Microsegmentation: Keeping IoT expansion risks at bay
Hospitals making use of myriad connected medical devices stand to gain tremendous gains in care, productivity and sometimes cost savings. They also are entering a totally new realm of security challenges, where everything from patient data to the very life-critical functions of a connected machine could be put in jeopardy.
"Inherently many of these devices are hard to patch," said Jonathan Langer, CEO of device security and IoT management vendor Medigate.
A device that needs a firmware update has to go through lengthy validation and quality assurance, Langer explained. While it is important to update software as best as possible, he said proactively controlling what parts of a network IoT devices can access, and with which devices they are able to communicate, is a vital element of protecting devices – and patients.
Called "microsegmentation," it is offers a more granular way to manage these hard to secure devices, he said.
"In essence, microsegmentation is all about creating small restricted segments of network," said Langer. Defined groups are "only able to communicate with one another."
To begin with, network administrators need to identify their device segments. Langer said to keep segments "as small as they can get," for them to all have similar security policies. The challenges associated with this are reflected in the number of IoT devices a hospital might have.
"Devices come and go," Langer explained. "It's a dynamic environment. Identifying segments is going to take you ages unless you have a big staff."
There are tools which can simplify the process. Analyzing network traffic of devices and gaining visibility into what they do (an infusion pump compared to a fitness tracker) is easy to do in a largely automated fashion.
It is important as well to balance the creation of these segments against having the right security policy, one which "won't restrict critical communication and won't disrupt patient care," said Langer.
"In my opinion, an influx of connectivity of unstandardized devices is undeniable," he added. "It's going to happen more and more."
This surge will bring more life-critical machines – as well as new wearables and personal devices that cross the boundaries between medical device and "cool new app."
Langer said segmentation needs to be identity based where a network can automatically assign an IoT device to a certain set of restrictions based on what functionality it needs.
"There has to be an automation tool that understands what the device actually is," he explained. "If it's a pacemaker I need to know it's a pacemaker, regardless of IP address."
As the IoT world in hospitals comes to be better understood, Langer said automation will improve. The best way to adapt to an increasing number of hyper-mobile devices jumping onto a network is to develop tools to direct and control traffic with minimal work.
"I don't foresee there being zero manual work soon, it's not practical right away," he said. "But we can significantly reduce the workload."
Twitter: @BenzoHarris.
Prepare for next-gen cybersecurity threats and join the #HITsecurity discussion at the HIMSS Healthcare Security Forum this Dec. 9-10 in Boston.