Armis Use Cases for Healthcare, Part 1

By Sumit Sehgal, Strategic Product Marketing Director

The Importance of Device and Asset Visibility

“What is our risk threshold?” That is a question that leaders of Information Security, IT, Compliance, and Operations in a healthcare organization need to answer frequently every month. To be able to qualitatively answer that question, a baseline context needs to be established. A grounded and introspective approach to Asset Management, Visibility into Data flows and Identity are the foundational elements needed to generate that elusive “context.”  If done well, this leads to a cohesive approach to continuity of operations that is powered by resiliency, derived from a strong information security strategy.  

As a former healthcare CISO, I have seen organizations use a variety of connected assets and devices that are critical not only in the care delivery / clinical decision support process but also used to provide much-needed patient engagement and satisfaction. These devices are known collectively in the industry as the Internet of Medical Things (IoMT). Analytics and data produced by this ecosystem are incredibly valuable, but it’s exposed to the same cybersecurity threats that affect any existing IT infrastructure that connects to organizations intranet or the Internet itself. 

As we usher into 2021, I have seen healthcare organizations adapt by accepting and implementing 8 - 10 years of innovation in a span of 8 - 10 months. That innovation was not only in areas of remote care and telemedicine, it was also in the use of automation technologies to help remote workers, improve logistics, tie consumer devices with enterprise workflows. This has compounded the device visibility problem by creating a complex ecosystem of legacy devices, hybrid IT systems, cloud-integrated consumer health devices, all of which are in a constant state of flux related to their operating system versions, firmware, and software updates. 

This is where we begin.  Using existing security frameworks for IT and security, we can extend visibility not only to IoMT but to the ecosystem that maps the devices to “the patient journey.” The breadth of coverage, in this case, is as important as understanding the nuances of specialized medical devices. This allows for effective threat modeling which underpins the design of an effective security strategy.

In the world of healthcare today, I have seen nanotechnology, smart implantables, and augmented reality-based procedures coexist with legacy devices like integrated infusion pumps and dialysis machines. When you factor in other technologies like smart building automation, robotics, and supply chain systems, a list of challenges can be articulated for which the visibility process is key in addressing:

  1. Correlating device configuration and vulnerabilities with operating risk
  2. Mapping utilization with data from a security risk to prioritize incident response actions
  3. Identifying areas for improvements in clinical quality and risk
  4. Increasing data confidence for IT governance will help improve operational tasks (e.g. patch management, inventory, etc) which result in operational cost savings. 
  5. Qualitative and quantitative improvements in analytics for compliance reporting

Armis provides healthcare IT and Operations professionals with solutions that help address these challenges. Let’s take a closer look at these to better understand how they create a more secure environment for healthcare organizations:

Device Visibility

A key friction point is balancing approaches as it pertains to managed vs unmanaged devices. To help reduce that, Armis uses an automated approach that discovers every connected device in an environment. This includes managed, unmanaged, medical and IT, wired and wireless, and everything both on and off the organization’s network. This approach helps baseline the onslaught of new/unknown devices and helps categorize them in alignment with the appropriate clinical care or support function. 

For healthcare organizations, this means that in addition to employees’ smartphones, tablets, and printers, it can discover security cameras, temperature control systems, and even kiosks that are used in a clinical environment. Details such as manufacturer, model, operating system, serial number, and a wide range of identifying data points are also included.

In addition, Armis also delivers activity and behavioral data. This gives IT and security teams information like DNS queries, TCP sessions, HTTP requests, as well as device utilization, and application usage. This information can be used to secure medical devices, as it identifies the different services and systems these devices communicate with to segment the network or identify all devices that do not have endpoint protection software deployed. The data is then analyzed against activity from hundreds of millions of device behaviors in the Armis Device Knowledgebase to determine what may be anomalous. A device behavioral profile is then created which IT teams are able to use for operational tasks to maintain a secure, compliant environment. 

Device Location and Usage

In addition to discovery, the Armis platform ingests data about how devices are being used, where they’re being used, and who is accessing them. These insights give IT leaders the ability to plan maintenance, schedule downtimes, increase or downsize inventory, upgrade systems, or migrate to new systems as needed. 

With this information, device downtime is reduced and scheduling of medical equipment can be done efficiently based on usage patterns. For healthcare delivery organizations, these benefits translate into both cost savings and improved care delivery. Visibility from the Armis platform ensures optimal uptime and operations of critical medical devices and enables the following:

  • Compare usage across facilities for better equipment distribution
  • Identify offline devices and bring them back into service
  • Identify where end-of-life medical devices are still being used
  • Identify recalled devices and schedule maintenance windows
  • Make better-informed purchasing decisions
  • Improve operating costs by avoiding purchasing additional inventory to replace “lost” items

Airspace Device Discovery and Risk Management

From a security operations perspective, asset identification often occurs through scanning tools that only detect physical or logical network-level telemetry. This isn’t enough to keep devices secure, as attacks can be obfuscated,, and relying only on the physical or logical network data can lead to blind spots as intrusion points to an organization’s network and resources. 

Armis can identify everything within the entirety of the organizational environment, including devices in the airspace that use WiFi, Bluetooth, and any other types of peer-to-peer connection (e.g Zigbee) points that might evade older security tools. This is especially helpful in mapping devices to the care continuum and utilization/location mapping to support that effort. 

Rogue / Third-Party Device Discovery 

Armis also detects devices that are impersonating legitimate assets and get access through an existing network access control (NAC) system. Applying Armis' innovation in behavioral analytics,  the efficacy of the NAC strategy can be extended to identify advanced evasion techniques. This capability, additionally, helps to secure unmanaged third-party devices such as those used by patients, visitors, and staff who are connecting to a guest network. This can be used to support patient and family support use cases. (eg. securing tablets for patient communication, game consoles for kids, smart TV inpatient rooms for long-term patients, etc.)

Conclusion

Continuous visibility, context, and alignment of security analytics to enterprise risk is the beacon to which we need to move to improve how we view device and asset management. This helps improve the confidence of the data that powers most of the “information security decision support” as well as provide much-needed context to help healthcare organizations align their processes to help continuity of care, manage effective security and improve the the allocation of operating spend. Be sure to look out for my next blog in this series, where I’ll highlight how to effectively manage device risk based on high confidence device and asset data.

If you’d like to see a short demo of how the Armis platform can help you address your Medical Device Security, please click here.

Have our blog posts sent to your inbox.