Why Deep Packet Inspection Matters

Drew Ganther

Regional Director of Sales - West

07 Aug, 2020 • 6 minutes read

The difference DPI vs AI makes in Securing Medical and IoT Devices

Everyone is talking about artificial intelligence (AI), with AI adoption continuing to grow in all industries and regions of the world. But what is it about AI that is so attractive when it comes to cybersecurity? The quick answer is that AI has the potential to help organizations make sense of all their data, in real-time, to improve threat detection and decision-making.

Ultimately, AI offers the promise of being able to apply machine learning and predictive analytics to an organization’s data to better pinpoint risks and automate responses that can strengthen their overall security stance. The problem is that AI is only as good as the data it has to work with and learn from. Unfortunately, in healthcare environments, the data that is needed to make effective security decisions isn’t easily obtained.

The Challenges Medical and IoMT Devices Create

Most general-purpose discovery and security solutions simply don’t have the visibility and clinical context required to even start to think about using AI to automate and improve decision-making. Before AI can even be applied, a foundational level of understanding of the thousands of medical and Internet of Medical Things (IoMT) devices within a healthcare organization’s environment needs to be achieved.

Unfortunately, because most medical and IoMT devices are closed systems that require extensive knowledge of proprietary software, clinical workflows and protocols to accurately identify and understand, they remain a black hole for most solutions. As a result, when these general-purpose solutions hype up their use of AI to enhance their device discovery and threat identification capabilities, there is very little value in the proposition for healthcare organizations. (It’s like building a high-performance race car without having anyone trained to drive it.) So let’s look at exactly why this is and what can be done about it.

It’s All About Deep Packet Inspection

For IT and biomed teams to adequately protect the medical and IoMT devices connecting to their networks, they need to know, at a very granular level, what they have in their environment and what it is doing. The only way to get this level of detail and context is to use deep packet inspection (DPI) techniques designed to address the specific needs of healthcare.

Just knowing a device is connecting to the network, without knowing what that device is, doesn’t help with planning or decision-making. Organizations need specifics – is the device an MRI machine, IV pump or patient monitor; what’s its manufacturer, model, OS, app and hardware versions, location, and dedicated device identifiers, among other things.

They also need to know whether the device poses a real risk to the organization to be able to make policies and decisions to best protect their data and operations. Getting an alert on a device that has made a new connection (or deviated from a statistical baseline), without clinical context of what that device is and whether or not the communication is expected, doesn’t help with figuring out how (or even if) to respond or act. Organizations need to know whether activity is anomalous (and risky) in the context of the device’s protocols, workflows and manufacturer-intended patterns. Today, this is only achievable with DPI purpose-built for clinical networks. The value that will ultimately be delivered through AI needs to start with readily accessible, quality data. This is what we, at Medigate, deliver.

Medigate’s DPI Difference

We invested in the research of medical devices, protocol documentation and manufacturer guidelines, to create the industry’s largest data repository for healthcare. As a result, we can provide healthcare organizations the visibility and context they need to better manage and secure the devices in their environment (and ultimately enable effective use of AI, when appropriate, to increase efficiencies and outcomes).

Our DPI:

  • Passively captures relevant medical device communication streams: The platform monitors the communications to comprehensively detect all the devices on the network, even those that only rarely communicate. Medigate avoids actively scanning medical devices, due to their sensitive nature, but upon the hospital’s request, Medigate can perform active collection, through SNMP, WMI, tailored OS scans, and banner grabbing, among other techniques, to obtain device attributes that were unavailable during the passive collection.
  • Generates insights: The platform draws from the Medigate database, which is the industry’s largest collection of detailed medical device, protocol and workflow information, to identify what’s in each and every part of the communication stream. Standard protocols, such as DICOM, offer external documentation but require specialized expertise to navigate, while many devices communicate using proprietary protocols for which no public documentation exists. In these cases, Medigate has to delineate the protocol based solely on the data or by reverse-engineering the device to extract the inner workings of the protocols it uses.
  • Analyzes the data: Finally, once every part of the communication traffic is identified, Medigate extracts the attributes of interest for analysis. Some attributes, like a unique device identifier, are easily obtained once the protocol is thoroughly parsed, but a complete identification often requires cross-referencing information from different communication streams, manufacturer guidelines, and protocol documentation, to derive features, such as model, OS, and location.

By unobtrusively inspecting the packets and looking into the contents of a device’s communication, we can extract more granular information than any other solution to give biomed and security teams the details they need. Since we have thoroughly researched devices and their intended behaviors, our reference point for a suspicious behavior is not relative to a baseline; it’s based on what the device was engineered and configured to do by the manufacturer. So, when we identify something as malicious, it’s because we know this device should not be communicating in such a way, so healthcare organizations have the confidence they need to act.
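To make the three steps above (passive capture, protocol parsing, attribute extraction) and the "manufacturer-intended behaviour" comparison concrete, here is an added example that is not Medigate's code and does not reflect how their platform is built. It parses a DICOM A-ASSOCIATE-RQ PDU (the association handshake defined in DICOM PS3.8, which is public) from a captured byte string, pulls out the attributes a passive sensor can read without touching the device (Called/Calling AE Titles, the SOP classes being negotiated, and the implementation class UID and version name the vendor stack announces), and then checks those attributes against a constructed per-device profile of expected peers and SOP classes rather than against a statistical baseline. The PDU bytes, the AE titles and the `EXPECTED_PROFILE` table are all constructed for the example; the UIDs are the standard DICOM values.

```python
"""Passive inspection of a DICOM A-ASSOCIATE-RQ and an intent-based policy check.

Added example, not Medigate's code. The PDU layout follows DICOM PS3.8:
a 6-byte header, a 68-byte fixed part, then TLV items (type, reserved, u16 length).
"""
import struct
from dataclasses import dataclass, field

PDU_ASSOCIATE_RQ = 0x01
ITEM_APP_CONTEXT, ITEM_PRES_CONTEXT, ITEM_USER_INFO = 0x10, 0x20, 0x50
SUB_ABSTRACT_SYNTAX, SUB_TRANSFER_SYNTAX = 0x30, 0x40
SUB_MAX_LENGTH, SUB_IMPL_CLASS_UID, SUB_IMPL_VERSION = 0x51, 0x52, 0x55

APP_CONTEXT_UID = "1.2.840.10008.3.1.1.1"      # DICOM Application Context Name
IMPLICIT_VR_LE = "1.2.840.10008.1.2"           # Implicit VR Little Endian
CT_IMAGE_STORAGE = "1.2.840.10008.5.1.4.1.1.2"
PATIENT_ROOT_FIND = "1.2.840.10008.5.1.4.1.2.1.1"


@dataclass
class AssociateRequest:
    called_ae: str
    calling_ae: str
    app_context: str = ""
    abstract_syntaxes: list = field(default_factory=list)
    impl_class_uid: str = ""
    impl_version: str = ""


def _items(buf: bytes):
    """Yield (type, payload) for each TLV item or sub-item in buf."""
    off = 0
    while off + 4 <= len(buf):
        typ, length = buf[off], struct.unpack(">H", buf[off + 2:off + 4])[0]
        payload = buf[off + 4:off + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated item")
        yield typ, payload
        off += 4 + length


def _uid(raw: bytes) -> str:
    return raw.decode("ascii", errors="replace").rstrip("\x00 ")


def parse_associate_rq(pdu: bytes) -> AssociateRequest:
    """Extract device-identifying attributes from a captured A-ASSOCIATE-RQ."""
    if len(pdu) < 74 or pdu[0] != PDU_ASSOCIATE_RQ:
        raise ValueError("not an A-ASSOCIATE-RQ PDU")
    if struct.unpack(">I", pdu[2:6])[0] != len(pdu) - 6:
        raise ValueError("PDU length mismatch")
    req = AssociateRequest(called_ae=_uid(pdu[10:26]), calling_ae=_uid(pdu[26:42]))
    for typ, payload in _items(pdu[74:]):
        if typ == ITEM_APP_CONTEXT:
            req.app_context = _uid(payload)
        elif typ == ITEM_PRES_CONTEXT:
            # 1 byte context id + 3 reserved bytes, then abstract/transfer syntax sub-items
            for styp, sp in _items(payload[4:]):
                if styp == SUB_ABSTRACT_SYNTAX:
                    req.abstract_syntaxes.append(_uid(sp))
        elif typ == ITEM_USER_INFO:
            for styp, sp in _items(payload):
                if styp == SUB_IMPL_CLASS_UID:
                    req.impl_class_uid = _uid(sp)
                elif styp == SUB_IMPL_VERSION:
                    req.impl_version = _uid(sp)
    return req


def _item(typ: int, payload: bytes) -> bytes:
    return bytes([typ, 0]) + struct.pack(">H", len(payload)) + payload


def build_associate_rq(called: str, calling: str, sop_classes, impl_uid: str, impl_ver: str) -> bytes:
    """Construct a sample PDU so the parser can be exercised offline (constructed data)."""
    body = struct.pack(">H", 1) + b"\x00\x00"                       # protocol version + reserved
    body += called.ljust(16).encode() + calling.ljust(16).encode() + bytes(32)
    body += _item(ITEM_APP_CONTEXT, APP_CONTEXT_UID.encode())
    for i, uid in enumerate(sop_classes):                            # odd presentation context ids
        pc = bytes([2 * i + 1, 0, 0, 0]) + _item(SUB_ABSTRACT_SYNTAX, uid.encode())
        pc += _item(SUB_TRANSFER_SYNTAX, IMPLICIT_VR_LE.encode())
        body += _item(ITEM_PRES_CONTEXT, pc)
    user = _item(SUB_MAX_LENGTH, struct.pack(">I", 16384))
    user += _item(SUB_IMPL_CLASS_UID, impl_uid.encode()) + _item(SUB_IMPL_VERSION, impl_ver.encode())
    body += _item(ITEM_USER_INFO, user)
    return bytes([PDU_ASSOCIATE_RQ, 0]) + struct.pack(">I", len(body)) + body


# Constructed profile: what a hypothetical CT modality is configured to do (its peers and SOP classes).
EXPECTED_PROFILE = {"CT_SCANNER_01": {"peers": {"PACS_MAIN"}, "sop_classes": {CT_IMAGE_STORAGE}}}


def assess(req: AssociateRequest, profile=EXPECTED_PROFILE) -> list:
    """Flag deviations from the device's intended behaviour, not from a statistical baseline."""
    expected = profile.get(req.calling_ae)
    if expected is None:
        return [f"unknown calling AE title {req.calling_ae!r}"]
    findings = [f"unexpected peer {req.called_ae!r}"] if req.called_ae not in expected["peers"] else []
    findings += [f"unexpected SOP class {u}" for u in req.abstract_syntaxes if u not in expected["sop_classes"]]
    return findings


if __name__ == "__main__":
    normal = build_associate_rq("PACS_MAIN", "CT_SCANNER_01", [CT_IMAGE_STORAGE], "1.2.3.4", "CTSW_2.1")
    odd = build_associate_rq("WORKSTATION_7", "CT_SCANNER_01", [PATIENT_ROOT_FIND], "1.2.3.4", "CTSW_2.1")
    for pdu in (normal, odd):
        r = parse_associate_rq(pdu)
        print(r.calling_ae, "->", r.called_ae, r.impl_version, assess(r) or "as engineered")
```

The design point is the `assess` step: the same C-FIND association that a baseline approach would merely score as "new" is reported as a deviation from what the CT modality was configured to do, with the SOP class and peer named, which is the clinical context an operator needs to decide whether and how to respond.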

To learn more about the difference that Medigate’s DPI can make, you can read the white paper, “DPI vs AI: Certainty vs Probability: The Challenges with Security IoT Services with AI-based Solutions.”
