How Healthcare Organizations Are Looking at the Big Picture of Device Security

Yale New Haven Health Takes Inventory of Medical Devices

Yale New Haven Health, which serves communities from New York’s Westchester County to Westerly, Rhode Island, has expanded in recent years through acquisitions of visiting nurse associations and hospitals. As the healthcare organization combined its resources into one system, a key challenge was creating an inventory of all the types of medical devices.

Health systems must track desktops and laptops for clinicians as well as biomedical devices, security cameras and temperature monitors, says Yale New Haven Health Vice President and CISO Glynn Stanton.

“It really does require a multilayered approach to get that database of connected equipment together,” Stanton says. That consists of active scanning, passive monitoring of the network and using tools to help identify the devices that need protection.

Yale New Haven Health used a Medigate collection server to track the inventory of devices. The job is never straightforward, says Christopher Parchinski, the organization’s technical information security officer.

“As much as you get a piece of paper that says, here's what you have, there's always a discrepancy,” Parchinski says.

Yale New Haven Health uses security risk scores to determine threat levels for its network. The scores factor in the network type, whether the network is connected to the internet and a VPN, and whether it has operating system vulnerabilities, Parchinski says. Other score factors include whether a device has personal health information and the degree of data sensitivity.

The health system receives threat intel feeds to notify it of critical risks, Parchinski adds. Then, the IT security team takes steps to address the vulnerabilities.

By using Medigate, Yale New Haven Health reduced the time required to receive notifications of infusion pump vulnerabilities. Previously, it would take a couple of weeks to receive a notification; now, they come the same day, according to Stanton.

In addition, Medigate provides a centrally managed view into critical vulnerabilities to help with the IT security team’s decision-making. In the past, Yale New Haven Health would shut down a port and take two days to find where a vulnerability was connected. That time has been reduced to within an hour, according to Parchinski.

To view the big picture of threats, Yale New Haven Health IT leaders prefer a multiscreen setup to tracking threats on their mobile devices. The 24/7 security and network operations center uses large HP screens. “It would be tough to manipulate what you need to do on a mobile screen,” Parchinski says.

Stanton does receive text alerts from his security and network operations center on an Apple mobile device. Although he prefers Android’s open platform, Apple mobile devices have worked out better from a security perspective, he says.

EXAMINE: How to approach connected-device security from a zero-trust perspective.

Franciscan Alliance Maintains Awareness Through Passive Scanning

Similar to Yale New Haven Health, Indiana-based Franciscan Alliance also finds tracking medical devices challenging. Information Security Officer Jay Bhat is responsible for securing about 13,000 medical devices.

“We spend a lot of time partnering with our clinical engineering teams to make sure that we understand the devices on our network, the different versions that we have,” Bhat says.

The IT team works with clinical engineering and, in many cases, the device manufacturers to patch and upgrade them.

To manage device inventory and maintain situational awareness of its network, Franciscan Alliance uses the Ordr Connected Device Security platform. Ordr’s sensors attach to network ports at Franciscan Alliance, and the platform’s dashboard provides visibility into the categories of devices on the network.

For example, Bhat can opt to view IoT devices as well as subcategories, such as types of mobile phones and operating systems. Bhat can also view the versions of medical devices and data related to them.

Although medical device manufacturers usually disclose vulnerabilities, Ordr provides this information as part of a “single pane of glass for all devices on our network,” Bhat says.

Ordr also offers a risk rating to let health systems prioritize vulnerabilities. Franciscan Alliance uses machine learning to spot unusual data patterns, Bhat says.

When Ordr recently alerted customers to a vulnerability in the Apache Log4j logging utility, Franciscan Alliance was able to identify which of its medical devices could have been impacted and segment them until a patch was released, Bhat says.

The health system also places a unified threat management firewall in front of the devices to protect them further. UTMs combine multiple security features into a single device on a network.

“We’ve locked those down in terms of preventing users or anybody else from connecting USB sticks or other portable media to those devices,” Bhat says.

Franciscan Alliance’s device ecosystem includes smart TVs, MRI machines, portable lab testing equipment and remotely monitored refrigerators for storing medication.

“My team spends a significant amount of time trying to understand what the organization is trying to bring in, what is the best way to secure those devices and also what the right network is for those devices,” Bhat says.

In addition to Ordr, Franciscan Alliance uses ServiceNow as its asset management system to maintain a rich data set of all resources on its network, Bhat says. It tells the health system which vendors support a particular device and identifies its purpose.

Going forward, Bhat says, he expects to see more investment by medical device manufacturers in patching devices.

“I think many healthcare organizations have struggled recently, because medical devices did not play nicely with traditional security products,” Bhat says. Medical vendors would ask for security scanning to be turned off, he adds.

But medical device integration is improving, he says. “That behavior is changing, and so we’re seeing much better partnership and change from the medical device community.”

Harris Health System Tracks the Footprint of Medical Devices

To maintain situational awareness of medical devices, Bellaire, Texas-based Harris Health System turned to an Internet of Medical Things monitoring solution that not only tracks devices but neutralizes them if configured improperly. A simple vulnerability scan is insufficient, according to Jeffrey M. Vinson Sr., Harris Health’s senior vice president and chief cyber and information security officer.

“You just can’t monitor these devices without having an IoT or IoMT solution in place,” he says.

Tech tools provide Harris Health with information on which software versions are running and whether the devices have been recalled by the Food and Drug Administration, Vinson says. Segmentation is also a key strategy for Harris in dealing with potential threats to devices.

“That allows you to fingerprint these medical devices and also understand how those devices can be quarantined and cut off from the rest of the network if there was a ransomware outbreak,” Vinson says.

EXPLORE: How managed detection and response can improve your organization's security posture.

By examining the fingerprint of a device such as an infusion pump, security professionals can track what ports or protocols the device is operating on and whether bad actors are exploiting vulnerabilities, he says.

“If you don't have the visibility into what’s communicating on your network, you don’t have that situational awareness,” Vinson says. He warns that the threat of a patient’s medical device being hacked is real as long as it has Wi-Fi and Bluetooth connectivity.

Vinson recommends studying the Manufacturer Disclosure Statement for Medical Device Security, which details the security features of devices. IT security should always come back to the main goal, which is protecting patients, he adds.

“We’re all about positive patient outcomes, and we need to have those positive interactions,” Vinson says. “We never want to have those devices that are used for life safety to be compromised in any shape or form.”