technation.com
Vol. 13
ADVANCING THE BIOMEDICAL / HTM PROFESSIONAL
DIGITAL SUPPLEMENT
Healthcare Security Under the Microscope
Automating Cybersecurity for HTM Lifecycle Managers
IPSOS Medical Device Security Research: What Biomedical Teams Said
SPONSORED BY
DISCLAIMER: MD Publishing (TechNation) takes every precaution to ensure accuracy of content; however, the information, opinions, and statements expressed in the articles and advertisements herein are those of the writer and/or advertiser, and not those of our company.
HEALTHCARE SECURITY UNDER THE MICROSCOPE
An analysis of deployment data to better understand the cybersecurity risks facing healthcare organizations today.
SPONSORED BY FORESCOUT

We all know the Internet of Medical Things (IoMT) continues to offer exciting possibilities for healthcare organizations to improve patient care. We’re also acutely aware of how this digital transformation and increase in connectivity introduces privacy and security risks that have led to triple digit increases in attacks.

The device landscape is growing exponentially, adding to the complexity of networks (both IT and clinical) and making it difficult to manage and improve security posture. For this article, we have pulled source data from the Forescout Device Cloud, a repository of host and network information for more than 8 million devices, making it one of the largest crowdsourced device repositories. For this research, we limited Device Cloud analysis to 75 healthcare deployments with over 10,000 virtual local area networks (VLANs) and 1.5 million devices. Since the primary focus of the report is the status of medical devices, many of the results are based on analysis of more than 1,500 medical VLANs with 430,000 devices.

EXPLOSION OF CONNECTED DEVICES IN HEALTHCARE
The number of connected devices is growing at hyper speed, expanding the attack surface and making it difficult to scale security. These devices include healthcare devices like patient tracking and identification systems, infusion pumps and imaging systems. It also includes infrastructure devices such as building automation systems, physical security systems, uninterrupted power supplies, backup generators and other OT systems and devices that are increasingly joining IT networks.

UNDERSTANDING AND PRIORITIZING RISK
The convergence of the clinical, IT and OT networks creates a new class of security risks. Cybercriminals can now move laterally across any of them. The increase in mergers and acquisitions, which are prevalent in the healthcare sector, further amplifies these security challenges. Much like clinical diagnosis and treatment, CISOs must detect risks early and prioritize the best course of action. Security and risk management teams that attempt to mitigate every risk will realize marginal results. By fully understanding threats on the network and pinpointing the devices that are harboring the most risk, it’s possible to maximize productivity, increase ROI and reduce risk across the network.

CLASSES OF DEVICES ON MEDICAL VLANS
Many networks still operate in organizational silos, leaving gaps in security. Clinical engineers often focus on securing connected medical devices while facilities and operations teams concentrate on securing building automation systems. Given these siloed priorities, who is responsible for looking at security holistically?

At the most basic level, healthcare organizations need to be aware of the Clinical, IT, IoT and OT devices connecting to their networks. This awareness helps to break down security silos, brings the right groups together to discuss security strategies, and provides the foundation for a holistic approach to security. The classes of devices will likely shift in size as more medical devices connect to networks, making it critical to regularly review and adapt security strategies.
[Figure: Devices in Health Delivery, by class: IT, IoT, IoMT and OT]

IT devices: Personal computers, laptops, purpose-built workstations, servers, thick and thin clients, virtualization hypervisors and enterprise networking gear.

IoMT and OT devices: Medical devices, critical care systems, building automation/HVAC systems, power generators, badging and other facilities-related devices as well as IP-enabled security cameras and physical security systems.

IoT devices: VoIP phones, network printers, mobile devices, tablets, controllers and converters, video conferencing devices, presentation systems, smart TVs, entertainment consoles, various accessories.

THE MOST COMMON CONNECTED MEDICAL DEVICES
Inpatient medical facilities tend to see a higher percentage of devices that are “connected” to a patient. Per-patient devices such as patient identification and tracking systems, infusion pumps, and patient monitors represent the majority of healthcare devices on clinical networks. This makes sense as they are the devices tracking and monitoring patients on a 1:1 ratio. Devices such as those used in laboratory diagnostics or medical imaging represent a smaller number because they are shared devices. These more expensive systems tend to become long-lived legacy devices that are challenging to patch and keep updated.

[Figure: Most Common Connected Medical Devices]

DIVERSITY OF DEVICE OPERATING SYSTEMS
The diversity of device operating systems can make managing security increasingly challenging. When looking at the different types of operating systems found on medical VLANs, more than half (59%) were Windows operating systems and 41% were a mix of other variants, including mobile, embedded firmware and network infrastructure. Patching and updating operating systems in healthcare environments—especially acute care facilities—can be challenging and require devices to remain online and available. Some medical devices cannot be patched, may require vendor approval or need patches to be manually implemented.
DEVICE VENDOR COMPLEXITY ON THE RISE
Today’s healthcare organizations are technology-saturated environments. Device vendors have historically not designed products with security as a top priority, making it more challenging to manage and secure them. In addition, vendors approach clinicians with devices that end up connected to the network, bypassing security and risk protocols. IT and security teams may detect these unauthorized connected devices, but typically are unable to classify or easily locate them. Multi-site healthcare campuses are not technically homogeneous by any means—more than 30% of organizations’ medical VLANs support more than a hundred distinct device vendors—and that diversity doesn’t include the vendor tally from the other functional networks, such as back office, front office, and more. In many instances, the vendors themselves are responsible for patching and maintaining specialized clinical systems.

KEY TAKEAWAYS FROM THIS RESEARCH
It’s critical for healthcare organization clinical, security, and risk management leaders to work together to secure all devices across the extended HDO. Solely focusing on securing medical devices rather than securing all device classes can cause significant gaps in your security posture. A holistic approach to security requires continuous visibility and control over the entire connected-device ecosystem—including understanding the role a device visibility and control platform can play in orchestrating actions among heterogeneous security and IT management tools. As stated previously, the costs of inaction can be staggering. Every second that a device remains noncompliant extends your window of vulnerability and increases your risk factor—exposing your healthcare organization to significant patient safety, financial and business consequences. Healthcare organizations have a choice: invest in proactive risk planning and mitigation efforts now or pay later and face the wrath of security-conscious regulatory agencies, patients and legislators.

[Figure: Diversity of Operating Systems on Medical VLANs. Panel “Number of OS Variants on Medical VLANs”, bins: <5, 5-10, 11-20, 21-30, 31-49, 50+. Panel “Windows OS vs. All Other OS Variants”: Windows OS 59%, Other OS Variants 41%.]
The study revealed that 40% of deployments had more than 20 different operating systems on their medical VLANs.

[Figure: Number of Device Vendors on Medical VLANs, bins: <20, 20-49, 50-99, 100-199, 200+.]
34% of organizations’ medical VLANs support more than 100 distinct device vendors.
Automating Cybersecurity for HTM Lifecycle Managers
Integrating with CMMS and MDS2 to inventory your entire fleet must be “automatic”.

Clinical engineers, as well as their IT Security counterparts, face many challenges to ensure “always on” operations. They don’t want to rely on manufacturer support for patches, nor do they have the time or bandwidth to piece together data trails to figure out what happened, where it began, or how to respond. Often, there is little time to act, and a breach or ransomware attack can shut down the entire hospital for hours, days, or weeks. What’s more, the attack surface continues to widen so it’s critical that both clinical and IT teams see it all and can effectively manage and mitigate all the associated risks.

The numbers speak for themselves – the healthcare industry is one of the most targeted by cyber attackers, hitting an all-time high in 2021. With 82 global ransomware incidents logged by May 25, 2021¹, and a total of 45 million PHI breaches by year-end², there’s no sign of this letting up.

EVOLVING YOUR NAC TO MEET THE NEEDS OF THE DIGITAL TERRAIN
One comprehensive source of truth for all connected assets is critical. Clinical operations and IT security teams must work together to arrive at one source of truth, which can be difficult when working with different data sets that potentially overlap or leave gaps. Continuously assessing compliance and risk posture without requiring SPAN/TAP across all cyber assets is another aspect of security that clinical operations must automate. You should expect that in your day-to-day operations, your assets integrate with dozens of third-party cybersecurity products to bolster native assessment capabilities. You will want to decide how to assess your assets and then adapt the assessments over time to address your changing needs.

CRITICAL TIME FOR HEALTHCARE PROVIDERS
As connected medical devices become perhaps the most critical component of the digital terrain, biomedical engineers have a clear responsibility to keep cyber security in mind, from procurement and implementation to the regular monitoring and updating of such devices. The sooner every hospital realizes the overlap between clinical operations and cyber security, the sooner it can leverage the synergies between the departments.

Even if all of your medical devices are successfully cataloged and inventoried, without enhanced network visibility, it will be difficult to identify and oversee the device configuration and network calibrations needed to maintain security. Adding to the complexities of IoMT, medical devices tend to employ communications protocols unique to the industry or proprietary to manufacturers that traditional security solutions do not understand and therefore cannot protect.

MEDICAL DEVICES IN THE DIGITAL TERRAIN
A hospital’s digital terrain is often comprised of IT or Information Technology (e.g., servers, firewalls, workstations), OT or Operations Technology (e.g., elevators, HVAC), IoT or Internet of Things (e.g., security cameras, Alexa device in a hospital kitchen), and IoMT or Internet of Medical Things (e.g., hospital beds, imaging, ventilators, etc.).

Every health delivery organization needs to know exactly how many assets across their digital terrain are connected to their network. You can’t afford to have blind spots.

There are approximately 17,000 hospitals around the world. With an estimated 20,000 devices in each that’s more than 340 million connected medical devices. Devices can take a wide range of forms, serving a variety of different purposes, and come from many different vendors – each device type, clinical applications, and vendor having its own security implications. With such a large and diverse network to secure, the challenge is to achieve simultaneously granular and panoramic visibility as needed to survey your inventory, plot out smart access control policies, and empower context-aware flow monitoring.

NAC or Network Access Control is the way that most organizations monitor the devices and users -- authorized and unauthorized -- trying to access the network. For hospitals, the digitalization of medical devices and processes has now added many, if not most, clinical assets to the connected world. This is the central reason why the clinical and IT networks need to be considered together.

Today, your NAC portal might show that a CT scanner may appear as a “Windows 7” endpoint, and while the machine may indeed be running Windows 7, reporting it only as such is not enough to address the nature of your digital ecosystem. You really need to understand the role and function of that device to properly monitor and secure it. With medical device security, however, you would supplement that with the needed visibility to intelligently define endpoint trust relationships, restrict lateral communications, and generate best practice segmentation regimens for healthcare networks.

To get an accurate, granular view of your network endpoints and workflows along with an appropriately nuanced topological perspective you can now expand on what your NAC does and achieve simplified automation with no need for boots on the ground to bridge any gaps. Now you can get answers to any of these questions and ensure continuous updates with choices for how to mitigate any of the identified and prioritized medical device risks.

• What will determine the membership of each group?
• What type of traffic is necessary for the constituent devices to function as designed?
• What should be blocked?
• What type of traffic flow is expected for each group?
• Where exactly are the bounds placed – from a security point of view – for deviations from normal behavior?

CYBERMDX – A FORESCOUT COMPANY
With more than 300 healthcare provider customers, Forescout has long been dedicated to the mission of healthcare delivery. Earlier this year, we solidified that commitment by acquiring Medical Device Security leader CyberMDX. With its holistic solution focused on IoMT and clinical networks, we have added a unique capability to our Forescout Continuum platform. This empowers you to access a much broader set of data insights and capabilities, as well as specifically developed technology to address the distinctive IT needs and challenges for medical devices, including benefits like:

• Highly granular, real-time visibility of IoT / IoMT / connected medical devices
• Organization-wide, departmental, and device group-based risk analysis
• Rapid anomaly detection, identifying attacks at the point of impact

¹ HHS – HC3 Healthcare Industry Victimization for Global Ransomware Incidents 2021
² Critical Insights Healthcare breach report 2021
The Forescout and CyberMDX Advantage
The CyberMDX Healthcare Security Suite is now part of the Forescout Continuum platform. While other medical device security solutions provide some level of integration with NAC providers, none can deliver either the depth or breadth of integration and capabilities as Forescout Continuum. CyberMDX software was built to integrate with all the major NAC (Network Access Controls) solutions, but only through Forescout Continuum can you achieve the highest level of visibility and asset intelligence bidirectionally. Don’t settle for solutions that stop after medical device data feeds the external systems. With Forescout, you can automatically return that feed with other devices on your network not normally captured, ensuring enrichment and comprehensive visibility.

Yes, that’s right. With Forescout Continuum, your hospital network will effortlessly secure your medical network assets, as well as the IT, OT, and IoT ones. Why should you care about assets outside of medical ones? Because infiltrations traverse networks and anything that can get in and cause a hospital shutdown impacts you no matter what part of the network you are managing. In addition, CyberMDX enriches the Forescout Continuum data with high-fidelity clinical information (e.g., physical location, recalls, MDS2, serial numbers, vulnerabilities, etc.) delivering unique levels of protection. We provide the 360-degree monitoring and network parameters to intelligently trigger quarantine processes, while Continuum carries out the actual quarantine. We ensure your medical devices are automatically segmented to their own separate VLAN. The pairing with Continuum enforcement yields a 100% scalable end-to-end solution tailored and continuously evolving according to your HDO’s needs.

NEW VALUE IN THE NEW NORMAL
The digital terrain generated vastly more entry points to infiltrate the network. It’s a key driver for the constant cat and mouse game played by hackers and defenders. It’s why Forescout is always working to help you stay ahead. As the only provider who can protect your hospital across this entire terrain, we are also working hard to deepen our capabilities within each area. The technology stack from CyberMDX will deliver operational efficiencies for your inventory management, your asset management and analytics, your risk analysis and attack detection capabilities, and your threat prevention preparedness. Below are some of the ways.

INVENTORY MANAGEMENT
• Greater insights achieved per device functionality and safe use factors to define trust relationships and access policies
• Faster and more comprehensive delivery of endpoint impacting information empowers better decision making and risk-reward analyses
• Superior network visibility, monitoring, and device classification across attack surfaces – Medical, OT, IoT and IT assets
• Not simply relying on MAC OUI identification but focusing on the device itself with layers of security
• Gleaning insight into the network context of each device, commonly used for access policies and incident response processes

ASSET MANAGEMENT AND ANALYTICS
• Integrates with FDA databases
• Asset utilization tracking can be leveraged to determine ideal (low disruption) scheduling windows for maintenance
• Leveraging device flow visibility and domain expertise to detect and automatically alert the relevant manager of anomalies such as misconfiguration, connectivity issues, recalls, etc.
• AI context-aware micro-segmentation policy generation
• Actionable analytics and best practice reporting
• Provides insights into smarter resource allocation, procurement, and maintenance planning
• Original HIT vulnerability research and zero-day protection

RISK ANALYSIS AND ATTACK DETECTION
• Ensures a constantly up-to-date security posture of the individual devices as well as the entire fleet / operation
• Improved IT ecosystem security, empowers rapid response to a potential incident
• Each device is assigned a risk score, based on not only known vulnerabilities, network positioning, and detected threats but also the criticality of the device and its impact on the business
• Holistic, multi-level view of the cyber risks facing the organizations (on top of device profile and ecosystem level risk scoring)
• Simplifies compliance efforts with HIPAA focused reporting, reflecting compliance posture and documenting actions taken to improve it.

THREAT PREVENTION
• Delivers superior device flows and visibility and facilitates network micro segmentation
• Provides the policies for NACs to enforce – streamlining, accelerating, and strengthening the process
• Makes available details for incident response, including quarantine procedures, device context, attack impact, etc.
• Identifies risk factors still unknown to the broader cyber security community, perpetually fortifying network policies and device management accordingly

WHY THIS IS ESSENTIAL TECH IN YOUR HOSPITAL’S TECH NATION
Many generic IT or IoT security tools introduce valuable controls to your IT ecosystem. However, a cyber security solution built for a general environment will lack the necessary intelligence to empower and protect a healthcare operation. Firewalls, SIEMs, and NACs are long-standing technologies we have relied on to enforce well-defined security policies through what are essentially binary switches throughout your network.

The digital terrain requires us to augment these tools with new ones that provide the insights needed to build smart rules and refine security policies for your specific needs. IT standards and universally maintained blocklists can go a long way toward hiding these limitations; but there is nothing generic about a hospital’s connected environment. Strong security demands context-aware intelligence to match its controls.

Whether you have Forescout eyeSight, or a different NAC product installed, Forescout Continuum will integrate with our purpose-built IoMT intelligence solution. Deep visibility and insights are needed to find and solve for hidden problems. Some medical device vulnerabilities can go undetected for years until they are uncovered by a technician or researcher armed with the appropriate knowledge and experience. If you can’t deliver that type of expertise and focus from your staff, you’ll want to outsource it – and it won’t be from providers of general IT solutions.

Whether it’s medical device security, context-aware network visibility, risk assessment, OT or IoT security, threat intelligence and protection, or business-enhancing operational analytics, Forescout Continuum has everything you need to automate cybersecurity in your complex healthcare environment.
IPSOS Research – What Biomedical leaders said about Medical Device Security

In 2021, CyberMDX and Philips worked with global research leader IPSOS on an industry report that examined attitudes, concerns, and impacts on medical device security as well as cybersecurity across large and midsize healthcare delivery organizations. This study surveyed 130 hospital executives in Information Technology (IT) and Information Security (IS) roles, as well as BioMed technicians and engineers. The respondents, who averaged 15 years of experience in their fields, provided insight into the current state of medical device security within hospitals as well as highlighted the challenges their organizations face. We extracted the responses from the biomedical technicians so you can see their specific views.

Source: IPSOS study by CyberMDX and Philips - “Perspectives in Healthcare Security” August 2021

Perception of how Ransomware impacts the clinical team’s “Personal Reputation”
No impact at all: 17%
Low to Moderate Impact: 30%
Severe Impact: 53%

Average Ransomware Cost (Biomedical Response)
$2,000,000

[Figure: Perception of what Ransomware is most likely to impact]

Extremely Concerned
Medical and IoT devices as a vector for cyber attacks: 70%
Cyber attacks in your hospital: 67%
Cyber attacks in the healthcare industry: 77%

Medical Devices Not Protected
Bluekeep: 50%
Apache Struts: 57%
Wannacry: 63%
Ryuk: 83%
MDHex or MDHexRay: 67%
Notpetya: 77%

Device Inventory Knowledge
Don’t know and don’t have a way to know: 23%
Don’t know but have a dashboard that can tell me: 67%
Know the exact number: 10%

Cyber Insurance
Categories: Don’t Know; No longer have it; No, we don’t have it; Yes, we have it
Values shown: 7%, 3%, 20%, 70%

ROI from Cybersecurity
Alerts in time to act: 53%
Time Saved: 67%
Critical Vulnerabilities found: 53%
Log of major attacks: 80%

Device Inventory Mechanics
Categories: Don’t Know; Fully Manual; Mix of manual and automated; Limited visibility; Full visibility all automated
Values shown: 1%, 13%, 43%, 23%, 20%
The 9 1:1
9 questions in a 1:1 with industry experts
Listen in Now Episode 1: Explores the healthcare delivery challenges that clinical and IT security teams face from hackers seeking to disrupt them, shut them down, or hold them ransom. Our special guest:
The 9 1:1 was created to help us explore and better understand how to navigate the urgent cybersecurity needs and imperatives challenging leaders today.
Automated Cybersecurity Across Your Digital Terrain
Forescout leads the industry in providing complete coverage of any network (Clinical, IT, OT, or IoT). More than 3,000 global organizations (300+ in healthcare alone) rely on Forescout – and our more than 20 years experience – to effectively secure their facilities, assets, and users. Shouldn’t yours?
Learn more at Forescout.com