By Ron Rotman
Devices are a reality in the continuity of care, from the consumerization of traditional medical devices, to the addition of webcams and video conferencing kits to support the delivery of virtual care.
However, these devices are quickly becoming security weak points for healthcare organizations. It’s nothing new that any device connected to a network is a risk, however, the recent explosion of devices in healthcare settings are making these organizations prime targets for ransomware activity — in fact, 40 per cent of manufacturers say hackers managed to gain access to their device.
More and more, it’s not just the financial toll of these attacks organizations are worried about, but the additional strain on clinical and administrative staff as ransomware-related outages disrupt workflows and put patients at risk.
As the proliferation of devices continues, there are more and more ways for attackers to get in. Here’s what healthcare organizations need to know about the changing security environment, and how they can rethink their approach to security.
Security challenges and increasing complexity in healthcare
In a typical patient room, there are anywhere from 15-20 devices connected at any one time. This includes everything from infusion pumps, ventilators and pulse oximeters, to a visitor’s mobile phone connecting to the guest Wi-Fi. When it comes to MIoT devices specifically, they are often designed with purpose — not security — in mind, making them difficult to patch and manage against vulnerabilities.
Add to this the huge volume of healthcare data now being transferred every day: telemedicine video; connected medical devices; EMR information traveling from a clinical facility to the cloud; smart facility applications, such as light bulbs and wayfinding; and patients, clinicians, and administrators driving the need for Wi-Fi everywhere.
This complexity is continuing to accelerate with mobile, security, IoT and Cloud, and so to are the number of security vendors on the market. The average enterprise has between 50 to 100 different security vendors in their environments. However, organizations are not getting any more secure, no matter how much money they spend on this technology.
Organizations need to go beyond security technologies and tools, and rethink their philosophy when it comes to their security approach. Enter: clinical zero trust.
Clinical zero trust
In a traditional zero-trust environment, no person, device or resource is considered secure. It’s assumed a network has been breached, and uses a series of verifications to grant access to a specific user, at a specific time, to use a specific resource or functionality. Zero trust is also built around three key principles: visibility, segmentation and containment.
Clinical zero trust (CZT) builds on these cornerstones, while also addressing healthcare’s multi-faceted needs, including patient privacy, connected – and unconnected – medical and IOT devices, and virtual care.
But implementing CZT is no small undertaking. Healthcare systems are reliant on legacy systems that may not provide this type of authentication – not to mention the plethora of medical devices that are either outdated, unconnected or unaccounted for in any given facility.
Getting started with CZT
CZT isn’t a one-size fits all solution, and successfully implementing a strategy requires collaboration between the organization’s business, clinical and security stakeholders.
With that said, the planning and roll out of a CZT strategy can be broken down into five phases:
- Identify everything operating in the clinical setting
- Map the use of entities to understand how they are involved in care and business protocols
- Engineer the environment to protect the integrity and flow of each protocol
- Monitor the environment to understand the impact of the policies you plan to enforce
- Automate the implementation wherever possible to maximize the benefits of a CZT stance
It can be a daunting task doing this on your own, which is why Cisco has partnered with Medigate to go beyond network visibility and provide actionable security insights for healthcare organizations. Combining Cisco’s comprehensive, end-to-end healthcare security portfolio with Medigate’s platform, organizations can gain greater insight into devices on the network, benefit from network analysis to detect threats, and implement clinically driven, rule-based policy enforcement mechanisms.
To learn more about how Cisco and Medigate can protect your organization, read more here.
Ron Rotman is a healthcare account manager at Cisco Canada.