Armis for Healthcare: Pivoting the Approach to Vulnerability Management

By Sumit Sehgal, Strategic Product Marketing Director

The Fundamentals

Ever since the inception of information security as a technical discipline over 2 decades ago, there has been a constant focus on the importance of asset management and device identification. Vulnerability management as a practice has since been used as a method of mapping the output of information security technology to define the risk priorities for organizations. Fast forward to today where risk frameworks, elastic computing, software defined innovations to enterprise IT and integrated consumer technology are creating a disruption in the way we have traditionally sought to deal with this topic.

In the healthcare industry, we are faced with a situation where the vulnerability of a device not only influences the security risk, it can have an impact on continuity of operations, clinical decision support and ultimately the safety of care delivery. The ecosystem utilized to support the care a person receives extends far beyond the integrated medical devices for e.g. smart cameras with thermal imaging icu’s, microphones for automated voice transcriptions into the electronic Health Records, robotics used for environmental services and meal delivery etc. These examples showcase the need for vulnerability management as a practice to extend beyond the traditional IT workflows and pull in data that can be helpful for operations teams such as biomed / clinical engineering, clinical informatics, facilities management etc.

The resulting confluence of innovations to care practices together with our reliance on high fidelity data to make appropriate clinical decisions has had implications for how we architect the processes and technology for vulnerability management. Traditional approaches to identify vulnerabilities such as active scanning, operating system fingerprinting and application payloads are no longer enough as they are largely focussed towards standard enterprise IT architectures. The device landscape extends far beyond that and presents the following challenges that existing technologies do not address:

Pivoting Our Approach

In order to transition from the legacy approach to a continuous monitoring style methodology of vulnerability management, we need to understand how we can take advantage of the capabilities that exist in legacy platforms such as:

• Device Identification
• Operating System and Software profiling
• Threat and vulnerability data

Along with innovations with new approaches that take into account:

• Network Behavior
• Communication methodology (peer to peer/airspace eg. z-wave)
• Real time passive event based vs scheduled scanning
• Utilization data
• Baselined device behavioral telemetry

Utilizing these approaches allows for creation of an architecture that takes into account not only the technology footprint but also the workflow impacts in an operational setting. This is critical in the healthcare industry, as operational environments such as biomed / clinical engineering often consist of devices ranging from 30 year old lab monitoring equipment all the way to latest imaging modalities. As the next step, when you take into account the role that building management systems play in an healthcare environment (such as water management systems), it becomes clear that vulnerability management is no longer just a security tool kit, but an essential component of continuity of operations.

In order to improve continuity of operations, the success criteria of a next generation vulnerability management process looks like this:

Advancements in security technology now provide the ability to be able to articulate not only what the threat profile is for a particular device that is present in the environment, it also provides:

• View into upstream and downstream data flows
• Context for transient devices that dont connect to the enterprise network
• Device telemetry when utilizing airspace technologies 
• View into customized data protocols to as part of behavioral mapping

These pieces are important as they often translate to important workflow and clinical context needed when prioritizing incidents as they help to articulate risk to patient safety, device availability and the ability to deliver the right care at the right time.

Another tangible effect this approach has is on the operational efficiency and cost. As the data involved in the risk prioritization has already been contextualized with the appropriate relevance in terms of organizational nuances (both from a technology & workflow perspective), the confidence of identified priorities is high and that leads to significant decrease in incident response times and efficiencies in cost management in terms of device and asset inventories.

Conclusion

Risk management is a complex topic for healthcare organizations. In order to achieve better cohesion between Information Security Risk and Clinical Risk, we as an industry need to move towards adopting the recommendations and practices outlined here. As a result of which, start to gain momentum to eventually reduce the impact of a security incident that manifests itself as an undesired outcome to clinical safety.

We at Armis, believe in this mission and are committed to helping our healthcare customers realize the vision where information security is an organic extension of the clinical risk management process. Our whitepaper Vaccinating Vulnerabilities for Medical Devices offers a deeper view on how organizations can avoid pitfalls of traditional vulnerability management processes as they innovate their Health IT practices for the future.

If you’d like to see a short demo of how the Armis platform can help you address your Medical Device Security, please click here.