Okay, maybe I watch too much of the Canadian sitcom Letterkenny, and while it may be
considered inappropriate for younger viewing audiences, there is one saying in
there that I have tried to apply to my everyday life and that is “Pitter
patter, let’s get ‘er.”
What exactly does that mean?
Basically, let’s do it already, get it done, chop chop, right now.
What do we need to get done, you ask? Well, cybersecurity of our medical devices,
of course.
Some of you have been watching the trends for years. Unfortunately, many more wait for a problem
to occur elsewhere before taking action. Even worse, others standby and just
let a problem grow until it turns into a catastrophe that was completely
avoidable.
An automobile is a good example. It requires basic maintenance to stay in top
running condition. Things like oil
changes, tire rotation and other basic maintenance ensure that when you cross
the 100,000-mile mark on the odometer, your car is there with you for the long
haul. If you ignore that maintenance,
then you could end up with a burdensome towing and mechanical repair bill.
Ignoring medical device cybersecurity, is much worse. If you never change the oil in your car, the
engine will eventually seize, possibly leaving you stranded.
When lack of security maintenance to medical devices occurs,
well, everyone gets hurt.
In healthcare, we care for patients. That is what we do. It is our entire mission. When our healthcare networks get breached,
our patients suffer the most. After all,
it is their health and personal information that are at greatest risk due to
vulnerabilities that exist in the health care market.
Now, back to “Pitter patter, let’s get ‘er.” How should we
proceed to remediate our vulnerabilities?
If you listen to many of the vendors in the burgeoning field
of healthcare cybersecurity, the initial answer to your question is, “You need
an assessment. It will tell you
everything that is wrong, and we are great at assessing stuff!”
Okay, I paraphrased a little bit, but that is a popular
answer. Let me be clear, it is not
necessarily the wrong answer.
Nevertheless, is it the best answer?
Going back to the oil change — oversimplified, I get it — analogy. Do you want a mechanic to spend two hours
with your car to come back and tell you every single reason why you need an oil
change? Such as, the oil has broken down,
seriously impacting your engine’s lubrication abilities. If you do not change it, the friction in your
engine will build up heat until the metal warps, which will surely destroy it.
By the way, that information costs $200, because I
interviewed you, ran diagnostics and performed in-depth analysis of the oil in
your car.
That is all good information to have no doubt, but at this
point has the mechanic told you anything that has actually fixed your problem,
or have you just paid someone for a good reason to change your oil?
I would like to touch upon a different approach for
Cybersecurity of your medical devices in the now buzz-worthy world known as the
Internet of Medical Things (IoMT).
This approach is to fix the problems before they become
bigger problems.
I get it. Your next
thought is, “how do I know what my problems are so I can fix them?”
The answer can be derived by answering some basic questions:
- Do you have medical devices, such as CT
Scanners, X-Ray machines, MRIs, Infusion Pumps, etc. connected to your wired/wireless
networks?
- Are many of those vendor-maintained?
- Do you have a process in place that monitors the
operating systems they are running, and the last time they’ve been updated for
the latest patch releases?
- Does this process not only identify
vulnerabilities, but provide guidance to resolve them?
- Does the process work with the device vendors
during the remediation process to ensure the gaps are mitigated or closed?
If the answer to the first two questions is yes — You’re in
healthcare, right? — and the answers to the follow-up questions are closer to
“Ummm, Meh,” then you do not need to pay someone to tell you that again in a
100+ page report with painstaking detail.
Is not that like the mechanic giving you a 10-page
diagnostic report explaining the chemical breakdown of the oil in your car over
time?
Instead, we should have a conversation on the top items that
all healthcare entities need to be doing to protect themselves. Afterward, you could use those valuable, and
oft constrained, budget dollars to address those elements.
A typical assessment could cost anywhere from $20,000 to
$100,000, depending on the size and complexity of your organization and the
scope of the assessment. I am sure some
of you have seen them cost more.
Instead of paying for that assessment, you could apply those
dollars to actual remediation of those devices, while also gaining an
understanding of the weaknesses that exist.
Interested yet? I
hope so. Please bear with me a little
longer.
Another question: Do you have a Security Information and
Event Management (SIEM) system in place?
Your answer is likely accompanied by an eye-roll and is
similar to, “Yes, yes, we do. Since the
90’s, in fact, or at least the turn of the 21st Century.”
The truth is, many of us do have them already. They monitor networks, servers, workstations
and numerous other things that have been the target of threats for years. Also true is that many of them have done a
good job of it.
The concern is not around them protecting those devices they
were made to monitor, but is around the blind spots they may have, especially
in the medical device arena.
Next set of questions: Do you have any products that
specifically monitor all the medical devices on your network, identifies when
they are working out of the norms, and tells you how to remediate them? Do they
perform all that passively, as to not impact the critical patient health
traffic on the network? Do they report
all that information to your current SIEM, complementing your current
environment rather than replacing it?
If most of the answers are, “No.” Why not then use some of your budget dollars
to remediate that situation now? The
right system could not only tell you everything an assessment could, but also
help you track them real-time and give instructions for gap closure.
Final set of questions: What if you could get a pilot of
this system, with the cybersecurity expertise to ascertain its best placement,
set it up, monitor it and report out the findings, for less than the cost of
the typical assessment?
That would be much better than just a report.
There are several vendors with products in this field of
expertise and they claim everything from signature-based vulnerability
identification to machine-learning and Artificial Intelligence (AI)
concepts. The truth is, that some of
these are much more mature than others and are no longer proof of concept (POC)
exercises, but legitimate contenders to help you close the gaps in your medical
device vulnerability area.
Additionally, you need a good partner. Not one that provides an assessment and promises
to come back in a year to see how you have done closing the gaps, but rather,
one that works through the entire process of system selection, implementation,
monitoring and remediation. A partner
that also provides education to your staff, works with them to mitigate gaps,
and can also provide 24×7 Security Operations Center (SOC) services to spot,
isolate and remediate any brand-new vulnerabilities that the malware community cooks
up next.
It all starts with an honest conversation around Cybersecurity
and how best to protect the assets providing the most important tenet of all
healthcare organizations, taking care of patients.
Pitter patter, let’s get at ‘er.