
The rise of medical device hacking: How strong is your network security?

July 19, 2019
Health IT

In practice, healthcare networks contain a wide range of equipment and devices, often running on old operating systems such as Windows XP and Linux. These systems are exposed to dozens of vulnerabilities that have been identified and reported on extensively. This is the warning shot to healthcare delivery organizations (HDOs) that their medical equipment is even more vulnerable to a breach. With so many devices, communication protocols and varying patching cycles, it's imperative that a security solution can carry out the following best practices:
• Keep an updated inventory of all connected medical devices and other IoT assets
• Introduce a viable risk assessment process that outlines the most important assets in the environment
• Segment critical assets to significantly decrease the attack surface

Not all security solutions are created equal
Discovery of medical devices and clinical policy enforcement require a very granular understanding of each individual medical device and its unique behaviors. Reaching that level of granularity requires decoding the different proprietary protocols that the multitude of manufacturers use. Deep packet inspection is the only technique that provides that capability; machine learning and artificial intelligence can’t.

Most organizations have powerful, state-of-the-art enforcement solutions such as NGFWs and NACs. But it’s not clear to them which policies are to be enforced or what the best practices are. Those questions are usually pushed to professional services vendors and clients from the manufacturers. In a general IoT setting, those answers are already defined and generally accepted. In a clinical setting, they are almost non-existent. A security vendor has to be able to understand the device protocols and clinical workflows, an understanding that comes from deep packet inspection, in order to set clinically based policies. With those, HDOs know what is allowed on the network, which policies should be enforced and which devices are vulnerable and therefore should be prohibited from going on the network.

Having the visibility data and policy profiles based on clinical workflows also drives network segmentation enforcement. For instance, a NAC can now be leveraged to segment clinical devices by device type so that devices of different types cannot communicate with each other. A firewall can be leveraged to allow internet communications to certain web domains and disallow others.
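As an added illustration (not from the original article or any vendor's product), the sketch below shows how an inventory plus per-device-type workflow profiles can be turned into allow/deny decisions for observed flows. All IP addresses, device types, the domain and the profile contents are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory: IP -> device type (hypothetical values).
INVENTORY = {
    "10.20.1.11": "infusion_pump",
    "10.20.2.21": "ct_scanner",
    "10.20.9.5": "pacs_server",
}

# Constructed workflow profiles: permitted peer types and internet domains.
PROFILES = {
    "infusion_pump": {"peers": set(), "domains": {"updates.pump-vendor.example"}},
    "ct_scanner": {"peers": {"pacs_server"}, "domains": set()},
    "pacs_server": {"peers": {"ct_scanner"}, "domains": set()},
}

@dataclass(frozen=True)
class Flow:
    src: str        # source IP on the clinical network
    dst: str        # internal destination IP, or domain when external
    external: bool  # True when dst is an internet domain

def evaluate(flow):
    """Return (verdict, reason); anything not explicitly profiled is denied."""
    src_type = INVENTORY.get(flow.src)
    profile = PROFILES.get(src_type)
    if profile is None:
        return ("deny", "source not in inventory")
    if flow.external:
        if flow.dst.lower().rstrip(".") in profile["domains"]:
            return ("allow", f"{src_type} -> approved domain")
        return ("deny", f"{src_type} -> unapproved domain")
    dst_type = INVENTORY.get(flow.dst)
    if dst_type is None:
        return ("deny", "destination not in inventory")
    if dst_type in profile["peers"]:
        return ("allow", f"{src_type} -> {dst_type}")
    return ("deny", f"{src_type} may not reach {dst_type}")

def violations(flows):
    """Flows a NAC or firewall rule set derived from the profiles would block."""
    return [(f, r) for f in flows for v, r in [evaluate(f)] if v == "deny"]

# Constructed sample of observed flows.
SAMPLE_FLOWS = [
    Flow("10.20.2.21", "10.20.9.5", False),                 # CT -> PACS
    Flow("10.20.1.11", "10.20.2.21", False),                # pump -> CT
    Flow("10.20.1.11", "Updates.Pump-Vendor.example", True),
    Flow("10.20.2.21", "updates.pump-vendor.example", True),
    Flow("10.20.7.77", "10.20.9.5", False),                 # unknown device
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(flow.src, "->", flow.dst, ":", reason)
```

The default-deny branch for sources missing from the inventory is what ties the segmentation policy back to keeping the inventory current.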

Understanding the details about a device security solution will ensure it can support all of your security initiatives from an IT, IS and clinical engineering perspective, and will make the existing infrastructure far more effective in a clinical setting.
