Lee Cullivan, CISO of Boston Medical Center, says a strong endpoint security strategy in healthcare requires “a balance that is pretty delicate.”
Manufacturers of smart medical devices are only beginning to engineer security and privacy controls into their products, says security consultant Rebecca Herold.
And that’s a big problem. “Medical devices present a really insidious threat because a virus or intrusion could hurt or even kill a patient as a result of how they impact the device,” says Herold, CEO of The Privacy Professor consultancy in Des Moines, Iowa. The constant flow of patients, visitors, physicians and contractors through a hospital poses a further challenge: the set of endpoints on the network is never static.
Many security measures can offer defense. Two-factor authentication, access logging, scanning for open access points, encryption, anti-virus and anti-malware tools all help mitigate risks, as do strong policies that require personal device authorization and maintaining up-to-date inventories, Herold says.
Some healthcare organizations deploy technologies such as virtual desktop infrastructure to simplify endpoint management, says Hochmuth.
He notes that unified endpoint management solutions, in which all devices on the network run on one software platform with integrated mobile device management capabilities, are making inroads in IT shops across industries but aren’t yet common in medical settings.
“For now, healthcare providers have many decisions about where and how devices are connected to their networks and what tools they want to use to keep track of them,” Hochmuth says.
Boston Medical Center Builds a Strong Defense
Boston Medical Center, a 514-bed teaching hospital, employs a multilayered approach to endpoint management.
A McAfee Endpoint Security agent is installed on all client devices to block viruses and malware. Cisco Umbrella, a cloud-based secure gateway, monitors and filters every request made from an endpoint to the internet. VMware AirWatch provides unified endpoint management for mobile devices on the network. The hospital also uses VMware’s NSX virtualization and security platform.
Passwords, of course, are mandatory. “We have a zero-trust policy on the wireless network, where most of the medical devices transmit data,” Cullivan says. “Those endpoints are blocked from communicating with any others on the wireless network to ensure that they’re not compromised.”
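The isolation rule Cullivan describes can be expressed as a small policy check: a wireless medical device may reach only designated collection and management services, and never another client on the wireless network. The following is an added illustration written for this article, not Boston Medical Center’s configuration or any NSX or wireless-controller rule set; the endpoint roles, networks and permitted ports are assumptions, and the flows are constructed sample traffic.

```python
"""Evaluate sample network flows against a wireless zero-trust isolation policy.

Added example; the roles, ports and flows below are constructed, not taken
from any real hospital network.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str
    role: str      # assumed roles: medical_device, workstation, collector, patch_server, app_server
    network: str   # "wireless" or "wired"


@dataclass(frozen=True)
class Flow:
    src: Endpoint
    dst: Endpoint
    port: int


# Assumed allow list: the only (destination role, port) pairs a wireless
# medical device may initiate a connection to.
ALLOWED_DESTINATIONS = {
    ("collector", 443),     # device telemetry upload
    ("patch_server", 443),  # firmware/patch retrieval
}

# Assumed management tier permitted to initiate connections to a medical device.
MANAGEMENT_ROLES = {"collector", "patch_server"}


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for one flow under the isolation policy."""
    src, dst = flow.src, flow.dst
    if src.network == "wireless" and src.role == "medical_device":
        if dst.network == "wireless":
            # The core rule: no client-to-client traffic on the wireless segment.
            return False, "peer-to-peer on wireless denied by isolation policy"
        if (dst.role, flow.port) in ALLOWED_DESTINATIONS:
            return True, "destination service on allow list"
        return False, "destination not on allow list"
    if dst.network == "wireless" and dst.role == "medical_device":
        if src.role in MANAGEMENT_ROLES:
            return True, "inbound from management tier"
        return False, "unsolicited inbound to medical device denied"
    return True, "flow outside the scope of the isolation rule"


def audit(flows: list[Flow]) -> list[str]:
    """Return one human-readable line per denied flow, for review or alerting."""
    denied = []
    for flow in flows:
        allowed, reason = evaluate(flow)
        if not allowed:
            denied.append(f"{flow.src.name} -> {flow.dst.name}:{flow.port} DENY ({reason})")
    return denied


# Constructed sample endpoints and traffic.
PUMP = Endpoint("infusion-pump-01", "medical_device", "wireless")
MONITOR = Endpoint("telemetry-monitor-07", "medical_device", "wireless")
LAPTOP = Endpoint("clinician-laptop-12", "workstation", "wireless")
COLLECTOR = Endpoint("device-data-collector", "collector", "wired")
PATCH = Endpoint("patch-server", "patch_server", "wired")
EHR = Endpoint("ehr-app-server", "app_server", "wired")

SAMPLE_FLOWS = [
    Flow(PUMP, MONITOR, 80),      # deny: device talking to another wireless device
    Flow(PUMP, LAPTOP, 22),       # deny: device talking to a wireless workstation
    Flow(PUMP, COLLECTOR, 443),   # allow: telemetry upload to the collector
    Flow(PUMP, EHR, 443),         # deny: server not on the device allow list
    Flow(PATCH, PUMP, 443),       # allow: management tier reaching the device
    Flow(LAPTOP, PUMP, 445),      # deny: workstation probing a device
    Flow(LAPTOP, EHR, 443),       # allow: not governed by this rule
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

Run as a script, it lists the four denied flows. The same evaluator can be fed flow records exported from a wireless controller or firewall to confirm that the isolation policy actually deployed matches the policy intended, which is the check that catches a misconfigured access point or an exception added in a hurry.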
A more basic security step at Boston Medical Center: staying current on all patches and updates for every device on the hospital’s network.
But the task is easier said than done. “The medical devices bring nonstandard operating systems into the picture, and it can be difficult to keep up with the latest updates,” Cullivan says. “The devices represent a lot of variants in the environment. That makes security harder.”
Luckily, patching itself now draws little resistance from employees.
“We used to get pushback when we wanted to install patches, because it can be inconvenient for users,” he says. “Now, people are aware of the importance of securing their data in their personal lives and expect to do it at work as well.”