It’s one of the best ways to protect healthcare networks and medical devices from a widespread and devastating cyberattack, but most organizations aren’t doing it yet.
It’s not that IT security professionals don’t know about the effectiveness of segmentation; it’s the complexity and cost that cause many to put thoughts of segmenting on permanent pause.
“People will also say that they’re worried that segmenting will slow or interfere with different networks and systems communicating with each other,” says John Gomez, CEO of cybersecurity firm Sensato. “That’s a myth.
Deployed properly, segmentation actually makes communication more reliable.”
Most importantly, segmentation is a healthcare organization’s best chance of containing a cyberattack and preventing any serious impact on the health and safety of patients. “Our highest concern is patient safety,” says Gomez. “Another side of that is the potential liability. You don’t want to be the executive who is getting deposed in a law suit and have to admit that you chose not to segment your networks though you are aware that it is a recommended industry best practice.”
Read about the known and potential threats to healthcare information and medical device security.
Gomez and his team at Sensato understand the pain points that keep healthcare IT security teams and hospital administrations from segmenting networks. That’s why they recommend a “crawl, walk, run” approach to tackling the job.
“You don’t have to boil the ocean,” says Gomez. “Like any big project, it’s easier to manage—and to budget—if you break it into smaller tasks, starting with life-critical devices.”
For healthcare organizations, segmenting devices that could impact patient health or cause loss of life is both the most logical place to start and one of the easiest—because they’re generally the smallest percentage of a healthcare organization’s total number of devices.
Why segment life-critical devices? Because until you do, they’re vulnerable to a direct attack that could spread to every device connected to the same network. They’re also open to becoming infected as a “side effect” of any type of phishing virus, malware, or cybermunition that might infect any other part of your entire network of connected devices: servers, routers, laptops, desktops, tablets, patient monitors, printers, even diagnostic tools like CT scanners.
MD-COP will secure your data, devices, and network from targeted and “side effect” attacks. Act quickly.
When the average hospital now has 10 to 15 connected devices per bed, and, on average, each device has 6.2 points of vulnerability, that’s a lot of vulnerabilities.
“If you can only segregate those devices that, if attacked, could end someone’s life or seriously impact their health, then you’ve gone a long way,” says Gomez.
After segregating life-critical devices, he recommends that the next target be diagnostic devices, which comprise a much higher percentage of a hospital’s devices. Because the “walk” stage involves devices and networks throughout the organization, Gomez advises IT security teams to devise a multi-phase approach, breaking the work down floor by floor or department by department.
So far, no cybersecurity breach has resulted in any reports of patient death.
However, there have been a variety of breaches that should give any healthcare IT security executive nightmares.
Rainbow Children's Clinic in Texas, Hollywood Presbyterian Medical Center, The Erie County Medical Center (ECMC) in New York, and even the UK’s National Health Service (NHS) were crippled by ransomware attacks. In the case of the NHS, CT and MRI machines were among the devices taken down by the virus. ECMC’s network was down for six weeks.
Bayer Medrad, radiology equipment that injects contrast agents to aid in MRI scans, and Siemens Healthineers medical imaging products were infected by ransomware.
As far back as 2012, fetal monitors used on women with high-risk pregnancies were slowed down by malware.
The final phase is to segment everything else related to medical devices that connect to the hospital network.
“If you can complete these phases, that’s an amazing step forward, an amazing evolution in the level of security and maturity that you have in your IT security,” says Gomez. “It does take time, but with a focused effort, it’s possible.”
Gomez and his team at Sensato thought that protecting healthcare networks, and specifically the highly vulnerable medical devices connected to those networks, is so important that they created MD-COP.
A single solution that addresses the administrative, technical, and operational requirements of HIPAA, NIST 800-53, and FDA Post-Market Guidance for Medical Device Cybersecurity, MD-COP includes consulting for segmentation of medical devices. MD-COP also includes monitoring of segmented networks, along with incident response planning, medical device risk assessments, medical device manufacturer risk assessment, shared threat intelligence, the Sensato Nightingale honeypot, and security strategy and tactics.
“We’ve seen how vicious a cyberattack can be in terms of destroying not only data but actually destroying equipment,” says Gomez. “That’s why it is our mission to do everything we can to help healthcare organizations protect their patients’ health and safety from the type of damage a cyberattack can inflict.”
