A ‘Paradigm Shift’ in Security Collaboration
During a panel, UNC Health CISO Dee Young said her organization has about 350,000 connected devices at any one time, and about 35,000 to 40,000 are some kind of medical device. The North Carolina health system also has taken on some rural healthcare organizations, bringing more legacy devices onto the network that must be secured.
The Software Bill of Materials has been a good starting point to provide more information about what’s baked into a device, Young said. The Log4j vulnerability is just one example of the need for a methodical approach to score devices on the likelihood of vulnerabilities.
Young added that UNC Health is the second organization she’s worked at where the biomed or clinical engineering team is under the IT department. “That’s been an interesting paradigm shift because of the skills and the shortage. We’ve found that that really is helpful, especially with trying to patch. Of course, we have the biomed gurus, but we also then have a lot more of the IT-savvy people to help us try to bridge the gap of patching,” she said.
Collaboration is also necessary when developing effective enterprise risk management. If a security team doesn’t collaborate across departments, it’s going to have a harder time getting risk management off the ground or cross-identifying key risks, said Donald Lodge, compliance officer at Advocate Health, during another session.
“Once you have everyone at the table, it’s really important to start talking about what you’re trying to get out of your risk management program,” Lodge said. “What’s really important is trying to figure out what your goals outside of just communicating risks are.”
It’s crucial to communicate with your teams and across the enterprise so everybody understands why risk management is important. “How can we better work together as an organization, eliminate the silos that we have, and help better identify, remediate and find risks overall?” said Elissa McKinley, director of cybersecurity, governance, risk and compliance at Advocate Health.
Keep Your Connected Environment Secure with Zero Trust
Zero trust is an approach that’s finding increasing favor in healthcare security. Organizations that have yet to incorporate any part of the zero-trust framework shouldn’t do everything at once, however. Start small: Consider tackling one of the pillars that covers devices.
“If you’re able to apply zero trust and baseline ‘Here’s what’s normal behavior from my devices in the network,’ you can ensure patient safety, prevent and contain attacks, reduce your attack surface, and really limit, when an attack happens, that scope of that particular attack,” said Danelle Au, chief marketing officer at Ordr.
In a separate session, Ordr CEO Jim Hyman emphasized the need for healthcare organizations to know what’s on their networks and what devices do. That’s why gaining visibility is an important first step.
“We should stop thinking about the differentiation between Internet of Things, Internet of Medical Things, operational technology and IT,” Hyman said. “You have to look at this across the board.”
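To make the “baseline what’s normal, then limit everything else” idea concrete, here is an added Python sketch (not code from Ordr or any panelist). It learns each device’s normal destinations from constructed flow records, renders them as per-device allow rules, and flags traffic that falls outside the baseline or comes from a device that was never inventoried; device names, hosts and ports are made up for the example.

```python
from collections import defaultdict

# Constructed sample flow records (device, destination, port) from a learning
# window in which the devices are assumed to behave normally. Not real data.
LEARNING_FLOWS = [
    ("infusion-pump-01", "pump-server.local", 443),
    ("infusion-pump-01", "pump-server.local", 443),
    ("infusion-pump-01", "ntp.local", 123),
    ("ct-scanner-02", "pacs.local", 104),
    ("ct-scanner-02", "pacs.local", 104),
    ("ct-scanner-02", "ntp.local", 123),
]

# Constructed flows seen later, while monitoring against the baseline.
MONITOR_FLOWS = [
    ("infusion-pump-01", "pump-server.local", 443),  # normal
    ("infusion-pump-01", "ct-scanner-02", 445),      # pump talking SMB to a scanner: not in baseline
    ("ventilator-07", "pacs.local", 104),            # device never seen during learning
]

def learn_baseline(flows):
    """Return {device: {(destination, port), ...}} observed during learning."""
    baseline = defaultdict(set)
    for device, dest, port in flows:
        baseline[device].add((dest, port))
    return dict(baseline)

def to_allowlist(baseline):
    """Render the baseline as per-device allow rules with a default deny."""
    rules = []
    for device in sorted(baseline):
        for dest, port in sorted(baseline[device]):
            rules.append(f"allow {device} -> {dest}:{port}")
        rules.append(f"deny {device} -> any")
    return rules

def find_deviations(baseline, flows):
    """Return (device, dest, port, reason) for flows the baseline does not cover."""
    deviations = []
    for device, dest, port in flows:
        allowed = baseline.get(device)
        if allowed is None:
            deviations.append((device, dest, port, "unknown device"))
        elif (dest, port) not in allowed:
            deviations.append((device, dest, port, "outside baseline"))
    return deviations

if __name__ == "__main__":
    base = learn_baseline(LEARNING_FLOWS)
    for rule in to_allowlist(base):
        print(rule)
    for deviation in find_deviations(base, MONITOR_FLOWS):
        print("ALERT", deviation)
```

In practice the learning window would be long enough to capture periodic traffic (updates, backups), and the allow rules would feed a segmentation policy rather than a print statement.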
Medical devices pose a unique challenge in healthcare since they have many regulatory requirements and guidelines that IT companies don’t traditionally handle, said Keith Whitby.