Security Technology Executive

FEB-MAR 2018


CYBERTECH

Top 6 Challenges in Tackling Cybersecurity of Medical Devices in Hospitals

By Stephanie Domas

Cybersecurity teams at hospitals have a lot on their plates. Not only do they have to worry about the traditional cybersecurity challenge of maintaining an enterprise network and traditional corporate software, they also face the growing challenge of an increasing number of connected medical devices attached to their networks. As an example, the Mayo Clinic, based in Rochester, Minn., has about 25,000 network-connected medical devices, comprising 6,000 unique makes and models. There are six primary challenges unique to most healthcare facilities when trying to maintain the cybersecurity of these connected medical devices.

1 Asset Identification

The first challenge, figuring out what medical devices are on a hospital's network, is more difficult than it would seem. The big question is how hospitals identify which systems on their networks are medical devices. For example, how do they differentiate between the Windows box a nurse uses to check email and a Windows-based drug dispensing cart? One approach is the manual route: physically locating every connected medical device in the hospital, assigning it a unique asset number, and then associating that with something unique, such as its MAC address. This can be a long process, and it's difficult for hospital cybersecurity teams to ever know if they've reached full coverage, since medical devices are often mobile and can be hard to track down. The second approach is using tools specifically built for medical device network identification, such as MedScan, by MedSec.

2 Software Maintenance and Updates

Once medical devices have been identified on a hospital's network, their software requires maintenance in the form of updates. But how does a hospital's IT staff know if a medical device's software is out of date? Some systems are capable of alerting a user, but if nurses see such a prompt about an update, there is no guarantee they will tell the IT team. For systems that can't provide alerts, the IT team needs to know if it will receive notifications from the manufacturer, or if it is required to periodically check the manufacturer's website. If healthcare and/or IT staff are made aware of updates, there needs to be a documented process for how they get applied to these devices. Will it be done over the air? Via USB stick? Does a technician need to come out from the manufacturer? When going through the asset identification exercise, it can be beneficial to simultaneously determine the answers to each of these questions. Recall that the Mayo Clinic has 6,000 unique makes and models of connected medical devices on its network. Most likely, there will be little uniformity in the answers regarding software updates, creating the need for a small team to maintain the software.

3 Asset Communications

Any organization with a strong security posture wants to understand what information is being sent around its network, what information is leaving its network, and who is sending it. With medical devices, it's even more vital to know, because of the sensitive patient data medical devices may share. While typical network traffic monitoring tools can help, many medical devices use specific protocols such as DICOM, HL7, and ASTM, which traditional network monitoring tools will not

Continued on page 14

About the Author: Stephanie Domas is Vice President of Research at MedSec (www., where she leads the development of services and products aimed toward addressing cybersecurity of medical devices in healthcare. She partners with medical device manufacturers and healthcare delivery organizations and is a member of several medical device cybersecurity standard working groups, contributing to security guidance and standards for medical devices. She is a registered professional engineer (PE) and a certified ethical hacker (CEH).

Despite the fact that many healthcare institutions have implemented the latest operating systems on their main user devices and services in the network, many fail to ensure that medical devices have the most up-to-date operating system, and/or they fail to change the default settings that come with these devices. These minor maintenance lapses leave the door wide open for attackers to exploit these existing vulnerabilities and security gaps. Photo courtesy
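One way to check coverage of the manual inventory described under Asset Identification, while recording the update questions from Software Maintenance and Updates against each asset. This is an added example, not part of the original article; the asset numbers, MAC addresses, field names and the `reconcile` helper are constructed for illustration.

```python
import re

# Constructed sample data (not from the article): a manual inventory keyed by
# asset number, and MAC addresses seen on the network (e.g. from ARP/DHCP logs).
INVENTORY = [
    {"asset": "MD-0001", "mac": "00:1A:2B:3C:4D:5E", "type": "infusion pump",
     "update_notice": "vendor email", "update_method": "usb"},
    {"asset": "MD-0002", "mac": "001a.2b3c.4d5f", "type": "drug dispensing cart",
     "update_notice": "", "update_method": "technician visit"},
    {"asset": "MD-0003", "mac": "00-1A-2B-3C-4D-60", "type": "patient monitor",
     "update_notice": "check vendor site", "update_method": ""},
]
OBSERVED = ["00:1a:2b:3c:4d:5e", "00-1A-2B-3C-4D-5F", "3c:52:82:aa:bb:cc", "not-a-mac"]

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC address."""
    digits = re.sub(r"[:.\-\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def reconcile(inventory, observed):
    """Compare the manual inventory with the MAC addresses seen on the wire."""
    by_mac = {}
    for row in inventory:
        mac = normalize_mac(row["mac"])
        if mac:
            by_mac[mac] = row
    known = set(by_mac)
    seen = {m for m in map(normalize_mac, observed) if m}
    return {
        # On the network but never tagged: a coverage gap in the inventory.
        "untracked_macs": sorted(seen - known),
        # Tagged but not currently seen: mobile, powered off, or moved.
        "not_seen_assets": sorted(by_mac[m]["asset"] for m in known - seen),
        # Update questions left unanswered for an asset (notice and delivery).
        "update_gaps": sorted(
            (r["asset"], f) for r in inventory
            for f in ("update_notice", "update_method") if not r[f].strip()),
    }

if __name__ == "__main__":
    for key, value in reconcile(INVENTORY, OBSERVED).items():
        print(f"{key}: {value}")
```

An untracked MAC is only a lead: it still has to be located and classified as a medical device or an ordinary workstation before it gets an asset number.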
