By Joseph E. Fishel, CBET, MBA
Sometimes you can’t use the normal setup and have to be creative to keep medical equipment working and communicating while still protecting it from vulnerabilities. Medical equipment lags the IS/IT industry by a minimum of three years. Mitigating controls are the controls we fall back on when the normal controls are unable to correct or prevent a problem. Recently we had BlueKeep (CVE-2019-0708), a vulnerability in the Windows Remote Desktop Protocol (RDP) service, appear. Some manufacturers would not support the Microsoft patch, nor would they provide one of their own. In addition, Wind River has announced vulnerabilities in VxWorks, an embedded real-time operating system that runs inside many medical devices. So, what can we do?
There are short-term solutions and long-term solutions, and all of them come down to time and money. Which way you go is your institution’s decision. You can hire a third-party organization such as GE Healthcare for its cyber solution, or you can build the program in-house yourself. I previously discussed some of these options; here I am going to put them all together in more detail.
A patch is a short-term solution. A vulnerability comes out and, if the device is patchable, you patch it. On a medical device that usually means waiting until the manufacturer has validated the patch, so there is a lag between the day the patch is released and the day you are allowed to install it. When the next vulnerability comes out you patch again, and the cycle continues until the OS reaches end of life and there are no more patches to be had. When that happens, a device that used to be patchable has to move to mitigating controls.
Long-term solutions are the ones that, once put in place, require minimal maintenance and provide ongoing protection.
Designated VLANs
A VLAN, or virtual LAN (virtual local area network), is a subnetwork that groups together a collection of devices regardless of which physical switch they are plugged into. We talked about putting medical devices on designated VLANs and assigning an ACL (Access Control List) to limit what talks to the device and what the device talks to, down to the protocol and port used. This protection is very labor intensive: the rules have to be written by hand for every device and every flow, and they must be continuously maintained and monitored as devices, servers and addresses change. An update of the security settings on the switch can disable the VLAN for a while until it is corrected. Devices on a VLAN can still be reached by vulnerability scanners and system-scanning tools unless the ACL explicitly blocks them, and such scans can knock fragile medical devices off the network. Keep in mind that a router ACL only sees traffic entering or leaving the VLAN; two devices on the same VLAN can still talk to each other unless the switch also supports VLAN ACLs or private VLANs.
Firewalls and Firewalling Devices
Firewalls are another form of protection. These have advanced from a simple device such as a Silex bridge to systems where a small firewall box is installed inline between the device and the network, isolating the device from everything else. The boxes can be programmed remotely to perform the same functions as the VLAN and ACL, either one at a time or en masse should the need arise. This requires a lot of upfront cost for the firewall boxes, plus the work of installing them, which includes creating an IP address and host name for each box. Once set up, it allows remote access so that any change needed for a new vulnerability is made on the box rather than on the device, so the manufacturer’s OS and applications are never touched. The box also hides the device from the network: only the box can be seen, and the device is isolated from scans. The flip side is that your vulnerability scanner now reports on the box rather than the device, so the device’s unpatched state has to be tracked in your inventory instead of being discovered by scanning.
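Both the VLAN ACL described above and the inline firewall box enforce the same kind of allow-list: rules are checked in order, the first match wins, and anything that matches nothing is dropped. The following Python is an added example written for this article, not the author’s code and not any switch or firewall vendor’s. Every address, subnet, rule set and flow in it is constructed for illustration, and the 8443 “server-initiated config push” rule is a hypothetical flow. The evaluator treats each flow as the first packet of a new connection, so return traffic of a permitted session is assumed to be handled by the firewall’s state table or an “established” clause and is not modeled.

```python
"""Allow-list evaluator for a designated medical-device VLAN ACL or an inline firewall box.

Added example, not code from the article or any vendor. Every address, subnet,
rule set and flow below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """The first packet of a new connection (stateful semantics: replies are not re-evaluated)."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None     # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str                        # CIDR; a single host is written as /32
    dst: str
    proto: str = "any"
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and self.proto in ("any", flow.proto)
                and (self.dport is None or self.dport == flow.dport))


def evaluate(rules: Iterable[Rule], flow: Flow) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins. A flow matching no rule is denied, which is the
    implicit deny at the end of a router ACL or a default-drop firewall policy."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule
    return "deny", None


# Constructed addressing
DEVICE_VLAN = "10.50.0.0/24"        # designated VLAN for infusion pumps
PUMP        = "10.50.0.17/32"
PUMP_SERVER = "10.10.5.20/32"       # vendor application server the pump must reach
DNS_SERVER  = "10.10.1.53/32"
IT_SUBNET   = "10.10.0.0/16"        # general IT/IS network, which also hosts the scanner
SCANNER     = "10.10.9.5"

# Loose ACL: "let IT and the device VLAN talk". This reaches the pump's RDP port
# and lets the vulnerability scanner hit the device, which is what knocks it offline.
LOOSE = [
    Rule("permit", DEVICE_VLAN, IT_SUBNET),
    Rule("permit", IT_SUBNET, DEVICE_VLAN),
]

# Tight ACL: block RDP to every device first (unsupported BlueKeep-era hosts),
# then permit only the flows the pump needs; everything else hits implicit deny.
TIGHT = [
    Rule("deny",   "0.0.0.0/0", DEVICE_VLAN, "tcp", 3389),
    Rule("permit", PUMP,        PUMP_SERVER, "tcp", 443),
    Rule("permit", PUMP,        DNS_SERVER,  "udp", 53),
    Rule("permit", PUMP_SERVER, PUMP,        "tcp", 8443),   # hypothetical: server-initiated config push
]

# Constructed connections to check against each rule set.
CHECKS: Dict[str, Flow] = {
    "pump -> server https":   Flow("10.50.0.17", "10.10.5.20", "tcp", 443),
    "scanner -> pump rdp":    Flow(SCANNER, "10.50.0.17", "tcp", 3389),
    "scanner -> pump ssh":    Flow(SCANNER, "10.50.0.17", "tcp", 22),
    "server -> pump rdp":     Flow("10.10.5.20", "10.50.0.17", "tcp", 3389),
    "pump -> internet https": Flow("10.50.0.17", "203.0.113.9", "tcp", 443),
    "pump -> pump smb":       Flow("10.50.0.17", "10.50.0.18", "tcp", 445),
}


def audit(rules: Iterable[Rule]) -> Dict[str, str]:
    """Return the action each check connection receives under the given rule set."""
    rules = list(rules)
    return {name: evaluate(rules, flow)[0] for name, flow in CHECKS.items()}


if __name__ == "__main__":
    for label, ruleset in (("LOOSE", LOOSE), ("TIGHT", TIGHT)):
        print(label)
        for name, action in audit(ruleset).items():
            print(f"  {action:6} {name}")
```

Under LOOSE the scanner and the application server both reach the pump’s RDP port, which is exactly the exposure the article describes. Under TIGHT only the pump-to-server HTTPS check is permitted; the scanner, RDP from anywhere, the internet and the neighbouring pump are all denied. Note that the evaluator only judges the flows you hand it: on a real router ACL the “pump -> pump smb” flow never reaches the ACL at all because it stays inside the VLAN, which is one reason a per-device firewall box closes a gap that a VLAN ACL alone leaves open.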
Systems Control Engines
These are relatively new to the cyber scene. A Systems Control Engine uses machine learning to continuously inspect and baseline the behavior of every device on the network, and from that baseline it provides security, ongoing management and optimization of all of those assets from one place. It integrates with existing frameworks such as CMMS, ITSM, SIEM, NAC and firewalls, which eliminates the need to administer multiple disparate systems. It identifies when new devices are put on the network and uses artificial intelligence to work out what those devices probably are. The list of companies providing this type of system is growing; two of the early developers of the technology are ORDR and Zingbox. With this technology you gain remote isolation of a device, yet your devices remain visible on the network to your vulnerability scanning tool. Because the protection depends on the learned baseline, traffic that was already present during the learning window will be treated as normal, so the baseline period needs to be reviewed rather than accepted blindly.
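To make the baselining idea concrete, here is an added example, written for this article and not taken from ORDR, Zingbox or the author. It is a deliberately simplified stand-in: a set-based learner rather than a real machine-learning model, but it shows the two things the paragraph describes, learning each inventoried device’s normal peers during a baseline window and then alerting on hardware that is not in the inventory and on flows outside the baseline. It also shows how a learned baseline can be turned into permit lines for the VLAN ACL or the firewall box. All MAC addresses, IP addresses, asset labels and flow records are constructed.

```python
"""Behaviour baselining for medical devices: a simplified stand-in for the
machine-learning engines described in the article (a set learner, not real ML).

Added example, not code from the article, ORDR or Zingbox. Every MAC address,
IP address, asset label and flow record below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class FlowRecord:
    mac: str        # source hardware address, as a NAC or span-port sensor would report it
    src: str        # source IP
    dst: str        # destination IP
    proto: str      # "tcp" or "udp"
    dport: int


Peer = Tuple[str, str, int]  # (dst, proto, dport)


class BehaviourBaseline:
    """Learn each inventoried device's peer set during a baseline window; afterwards,
    flag flows outside that set and any hardware that is not in the inventory."""

    def __init__(self, inventory: Dict[str, str]):
        self.inventory = dict(inventory)                  # MAC -> asset label
        self.addr: Dict[str, str] = {}                    # MAC -> last seen IP
        self.profile: Dict[str, Set[Peer]] = defaultdict(set)
        self.learning = True

    def freeze(self) -> None:
        """Close the baseline window; from here on deviations raise alerts instead of being learned."""
        self.learning = False

    def observe(self, rec: FlowRecord) -> List[str]:
        if rec.mac not in self.inventory:
            # Unknown hardware on the device VLAN is a finding in itself.
            return [f"NEW DEVICE {rec.mac} at {rec.src} is not in inventory"]
        self.addr[rec.mac] = rec.src
        peer: Peer = (rec.dst, rec.proto, rec.dport)
        if self.learning:
            self.profile[rec.mac].add(peer)
            return []
        if peer not in self.profile[rec.mac]:
            label = self.inventory[rec.mac]
            return [f"DEVIATION {label} {rec.src} -> {rec.dst} {rec.proto}/{rec.dport} not in baseline"]
        return []

    def suggested_rules(self, mac: str) -> List[str]:
        """Turn a learned baseline into permit lines that could be pushed to the
        VLAN ACL or the device's inline firewall box (router-style syntax, illustrative)."""
        src = self.addr[mac]
        return [f"permit {proto} host {src} host {dst} eq {dport}"
                for dst, proto, dport in sorted(self.profile[mac])]


# Constructed inventory and traffic
PUMP = "00:11:22:33:44:01"
MONITOR = "00:11:22:33:44:02"
INVENTORY = {PUMP: "infusion-pump-17", MONITOR: "patient-monitor-31"}

BASELINE_WINDOW = [
    FlowRecord(PUMP, "10.50.0.17", "10.10.5.20", "tcp", 443),     # pump -> vendor server
    FlowRecord(PUMP, "10.50.0.17", "10.10.5.20", "tcp", 443),
    FlowRecord(PUMP, "10.50.0.17", "10.10.1.53", "udp", 53),      # pump -> DNS
    FlowRecord(MONITOR, "10.50.0.31", "10.10.5.40", "tcp", 104),  # monitor -> PACS (DICOM)
]
LIVE_TRAFFIC = [
    FlowRecord(PUMP, "10.50.0.17", "10.10.5.20", "tcp", 443),                  # normal
    FlowRecord(PUMP, "10.50.0.17", "10.50.0.31", "tcp", 3389),                 # pump opening RDP to the monitor
    FlowRecord("de:ad:be:ef:00:01", "10.50.0.99", "10.10.5.20", "tcp", 443),   # hardware nobody inventoried
    FlowRecord(MONITOR, "10.50.0.31", "10.10.5.40", "tcp", 104),               # normal
]


def run_demo() -> List[str]:
    """Learn from the baseline window, then return the alerts raised by live traffic."""
    engine = BehaviourBaseline(INVENTORY)
    for rec in BASELINE_WINDOW:
        engine.observe(rec)
    engine.freeze()
    alerts: List[str] = []
    for rec in LIVE_TRAFFIC:
        alerts.extend(engine.observe(rec))
    return alerts


def pump_rules() -> List[str]:
    """Permit lines derived from the pump's learned baseline."""
    engine = BehaviourBaseline(INVENTORY)
    for rec in BASELINE_WINDOW:
        engine.observe(rec)
    return engine.suggested_rules(PUMP)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
    print("\n".join(pump_rules()))
```

The live traffic produces exactly two alerts: the pump opening RDP to the patient monitor, and an uninventoried MAC address on the device VLAN. The derived permit lines for the pump contain only the two peers seen during the window, which is the hand-off point to the ACL or firewall box from the earlier sections. The weakness is the same one the paragraph above warns about: whatever was happening during the baseline window becomes “normal”, so the learned profile should be reviewed before it is enforced.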
Using any of the three approaches above, alone or in combination, will give you mitigating controls to protect devices on the network.