Key Takeaways

• Main Line Health employs a real-time risk management platform to secure new medical devices.
• Michigan Medicine enhances device visibility through automated inventory management and network segmentation.
• Luminis Health faces challenges with legacy devices, stressing the importance of timely updates and certifications.

Enhancing Device Security in Healthcare

Main Line Health has partnered with technology providers to implement a real-time risk management platform aimed at improving the security of medical devices. This innovative system enables the isolation of any device that may present a risk, preventing it from communicating with the internal network while still allowing internet access. Weismann’s team is also focusing on authenticating devices that connect to open ports to mitigate local attack risks. “We were very focused on remote attacks with the strategy we’ve taken, and now we’re pivoting to look more locally as well,” says Weismann.

Meanwhile, Michigan Medicine, which has expanded through mergers with Metro Health and Sparrow Health, is grappling with the challenge of managing visibility across tens of thousands of devices. The organization employs various tools that assign vulnerability scores to medical devices like MRI machines and smart TVs. According to Greg Sieg, Chief Information Security Officer (CISO), threat intelligence aids in assessing vulnerabilities, which helps prioritize their remediation. The ServiceNow platform manages device inventory, while segmented networks separate medical devices from consumer-grade technologies.

A significant component in their strategy is Cisco’s Identity Services Engine (ISE), which automates network segmentation and ensures that devices are correctly categorized on the network. For example, if an infusion pump is unplugged and replaced with an Xbox console, the port will automatically shut down to ensure security. Sieg emphasizes the importance of regularly moving and segmenting legacy devices as they become identified, stating, “As we find devices, we get them moved over to where they need to be.”

On the other hand, Luminis Health, based in Maryland, manages a substantial network comprising over 100,000 devices. Virtual CISO Jason Taule highlights the permissive nature of hospital environments, which complicates the management of vulnerable endpoints. The organization prioritizes preventing prolonged outages that could hinder patient care. For example, when acquiring a blood chemical analyzer, Luminis Health discovered that it operated on an outdated Windows CE system, which presented further risks. Taule critiques the U.S. Food and Drug Administration’s approval process, noting that outdated devices remaining on the market pose significant security challenges: “The process is flawed…giving companies no incentive to update an old, unpatched, vulnerable thing.”

In summary, as healthcare organizations evolve, enhancing device security remains a critical focus. Efforts from Main Line Health, Michigan Medicine, and Luminis Health illustrate the ongoing challenges and solutions in managing an ever-growing ecosystem of medical technologies, emphasizing the need for robust risk management, automated inventory systems, and timely updates on legacy devices.

The content above is a summary. For more details, see the source article.