Who’s Watching Your Crash Carts? Armis Is.

Armis is an enterprise-class security platform specifically designed to give security managers better visibility over the various kinds of compute resources and “smart” devices that exist in their environment. Our unique ability to understand the context of each device lets us detect problems that other security products miss.

Such as when crash carts are being misused. 

In a recent hospital environment, Armis found that computers on medical crash carts were being used to access Facebook and a number of other social media and non-work related web sites, including phishing web sites. This type of activity is rather common in healthcare environments and poses a risk to any PHI stored on or processed by those computers. Furthermore, the web surfing increases the chance that the computer could be compromised by a web attack and used as a staging ground for further infiltration of the hospital network.

The typical crash cart changes hands—a lot. Between central supply staff, pharmacy technicians, pharmacists, nurses, emergency physicians, and environmental services personnel, a crash cart can change hands several times in a single rotation. We often find that the computer on the crash cart is configured with a shared account so that it is immediately available to anyone who needs to use it. This anonymity may have encouraged users to browse Facebook and other non-work-related web sites.

No other security products alerted on this behavior because web browsing is considered “normal” behavior for a computer. Additionally, what the hospital’s other security products did not know is that this computer was associated with the crash cart and that it therefore processed PHI. Armis knew this because we understand the context of each device on the network and know how each device is supposed to be used. Non-work related web browsing has led to HIPAA violations and to compromise of the computer by malware downloads.

Our recommendations for all healthcare delivery organizations are the following:

• Monitor the behavior of all medical devices in your environment, and look for behaviors that are unexpected for each type of device based on their role.
• Ensure that FDA classified devices are not communicating to unauthorized destinations.