By now, it's old news that advances in medical tech and the widespread use of Internet of Medical Things (IoMT) devices have revolutionized the healthcare industry. Everything from how we receive care to hospitals' organizational integrity has become indelibly linked with smart, connected medical devices.
Yet while IoMT devices propel us forward in terms of convenience, they complicate the ability to secure clinical environments and contain risk. Connected medical devices store and send PHI, increasingly connect to cloud services, and increase clinical networks’ attack surface.
In a webinar with HealthITSecurity, Cynerio walked through three use cases showing how hospitals can use emerging healthcare automation technologies to secure IoMT devices, safeguard patients, and ensure business continuity.
The Core Challenge: Keeping track of IoMT devices in real time.
Real-World Example: IV pumps, which during the COVID-19 crisis were the most numerous devices on the network.
Keeping track of IoMT devices is crucial to securing clinical networks and ensuring patient safety. With a tool like Cynerio, inventory discovery is automatic, ongoing, and visualized via customizable, intuitive dashboards.
Granular breakdowns of information on IV pumps provide live updates on device utilization by department, along with device-specific vulnerabilities and risk level.
This automation tool also provides you with tailored mitigation plans and lets you know whether patches are available or not.
In the case of our IV pumps, no patch is available and the only viable mitigation option in this scenario is network segmentation.
The Solution: Virtual segmentation
Cynerio’s virtual segmentation capability automatically maps all device communications and enables hospitals to create policy and test it before enforcing it on the live network.
Even more importantly, virtual segmentation adds a validation step: the draft policy is run in monitor mode against live traffic, and any flow the policy would deny that a pump needs for normal operation is flagged as a violation. Flagged violations are reviewed and the policy adjusted before it is pushed to the NAC or firewall.
The ability to test a policy for violations and safety before enforcement lets hospital IT security teams tune it against real traffic rather than guessing. This level of compensating control reduces risk and lets hospitals reach full network segmentation safely and quickly; Cynerio reports segmentation projects completing in as few as two months.
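The draft, dry-run, tune, re-check loop described above, as an added example that is not Cynerio's code or the webinar's material. The traffic, the device names, the `.hospital.local` zone and the list of flows marked essential are all constructed for illustration; a real deployment would take them from the platform's inventory and flow data. The policy is a default-deny allow-list per device group, and the dry run reports what the policy would block without blocking it, distinguishing a flow the device needs (which must be added before enforcement) from a genuine anomaly (which should stay denied):

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # device hostname
    dst: str    # destination host
    port: int
    proto: str  # "tcp" or "udp"


# Constructed sample traffic (not real capture data). Learning window: what the
# pumps were seen doing while the policy was drafted.
LEARNING_WINDOW = [
    Flow("ivpump-01", "pump-server.hospital.local", 443, "tcp"),
    Flow("ivpump-01", "ntp.hospital.local", 123, "udp"),
    Flow("ivpump-02", "pump-server.hospital.local", 443, "tcp"),
    Flow("ivpump-02", "ntp.hospital.local", 123, "udp"),
]

# Validation window: a later capture containing a flow the learning window
# missed (drug-library download, essential to pump function) and an anomaly
# (SMB to an external address) that should stay blocked.
VALIDATION_WINDOW = LEARNING_WINDOW + [
    Flow("ivpump-03", "druglib.hospital.local", 8443, "tcp"),
    Flow("ivpump-01", "203.0.113.7", 445, "tcp"),
]

# Flows clinical engineering has confirmed the pumps need (assumed list).
ESSENTIAL = {
    ("pump-server.hospital.local", 443, "tcp"),
    ("druglib.hospital.local", 8443, "tcp"),
}


def device_group(host: str) -> str:
    """'ivpump-01' -> 'ivpump': policy is written per device group, not per device."""
    return host.rsplit("-", 1)[0]


def draft_policy(flows):
    """Allow-list per group built from observed traffic; anything else is denied."""
    policy = defaultdict(set)
    for f in flows:
        policy[device_group(f.src)].add((f.dst, f.port, f.proto))
    return dict(policy)


def dry_run(policy, flows):
    """Monitor mode: evaluate every flow against the policy without blocking.

    Returns a list of (flow, breaks_function) for flows the policy would deny;
    breaks_function is True when the denied flow is one the device needs, i.e.
    enforcing the policy as-is would interrupt care.
    """
    violations = []
    for f in flows:
        allowed = policy.get(device_group(f.src), set())
        key = (f.dst, f.port, f.proto)
        if key not in allowed:
            violations.append((f, key in ESSENTIAL))
    return violations


def tune_policy(policy, violations):
    """Add the essential flows the draft missed; leave true anomalies denied."""
    tuned = {g: set(v) for g, v in policy.items()}
    for f, breaks_function in violations:
        if breaks_function:
            tuned.setdefault(device_group(f.src), set()).add((f.dst, f.port, f.proto))
    return tuned


def validate_and_tune():
    """One iteration of the draft -> dry-run -> tune -> re-check loop."""
    draft = draft_policy(LEARNING_WINDOW)
    first_pass = dry_run(draft, VALIDATION_WINDOW)
    tuned = tune_policy(draft, first_pass)
    second_pass = dry_run(tuned, VALIDATION_WINDOW)
    return {
        "first_pass_violations": len(first_pass),
        "would_break_function": sum(1 for _, b in first_pass if b),
        "second_pass_violations": len(second_pass),
        # Safe to enforce once no remaining violation touches an essential flow.
        "safe_to_enforce": not any(b for _, b in second_pass),
        "policy": tuned,
    }


if __name__ == "__main__":
    result = validate_and_tune()
    for group, allowed in sorted(result["policy"].items()):
        for dst, port, proto in sorted(allowed):
            print(f"allow {group} -> {dst}:{port}/{proto}")
    print("safe to enforce:", result["safe_to_enforce"])
```

The first dry run reports two violations: the drug-library flow (would break pump function, so it is added to the policy) and the outbound SMB flow (not essential, so it stays denied). After tuning, the only remaining violation is the anomaly, which is exactly what the enforced policy should block.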
The Core Challenge: Prioritizing critical devices running legacy OS that have a high impact on business goals
Real-World Example: Computed Radiography (CR) & Digital Radiography (DR) devices
These devices often run unsupported operating systems, have multiple vulnerabilities, and high risk scores.
The Solution: Mitigating and reducing risk via network segmentation
Prioritizing which devices to segment first depends on their risk score and hospital-specific criticality. Specialized dashboards with views into device data can help healthcare security teams quickly understand risk by device model, department, vendor, and OS distribution and support level.
Intuitive, live dashboards dive deep into inventory, device risk scores, and identify the most at-risk departments to give you a clear understanding of which devices to focus on segmenting first.
Asset dashboards let you drill down into which types of devices you have, which departments they’re in, their risk scores, operating systems, and whether they store and send PHI. Let's take a closer look at the high-risk CR/DR device.
The CR/DR device can directly impact patient safety. It's also running the unsupported Windows 7 operating system. Cynerio's Risk dashboard breaks down the specific risks associated with the CR/DR device and calculates its risk score according to its criticality and medical impact.
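A way to turn the factors named above (worst known vulnerability, OS support status, PHI handling, patient-safety impact) into a segmentation order, as an added example that is not Cynerio's scoring model. The weights, the end-of-life OS list, the 1-to-3 impact scale and the inventory are assumptions constructed for illustration; the point is the shape of the calculation, in which exposure is scaled by medical impact so a vulnerable device that can harm a patient ranks above an equally vulnerable one that cannot:

```python
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    model: str
    department: str
    os: str
    cvss: list                  # CVSS base scores of known vulnerabilities (constructed)
    stores_phi: bool
    patient_safety_impact: int  # 1 = none, 2 = indirect, 3 = direct (assumed scale)


# Assumed end-of-life list; a real inventory tool carries vendor support dates.
UNSUPPORTED_OS = {"Windows XP", "Windows 7", "Windows Server 2008 R2"}

# Constructed inventory, not real data.
INVENTORY = [
    Device("crdr-01", "CR/DR", "Radiology", "Windows 7", [9.8, 7.5], True, 3),
    Device("us-02", "Ultrasound", "Radiology", "Windows 10", [6.5], True, 2),
    Device("ivpump-07", "IV pump", "ICU", "Embedded Linux", [7.8], False, 3),
    Device("ws-14", "Nurse workstation", "Nursing", "Windows 10", [5.3], True, 1),
]


def risk_score(d: Device) -> float:
    """Assumed scoring model: exposure (worst vuln, OS support, PHI) scaled by
    patient-safety impact. Weights are illustrative, not Cynerio's."""
    worst_vuln = max(d.cvss, default=0.0) / 10.0        # 0..1
    os_factor = 1.0 if d.os in UNSUPPORTED_OS else 0.4  # unsupported: no patch is coming
    phi_factor = 1.0 if d.stores_phi else 0.0
    exposure = 0.5 * worst_vuln + 0.3 * os_factor + 0.2 * phi_factor
    return round(100 * exposure * d.patient_safety_impact / 3, 1)


def segmentation_order(devices):
    """Devices in the order they should be segmented: highest risk first."""
    return sorted(devices, key=risk_score, reverse=True)


def department_risk(devices):
    """Highest device score per department, riskiest department first."""
    by_dept = {}
    for d in devices:
        by_dept[d.department] = max(by_dept.get(d.department, 0.0), risk_score(d))
    return sorted(by_dept.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for d in segmentation_order(INVENTORY):
        print(f"{risk_score(d):5.1f}  {d.name:10} {d.model:18} {d.department:10} {d.os}")
    print(department_risk(INVENTORY))
```

With these inputs the Windows 7 CR/DR unit scores 99.0 and goes first, the IV pump (supported OS, no PHI, but direct patient impact) second, and the nurse workstation, despite storing PHI, last because it has no direct patient-safety impact.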
Now we can see that our CR/DR device has severe risk that needs to be mitigated. But how do we segment it safely? Cynerio’s Virtual Segmentation capability automatically generates a segmentation policy that takes your network’s unique needs and architecture into account.
The Virtual Segmentation capability also includes a validation step that lets you monitor for policy violations, tune up the policy, and optimize before pushing to NAC or firewall.
After you validate your policy, you can push to NAC or firewall and reduce your risk with just one click, confident that services will continue running smoothly, even when replacing or patching your devices.
The Core Challenge: Effectively implement and safely apply policies to IoMT ecosystems
3 Real-World Examples:
1. Devices that send PHI to external servers
To secure these devices, we first have to take a deep dive into communications behavior, gain visibility into which devices send PHI out through the internet, and understand the purpose of the communications.
With a clearer understanding of the communications, Cynerio's Connections dashboard can help you take an even deeper dive and create a policy that permits only communications essential to the device's normal functionality.
The Solution: Draft a segmentation policy that blocks PHI traffic to external servers while keeping every communication the device needs for normal operation.
2. Devices that conduct external Windows OS updates
We need visibility into all devices communicating with external sources to conduct their routine Windows updates. Cynerio automatically maps and profiles all internal and external communications.
The Solution: Create and enforce policies that restrict Windows update traffic to the hospital's internal update server (for example a WSUS server) and block direct connections to external update sources. These policies reduce the attack surface, give the hospital control over the OS version running on each device, and prevent unscheduled and unwanted reboots.
3. Vendor access management
Vendors routinely access connected medical devices remotely to conduct routine updates and administer security patches. Cynerio identifies and maps all vendors connecting remotely to devices. It also identifies the protocols used by the vendors and how many devices each vendor connects to.
Visibility into vendor access gives hospitals control over those connections and shows how secure each vendor's connections actually are: which protocols are in use, which devices each vendor can reach, and whether that access is any wider than the maintenance work requires.
Now that you’ve gained visibility into each device’s vendor connections and the vulnerabilities associated with them, you’re ready to set some policies that mitigate your risk!
The Solution: Enforce policies to ensure limited vendor access and secure connections.
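The three policies above reduced to one rule function, as an added example that is not Cynerio's code or the webinar's material. It classifies each observed flow into one of the three cases (PHI-carrying protocol leaving the hospital, Windows Update to an external host instead of the internal server, vendor remote access from outside the approved range or on an unapproved protocol) and returns the rule that should be written for it. The `.hospital.local` zone, the `wsus.hospital.local` server, the vendor name and address range, the internal address ranges and the flows are all constructed; the DICOM and HL7 MLLP port numbers and the WSUS port 8530 are common defaults, not values from the page:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str


INTERNAL_SUFFIX = ".hospital.local"                           # assumed internal DNS zone
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PHI_PORTS = {104: "DICOM", 11112: "DICOM", 2575: "HL7 MLLP"}  # common default ports
INTERNAL_UPDATE_SERVERS = {"wsus.hospital.local"}            # assumed WSUS host
EXTERNAL_UPDATE_HOSTS = {"windowsupdate.microsoft.com", "update.microsoft.com"}
# Constructed vendor profile: approved source range and approved (proto, port) pairs.
VENDORS = {"PumpCo": (ipaddress.ip_network("198.51.100.0/24"), {("tcp", 443)})}


def is_external(host: str) -> bool:
    """IP outside the internal ranges, or a FQDN outside the internal zone.
    Bare device hostnames ('crdr-01') are treated as internal."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." in host and not host.endswith(INTERNAL_SUFFIX)
    return not any(ip in net for net in INTERNAL_NETS)


def vendor_for(src: str):
    """Name of the approved vendor whose range contains src, else None."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return None
    for name, (net, _) in VENDORS.items():
        if ip in net:
            return name
    return None


def derive_rule(f: Flow):
    """(action, reason) for one observed flow under the three policies."""
    # 1. PHI egress: clinical protocols may only talk to internal systems.
    if f.port in PHI_PORTS:
        if is_external(f.dst):
            return ("deny", f"{PHI_PORTS[f.port]} to external host (PHI egress)")
        return ("allow", f"{PHI_PORTS[f.port]} to internal system")
    # 2. Windows Update: only the internal update server is allowed.
    if f.dst in EXTERNAL_UPDATE_HOSTS:
        return ("deny", "external Windows Update; use internal update server")
    if f.dst in INTERNAL_UPDATE_SERVERS:
        return ("allow", "internal Windows Update server")
    # 3. Vendor remote access: approved range on approved protocol only.
    vendor = vendor_for(f.src)
    if vendor is not None:
        if (f.proto, f.port) in VENDORS[vendor][1]:
            return ("allow", f"{vendor} remote access on approved protocol")
        return ("deny", f"{vendor} remote access on unapproved port {f.port}/{f.proto}")
    if is_external(f.src):
        return ("deny", "inbound from unknown external source")
    return ("review", "uncategorised flow; profile it before writing a rule")


# Constructed observations, not real traffic.
OBSERVED = [
    Flow("crdr-01", "pacs.hospital.local", 104, "tcp"),
    Flow("crdr-01", "203.0.113.10", 104, "tcp"),
    Flow("crdr-01", "windowsupdate.microsoft.com", 443, "tcp"),
    Flow("crdr-01", "wsus.hospital.local", 8530, "tcp"),
    Flow("198.51.100.20", "ivpump-01", 443, "tcp"),
    Flow("198.51.100.20", "ivpump-01", 3389, "tcp"),
    Flow("192.0.2.5", "ivpump-01", 22, "tcp"),
]


def derive_policy(flows):
    """List of (flow, action, reason), one rule per observed flow."""
    return [(f, *derive_rule(f)) for f in flows]


if __name__ == "__main__":
    for f, action, reason in derive_policy(OBSERVED):
        print(f"{action:6} {f.src} -> {f.dst}:{f.port}/{f.proto}   # {reason}")
```

Run on the constructed flows, the DICOM send to PACS and the WSUS check-in are allowed, the DICOM send to an external address and the direct Microsoft update connection are denied, and of the three inbound vendor-side flows only HTTPS from the approved range survives; RDP from the same range and SSH from an unknown address are denied. The rules are then the input to the validation step: pushed in monitor mode first, enforced only once no denied flow turns out to be one a device needs.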
As the IoMT footprint continues to expand across healthcare, traditional IT security practices such as key management, forensics, incident response, and cloud access security will need to be adapted to connected medical devices.
IoMT security solutions like Cynerio are already adapting to this shift and developing medical-first solutions tailored to health care's unique needs.
To learn even more about automated healthcare solutions, watch the full webinar.
Cynerio is the world's premier medical-first IoT cybersecurity solution. We view cybersecurity as a standard part of patient care and provide healthcare delivery organizations with the insight and tools they need to secure clinical ecosystems and achieve long-term, scalable threat remediation without disrupting operations or the delivery of care.