Issue link: https://securitytechnologyexecutive.epubxp.com/i/956571
14 SECURIT Y TECHNOLOGY E XECUTIVE • Februar y/March 2018 • www. SecurityInfoWatch.com know how to introspect into. This is again where medical device-specific tools such as MedScan are powerful, because of its support of medical specific protocols. 4 Configuring for Security "Secure by default" is the notion that a system will come with the supported security features already enabled. While this is a great idea, in theory, most systems come in a "usable by default" configuration instead, with the easiest-to-set-up modes enabled. Usability almost always has an inverse security tradeoff: If it's easy to setup, it likely has its security features turned off. Many network-enabled medical devices support advanced security features, such as encryption, configurable session timeouts, or advanced wireless authentication modes such as WPA2 Enterprise with unique certificates per device. However, using the advanced security features, such as WPA2 Enterprise, requires a deliberate, non-trivial effort to deploy and configure. Healthcare facilities need to determine what security features a medical device supports, and then decide if enabling them is worth the tradeoffs. 5 Default Credentials Most connected medical devices are complex systems running different applica- tions and hosting several different levels of credentials and authentication. Devices are typically shipped having default credentials for all of the possible authentications, which are often published in the user manuals, easily found online. Changing all pos- sible default credentials on a system can greatly raise the cybersecurity posture of the system, but it can be difficult to determine what credentials exist and which can be changed. There are the more obvious logins, such as the main user login, but many devices also support behind-the-curtains services such as Telnet, FTP, or SSH, used for network communication and maintenance, which also leverage default credentials. Given the network-facing nature of these services, the urgency of addressing these credentials is often more paramount than the physical access logins. Often these behind- the-scenes credentials and services are not documented clearly in the manuals, or if they are, it is unclear whether changing the credentials will have an adverse effect on the system. Contacting the manufacturer for guidance, or reaching out to others who have already climbed this mountain, through healthcare information sharing and analysis organizations (ISAOs) such as NH-ISAC, are the best ways of tackling this challenge. 6 Fragility to Traditional Network Scanning Network port and vulnerability scanning is a common and recommended best practice for assessing the security posture of any organization's networked systems. However, when it comes to medical devices, most connected devices were not designed or tested to handle such network traffic. This can often leave them in an unexpected and undesirable state. Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council, recently stated in an Ars Technica article that medical devices "have such interoperability issues—forget security issues—that they're so brittle, most hospitals will say that, even if you just do a port scan, you'll crash them—you don't even need to hack them." Because of this, hospitals need to take extra precautions to exclude connected medical devices from their traditional network scans for fear of putting the systems in an unsafe state and look into 'light touch' and passive scanners that were designed to work with sensitive systems, such as these devices. Conclusion There are few healthcare delivery organizations that are not wrestling with at least several of these challenges. Setting clear priorities, assigning resources, and deter- mining the status of each of these areas are the first steps to building a roadmap for addressing and maintaining the cybersecurity of connected medical devices, so healthcare delivery organizations can continue to deliver exceptional patient care in a safe and secure manner. to detect the shock wave from a bullet and computer analysis to "plot the bullet's path." Bullet Ears eventually evolved into the Boomerang system – said to be the most widely fielded gunshot technology in the world – with its proving ground coming in hot combat areas such as Iraq and Afghanistan According to Raytheon: " Whether vehi- cle-mounted or in a fixed position, Boo- merang detects small arms fire travelling toward it for bullets passing within approxi- mately 30 meters of the mast -mounted compact array of microphones, even when shooters are firing from maximum effective weapons ranges." The system is not triangulation-based, but rather employs complex and proprietary sig- nal processing that deals with the extreme challenges of environment, background noise, acoustic reflection, etc. Shooter Detection Systems spawned from Raytheon in 2013, as it purchased technol- ogy rights for the indoor market and is the exclusive licensee for U.S. outdoor sales applications. Indoor applications add IR sensing capability to detect the muzzle blast, and use that to help validate the acoustic- based detection. Christian Connors, Shooter Detection Systems CEO and a BBN alum, says their systems have more than 20 million hours of installed operation without a single false alarm, adding that "emptying buildings is not a joke, so we take FAR very seriously." Each POE-powered sensor is a point solu - tion and no human intervention is involved. Decision time is 750 msec. Connors does not believe that AI is required to enhance the performance of the system, given its proven accuracy; however, it may be helpful in dis- cerning other types of threats. A Growing Market My view is that the deployment of these systems can only increase in today's active shooter threat environment. While they cannot in themselves prevent an initial inci- dent, the systems' use in well-designed mass notification and incident response systems merits investigation. Clearly, there is a role for the system integra- tor. Additionally, consultants should note that gunshot detection systems have been added to CSI's forthcoming MasterFormat 2018 with the numerical designator 28 37 13. Continued from page 12 Continued from page 10 Top 6 Challenges in Tackling Cybersecurity of Medical Devices Hearing is Believing CYBERTECH TECH TRENDS