
Zero Trust Stands as a Secure Foundation for Healthcare’s IoMT Devices

“We’ve moved beyond protecting the perimeter to employ multiple tools and technologies across our network,” Pearson says, including a network access control solution to manage endpoints as well as user and device access to network resources.

“This solution helps with fingerprinting for IoT devices. It helps us identify and gain visibility into what devices are on our network and what resources they can access, and allows us to proactively limit network traffic for unauthorized and unknown devices,” she says.

VA also uses a data protection strategy that relies on encryption at rest and in transit, she adds. That data, in turn, supports other defensive tools.

“We look at integrating IoT device data with vulnerability assessments, endpoint security and device compliance, as well as with organizational policies” to not only identify vulnerabilities but also understand what can be detected, Pearson says.

Evolving Security by Mixing Technologies

Large healthcare organizations typically turn to a range of available technologies to secure connected medical devices. For example, Palo Alto Networks Medical IoT Security is specifically designed to protect critical connected medical devices, while integration with Palo Alto Networks’ Next-Generation Firewalls and Prisma Access offers highly granular policy enforcement. Cisco offers several solutions that can secure medical devices by identifying all devices entering a network and then segmenting the network to protect those devices — and medical records — from threats. Cisco’s Medical Network Access Control helps hospitals detect threats through behavior monitoring.

VA looks to a broad mix of technologies and evolving approaches to security while also relying on tried-and-true protections such as next-generation firewalls and cloud access security brokers, “things that help align to zero trust and more granular access controls,” Pearson says. “When we provide that secure access to specific applications, we leverage that at a granular level for device authentication and authorization. That allows us to minimize that blast radius for our fragile devices.”

Threat Modeling Helps Pinpoint Security Objectives

The FDA encourages an all-hands approach to medical device security.

“The healthcare environment is complex, and manufacturers, hospitals and facilities must work together to manage cybersecurity risks,” Wilkerson says.

Manufacturers should complete a threat model that identifies security objectives, risks and vulnerabilities across the medical device system before they define countermeasures to prevent, mitigate, monitor or respond to the effects of threats to the medical device system, she says.

The FDA has taken regulatory steps to clarify the role of device manufacturers. In spring 2024, the agency proposed updates to its guidance to medical device makers, in part to provide the FDA’s recommendations and interpretations of recent, explicit cybersecurity regulatory authority that the agency received. 

Meanwhile, healthcare providers can take their own steps to build a more secure IoT environment, starting by exploring available commercial solutions, Gartner Senior Research Director Ruggero Contu says. “There is a well-established marketplace of medical device security solutions that are specifically geared toward improving that visibility through asset discovery and monitoring healthcare networks to detect those devices,” he says.

Based on the asset data discovered, health systems can assess all risks before determining the best way to secure them; for instance, through segregation or configuration improvements, Contu says.
