
While watching Keith Whitby, Section Head of Healthcare Technology Management Cybersecurity and Operations at Mayo Clinic, and Pandian Gnanaprakasam, Chief Product Officer at Ordr, discuss strategies for securing connected devices and HIoT in a recent webinar, I found the following to be insightful information that you can apply to your organization’s cybersecurity efforts.

Gaps in Medical Device Security

One of the first steps in securing IoMT and HIoT devices is accounting for the gaps in medical device security. Evaluating equipment coming in, understanding the security risks related to those, and building a plan of mitigating controls that should be applied to equipment are all important aspects of device security, but they must be operationalized.

At Mayo Clinic, previous security assessments were done on an asset-by-asset basis. This lack of an operational framework limited the implementation of device security procedures. Once Mayo Clinic created a standardized process across the organization, the framework could be followed for all medical equipment and new IoT and OT devices.

The Unique Nature of Medical Devices and HIoT

Medical equipment, systems and HIoT are different from standard IoT and IT systems. Hospitals must follow regulatory guidelines from the U.S. Food and Drug Administration (FDA), College of American Pathologists (CAP) and Joint Commission on Accreditation of Healthcare Organizations (JCAHO), while medical devices in physicians’ offices do not have to follow the same rules. HIoT devices come with their own unique challenges, from unsupported devices to service keys being required.

Security Challenges: Size and Scope

Medical organizations can span large geographical areas, including multiple states and hundreds of buildings. They can also have tens of thousands of connected medical devices, hundreds of vendors and thousands of models. The magnitude of medical device networks challenges IT teams to efficiently secure many devices at once. Networks of devices can have inventory discrepancies, and mismatched data from their CMMS and NAC.
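One way to surface the CMMS and NAC discrepancies described above, as an added example that is not from the webinar, Mayo Clinic or Ordr. The record layouts, field names and all values are constructed assumptions; real CMMS and NAC exports will differ.

```python
import re

# Constructed sample exports (assumed field names; not from a real CMMS or NAC).
CMMS = [
    {"asset_tag": "INF-0001", "mac": "00:1A:2B:3C:4D:5E", "model": "Infusion Pump A"},
    {"asset_tag": "MON-0002", "mac": "00-1a-2b-3c-4d-5f", "model": "Patient Monitor B"},
    {"asset_tag": "USG-0003", "mac": "001A.2B3C.4D60", "model": "Ultrasound C"},
]
NAC = [
    {"mac": "001a2b3c4d5e", "profile": "Infusion Pump A"},
    {"mac": "00:1a:2b:3c:4d:5f", "profile": "Windows Workstation"},
    {"mac": "00:1a:2b:3c:4d:99", "profile": "Unknown"},
]

def norm_mac(raw):
    """Canonicalise colon, dash, dot and bare MAC notations to 12 lowercase hex digits."""
    mac = raw.lower().translate(str.maketrans("", "", ":-."))
    if not re.fullmatch(r"[0-9a-f]{12}", mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac

def reconcile(cmms, nac):
    """Join both inventories on normalised MAC and report the three kinds of gap."""
    cmms_by_mac = {norm_mac(r["mac"]): r for r in cmms}
    nac_by_mac = {norm_mac(r["mac"]): r for r in nac}
    report = {"unmanaged": [], "not_seen": [], "mismatch": []}
    # On the network but absent from the asset system: nobody owns its lifecycle.
    for mac in sorted(nac_by_mac.keys() - cmms_by_mac.keys()):
        report["unmanaged"].append(mac)
    # In the asset system but never seen by the NAC: retired, offline or wrong MAC on file.
    for mac in sorted(cmms_by_mac.keys() - nac_by_mac.keys()):
        report["not_seen"].append(cmms_by_mac[mac]["asset_tag"])
    # Present in both, but the two systems disagree about what the device is.
    for mac in sorted(cmms_by_mac.keys() & nac_by_mac.keys()):
        asset, seen = cmms_by_mac[mac], nac_by_mac[mac]
        if asset["model"] != seen["profile"]:
            report["mismatch"].append((asset["asset_tag"], asset["model"], seen["profile"]))
    return report

if __name__ == "__main__":
    for kind, items in reconcile(CMMS, NAC).items():
        print(kind, items)
```

Normalising the MAC before joining matters because the same address is routinely exported in different notations by different systems.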

Medical devices have complex systems that require intensive work to patch and manage vulnerabilities. Part of the process of setting a framework for securing HIoT devices involves figuring out who will be implementing security standards and applications. HIoT devices need both specially trained IT technicians and unique applications to deploy security solutions.

Mayo Clinic: HTM Role in Cybersecurity

At Mayo Clinic, the cybersecurity team in Healthcare Technology Management is the operational arm of IT. The team has developed a structured system and standardized approach to securing medical equipment and HIoT systems. They ensure equipment meets organizational and cybersecurity requirements throughout its lifecycle.

  • Core Team: Mayo Clinic’s Core Team of HTM Cybersecurity developed a security framework for IoT and HIoT based on National Institute of Standards and Technology (NIST) and Association for the Advancement of Medical Instrumentation (AAMI) standards. They also developed an HTM vulnerability management program guide, so that when a vulnerability is found, there is a clear process for remediation.
  • Information Security Engineers: Besides technicians, the HTM team also has HTM associate infosec engineers, who create vulnerability management procedures, apply controls to medical devices and add new equipment to Mayo’s network.
  • SPAD: The Security, Privacy, Architecture, Data team, or Security Assessment Team manages medical device purchases, device intake assessments, and helps to construct security lifecycle profiles at Mayo Clinic.

Cybersecurity Execution

Over the past two years, the HTM Cybersecurity Program has added significant security value, improving intake process efficiency, establishing an algorithm to calculate and track security risks, and more.

Mayo Clinic developed their IoT/HIoT device security through proactive security, building upon multiple areas of cybersecurity, including:

  • Policy & Process: Setting device security standards and leveraging known security incidents, regulatory compliance as well as internal audit observations
  • Lifecycle Profile: Addressing security issues within the equipment lifecycle, creating Security Lifecycle Profiles that provide a roadmap for device security and management from the pre-purchase stage to decommissioning
  • Tools Deployment: Creating a security specific manual for devices, documenting what tools need to be deployed for different device types and models
  • Fleet Risk Assessment: Adopting a fleet approach rather than device by device security
  • Vulnerability Management: Maintaining device security, tracking vulnerabilities and prioritizing remediation
  • SPAD: Initial intake triage and categorization of hardware and software, and routing those devices to the appropriate review groups
  • Patch Management: Deploying a medical device patch installation automation utility tool
  • Training & Industry workgroups: Participating in industry workgroups to contribute medical device security knowledge

How Ordr Can Help

Mayo Clinic identified Ordr as a key tool to execute and automate security operations. Ordr is able to improve data quality for asset inventory, detect networked devices, classify devices, provide insights into connected device actions and help micro-segmentation efforts.

The Ordr Systems Control Engine (SCE) gives organizations the power to enable visibility and security of their network-connected devices, with a simple and powerful solution to identify, classify, profile the behavior and risk and automate action for every network-connected device in the enterprise. To learn more about how Ordr can enable an effective IoT security strategy for your organization, request a demo.

Watch the full Ordr and Mayo Clinic webinar here:

Mayo Clinic Efforts to Secure Connected Devices and HIoT

Hospitals see patients with viral infections on a regular basis. Most of the time, however, doctors can only treat the symptoms of the virus, and not the virus itself – that’s a job for the patient’s immune system to handle.

Similar to biological viruses, computer viruses that infect medical devices often cannot be treated directly. Once a virus creeps into the hospital system, it’s up to the system itself to fight it off. Due to the outdated nature of many of these healthcare devices, these exploits or infections are often catastrophic – causing healthcare IT and clinical/bio-meds departments to lose millions of dollars annually and putting patient care in jeopardy.

Below, we have listed a few common questions we’ve heard from our customers about the plague that is currently sweeping through healthcare IT.

Why is this even happening?

Let’s say your credit card gets stolen. You can call your bank, request a new credit card, and get whatever loss you sustained refunded, all within the same day.

If your healthcare records are stolen, you can’t deal with it as easily. A person’s health record contains highly private and sensitive information that provides a lifetime of opportunity for target exploitation. Healthcare records are up to 10 times as valuable as credit card records, making them a juicy target for opportunistic hackers.

Why can’t we sit back and let it run its course?

Every single day there are press articles on how WannaCry devastated a hospital, or how new ransomware caused an operational disruption that resulted in a hospital rerouting ambulances to nearby hospitals. The symptoms of these viruses can result in the loss of millions to the healthcare industry, and cause widespread confusion and a slowdown of processes in areas where quick thinking and careful treatment are necessary.

Why can’t we make our IT immune system stronger?

To bolster the “immune system” in hospital systems, IT professionals can upgrade and patch vulnerable systems to fend off attacks and give these devices better protection. However, upgrading and patching are incredibly difficult.

Unlike the auto-upgrades you may see on your laptop, medical device upgrades require a lot more individual attention. Manufacturers have a hard time rolling out patches for millions of units in the field because medical devices are embedded systems with a multitude of software components with potential security vulnerabilities, and they also have to go through an unusually long FDA approval process.

Bringing equipment back to its original operating condition and guaranteeing that it is ready for patient usage is an arduous, expensive, and time-consuming process that has no guarantee of actually working. Protecting precious medical devices is a never-ending race. They will always lag behind the computer industry, for good reason, and will always be vulnerable to hacking if left unattended.

Why can’t we go into full quarantine?

We live in a connected world where each and every device needs to record and report vital patient data to the healthcare management system without manual intervention. Hospitals rely on cloud-based offerings, from enhanced radiology services to thermostats that monitor and preserve medical specimens stored in freezers.

In addition, because of the high costs of equipment, many hospitals lease or rent on a regular basis. Even the people employed by a hospital are often hired contractually, and hospitals have countless visitors that cannot be screened.

With remote clinic or telemedicine-based delivery, and countless mergers and acquisitions, healthcare IT staff are always challenged to offer the best patient care.

The Vaccine or Preventive Cure:

The recommendation from the manufacturing community calls for:

a) segregating network access (segmentation)

b) blocking internet connectivity

c) going back to standalone mode.

This is no different than what NIST recommends, or HIPAA imposes on hospitals.

We at Ordr are trying to help with all of these recommendations. We call our technology a “virtual-patch”. A virtual-patch provides compensating controls for medical devices by simply programming the installed base of switches, routers, and wireless access points to

a) reduce the exposure of devices spreading malware inside the corporate IT networks,

b) control the type and amount of external traffic from and to these medical devices, and

c) protect the precious medical devices in real time as soon as an issue arises.

Even better, as the saying goes, “prevention is better than cure”: Ordr allows IT to put preemptive controls in place that prevent malware and ransomware from gaining control of these medical devices.

It all starts with simple, diligent everyday hygiene. Having an accurate inventory and visibility into what is connecting to the network day in and day out is the key. Continuously monitoring for malware exposure or vulnerability exploits and applying preventive measures is an absolute must. Watching internet communication and restricting it to a narrow set is even more critical.
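The compensating-control idea above (limit device-to-device spread, narrow external traffic, treat unknown devices as a visibility gap) can be sketched as a default-deny check over flow records. This is an added example, not Ordr's product logic; the address ranges, device classes, policy entries and flows are all constructed assumptions.

```python
import ipaddress

# Constructed sample data: internal range, inventory and per-class policy are assumptions.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
DEVICES = {"10.20.1.15": "infusion_pump", "10.20.2.30": "ct_scanner"}
# Allowlist per device class: (destination network, protocol, destination port)
POLICY = {
    "infusion_pump": [("10.10.5.10/32", "tcp", 443)],   # pump management server
    "ct_scanner": [("10.10.6.0/28", "tcp", 104),        # imaging archive (DICOM)
                   ("203.0.113.20/32", "tcp", 443)],    # vendor support endpoint
}
FLOWS = [  # (source, destination, protocol, destination port)
    ("10.20.1.15", "10.10.5.10", "tcp", 443),
    ("10.20.1.15", "10.20.2.30", "tcp", 445),
    ("10.20.2.30", "10.10.6.4", "tcp", 104),
    ("10.20.2.30", "203.0.113.20", "tcp", 443),
    ("10.20.2.30", "198.51.100.7", "tcp", 80),
    ("10.30.9.9", "10.10.5.10", "tcp", 443),
]

def is_internal(ip):
    return any(ip in net for net in INTERNAL)

def evaluate(flow):
    """Return the verdict a default-deny, per-class allowlist gives this flow."""
    src, dst, proto, dport = flow
    dev_class = DEVICES.get(src)
    if dev_class is None:
        # Source is not in the inventory, so there is no policy to apply yet.
        return "unknown_device"
    dst_ip = ipaddress.ip_address(dst)
    for net, allowed_proto, allowed_port in POLICY[dev_class]:
        if dst_ip in ipaddress.ip_network(net) and (allowed_proto, allowed_port) == (proto, dport):
            return "allow"
    # Anything not explicitly allowed is denied; label it by where it was headed.
    return "deny_lateral" if is_internal(dst_ip) else "deny_external"

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", evaluate(flow))
```

The verdicts map to the three points in the list: `deny_lateral` limits spread inside the network, `deny_external` narrows internet traffic, and `unknown_device` marks where inventory has to catch up before policy can apply.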

Please stop by our booth at HIMSS 2018 to get a demo of our product that could help you along this journey. Together, we can make a change in the current landscape, much desired and way overdue. Let us stop this hacking trend once and for all and we are excited to be part of this great mission.