Ever since the inception of information security as a technical discipline over 2 decades ago, there has been a constant focus on the importance of asset management and device identification. Vulnerability management as a practice has since been used as a method of mapping the output of information security technology to define the risk priorities for organisations. Fast forward to today where risk frameworks, elastic computing, software defined innovations to enterprise IT and integrated consumer technology are creating a disruption in the way we have traditionally sought to deal with this topic.
In the healthcare industry, we are faced with a situation where the vulnerability of a device not only influences the security risk, it can have an impact on continuity of operations, clinical decision support and ultimately the safety of care delivery. The ecosystem utilised to support the care a person receives extends far beyond the integrated medical devices; for example, smart cameras with thermal imaging ICUs, microphones for automated voice transcriptions into the electronic Health Records, robotics used for environmental services and meal delivery etc. These examples showcase the need for vulnerability management as a practice to extend beyond the traditional IT workflows and pull in data that can be helpful for operations teams such as biomed / clinical engineering, clinical informatics, facilities management etc.
The resulting confluence of innovations to care practices, together with our reliance on high fidelity data to make appropriate clinical decisions has had implications for how we architect the processes and technology for vulnerability management. Traditional approaches to identify vulnerabilities such as active scanning, operating system fingerprinting and application payloads are no longer enough as they are largely focussed toward standard enterprise IT architectures. The device landscape extends far beyond that and presents the following challenges that existing technologies do not address:
Pivoting the Approach
In order to transition from the legacy approach to a continuous monitoring style methodology of vulnerability management, we need to understand how we can take advantage of the capabilities that exist in legacy platforms such as device identification, Operating System and software profiling as well as threat and vulnerability data. And we also need to consider these in tandem with innovations in new approaches that take into account network behaviour, communication methodology (peer to peer/airspace eg. z-wave), real-time passive event based vs scheduled scanning, utiliaation data and baselined device behavioural telemetry.
Using these approaches allows for creation of an architecture that takes into account not only the technology footprint but also the workflow impacts in an operational setting. This is critical in the healthcare industry, as operational environments such as biomed / clinical engineering often consist of devices ranging from 30 year old lab monitoring equipment all the way to latest imaging modalities. As the next step, when you take into account the role that building management systems play in a healthcare environment (such as water management systems), it becomes clear that vulnerability management is no longer just a security tool kit, but an essential component of continuity of operations.
In order to improve continuity of operations, the success criteria of a next generation vulnerability management process looks like this:
Advancements in security technology now provide the ability to be able to articulate not only what the threat profile is for a particular device that is present in the environment, it also provides a view into upstream and downstream data flows, context for transient devices that don’t connect to the enterprise network, device telemetry when utilising airspace technologies and a view into customised data protocols as part of behavioural mapping.
These pieces are important as they often translate to important workflow and clinical context needed when prioritising incidents as they help to articulate risk to patient safety, device availability and the ability to deliver the right care at the right time.
Another tangible effect this approach has is on the operational efficiency and cost. As the data involved in the risk prioritisation has already been contextualised with the appropriate relevance in terms of organisational nuances (both from a technology & workflow perspective), the confidence of identified priorities is high and that leads to significant decrease in incident response times and efficiencies in cost management in terms of device and asset inventories.
Risk management is a complex topic for healthcare organisations. In order to achieve better cohesion between Information Security Risk and Clinical Risk, we as an industry need to move towards adopting the recommendations and practices outlined here. Only then can we start to gain momentum to eventually reduce the impact of a security incident that manifests itself as an undesired outcome to clinical safety.
Author: Sumit Sehgal from Armis.