Zero Trust for Hospital Devices
NCSAM Week 3 – Securing Internet-Connected Devices in Healthcare
I was pondering the NCSAM Week 3 directive: “The third week of Cybersecurity Awareness Month will delve into the industry (hospitals, care facilities) and consumer (telemedicine patients) implications of internet-connected device use and what steps both can take to own their part and #BeCyberSmart.”
Modern healthcare involves a lot of devices and identities throughout the care facility and the patient flow. Hospitals have a ton of smart devices, plus the network they all connect to. Surgical robots, imaging and diagnostic tools, scheduling programs that connect to widgets and apps on smartphones: you can’t get away from the need for Zero Trust, both to keep quality care flowing and to avoid breaches that require OCR notification.
A challenge I mentioned in a previous post about smart houses and smart devices applies equally in healthcare: who in the hospital knows how to update all the software, firmware, apps, and program interfaces for every smart device in use? Are all the privileged users, as well as the service accounts (the accounts that run the automated parts, or even the patient portal and servers), locked down so they cannot explore the rest of the network via RDP or another standard protocol?
A smart IT or IS leader will have a way of operationalizing their smart systems: managing identities, securing authentication through segmentation, automatically preventing lateral movement, and shutting down attacks before they get going. Remember, staff may have a learning curve in understanding which legacy authentication protocols (LDAP and RDP relays, for example) may be vulnerable.
I understand the pushback: there can be a lot of legacy systems in a hospital that cannot simply be shut down and updated. But there are protections that can be put in place to head off attacks against these legacy systems, from segmentation and blocking to step-up authentication.
Hospital IT staff may be fantastic at keeping the systems up and running, encrypting patient files, and generally responding to traditional network perimeter attacks. But what do they do if a laptop goes missing, or an iPad gets swiped off the nursing station? Hopefully they’ll have good endpoint security, but if the device holds both the doctor’s login and an IT administrator’s login, can a compromise of that one device launch a lateral movement attack that takes down a system, or worse, encrypts it with ransomware?
My advice for Healthcare:
- Get a handle on how many identities are active in your environment. Remember, a single device can have multiple users present on it, all with different levels of authorization.
- Take a census of all the smart devices functioning in your environment. Then map out what belongs in each location and decide which units or groups need micro-segmentation lockdowns. Break the map into segments to plan for security:
  - Physical properties of each smart device (type, interface, function)
  - Logical properties (who owns it, who controls it, which systems or departments use it)
  - Risk properties (location, times of expected operation, immediate patient risk, e.g. surgery vs. records)
- Prioritize your key systems for active lateral movement protection: medical records, uninterruptible power supplies (UPS), physical access controls, even HVAC, and automated pharmacy systems. If losing it would stop you from providing patient care, prioritize it.
- Lock down WiFi and guest access. Even the administration of these systems should prevent users who log on from performing attacks, RDP sessions, or rlogin connections anywhere into your care portal, scheduling, etc. (This may be particularly important for smaller satellite clinics, which don’t have IT staff monitoring issues as they arise.)
- Refresh your emergency response plan with active ransomware drills, and make sure your staff education plan teaches everyone to see something and say something: report phishing or other anomalies, and report stolen smart devices. If someone unauthorized were touching your crash cart, someone would notice, right? It must be the same for all the portable devices on your network. And if someone’s scheduling screen comes up with a ransomware message, make sure that person, at any level of your organization, knows precisely whom to call and what to do.
- Make a communication plan for when things go wrong. What constitutes a catastrophic event that requires closing the doors vs. limiting service? Who gets to make go/no-go decisions on surgeries? What happens if things go pear-shaped at 8:00 am? At midnight?
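One way to turn the device census above into a segmentation and lateral-movement priority plan, as an added Python example that is not from the original post (the device names, scoring weights and port list are constructed assumptions):

```python
"""Segmentation planner for a hospital device census (added example)."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    kind: str          # physical property: device type / function
    interface: str     # physical property: how it attaches (wired, wifi)
    owner: str         # logical property: owning unit or department
    location: str      # risk property: where it lives
    hours: str         # risk property: expected operating window
    patient_risk: int  # risk property: 3 immediate (surgery) .. 0 none
    stops_care: bool   # would losing it halt patient care?

# Constructed census; every name and value here is hypothetical.
CENSUS = [
    Device("surgical-robot-01", "surgical", "wired", "OR", "OR-2", "06-22", 3, True),
    Device("ct-scanner-01", "imaging", "wired", "Radiology", "RAD-1", "24x7", 2, True),
    Device("pharmacy-robot-01", "pharmacy", "wired", "Pharmacy", "PH-1", "24x7", 2, True),
    Device("ehr-app-01", "records", "wired", "IT", "DC", "24x7", 1, True),
    Device("admin-ws-01", "admin", "wired", "IT", "DC", "08-18", 0, False),
    Device("nurse-ipad-07", "scheduling", "wifi", "Nursing", "3N", "24x7", 1, False),
    Device("guest-laptop-42", "guest", "wifi", "Guest", "Lobby", "08-20", 0, False),
]

def segment(d: Device) -> str:
    """Micro-segment key: one lockdown group per location and owning unit."""
    return f"{d.location}/{d.owner}"

def priority(d: Device) -> int:
    """Higher score = protect against lateral movement first."""
    return d.patient_risk * 2 + (4 if d.stops_care else 0)

def plan(census):
    """Return (segment -> device names, care-critical devices in priority order)."""
    segs = defaultdict(list)
    for d in census:
        segs[segment(d)].append(d.name)
    ranked = sorted(census, key=priority, reverse=True)  # stable: ties keep census order
    return dict(segs), [d.name for d in ranked if d.stops_care]

# Protocols the post calls out as lateral-movement paths (assumed port numbers).
LATERAL_PORTS = {3389: "rdp", 513: "rlogin", 389: "ldap"}

def flow_allowed(src: Device, dst: Device, port: int) -> bool:
    """Deny guest/WiFi endpoints and any cross-segment use of lateral-movement protocols."""
    if port not in LATERAL_PORTS:
        return True
    if src.owner == "Guest" or src.interface == "wifi":
        return False
    return segment(src) == segment(dst)
```

Feeding the planner a real census would replace the constructed list; the flow check is the policy a segmentation firewall or NAC would enforce, not a substitute for one.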
I know it must sound like a broken record from security vendors, but it is true that planning for disasters and incident response is much cheaper to do in advance than during the disaster itself. Know your state laws for breach reporting, as well as the HITECH scope requirements. And finally, be excruciatingly aware of the current Ransomware Advisory from the Treasury Department. That advisory contains contact information that your IT department and patient privacy office should have physically written down somewhere, in case a ransomware attack takes down your network.
Keep it safe out there! We need good healthcare more than ever in these challenging times!
Posted by Jeannie Warner on October 23, 2020 5:33 PM