No sector is safe from cyber attacks, especially healthcare. So how should organisations be protecting their medical devices? Jennifer Trueland spoke to Greg Murphy from Ordr about the risks involved.
Is your MRI talking to Facebook? Or has an infusion pump on bay two started communicating regularly with a malicious actor in Ukraine? Or perhaps the CEO’s Tesla is getting software updates via the hospital’s network while sitting, apparently innocently, in the car park?
Any organisation with connected devices is at risk from cyber criminals looking to steal or extort by exploiting weaknesses in security. The stakes are particularly high in a hyper-connected environment like healthcare, where it’s not just money, but people’s lives that can be lost. Yet too often, healthcare organisations simply don’t know what’s connected to their network – let alone what it’s doing and who it’s talking to.
That’s where Greg Murphy comes in. The chief executive officer with Ordr, a leader in security for connected devices (often called the Internet of Things – IoT), realised some years ago that these could be the weak point that could allow potentially devastating attacks to damage an organisation’s network, and by extension, to damage the organisation itself.
“Traditionally in the networking world, we were used to having laptops, tablets, mobile phones and these kinds of devices connected to our networks – that was the traditional IT estate,” he says.
“But as we started to monitor what was getting connected to networks, we saw the number of non-traditional devices was actually overwhelming the number of traditional devices. These included facilities systems, communicating systems, desktop phones, media systems – and in healthcare, of course, medical devices.
“It really struck us talking to many organisations, that almost none of them had any idea what these devices really were, let alone what they did when connected to a network, so they didn’t really have a strategy in place to secure those devices. That was obviously both a huge challenge and problem for the organisation because the attack surface was getting bigger every day – but it also looked to me as one of the biggest business opportunities in IT in the next decades.”
Murphy joined Ordr as CEO in December 2018, having previously been VP business operations for the HPE Aruba Group, the networking and IoT business unit of Hewlett Packard Enterprise. Previously he was CEO and co-founder of a wireless start-up acquired by Aruba, and held a number of posts with Aruba after the acquisition before it was acquired by HPE in 2015.
Speaking to Digital Health from Northern California, he explains that while many organisations are now very aware of the risks from cyberattacks – especially since WannaCry – many still aren’t always sure how to address this. And one of the big issues is that they simply don’t know what devices they have, and where.
“Healthcare was very hard hit by WannaCry, which meant that a lot of organisations had to take devices offline and revert back to paper,” he says.
“When they heard about WannaCry, the immediate question that came down from the top of the organisation was: ‘can you tell me what devices on our network might be vulnerable to this?’ And the answer that came back was often, ‘no, we don’t know what’s connected to our network, and we don’t have any way of telling you the extent of this problem.’ You literally had people unplugging and disconnecting devices while they were doing a risk assessment of them. The immediacy and urgency was galvanising.”
Murphy believes that things are different post-WannaCry.
“I do think healthcare organisations are taking this problem seriously,” he says.
“They’re aware of the extent of their exposure, and certainly over the course of the last year, when you look at the number of ransomware incidents that have impacted healthcare organisations, cybersecurity has moved far up the priority list from a technology perspective. The challenge for most healthcare organisations is not that they do not understand or recognise there is a problem; it can sometimes be that the challenge or the problem looks so overwhelming that they don’t know where to start.”
So what can organisations do about it? Number one is finding out what they actually have connected to their network, then finding out what each device is doing – work out its pattern of behaviour, so you can recognise if anything is out of the ordinary. Then you need to use this intelligence to develop a strategy to protect your network, but also to ensure that the whole system is working as efficiently as possible.
Fortunately, Ordr’s Systems Control Engine (SCE) will do much of this for you, discovering and securing every connected device, identifying vulnerabilities (such as out-of-date software) and also flagging up active threats and suspicious behaviours.
“Number one is your organisation’s need to get visibility to what’s connected to their network,” says Murphy.
“If you don’t know what’s connected, it’s hard to put in place a strategy to protect those devices and the network. You have to understand exactly what devices are connected to the network at a very granular level. You need to be able to tell the difference between a Philips imaging system and a lightbulb for a building management system. You need to know the make, the model, the serial number, the software version that all of these devices are running so you truly can understand what they are – and from there you can marry that with an understanding of where they are connected.
“If I have a network-connected surgical robot, I want to make sure that’s on a very secure segment of my network; I don’t want it to be sitting next to a vending machine that’s dispensing chocolate bars, because that’s something we’ve actually found in a healthcare environment.”
This is not only confined to medical devices. “If you’re the CISO [chief information security officer] of a large hospital, you need to know everything that’s connected to your network,” says Murphy.
“Of course your mind is going to go first to the MRI and the infusion pumps, your connected medical devices. But it’s equally important to know your security systems, your car park – anything that’s connected to your network is a potential attack surface.
“At the end of the day, whether the malware comes in through a medical device or a video security camera doesn’t matter so much as how quickly it can spread across your network. So you need to defend everything in a healthcare environment.”
Once you know what you’ve got, and where it is, the next thing is to understand its behaviour patterns, says Mr Murphy. For example, what does an infusion pump communicate with inside the network and beyond – does it go outside the network for security patches, for example, and if so, how often? This level of detail for every device in the network isn’t possible for a human to remember – so the application of machine learning is critical, he adds.
“Once you have that understanding, you can start to detect anomalous behaviour – for example, if you have an infusion pump that is behaving in a way that an infusion pump never has before, if it’s talking to a destination that it never has before – that’s something that you should be aware of,” Murphy says.
Sometimes there can be human involvement in this anomalous behaviour, according to Murphy.
“You have a work station that front-ends an MRI and you find it has been communicating with TikTok or Facebook,” he says.
“You have technicians who are spending hours and hours with this equipment and in their downtime, they might go to destinations that are not business-related, and they may be bringing malware back into the environment. So it’s important to understand what normal looks like, then you can detect and alert organisations to anomalous behaviour so they can take corrective action.”
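The baseline-then-detect idea described above can be sketched in a few lines. This is an added example, not Ordr's code, and it uses plain set membership per device profile rather than machine learning; the flow records, device names, profiles and destinations are all constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records: (device_id, device_profile, destination).
# Profiles would come from the device inventory (make/model/type).
BASELINE_FLOWS = [
    ("pump-01", "infusion-pump", "10.20.0.5"),
    ("pump-02", "infusion-pump", "10.20.0.5"),
    ("pump-01", "infusion-pump", "updates.pump-vendor.example"),
    ("mri-ws-1", "mri-workstation", "10.30.0.9"),
    ("mri-ws-1", "mri-workstation", "pacs.hospital.example"),
]
NEW_FLOWS = [
    ("pump-02", "infusion-pump", "updates.pump-vendor.example"),  # peers do this
    ("pump-01", "infusion-pump", "203.0.113.77"),                 # never seen
    ("mri-ws-1", "mri-workstation", "social.example"),            # never seen
    ("gate-07", None, "10.20.0.5"),                               # not in inventory
    ("pump-01", "infusion-pump", "10.20.0.5"),                    # normal
]

def build_baseline(flows):
    """Map profile -> destination -> set of devices observed using it."""
    baseline = defaultdict(lambda: defaultdict(set))
    for device, profile, dest in flows:
        baseline[profile][dest].add(device)
    return baseline

def score_flows(baseline, flows):
    """Return (severity, device, destination, reason) for out-of-pattern flows."""
    alerts = []
    for device, profile, dest in flows:
        if profile is None or profile not in baseline:
            # Unknown device: an inventory gap, regardless of destination.
            alerts.append(("high", device, dest, "device not in inventory"))
        elif dest not in baseline[profile]:
            # No device of this type has ever talked to this destination.
            alerts.append(("high", device, dest, "destination new for profile"))
        elif device not in baseline[profile][dest]:
            # Peers use this destination, but this device has not before.
            alerts.append(("low", device, dest, "destination new for device"))
    return alerts

if __name__ == "__main__":
    for alert in score_flows(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(*alert, sep=" | ")
```

Grouping by profile is what lets a destination that is normal for one infusion pump be treated as low severity on another, while a destination no pump has ever used is escalated.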
These capabilities, all available on a single platform, are what attracted University of Southampton Hospital NHS Trust to Ordr.
“By delivering real-time device inventory, monitoring east-to-west communications and providing invaluable utilisation data, Ordr is proving to be a valuable asset to the trust and is a critical component of our cybersecurity strategy,” says trust IT director Adrian Byrne.
One of the problems is that in a large healthcare organisation, there will be multiple procurement routes and multiple people connecting things to the network, potentially with no oversight.
“One of our hospital customers found a car park security gate that they had absolutely no idea was on the network and it was actually spreading malware,” says Murphy.
“This sort of thing happens because the physical security team connected the device and didn’t let anyone know, so there weren’t any alarm bells going off.”
It’s rare, he adds, for any healthcare organisation to have one inventory of devices – different groups have their own inventories, but they rarely come together.
“One of the big values we provide is to watch the network and tell you what’s connected in your environment – you have one source of the truth for all your different devices,” Murphy says.
Inevitably, the pandemic has only intensified these risks.
“What Covid did was accelerate very dramatically the rate at which new types of devices were coming into the healthcare environments and the rate at which those devices were moving,” Murphy says.
“So that creates even more of a challenge for organisations to track and understand their inventory and to ensure those devices are being properly protected wherever they are.”
Patients, visitors and staff using their own devices can also be a threat unless the network is properly protected, adds Murphy.
This can be anything from a patient’s iPad to a doctor’s Tesla getting software updates in the car park. You might also see clinicians bringing their own medical technologies and starting to use them at work.
“We’re not saying this is a good or bad thing, but the hospital needs to know what these devices are, so they can assess what risk they might pose and ensure they are properly protected,” Murphy concludes.
“The enemy is lack of visibility, the lack of knowledge, and that’s what we are here to solve.”
You can hear more from Ordr at an upcoming Digital Health Best Practice Webinar which is taking place on May 7.
Bob Vickers, head of Ordr UK and Ireland, and Adrian Byrne, CIO University Hospital Southampton NHS Foundation Trust, will be discussing how medical devices can be protected from cyber attacks.