The Challenge of Securing That Which Is Invisible
By Tomislav Mustac, Senior Director Cybersecurity, Mount Sinai Health System
Not that long ago, the cyber threat landscape of most health delivery organizations (HDOs) was much simpler than it is today. The general consensus was that cybersecurity was an IT issue, and the core focus of our biomedical engineers was to keep our devices maintained and operating to the manufacturer's specifications. There was a distinct organizational separation between the biomedical team and the IT departments, and an equally sharp distinction between what we refer to as "traditional IT devices" and biomedical devices. The interaction between our IT and biomedical departments was siloed and transactional. Our IT security departments defended "computing assets," identified as IP addresses and VLANs, from viruses and ransomware without much concern for what the devices actually were, and with network policies that were very permissive. In today's rapidly evolving world, EVERYTHING is redefined. For the leadership of HDOs, these new challenges have been enough to shake their foundations and keep them from a restful slumber.
We have learned, and many are still learning, that we must look at everything differently and challenge everything; it is incredible what you find when you shine a light on the darkest corners of your enterprise. Healthcare organizations are among the most complex operating environments in the world. Depending on the specialties at the organization, our technologists are learning that our networks carry one of the most diverse technology mixes on the planet. As you gain visibility, you will find that you have gaming systems (Nintendos, PlayStations, Xboxes, etc.) and interactive exercise equipment (Peloton, NordicTrack, etc.). Further, our organizations were forced to find innovative approaches to operational efficiency in all areas. We adopted new approaches to physical security with broad networks of IP cameras and NVRs, card access systems, and a barrage of networked environmental sensors for occupancy, air and water quality, and more. This is on top of the existing security systems, elevator/escalator controllers, HVAC, and plant equipment controllers.
Over the past couple of years, the exponential growth in cyberattacks has brought to light the fact that the number of unmanaged, nontraditional IT devices in most organizations far exceeds the number of managed devices. Additionally, the majority of these unmanaged IoT devices cannot host traditional IT controls such as antivirus scanners and vulnerability management agents. These combined facts should be enough for IT leadership to never sleep again. This newfound awareness has ushered in a lot of attention from cybersecurity companies driven by a sincere desire to protect the technology our organizations use to save and improve lives every day. These new, rapidly evolving tools brought new capabilities to identify and classify every device connected to our networks, whether it is managed or not. The tools have additionally evolved the capability to ingest MDS2 (Manufacturer Disclosure Statement for Medical Device Security) forms and vendor vulnerability disclosures, match them against your equipment inventory, and rapidly determine where your risks lie and where you should focus your attention.
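The matching step described above, as an added example in Python that is not code from the article or from any of the products it mentions. The inventory, advisory list and version ranges are constructed for illustration, and the `hosts_endpoint_agent` flag is a simplified stand-in for the MDS2 question of whether a device can run anti-malware software, not the real form's field name. The point it makes beyond the paragraph is the prioritization: a network-exploitable flaw on a device that cannot host an agent ranks first, and a flaw with no vendor fix is routed to a network-policy action rather than a patch.

```python
"""Match a device inventory against vendor vulnerability disclosures.

All data below is constructed for illustration; the advisory schema and the
MDS2-style flag are simplified assumptions, not a real vendor's or tool's format.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.2.1' -> (3, 2, 1, 0). Pads to four components so '3.2' == '3.2.0',
    and tolerates trailing letters ('3.2a') by keeping only the leading digits."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts[:4]) + (0,) * (4 - len(parts[:4]))


@dataclass(frozen=True)
class Device:
    asset_id: str
    vendor: str
    model: str
    version: str
    hosts_endpoint_agent: bool   # assumption: derived from the device's MDS2 answers


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    vendor: str
    model: str
    first_affected: str          # inclusive lower bound
    fixed_in: Optional[str]      # exclusive upper bound; None = no fix available yet
    network_exploitable: bool


# Constructed inventory and advisories (hypothetical vendors, models, IDs).
INVENTORY = [
    Device("INF-0001", "ExampleMed", "InfusionPro 7", "3.1.4", False),
    Device("INF-0002", "ExampleMed", "InfusionPro 7", "3.2.0", False),
    Device("MON-0001", "ExampleMed", "VitalsMon X", "5.0", True),
    Device("CT-0001", "OtherVendor", "ScanMax", "12.4.2", False),
]
ADVISORIES = [
    Advisory("EX-2023-001", "ExampleMed", "InfusionPro 7", "3.0", "3.2", True),
    Advisory("EX-2023-002", "ExampleMed", "VitalsMon X", "4.0", None, True),
    Advisory("EX-2023-003", "OtherVendor", "ScanMax", "12.0", "12.4", False),
]


def is_affected(device: Device, adv: Advisory) -> bool:
    """Affected when vendor/model match and first_affected <= version < fixed_in."""
    if (device.vendor, device.model) != (adv.vendor, adv.model):
        return False
    v = parse_version(device.version)
    if v < parse_version(adv.first_affected):
        return False
    return adv.fixed_in is None or v < parse_version(adv.fixed_in)


def match_advisories(inventory: List[Device], advisories: List[Advisory]) -> List[dict]:
    """Return findings with the riskiest first.

    priority 0: network-exploitable and the device cannot host an endpoint agent
    priority 1: network-exploitable, device can host an agent
    priority 2: local-only exposure
    Within a priority, findings with no vendor fix rank above patchable ones.
    """
    findings = []
    for d in inventory:
        for a in advisories:
            if not is_affected(d, a):
                continue
            if not a.network_exploitable:
                priority = 2
            else:
                priority = 0 if not d.hosts_endpoint_agent else 1
            findings.append({
                "asset_id": d.asset_id,
                "advisory_id": a.advisory_id,
                "priority": priority,
                "fix_available": a.fixed_in is not None,
                "action": (f"upgrade to {a.fixed_in}" if a.fixed_in
                           else "no vendor fix: isolate with network policy"),
            })
    findings.sort(key=lambda f: (f["priority"], f["fix_available"], f["asset_id"]))
    return findings


if __name__ == "__main__":
    for f in match_advisories(INVENTORY, ADVISORIES):
        print(f"P{f['priority']} {f['asset_id']} {f['advisory_id']}: {f['action']}")
```

Two edge cases are deliberate: INF-0002 runs exactly the fixed version (3.2.0) and is correctly not flagged because the upper bound is exclusive, and CT-0001 is on 12.4.2, above the fix, even though it shares the advisory's major version. Real tools also need to cope with vendors that publish affected builds as free text rather than ranges, which is where the manufacturer engagement discussed below matters.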
While these new tools bring a great deal of capability and greatly accelerate time to remediate vulnerabilities, adopting them is not without challenge. Like every new technology, there are challenges in adopting new tools and techniques. To properly address cyber risk, particularly with medical devices, you need to engage new stakeholders that IT security has not had to deal with in the past. One of the most important stakeholders is the device manufacturer. For the most part, device manufacturers continue to sit out of the cyber defense conversation and will not engage security teams beyond providing boilerplate responses and service documentation. However, a couple of key players have rolled up their sleeves and are actively participating in the conversation.
Another key stakeholder is the IT Security Department. Traditionally, the extent of the IT department's engagement was to provide a network connection for the device and then let the biomedical team and the device manufacturer complete its configuration and setup. This is no longer an acceptable approach to the defense and management of our connected medical devices. Today the IT Security and Biomedical departments need to work hand in hand to ensure cradle-to-grave management of the cyber posture of our connected medical devices. The IT department needs to act as a gatekeeper that enforces an allowlist (whitelist) approach, where only the IPs, domains, ports and protocols a device actually requires are enabled and everything else is denied by default. This is a difficult task without deploying one of the new technologies for identifying the devices on your network, such as Medigate, Ordr, Armis or the like: traditional IT network management tools do not provide insight into what a device actually is or what it is doing on your network. You will also find that these tools identify many device types residing on your networks that your teams had no idea were there.
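The per-device allowlist described above, as an added example in Python that is not code from the article or from Medigate, Ordr, Armis or any other product. The device profile (a hypothetical infusion pump and the destinations its manufacturer documents), the observed flow records and the generic `allow`/`deny` rule syntax are all constructed for this illustration. It shows the two halves of the gatekeeper role: rendering a default-deny policy from the documented profile, and checking the flows a visibility tool reports against that same profile so anything outside it surfaces as a violation rather than being silently permitted.

```python
"""Default-deny, per-device allowlist for a connected medical device.

Profile, flows and rule format are constructed for illustration; nothing here
is a real product's schema or a real device's documented port list.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Allow:
    """One permitted conversation. dest is a CIDR or a DNS name; port None = any port."""
    dest: str
    proto: str            # "tcp" or "udp"
    port: Optional[int]
    purpose: str


# Constructed profile for a hypothetical infusion pump, as it would be derived
# from the manufacturer's port/protocol documentation and MDS2 form.
PUMP_PROFILE = [
    Allow("10.20.30.5/32", "tcp", 443, "drug library / telemetry server"),
    Allow("10.20.0.0/16", "udp", 53, "internal DNS"),
    Allow("ntp.hospital.example", "udp", 123, "time sync"),
]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_name: Optional[str]   # resolved name from the visibility tool, if it has one
    proto: str
    dst_port: int


def _dest_matches(rule: Allow, flow: Flow) -> bool:
    try:
        net = ipaddress.ip_network(rule.dest, strict=False)
    except ValueError:
        # rule.dest is a DNS name: it can only match when the tool reported a name.
        # An IP-only flow never satisfies a name rule, so it is reported, not assumed OK.
        return flow.dst_name is not None and flow.dst_name.lower() == rule.dest.lower()
    return ipaddress.ip_address(flow.dst_ip) in net


def is_allowed(profile: List[Allow], flow: Flow) -> bool:
    """True only if some rule matches protocol, port and destination. Default deny."""
    return any(
        r.proto == flow.proto
        and (r.port is None or r.port == flow.dst_port)
        and _dest_matches(r, flow)
        for r in profile
    )


def violations(profile: List[Allow], flows: List[Flow]) -> List[Flow]:
    return [f for f in flows if not is_allowed(profile, f)]


def render_rules(device_ip: str, profile: List[Allow]) -> List[str]:
    """Emit the profile as ordered allow rules followed by an explicit default deny.
    The rule syntax is a constructed generic form, not a specific firewall's."""
    rules = []
    for r in profile:
        port = "any" if r.port is None else str(r.port)
        rules.append(f"allow {device_ip} -> {r.dest} {r.proto}/{port}  # {r.purpose}")
    rules.append(f"deny {device_ip} -> any any/any  # default deny")
    return rules


# Constructed flow records for the pump at 10.20.31.77.
OBSERVED = [
    Flow("10.20.31.77", "10.20.30.5", None, "tcp", 443),
    Flow("10.20.31.77", "10.20.0.10", None, "udp", 53),
    Flow("10.20.31.77", "10.20.40.9", "ntp.hospital.example", "udp", 123),
    Flow("10.20.31.77", "10.20.30.5", None, "tcp", 22),                    # SSH to the telemetry server
    Flow("10.20.31.77", "203.0.113.9", "update.example.net", "tcp", 80),   # off-site HTTP
]


if __name__ == "__main__":
    print("\n".join(render_rules("10.20.31.77", PUMP_PROFILE)))
    for f in violations(PUMP_PROFILE, OBSERVED):
        print(f"VIOLATION {f.src_ip} -> {f.dst_ip} ({f.dst_name}) {f.proto}/{f.dst_port}")
```

Two details are worth noting. The SSH flow goes to an allowed server but on a port the profile does not list, and it is still flagged: allowlisting by destination alone would have missed it. The name-based NTP rule only matches when the observing tool supplies a resolved name; when enforcing on a firewall that cannot resolve names per packet, pin the NTP server's address in the profile instead so the rule stays enforceable.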
One of the key challenges of introducing these new approaches and tools to managing your landscape is resistance to change. The tools and techniques our network defenders use are well established and have progressively evolved to where they are today. The positive is that these teams share your frustration with the limitations and challenges we all face with this diverse technological landscape. Another key challenge most organizations face is that these technologies require significant financial investment, and they need champions to usher them through the adoption phase. Once the commitment is made to introduce these new tools, you will quickly find that the visibility they provide is truly enlightening and empowering. You will be able to quickly assess where your biggest exposures are, and you will be able to generate and implement network policies that address them.
In conclusion, the bottom line is that you can no longer afford to ignore the new tools available for identifying and profiling the devices on your network. Failing to adopt these tools is the equivalent of flying a plane blindfolded. You cannot defend what you cannot see, and continuing to hold the status quo will not end well.