Watching the Fireside Chat: Medical Device Security is a Joint Effort webinar from American College of Clinical Engineering (ACCE), with Michael Brilling of Dartmouth Hitchcock and Benjamin Stock of Ordr, I found the following information about Dartmouth Hitchcock’s IoT security journey helpful.
The Healthcare Challenge: IoMT, OT and IoT
Internet of Medical Things (IoMT), Operational Technology (OT), and Internet of Things (IoT) can all be challenging to secure. Organizations have thousands of devices, each with unique systems, and limited ability to patch.
Dartmouth Hitchcock's key drivers for developing their security plan were gaining knowledge of what was on their network, accurately identifying what each of those devices is doing and what is on those devices. Collaboration is key to protecting IoMT devices, see how Dartmouth Hitchcock used it to develop their security strategy.
Medical device security planning requires collaboration between network, security, HTM Biomed, and leadership teams. Leadership must ensure all connected devices are secure, and make financial decisions when it comes to security solution and device procurement. Security and IT teams need to gain visibility into devices, understand how devices communicate, create segmentation and security policies to properly secure every device. HTM Biomed teams should focus on IoMT devices, keeping track of devices, their vulnerabilities, and any recalls or updates from vendors.
Collaboration is necessary to secure all the different types of devices and mitigate their vulnerabilities. Organization should decide which teams should own each device and what security product best addresses all of their needs, and how to leverage their security tools, The Information Security team, Networking team, and Clinical Engineering (CE) teams at Dartmouth Hitchcock were all involved in the creation of an IoT and IoMT security plan, overseen by a Health Information Technology Officer. Clinical Engineering and HTM Biomed personnel at Dartmouth Hitchcock influenced the creation and implementation of connected device security policies, but allowed security personnel to be the subject matter experts for device vulnerabilities.
By involving multiple teams in creating their security program they made future security endeavors easier. Now if something comes up in the grey area they can direct those issues to the right team.
Choosing a Security Solution
Procuring and implementing a security solution is a team effort. Ensure leadership is involved and sponsoring the project, lay out what problems each team needs to solve and what they want to gain. All stakeholders should evaluate security solutions to decide if all their needs are met by vendors.
Different teams at Dartmouth Hitchcock have different use cases for security tools. They found that Ordr supported their collaboration efforts. For Dartmouth Hitchcock, bringing in Ordr was adding to a stack of collaborative tools. Having previously invested in Cisco tools, Ordr’s familiarity with Cisco was a differentiator. Ordr was able technologically support their existing infrastructure without needing them to change firewall tools or protocols.
In implementing their IoMT security program they were surprised by the amount of communication their medical devices required and the amount of personal devices on their network. They had not expected to find as many unique smart speakers. These devices have a lot of network traffic and could potentially compromise HIPPA with their recording capabilities. With device visibility from Ordr, Dartmouth Hitchcock was able to find these issues and create a policy to segment smart speakers onto a guest network where they will not be able to communicate out.
As a part of their security process, they have encrypted generic passwords that they cannot further protect and are getting more involved in the supply chain process to ensure device purchases have password policies that work for them.
Dartmouth Hitchcock has benefited from Ordr and now that they have completed their immediate security plans, they plan to expand their use of Ordr. Ordr aides in Dartmouth Hitchcock’s micro segmentation efforts, and gives them insight into devices so they can see how often devices are used and how many are needed. They plan to use this information for future procurement decisions.
Ready to try Ordr for yourself? Try the Hands-On Lab to see how Ordr will discover and classify all connected devices, profile device behavior, and automate segmentation policies.