Since the beginning of 2020, cyber-attacks have spiked by 300%. As members of the world’s most targeted industry, healthcare organizations like hospitals, clinics, pharmacies, and distributors of medical equipment are more at risk now than ever.
Even if an attack isn’t directly targeted at connected medical (or, Internet of Medical Things: IoMT) devices, it can spread through a hospital’s internal network and infect equipment used to diagnose and treat patients such as IV pumps, patient monitors, ventilators, and X-Ray machines.
As John Riggi, the American Hospital Association’s (AHA) senior adviser for cybersecurity and risk put it: “Worst-case scenario, life-saving medical devices may be rendered inoperable.”
The best way for hospitals to prevent cyber attacks and safeguard IoMT devices from infection is by separating or virtually distancing, the most vulnerable and critical devices from each other. This is called network segmentation.
Here are some practical steps hospitals can take to segment their clinical networks, decrease the attack surface, and safeguard patients from cyber attacks:
1. Define who is responsible
Traditionally, medical device security has been the responsibility of biomedical engineering equipment specialists. However, with the increasing prevalence of IoMT devices and the rise in healthcare-targeted cyber attacks, hospital IT teams have had to take a more active role in medical device security. As a result, close alignment between the IT and biomed teams is needed to devise and enforce safe and effective security policies for clinical networks.
Securing medical devices and aligning IT and biomed teams have given rise to the need for a single, final decision maker on IoMT cybersecurity policy. Some larger institutions have gone as far as to create the role of Medical Device Security Officer (MDSO) to take direct responsibility for medical device security across a hospital’s entire clinical network.
2. Create a reliable equipment inventory
It’s impossible to set a network segmentation policy without an up-to-date inventory of a hospital’s connected medical devices, profiles on each device, and a deep understanding of communications and utilization patterns.
Automated inventory tools must also be able to conduct ongoing inventory and profiling of devices with an understanding of IoMT-device behavior, device criticality, and medical device vulnerabilities.
3. Assess the relative risk for each device
Risk scores should be calculated according to device criticality and medical impact. Risk assessment should be ongoing and continuously monitor the network for anomalous behavior. In order to assess the risk, the following factors must be taken into account:
– Communications with external servers required for normal device functionality (i.e. vendor communications)
– If the device stores and sends ePHI: Does the device need to store and send ePHI, and for what purpose?
– Device utilization patterns
– Does the device run an unsupported OS or have any known vulnerabilities? If so, are patches available or is segmentation the only way to secure the device?
4. Check industry guidelines and regulations
Hospitals could face millions in fines if they fail to comply with federal and state regulatory standards. Fiscal damage aside, failing to follow cybersecurity guidelines places medical devices at risk and could compromise patient safety, business integrity, and a hospital’s reputation.
Guidelines and regulations involving healthcare and medical devices are routinely updated. In order to remain compliant, hospitals must keep a close eye on regulatory standards and updates released by state federal institutions, including:
– The Food and Drug Administration (FDA)
– The Medical Device Information Sharing and Analysis (MDISS) Initiative
– The Health Insurance Portability and Accountability Act (HIPAA)
5. Devise, validate, and enforce segmentation policies
Segmentation policies should be put in place to reduce the attack surface and stop potential threats. Network segmentation can also help networks run more smoothly by limiting traffic to designated areas and reducing the network load.
However, before any segmentation policy is enforced on the clinical network, it should be tested for safety and efficacy. Hospital security teams should always validate segmentation policies before enforcing them on the live network to ensure the continuity of medical services and clinical operations.
Clinical Network Segmentation As a Mainstay of Healthcare Business Integrity
Network segmentation can secure critical medical devices, improve clinical network capacity and avoid network overload, and ensure patient safety as long hospitals maintain a disciplined and consistent approach to device discovery, risk assessment, and preventive action. Beginning a network segmentation project as soon as possible will help to fortify the healthcare industry against present and future cyber threats, safeguard patients and business integrity and help prepare for unforeseen crises to come.
About Leon Lerman Co-Founder and CEO – Cynerio
Leon brings over a decade of experience in cybersecurity enterprise sales, channel sales, and business development to establish Cynerio as a leading vendor in the healthcare cybersecurity space. Prior to Cynerio, Leon was director of sales at Metapacket, where he led go-to-market strategy and execution. Prior to that, Leon held sales and sales engineering positions at RSA security, helping the largest enterprises in the region to solve their security problems. Leon served as an expert intelligence officer at 8200 in the Israel Defense Forces.