Medical devices – how do you mitigate their cybersecurity dangers?

• Vulnerable medical devices can be detected by specialist tools.
• Visibility of the vulnerabilities is key to mitigation.
• Tools can save healthcare providers the worry of cyber-attack through medical devices.

Medical devices in healthcare settings are naturally among the most trusted, most widely-used pieces of medtech in the world.

As we learned when we spoke to Keith Christie-Smith, Strategic Accounts Director (Government, Healthcare & Defence) at Claroty, though, they’re also significant, and largely forgotten vectors for cyber-attack, as they frequently go a decade or more without security upgrades or patches, making them exactly the sort of weak spot that bad actors love.

In Part 1 of this article, we learned of the almost-Orwellian loop of logic that keeps medical devices in a healthcare setting from being upgraded, patched, or even largely scanned for vulnerabilities for large chunks of their lifetime.

In Part 2, we looked at the real vulnerability threats that unpatched medical devices can introduce – both in terms of ransomware of the medical devices themselves (potentially leading to misdiagnosis and deeply traumatizing consequences for patients) and of being an easy gateway for malware to get into hospital systems, and then move laterally, infecting more machines as it goes.

The potential for vulnerabilities and the upgrade trap where vendors are reluctant to upgrade their medical devices in situ and health trusts (in the UK, where Claroty has been operating) being increasingly resource-challenged lead to a situation that can be seen as an ouroboros cybersecurity time bomb for healthcare managers. Until they’re able to prove there’s a cybersecurity threat, they can’t justify the outlay to get them patched for vulnerabilities. But by the time the vulnerabilities make themselves felt, it’s frequently too late.

We asked Keith if there was any good news in the world of medical devices – ever.

THQ:

We’ve said that in order to get a real map of potential vulnerabilities in medical devices, we need complete visibility of the devices and device states across x-region (say, a health trust).

How do we get that visibility?

And what do we do with the visibility once we have it?

KC-S:

You need a particular type of tool-.

THQ:

You’re going to tell us Claroty has just the tool we need, aren’t you?

KC-S:

I am, yes.

THQ:

OK, just so long as we do it commercial style – “other tools are available.”

Medical devices and the visibility cloak.

KC-S:

You need a tool (like ours) that can deliver both visibility and mitigation options over all assets, even devices connected via serial connection. (That’s a key use case that is unique to our tool, Medigate, that none of our competitors offer).

THQ:

Alright, alright – why is serial connection so crucial?

KC-S:

Because of the age of many of these devices. We said in Part 1 that many of these devices are in service much longer than your standard laptop or desktop lifetime. So many of these devices are still connected to the network in ways that feel practically prehistoric now. That means they’re connected using serial connections.

Having end-to-end visibility of all those assets is key – but if you can’t have visibility of devices connected by serial connections, chances are you’re not doing anything like the whole job.

In the case of our system, you deploy the platform, and within days, it populates automatically with all the assets you have.

In terms of what we do with visibility once we have it, that’s a thing we work with our clients on.

There are ways of profiling which are the highest risk devices, so you get visibility of that, but also which vulnerabilities are most critical. So we show the vulnerabilities that have actually been used in compromises in other parts of the world.

Medical devices and the prioritization principle.

Because if you just get a list of vulnerabilities, that’s great, but how do you prioritize 100 or 200 vulnerabilities? The best way of doing that is finding out where they’ve been used to compromise other devices in the world. And then you go and spend your time on those 10 or 15 vulnerabilities, because that’s where the biggest risk exists across your network.

If you’re going to have your medical devices compromised, chances are it’ll be the devices with those vulnerabilities that will become the initial attack vector.

So ultimately, it’s the drilling down into the data that we provide within the platform that can show you where it’s best to spend your time – and that other highly-constrained resource in the UK’s NHS – your money.

Resource is always an issue within NHS trusts. Bottom line, it’s the public’s money, so trust managers have an absolute obligation to spend that resource as efficiently and effectively as possible.

We give them tools that can help them to do that. With our platform, it even shows if there are patches available that have been applied for the particular vulnerabilities their medical devised have – that’s an easy win for trust managers.

THQ:

Sure, being able to know which patch to use on what medical device would be an easy win for managers – but you have to have that visibility and that knowledge first.

KC-S:

Right. So with our platform, they can see “We’ve got 25 vulnerabilities, these 10 have been used in previous compromises, there are these patches available for those vulnerabilities.” Then they can export that information to the vendors, and get them to come and patch those particular medical devices with those particular patches.

That’s a huge chunk of managerial risk remediated, and it also saves the colossal cost impact of having to passively scan all medical devices in the trust first, then run a mitigation exercise.

The cost impacts of protecting medical devices.

THQ:

We were going to ask about cost impacts, but in another connection.

The UK’s NHS is national socialized healthcare, paid for on a model of payroll tax deduction. It’s literally, as well as sentimentally, “the people’s healthcare program.”

Right now, it’s had a year of nurses having to strike, having not had a pay rise in the best part of a decade. Paramedics have struck on a similar basis. Now “junior” doctors (everybody beneath the level of consultant” are having to strike to survive. That’s the level of resource-constraint we’re talking about.

So how do you go about persuading trusts that they need to commit resources to protecting the cybersecurity of their medical devices, when there are front-line care costs being consistently raised and questioned?

KC-S:

That’s an interesting question. From a mitigation perspective, we advocate to our NHS trusts by raising the fact that they’ll be using lots of disparate technologies. From an IT and cyber perspective, each of those technologies has an overhead. Each of those technologies and systems require management, a deployment configuration and the ongoing “feeding and watering” of these solutions.

By leveraging a single pane of glass solution that helps drive automation, and amalgamating lots of disparate solutions into that single pane of glass, you make things simpler and more effective.

That’s the key. That’s something we really need to drive home when we engage with trusts. A single pane of glass view, but we integrate with 66 different vendors today. We don’t just do that because we think it’s a good idea, we do that because it adds value. It adds value because we’re pulling in data feeds from those various different products that will be deployed across the trust.

But also, we’re driving automation through network access, control solutions, firewall solutions, endpoint detection and response, mobile device management, and other vulnerability management tools.

So again, pulling all the metrics from those different products into a single pane of glass view gives trust managers a true risk picture and risk score, so the entire organization can know about any infected devices, where they sit on the network, and where they shouldn’t be on certain VLANs if they are.

Ultimately, through those integrations, we can automate remediation of vulnerabilities and threats.

That means, for instance, you can run a DSPT (Data Security and Protection Toolkit) report about your connected devices in seconds, because we have that visibility, we have those devices on the platform.

THQ:

Unlike the current honor system approach to those reports?

KC-S:

Right. And it frees up resources, so people can go and do things that add value from a care perspective, which is what the NHS is there to do, right? To help healthcare professionals deliver value from a care perspective, while cybersecurity gets taken care of by those who have the expertise the service deserves.

Get the right protection, and your assets will be safe.