June 8, 2018

Toby Gouker • VP and CISO

Medical Device Security Starts With An Accurate Inventory

You can’t protect what you don’t know. Getting a handle on the security of your medical and other connected devices in your healthcare facility starts with getting a handle on the inventory. Simple concept, yet why are so many healthcare organizations struggling to get a real accounting of what is being used to serve their enterprise? Many institutions feel they have a grasp on the inventory because they can point to accounting records for purchases. Once their project begins though, they are surprised to learn how inadequate accounting inventories tend to be. Historically, an organization decides to bring in a team of individuals to walk the facility and get an actual physical count of the equipment and its location along with age, operating parameters, and security features.

Today, the path forward to an accurate inventory count can be different. With the advent of big data analysis techniques and machine learning algorithms, vendors are taking advantage of the reams of data that network traffic sniffing tools can deliver and are discerning volumes of information from the data collected on their intranets. These tools work through small appliances placed on your network, typically at Layer 2. The appliances inspect large volumes of packet communications and run them through a deep machine learning algorithm to discern equipment type, manufacturer, model, operating system and many other factors of interest to clinical engineering and security professionals.

From AWS, BlueFlow and CloudPoint all the way to ZingBox, there are already many vendors who can provide you with an inventory discovery tool to include as part of your medical device security management program. Here are five quick questions you may want to ask to help you find your solution from this rapidly growing list of options: 1) How long have you been providing this solution? 2) How many healthcare deployments have you made? 3) Can you interface with my SIEM and other security management tools? 4) How many appliances will I need to install? 5) Can the solution augment network security architecture?

First is here to help you get answers to these questions and many more as you develop and/or improve your medical device security management program. We can even help you get answers to non-security aspects of these connected asset discovery tools. Given that they are always on and always monitoring device operations, many of these tools can also be put to use by your clinical engineering teams for resource leveling studies, new purchase planning and even reconfiguring maintenance schedules and equipment SLAs.

July 14, 2017

Toby Gouker • VP and CISO

A Path Towards Medical Device Security – Dr. Toby Gouker

We don’t need a blog to tell us how vulnerable our medical devices are. We don’t need to be told how challenging it is to secure them. We also don’t need to be told how much sleep we are losing over this issue; we don’t sleep anyway. What we need is a path forward. There is no elegant solution to this issue, but it doesn’t mean we have a license to throw our hands up in disgust/frustration and walk away. Malicious actors know our healthcare system’s threat surfaces are like Swiss cheese because of this issue, and before they figure out ever more efficient ways to monetize their exploits of our vulnerability we have to move to close down their ability to successfully attack. While we wait for manufacturers to deliver devices with embedded security, we have to focus on the defense of our legacy equipment. This defense begins with learning what’s out there….

Taking a lead from the Center for Internet Security’s Critical Controls, we need to start with Control #1: create a list of authorized and unauthorized devices on our network. The goal of the control makes the task sound so simple: “Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.” While this activity can be automated in many industries, the sensitivity of medical devices makes automated inventory generation unattractive in healthcare. Many medical devices have a default which leads them to stop working when queried by something outside of their normal expected operations. This can cause significant patient safety issues if tools like ICMP, Nmap or other network traffic tools are used to query devices. There are a number of vendors who offer automated discovery tools, but experience has shown that they are only able to safely capture information on roughly 30-40% of devices located on the network.

The sensitivity to query leads many facilities to bring teams in to conduct a physical inventory. Beginning with an “accounting inventory” (items we purchased), teams look to confirm location and profile information of items listed on the accounting inventory and then move to discover new locations and new devices not listed on the books. Physical inventories will give you greater than 90% of the inventory on the network. Then it is time to deploy passive tools that identify hosts based on analyzing their traffic to take you to a full inventory count. If your healthcare system dynamically assigns addresses using the Dynamic Host Configuration Protocol (DHCP), then you will want to deploy DHCP server logging. Information gathered from DHCP can be used to improve your inventory count and can help detect rogue devices.
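As an illustration of how DHCP server logs can be reconciled against the inventory without querying any device, here is an added example (not from the original post or any vendor's tool). It assumes ISC dhcpd-style `DHCPACK` syslog lines; the log lines, MAC addresses and asset names are constructed.

```python
import re

# ISC dhcpd-style DHCPACK line; the hostname in parentheses is optional.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE)

# Constructed inventory from the physical count: MAC -> asset description.
AUTHORIZED = {
    "00:1a:2b:3c:4d:5e": "Infusion pump, 4 West",
    "00:1a:2b:3c:4d:5f": "Patient monitor, ICU bed 3",
    "00:1a:2b:3c:4d:60": "Ultrasound cart, Radiology",
}

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
Jul 14 09:12:01 dhcp01 dhcpd[812]: DHCPACK on 10.20.30.41 to 00:1a:2b:3c:4d:5e (PUMP-4W-07) via eth0
Jul 14 09:12:09 dhcp01 dhcpd[812]: DHCPDISCOVER from 00:1A:2B:3C:4D:5F via eth0
Jul 14 09:12:10 dhcp01 dhcpd[812]: DHCPACK on 10.20.30.42 to 00:1A:2B:3C:4D:5F via eth0
Jul 14 09:15:44 dhcp01 dhcpd[812]: DHCPACK on 10.20.30.77 to de:ad:be:ef:00:01 (raspberrypi) via eth0
Jul 14 09:40:02 dhcp01 dhcpd[812]: DHCPACK on 10.20.30.77 to de:ad:be:ef:00:01 (raspberrypi) via eth0
"""

def reconcile(log_text, authorized):
    """Return (unknown, unseen): leased MACs missing from the inventory,
    and inventory MACs that took no lease in this log window."""
    seen, unknown = set(), {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue  # only an acknowledged lease shows a device got an address
        mac = m.group("mac").lower()  # normalise case before comparing
        seen.add(mac)
        if mac not in authorized:
            rec = unknown.setdefault(
                mac, {"ips": set(), "host": m.group("host"), "acks": 0})
            rec["ips"].add(m.group("ip"))
            rec["acks"] += 1
    return unknown, sorted(set(authorized) - seen)

if __name__ == "__main__":
    unknown, unseen = reconcile(SAMPLE_LOG, AUTHORIZED)
    for mac, rec in unknown.items():
        print(f"UNKNOWN  {mac} host={rec['host']} ips={sorted(rec['ips'])} acks={rec['acks']}")
    for mac in unseen:
        print(f"NOT SEEN {mac} ({AUTHORIZED[mac]})")
```

A device in the "not seen" list may be powered off or statically addressed, so it goes back to the physical inventory team rather than being treated as missing. A matching MAC address is also not proof of identity, since MAC addresses can be changed.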

With inventory in hand, your next task is to conduct a risk assessment and develop a risk management plan for your authorized devices. (It goes without saying that you will first be removing all unauthorized devices from your network!) Many devices may not generate or store PHI so they can be classified at a low risk level, but the risk will never be zero, as these devices do possess computing power. Even though their computing power is low in capacity, multiplied across your network and the networks of others it is valuable to botnet builders. You will want to take these assets away from malicious actors by installing compensating controls at the router/switch level to deny access to these devices to the outside world.

For devices that are actively engaged in PHI delivery, you will want to turn to CIS control #2 and take stock of the software and versions running on your devices. CIS control #2 will task you to: “Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.” Once you know what software is running, you have to work with vendors to automate the delivery of security patches in a way that does not disrupt operations. Once again, many devices are sensitive to network/computer interactions outside of their normal operating mode, and vendors will have to work with you to ensure that security updates can be made in a reliable manner.

For high PHI profile devices that the vendor won’t help you manage, and the host PHI profile devices on your network, the installation of a network segmentation strategy is recommended as a risk management technique. Through segmentation, the network becomes the control point rather than attempting to manage so many individual endpoints. The newer switches and routers on the market can be the lock down point for these medical devices, whether wired or wireless. The beauty of this technique is that through global communications with the routers/switches, uniform policy can be distributed to direct exactly which ports and protocols each device can communicate on, which users can administer each device, and which other devices each medical device can communicate with.

In a perfect world, we would then move to establish real time visibility and control for the system’s medical devices. There are a number of organizations working on developing continuous monitoring tools, but at the moment most of these tools are either in the development or piloting stage of delivery, so discussions of further security risk management for medical devices will have to wait for another day.

First Cyber Health Solutions, a Risk Management and HIT services firm, advises covered entities on how best to mitigate risk to your patients, systems and data. Learn more by visiting our website www.fcp.com.


June 19, 2017

Carter Groome • Chief Executive Officer

Patient Trust in the Age of Cyber Terrorism

Terrorism comes in many forms, all with somber outcomes. Healthcare delivery organizations must realize that they, too, are a potential target. The trust and confidence that patients (customers) have in their care providers is under assault. Covered entities must recognize that brand and reputation damage is real when it comes to breaches, med-jacking, and obstruction of care. Your security posture is already shaping patient safety and will soon factor into competitive advantage, or disadvantage, if you are not effectively communicating your cyber attentiveness with your customers.


April 27, 2017

Carter Groome • Chief Executive Officer

In 2017, Healthcare Boards Still Detached When It Comes to Cyber Awareness

8 approaches to building a more cyber savvy healthcare board

The 2017 KLAS-CHIME Healthcare Provider Security Assessment notes that only 16% of healthcare organizations feel they have a fully functional security program and more than half of the organizations that are still developing their security program are spending less than 3% of their total IT budget on security.

The year of healthcare ransom attacks, 2016, was sure to awaken healthcare boards to the possibilities, risks and organizational impact of being another victim of ever present malicious acts carried out on our industry. Information Risk Management funding is increasing at a sluggish clip, as evidenced by the recent KLAS-CHIME survey. To expedite an understanding of where additional budget allocations will have measurable impact, boards must first take the mantle of leadership by engaging both personally and strategically in cyber security.

March 30, 2017

Toby Gouker • VP and CISO

Best Practices of the Nation’s Top Systems 

First Cyber Health Solutions was fortunate to have the opportunity to learn recently what some of the nation’s leading healthcare systems are focused on in order to reduce their organization’s risk of incurring a security breach. We all know how daunting the task is of protecting our organization’s infrastructure from attack. It can be so overwhelming and complex that you don’t even know where to start. Why not follow the lead of some of our nation’s leading providers and focus first on the four areas listed below?
