Securing Medical Devices Means Securing Networks

As the CEO of Technical Support International, I'm well aware of the increased presence of Internet of Things (IOT) technology within the healthcare and medical device industries where approximately  60% of such organizations have already introduced IoT devices into their facilities and by the end of the year, are predicted to climb to 89%. 73% of the businesses that already use these devices, are doing so for patient monitoring for devices like IoT-connected pacemakers and are about to become the new norm.

During a transition as notable as this, it's easy to forget the idea that you should focus just as much of your attention on securing the actual medical devices you produce as the network your organization depends on, as failing to do so will undoubtedly compromise the accomplishments achieved to this point and potentially harm the patients dependent upon that technology

Consider what would happen if a hacker was able to breach any other part of your network. In a matter of minutes, and by exploiting the vulnerabilities of your IOT technologies, they can gain access to all the most sensitive areas of your network environment and theoretically, use them to gain access IOT  medical devices - regardless of how "secure" the other part of your network seemingly are.

The challenges of (poor) network security

The most important thing to understand about all of this is that any device on a network is a potential vulnerability waiting to be taken advantage of by someone who knows what they're doing, especially if the latest security updates for that IOT device are overlooked.

When medical technology companies run outdated software or unsupported legacy apps, they're essentially leaving an open door for anybody to walk through, especially today when nearly one million new malware threats emerge every single day. When older apps are no longer receiving patches and updates from their original vendor, they are easy, wide-open target for a breach, which in turn renders your network exposed as well.

The inconvenient truth is that it is far less expensive to upgrade that legacy software than it is to recover from something like the theft of patient data or the compromise of the medical device they rely upon, such as a pacemaker. Disregarding the average two-weeks’ worth of revenue to recovery from breaches, these breaches not only present a risk to medical technology companies but, even more concerningly, to their patients as well. This is before you begin to realize the more significant costs associated with these breaches - the damage to their brand's reputation and the increased risk they have of going out of business entirely.

Also complicating things is the fact that the cyber security landscape is rapidly growing more dangerous and complex, particularly for healthcare and medical device companies as 88% of all ransomware attacks in the United States targeted the healthcare industry in 2016.  All told, this is a roughly $6.2 billion problem for this industry, with very little signs indicating a slowing-down of this pace.

Failing to secure your medical devices on the otherwise "secure" network they're connected to is an all-too-easy way to become a statistic and for this reason above all others, when it comes to securing your medical devices, the process needs to begin by securing your devices as well as your network.

Best practices for securing a network for medical devices

One of the most immediate and overlooked steps that organizations can take to secure their IOT medical devices is the enforcement of more stringent password sophistication rules for frequency and complexity, which is also a requirement for compliance guidelines such as HIPAA, which requires that covered entities implement necessary administrative, physical and technical safeguards. The advent of the IOT not only requires the enforcement of password best practices but, beyond that, one of the basic things that organizations should immediately do is implement a password management tool across their organizational infrastructure. Not only will this securely store strong passwords in a way that doesn't require users to remember a slew of different credentials, but it can also generate new ones in accordance to any internal (or compliance) driven requirements that may be in place, especially since users already repeat passwords across multiple platforms far too often. As the number of devices in a person's work and personal life increases due to IoT, these types of issues will only compound and worsen. Using a password manager removes the dependence upon the end user to create unique, strong passwords for each account and is a regulatory ‘must-have’ under most compliance requirements. 

The importance of log monitoring and auditing

Organizations that are subject to compliance-notably healthcare and medical organizations-and those with an internal preference to maintain their cyber vigilance should invest in a log monitoring and auditing solution. Unfortunately, many organizations make the mistake of assuming many log monitoring features are included with a basic, security tools and solutions-such as anti-virus and firewall-when in fact this could not be further from the truth.

Log monitoring and auditing are far more sophisticated than anything a standard firewall offers and can provide real-time notifications, alerting and auditing of all network activity, 24x7x265. These logs can also include critical information like destination and source addresses, time stamps, user information and most importantly, alerts indicating to any anamolous behaviors.

Not only will system administrators be instantly alerted to any atypical behavior in the event of a network breach or intrusion, they'll also have immediate access to the information they need to solve the problem, document its resolution and if required, report the issue to the regulatory authority to make sure it doesn't happen again.

Keep in mind, that similar to every aspect of your security strategy, medical technology companies should routinely review all of their logs so that finer, more business-specific controls can be applied and any unanticipated issues proactively addressed This will also give administrators an opportunity to update those logs and rules in accordance with any new cyber threats that emerge and provide a true proactive security solution addressing those threats.

Addressing vulnerabilities with vulnerability management scanning

It is equally important for medical technology companies to implement vulnerability management scanning in conjunction to log monitoring and auditing in order to address today’s more common cyber threats. These are tools used to not only identify but also report upon and ultimately help remediate vulnerabilities, both on the network and the software residing on it.

These vulnerabilities are often exploits used by hackers to breach an environment and compromise your system’s most critical data stores. It is imperative for organizational leaders understand that you are ultimately only as protected as your last patch/critical system update and if any of those patches/updates are missing, vulnerability management scanning tools would identify that gap immediately, allowing those in charge to address the issue hopefully before a hacker has a chance to take advantage of it.

Vulnerability management scanning is both something that happens on a pre-scheduled, regimented basis with more in-depth, internal scan conducted quarterly basis. Before introducing VM scanning to your environment, it’s of the utmost importance to both your security and investment in the solution, to refine and have complete control of your patching and update methodology.

Why SIEM matters

Security Information and Event Management (SIEM) is a necessity to secure a network to the point where IOT medical devices can be used without cause for major concern. The term SIEM refers to a collection of security services and tools that both collect and aggregate the log data generated throughout a network infrastructure to proactively identify anomalous behaviors. That information is then properly categorized so that an appropriate response plan can be created immediately to account for these types of specific issues.

SIEM solutions use pattern detection, alerting, baselines and dashboards to identify certain anomalies that can lead to performance or security issues and is sophisticated enough tol continually search for common attributes that can link different types of cyber events together. To put it another way, it's a viable opportunity to take the raw data being generated by various sources and turn it into actionable, useful and informed security action plan.

SIEM is particularly common in organizations who have compliance regulations like HIPAA, as it is a complete solution that allows them to effectively manage processes in a way that enables them to address the various cyber security issues they might encounter.

Looking forward

The Internet of Things has ushered in a revolution in terms of medical device possibilities in today’s world of connected healthcare. Unfortunately, it's about to bring with it a slew of potentially catastrophic threats too, which must be addressed at equal costs

Securing the medical devices that store important health information or that rely upon your IOT infrastructure to work will be of increasing importance, but if you have yet to secure the underlying IOT network they reside upon, your efforts are for naught. You're still just as exposed as you ever were, with no limit to the amount of damage that a cyber-criminal can do. Because these IOT devices have become so critical to people’s everyday lives, the question needs to become how to bring cyber security and readiness to the forefront of these medical technology companies’ priorities for the sake of their success and the patients depending on them.
 

Chris Souza is the CEO for Massachusetts-based managed IT services provider, Technical Support International. Chris can be reached at csouza@tsisupport.com or through the TSI website.