It’s one of
the best ways to protect healthcare networks and medical devices from a
widespread and devastating cyberattack, but most organizations aren’t doing it
that IT security professionals don’t know about the effectiveness of
segmentation; it’s the complexity and cost that cause many to put thoughts of
segmenting on permanent pause.
also say that they’re worried that segmenting will slow or interfere with
different networks and systems communicating with each other,” says John Gomez,
CEO of cybersecurity firm Sensato. “That’s a myth.
segmentation actually makes communication more reliable.”
importantly, segmentation is a healthcare organization’s best chance of
containing a cyberattack and preventing any serious impact on the health and
safety of patients. “Our highest concern is patient safety,” says Gomez.
“Another side of that is the potential liability. You don’t want to be the
executive who is getting deposed in a law suit and have to admit that you chose
not to segment your networks though you are aware that it is a recommended
industry best practice.”
Read about the known and potential threats to
healthcare information and medical device security.
his team at Sensato understand the pain points that keep healthcare IT security
teams and hospital administrations from segmenting networks. That’s why they
recommend a “crawl, walk, run” approach to tackling the job.
have to boil the ocean,” says Gomez. “Like any big project, it’s easier to
manage—and to budget—if you break it into smaller tasks, starting with
healthcare organizations, segmenting devices that could impact patient health
or cause loss of life is both the most logical place to start and one of the
easiest—because they’re generally the smallest percentage of a healthcare
organization’s total number of devices.
life-critical devices? Because until you do, they’re vulnerable to a direct
attack that could spread to every device connected to the same network. They’re
also open to becoming infected as a “side effect” of any type of phishing
virus, malware, or cybermunition that might infect any other part of your
entire network of connected devices: servers, routers, laptops, desktops, tablets,
patient monitors, printers, even diagnostic tools like CT scanners.
MD-COP will secure your data, devices, and
network from targeted and “side effect” attacks. Act quickly.
average hospital now has 10 to 15 connected devices per bed, and, on average,
each device has 6.2 points of vulnerability, that’s a lot of vulnerabilities.
“If you can
only segregate those devices that, if attacked, could end someone’s life or
seriously impact their health, then you’ve gone a long way,” says Gomez.
life-critical devices, he recommends that the next target be diagnostic
devices, which comprise a much higher percentage of a hospital’s devices.
Because the “walk” stage involves devices and networks throughout the
organization, Gomez advises IT security teams to devise a multi-phase approach,
breaking the work down floor by floor or department by department.
So far, no
cybersecurity breach has resulted in any reports of patient death.
there have been a variety of breaches that should give any healthcare IT
security executive nightmares.
Children's Clinic in Texas, Hollywood
Presbyterian Medical Center, The Erie County
Medical Center (ECMC) in New York, and even the UK’s National
Health Service (NHS) were crippled by ransomware attacks. In
the case of the NHS, CT and MRI machines were among the devices taken down by
the virus. ECMC’s network was down for six weeks.
Medrad, radiology equipment that injects contrast agents to aid in
MRI scans, and Siemens Healthineers medical imaging products were infected by
As far back
as 2012, fetal monitors used on women with high-risk pregnancies were slowed
down by malware.
phase is to segment everything else related to medical devices that connect to
the hospital network.
“If you can
complete these phases, that’s an amazing step forward, an amazing evolution
in the level of security and maturity that you have in your IT security,” says
Gomez. “It does take time, but with a focused effort, it’s possible.”
Gomez and his team at Sensato thought that protecting
healthcare networks, and specifically the highly vulnerable medical devices
connected to those networks, is so important that they created MD-COP.
A single solution that addresses the administrative, technical, and
operational requirements of HIPAA, NIST 800-53, and FDA Post-Market Guidance
for Medical Device Cybersecurity, MD-COP includes consulting for segmentation
of medical devices. MD-COP also includes monitoring of segmented networks,
along with incident response planning, medical device risk assessments, medical
device manufacturer risk assessment, shared threat intelligence, the Sensato
Nightingale honeypot, and security strategy and tactics.
seen how vicious a cyberattack can be in terms of destroying not only data but
actually destroying equipment,” says Gomez. “That’s why it is our mission to do
everything we can to help healthcare organizations protect their patients’
health and safety from the type of damage a cyberattack can inflict.”
healthcare-specific cybersecurity solution protects you from hackers and your
own security shortcomings. Learn more