May 17, 2019

Jack Wagner • VP of Advisory Services

Cybersecurity for Medical Devices – Pitter Patter Let’s Get At ‘Er

Okay, maybe I watch too much of the Canadian sitcom Letterkenny, and while it may be considered inappropriate for younger viewing audiences, there is one saying in there that I have tried to apply to my everyday life and that is “Pitter patter, let’s get ‘er.” 

What exactly does that mean?  Basically, let’s do it already, get it done, chop chop, right now.

What do we need to get done, you ask?  Well, cybersecurity of our medical devices, of course. 

Some of you have been watching the trends for years.  Unfortunately, many more wait for a problem to occur elsewhere before taking action. Even worse, others standby and just let a problem grow until it turns into a catastrophe that was completely avoidable.

An automobile is a good example.   It requires basic maintenance to stay in top running condition.  Things like oil changes, tire rotation and other basic maintenance ensure that when you cross the 100,000-mile mark on the odometer, your car is there with you for the long haul.  If you ignore that maintenance, then you could end up with a burdensome towing and mechanical repair bill.

Ignoring medical device cybersecurity, is much worse.  If you never change the oil in your car, the engine will eventually seize, possibly leaving you stranded. 

When lack of security maintenance to medical devices occurs, well, everyone gets hurt. 

In healthcare, we care for patients.  That is what we do.  It is our entire mission.  When our healthcare networks get breached, our patients suffer the most.  After all, it is their health and personal information that are at greatest risk due to vulnerabilities that exist in the health care market.

Now, back to “Pitter patter, let’s get ‘er.” How should we proceed to remediate our vulnerabilities?

If you listen to many of the vendors in the burgeoning field of healthcare cybersecurity, the initial answer to your question is, “You need an assessment.  It will tell you everything that is wrong, and we are great at assessing stuff!” 

Okay, I paraphrased a little bit, but that is a popular answer.  Let me be clear, it is not necessarily the wrong answer.  Nevertheless, is it the best answer? 

Going back to the oil change — oversimplified, I get it — analogy.  Do you want a mechanic to spend two hours with your car to come back and tell you every single reason why you need an oil change?  Such as, the oil has broken down, seriously impacting your engine’s lubrication abilities.  If you do not change it, the friction in your engine will build up heat until the metal warps, which will surely destroy it. 

By the way, that information costs $200, because I interviewed you, ran diagnostics and performed in-depth analysis of the oil in your car.

That is all good information to have no doubt, but at this point has the mechanic told you anything that has actually fixed your problem, or have you just paid someone for a good reason to change your oil?

I would like to touch upon a different approach for Cybersecurity of your medical devices in the now buzz-worthy world known as the Internet of Medical Things (IoMT)

This approach is to fix the problems before they become bigger problems.

I get it.  Your next thought is, “how do I know what my problems are so I can fix them?”

The answer can be derived by answering some basic questions:

  1. Do you have medical devices, such as CT Scanners, X-Ray machines, MRIs, Infusion Pumps, etc. connected to your wired/wireless networks? 
  2. Are many of those vendor-maintained?
  3. Do you have a process in place that monitors the operating systems they are running, and the last time they’ve been updated for the latest patch releases? 
  4. Does this process not only identify vulnerabilities, but provide guidance to resolve them?
  5. Does the process work with the device vendors during the remediation process to ensure the gaps are mitigated or closed?

If the answer to the first two questions is yes — You’re in healthcare, right? — and the answers to the follow-up questions are closer to “Ummm, Meh,” then you do not need to pay someone to tell you that again in a 100+ page report with painstaking detail.

Is not that like the mechanic giving you a 10-page diagnostic report explaining the chemical breakdown of the oil in your car over time?

Instead, we should have a conversation on the top items that all healthcare entities need to be doing to protect themselves.  Afterward, you could use those valuable, and oft constrained, budget dollars to address those elements.

A typical assessment could cost anywhere from $20,000 to $100,000, depending on the size and complexity of your organization and the scope of the assessment.  I am sure some of you have seen them cost more.

Instead of paying for that assessment, you could apply those dollars to actual remediation of those devices, while also gaining an understanding of the weaknesses that exist.

Interested yet?  I hope so.  Please bear with me a little longer.

Another question: Do you have a Security Information and Event Management (SIEM) system in place?

Your answer is likely accompanied by an eye-roll and is similar to, “Yes, yes, we do.  Since the 90’s, in fact, or at least the turn of the 21st Century.”

The truth is, many of us do have them already.  They monitor networks, servers, workstations and numerous other things that have been the target of threats for years.  Also true is that many of them have done a good job of it. 

The concern is not around them protecting those devices they were made to monitor, but is around the blind spots they may have, especially in the medical device arena.

Next set of questions: Do you have any products that specifically monitor all the medical devices on your network, identifies when they are working out of the norms, and tells you how to remediate them? Do they perform all that passively, as to not impact the critical patient health traffic on the network?  Do they report all that information to your current SIEM, complementing your current environment rather than replacing it?

If most of the answers are, “No.”  Why not then use some of your budget dollars to remediate that situation now?  The right system could not only tell you everything an assessment could, but also help you track them real-time and give instructions for gap closure.

Final set of questions: What if you could get a pilot of this system, with the cybersecurity expertise to ascertain its best placement, set it up, monitor it and report out the findings, for less than the cost of the typical assessment? 

That would be much better than just a report.

There are several vendors with products in this field of expertise and they claim everything from signature-based vulnerability identification to machine-learning and Artificial Intelligence (AI) concepts.  The truth is, that some of these are much more mature than others and are no longer proof of concept (POC) exercises, but legitimate contenders to help you close the gaps in your medical device vulnerability area.

Additionally, you need a good partner.  Not one that provides an assessment and promises to come back in a year to see how you have done closing the gaps, but rather, one that works through the entire process of system selection, implementation, monitoring and remediation.  A partner that also provides education to your staff, works with them to mitigate gaps, and can also provide 24×7 Security Operations Center (SOC) services to spot, isolate and remediate any brand-new vulnerabilities that the malware community cooks up next. 

It all starts with an honest conversation around Cybersecurity and how best to protect the assets providing the most important tenet of all healthcare organizations, taking care of patients.

Pitter patter, let’s get at ‘er.

May 6, 2019

Carter Groome • Chief Executive Officer

Medical Device Risk Management – Provider Side Takeaways from the Joint Security Plan


The Health Sector Coordinating Council (HSCC) released the Joint Security Plan (JSP) in January with a goal of creating easy to follow guidance for increasing the security and resilience of medical devices and medical technologies.  While the report focus leans toward pre-market medical device themes such as design controls, complaint handling, and maturity evaluation, there are several areas that health delivery organizations (HDO’s) can and should leverage to bolster their risk management strategy.  

Rob Suarez and Kevin McDonald, Task Group Co-Chairs of the JSP, more recently highlighted the plan in an AEHIS webinar, curating the best practices that can be applied to gain more insights into your risk profile.  Here are key areas that stand out from the consumer, or HDO side of the JSP.

  1. Alignment of Expectations: Adopting common languages – CVSS and ISO 14971 for example –  and understanding of process between all stakeholders. Aligning the expectations of the manufacturers and the consumers in purchasing is a strong building block to effective collaboration. When considering the device lifecycle, utilization and decommissioning medical devices, understanding process and communication preferences up front is a powerful planning tool for managing devices in your organization.
  2. Procurement and Supply Chain Processes: As your organization looks to purchase and negotiate for new devices, are you incorporating key questions, RFP criteria and supply chain management into the process.  The JSP provides questions to ask prospective vendors that address structure, governance, risk registers and more (Section VIII) that you can pull right into your own process, facilitating quicker responses and information that will inform decisions through the entire lifecycle of your devices.  
  3. Medical Device Management Plan – The JSP provides the tools to incorporate a Medical Device Management Plan into a more comprehensive Cybersecurity Management Plan.  From vulnerability reporting and prioritization to patch management requirements, access controls and pen-testing documentation, communication and planning on how to deal with the risk is articulated in the JSP.  
  4. Incident Response Planning – Processes for notification, your vendor standards for getting incident information and timeliness in addressing vulnerabilities are all items that need to be addressed in advance.  These actions may lead to additional training and ultimately, more streamlined incident response. The JSP helps to incorporate medical device specifics into a more comprehensive IRP, building special use cases and decision trees for potential incidents throughout your device population.  Pulling in the right people by defining their roles and getting the necessary info to them and the vendor is ideal in assessing the impact of an incident.

The JSP is a great guide to help your team bridge the divide between device manufacturers and all of your stakeholders.  The JSP will be revised on a yearly basis and should be considered in your overall Enterprise Risk Assessment. If you are able to leverage what you currently have in place for assessments and Supply Chain Management Processes, you will be well on your way to improved communication and planning on how to more efficiently address medical device risks within your organization.

September 14, 2018

Carter Groome • Chief Executive Officer

Hurricane Phishing – Awareness of Disaster Scams

As we watch the news from Hurricane Florence (or experience it first hand), here is a timely, and timeless reminder from DHS to be careful in times that we are most inclined to give.  Phishing scams in times of disasters are some of the most lucrative for bad actors.  See the release from NCCIC below and share with those that may not be in the IT or Cyber world.

NCCIC warns users to remain vigilant for malicious cyber activity seeking to exploit interest in Hurricane Florence. Fraudulent emails commonly appear after major natural disasters and often contain links or attachments that direct users to malicious websites. Users should exercise caution in handling any email with a subject line, attachments, or hyperlinks related to the hurricane, even if it appears to originate from a trusted source. NCCIC advises users to verify the legitimacy of any email solicitation by contacting the organization directly through a trusted contact number. Contact information for many charities is available on the BBB National Charity Report Index. User should also be wary of fraudulent social media pleas, calls, texts, donation websites, and door-to-door solicitations relating to the hurricane.

NCCIC encourages users and administrators to review the following resources for more information on phishing scams and malware campaigns:

June 8, 2018

Toby Gouker • Vice President of Strategy

Medical Device Security Starts With An Accurate Inventory

You can’t protect what you don’t know. Getting a handle on the security of your medical and other connected devices in your healthcare facility starts with getting a handle on the inventory. Simple concept, yet why are so many healthcare organizations struggling to get a real accounting of what is being used to serve their enterprise? Many institutions feel they have a grasp on the inventory because they can point to accounting records for purchases. Once their project begins though, they are surprised to learn how inadequate accounting inventories tend to be. Historically, an organization decides to bring in a team of individuals to walk the facility and get an actual physical count of the equipment and its location along with age, operating parameters, and security features.

Today, the path forward to an accurate inventory count can be different. With the advent of big data analysis techniques and machine learning algorithms, vendors are taking advantage of the reams of data that network traffic sniffing tools can deliver and are discerning volumes of information from the data collected on their intranets. Working with small appliances placed on your network, typically at Layer 2, these appliances inspect large volumes of packet communications and run it through a deep machine learning algorithm to discern equipment type, manufacturer, model, operating system and many other factors of interest to clinical engineering and security professionals.

From AWS, BlueFlow and CloudPoint all the way to ZingBox, there are already many vendors who can provide you with an inventory discovery tool to include as part of you medical device security management program. Here are five quick questions you may want to ask to help you find your solution from this rapidly growing list of options:  1) How long have you been providing this solution? 2) How many healthcare deployments have you made? 3) Can you interface with my SIEM and other security management tools? 4) How many appliances will I need to install? 5) Can the solution augment network security architecture?

First is here to help you get answers to these questions and many more as you develop and/or improve your medical device security management program. We can even help you get answers to non-security aspects of these connected asset discovery tools. Given that they are always on and always monitoring device operations, many of these tools can also be put to use by your clinical engineering teams for resource leveling studies, new purchase planning and even reconfiguring maintenance schedules and equipment SLAs.

July 14, 2017

Toby Gouker • Vice President of Strategy

A Path Towards Medical Device Security – Dr. Toby Gouker

We don’t need a blog to tell us how vulnerable our medical devices are. We don’t need to be told how challenging it is to secure them. We also don’t need to be told how much sleep we are losing over this issue; we don’t sleep anyway. What we need is a path forward. There is no elegant solution to this issue, but it doesn’t mean we have a license to throw our hands up in disgust/frustration and walk away. Malicious actors know our healthcare system’s threat surfaces are like Swiss cheese because of this issue, and before they figure out ever more efficient ways to monetize their exploits of our vulnerability we have to move to close down their ability to successfully attack. While we wait for manufacturers to deliver devices with embedded security, we have to focus on the defense of our legacy equipment. This defense begins with learning what’s out there….

Taking a lead from the Center for Internet Security’s Critical Controls, we need to start with Control #1: create a list of authorized and unauthorized devices on our network. The goal of the control make the task sound so simple: “Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.” While this activity can be automated in many industries, the sensitivity of medical devices makes automated inventory generation unattractive in healthcare. Many medical devices have a default which leads them to stop working when queried by something outside of their normal expected operations. This can cause significant patient safety issues if tools like ICMP, NMAP or other network traffic tools are used to query devices. There are a number of vendors who offer automated discovery tools, but experience has shown that they are only able to safely capture information on roughly 30-40% of devices located on the network.

The sensitivity to query leads many facilities to bring teams in to conduct a physical inventory. Beginning with an “accounting inventory” (items we purchased) teams look to confirm location and profile information of items listed on the accounting inventory and then move to discover new locations and new devices not listed on the books. Physical inventories will give you greater than 90% of the inventory on the network. Then it is time to deploy passive tools that identify hosts based on analyzing their traffic to take you to a full inventory count. If your healthcare system dynamically assigns addresses using DHCP, then you will want to deploy dynamic host configuration protocol (DHCP) server logging. Information gathered from DHCP can be used to improve your inventory count and can help detect rogue devices.

With inventory in hand, your next task is to conduct a risk assessment and develop a risk management plan for your authorized devices. (It goes without saying that your will first be removing all unauthorized devices from your network!) Many devices may not generate or store PHI so they can be classified at a low risk level, but the risk will never be zero, as these devices do possess computing power. Even though their computing power is low in capacity, multiplied across your network and the networks of others they are valuable to bot net builders and you will want to take these assets away from malicious actors by installing compensating controls at the router/switch level to deny access to these devices to the outside world.

For devices that are actively engaged in PHI delivery, you will want to turn to CIS control #2 and take stock of the software and versions running on your devices. CIS control #2 will task you to: “Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.” Once you know what software is running, you have to work with vendors to automate the delivery of security patches in a way that does not disrupt operations. Once again, many devices are sensitive to network/computer interactions outside of their normal operating mode, and vendors will have to work with you to ensure that security updates can be made in a reliable manner.

For high PHI profile devices that the vendor won’t help you manage, and the host PHI profile devices on your network, the installation of a network segmentation strategy is recommended as a risk management technique. Through segmentation, the network becomes the control point rather than attempting to manage so many individual endpoints. The newer switches and routers on the market can be the lock down point for these medical devices whether wired or wireless. The beauty of this technique is that through global communications with the routers/switches uniform policy can be distributed to direct exactly which ports and protocols each device can communicate on, which users can administer each device, and which other devices each medical device can communicate with.

In a perfect world, we would then move to establish real time visibility and control for the system’s medical devices. There are a number of organizations working on developing continuous monitoring tools, but at the moment most of these tools are either in the development or piloting stage of delivery, so discussions of further security risk management for medical devices will have to wait for another day.

First Cyber Health Solutions, a Risk Management and HIT services firm, advises covered entities on how best to mitigate risk to your patients, systems and data. Learn more by visiting our website www.fcp.com.

 

1 2 3