There are a few significant challenges healthcare delivery organizations face in protecting their networks from security threats. The first is the trend of the escalating frequency of vulnerabilities found in networked medical devices.
The Cybersecurity and Infrastructure Security Agency recently released ICS Medical Advisory (ICSMA-21-084-01), which focuses on a specific vulnerability found in the Philips Gemini PET/CT family of scanners, which store patient data in detachable media without access control.
Legacy medical devices such as this particular line of PET/CT scanners layer further complications onto the problem of unsecured PHI storage; many of the vulnerabilities affecting these devices are difficult if not impossible to remediate, given their irregular and sometimes unsupported operating systems.
From a compliance perspective, the legacy medical device situation is also complicated further because un-patchable medical devices are not HIPAA compliant.
However, organizations cannot be expected to do a mass replacement of older devices. This would be exorbitantly capital intensive, so a different approach is needed to address both PHI availability and future potential remediation requirements.
Flat and minimally segmented networks increase the attack surface
On the network side of the spectrum, many healthcare networks are either flat or are only segmented by department. This creates issues when entire departments are taken down due to ransomware attacks in which malware spreads laterally, infecting all devices in the large segment.
The initial source of a ransomware attack is typically some foothold gained in the network by one of the vulnerabilities mentioned above or an exposed RDP service or vulnerable VPN server that was exploited from a scan on the internet.
The supply chain then becomes the issue’s focal point, because of the typical practice of opening and closing the perimeter on demand for third-party access to resources. In other words, “trusting them” adds risk to the entire healthcare delivery organization (HDO) network.
These two issues bring concerns to light about both security and access: HDOs need a solution that maintains the mandated levels of data privacy and security without exposing the network, while also ensuring that timely and efficient access to network assets is maintained. HDO operational constraints and cost-sensitive budgets demand finding an efficient approach to solving these problems.
The U.S. Food and Drug Administration (FDA) and Mitre have weighed in on evaluating risks with the Common Vulnerability Scoring System (CVSS). Helpful resources include a rubric for applying CVSS risk assessments to medical devices and the Cybersecurity Medical Device Development Tool (MDDT) – MITRE’s “Rubric For Applying the Cybersecurity Common Vulnerability Scoring System (CVSS) to Medical Devices”.
These risk assessment resources help illustrate how medical device vulnerabilities can be exploited and the technical – not clinical – harms an attacker can cause.
New approaches like the Zero Trust Model – where network assets are highly segmented and access is only granted to specific resources – give HDOs more security and control over the network, even as these vulnerabilities continue to arise.
A New Approach for Medical Device Security: Edge Micro-Segmentation
Edge micro-segmentation is a new network architecture design concept meant to address these problems. Instead of having networks broken down into a few large segments, they are filled with endpoints that are each on their own protected “micro-segment,” and security is applied to the traffic as it enters and exits this micro-segment.
This means that there is no direct exposure of any medical device within the network. Even if one does have a vulnerability or become infected, ransomware and malware cannot spread laterally because of the protective isolation that the micro-segment provides, without increasing network or deployment complexity.
New solutions add depth to a network by providing security at the edge while allowing administrators to have control over the medical devices inside of each micro-segment.
Edge micro-segmentation deploys non-invasively on the network and is legacy compatible, meaning it’s a suitable solution for those devices in healthcare networks that cannot be reasonably secured against current security threats. It also helps make remote management more efficient and secure, streamlining cross-facility service and maintenance scheduling for third-party technicians and integrators.
Edge micro-segmentation is a simple first step that HDO network owners can take in a broader zero trust deployment to immediately rectify the weak points that legacy medical devices represent. Granular control and visibility of sprawling medical device inventories will help HDOs move toward a more preventative approach to securing our critical healthcare delivery infrastructure.