The healthcare industry has seen a flood of new medical devices enter its facilities with the explosion of the Internet of Things (IoT). This innovation has created a huge opportunity to improve medical care and patient wellness. IoT devices include implantable technology, such as pacemakers, as well as external devices, such as infusion pumps, heart monitors, and scanning equipment. Hospitals and healthcare facilities have hundreds to thousands of these devices within their facilities, often unmonitored or unmanaged.
Unfortunately, these IoT devices provide prime opportunities for hackers to do their worst, including theft of patient data, ransomware, and even potentially compromised patient safety. Healthcare IT leaders are faced with the predicament of safeguarding their network while providing the care their patients require through seamless interaction and uptime of all devices.
Scalability and Automation
In an average hospital, there are typically several networked medical devices for each bed. Multiply that by the number of beds, add in other pieces of equipment such as MRI, CT, and X-ray systems, and you see that the number of IoT medical devices and systems can become quite large; much larger, in fact, than the number of laptops, PCs, and mobile devices used by caregivers and administrators.
Managing access to and monitoring these IoT devices requires a solution that can scale and automate network-based administrative and management tasks. With the sheer numbers of connected devices, the network must be smart enough to automate secure connectivity. Aruba, a Hewlett Packard Enterprise company, provides comprehensive network management solutions that deliver the robustness, intelligence, and automation to secure medical-grade IT networks.
Securing IoT Endpoints in Healthcare
One of the first steps to gain control of the IoT network in your healthcare facility is to secure the endpoints. This goes beyond traditional endpoint protection for PCs, laptops, and tablets, because unsecured medical IoT devices present a much greater exposure risk. Using comprehensive network device monitoring tools in combination with a sound network access policy management system, such as Aruba ClearPass, helps you get control of your IoT network and feel confident in its security. These are five critical steps in securing your IoT endpoints:
- Simplify Device Management. Medical IoT devices can be onboarded in a variety of ways, including 802.1X authentication with RADIUS, MAC authentication, agents, and MAC plus 802.1X or captive portal. Making sure that your system tracks all of these entry points greatly simplifies manual tracking and the device onboarding process.
- “Fingerprint” the Devices. In basic terms, this means collecting information from the IoT device, such as IP address, MAC address, and any other characteristics, to help network managers understand what normal behavior is for that device. This is a crucial step in the discovery of breaches, as any aberration from normal behavior could indicate malicious activity.
- Profile the Devices. After going through the discovery and fingerprinting process, a good practice is to profile the devices so they can be classified. Contextual data (device attributes such as name, type of device, IP address, MAC address, etc.) is gathered using network-based collectors. Once all the contextual data is collected, a profile is created for the device, which is used as the basis for policy management. Device data is continuously checked against the profile, so if deviations occur (e.g., a medical device starts to look like a printer), the device can be removed from the network.
- Create a Policy. A policy is only as good as the data used to build it and the tool used to enforce it. Find a tool that provides policy automation to effectively manage the scale of workflows required in a high-volume IoT environment. Policies should be managed so that as new devices are added, they are profiled and placed in the correct zone. This gives your organization tight control over how devices operate and communicate, resulting in better containment of threats when they emerge.
- Monitor and Analyze Traffic. Make sure that you can automate information gathering from several sources and then analyze that data for odd behavior. Why? You need to be able to quickly identify devices to be removed from the network or quarantined before they cause an issue. For example, a medical device attempting to communicate with an accounting server could indicate a breach. When unusual traffic is discovered, network management solutions like Aruba ClearPass can automate disconnection of the device from the network, minimizing the damage.
Secure Segmentation Is Crucial
A critical part of any plan to secure your IoT endpoints is segmentation:
- Securely Partition Traffic. At a high level, to prevent intruders from moving laterally across the network once they breach it, applications and services should be securely isolated from each other. For example, the network that delivers MRI data to the patient EHR database should be isolated from the network that supports connectivity between the payment card system and the backend financial systems. Guest Wi-Fi should be securely segmented from the network caregivers use to administer and manage care.
- Elastic Connectivity. The concept here is to provide access and services to devices only when specifically required and authorized. Network access is available only for the duration of the session and is then retracted from the edge, to reduce exposure.
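The five endpoint steps and the segmentation section describe one workflow: profile a device, place it in a zone, then compare what it actually does against its fingerprint and the zone policy, quarantining anything that deviates. The Python below is an added illustration of that workflow, not Aruba or ClearPass code; the zones, address prefixes, MAC addresses, port sets and flow records are all constructed, and the examples mirror the two deviations the text names (a medical device talking to an accounting server, and a medical device that starts to look like a printer).

```python
from typing import Dict, List, Set, Tuple
# Hypothetical segmentation matrix: (source zone, destination zone) pairs that may talk; all else is denied.
ALLOWED_FLOWS: Set[Tuple[str, str]] = {
    ("imaging", "clinical-records"),   # MRI results into the EHR database
    ("infusion", "clinical-records"),  # pump telemetry into the EHR database
    ("payments", "finance"),           # card terminals to back-end finance systems
    ("guest", "internet"),
}
# Hypothetical destination-prefix to zone mapping (constructed addressing).
ZONE_OF_PREFIX = {"10.10.": "clinical-records", "10.20.": "finance",
                  "10.30.": "imaging", "10.99.": "printers"}
# Constructed profiles keyed by placeholder MAC: (device type, zone, destination ports the fingerprint calls normal).
PROFILES: Dict[str, Tuple[str, str, Set[int]]] = {
    "00:11:22:33:44:01": ("infusion-pump", "infusion", {443, 5000}),
    "00:11:22:33:44:02": ("mri-scanner", "imaging", {104, 443}),  # 104 = DICOM
}

def zone_for_ip(ip: str) -> str:
    for prefix, zone in ZONE_OF_PREFIX.items():
        if ip.startswith(prefix):
            return zone
    return "unknown"

def evaluate_flow(src_mac: str, dst_ip: str, dst_port: int) -> List[str]:
    """Policy findings for one observed flow; an empty list means normal behaviour."""
    if src_mac not in PROFILES:
        return ["unprofiled device"]            # never onboarded, nothing to compare against
    dev_type, src_zone, ports = PROFILES[src_mac]
    findings, dst_zone = [], zone_for_ip(dst_ip)
    if (src_zone, dst_zone) not in ALLOWED_FLOWS:
        findings.append(f"cross-zone {src_zone}->{dst_zone}")
    if dst_port not in ports:
        findings.append(f"port {dst_port} outside {dev_type} fingerprint")
    return findings

def devices_to_quarantine(flows) -> Dict[str, List[str]]:
    """Aggregate findings per device; any finding is grounds for removal from the network."""
    verdicts: Dict[str, List[str]] = {}
    for src_mac, dst_ip, dst_port in flows:
        if hits := evaluate_flow(src_mac, dst_ip, dst_port):
            verdicts.setdefault(src_mac, []).extend(hits)
    return verdicts

# Constructed flow records: (source MAC, destination IP, destination port).
SAMPLE_FLOWS = [
    ("00:11:22:33:44:01", "10.10.0.5", 443),   # pump -> EHR database: normal
    ("00:11:22:33:44:01", "10.20.0.9", 445),   # pump -> accounting server over SMB
    ("00:11:22:33:44:02", "10.99.0.3", 9100),  # MRI talking like a printer
    ("de:ad:be:ef:00:01", "10.10.0.5", 443),   # device nobody onboarded
]
```

Running `devices_to_quarantine(SAMPLE_FLOWS)` returns findings for the pump, the MRI scanner and the unprofiled device, while the pump's normal flow to the EHR database produces none.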
IoT security in healthcare devices may seem daunting, but with these guidelines you’ll be well on your way to reducing the risk that patient data is compromised or that life-supporting equipment is locked down for lack of proper controls.
To learn more about how American Digital and Aruba network policy management solutions can help you safeguard your healthcare network, contact us.