By Joseph E. Fishel, CBET, MBA
About 2,500 years ago, the city of Troy was protected by a high wall around the city. The invading Greeks had tried for 10 years to breach the wall with no success. As the story goes, a peace offering was given in the form of a wooden horse and left outside the gate. Inside the wooden horse were 30 men. That night, after the horse had been moved inside the wall, they emerged and opened the gates; the Greek army entered Troy, and that was the end of Troy.
This happens every day in the cyber world. Viruses are brought in on computers, tablets, cellphones and thumb drives, and they are not introduced intentionally. The Greeks (or the virus) are now inside the wall. Patching and antivirus have been issues on medical devices for years and are always behind when the latest virus hits the cyber world. This makes medical devices the most vulnerable. So, what can we do?
We built a perimeter wall to prevent invaders from coming in, but how do we protect from within? The simplest place to start is an enterprise policy and procedures for employees. IS/IT usually has one, but it doesn't mention medical devices, even though they have the same vulnerabilities as the IS/IT department's computers. This policy needs to prohibit the use of thumb drives and the plugging of cellphones and tablets into medical devices or hospital computers. If all employees are aware of the vulnerability, a smaller share of intrusions will originate with employees. The employees are also your eyes, preventing patients and visitors from doing the same. This policy also needs to cover accessing the Internet from a medical device. Lab and imaging devices have Internet access so that they can communicate with the vendor. They should not be used to check personal email or surf the net. Doing so is, in essence, opening the door to hackers and providing access to the network.
There are several different approaches to protect from within and sometimes you have to use all of them to achieve your goal.
Limiting what gets onto your network is one way of protecting the network. There are primarily three different ways to do this, and each has its own level of protection. The lowest level is using a MAC/NAC server. The MAC address is collected from all known devices and entered into a Network Access Controller. When a device is turned on, its MAC address is compared against the known list, and if the device is found it is allowed onto the hospital network. If someone obtains the MAC address of a device, they could use it to imitate the device and access your network.
The second way is a bit more secure and requires PEAP and a Root Certificate to authenticate.
The final way is to use PEAP and a Certified Certificate – which usually has a license fee attached to it.
Another way to protect from within is to restrict what a device talks to and what talks to it. This is done through the use of virtual LANs (VLAN) and Access Control Lists (ACL). A VLAN is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2). LAN is an abbreviation of Local Area Network. To subdivide a network into virtual LANs, one configures a network switch or router.
The IS/IT team knows how to create these and can create them for you. Some thought needs to go into how you want to segregate your VLANs. Do you divide by manufacturer or by department? Each has its benefits. Dividing by manufacturer makes it easier to push patches out to the devices. Putting a department on a VLAN makes it easier to apply an ACL, as much of the communication is between the devices in the department. When an ACL is applied at this level, you can restrict it to two-way traffic, from the device to the app server and back. This prevents what is referred to as East/West traffic. If a hacker gets inside the wall to a workstation, they can only talk to the other devices that the workstation's VLAN is allowed to talk to. This limits an intrusion. With virus protection on the server, you can get immediate notification should an intrusion occur and isolate the device until it can be remediated. These are electronic, or network, options that protect at several levels.
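As an added illustration that is not from the article or its author, this is what the department-VLAN ACL described above could look like on a Cisco IOS router or layer-3 switch. The VLAN number, subnets and server addresses are constructed placeholders, and the device application is assumed to run over TCP port 443.

```cisco
! Added example (not from the article). Constructed values:
!   10.20.0.0/24  = imaging department medical-device VLAN 20
!   10.50.0.10    = the department's application server
!   10.50.0.53    = internal DNS server
! Assumption: the device/server application runs over TCP 443.

! Traffic leaving the device VLAN: devices may reach only the app
! server and DNS. The final deny drops and logs everything else,
! including attempts to reach other VLANs or staff workstations
! (the East/West traffic the article mentions).
ip access-list extended MEDDEV-VLAN20-IN
 remark Devices -> app server only
 permit tcp 10.20.0.0 0.0.0.255 host 10.50.0.10 eq 443
 permit udp 10.20.0.0 0.0.0.255 host 10.50.0.53 eq 53
 deny   ip 10.20.0.0 0.0.0.255 any log

! Traffic entering the device VLAN from the rest of the network:
! only the app server's replies on already-established TCP
! connections and DNS answers. Nothing else can open a connection
! to a device; add a specific permit line if a vendor or patch
! server legitimately needs to.
ip access-list extended MEDDEV-VLAN20-OUT
 remark App server replies -> devices only
 permit tcp host 10.50.0.10 eq 443 10.20.0.0 0.0.0.255 established
 permit udp host 10.50.0.53 eq 53 10.20.0.0 0.0.0.255
 deny   ip any 10.20.0.0 0.0.0.255 log

interface Vlan20
 description Imaging department medical devices
 ip address 10.20.0.1 255.255.255.0
 ip access-group MEDDEV-VLAN20-IN in
 ip access-group MEDDEV-VLAN20-OUT out
```

Traffic between two devices inside the same VLAN is switched at layer 2 and never reaches this interface ACL, so isolating devices from each other within a department needs port ACLs or private VLANs. Review the logged denies after deployment to catch any legitimate flow the rules missed.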
Another way of protecting a device is the use of a firewall or a bridge. These cost between $350 and $1,000 each. Many of us don't have $3 million to replace a linear accelerator that has XP on it. So, how can you protect it at a reasonable cost? This can be done with the use of a bridge. The linear accelerator talks to the bridge and the bridge talks to the network, creating a firewall. A search of the network for the linear accelerator reveals only the bridge, not the linear accelerator, so it is isolated from the network. There are a lot of lab analyzers in a similar situation that can be protected in this manner. The device is still vulnerable to thumb drives and cellphones being plugged into the HDMI port, but it is isolated from the network. When looking at this option, make sure the bridge can handle the bandwidth of the traffic to and from the device. The IS/IT team may have already identified a standard for these.
Each of these approaches has some nuances when applied to wireless, static IP or DHCP devices. These need to be looked into with your IS/IT team to determine what can be done and how. Knowing what makes up your inventory, and how each device connects, is important and will make this easier.
Joseph E. Fishel, CBET, MBA, is a Healthcare Technology Systems Manager for Sutter Health eQuip Services.