Securing Medical Devices: Where Do We Start?
By Jon Benedict
There is no hotter topic in health care today than securing medical devices. With an electronic health record often fetching prices 10 times that of a credit card number, the motivation is easy enough to understand; it’s money!
As information security professionals, we understand this threat is not a scare tactic for our customers in health care. Unfortunately, the threat is as real as it gets and with patient lives literally on the line, the stakes couldn’t be any higher.
The question I am asked most often is, “Where do we start?” I’m not surprised; there is so much information out there in terms of sets of controls, like NIST, HIPAA and the Center for Internet Security (CIS). Defensive strategies like defense-in-depth and protected enclaves use tools like IDS, IPS, next-gen firewalls, etc. It’s a ton of information for even the most seasoned information security professional to digest. Imagine how overwhelming it can be to the health care professionals who are primarily focused on the treatment of patients.
The one thing we know for certain is that “security through obscurity” is no longer a valid defensive strategy. It won’t protect patients, or their private ePHI, and it won’t help reduce the impact or fines in the event of a breach.
So where do we start? In order to build an effective defensive strategy, I need to know what we’re attempting to protect. I would suggest our goal is to defend ePHI. With that in mind, I want to start with devices that generate, store or transmit ePHI. Once we know what we’re trying to defend, where it lives in the network, and what it should be connecting and communicating with, we can then start to develop a defensive strategy for these “crown jewels” of the clinical network.
Translation: Let’s start with an accurate inventory of the medical devices that includes both physical and logical metadata. Until recently, when we mentioned an accurate inventory for medical devices it typically included fields like make, model, serial number, department, PM dates, etc., but rarely included MAC address, IP address, operating system, software, firmware, and other more critical data fields needed to fully integrate with the larger enterprise network and leverage its defensive tools and capabilities. The collection of these data fields is more commonly known as “device profiling.”
I feel the best place to start is to ensure we have an accurate inventory and the device profiling information necessary to integrate with the IDS and IPS systems that are likely already in place in the rest of the enterprise network. However, this may be easier said than done with medical devices, because they are quite often more like operational technology (OT) devices that are purpose-built to perform a specific set of functions (like taking an X-ray image or performing a CT scan) than a more traditional information technology (IT) device like a laptop computer.
The best results I have seen in obtaining an accurate inventory for medical device profiling come from a combination of automated scanning tools and the good old-fashioned boots-on-the-ground concept with experienced service engineers.
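
The inventory reconciliation described above, sketched as an added example (not from the original article): it joins a biomed asset export carrying the physical fields with a network-scan export carrying the logical fields, keyed on MAC address, and lists which assets need a service-engineer walk-down, which profiles are still incomplete, and which scanned hosts are missing from inventory. The CSV layouts, field names and all sample values are constructed assumptions.

```python
import csv
import io

# Constructed sample data (all values made up): a biomed/CMMS export with
# physical fields and a network-scan export with logical fields.
CMMS_CSV = """serial,make,model,department,mac
SN-1001,ExampleCo,CT-9,Radiology,00:11:22:AA:BB:01
SN-1002,ExampleCo,XR-3,Radiology,
SN-1003,DemoMed,Pump-7,ICU,00-11-22-aa-bb-03
"""
SCAN_CSV = """mac,ip,os,firmware
00:11:22:aa:bb:01,192.0.2.11,Windows 7 Embedded,4.2.1
00:11:22:AA:BB:03,192.0.2.20,,
00:11:22:AA:BB:99,192.0.2.44,Linux 3.10,1.0.8
"""
LOGICAL_FIELDS = ("ip", "os", "firmware")

def norm_mac(mac):
    """Normalize a MAC to lowercase hex without separators ('' if absent)."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def reconcile(cmms_text, scan_text):
    """Join inventory and scan rows on MAC; return profiles and three work lists."""
    scan = {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(scan_text))}
    profiles, walkdown, incomplete, seen = [], [], [], set()
    for asset in csv.DictReader(io.StringIO(cmms_text)):
        mac = norm_mac(asset["mac"])
        hit = scan.get(mac) if mac else None
        if hit is None:
            # No MAC on record or not seen on the wire: needs a physical visit.
            walkdown.append(asset["serial"])
            continue
        seen.add(mac)
        profiles.append({**asset, "mac": mac, **{f: hit[f] for f in LOGICAL_FIELDS}})
        missing = [f for f in LOGICAL_FIELDS if not hit[f]]
        if missing:
            # The scanner could not fingerprint an OT-style device.
            incomplete.append((asset["serial"], missing))
    # Hosts on the network that no inventory record accounts for.
    unknown = sorted(r["ip"] for m, r in scan.items() if m not in seen)
    return profiles, walkdown, incomplete, unknown

if __name__ == "__main__":
    profiles, walkdown, incomplete, unknown = reconcile(CMMS_CSV, SCAN_CSV)
    print("walk-down needed:", walkdown)
    print("incomplete profiles:", incomplete)
    print("scanned but not in inventory:", unknown)
```

The walk-down and incomplete lists are the hand-off to service engineers, while the unknown-host list is the hand-off to the network team.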