Security Leaders Share Steps to Building a “Defensible Posture” Against IoMT Vulnerabilities
By Kate Gamble
Like many advances in technology, connected medical devices come with both benefits and risks. “They’re a critical component of how we provide care and how we serve our patients,” said Sanjeev Sah, CISO at Centura Health, during a recent webinar. “But these devices also present unprecedented challenges,” particularly given the complexity involved.
“We’re connecting more and more devices to the network in different ways,” said Paul Curylo, CISO at Inova Health System, who also participated in the discussion, along with Shankar Somasundaram (founder and CEO, Asimily). “Just about anything could be considered a medical device and will probably be connected at some point.”
For leaders, that means taking a closer look at “the vast array of different operating systems, communication protocols, and purposes for these devices,” Somasundaram added, and using that information to figure out how to keep data safe. Doing so requires a holistic approach that focuses on vulnerability management and incorporates input from leaders across the organization, the panelists said.
“A system of systems”
According to Somasundaram, it starts by acknowledging one very simple but important concept: “Healthcare is not a set of devices,” he said. “It’s a system of systems, with different devices that interoperate and work with each other.” The Internet of Medical Things (IoMT), therefore, should be viewed as an ecosystem of systems and applications. The challenge is that much of the time, “we don’t have all the information we need about those devices,” he noted. Manual collections, which are often utilized, “are prone to gaps and errors, and inventories are incomplete. It’s a problem across the industry.”
What organizations need is better visibility into the devices that are on the network, the types of vulnerabilities they may have, and how serious they may be, according to Curylo, noting that “not every vulnerability should be a concern. You’ll drive yourself crazy trying to stamp out every vulnerability.” Instead, it’s important to characterize vulnerabilities with respect to the environment in which they reside. Doing so requires strong “partnerships with various system owners and custodians” who know the devices well.
The next step is to develop a set of criteria for evaluating new and existing vulnerabilities based on their potential to reveal sensitive information, said Curylo, and to treat the process as an ongoing cycle — not a static event. “It’s not a single step that gets done and then you go on autopilot.”
In fact, one of the most common mistakes organizations he made, he noted, is to wait until the entire inventory has been identified before moving forward. “That’s where things can go off the rails.”
Detecting Anomalies
And although inventories are certainly important, the greater value is in “understanding the pattern of life of the machines running in our environment,” in terms of “the relationships they create and the dependencies that exist and being able to see what that map looks like,” Curylo noted. Armed with that information, leaders can then confer with subject matter experts to detect anomalies, which is a critical step.
“Whether it’s an outlier or a change in the pattern, that’s particularly important, because it’s something new,” Curylo said. And while it could be normal operations, or a change that didn’t flow to the cybersecurity team, it could also indicate a threat actor. “We won’t know until we address it. Inventories are static and sometimes have holes. The relationship between devices is more important in an environment like that.”
With all of this considered, the prospect of managing IoMT vulnerabilities can seem extremely daunting. But there are best practices that can move organizations closer to the ultimate goal, including the following:
- Set limits. One step leaders can implement? “Eliminate services that don’t absolutely need to run on devices,” said Somasundaram. “We can’t get to perfect, but we can make them less of a target.”
- Take rounds. Walking through clinical areas can be very beneficial — but not for the most obvious reasons, according to Curylo. By talking with nurses, nurse managers, directors and others in the care space, he’s able to “get feedback and have discussions from a human perspective about the challenges they’re facing,” he said. “It’s about bridging the gap and learning.”
- Make it a team effort. At Inova, risk management is very much a team effort, according to Sah. As part of its multipronged approach, “We have an operations-focused security council that brings together not just the technical minds, but also operational leaders into that conversation,” he said. Security risks are discussed at various levels of depth and angles to ensure input from as many stakeholders as possible. “It’s a collaboration with clinical leaders and our technical partners to make the right decision every time for our organization. When we do it collaboratively, we end up achieving better outcomes.”
Similarly, risk discussions at Inova routinely involve business and clinical partners, and are often quite comprehensive, noted Curylo. “We need to understand what a particular piece of equipment does and what value it brings to patient care, because we might adopt a riskier position (to accommodate that), even if we can’t apply appropriate countermeasures.”
Finally, both Sah and Curylo emphasized the importance of patience and persistence. As with so many other aspects of healthcare, vulnerability management is a journey that requires “a deliberate effort” and “intentional collaboration” among key stakeholders.
“There’s no silver bullet,” noted Sah. “But having a defensible posture gives us an opportunity to protect operations, protect our people, and most importantly, safeguard our patients.”
Category: Uncategorized