Armis for Healthcare, Part 2: Healthcare Device Risk Management

By Sumit Sehgal, Strategic Product Marketing Director

One of the reasons information security risk is difficult to articulate when aligning to healthcare organizational risk is that depending upon the audience, a qualitative vs quantitative metric has varied weighting criteria based on historical workflow, cost and organizational culture. To help baseline this process, a comprehensive standards-based device and asset management approach is needed which I outlined in Part 1 of this blog series.  

In my experience, using high confidence data to help illustrate device and identity context can help with the following relationships in healthcare risk management: 

Post pandemic, healthcare organizations both on the provider and the device manufacturer side have had to adapt to new ways for clinical care that challenge the existing architecture designs utilized by IT in order to enable the care delivery process. As a result, the need for, and reliance upon automated, scalable, cloud-based platforms and their associated device ecosystems has forced the industry to rethink how risk is calculated from a security perspective along with its impact on operations. 

Cybersecurity attacks that exploit these delicate and often complex integrations amongst digital clinical workflows have had significant impacts on operations, revenue, and safety regardless of the size and location of a healthcare organization. Collaborative efforts within this space over the past 4 years have improved how we detect these threats. Where we need to focus now is, how to align the response to an integrated methodology that takes into account:

• Device behavioral data
• Threat intelligence contextualized based on vulnerability data
• Network and cloud (IaaS/Integrated SaaS) utilization analytics
• Location & workflow-based device usage reporting
• Open standards-based interoperability for data sharing between analytical and orchestration platforms
• Aligning Security operations frameworks to their continuity of operations and emergency management counterparts. 

Utilizing this methodology can help to more closely link the security processes to operations, thereby increasing the effectiveness of the response strategy while also decreasing alert fatigue and responder burnout. 

The Risk Management Discipline of the Armis Platform

The Armis approach to help improve risk management for healthcare organizations starts with visibility into all devices, creating and maintaining a comprehensive inventory, and having insights into asset and device behaviors. Ongoing continuous analysis of every device touching the network to assess for risks and identify actual threats provides both a defensive position and the ability to initiate remediation action in response to deviations from baseline behavior.  

Our white paper, Armis Use Cases for Healthcare, offers a more comprehensive look at the broad array of use cases for healthcare, but at a high level, the value of our solution to help with device risk is as follows: 

• Risk assessment and segmentation for medical devices and assets
• Network Performance and analytics
• Risk scoring & visualization

These data elements are then collectively analyzed to provide a prioritized list of incidents that security & operations teams can triage and adjust their response workflows. Keeping in mind the integrated device ecosystems in use to support the delivery of care, the Armis platform performs these risk functions with an agentless and passive architecture. 

Our Approach to Risk Scoring

Armis generates a risk score and status for every device that touches the network. Scores are based on the assessment categories and device attributes as outlined earlier. Some examples include: 

• Attack surface exposure & boundary evasion
• Cloud service access & connection-level security posture
• Third-party application repository access
• Malicious domain access & user credential misuse
• Data-at-rest security & Certificate reuse 
• Manufacturer reputation, device model reputation, software version & vulnerability history

Value of Network Performance and Analytics

Networks ebb and flow in their behavior, and Armis detects and alerts to situations where network performance may be degraded that can manifest in service interruptions, which cause delays in the ability of devices to deliver critical treatment and services, potentially impacting care delivery. The cause of these network changes may come from a variety of sources, which the Armis platform assesses in order to determine if the issues are solely performance-based or if they are the result of an attack. 

Conclusion

In summary, healthcare device risk management, while being a complex exercise, has evolved with appropriately aligned security architecture.  The result of which is now able to be integrated to not only improve the security posture but also to have a material impact on reducing operating expenses and offer improvements to the delivery of care.  In the next blog in this series, I will be discussing how clinical engineering/facility operational workflows have an impact on security, especially when expanding the scope from just medical devices to other OT platforms as well. 

If you’d like to see a short demo of how the Armis platform can help you address your Medical Device Security, please click here.