Insights > Network Visibility + Security

Medical IoT Device Monitoring in the Healthcare Enterprise

2021-04-12  |  6 min read 

Enterprise networks in healthcare environments such as hospitals support traditional IT computing devices including computers and telecommunications. But increasingly the same healthcare IT network infrastructure is supporting devices that were not previously networked, including medical diagnostic, testing, and monitoring equipment.

Modern Healthcare delivery relies heavily on connected devices which increase productivity, efficiency, and accuracy, but at the same time, they enlarge healthcare’s attack surface. Adding Internet of Things (IoT) devices to a network offers attackers more targets, and many of those devices were never designed with security in mind. Others aren’t or can’t be patched or updated regularly. As a result, vulnerabilities that were remedied long ago by software providers in other industries can still be exploited in the medical device world.

Not to mention personal devices such as tablets, laptops, and phone are being connected to hospital Wi-Fi by patients, visitors, and staff. These devices may or may not have adequate security protections such as antivirus configured or may already be infected with malware when they connect to the network. But whether the asset is a traditional sanctioned IT device, unwittingly insecure medical IoT device, or rogue personal device, the risk is the same – all it takes is for one device to be compromised to open the possibility for threats such as ransomware to spread laterally through the healthcare enterprise.

All this leads to a logistical and practical nightmare for security administration teams trying to keep the healthcare enterprise network safe, and the devices running on them secure. Let’s set aside for a moment traditional endpoint protection techniques such as antivirus agents, which is certainly still required but is only effective for known enterprise assets and those which have an operating system that is capable of having an agent installed. But what to do about networked devices in a medical environment that are simply unknown or unmanageable? To address this challenge several strategies are key.

First, visibility into device activity is required.  Visibility which is not dependent on agents or other active monitoring techniques. This visibility is a pre-requisite to any other monitoring, analysis, remediation, or containment of threats. Network level packets is the most complete and reliable source of visibility available because it sees traffic regardless of the device in question, whether or not it is managed, sanctioned, malicious, vulnerable. To meet the visibility requirement, Keysight Visibility architecture passively collects, aggregates, grooms, and delivers packets from across the entire healthcare enterprise  - delivering them to monitoring and security tools.

Secondly, asset discovery is required to identify what specifically is on the network. You can’t safely secure something if you don’t know what it is, you might know that something is there, but you wouldn’t want to blindly cut off network access to a critical medical device (as opposed to a say a personal smartphone). Monitoring and security tools receiving the packets from Keysight Visibility need to have deep packet inspection and protocol analysis techniques that understand proprietary medical device IoT protocols, as well as IT protocols, so that a complete picture of all connected devices can be built. For example, Keysight’s technology partner, Medigate, specializes in discovering and securing assets in healthcare environments.

Finally, after assets have been fully discovered, analysis can begin allowing for remediation and containment of threats. Techniques such as comparing asset status and communication against threat intelligence feeds, risk scoring, behavioral and communications baselines, vulnerability databases and so forth can be used to highlight devices that present security concerns. Alerts to such concerns should be integrated with remediation tools such as network access control, network micro segmentation, firewalls, and clinical asset systems to ensure that vulnerable or compromised devices are contained quickly and effectively. Furthermore, extraction of device utilization into change management and maintenance systems can be used to enable proactive and preventative medical IoT device controls.

Protecting the modern healthcare enterprise is a complex task, heightened by the proliferation of medical IoT devices on these networks, and this blog just scratches the surface. But in short, the message is this: you can’t protect what you can’t see, you need visibility into all healthcare enterprise traffic as well as intelligence into the assets involved in order to have an opportunity to secure them.