Zero Trust Is Now a Healthcare Must: HIMSS 2022 Takeaways
On the heels of a record-breaking year for reported healthcare data breaches in the U.S., last week’s return to HIMSS, the world’s largest healthcare conference, came at a pivotal time for the industry.
The center of the show was dominated by the usual mix of high-tech, high-value booths showing the latest aids to patient care, from image management to PACS and automated patient workflow systems. The transition to Industry 4.0 technologies in the healthcare market is becoming mainstream as systems are more interconnected and access to those systems is required in more places.
At one end of the cavernous hall was the Cybersecurity Command Center, a focal point for security practitioners in healthcare, featuring cutting-edge vendors and education sessions examining the latest security topics and trends.
Conversations with conference attendees made one thing clear: the pace of change in deploying new systems was not being matched by the required investment in cybersecurity.
The challenges we heard most often were:
- The pace of implementation of new technology
- Protection for medical equipment
- Maintaining system availability
- Technology sprawl
- Ransomware attacks
On the positive side, the sensible choice that many teams are taking is to build a Zero Trust strategy. In the education theaters, any session on Zero Trust was well attended.
The great thing about a Zero Trust approach to security is that it can be independent of any infrastructure — which addresses a major challenge of implementing new technology. The process of identifying key assets and then compartmentalizing the resources that make up that system will work regardless of whether it is a finance application or bedside cart. Equally, Zero Trust is independent of location, so it does not matter if what you are protecting is in a patient’s room or in the cloud.
Here are some simple steps that any healthcare organization can take to easily begin adopting Zero Trust:
- Identify the systems and assets that you need to protect. Identify the systems that need to communicate and those that don’t. Even though the current trend is hyper-connectivity, it is unlikely that an MRI scanner needs direct communication with the HR system. Mapping the connections between applications, data and medical assets will help to visualize which components make up each system. Seeing communications will help you identify which scanners, terminals, databases and applications make up the image management system. From here, you can highlight where any restrictions need to be introduced to control the flow of data and, by default, the lateral movement of any ransomware.
- Identify potential risks that exist within your infrastructure. All systems carry some vulnerabilities which could be due to patches yet to be applied or undiscovered security holes. Knowing what other resources your systems are connected to is key to understanding the risk that these vulnerabilities represent. Using a combination of vulnerability scanning, threat information and connectivity data, a contextual view can be created highlighting where restrictions must be applied.
- Apply the optimal security policies. Once you have identified which components make up a system and determined the risk, now is the time to compartmentalize the systems from each other to stop the potential spread of an attack. One of the roadblocks in trying to compartmentalize or segment any environment is the need to re-engineer the network. Applying segmentation at the system level where it is decoupled from any underlying infrastructure removes any need for changes in the network. By easily segmenting applications, medical devices and other systems, the availability of key assets can be maintained even while under attack.
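The three steps above can be sketched over flow data, as an added example that is not from the original article or from any vendor's product. The asset names, flows and finding counts are constructed, and the exposure score (open findings multiplied by distinct inbound peers) is an assumed, deliberately simple heuristic.

```python
from collections import defaultdict

# Constructed sample data: asset -> system label (step 1 output).
ASSETS = {
    "mri-01": "imaging", "pacs-db": "imaging", "rad-ws-07": "imaging",
    "hr-app": "hr", "hr-db": "hr", "pump-12": "infusion", "pump-gw": "infusion",
}
# Constructed observed flows: (source, destination, destination port).
FLOWS = [
    ("mri-01", "pacs-db", 104), ("rad-ws-07", "pacs-db", 443),
    ("hr-app", "hr-db", 5432), ("pump-12", "pump-gw", 8443),
    ("hr-app", "mri-01", 445),    # HR system reaching a scanner
    ("rad-ws-07", "pump-12", 23), # workstation reaching a pump
    ("cam-99", "pacs-db", 104),   # unlabeled device, not in ASSETS
]
# Constructed scanner output: asset -> number of open findings.
OPEN_VULNS = {"mri-01": 3, "pump-12": 1, "hr-app": 2}
# Assumed business decision: (source system, destination system) pairs
# explicitly approved to communicate. Empty here.
APPROVED = set()

def split_flows(flows, assets, approved):
    """Steps 1 and 3: keep flows inside one system or on the approved list;
    everything else, including flows touching unlabeled assets, is denied."""
    allowed, blocked = [], []
    for src, dst, port in flows:
        s, d = assets.get(src), assets.get(dst)
        unlabeled = s is None or d is None
        if unlabeled or (s != d and (s, d) not in approved):
            blocked.append((src, dst, port))
        else:
            allowed.append((src, dst, port))
    return allowed, blocked

def exposure_ranking(flows, vulns):
    """Step 2: rank vulnerable assets by findings x distinct inbound peers."""
    peers = defaultdict(set)
    for src, dst, _ in flows:
        peers[dst].add(src)
    scores = {a: n * len(peers[a]) for a, n in vulns.items() if peers[a]}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    allowed, blocked = split_flows(FLOWS, ASSETS, APPROVED)
    print("exposure before:", exposure_ranking(FLOWS, OPEN_VULNS))
    print("blocked flows:  ", blocked)
    print("exposure after: ", exposure_ranking(allowed, OPEN_VULNS))
```

Comparing the ranking before and after the allowlist shows which vulnerable assets stop being reachable once cross-system flows are denied by default.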
While these steps make Zero Trust practical and achievable, securing the whole healthcare infrastructure is becoming increasingly difficult as many new medical devices do not act the same way as an IT device. If an asset, like a bedside cart, is powered by a Windows-based system, it is relatively easy to gather information on how it is working and the ways it can communicate. However, if the device is a pump, it will work in a slightly different way. It will not respond to the same commands and will not respond in the same way.
This challenge makes it difficult to visualize the interaction between traditional IT systems and medical IoT. To address this issue, Illumio has partnered with Cylera to bring the two environments together in a simple way. One of the many things that Cylera does is to gather information and metadata on medical IoT devices. This data can be imported into Illumio Core and all assets are displayed on a map in a single view.
This provides a very simple view of the entire medical system and shows the interaction between various medical systems. Using this process, you will be able to determine which communication should be allowed and what should be stopped.
From the map, Zero Trust policies can be easily applied with a single click of the mouse — making the process of deploying a Zero Trust strategy across the entire healthcare infrastructure, regardless of asset type or location, much simpler.