Why Clinical Context is so Important for Clinical Networks
Today’s clinical networks are starting to look very different from the clinical networks of the past. A move to more distributed, connected care has healthcare delivery organizations rethinking the way they think about, deliver, and even charge for care. An explosion of new IoMT and IoT devices and telehealth applications is making it easier than ever to take care of patients whenever and wherever needed. IoMT spending is growing at a CAGR of 20%+ because these networked medical assets are integral to value-based care delivery.
All these connected devices are also forcing health systems to rethink how they need to secure their environment and manage their risks. The things that make these medical and IoMT devices great for care – the fact that they are purpose-built and mobile – can make them hard to protect. These devices are unlike general IT devices. Often, they:
- Are closed systems: and thus, can’t download AV or security agents to protect them.
- Use proprietary operating systems (OSes): often you have to work with the medical device manufacturer to approve and authorize patches/fixes, otherwise the warranty may be voided. This can leave the organization open to exploitation.
- Communicate with proprietary, clinical protocols: These protocols aren’t understood by most security solutions, making it virtually impossible to determine what the communications are or discern whether the activity is normal or suspicious.
- Deliver (or are involved in) patient care: As a result, the devices can’t be disrupted or blocked because that could compromise care and impact patient outcomes.
To effectively protect the ongoing integrity, availability, and reliability of all these connected medical and IoMT devices, you must first understand what you have and then figure out what level of risk each of these devices pose to your operations. Only then can you start to figure out what to do about these risks to maintain a posture that appropriately balances your security against your current and future ability to deliver high value connected care.
Visibility is Foundational
This may sound like a broken record, but we can’t emphasize enough how important it is to understand, at a granular level, what devices you are dealing with. It is not enough to simply know if a device is connecting, you need to know:
- Modality – type, make, and model
- Version – OS type and version
- Software – embedded software and protocols used
- Unique Identifiers – serial number, hostname, MAC address
- Location – SSID, access point (AP), AP location
All of this information, which the Medigate Device Security Platform (MDSP) delivers, will be used to improve the accuracy and relevancy of any subsequent risk assessment.
Medigate’s Risk Scoring Framework
There are any number of risks that any number of devices pose to your environment. Being able to understand and prioritize the ones that really matter means the devices need to be considered in the clinical context in which they are operating. You need to look at the likelihood and impact a specific device compromise could have on patients and your health system at large. What kind of exposure would an attack on your MRI machines open you up to? What about your IV pumps?
At Medigate, we have come up with a healthcare-specific risk scoring framework that enables you to accurately understand the variety of risks that different devices within your network pose. This risk scoring enables you to focus on the highest priority remediation and mitigation activities that will improve the resiliency of your operations and keep patient data and care safe.
The Medigate Risk Scoring Framework marries extensive clinical AND cybersecurity expertise to pinpoint the concrete factors that indicate the likelihood of a breach in a device on the clinical network and the severity of its impacts. You can then create a logical, continual process for measuring, weighing, and aggregating these risk scores so they can be acted upon. Specifically, it looks at:
- Likelihood: the probability that a given threat is capable of exploiting a given vulnerability. It encompasses the probability of a threat event being initiated, as well as the probability it will cause adverse impacts. The framework is also strongly affected by the vulnerabilities of the system and any security controls that are in place to mitigate them. This is possible due to Medigate’s deep packet inspection (DPI) technology that identifies and analyzes device OSes, protocols, embedded software, and communication flows, among other things.
- Severity of Impact: the magnitude of harm to individuals, systems, operations, and the organization resulting from a compromise to the device. Medigate considers a number of parameters for all the medical, IoMT and IoT devices in the network, including whether the device stores and transmits personal health information (PHI) (medical devices) and personally identifiable information (PII) (IoT devices); its FDA medical device classification (I/II/III); the expected patient harm as a result of a device failure; and the monetary cost of replacing the device. Note, the monetary cost also considers how lucrative the act of compromising a device could be from the perspective of a ransomware threat, since more expensive devices may have stronger leverage points in such attacks.
Since the functional, financial, and reputational damages resulting from a data leak or downtime may vary by organization, Medigate allows you to adjust and customize the scoring to reflect your environment and meet your particular needs.
Not all risks are created equal – you want to know which are the most critical, so you can prioritize your efforts and actions. Medigate ensures security teams are not drowning in an endless sea of alerts, with no way to discriminate between them. We do this by weighting the risk scores. Each medical, IoMT and IoT device in the health system starts with a risk score of 0 and accumulates points for each risky device property, such as Ethernet or Wireless connections. Points are subtracted for properties that reduce the probability of a compromise, such as serial or gateway connections. Parameters with greater influence on a device’s vulnerability, such as published CVEs, can be weighted more heavily, resulting in the addition of more points than other parameters.
The relative points range of each parameter is based on cybersecurity and clinical best practices, as well as guidelines from existing standards and external metrics. You can look at the risk category that Medigate has assigned each device – Very Low, Low, Medium, High, and Critical – to quickly know what you should focus on first.
Medigate also provides recommended actions for each device alongside its assessment, so you can tie risks to actions and determine how best to maintain acceptable risk levels throughout your operations.
To learn more about Medigate’s Risk Scoring Framework, please read our white paper.