By Joseph E. Fishel, CBET, MBA
I have found that fact, logic, and common sense are frequently a strong basis for making good decisions. When I made decisions that weren’t good, I usually found that I didn’t have enough facts, or the right facts, which skewed my logic and common sense.
Facts:
Cybersecurity hacking is now a way of life.
You don’t know what you don’t know.
Logic:
Gather all of the information you can on what your network is capable of right now.
Talk to your IS/IT department about decisions already made for the future. Are they switching network vendors, increasing security levels, etc.?
Common Sense:
Gather all the information you can on what you have available to you. Set up a meeting with your IS team. Some organizations only have 1 or 2 IS/IT staff and others may have over 1,000. Determine what you have and what you can do, and then develop a plan.
At the many cybersecurity lectures I have attended, everyone seems to be on board about cybersecurity being a priority, but where to start seems to be vague. We are at a point similar to someone who is starting to put a jigsaw puzzle together. Some people sort out all the corners and edges and complete the outline first. Others sort out piles of colors or parts of objects together and work from there.
Fact/Logic
With most cybersecurity attacks coming from outside your organization, the logic is to build a wall or protect your devices from being seen or accessed from the Internet. If you can’t be seen from the Internet, it is harder to grab network information. You don’t want a hacker to get control of a surgical robot during a surgery.
Perimeter protection is the same as building a wall. This is why sitting down with your IS/IT team is important. They know their system and can help identify the means and methods needed to protect the medical equipment from being seen from the Internet. Because medical devices connect in different ways, Internet of Things (IoT) protection may have to differ from device to device. Some networking systems can only protect using a MAC address, others an IP address. It is important to find out what your current system can do so that you can start utilizing its capabilities. Devices that connect wirelessly may need special attention.
The IS team may already have a perimeter protection plan in place. Remember that the plan covers their IS/IT equipment, but medical devices may not have been included. One way to protect them is to use an Access Control List (ACL), which is a table that tells a computer operating system which access rights each user has to a particular system object, such as a file directory or individual file. This is used in a manner similar to parental control on your TV. On a router, the same idea is applied to network traffic: the list states which traffic is allowed to pass and which is blocked. Placing an ACL on an edge router can create the perimeter we are trying to create. An edge router is a specialized router residing at the edge or boundary of a network. This router ensures the connectivity of its network with external networks, a wide area network or the Internet. An edge router uses an External Border Gateway Protocol, which is used extensively over the Internet to provide connectivity with remote networks. Applying an ACL to edge routers is a way of restricting a device from being queried from the Internet.
Some devices will still require an Internet connection to function. You will have to identify whether a device needs to connect to the Internet and include that connection in your ACL to allow the device to continue to operate. This is especially important for remote VPN and alert callouts such as CTs arcing or MRI helium levels. Monitoring for 30 days prior to lockdown can give you an indication of what devices actually communicate outside the hospital, but if no emergency callouts occur you won’t see them.
There is no one way to protect all devices. Because of how devices are used and how they connect, whether it be static, DHCP, wired or wireless, they all have special needs. Identifying how to do this within your network will require feedback from your IS/IT networking team, and that should be the first step. Depending on the networking system, it may require the MAC address, the IP address or a host name. Using an IP address can be difficult: when a device is set up on DHCP, the IP address keeps changing, so the protection can’t be done. In that case, other options need to be identified.
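The monitoring step and the DHCP problem described above can be worked through together. The following is an added example, not code from the article: it turns constructed flow records from a monitoring window into allow entries for a default-deny perimeter, keys DHCP devices on their MAC address, and lists callout devices that stayed silent. The inventory, addresses, field names and the 10.0.0.0/8 internal range are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: "ip" is None for DHCP devices; "callout" marks devices
# expected to make emergency callouts (all names and values are hypothetical).
INVENTORY = {
    "00:1a:2b:00:00:01": {"name": "CT-1", "ip": "10.20.0.11", "callout": True},
    "00:1a:2b:00:00:02": {"name": "MRI-1", "ip": "10.20.0.12", "callout": True},
    "00:1a:2b:00:00:03": {"name": "PUMP-7", "ip": None, "callout": False},
}
# Constructed flow records from the monitoring window: (mac, dst_ip, dst_port)
FLOWS = [
    ("00:1a:2b:00:00:01", "203.0.113.10", 443),   # CT-1 to an outside address
    ("00:1a:2b:00:00:01", "10.20.0.5", 104),      # CT-1 to an internal server
    ("00:1a:2b:00:00:03", "198.51.100.7", 443),   # PUMP-7, seen twice
    ("00:1a:2b:00:00:03", "198.51.100.7", 443),
]
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]   # assumed hospital address space

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def plan_perimeter(inventory, flows):
    """Turn observed outbound traffic into allow entries; everything else is denied."""
    outside = defaultdict(set)
    for mac, dst, port in flows:
        if mac in inventory and is_external(dst):
            outside[mac].add((dst, port))
    plan = {"permit_by_ip": [], "permit_by_mac": [], "confirm_callouts": []}
    for mac, dev in inventory.items():
        for dst, port in sorted(outside[mac]):
            if dev["ip"]:      # static address: an IP-based rule stays valid
                plan["permit_by_ip"].append((dev["ip"], dst, port))
            else:              # DHCP: the IP changes, so key the rule on the MAC
                plan["permit_by_mac"].append((mac, dst, port))
        # A callout device that stayed silent may simply have had no emergency
        if dev["callout"] and not outside[mac]:
            plan["confirm_callouts"].append(dev["name"])
    return plan

if __name__ == "__main__":
    for section, entries in plan_perimeter(INVENTORY, FLOWS).items():
        print(section, entries)
```

Devices listed under confirm_callouts need their callout destinations confirmed some other way before lockdown, because the monitoring window never showed them.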
While working on this you should also be starting on your strategic plan. The information or fields for your CMMS to collect need to be identified. You can start with MAC addresses and IP addresses. Networking is based primarily on these two items, and they are important. You need to be verifying these on your devices and collecting them in your CMMS. Other data to consider collecting are the operating system manufacturer and version, as well as the service patch and patch levels. When WannaCry was being released, it was imperative to have this information to know which devices were and weren’t vulnerable.
Knowing this information made it possible to quickly identify which devices were affected so that a remediation plan could be developed. In some cases, knowing what service patch level or patch is on the device can make the difference in the number of vulnerable devices.
Constant updating of the data is imperative. Other things to consider are which devices use microprocessors and whose microprocessor it is. This was important for identifying medical devices susceptible to Spectre and Meltdown and, if they were networked, for identifying the risk.
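The triage described above, as an added example that is not part of the original article: it sorts a constructed CMMS export into vulnerable, unknown and not-affected devices for WannaCry. The field names and asset tags are hypothetical, and recording the Microsoft bulletin ID MS17-010 as the patch marker is an assumption about how the CMMS stores patch levels.

```python
# Constructed CMMS export; field names are assumptions, not a real CMMS schema.
# "patches" is None when the patch level was never recorded for the device.
CMMS = [
    {"asset": "US-0042", "os": "Windows 7", "patches": ["MS17-010"], "networked": True},
    {"asset": "XR-0107", "os": "Windows XP", "patches": [], "networked": True},
    {"asset": "PM-0311", "os": "Windows 7", "patches": None, "networked": True},
    {"asset": "IV-0920", "os": "VxWorks", "patches": [], "networked": True},
    {"asset": "EKG-0005", "os": "Windows XP", "patches": [], "networked": False},
]

# WannaCry spread to Windows systems that were missing the MS17-010 update.
# Simplification: any Windows device without that update recorded is treated
# as vulnerable, whatever its Windows version.
ADVISORY = {"name": "WannaCry", "os_family": "Windows", "fixed_by": "MS17-010"}

def triage(records, advisory):
    """Sort asset tags into buckets that drive the remediation plan."""
    buckets = {"vulnerable": [], "vulnerable_not_networked": [],
               "unknown": [], "not_affected": []}
    for rec in records:
        os_name, patches = rec.get("os"), rec.get("patches")
        if not os_name:
            bucket = "unknown"                   # no operating system recorded
        elif not os_name.startswith(advisory["os_family"]):
            bucket = "not_affected"              # different operating system
        elif patches is None:
            bucket = "unknown"                   # patch level never collected
        elif advisory["fixed_by"] in patches:
            bucket = "not_affected"              # fix is recorded as installed
        elif rec.get("networked"):
            bucket = "vulnerable"
        else:
            bucket = "vulnerable_not_networked"  # lower exposure, still unpatched
        buckets[bucket].append(rec["asset"])
    return buckets

if __name__ == "__main__":
    for bucket, assets in triage(CMMS, ADVISORY).items():
        print(bucket, assets)
```

The unknown bucket is the inventory gap: those devices have to be checked by hand before they can be counted either way.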
We can’t always protect, but we can identify what is vulnerable to prepare for the future. Identifying the manufacturer of your network card on a device can be important information for the future as well. The Boy Scout Motto is “Be prepared.” We must be prepared to keep our hospitals a safe place to treat and heal.
Joseph E. Fishel, CBET, MBA, is a Healthcare Technology Systems Manager for Sutter Health eQuip Services.