Medical Device Security - Start With the Basics
Medical device security is something most HIT leaders don't want to deal with. Not only do IT leaders have enough to work on without adding another entire area of focus, but often they are not sure how to even approach the topic.
In a recent blog post on ISACA, I outline three steps anyone in HIT can take to begin securing medical devices. The post, found here, is a good starter for anyone interested in locking down access to medical devices. [For those of you who don't trust click links, here's the URL: http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=1153]
Another great resource for medical device security can be found on the IEEE website at https://innovationatwork.ieee.org/medical-device-cyber-security/
The reality is this. The overall likelihood that a medical device will get infected or hijacked as an attack vector is relatively low in the scheme of things. The potential impact, if infected, is extremely high. If we take a LOW likelihood and mix it with a VERY HIGH impact, we come out with a HIGH or VERY HIGH or CRITICAL risk (depending on how your organization manages your risk matrix...and please don't tell me you don't have one....that's a 101 item, I'll cover it in a subsequent blog post).
So, medical devices that connect to the network are very likely:
A. Not able to run anti-virus software
B. Running some decrepit and out-of-support operating system (like embedded Windows, for example, or Window XP)
C. Not visible to the network monitoring tools (likely because they have not been profiled by the network monitoring tool)
If you have network-connected medical devices, you have to take some basic steps to protect them. There are vendors who have developed non-invasive, agent-less protective systems and those might be worth a look. However, many healthcare organizations are running on razor thin margins and adding yet another software tool might be cost prohibitive. In those cases, take basic precautions to protect your devices.
1. Know what you have - do you have an inventory of network-connected medical devices? If not, get one. Work with your counterpart in Clinical Engineering (sometimes referred to as Biomed or Tech Management or Biomed Engineering).
2. Know what can run anti-virus (or other end point security) and what can't. Some newer systems, such as those in ORs or Cath Labs, can run anti-virus systems without interfering with the medical function of the device. Understand what can and cannot be protected. Often you'll be required to use the anti-virus system approved by the manufacturer, not necessarily one you'd choose.
3. Segment your medical devices, fine-tune your firewalls. This is probably your best defense, but it takes time and effort. However, once set up, you 'simply' have to maintain it. Develop a policy and procedure to ensure all new network-connected medical devices are added to the secured segment.
4. Monitor your medical device network traffic, set up appropriate filters and alerts. If you're using some sort of network port security program or SIEM, you can train it to identify appropriate medical device traffic so you can then spot abnormal or unauthorized traffic.