The wake up call
Two hours on the phone to reschedule your specialty appointment, a three-day delay in a procedure to relieve pain for mom, a two-week delay for an MRI for a sibling, having to drive forty-five minutes for a child to receive emergency care. This is the reality for people living in communities whose healthcare delivery organizations (HDOs) have had to endure information security incidents like ransomware.
83 incidents in 2021 is a number that is only going to increase. Sadly, we are now at a stage where 3 – 5 public reports per week of these types of incidents have become the norm. How many more of these do we have to go through before we realize our current method of risk management is not working?
Rooted in tradition
There are four functions that have historically influenced how healthcare organizations plan for and invest in information security as a function of enterprise risk:
- Regulatory exposure
- Financial impact
- Brand and reputation impact
- Patient safety and clinical quality
Organizations understand the importance of each of these functions individually, but they have yet to embrace the fact that most of these practices were designed more than twenty years ago, or to understand their impact on operational and clinical workflows.
In that time, information security design has gone from antivirus and intrusion detection to machine-learning-enhanced protection and behavioral profiling, zero-trust, privilege management and cloud security. Today, we are in a state of flux, in which only some of these security innovations have made their way into the organic risk analysis workflows.
Continuity of operations, often a function of emergency management, needs to be front and center when designing security risk management and response workflows. When done correctly, this allows organizations to map data flows and process interdependencies appropriately, which prevents entire sections of the organization from being impacted during a security incident. In our blog on risk management we illustrate how healthcare organizations can help move this needle in the right direction.
Effective Threat Modeling and its benefits
Threat models are an essential part of security strategy today as they provide the following telemetry for efficiency of response:
- Dynamic view of the attack surface
- Vulnerability and Safety exposure across the ecosystem
- Identification of threat actors
- View of attack vectors
- Enumerating hospital assets (operations) vs patient assets (clinical)
- SecOps capability
- Metrics to bridge operational reality with academic data of perceived risk
These models not only allow security teams to design and test appropriate workflows for incident response, they also become a data feed for emergency management to test contingency processes and simulate operations in the event of an incident. While many organizations have made significant progress here, investment is still needed to design and implement proper testing infrastructure, so that operational risk can be determined from actual metrics rather than from data derived from tabletop exercises.
A key element of threat modelling is understanding the role that vulnerability management plays, not only in identifying security exposure but also in identifying potential safety and operational impacts in a hospital setting. Our blog on how to approach vulnerability management lays down steps organizations can follow to future-proof this effort and stay aligned with changes in the healthcare device ecosystem.
Understanding the ecosystem and its utilization
Terms like Internet of Things (IoT), Internet of Medical Things (IoMT) and medical device security have dominated the security industry in terms of coverage. However, not all medical devices are equal in their risk profiles. Consider the following ecosystems:
- Devices used directly to provide patient care (e.g. infusion pumps, patient monitors)
- Ancillary devices used to support care (e.g. lab, radiology, sterile processing)
- Operating technologies with critical impact (e.g. p-tube systems, water and oxygen management, HVAC)
- Control systems with high impact to operations (e.g. physical security, alarms, elevator control systems)
All of these are an essential part of “securing the patient journey”, and we need to come to terms with these devices having “non-baselined” internal and external connectivity with each other and with cloud solutions as healthcare organizations adopt new versions of patient-centred care delivery models.
Furthermore, utilization management data can be leveraged not only to improve operational efficiency; it can also be a contextual lens to help analyse data for threat impacts by specialty or revenue impacts by type of procedure. This allows security teams, for the first time, to have a truly objective view into the operational impacts of security incidents.
Closing the loop – Exercising the theory
Risk frameworks, response tactics, and threat models are only marginally effective in the absence of an actual testing methodology. To reduce the impact of these attacks and improve response effectiveness, there is no substitute for actual simulations and testing of workflow disruptions or system outages. Organizations that prioritize these efforts as part of normal business operations are able to weigh their risk maps and take into account data such as how long it took systems to be recovered, what the user impact of “degraded performance” was, and whether the partnerships for resources and technology worked as intended. Practiced over time, the muscle memory and lessons learned from these drills and tests can serve as the bedrock upon which organizational resiliency transcends any attack on their environment.
We at Armis are committed to helping our healthcare customers realize the vision where risk management and continuity of operations can exist symbiotically, and where, with proper investment and a sense of urgency, we can make information security an organic extension of the clinical risk management process. Our white papers Armis use cases for healthcare and Operational considerations to drive cyber resilience offer a view on how Armis can help you implement a cohesive medical device security strategy.
If you’d like to learn more about how the Armis platform can help address your medical device security, sign up for a 30-minute live demo here.