Security

How Healthcare Organizations Handle Endpoint Management

A range of robust strategies help IT pros keep track of vulnerable devices on their networks.

Tommy Peterson is a freelance journalist who specializes in business and technology and is a frequent contributor to the CDW family of technology magazines.

Blood pressure monitors, electrocardiogram and MRI machines, IV pumps, and implanted defibrillators: These are just a sample of the growing number and types of endpoints on the already complex networks of healthcare organizations.

As their inventory expands, IT professionals face two challenges: optimizing access to the lifesaving devices and shielding their critical data and functionalities from harm, says Lee Cullivan, CISO at Boston Medical Center.

“We can’t prohibit availability for the sake of security. We have to find a balance that is pretty delicate,” Cullivan says, noting that technology use in other industries such as financial services is often more segmented. “In healthcare, many different devices and applications have to talk to each other for the sake of patient care, which makes data harder to secure.”

In recent years, federal recalls have been issued for several models of insulin pumps, infusion pumps and pacemakers due to potential vulnerabilities that could be exploited by hackers.

A bevy of personal devices using the same network can also cause unintended trouble. According to a March 2019 report from Verizon, 25 percent of healthcare organizations have experienced a security breach involving a mobile device in the past 12 months.

Those concerns are prompting IT leaders to take a robust, wide-ranging approach to endpoint management — not only to prevent hacking but to increase vigilance for any signs of malicious activity demanding swift action.

SUBSCRIBE: Become an Insider for access to exclusive HealthTech videos, white papers and articles.

Users Pose a Big Risk for Most Security Strategies

Endpoints are high-risk locations on any network because they’re the place where important data is collected and delivered, says Phil Hochmuth, a program vice president at IDC.

Moreover, “they’re the point of contact with users, who are always the weakest link in any security strategy,” Hochmuth says. “Healthcare has all the endpoint issues of organizations in other sectors, plus the added complication of the Internet of Things devices that do more and more in medicine.”

Lee Cullivan, CISO of Boston Medical Center, says a strong endpoint security strategy in healthcare requires “a balance that is pretty delicate."

Manufacturers of smart medical devices are only beginning to engineer security and privacy controls into their products, says security consultant Rebecca Herold.

And that’s a big problem. “Medical devices present a really insidious threat because a virus or intrusion could hurt or even kill a patient as a result of how they impact the device,” says Herold, CEO of The Privacy Professor consultancy in Des Moines, Iowa. A constant flow of patients, visitors, physicians and contractors marks a major challenge.

Many security measures can offer defense. Two-factor authentication, access logging, scanning for open access points, encryption, anti-virus and anti-malware tools all help mitigate risks, as do strong policies that require personal device authorization and maintaining up-to-date inventories, Herold says.

Some healthcare organizations deploy technologies such as virtual desktop infrastructure to simplify endpoint management, says Hochmuth.

He notes that unified endpoint management solutions, in which all devices on the network run on one software platform with integrated mobile device management capabilities, are making inroads in IT shops across industries but aren’t yet common in medical settings.

“For now, healthcare providers have many decisions about where and how devices are connected to their networks and what tools they want to use to keep track of them,” Hochmuth says.

Boston Medical Center Builds a Strong Defense

Boston Medical Center, a 514-bed teaching hospital, employs a multilayered approach to endpoint management.

A McAfee Endpoint Security agent is installed on all client devices to block viruses and malware. Cloud-based secure gateway Cisco Umbrella monitors and filters any requests made from an endpoint to the internet. VMware AirWatch provides unified endpoint management for mobile devices on the network. The hospital also utilizes VMware’s NSX virtualization and security platform.

Passwords, of course, are mandatory. “We have a zero-trust policy on the wireless network, where most of the medical devices transmit data,” Cullivan says. “Those endpoints are blocked from communicating with any others on the wireless network to ensure that they’re not compromised.”

A more basic security step at Boston Medical Center: staying current on all patches and updates for every device on the hospital’s network.

But the task is easier said than done. “The medical devices bring nonstandard operating systems into the picture, and it can be difficult to keep up with the latest updates,” Cullivan says. “The devices represent a lot of variants in the environment. That makes security harder.”

Luckily, the practice itself draws little resistance from employees.

“We used to get pushback when we wanted to install patches, because it can be inconvenient for users,” he says. “Now, people are aware of the importance of securing their data in their personal lives and expect to do it at work as well.”

Beebe Healthcare Stays Ahead of Trouble

Timely software security patching is also a foundation of endpoint management at Beebe Healthcare, a 210-bed system serving Sussex County in southern Delaware.

“We’re primarily a Microsoft Windows and Office shop, and those systems are patched on a 30-day cycle,” says Clint Perkinson, Beebe’s director of information systems. “We stay above a 95 percent completion rate on more than 3,000 computers.”

But that’s just the beginning. The organization contracts with a network monitoring provider that flags any activity that could indicate a risk, allowing in-house IT staffers to focus on any trouble spots that surface, says Perkinson. Beebe also runs an agent on computers within its facilities and uses anti-virus and anti-malware software from McAfee, Norton and other vendors.

We continually monitor for any activity that’s abnormal, and if we see it, the device involved gets locked down to protect the network and patients.”

Clint Perkinson Director of Information Systems, Beebe Healthcare

Beebe deploys IBM MaaS360 as its mobile endpoint management platform, and public Wi-Fi runs on a dedicated wireless network to keep extra traffic and the associated risks of outside devices from affecting the hospital’s main network, says Perkinson. Traffic from approved medical devices is isolated on a separate network segment that runs on the Cisco Identity Services Engine platform.

“We continually monitor for any activity that’s abnormal, and if we see it, the device involved gets locked down to protect the network and patients,” Perkinson says.

Endpoint Visibility Remains a Top Security Challenge

Beebe Healthcare recently completed a three-and-a-half-year project to segment its networking infrastructure, which is built on Cisco technologies for both its wired and wireless networks. The healthcare provider worked with Cisco to develop an integrated view of the network while reaping the security benefits of segmentation.

“Anytime you move to an integrated platform with one dashboard to look at, you’re going to improve your response efficiency and security, from your endpoints into the center of the networking infrastructure,” Perkinson says.

From waiting areas to operating rooms, countless endpoints represent a new and unique security threat. Boston Medical Center deploys a number of strategies to keep devices segmented and safe.

Visibility is the biggest challenge in endpoint management, says Chris Wilkins, IT security director at Arkansas Children’s Hospital, a 370-bed pediatric hospital with a Level I trauma center in Little Rock, Ark.

“In order to manage them, we need to know what devices are on the network, where they are and what’s on them,” Wilkins says. “It’s becoming harder as more people bring consumer-based devices into the hospital.”

This is why the hospital deploys IBM QRadar security information and event management to provide a view into all the devices and applications on its network, using log events and network traffic data to identify potential threats. The hospital also uses AirWatch to manage mobile devices.

Traditional endpoints such as desktops, laptops and tablets require consistent vigilance on the network, but their challenges are manageable with good practices and existing technology, says Wilkins.

DISCOVER: Learn why basic security compliance isn’t enough for healthcare organizations.

Organizations Take a Balanced Approach to Security

When it comes to medical devices, most institutions face similar challenges.

“These devices are not designed to be integrated into enterprise networks, and they don’t have the security built in at the level of most enterprise or even consumer devices and applications,” says Wilkins. “Many of them don’t offer free upgrades, so patching is a bigger issue.”

Smart medical devices are often expensive, and it can take years to find the funds to purchase upgraded models, says Wilkins.

In the meantime, Arkansas Children’s isolates devices on a separate network segment to minimize the risks they pose. As an added measure, the hospital has ramped up user education programs, uses multifactor authentication and limits application access to users who need it for their work.

The efforts continue to evolve.

“We never achieve the perfect balance between usability and security at our endpoints, but we’re always adjusting it,” Wilkins says. “Our instinct is to mitigate risk, but sometimes we turn the wrench too far and lock down too much. Then, we work with users so they have what they need to do their jobs for patients.”

Boston Medical Center/Photography by Jason Grow (Cullivan)