Federal Health Care Organizations Seek New Prescription for Managing Device Vulnerability 


The threat landscape in the medical sector is massive and expanding daily with exponential growth in connected medical devices.

After 2020’s performance as the worst year on record for data breaches, data protection is a huge concern for IT leaders. Data protection is also becoming a matter of public safety, as ransomware attacks frequently disrupt operations at hospitals, pipelines, food processing plants and other critical enterprises for profit. 

It’s not just the private health care system that’s at risk. The Military Health System, Veterans Affairs, Centers for Medicare and Medicaid Services and Indian Health Service are attractive targets for attacks due to their massive scale, valuable data assets, and vital role in national security. 

And ransomware is only one threat vector. This summer, for example, Armis researchers identified a set of nine critical vulnerabilities in the leading pneumatic tube system (PTS) solution in North America, the Translogic PTS system, which is used in over 80% of North American hospitals. PTS devices play a crucial role in patient care, so a compromise of the system that controls them is an operational and patient-safety risk, not only a data risk.

Complicated Threat Landscape

The threat landscape in the medical sector is massive and expanding daily with exponential growth in connected medical devices, which can make up as much as three-quarters of the devices connected to a hospital's network. Because they are numerous, hard to patch and rarely monitored, they are also an attractive entry point into a health care organization's network. 

Traditional health care networks lack security controls such as segmentation, so virtually all devices, vulnerable medical devices included, sit on a relatively flat network. Because vendors certify devices with very specific configuration and operational parameters, it is very difficult for teams to secure them by the usual means: upgrading end-of-life operating systems, installing critical security patches, or deploying asset management or endpoint security agents can all void the certified configuration. 

For example, consider a patient monitoring system, a critical system that tracks and reports vitals and cannot tolerate performance degradation. A typical patient monitoring system includes patient monitors, central workstations, multiple tiers of servers, and network equipment provided by the vendor. A delay, disruption or outage of any of these components can directly impact patient care if nurses have reduced or no visibility into patient vitals, or if the vitals shown on the central workstations lag behind the bedside monitors.

To account for this, vendors often place monitoring systems on their own dedicated networks behind vendor-provided gateways. This keeps the near real-time critical traffic separate and completely segregates the patient monitor traffic from the hospital's production traffic, minimizing any disruption that production network changes or latency issues might cause. The same segmentation, however, can completely isolate these devices from the hospital network, and from the security tools that monitor it, creating an additional blind spot.

Operational Disruption 

Traditional device vulnerability management programs use a scanner that actively and aggressively probes the network for assets and executes dated scanning methodology. While traditional scanners perform well against standard non-clinical endpoints, such as laptops and servers, those endpoints account for only a subset of the devices on a health care organization's network. Active probing also carries a risk the scanner was never designed around: embedded medical devices with fragile network stacks can hang, reboot or drop their clinical connection when they receive unexpected packets. 

As security teams try to expand the scope of existing vulnerability scanners to include medical devices, they face several challenges, including personnel resources. The resource implications go beyond the IT security and biomed teams to include clinical staff, and the scans themselves can interrupt the clinical workflow and impede patient care delivery. For medical devices that are scanned on a regular cadence, information security personnel, biomed and clinical staff must coordinate each time a scan is conducted to ensure the devices are online and not in clinical use for the duration of the scan, a process that is not sustainable for a successful vulnerability management program. 

New Threats Call for New Approach to Device Vulnerability Management

Health care organizations, including federal health care agencies and facilities, require a new approach that assesses risk continuously and unobtrusively, moving vulnerability management from periodic scans to continuous monitoring. They need to retain the capabilities that exist in legacy platforms and add new approaches that enable:

  • Network behavior visibility: Health care organizations require visibility into everything in the enterprise airspace, including devices that communicate via Wi-Fi and other wireless or peer-to-peer protocols that never traverse the wired network and are therefore invisible to traditional security tools. This capability exposes potential intrusion and data exfiltration points in the environment. 
  • Real-time passive event-based vs. scheduled scanning: Health care organizations require real-time monitoring that does not impact device performance. An agentless passive architecture, which observes traffic rather than probing devices, can create a foundation to automatically discover every connected device in an environment and support visibility into its behavior: managed and unmanaged, medical and IT, wired and wireless, on or off the corporate network, including IaaS environments and vendor-managed network segments. 
  • Baselined device behavioral telemetry: To effectively manage vulnerabilities, health care organizations need to monitor a wide range of device characteristics, including manufacturer name, model, OS version, serial number, location, connections, FDA classification, and more. When organizations correlate this baseline data with real-time event data, they can identify device behaviors that deviate from the device's normal profile, such as an MRI machine connecting to a social media site. 
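The last two points above describe a pipeline: discover devices passively from observed traffic, keep a learned communication baseline per device, and score deviations using device context such as FDA class. The following script is an added illustration written for this article, not code from Armis or any product. It assumes flow records that were copied off a SPAN port or tap (so no packet is ever sent to a device) in a constructed "timestamp source destination port protocol destination-name" layout, and a hand-built inventory; every address, device name, domain and profile in it is hypothetical.

```python
"""Passive, baseline-driven anomaly detection for connected medical devices.

Added example for this article, not vendor code. Inputs are constructed
inline so the script runs offline: a device inventory with a learned
communication profile per device, and flow records as a passive tap
would deliver them (the script never sends traffic to any device).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Device:
    name: str
    model: str
    fda_class: int            # FDA device class: 1 = lowest risk, 3 = highest
    allowed_nets: tuple       # CIDRs the learned baseline shows this device talking to
    allowed_ports: frozenset  # destination ports observed during the learning window


# Constructed inventory baseline; all names, models and addresses are hypothetical.
INVENTORY = {
    "10.20.1.15": Device("MRI-01", "Acme MR 3T", 2, ("10.20.0.0/16",), frozenset({104, 11112})),
    "10.30.2.40": Device("PM-07", "Acme PM4000", 3, ("10.30.2.0/24",), frozenset({7000})),
    "10.40.5.9": Device("RAD-WS-03", "Radiology workstation", 1,
                        ("10.0.0.0/8", "0.0.0.0/0"), frozenset({80, 443, 104})),
}

# Constructed flow records: "ts src dst dport proto dst_name" (dst_name comes from
# passive DNS, "-" when unknown). A real deployment would read a Zeek/NetFlow feed;
# this layout exists only for the example.
FLOWS = """\
1629000001 10.20.1.15 10.20.7.2 104 tcp pacs.hospital.example
1629000002 10.30.2.40 10.30.2.1 7000 tcp central-station.hospital.example
1629000003 10.20.1.15 157.240.1.35 443 tcp www.facebook.com
1629000004 10.30.2.40 10.30.2.1 23 tcp central-station.hospital.example
1629000005 10.50.9.77 10.20.7.2 104 tcp pacs.hospital.example
1629000006 10.40.5.9 142.250.80.46 443 tcp www.google.com
"""

# Domains a clinical device has no business contacting (constructed list).
CONSUMER_DOMAINS = ("facebook.com", "twitter.com", "instagram.com", "tiktok.com")


def parse_flows(text):
    """Parse the constructed flow format into dicts, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, dport, proto, name = parts
        flows.append(dict(ts=int(ts), src=src, dst=dst, dport=int(dport), proto=proto, name=name))
    return flows


def in_baseline_nets(dst, nets):
    """True when the destination falls inside any CIDR of the learned profile."""
    return any(ip_address(dst) in ip_network(n) for n in nets)


def evaluate(flows, inventory=INVENTORY):
    """Compare every flow with its source device's baseline.

    Returns alerts sorted highest score first. Score = base severity of the
    deviation + the device's FDA class, so the same anomaly ranks higher on
    a life-critical device than on a workstation.
    """
    alerts = []
    seen_unmanaged = set()
    for f in flows:
        dev = inventory.get(f["src"])
        if dev is None:
            # Passive discovery: a source we have never inventoried is itself a finding.
            if f["src"] not in seen_unmanaged:
                seen_unmanaged.add(f["src"])
                alerts.append(dict(score=3, device=f["src"],
                                   reason="unmanaged device discovered (not in inventory)", flow=f))
            continue
        base = None
        if not in_baseline_nets(f["dst"], dev.allowed_nets):
            dst_public = ip_address(f["dst"]).is_global
            base, reason = (5, "destination outside baseline") if dst_public else (3, "destination outside baseline")
            if dst_public and f["name"].endswith(CONSUMER_DOMAINS):
                base, reason = 7, f"connection to consumer/social site {f['name']}"
        elif f["dport"] not in dev.allowed_ports:
            base, reason = 2, f"new service {f['proto']}/{f['dport']} not in baseline"
        if base is not None:
            alerts.append(dict(score=base + dev.fda_class, device=dev.name, reason=reason, flow=f))
    alerts.sort(key=lambda a: a["score"], reverse=True)
    return alerts


if __name__ == "__main__":
    for a in evaluate(parse_flows(FLOWS)):
        print(f"[{a['score']:2d}] {a['device']:<12} {a['reason']}")
```

On the constructed flows this ranks the MRI talking to a social media site first, a Class 3 patient monitor opening a telnet session to its central station second (inside its network, but a service never seen in the baseline), and a never-inventoried host reaching the PACS server third. The scoring is deliberately simple; the point is that the context the baseline carries (FDA class, expected peers, expected services) is what turns a flow record into a prioritized finding without ever probing the device.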

Combining these approaches produces an architecture that accounts not only for the technology footprint but also for the clinical workflows running on it. It also gives security and operations teams prioritized, contextualized data rather than raw scan output. The end result is a measurable improvement in security posture and in team efficiency during incident response and recovery.

Oscar Miranda is a field chief technology officer for medical at Armis.