As Internet of Medical Things devices continue to grow in variety and quantity, their ability to save lives and collect data poses an escalating challenge: Keep tabs on what’s happening with each one and determine whether any of their individual behaviors indicates a security threat.
Which is why healthcare systems using these intuitive yet vulnerable tools should conduct robust network monitoring to help identify abnormalities before they develop or spread.
Protecting a Wi-Fi enabled heart monitor or insulin pump, after all, requires a different approach than protecting a smartphone or laptop, as those latter tools are designed with built-in risk prevention to deter viruses and unauthorized users. And some legacy monitoring systems don’t have the aptitude to properly track the latest devices.
With a 3:1 ratio of devices to people in a healthcare setting, organizations must make network monitoring a priority to ensure patient safety and continuity of care, says Bryan McDowell, a vice president and CISO at University Hospitals of Cleveland.
“You can’t place a ton of controls on medical devices,” McDowell says. “Standard anti-virus software does not run on most of them. So, it’s important to protect everything on the perimeter, to have tight controls internally and maintain network segmentation — but you also have to place a high emphasis on monitoring.”
Eighty-seven percent of healthcare organizations will use IoT devices in some form this year, a 2018 Aruba Networks report found. But among those already doing so last year, 89 percent reported suffering an IoT-related security breach.
Likewise, a 2018 IDG report found that 69 percent of network professionals cited balancing network availability and security as their greatest challenge.
What Is Network Monitoring and Why Is It Important?
Network performance monitoring and diagnostic tools are designed to alert users, via alarms and reports, to a wide range of network abnormalities. This allows network administrators to quickly isolate specific issues, trends or potential trouble spots within a network and minimize downtime.
“Most problems display warning signs of some sort before becoming critical issues,” Destiny Bertucci, a security content architect for SolarWinds, tells CDW in a company blog post. “If you can identify and correct small problems early, before they have a chance to develop into larger problems, your end users will have very few complaints about their systems.”
The systems, Bertucci adds, generate alerts and reports on issues ranging from denial-of-service attacks on key points in a network to rogue access points attempting to connect to the wireless infrastructure. Such foresight — and the resulting workflows to fix an issue — is crucial for IT teams.
“Obviously, increased events are a concern, so we monitor for the types and volume of network requests going out,” Daniel Shuler, CISO of Phoenix Children’s Hospital, says. “We’re also looking for malicious things that impact the devices we know are on our networks. That comes in the form of intrusion detection and vulnerability monitoring systems to make sure that we have at least a knowledge of that type of data.”
Among systems Shuler has in use: Cisco’s Firepower, Identity Service Engine and Application Centric Infrastructure solutions. Phoenix Children’s also recently adopted Zingbox, a cloud-based service to discover, identify, secure and optimize devices using artificial intelligence and machine learning.
Such approaches are helping healthcare IT teams better understand the unique behavioral nuances of clinical devices and how they communicate with the network and other tools.
Notes Shuler: “The newer systems are able to say, ‘Nope, that’s exactly how that device is supposed to behave. And by the way, it’s this device. Oh, and you have 300 more of those devices and they’re working all the same way.’”
On a more general level, making sure a hospital’s network is running smoothly is also crucial to baseline functions such as hosting electronic health records, processing incoming data from remote patient monitoring tools and maintaining facility services such as thermostats and sprinklers, a blog post from HelpSystems notes.
How Network Monitoring in Healthcare Has Changed
As new devices have come into play, so have new risks.
In recent years, federal recalls have been issued for several models of insulin pumps, infusion pumps and pacemakers due to potential vulnerabilities that could be exploited by hackers.
Consider the ramifications of WannaCry, which in 2017 infected thousands of medical devices with ransomware and forced 80 British hospitals to divert patients. An Armis report released in May noted that healthcare systems were a prime WannaCry target due to “older or unmanaged devices,” and that many had yet to patch their tools more than two years after the attack.
But the need for network monitoring goes beyond anticipating a malicious incident.
“Some devices run embedded Windows — XP or otherwise — but they’re still running an operating system that could be vulnerable to a standard virus that you see hitting a computer,” McDowell says. “Although not necessarily targeted or intended, it could cause that device to behave incorrectly. Whether that's not being able to provide the right dosage or run a test correctly, these things need to be running so soundly that there is no deviation.”
Whether they’re the property of staff or visitors, a bevy of personal devices using the same network can also cause unintended trouble. According to a March 2019 report from Verizon, 25 percent of healthcare organizations have experienced a security breach involving a mobile device in the past 12 months.
The diversity of these risks should urge hospitals to thoroughly vet any vendor under consideration to help implement or improve monitoring practices. “Not all network monitoring systems are the same,” Shuler says. “A vendor might promise certain features or certain things, but it’s important to validate how they’re doing something better than the other guy.”
Best Practices for Network Monitoring in Healthcare
To help you launch or refine your network monitoring program, McDowell and Shuler shared strategies already in play at their own organizations:
Make a game plan: Phoenix Children’s revamped its network monitoring approach in 2016. “The monitoring tools that we had were not able to get into the nitty-gritty and understand the applicability of those malicious things to the devices on our network,” Shuler says. “We’ve been able to migrate to more sophisticated systems that understand that context a whole lot better.” One resulting perk: detecting a host of devices still operating with default passwords.
Conduct regular patching: McDowell likens the process to hand-washing as a means of halting the spread of germs. “In any operating system, there can be millions of lines of code and there could be backdoor — certainly not intentional — ways for people to make that code do things it wasn't intended to,” he says. Shuler adds that more clinical vendors are offering patches on a quarterly basis; keep watch for what’s available and apply them accordingly.
Monitor and update inventory: An incomplete manifest makes it hard to track and defend devices on the network. “You can only protect what you know about,” says Shuler. “These things are mobile, which means they can end up in a closet and forgotten about. But when a new case comes around, somebody is just expecting a device to work — but it needs to be on the network doing its job and the software is six months out of date.”
Keep networks segmented: This helps clarify what teams and software are looking for — excess traffic or unusual behavior, for instance — based on who and what is authorized to use a network. “It’s important to keep these medical devices on their own separate network apart from the normal population of devices that have a lot of end user interaction,” McDowell says. Beyond safeguarding sensitive data, it also helps reduce congestion and improve performance.
Know key dangers: To avoid alert fatigue, recognize indicators of compromise. “You want the alerts to be actionable,” says McDowell. “Indicators could be a virus on a device or something calling out to bad websites. That focus on the network monitoring side is detecting what’s attempting to go outbound.” Even if a device on the network gets an infection, the risk of a virus causing harm can be reduced if the command and control channel can be stopped, he adds.
Foster strong teamwork: Network monitoring can’t just be the focus of IT teams. Ensuring that all devices work safely and in harmony requires dialogue among multiple parties. That step was crucial for Phoenix Children’s. “I needed to talk to the clinical people, I needed to facilitate a networking discussion between vendor X and my network engineer, my biomedical engineer and my security engineer, and get them all to talk in the same way,” Shuler says.
Get outside assistance: To get a handle on their network activity, smaller hospitals might consider help from a consultant. McDowell experienced this firsthand while working for a hotline set up by the U.S. Department of Health and Human Services after WannaCry. “People were asking, ‘Do you have a good suggestion for a free or inexpensive firewall?’ It’s very rudimentary, and concerning because a lot of healthcare organizations don’t have dedicated security staff.”
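As an added example (not code from the article, CDW, or the hospitals it quotes), the following Python script applies three of the practices above, the inventory check, network segmentation and monitoring of outbound connections, to a handful of constructed flow log lines. The segment ranges, device names, patch dates, allowed update server and the key=value log format are all assumptions made for the example; a real deployment would read them from the monitoring platform's inventory and flow export.

```python
"""Added example: inventory, segmentation and outbound checks over flow logs.
Everything below (addresses, devices, dates, log lines) is constructed for
illustration and is not taken from any real hospital network."""
import ipaddress
import re
from datetime import date

# Constructed segments: medical devices sit apart from end-user machines,
# and anything outside the hospital's private range counts as external.
MEDICAL_NET = ipaddress.ip_network("10.20.0.0/24")
USER_NET = ipaddress.ip_network("10.50.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed inventory: IP -> name, last patch date, allowed external hosts
# (203.0.113.10 stands in for a vendor update server).
INVENTORY = {
    "10.20.0.11": {"name": "infusion-pump-01", "last_patched": date(2019, 1, 15),
                   "allowed_outbound": {"203.0.113.10"}},
    "10.20.0.12": {"name": "telemetry-monitor-07", "last_patched": date(2018, 6, 1),
                   "allowed_outbound": {"203.0.113.10"}},
    "10.20.0.13": {"name": "ultrasound-cart-02", "last_patched": date(2019, 2, 20),
                   "allowed_outbound": set()},
}

STALE_DAYS = 180          # "six months out of date", the article's own figure
TODAY = date(2019, 3, 1)  # constructed analysis date

# Constructed flow records; port 104 is the DICOM port used by imaging devices.
FLOW_LOG = """\
2019-03-01T08:00:01 src=10.20.0.11 dst=203.0.113.10 dport=443 proto=tcp
2019-03-01T08:00:05 src=10.20.0.12 dst=10.20.0.2 dport=104 proto=tcp
2019-03-01T08:01:10 src=10.20.0.12 dst=198.51.100.77 dport=8080 proto=tcp
2019-03-01T08:02:00 src=10.20.0.99 dst=10.20.0.2 dport=104 proto=tcp
2019-03-01T08:03:30 src=10.50.0.40 dst=10.20.0.11 dport=22 proto=tcp
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_flows(text):
    """Parse key=value flow lines into dicts, skipping anything malformed."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(m.groupdict())
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def analyze(flows, inventory, today):
    """Return (finding_type, subject, detail) tuples for the checks below."""
    findings = []
    seen = set()
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in MEDICAL_NET:
            seen.add(f["src"])
            # Inventory: a host on the medical segment that nobody tracks.
            if f["src"] not in inventory:
                findings.append(("unknown_device", f["src"], f["ts"]))
                continue
            # Outbound: an external destination not on the device's allow list
            # is the kind of "calling out" the article says to watch for.
            dev = inventory[f["src"]]
            if not is_internal(dst) and f["dst"] not in dev["allowed_outbound"]:
                findings.append(("unexpected_outbound", dev["name"], f"{f['dst']}:{f['dport']}"))
        # Segmentation: end-user hosts must not reach medical devices directly.
        if src in USER_NET and dst in MEDICAL_NET:
            findings.append(("segment_crossing", f["src"], f"-> {f['dst']}:{f['dport']}"))
    for ip, dev in inventory.items():
        age = (today - dev["last_patched"]).days
        if age > STALE_DAYS:
            findings.append(("stale_patch", dev["name"], f"{age} days"))
        # A tracked device that never appears in the window may be sitting
        # forgotten in a closet, unpatched, until someone needs it.
        if ip not in seen:
            findings.append(("silent_device", dev["name"], "no traffic in window"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in analyze(parse_flows(FLOW_LOG), INVENTORY, TODAY):
        print(f"{kind:20} {subject:22} {detail}")
```

Each finding type maps to one of the practices above: `unknown_device` and `silent_device` come from the inventory, `segment_crossing` from the segmentation policy, `unexpected_outbound` from the outbound allow list, and `stale_patch` from the patch cadence. Keeping the output to these few actionable categories, rather than alerting on every flow, is what keeps the alerts from turning into the alert fatigue McDowell warns about.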