Federal Health Care Organizations Seek New Prescription for Managing Device Vulnerability 


The threat landscape in the medical sector is massive and expanding daily with exponential growth in connected medical devices.

After 2020’s performance as the worst year on record for data breaches, data protection is a huge concern for IT leaders. Data protection is also becoming a matter of public safety, as ransomware attacks frequently disrupt operations at hospitals, pipelines, food processing plants and other critical enterprises for profit. 

It’s not just the private health care system that’s at risk. The Military Health System, Veterans Affairs, Centers for Medicare and Medicaid Services and Indian Health Service are attractive targets for attacks due to their massive scale, valuable data assets, and vital role in national security. 

And ransomware is only one threat vector. This summer, for example, Armis researchers identified a set of nine critical vulnerabilities in the leading pneumatic tube system (PTS) solution in North America—the Translogic PTS system, which is used in over 80% of hospitals in North America. PTS devices play a crucial role in patient care.

Complicated Threat Landscape

The threat landscape in the medical sector is massive and expanding daily with exponential growth in connected medical devices—which can make up as much as three-quarters of the devices connected to a hospital’s network. They are also an attractive entry point into a health care organization’s network. 

Traditional health care networks lack security controls such as segmentation, so virtually all devices, including vulnerable medical devices, sit on a relatively flat network. Because vendors certify devices with very specific configuration and operational parameters, it is very difficult for teams to secure these devices, whether by upgrading end-of-life operating systems, installing critical security patches, or installing agents such as asset management or endpoint security agents. 

For example, let’s consider a patient monitoring system, a critical system that tracks and reports vitals and cannot experience performance issues. A typical patient monitoring system includes patient monitors, central workstations, multiple tiers of servers, and network equipment provided by the vendor. A delay, disruption or downtime of these devices can directly impact patient care if nurses have reduced or no visibility into monitoring of patient vitals or there is a lag in updating the vitals shown in the central workstations.

To account for this, vendors often place monitoring systems on their own dedicated networks behind vendor-provided gateways. This keeps the near-real-time critical traffic of the patient monitors completely segregated from the hospital's production traffic, minimizing any disruption that might arise from production network changes or latency issues. This segmentation, however, can also completely isolate such devices from the hospital's security tooling and thus create an additional blind spot.

Operational Disruption 

Traditional device vulnerability management programs use a scanner that actively and aggressively probes the network for assets and executes dated scanning methodology. While traditional scanners perform well against standard non-clinical endpoints, such as laptops and servers, these types of devices only account for a subset of the devices on a health care organization network. 

As security teams try to expand the scope of existing vulnerability scanners to include medical devices, they face several challenges, including personnel resources. The resource implications go beyond the IT security and biomed teams to include clinical staff, and scanning can interrupt the clinical workflow and impede patient care delivery. For medical devices that are scanned on a regular cadence, information security personnel, biomed and clinical staff must coordinate each time a scan is conducted to ensure the devices are online and not in clinical use for the duration of the scan—a process that is not sustainable for a successful vulnerability management program. 

New Threats Call for New Approach to Device Vulnerability Management

Health care organizations, including federal health care agencies and facilities, require a new approach that lets them assess risk continuously and unobtrusively, moving from the legacy scan-based model to a continuous-monitoring style of vulnerability management. They need to leverage capabilities that exist in legacy platforms and add innovations with new approaches that enable:

  • Network behavior visibility: Health care organizations require visibility into everything in the enterprise airspace, including devices that communicate via Wi-Fi and many other peer-to-peer protocols that are invisible to traditional security tools. This capability enables visibility into potential network intrusion and data exfiltration points in the environment. 
  • Real-time passive event-based vs. scheduled scanning: Health care organizations require real-time monitoring that does not impact device performance. An agentless passive architecture can create a foundation to automatically discover and support visibility into the behavior of every connected device in an environment—managed and unmanaged, medical and IT, wired and wireless, on or off the network, including IaaS environments and vendor managed network segments. 
  • Baselined device behavioral telemetry: To effectively manage vulnerabilities, health care organizations need to monitor a wide range of device characteristics. These metrics include manufacturer name, model, OS version, serial number, location, connections, FDA classification, and more. When organizations correlate valuable baseline data with real-time event-based scanning data, they can identify anomalous device behaviors that deviate from the normal profile of the device, such as MRI machines connecting to social media sites. 
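As an added illustration of the baseline-correlation idea in the last bullet (example code written for this page, not Armis's product logic or any vendor's), the Python checker below holds a constructed per-device baseline (manufacturer, model, FDA class, normal peer networks and destination ports) and flags passively captured flow records that deviate from it, including the MRI-to-social-media case. All device names, addresses and flow records are constructed.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class DeviceBaseline:
    """Baseline profile learned from passive observation of one device."""
    manufacturer: str
    model: str
    fda_class: str
    allowed_nets: tuple   # CIDR blocks the device normally talks to
    allowed_ports: tuple  # destination ports seen during the baseline window


# Constructed baselines keyed by device IP (hypothetical vendor and models).
BASELINES = {
    "10.20.1.15": DeviceBaseline("ExampleMed", "MRI-9000", "Class II",
                                 ("10.20.0.0/16",), (104, 11112)),  # DICOM to PACS
    "10.20.1.40": DeviceBaseline("ExampleMed", "Monitor-X", "Class II",
                                 ("10.30.0.0/16",), (2575,)),       # HL7 to vendor gateway
}


def flow_is_baseline(base: DeviceBaseline, dst_ip: str, dst_port: int) -> bool:
    """True when the flow matches the device's learned peer networks and ports."""
    addr = ipaddress.ip_address(dst_ip)
    in_net = any(addr in ipaddress.ip_network(n) for n in base.allowed_nets)
    return in_net and dst_port in base.allowed_ports


def detect_anomalies(flows: list, baselines: dict = BASELINES) -> list:
    """Score passive flow records 'src,dst_ip,dst_port,dst_name' against baselines."""
    findings = []
    for rec in flows:
        src, dst, port, name = rec.split(",")
        base = baselines.get(src)
        if base is None:
            findings.append((src, "no baseline: unmanaged or newly seen device"))
        elif not flow_is_baseline(base, dst, int(port)):
            findings.append((src, f"{base.model} ({base.fda_class}) -> {name}:{port} "
                                  "deviates from baseline"))
    return findings


# Constructed flow records as a passive sensor would export them (no active probing).
SAMPLE_FLOWS = [
    "10.20.1.15,10.20.5.7,104,pacs.hospital.example",      # MRI -> PACS: normal
    "10.20.1.15,203.0.113.10,443,social-media.example",    # MRI -> internet: anomalous
    "10.20.1.40,10.30.0.2,2575,gateway.vendor.example",    # monitor -> vendor gateway: normal
    "10.20.1.77,10.20.5.7,445,pacs.hospital.example",      # device with no baseline at all
]

if __name__ == "__main__":
    for ip, why in detect_anomalies(SAMPLE_FLOWS):
        print(ip, why)
```

A device with no baseline is reported as well, since an unknown endpoint on a clinical segment is itself a visibility gap worth triaging.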

Utilizing these approaches allows for the creation of an architecture that considers not only the technology footprint but also how workflow impacts an operational setting. It also provides security and operations teams with appropriate, prioritized, contextualized data. The end result is significant improvements in security and team efficiency for incident response and recovery operations.

Oscar Miranda is a field chief technology officer for medical at Armis.
