
A Stronger Future with Legacy Technology - Building a Strategy by Ty Greenhalgh & Skip Sorrels.

If you missed the live session, don't miss the session recording as it covers:

The Healthcare Sector Coordinating Council (HSCC) has recently released Health Industry Cybersecurity – Managing Legacy Technology Security (HIC-MaLTS), which defines the shared responsibilities and tasks for mitigating risk for currently installed devices, and those in development. Developed over 2 years by a team of 67 experts, it provides Insights, Challenges and Recommendations for how MDMs and HDOs can develop their own strategies while increasing effective communication between themselves.

In this session you will learn:
o What is HIC-MaLTS?
o Who should use it?
o The 4 Core Pillars.
o How to address the common legacy cyber risk management challenges?
o What is the “Responsibility Transfer Framework”?
o Recommendations for Patching and Lifecycle Management

A C C E

10 months ago

We are one minute past 12, so let's get started. Again, thank you everybody for joining today's ACCE educational webinar series edition focused on cybersecurity risk with legacy technologies. The title of today's session is "A Stronger Future with Legacy Technology: Building a Strategy." A great team sharing insights and information to you today. Next slide. ACCE greatly acknowledges the sponsorship of this webinar by Medigate, and my name is Juuso Leinonen. I will be your moderator
for today's session. I'm a principal project engineer at ECRI and represent the ACCE education committee. Just a couple of logistics items before I turn it over to our presenters today. Everybody has their microphones muted for the duration of the presentation, but we definitely want to hear from you. Please do add your questions and comments in the Q&A function on Zoom. Our team would reserve some time at the end of the presentation to address those questions. If you have any other thoughts or comments, please feel free to use the chat feature, especially if you have any issues with audio, etc. And finally, definitely do rate and provide an evaluation of your thoughts about this webinar. At the end of the presentation we'll provide you a link to do this. But without further ado, I'm going to pass it on to our team of speakers today. Again, Ty and Skip, thank you so much for joining us and sharing our insights with the ACCE community.

Thank you, thank you, thank you very much. We're delighted to be here. So my background, real brief, I mean this is way too much here, but I am the industry principal for Claroty. I've been in healthcare technology for about 30 years and I participate on the 405(d) task group that has produced the Healthcare Industry Cybersecurity Practices as well as the document we're going to be covering today. I was very honored to even be a part of that group, some great people; we'll talk a little bit more about that in just a second. But Skip, I think that we're really going to be leveraging the real-world experience from you and the journey you've been on today. Can you just take a little bit more time, before we jump into the document and how the different sections apply to real-world activities, rubber-meets-the-road stuff, let people understand what your journey's been so they can appreciate the answers that you're going to be providing?

Sure, Ty, thank you. Thanks for having us. I'll go all the way back. My degree is actually in nursing and I was an ICU trauma nurse for many years and got the bug when the dot-com craze came around and jumped over into technology, went to work for Dell, spent many a year working on accounts for the DoD and the state and local government as a solutions architect, and that afforded me an opportunity ultimately to work as a vendor to Ascension and ultimately join the Ascension team five years ago as a director, one of the directors of cyber security. So I'm back in healthcare, which I love. I get to draw upon that experience, and when I joined this team we did not have a medical or biomedical security practice, and that was one of the charters I was given, was to create and develop and build that. And so this journey's been about five years in the making. So a lot has changed, lots will continue to change, and we've been right in the middle of it. It's actually exciting times and things appear to be progressing in a much better fashion. Our space, healthcare, has lagged behind all of the other industry sectors by quite a bit in terms of cyber security posture, controls, and a focus on that discipline.

You have quite a resume there, Skip. I think one of the things that I always think is wonderful is when you start talking about when you started this journey, that you were looking for solutions to help you with the medical devices and you ran across the company Claroty.

Yeah, that was the first company that I found in my research that had deep packet inspection capabilities, albeit at the time primarily focused on industrial controls, which is what a lot of us now refer to as operational technology. So HVAC systems, power plants, power grids, elevators, water supply, all of those things that control the infrastructure of this United States is where their focus was, and
at the same time the scene started happening, in the fact that there were other technology companies coming out and had developed deep packet inspection capabilities that could identify assets, fingerprint them on the network, and provide visibility that we hadn't had before. Long and the short of it, we ended up on the Medigate platform and have been involved with Medigate prior to their acquisition. So when I learned that this acquisition and partnership was being created, I was very excited, because now I had the best of both worlds in my mind, knowing what I knew about Claroty and following over the years and being engaged with Medigate and helping focus on their product development as well as our own environment's development. So it's been a really interesting journey.

Yeah, I think it's been a great marriage for us. So we have the session description here; you can read that online. The agenda real quick: we've got what is HIC-MaLTS, what is this new publication, Managing Legacy Technology Security for health care. Well, it's got four pillars in it; we're going to review those a little bit, into the cyber risk management challenges, what is a responsibility transfer framework, what does that really even mean, and then the patching life cycle management. And this is only a portion of the document, so ultimately we want you to get this document and download it and read it. There's a lot of good information, but this is probably as much as we can cover from a content perspective in one session. We talked about Claroty, just kind of the shameless plug on who we are and what we do. I'll do that real quick. But basically we've been best in class three years in a row, and a lot of that is basically what Skip was talking about, deep packet inspection, where we actually come in and do device discovery, and
that device discovery is a passive network monitoring type of discovery, and we're reading the packets of information. A lot of vendors out there try to use machine learning and AI to do that, and while that's okay, really that technology is best suited for natural language processing, like ChatGPT. What we use is deep packet inspection, where we actually have to write the parsers to go in and read the entire packet, which gives us a ton more data, and visibility is
everything. Hopefully you'll understand that by the time this presentation is done. So we get a great deal of visibility on the devices, and then in pink, those are really what we do with them. We're able to tell what devices have risk, the criticality of what the vulnerabilities are to those devices, and help you manage those; managing the network monitoring; segmentation, how do you protect those devices in a segment from other devices talking to them on the network; threat detection as an early detection; device management, just maybe passing the information over to a CMMS so you get all this data on not only the security but also the utilization information, which is important when you start getting into capital planning, which a lot of people don't even understand that we support; and then life cycle management, for whether you're procuring the device or disposing it; and then just an intelligence on the overall device in its life cycle. But down at the bottom you'll see that we do all the different device types. As Skip was saying, Claroty was great at building management systems, where we, Medigate, always focused on health care, and so we are three years running the best in the industry on health care for this technology. So with that, kind of jumping in here, there's a lot of regulation and legislation going on. Just to kind of frame from a high level what's going on and how that even applies to Medigate, you can see I made a column there for our functions, but then across the top there's a number of different initiatives at a national level, where the 405(d) is really, if you think about it, a best practice for cyber security for hospitals. If you haven't looked up that document, you can just look up Healthcare Industry Cybersecurity Practices, or "hiccup" as we like to call it, HICP, and it's got
a whole section in there on medical device security. There's a new update coming out on March the 28th. The bad guys keep on advancing their techniques and tricks, and so we need to update that document as well. March 28th is a new version of that coming out, a whole lot to be said about medical device security. And now Warner, Senator Warner, came out with a document basically talking about what's probably going to be legislation coming soon, called "Cybersecurity is Patient Safety," and so we aligned to a lot of those sections. So he has a lot to say about medical devices, maybe an incentive program coming out. HIC-MaLTS is the document we're going to talk about today. The FDA has postmarket guidance, but with the PATCH Act being passed in the omnibus bill, that gave the FDA new powers back in December. The FDA is now going to be talking about requiring from medical manufacturers an SBOM. They're also going to be requiring updating and patching and better life cycle management, and the idea is probably the guidance that they've been putting out on that is really what the rulemaking is going to end up looking like. So we play in all those areas. So, Skip, I'll turn it over to you here. How do you see this environment, and how is this affecting your business, and how are you paying attention to it,
what does it mean to you?

Well, I think first of all I like to try to dissuade people from grouping medical device into its own category and to think that it's a foreign, scary thing. It's still technology. It serves a specific purpose, no different than a server or workstation. So looking at it through that lens, you then say, what are the traditional cyber security frameworks and controls that you want to apply to those systems, to that ecosystem? And then when you start to look at each of the various documents here and where they're going, they all reaffirm that approach, speaking specifically again to the med device space and more to the accountability not only of the healthcare delivery organizations, which we're going to talk about in HIC-MaLTS, and probably we're going to see a lot of it, Warner, coming up, but also for the med device manufacturers. And that's where that PATCH Act is really going to be interesting, when we start to understand
the amount of rigor or accountability that the FDA will actually apply to the manufacturers and what it will mean in the long term for us and them in terms of improving that methodology, which in some cases is quite lax, and in others there's vendors that do a great job at it already. But all the categories down the left are everything that we have to understand. If we think about our CIS controls, which is a function of the NIST framework, control number one is inventory, asset inventory. Everything starts with understanding what you have and being able to evaluate it. From there you can build software inventory, and ultimately you get to vulnerability management, which is CIS control three. The network protection and all of the other categories fall within the life cycle of that device, and if we're not cognizant of versions of firmware, versions of operating systems, we're not patching those things, we're leaving those systems vulnerable. A very large environment, most of the time
interconnected, in that environment it poses an additional threat surface or vector to the overall hospital, clinic, or whatever, you know, call the building or organization.

Some really, really great points. Awesome. So the HIC-MaLTS document, jumping into it, it's been two years in development and it's part of an ongoing series of documents that the Healthcare Sector Coordinating Council has put out. We'll have a resource page at the end with some links, so make sure you get this,
get this presentation; you have a lot of links in here. But you can just search HIC-MaLTS. I'm not sure there's a lot of other Google searches that are gonna hit there with that name. But the individuals running this group, just some stellar people, just brilliant people, like Jessica Wilkerson from the FDA, Samantha Jacques, the VP of clinical engineering at McLaren, and Mike Powers of Intermountain, and just a whole list. I'm sorry if I'm not, you know, I could sit here and spend the whole hour listing off the great people on that team. But there's just so many reasons there. Skip, I mean, what you're... obviously a difference between new devices and the legacy devices, kind of how would you, how do you categorize them from a security perspective in your mind?

I often refer to it as the as-is and to-be. I want to make conversation inside. So there's what we already have; that's the as-is. And historically medical devices have been invented and built with the intent of having a very long life. What's been lacking in that lifespan, however, is the ability to update software components through patching as we understand more about their vulnerabilities. That was never a consideration, quite frankly, in some of those 10-to-20-year-old assets, and so they pose a different threat, and it's not one that you can patch typically. So you have to look to compensating controls and the way that you run your network. You isolate it from others; you don't allow it to talk to anything except what it should talk to or be talked to from. And so it's interesting when you look at the as-is, because pretty much all of the healthcare organizations out there have that in their environment. It's the nature of the product and its life cycle. When you talk about the to-be, that's the new stuff that's coming in, and taking measures to protect from risk introduction,
you know, stop the inflow of risk is about the best that you can. But ultimately if you're not performing risk reduction in the environment for the old and the new, entropy sets in and normal hygiene doesn't take place. And when I say security hygiene, I'm talking about compensating controls, patching, doing the things necessary through the life cycle of those devices to ensure that they remain secure. Overall, that's what med device security or biomedical device security really should be: it's a life cycle approach around good fundamental hygiene.

Awesome. And the legacy devices themselves, the IMDRF has a definition of legacy medical devices being the devices that can't be reasonably protected against current cyber security threats. And as this document is constructed, we really went through an approach that we want to take a look at it not just from the HDO but also from the MDM, and so they have very different ways of looking
at what is a legacy device and how they're managing the devices within their control. So where the end of life, end of guaranteed support, end of support are very important, the components, and then are those components supported or not supported, and being defined as the SBOM, which is soon to be mandated by the FDA from the MDMs. And then MDMs have a totally different way of
looking at this. The structure of the publication is, it's modular, again both for HDO and MDM as it's pertinent. It's 114 pages, so it's a substantial read, so if you've got an insomnia problem this is just ideal for you. But actually, if you're watching this video, this is probably going to be a pretty interesting document for you. It's just the way it's written, it makes sense, it's real-world, rubber meets the road. It's not, you know, like high, you know, I'll just, you know,
pie-in-the-sky concepts. It's practical. And then we've got, again, kind of the overview of what the agenda said we're going to be going through, some of those. So just jumping right in on the core pillar one: as we jump into this, we're going to talk about governance, is the first core pillar, and here's some of the concepts that you can read about in the document. But Skip, what do you think governance is?

Governance is the big-picture view of how you build your program and set your foundation for the outcomes that you want to accomplish. So when it talks about defining goals and objectives, that's really what I'm saying. Who's responsible, so what's your RACI, who sits within that RACI with all the different roles and responsibilities, and ultimately who's accountable. And all of that's not accomplished without good communication, so the information and flow and monitoring, that's
not just a data flow; that's how do we communicate as an organization within that RACI. And ultimately it has to have an overarching concern for the compliance, patient safety, and the ultimate lifecycle management of those assets.

Nicely said. So when they kind of drill into the HDO considerations of governance and as they describe them, I selfishly put this first section there, defining the legacy tech risk management strategy, and if you look
at that list, that's so much of what Medigate has to offer, if you go back to the initial "what do we do" slide. And so I think that, in the document they call it a passive network monitoring solution, they can address a number of these issues just because of the sheer scale and size. Even the best practices from HHS, on the HICP document we were talking about, it's even calling out in the update the need for, they called it an automated discovery and security tool, but it's basically the same thing, that the number of medical devices and the amount of tasks that are required, you need some help. And in the document we also make a point to talk about probability and impact versus exploitability, and I'm interested, Skip, exploitability is kind of a, not everybody knows about that concept and why that's important. Can you kind of help
some of the listeners that might not understand that, why it's important?

Sure. In vulnerability management, one of the things that we really try to hone in on, four years ago, well, we were going through our own standards and policies and our program for vulnerability management as a whole, not just medical device, and there are millions of vulnerabilities out there, and we just kept banging our head going, well, there's no way we'll ever get all of them remediated. It's
impossible, mathematically impossible. So how do we put the right focus and effort in place? And so my team did some research, came across some articles, and we landed on what vulnerabilities are actually being exploited and started to combine that into our vulnerability knowledge, so that when I look at risk tolerance and the criteria, there's three things that are most important in my mind. It's patient safety: so if a medical device is going to go down and result in patient safety issues, either delayed care, death, or otherwise, that's a pretty big deal. Now you couple the vulnerability that can take out a medical device and you start looking at, is it exploited out in the world? Are we using our threat intelligence to provide us insight to those vulnerabilities that are actually being used, taken advantage of in a detrimental way? So now patient safety, exploitability, and then footprint, how many of these things do we have. I call it the blast radius. And so a
combination of those three factors are used to guide our practice around which vulnerabilities we go after first. If we have to decide upon one or two, let's just say five out of five thousand, how do you do that? And that's really the criterion focus we put to it.

Yeah, that's beautifully said, that's some great insight. The last one there, developing the life cycle management plan, I think tracking inventory and managing the technology, again it goes back to your earlier comments of steps one and two. Basically you gotta know what it is you have before you can even manage it, and so many organizations don't. They have a visibility issue, and you don't see what you don't see, so you don't know that you're not... you know, you don't know that you don't know, and until you know. So it's a stumbling block from the beginning, but if you get visibility, if you get the right visibility with deep packet inspection, it makes everything down the road so much easier, like implementing and remediating the risks and planning. So core pillar 2 is communications, and I'm really glad that this was included in the document, because it seems to be missing, and so some of what's in the document is what should be, not necessarily what always is, but it's what you can expect. And I think that the
HDOs can drive a lot of these to come to fruition if they're not. But basically here, first of all, there's a diverse stakeholder group on both sides, and so as you start lining up your conversations and you know what you're talking about, then who should be talking to whom with respect to the individual topics? For instance, when an MDM is communicating with the HDO, who should they be giving the alerts and recalls to, and maybe the vulnerability conversations maybe with somebody else. But kind of vice versa there, when the HDOs are communicating with the MDMs, who should they be talking to, and the topics of discussions that should be going on. And so, Skip, again, this is what's in the document, there's a lot of insight in there, but from a real-world perspective, do you find that challenging, some vendors better than others? Any recommendations or comments on the material that we're putting forward here?

Absolutely. Yeah, there are some better than others, and one of the things that we've done is we've established relationships with some of the vendors that we have the most of, and have even gotten to a point with a few where we've had some stand-up weekly calls and the opportunity for their security team that completes our risk assessments before we buy something communicate back and forth and understand the finer details of some of the explanations or answers given to particular risk questions. So I absolutely encourage communication. In my mind, you can't solve a problem in two emails or less. You need to get on the phone and you need to talk it through. It's just kind of a simple principle. I try to use it, don't often do it, you know, always do it, because I'll get caught up in the threads, but big recommendation: reach out to your manufacturers, establish
a relationship. Demand it, quite frankly. They're trying to sell you something, so you might as well leverage them to get the most that you can and to build a better relationship, understand their product and their security posture, where they're going with it. More importantly, are they sitting stagnant, are they embracing it? And again, some are better than others, but ultimately have a conversation, figure out how to communicate and get the documentation or support you need, and provide them the
feedback. Be honest.

Yeah, and I think that also really helps when the proverbial poop hits the fan and you really need to get in touch with them, and you know who you need to talk to, you have a relationship, and it's much more efficient if you have those lines of communications established. The core pillar 3 revolves around cyber risk management, and so in this one it was very clear to kind of call out some HDO considerations and some MDM considerations. But again here, the recommendations are around having some sort of automated tool like a Medigate to help with many of the functions that are just daunting at scale. But also I would say that, everybody talks about doing more with less, right? Well, I think it's probably more doing more with what you got, and so some of these tasks are net new, and so for the clinical engineering department, the security stuff is new, vulnerabilities and risks and things, and so there's additional workload that comes with trying to address the cyber security. And so if you're either going to take on more staff or we're going to automate some of the functions that you currently are required to do, so that you have more time to take on these new tasks. Basically, you're growing your knowledge, you're growing your
skill set. It's a challenge. There's a lot of great parts to that too, but you can't be overloaded, so many of the functions, from an inventory management perspective, anything that can be streamlined needs to be streamlined, and that passive network monitoring tool is a great way to accomplish that. And then the second one there is stages of risk management throughout the life cycle. Any comments on anything here jump out at you, Skip?

I was just sitting there thinking that one of the things that I'd like to call out in a way of an encouragement is, we realized that we did not have the resources, the people, to actually perform patching. So we embraced our clinical engineering team and we developed a methodology for patch management where we're able to identify a vulnerability, we have an approved patch from the vendor, and we often incorporate the act of patching into a printed preventative maintenance plan. So we try to leverage existing work that's already happening and just throw in the additional "patch this thing when you go touch that device." Make sure the database is up to date with its location, make sure all of the key fields are filled in, what's its asset tag number, serial number if that's a requirement, whatever those elements are of identification, to make sure that your asset inventory stays up to date and current as best possible. Those are ways that we've tried to incorporate the in, so we can cover, we can be a force multiplier through the clinical engineering organization. Otherwise, I've got a very small team; there's no way we would ever begin to touch or scratch the surface on that effort.

Yeah, so smart, so smart. I remember talking with Mayo Clinic, and that was one of the things as they were designing their system, is you want to touch the device once to have to go. I mean, that's like an epiphany for everybody, that's so easy to understand. So if you're gonna go out there and touch it, touch it once, get it all done. But the operationalization of that and the coordination of it, easier said than done, so hats off, and absolutely tools can help that, but everything is kind of a people, process, technology, right? Right. And then the MDM's considerations is, they mentioned there's
another document out there called the Medical Device and Health Joint Security Plan, as another, is it one of the earlier releases, just updated, for the Healthcare Sector Coordinating Council. Well, kind of more on the MDM side, really kind of heavy leaning there on threat detection and life cycle management. So that's an area that you can go for more information if you want to know more about what the HDO, sorry, the MDMs are looking at, and
but kind of from a security risk and patient safety, we talk a lot about that, Skip, is how does your organization view security risk and patient safety, if they've made the correlation there?

I don't think completely. I mean, we're a fairly large organization, but that's one of the things that I've been shouting from the rooftop, so to speak, for four years now. One day the light bulb went off for me and I'm like, well, I'm a clinician, if I lose this thing then I have a patient issue, and it dawned on me quite brightly that patient safety was the number one thing. And yet at the time, when you thought or talked about or heard about cyber security and breaches, it was all about the exposure of data, and it hadn't transcended or moved into that exposure risk could equal patient safety concern. And so since then I've been using patient safety before a conversation around ePHI or PII, personal information versus health
information and the exposure of that data that we hear about in the news all the time. And unfortunately the first documented death due to malware happened in an Alabama neonatal intensive care unit, so we've seen it.

Yeah, and even if it's not death, you think about it, if a nurse is taking care of 15 patients because of technology, when the technology goes away they can't deliver the same level of service, which means different outcomes, or
a CT scanner is uh is is not available and and someone's coming in and with a stroke and you need to know whether it's a it's a it's a bleed or a clot it's you know it there's there's so many ways that uh it can impact uh adversely uh patient patient care I also say that it was a Ponemon uh Institute study that was done I think last year and uh the the uh you know 500 hospitals were asked they 21 thought that uh the the root cause of the the breach was either a IoT device or a medical device
and I think uh uh in the uh 20 felt there was um you know mortality was affected so it's you know it's it's more and more on the on the uh in the in the government they're having this conversation they're realizing that you know this is a patient safety issue um albeit I think the two are tied together because you have to fix the you have to fix the Cyber problem to protect the patients so it's the the two are not mutually exclusive and then the uh the the responsibility transfer framework
this is really um the the concept of you know are you gonna take on the device and and Skip do you want to talk to this slide a little bit sure um it this is probably the most challenging part of you know what do you do about it right and you know you've got the little grid there on the right I just kind of walk through that this is the scenario that we see today in our environment and in most all Healthcare environments quite frankly you've got the hardware that's supported but the software's so
long in the tooth it's not supported um or the software is not supported and the hardware is unsupported or worst case neither um and and I refer to those those devices as cyber dead they they can't be cleaned up patched you know there's very little that you can do with them so they pose the greatest risk uh and create the most work for remediation or or um uh mitigation I should say so when when we're looking at this there's a balance that has to be found between the the risk and the cost because
that's the first thing that comes to mind if well if I replace all these things that don't have any support at all that could be Millions upon millions of dollars and so where do we find the balance and now we're back to what I said earlier how do you look at the risk you know the risk criteria and then the prioritization to determine what you can live with accept or what you can't live with and how you build the business case to get the support necessary to get it out of the environment or
replaced yeah and it's uh there's a substantial section in here it's really kind of a how-to and a help document so make sure you um you check this area out and the and the and the the fourth core pillar is is future proofing and and Skip you really liked this one didn't you I think it's important yes uh you know we we can't live today as and not look forward um and quite frankly history repeats itself so we have to learn from the past but the future proofing is really looking at the advancemen
t of technology and um what what does that mean for us in this in this space how do we take advantage of it how do we prepare to take advantage of it it's probably a better way to say it because there's a lot of unknowns yet we're still trying to figure things out you know Med devices can't have agents on them like traditional infrastructure Technologies um they can't always run antivirus that you know there's all sorts of things they can and can't do and you have to assess that and and take adv
antage where you can and then figure out how to compensate where you can so very important to look forward yeah I think uh the phrase I always use is uh past performance doesn't dictate future earnings but it's all you've got to go on right now there's a huge section in in patch management so we can't we can't even cover we could probably do a whole hour on on just this section you look at all the different stages it's broken down into but um just we're going to pull out a pull out a couple here
and um start with the signal identification and Signal evaluation but uh in general you know uh uh skip can you kind of talk a little bit about uh to you what what is a signal and um and and why are they important I think at a real high level quickly it's it's any element of data information knowledge or awareness that leads you to believe you might be at risk and there's there's those things are listed here on the screen but then the awareness part is understanding your own environment um and
the assets within it and where do they sit on the network what are they exposed to yeah great and uh patch development uh patch development for the most part that's that's definitely on the medical device manufacturers in their life cycle and planning um their release process so it that that burden sits on their shoulders in in our case we we currently don't patch medical devices that don't have a vendor approved patch because we don't have the resources to conduct our own tests so that's to say that
there may be patches out there that have been released by say Microsoft or some organization that's um part of that system and even though that patch is not there we still have to ask ourselves should we go ahead and patch it because the vendor hadn't said it's okay or do we have to get on the path of testing it ourselves to feel comfortable with it and and so again it's it's a balancing act risk versus more risk or risk versus reward yeah and then and in the in that interim when you're you're
waiting for this patch because it it does take does take a while you need to um to figure out what other kind of compensating controls would even work uh to to try to reduce the risk as much as you you can before that that patch comes out and so you know that's why the the subtitle not a silver bullet uh this is this is a you know it's it's a complicated um it's a complicated issue and as far as uh the the testing goes you know I I think you know best practices again not everybody does it every
time I guess but uh are you just gonna take a take a patch and I like uh like skip skip is saying if it's if it's you know certified by the manufacturer that's one thing but if it's not certified by the manufacturer I would imagine that you're there's going to be a time uh uh resource involvement and and putting this in testing it ideally if you have some sort of sandbox but then there's additional expenses there so there's again this document goes into all of these different uh these different
sections about patching and life cycle management so I encourage you if you're you're interested in in patching to to take a look at that another area that uh is is mentioned here as well as the new upgrade to HICP is software bill of materials and obviously with the FDA having new powers and requiring them from the medical device manufacturers uh we're we're this these will become more and more important and just kind of the for those of you who don't know what a a software bill of materials
is this this diagram uh is it's a nice it's a nice way to describe you want to know the components within the medical device because even they can be susceptible to uh vulnerability and being exploited so they've come out they've come out with some standards um what what do you have General thoughts on the and by the way this is called the SBOM so unless you spell it wrong which I did in this presentation earlier and it's an S boom which hopefully hopefully that's not what's going to happen um
but uh Skip was nice enough to edit my work uh so uh Skip what you know your general thoughts on the SBOM I I think overall it's it's a it's it's a good step in the right direction there there are some there's been some pretty heated arguments that I've been witness to around not having this information disclosed because then it might give the hackers a leg up well unfortunately if they kind of already know this stuff if they're coming after you so here here's here's its purpose it's to to inform
those of us of the components that make up the overall software package those are often different parts and pieces that the developers borrow from other organizations so if anyone's familiar with Log4j and that big scare around that vulnerability um that's a perfect example where a software bill of materials would be an extremely powerful with that if you if we had had that across the Enterprise for all of our application and software we could have used computers to find it and to know whether
or not it was truly vulnerable to that form of attack and not spent over a month going through our systems and our information to try to determine if it was vulnerable so that's the intent to be able to stress to look at the code and know whether a vulnerability applies or not based on the entire makeup of that software bill of materials right and everybody's everybody's throwing around the word resiliency oh we need to be resilient we need to be you know and and I think this kind of goes to
that which is you want to be able to assess your environment see what the risk is see how though that risk partic impacts your environment the devices in your environment and the way that you're currently defending and then pivot and make changes so you can protect yourself because uh you know kind of building on everything Skip was talking about he had he knows that these vulnerabilities are being exploited and he has that vulnerability in his his environment what can he do to make changes well
again the passive network monitoring tools like Medigate help you uh change your your structure because they can see all the devices and and help with the network segmentation quickly um but there's a there's a another um um but I'm not sure that I the um I think we've already we've already covered most of this I think we went to VEX now we didn't so there's another uh component in that I'm jumping ahead but there's a something called VEX vulnerability exploitability exchange which goes to uh
Skip's earlier comment this this looks looking like it's going to be a a support tool to the SBOM where again knowing what's being exploited uh the components that are being exploited versus they just have vulnerabilities because I ultimately the the one thing that we don't want to happen to uh the the the the the teams within the HDOs is just being overwhelmed with oh here are all the vulnerabilities go figure out what you want to do with them you want to kind of weed through those um how do
you all uh do you do you all have methods for uh you know defining criticality or which which ones you need to go after which one which vulnerabilities uh you know are just noise uh yeah so you know I'm gonna I'm gonna try to answer that and a question on one of the um guest posts and that was you know how do you get all the identified signals and fully understand your issues exist for a particular device um I don't think you can ever get to Perfection sometimes probably more often now than than
before when we had no visibility but it's uh it's looking at all things um what does your MDS2 say what do you know about it from the manufacturer what do you know about it from um vulnerabilities and the vulnerability and whether or not they're exploitable that's coming from your threat intelligence so it's it's really a combination of multiple factors that have to be taken into consideration to prioritize the risk to understand what to go after and patch and hope that you have a patch for it
so hopefully that answers the question time yeah it's a great answer the additional topics that are in we haven't had time to cover here but uh go in uh you know a a great bit of detail on considerations and recommendations and challenges around these these additional topics the one of the last things we'll we'll we'll end with here is you know Gartner is is is got their eyes on this too they call it you know side they call the Cyber physical system Journey and the the six phases down below is
where most organizations are uh when they when they're they're they're they're they're talking about the devices on their Network and protecting them one is kind of the awareness of uh oh I should probably do something about this I there's a potential security problem here the second phase is visibility where you're trying to determine exactly what is on your network not only what's on your network but what's the operating system what's the version number what's the make model manufacturer IP address
Mac address I mean those are all the things that you need to know to really be able to manage the device and then once you see them it's the oh wow I didn't know I had all those things I didn't know Dr Johnson's Tesla was on the network but but realist really the it's there's also a a oh no moment because now you've got to do something I didn't know I had those 10,000 devices or those 5,000 devices I didn't even know they were on my network let alone I got to do something about them now which
gets you into firefighting then you integrate into the existing IT security stack where the the vulnerability management tools the network software the uh the uh endpoint protection the asset management they're already currently being used for your IT devices you want to you know integrate in your medical device everything you're doing from a security perspective in there but you you kind of need to have a additional solution to help with that and then integrate it in so as we we talk about
where everybody is on the journey uh here IT devices are are you know on phase six IoT devices uh at uh you know in the phase four the medical devices are are really for the most part everybody's in visibility they're trying to get visibility and and when they go try to use machine learning and AI tools they don't get them all and and so there's becomes this struggle where I've gotta I I can't start doing baselining I can't start restricting devices I can't start putting Network segmentation is because
I'm not really sure what all these devices are it makes it really kind of stalls you there and then the building management systems they're just they're just getting started the HVAC units and the um uh air Handling Systems uh Skip I mean what what would you say that those are important for a cyber security perspective as well I think they're very important um those systems are if you really want to talk about Legacy those systems tend to be Legacy in the sense that there are advancements
that they've made technologically but again security was never a function of thought and so if you think about a hospital you might as well call it a small City because it has all of the infrastructure that a small city has you know electricity water filtration systems elevators you know all of the things that go into moving people sustaining life and and controlling the environment and if you look at some of the biggest breaches that have happened um Target being one of them the hackers came
in through the AC unit got on the network made their way through and ended up on their point of sale systems and extracted all the credit card information same thing applies to hospitals it's it's definitely a threat surface and one that we're paying very close attention to yeah you can I mean think about taking a a health system or a region down in Arizona just take out the the air conditioning and the elevators in the summertime and you're you're you're going into emergency triage pretty quick
so it's that affects a whole lot of people and not just you know not just one medical device so um so everybody needs to kind of determine where they are on their Journey here so don't feel bad if you're you know you're still working on visibility um you know there's you're you're in you're in good company I uh Skip is uh Skip is an outlier he's a he's thinking ahead and and Skip is is much further down the the pathway and I I would you know I'd like to think a lot of it is because well one you
have the wisdom to get Medigate early uh but it's it's definitely helped you uh move down that that Journey path would you say uh absolutely without exception I I knew you know no matter what for you know didn't matter who the vendor was going to end up being we had to have the ability to fingerprint to to understand very quickly what was in our environment because at the time I could only estimate about 30 of it based on the Telemetry we had from our IT Technologies and yet I knew Network traffic
and the number of IP addresses issued you know on a on a daily basis where I I mean just unbelievable um so it's like well I know about this many but what about all these other things what is this um so very very important to gain visibility everything starts there and then it turns into an inventory and moves along that that pathway of maturity yeah great point so we've got in the document we've got the the Technical Resources if you want to just know more about the health sector coordinating
Council here's a link to the HIC-MaLTS The Joint security plan which is more about cyber risk for MDMs Senator Warner's uh 17 policy considerations I mean he's talking about uh changing uh updating HIPAA Cash for Clunkers maybe an incentive program maybe something like meaningful use for uh uh for for legacy devices they're talking about basic cyber hygiene you know what what what does basic cyber hygiene look like and uh um then the White House just put out a document that's really putting
more responsibility on uh manufacturers for creating secure devices before the the hospitals or really generally in all areas uh get them so strengthening the cyber security posture if you want to know more about the best practices you can see HICP and then there's a new document out as well uh maybe we'll do a podcast on that at some point but it's it's the NIST cyber security framework specifically for healthcare so I don't know if we have if there are any questions out there uh Ty there's
a there's a good question in chat that I'd like to address sure super the the question is how are you implementing automated micro segmentation and policy enforcement at the edge to ensure both your cyber dead and unpatchable devices and future devices are will be cyber secure do you have LPA or zero trust fully deployed I don't think anyone will ever have zero trust deployed until people are eliminated from the in question uh equation that's just my personal opinion um how do we address it Medigate
has some very powerful tools already built in that provide um through its understanding of traffic patterns um applies ACLs and and policy enforcement capabilities through Integrations of network access control systems so you can Leverage The Power of Medigate in conjunction with um your your Cisco ISE your Forescouts your FortiGates through your firewalls and your switches and use it to inform or provide the right code if you will to eliminate any Communications Pathways and in essence virtualize
your micro segmentation Without Really re-IPing any of your assets that's the fundamental biggest challenge in an environment of size well in each any environment quite frankly is going from no segmentation to a segmentation model when you have to re-IP give a new IP address to a system to get it into the right segment it's very expensive it's extremely disruptive and often impossible to complete so we're looking toward that future right and the sense of what technologies are becoming available
that will allow us to create a force multiplier where through that Automation and those system Integrations we can we can create that policy enforcement through all of our switch and network and in essence virtualize our segmentation and prevent communication where we're unnecessary so I think hopefully that answers that question that was very comprehensive yeah a huge thank you to Ty and Skip again it was really really great content throughout the presentation very interesting and again
a reminder for everybody we have a couple more minutes left if you have additional questions please feel free to use the Q a function and we have at least one more and I think again both uh Ty and Skip feel free to jump in on that as as you sit see fit so the question is how many people in Ascension clinical engineering do you have working on medical device security tasks that are identified by Skip's department and how many Network medical devices does Ascension identified in Claroty uh I'm
gonna try to answer this the best that I can I have to be careful with disclosures um the the clinical engineering department is is quite large we have over 2,600 locations in in the United States so hopefully that kind of gives you the magnitude and scale um having said that uh in terms of our visibility we we went from zero visibility of most medical devices to you know north of north of 80,000 medical devices and what we what we do is we look at a 90-day window because devices aren't always
online so they come in and they come off IV pumps are notorious um and so we kind of picked that window we started out with 12 months we shrunk it down to the to the 90-day time frame to get a more realistic View and feel pretty confident in what we're seeing um I would say that one of the key factors in knowing that you're seeing all things and we we learned this through trial and error there is in the configuration of your flow from your core switches to to any deep packet inspection technology
if you don't get it all you won't you you won't see it and so you've got to work very closely with your your uh Network engineers and setting up your spans and and the methods that you have to use to get that traffic into a Medigate technology thanks Skip and it does look like we're a little bit past the top of the hour I wanted to uh give a huge thanks to Ty and Skip for sharing your insights with uh the community today and again thanks for everybody uh attending just final reminder please do use
the link uh in uh uh to to submit your survey responses regarding this session we would love to hear uh hear from you again uh thanks everybody for attending and uh looking forward to have you attend an upcoming ACCE educational webinar in the near future thanks all thank you appreciate it

Comments

@rossanarivas9527

Nice presentations!