By David Clapp
The cybersecurity of healthcare needs intensive care. Against a backdrop of an ongoing pandemic and a volatile geopolitical landscape, healthcare systems must also adjust to the new normal of constant cyberattacks and data breaches. Digital transformation trends, such as the Internet of Things (IoT), the Internet of medical things (IoMT) and IT/operational technology (OT) convergence, have delivered on their promise to increase the efficacy of care, but they’ve also introduced new risks.
Healthcare organizations can remedy this situation with a modern network access control solution to deliver the benefits of network segmentation, zero-trust security, and a proactive vulnerability and risk management posture.
Healthcare breaches set a new record in 2021 and have been steadily increasing since 2015. Hacking is the primary type of these breaches. Likewise, a record-breaking number of software vulnerabilities are disclosed each year. Attackers exploit these vulnerabilities to enable remote code execution and denial of service attacks, so the correlation between an increase in vulnerabilities and an increase in healthcare breaches seems obvious.
Moreover, healthcare systems have become complex environments of a variety of Internet-connected medical devices, such as infusion pumps, patient monitors, and glucometers, as well as operational technologies, such as IP surveillance cameras, and heating and cooling systems. Cloud services, remote workers and third-party connections further complicate this environment.
The challenge here is multifaceted. Medical devices have become hyper-connected to IT networks, but IT tools were not designed for clinical networks, so most organizations lack visibility into these devices. Furthermore, medical devices tend to be the weakest link because they lack native security controls and frequently require insecure legacy systems to operate. And, to top it all off, there is a cybersecurity skills shortage that has left healthcare systems without experienced cybersecurity professionals to address these risks.
Both the Biden administration and the U.S. FDA are championing the use of a “software bill of materials,” or SBOM, to help illuminate vulnerability blind spots. Essentially, a SBOM provides an ingredients list of software components so that organizations can more easily identify vulnerabilities in IT systems. However, a SBOM is not a silver bullet—particularly in IoT, IoMT, and OT environments. You can’t secure what you can’t see. A SBOM is only effective if an organization can inventory their assets across all vendors, products, and versions to make meaningful decisions when new vulnerabilities are detected.
Ransomware Attacks Exploit a Lack of Insight
When it comes to defending against ransomware attacks, organizations need to prevent lateral movement. For example, a typical ransomware attack might begin by harvesting credentials from a phishing email or malware. From this initial access, the attacker will subsequently use a variety of automated tools to identify other vulnerable, unpatched, or unmanaged devices and users. Ultimately, attackers look for lateral movements toward critical systems and devices, so that they can take control of the network or steal sensitive information for ransom.
The harsh reality is that attackers frequently have greater visibility into vulnerable devices than the organizations that own and manage them. Therefore, healthcare organizations should take these three steps to even the playing field:
- Discover: Create an inventory of all assets on the network and identify their function and role within the business.
- Assess: Understand the compliance state of assets, such as missing or stopped antivirus or data loss prevention services. Understand the risk of your assets in a prioritized manner. This consists of elements like vulnerabilities, Indicators of Compromise, and known malicious communications.
- Govern: Prioritize remediations, access restrictions, and blocked devices to reduce your risk and limit any damage.
Of course, like much of preventative medicine, these best practices may be easier said than done. One gap that healthcare organizations should keep in mind is that if they’re only applying this process to their known and managed devices, then they’re still vulnerable and exposed to a variety of unmanaged devices that could be connected to their environment.
Modernize Your Network Access Control
Traditional network access control looks at assets from an on/off state, leveraging authentication as the critical decision point. This leaves unmanaged assets relinquished to a simple, one-dimensional allow list. Today’s problems require a more modern access control solution.
One technology that helps to reduce your risk and prepare for attacks by minimizing their impact is Forescout’s Modern NAC, or network access control. Specifically, Modern NAC enables organizations to identify gaps by building a comprehensive inventory with the context and insight to prioritize vulnerabilities on critical devices.
When organizations first deploy a network access control solution, their goals tend to focus on the simple “allow–deny” process, which is often linked to identity such as username and password or certificates. If devices do not have credentials or the ability to hold certificates, they are placed on an allow/block list. For example, IoT devices may be denied from connecting to the Internet.
Technologies such as Modern NAC allow organizations to approach problems in different ways, which can help reduce the user experience and business disruption. With the ability to discover and assess assets across all types, business can help segment their network. Moreover, technologies like Modern NAC can be used to visualize traffic flows, group devices by business context, and map ports and protocols to these device groups so that more granular rules can be applied. For example, if an IoT device exhibits potentially malicious behavior, then it can be quarantined. This can also be drilled down further into specific device types or vendors.
It Takes a Team
One final caveat for security professionals that are interested in addressing the newfound risks of digital transformation via network access control is that they cannot do it alone. The rise of IoT, IoMT and IT/OT convergence requires partnerships between chief security officers, chief information officers, and chief medical officers.
When vulnerable devices are exposed on a network, organizations leave themselves vulnerable to attack. Reducing this risk requires an inventory of devices, patching their vulnerabilities, detecting threats, and evolving into context driven segmentation. A modern network access control can provide the visibility, understanding, and control around these risks that organizations need to thwart a breach.
David Clapp is senior sales engineer at Forescout. Questions and comments can be directed to 24×7 Magazine chief editor Keri Forsythe-Stephens at [email protected].