What is Vulnerability Management?

As healthcare technology advances, so do the many pervasive and complex threats for Healthcare Delivery Organizations (HDOs) and their patients.

Bad actors are increasingly interested in accessing Protected Health Information (PHI) , and it’s becoming challenging to safeguard patient data contained in Internet of Medical Things (IoMT) and other connected devices. Between 2009 and 2021, over 4,400 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services (HHS) and included the loss, theft, exposure, or impermissible disclosure of 314,063,186 healthcare records. So how can HDOs keep up with an ever-changing threat and risk landscape?

One of the key best practices is by addressing vulnerabilities associated with connected devices in the network. These vulnerabilities can be exploited by threat actors and used to gain unauthorized access, run malicious code, install malware, steal data, or even move laterally within a network. 

Proactively identifying vulnerabilities and assessing their severity level helps security teams prioritize and respond to issues before data loss occurs. A solid vulnerability management program enhances the overall security posture of the organization, protects patient data, prevents unauthorized access, and reduces risk. 

But implementing vulnerability management best practices is easier said than done. In this post, we’ll explain what vulnerability management is, how it works, and what you should look for in a solution.

What is Vulnerability Management?

Vulnerability management is the continuous process of identifying, analyzing, classifying, addressing, and reporting on vulnerabilities found across organizations, within operating systems, applications such as electronic medical records software and medical devices such as network connected infusion pumps, and MRI machines. 

Security teams constantly track vulnerabilities and the severity of these vulnerabilities (typically via common vulnerability scoring systems (CVVS)) to identify potential risks in real-time as part of the vulnerability management process. The best organizations identify and prioritize the highest priority vulnerabilities and close existing security gaps before they are exploited. Operating at that level requires robust tools and well defined techniques.

Agent-based solutions and vulnerability scanning software are some of the most frequently used tools for vulnerability management with the ability to identify known vulnerabilities across various systems in the environment. However, these tools have limitations when it comes to the connected devices such as IoMT, IoT and OT devices that nurses, doctors, caregivers, and patients depend on daily. Many of these devices cannot accept agents and cannot be scanned for fear of impacting operations. HDOs need special connected device security solutions to monitor those devices for vulnerabilities and protect them from threats and exploits.

Any vulnerable device connected to the network can put patient safety at risk or impact care with delays to services.

Protect Vulnerabilities from Exploitation

An exploit is an attack that takes advantage of a vulnerability within a system. Bad actors look for software vulnerabilities, exploit them to gain entry into a network, and then employ methods to steal, destroy, or encrypt data or disrupt services . For instance, a cyberattacker might exploit a vulnerability in a medical device to gain access, and then install a ransomware. A threat is something that will exploit a vulnerability. And risk is the likelihood that a threat can exploit a vulnerability.

Security professionals aspire to minimize risks, threats, and exploits at all costs. Vulnerability management is one way to mitigate the risks to an organization. But security teams can take several other measures, such as:

• Training employees: All healthcare workers should know their role in helping to keep the organization secure and understand cybersecurity best practices. They should always use strong passwords when logging into their electronic medical record (EMR) system, lock any computers or tablets between patients, and log out of any connected devices or machines after use. Organizations should also provide regular awareness training and keep their cybersecurity policies up-to-date as a resource for employees who aren’t sure what to do in a compromising situation.
• Implementing traffic filtering and scanning: Filtering and scanning web activity increases a security team’s visibility and gives them a chance to stop suspicious traffic from entering the organization’s site. 
• Segmentation: Through proper segmentation, infected networks can be closed off, effectively quarantining a risk within a system.

Translating these high-level best practices into actionable steps is an easy way to mitigate vulnerability risks.

The Vulnerability Management Process

There are five stages in the vulnerability management process. Below, we cover each one in detail.

1. Discover and classify devices

Every network connected device should be accounted for — from infusion pumps and imaging devices to tablets and smart speakers. The number of devices like these in a healthcare setting ranges in the thousands, and it can be difficult to see an organization’s entire connected footprint. Visibility of the number of devices, device type, operating system, where they’re located, and how they’re used are critical details needed for vulnerability management. Accurate classification of these devices, down to the make and model, exact operating system version, and other software details can help Healthcare Technology Management (HTM) professionals maintain a list of potential vulnerabilities.

Knowing where these devices are and how they are typically used can make locating and patching vulnerabilities easier. Knowing what devices are in your network also allows you to identify the scope of your vulnerability management program – for example, there may be specific types of devices that will not be scanned for fear of disrupting services, such as an MRI or imaging device . 

2. Identify vulnerabilities

Undetected vulnerabilities put organizations at risk of security breaches. There are a few techniques to identify vulnerabilities on a network, including active and passive scanning.

Active scanning can help you proactively identify and close any gaps with network connected, managed assets such as laptops. This type of scanning involves a software agent that is deployed on devices to test them and collect data on potential vulnerabilities. Agents cannot be deployed on many IoT, IoMT, and OT devices so you need specialized connected device security solutions to identify vulnerabilities on those devices.

Passive scanning reaches out from the server to network assets, and does not require the agents that active scanning does. This eliminates the need for additional software on devices. However, agentless scanning could impact device operations so it is not an option for many connected medical devices.

In order to prevent the impact to critical devices that could impact patient care, passive techniques are needed to gather device, operating system, and software details. This way, IoT, IoMT, and OT are not impacted while the make, model, OS, and patch level details of each is identified.

3. Prioritize vulnerabilities

The goal of an efficient vulnerability management process is to identify the most relevant, high-risk vulnerabilities in order to prioritize security efforts and address them. As part of the vulnerability identification step, each new vulnerability should be prioritized based on its potential risk to your organization and your patients. 

Thankfully, you won’t have to do this manually — there are many solutions that provide vulnerability risk rating capabilities. While this information is helpful, it’s much more valuable when combined with specifics about your organization and environment to understand the true priority.

The highest-risk vulnerabilities should be prioritized and tackled first. 

4. Ownership assignment 

Ownership across different device types can be complicated for HDOs: different teams may be responsible for medical, IT and facilities devices, including devices as varied as infusion pumps, nurse call stations, laptops, printers and HVAC systems. Organizations need clear ownership definitions and a process to identify owners which may be based on details such as region, location, cost center, department, and business criticality.

Make sure your vulnerability management system notifies device owners including IT personnel and security engineers whenever a new vulnerability is assigned, and consider creating reports to show what vulnerabilities each person is responsible for. Many vulnerability management platforms allow you to assign custom tags to each staff member, making it easy to assign and group vulnerabilities. Once vulnerabilities have been assigned to appropriate staff, they’re patched accordingly.

5. Verify remediation and compliance

The final stage of the process is verifying that vulnerabilities have been addressed through remediation or by applying the proper mitigations. Engineers should follow proper testing protocols to ensure remediation is completed successfully and track each vulnerability’s status over time to document their progress. You should also pull reports of vulnerabilities on devices that cannot be patched. For example, manufacturers may provide patches on a regular release schedule, and you may need to segment or quarantine these affected devices until that update is available. 

By adhering to these steps and adopting modern vulnerability management software, organizations can ensure that critical vulnerabilities don’t fall through the cracks during continuous monitoring. Make sure that your vulnerability management system can run organization-wide reports for governance, too. It’s critical that you adhere to reporting for regulatory bodies, and comply with frameworks such as ISO 27001 and HIPAA. Otherwise, your organization could face consequences like federal fines.   

Vulnerability Management Solutions

While modern technologies can revolutionize the way we work, they can also put our organizations and patients at tremendous risk. Comprehensive vulnerability management can maximize security and minimize the threat of exploitation. Establishing a thorough vulnerability management process and deploying extensive employee training are a good start. But what organizations really need is software like Ordr.

Ordr is an AI-powered platform to discover all connected devices, identify their vulnerabilities, assess risk, and provide capabilities to improve your security and ultimately the protection of your organization and patients. Unlike traditional vulnerability scanners or agent based tools, Ordr works passively to protect the IoT, IoMT, and OT devices connected to your network. This limits the potential impact and disruption to those devices while improving your security. 

Ordr works with your traditional vulnerability management solution to ensure that there is a seamless strategy to manage vulnerabilities in managed and unmanaged devices across the whole hospital. For example, healthcare organizations today may have parts of the network with medical devices that are not scanned at all. Ordr enables tools such as Tenable and Rapid7 to have visibility into parts of the network that were previously not included in scans, along with detailed inclusion and exclusion details. This enables comprehensive vulnerability coverage without risk of disruption.