By Xu Zou
Many clinical engineers face the daunting task of being on the frontline of medicine, responsible for ensuring the continued operation of connected medical devices. This task is now more difficult than ever as the impact of recent cyber attacks spills over from the IT side of organizations. The new wave of cyber attacks, which kicked off in mid-2017, has continuously targeted health care organizations. Not only has the frequency of attacks increased, but their focus has shifted and expanded beyond PHI/EMR. Connected medical devices are now squarely in the crosshairs of modern hackers, whose intent is to disrupt services.
Ensuring the continuous operation of purpose-built and uniquely designed devices takes significant time and resources, requiring a close working relationship with device manufacturers. If devices are not designed with security in mind, and if manufacturers are not prepared to respond to modern cyber threats, clinical engineers are left with one hand tied behind their backs.
One approach I recommend to clinical engineers is to systematically break down their approach. You must walk before you can run.
Start Walking: Identifying and categorizing connected devices
Understanding what you're trying to secure before you can secure it may seem like common sense. However, that concept has not typically been applied in most security solutions. Traditional IT assets (such as laptops, PCs and servers) use a handful of well-known hardware platforms and operating systems. This has allowed security vendors to develop one-size-fits-all solutions that assume, for example, an Intel-based machine with enough spare capacity to run an antivirus agent on a Windows OS with well-defined specifications. Connected medical devices rarely match those assumptions, which is one of the primary reasons why traditional security solutions cannot secure them.
Abandoning traditional approaches, clinical engineers should first find a solution that will assist them in discovering all connected medical devices, identifying the devices and ideally categorizing them. This level of insight offers several key data points. First, it provides a real-time accurate device count which allows clinical engineers to understand the scale of the challenge at hand. It also confirms the number of devices believed to be in service against the count actually being used. Second, with the cost of connected devices differing by several orders of magnitude, clinical engineers cannot take the same approach to each device on their network. Insight into the type of device is critical; consider the number of IV pumps that can be purchased for the cost of a single MRI machine. Third, as many clinical engineers can attest, device manufacturers have their own unique processes which vary greatly from one manufacturer to another. Being able to identify the manufacturer and model number offers significant insight for clinical engineers.
While these insights increase your field of view, many don’t associate the benefit directly to security. Imagine if you were able to assess how many connected medical devices were vulnerable to the WannaCry attack before a single PC or device in your network was compromised. What if you were able to identify which devices were using FTP protocol right after the FBI issued a warning of hackers leveraging the same protocol? What if you could identify how many IV pumps are affected immediately after ICS-CERT issues an alert? These are just a few of the security benefits afforded by having a new-found field of view into your devices.
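The inventory questions raised in the last two paragraphs (how many devices of each kind are actually on the network, how that compares with the asset register, which manufacturer and model they are, and which of them still speak FTP or expose SMBv1 as WannaCry exploited) can be answered from a device inventory once discovery has produced one. The following Python is an added illustration of that reconciliation, not code from the original article or from any vendor's product; the device records, the register counts, the port-to-service mapping and the SMB dialect strings are all constructed for the example.

```python
"""Added example: reconciling a connected-device inventory against what is
actually observed on the network, then answering the questions from the text
(counts per category, register versus observed, manufacturer/model breakdown,
devices still using FTP, devices still negotiating SMBv1).  Every record below
is constructed for illustration; the field names and the mapping of services
to ports are assumptions, not any product's format."""

from collections import Counter
from dataclasses import dataclass

# Constructed mapping of flagged services to TCP ports: FTP because credentials
# travel in clear text, 445 because SMBv1 on that port was WannaCry's vector.
PORT_TO_SERVICE = {21: "ftp", 445: "smb"}
SMBV1_DIALECT = "NT LM 0.12"   # the dialect name SMBv1 clients negotiate


@dataclass(frozen=True)
class Device:
    mac: str
    manufacturer: str
    model: str
    category: str                          # e.g. "infusion_pump", "imaging"
    open_ports: frozenset                  # ports observed accepting connections
    smb_dialects: frozenset = frozenset()  # dialects seen in SMB negotiation


# Constructed "expected" counts: what the asset register believes is in service.
EXPECTED_IN_SERVICE = {"infusion_pump": 120, "imaging": 3, "patient_monitor": 40}

# Constructed observations of devices actually talking on the network.
OBSERVED = [
    Device("00:11:22:00:00:01", "PumpCo", "IV-100", "infusion_pump", frozenset({21, 8080})),
    Device("00:11:22:00:00:02", "PumpCo", "IV-100", "infusion_pump", frozenset({8080})),
    Device("00:11:22:00:00:03", "PumpCo", "IV-200", "infusion_pump", frozenset({21})),
    Device("aa:bb:cc:00:00:01", "ScanCorp", "MR-7", "imaging",
           frozenset({445, 104}), frozenset({SMBV1_DIALECT})),
    Device("aa:bb:cc:00:00:02", "ScanCorp", "CT-2", "imaging",
           frozenset({445, 104}), frozenset({"SMB 2.002", "SMB 3.1.1"})),
    Device("dd:ee:ff:00:00:01", "MonitorInc", "HR-5", "patient_monitor", frozenset({80})),
]


def count_by_category(devices):
    """Real-time device count per category: the first data point in the text."""
    return Counter(d.category for d in devices)


def reconcile(expected, devices):
    """Register minus observed, per category.  A positive number means devices on
    record that were never seen; a negative number means devices seen on the
    network that the register does not know about."""
    observed = count_by_category(devices)
    return {cat: expected.get(cat, 0) - observed.get(cat, 0)
            for cat in set(expected) | set(observed)}


def count_by_make_model(devices):
    """Manufacturer/model breakdown, the key for vendor-specific processes."""
    return Counter((d.manufacturer, d.model) for d in devices)


def devices_using(devices, service):
    """Devices observed with a flagged service open, e.g. 'ftp'."""
    ports = {p for p, s in PORT_TO_SERVICE.items() if s == service}
    return [d for d in devices if d.open_ports & ports]


def smbv1_exposed(devices):
    """Devices that accept SMB and still negotiate the SMBv1 dialect: the
    population that needed attention when WannaCry hit."""
    return [d for d in devices
            if 445 in d.open_ports and SMBV1_DIALECT in d.smb_dialects]


if __name__ == "__main__":
    print("per category:", dict(count_by_category(OBSERVED)))
    print("register minus observed:", reconcile(EXPECTED_IN_SERVICE, OBSERVED))
    print("make/model:", dict(count_by_make_model(OBSERVED)))
    print("ftp:", [d.mac for d in devices_using(OBSERVED, "ftp")])
    print("smbv1:", [d.mac for d in smbv1_exposed(OBSERVED)])
```

The reconciliation step is the one most often skipped: a register that says 120 infusion pumps while the network shows three is either a discovery gap or a register full of retired devices, and either way it is the first thing to resolve before any per-device security work can be scoped.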
Start Running: Securing connected devices
As you can imagine, the task of securing connected medical devices is greatly simplified when you are armed with the details of individual devices. Recent advances in artificial intelligence and machine learning are being employed in revolutionary ways to do just this. Learning the normal behavior of an X-ray machine and identifying when it has been compromised or is misbehaving, without any human intervention, is now commonplace for modern security solutions.
The method of chasing the latest malware and reducing the response time from days to hours is simply not effective against modern attacks. Unlike in other industries, a downtime of several hours for critical devices such as heart rate monitors or IV pumps is unacceptable. A security solution that can detect anomalies in real time and can quarantine the device or take other remediation action is a must for any health care organization.
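The two paragraphs above describe learning a device's normal behavior and acting on deviations without waiting for a signature. The following Python is an added, deliberately simple illustration of that idea and is not any vendor's algorithm or code from the original article: it records the (peer, port) pairs a device talks to during a learning window, flags later flows outside that set, and escalates from an alert to a quarantine decision once the deviation count crosses a threshold. The flow records, device names and threshold are constructed for the example.

```python
"""Added example: a minimal behavioral baseline for connected devices.
Constructed flow records are split into a learning phase and a monitoring
phase; anything a device does in monitoring that it never did in learning is
an anomaly, and enough anomalies turn an alert into a quarantine decision.
Not a vendor algorithm; all names and thresholds are assumptions."""

from collections import defaultdict

# Constructed flow records: (device, peer, dst_port, phase).
# xray-01 normally talks only to the PACS server and an NTP server; in the
# monitoring phase it starts reaching unknown hosts on port 445.
FLOWS = [
    ("xray-01", "pacs.hospital.local", 104, "learn"),
    ("xray-01", "ntp.hospital.local", 123, "learn"),
    ("xray-01", "pacs.hospital.local", 104, "learn"),
    ("monitor-07", "central-station.hospital.local", 443, "learn"),
    ("xray-01", "pacs.hospital.local", 104, "monitor"),
    ("xray-01", "10.0.99.7", 445, "monitor"),
    ("xray-01", "10.0.99.8", 445, "monitor"),
    ("xray-01", "10.0.99.9", 445, "monitor"),
    ("monitor-07", "central-station.hospital.local", 443, "monitor"),
]


def learn_baseline(flows):
    """Normal (peer, port) pairs per device, taken from the learning window."""
    baseline = defaultdict(set)
    for device, peer, port, phase in flows:
        if phase == "learn":
            baseline[device].add((peer, port))
    return dict(baseline)


def find_anomalies(flows, baseline):
    """Monitoring-phase flows whose (peer, port) was never seen in learning.
    A device absent from the baseline has no known-good set, so every one of
    its flows is reported."""
    return [(device, peer, port)
            for device, peer, port, phase in flows
            if phase == "monitor" and (peer, port) not in baseline.get(device, set())]


def decide(flows, baseline, threshold=3):
    """Per-device action: 'ok' with no anomalies, 'alert' below the threshold,
    'quarantine' once anomalies reach it.  Every baselined device gets a verdict."""
    counts = defaultdict(int)
    for device, _, _ in find_anomalies(flows, baseline):
        counts[device] += 1
    verdicts = {}
    for device in set(baseline) | set(counts):
        n = counts.get(device, 0)
        verdicts[device] = "ok" if n == 0 else ("quarantine" if n >= threshold else "alert")
    return verdicts


if __name__ == "__main__":
    base = learn_baseline(FLOWS)
    for anomaly in find_anomalies(FLOWS, base):
        print("anomaly:", anomaly)
    print(decide(FLOWS, base))
```

The threshold is what keeps a single new maintenance connection from taking an X-ray machine offline; in practice the learning window also has to be long enough to cover a device's full duty cycle, or the first monthly upload to the PACS will look like an anomaly.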
Hit Your Stride: Optimizing device operations
Security for connected medical devices, unfortunately, is not a set-it-and-forget-it project. The inventory of medical devices continually changes: new devices are often put into service, and old devices are retired or moved to other locations. Therefore, your security must adapt to an ever-changing set of assets. If you are able to automate much of the first two steps above, you are very close to hitting your stride. You will gain insight into newly connected devices and can rest assured that they are being continuously monitored.
You'll truly hit your stride when you have insight not only into the security of every connected medical device, but into all operational aspects of these devices. You can "predict" when devices are due for service based on actual usage rather than a fixed schedule. You can redistribute devices to maximize ROI. And you can pass audits with ease, since your asset inventory is always up to date and accurate.
Xu Zou is the CEO and co-founder of ZingBox. Before starting ZingBox in 2014, he was senior director of Aerohive Networks, where he launched Aerohive’s cloud-based bring-your-own-device (BYOD) security product. Prior to Aerohive, he was senior director of Aruba Networks, where he managed Aruba’s industrial and carrier product line. He also holds 10 international patents on security and networking.