s homes such as an Amazon Alexa, Hewitt referred to one example in the United States which saw as Tesla car connected to the system.
He also explained that if old operating systems can be running medical devices, it’s not necessarily within an NHS Trust’s control.
“All of the big-ticket items, CT scanners, MRI scanners, they will be shipped with an out-of-date operating system, and the NHS organisation that’s just bought that piece of equipment can’t touch it at all. It would invalidate their service agreement with the provider of that hardware. Their hands are tied. They have to plug in these devices which they know will add a vulnerability into their network.”
So, what advice should be given to companies in order for them to guard against security threats and these vulnerabilities?
Vickers sums up by saying: “Get visibility, understand exactly what’s attached to your network first. You don’t know what you don’t know and that’s the very first step. Then from there you can build a plan to start mitigating against threats so step one – visibility. That’s critical.
“The way that ORDR works is that once we’ve collated all of this information on the network, we can then continually compare what’s going on in the customer’s network to threats as they emerge.
“We are continually adjusting, tweaking, evaluating and updating the database that we’re working from to make sure that our ability to mitigate threats is as up-to-date as possible.”