May 30, 2019

Securing Vulnerable Medical Devices with Gigamon Insight

Healthcare delivery organizations (HDOs) have a tough row to hoe when it comes to cybersecurity. For example, consider the fact that HDOs are prevented from installing endpoint clients on many medical devices, due to guidelines from the U.S. Food and Drug Administration (FDA) and the U.S. National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF).

This leaves the network as the place to look, and HDOs need a solution that can detect and respond to active threats within the environment from there.

So, if it falls to people like me — seasoned IT veterans hip-deep in all things network security — to lend an assist with solutions like Gigamon Insight, so be it. HDOs and doctors can stick to what they’re best at, and I can help them not have to worry about the finer details of hardening insulin pumps. Win-win.

Late last year the MITRE Corporation, assisted by the FDA, made its own contribution to the struggle by releasing the “Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook,” which delves into the nitty-gritty of how hospitals and other HDOs can develop a “cybersecurity preparedness and response framework” sufficient to safeguard their lifesaving work.

The playbook, which you can read in full at the link above, splits its incident response recommendations across several phases, the first two being 1) Preparation and 2) Detection and Analysis. I thought it’d be interesting to keep with that framework while exploring how our Gigamon Insight solution can shore up many of the weaknesses exposed by MITRE’s playbook.

Phase 1: Incident Preparation

Key challenges: HDOs need to gather and maintain information on the medical devices on their networks. They also need to perform hazard vulnerability analyses (HVAs) to gauge the impact of potential cybersecurity incidents, and then perform mitigations of identified risks.

How the Insight solution helps: Gigamon Insight sensors deployed within the HDO’s network can collect the network traffic to/from the medical devices and extract rich metadata, storing it in a centralized SaaS repository. This metadata helps build an inventory of medical devices and can be used to establish a baseline of normal network traffic.

Speaking to HVAs, the Insight solution’s network sensors are designed to be deployed rapidly and to scale up or down as needs shift. Sensors are fully managed and can be deployed in minutes across a variety of environments. This enables HDOs to arm their incident responders with the network visibility of medical devices necessary to effectively detect, respond and investigate cybersecurity incidents.

Phase 2: Detection and Analysis

Key challenges: It’s ever more difficult to detect cybersecurity incidents perpetrated by sophisticated attackers; for that reason, HDOs need help creating and maintaining methods for threat detection. It is further challenging to accurately determine the severity and scope (such as the number of affected devices) of a given security incident, which is necessary to prioritize it. And post-incident forensic investigation may be necessary to determine the full extent of the damage.

How the Insight solution helps: The Insight solution provides HDOs with an automated detection engine that can immediately notify security teams when a cybersecurity incident is detected through inspection of network event metadata. Gigamon Applied Threat Research (ATR) continuously crafts and qualifies a set of high-fidelity managed detections designed to identify attacker behaviors and patterns, and HDOs can also create their own customized detections, specific to their environment, to detect unexpected or unwanted adversarial activity.

Gigamon ATR also provides category, severity level and confidence ratings on each detection, and when possible, maps them to the MITRE ATT&CK framework so incident responders can easily determine the type of incident that was detected. At the same time, the Insight solution’s entity enrichment provides incident responders with forensic information collected from a wide array of external and internal sources during the investigation. Investigators can also have Insight perform targeted packet capture of network traffic on the impacted devices.
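As an added example (my own illustration, not Gigamon code and not a description of how Insight works internally), the inventory-and-baseline idea running through both phases above reduced to a small script over constructed flow metadata: devices are keyed by source IP, each device's normal peers are learned from a training window, and later flows to a peer that device never contacted are flagged, with higher severity when the peer sits outside the assumed HDO address range (10.20.0.0/16 here).

```python
"""Build a medical-device inventory and traffic baseline from network
flow metadata, then flag flows that deviate from that baseline.
All records below are constructed sample data, not real HDO traffic."""
from collections import defaultdict

# Constructed flow metadata: (timestamp, src_ip, dst_ip, dst_port, proto, bytes).
BASELINE_FLOWS = [
    ("2019-05-01T08:00:00", "10.20.1.15", "10.20.9.5", 104, "tcp", 48000),   # imaging device to PACS
    ("2019-05-01T08:05:00", "10.20.1.15", "10.20.9.5", 104, "tcp", 51000),
    ("2019-05-01T08:10:00", "10.20.1.22", "10.20.9.8", 2575, "tcp", 900),   # monitor to HL7 interface engine
    ("2019-05-01T09:00:00", "10.20.1.22", "10.20.0.2", 53, "udp", 120),     # DNS lookup
]

NEW_FLOWS = [
    ("2019-05-02T03:12:00", "10.20.1.15", "10.20.9.5", 104, "tcp", 47000),      # matches baseline
    ("2019-05-02T03:14:00", "10.20.1.15", "203.0.113.7", 443, "tcp", 2200000),  # never-seen external peer
    ("2019-05-02T03:15:00", "10.20.1.22", "10.20.1.15", 445, "tcp", 3000),      # never-seen internal peer/port
]

def build_inventory(flows):
    """Per device (source IP): first/last seen and the (proto, port) services it uses."""
    inv = {}
    for ts, src, dst, port, proto, nbytes in flows:
        d = inv.setdefault(src, {"first_seen": ts, "last_seen": ts, "ports": set()})
        d["first_seen"] = min(d["first_seen"], ts)  # ISO-8601 strings sort chronologically
        d["last_seen"] = max(d["last_seen"], ts)
        d["ports"].add((proto, port))
    return inv

def build_baseline(flows):
    """Per device: the set of (dst_ip, proto, dst_port) peers seen in the learning window."""
    base = defaultdict(set)
    for _, src, dst, port, proto, _ in flows:
        base[src].add((dst, proto, port))
    return base

def detect_deviations(baseline, flows, known_prefix="10.20."):
    """Return alerts for flows whose (device, peer) pair never appeared in the baseline.
    A device absent from the baseline is treated as unknown, so all its flows alert.
    known_prefix is an assumed HDO address range; peers outside it are rated higher."""
    alerts = []
    for ts, src, dst, port, proto, nbytes in flows:
        if (dst, proto, port) in baseline.get(src, set()):
            continue
        severity = "high" if not dst.startswith(known_prefix) else "medium"
        alerts.append({"time": ts, "device": src, "peer": dst, "port": port,
                       "proto": proto, "bytes": nbytes, "severity": severity})
    return alerts
```

In practice the baseline would be keyed on a stable device identifier (MAC or asset tag) rather than an IP that DHCP may reassign, and the learning window would be long enough to cover periodic traffic such as scheduled PACS transfers.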

The Bigger HDO Infosec Picture

Sounds impressive, right? I certainly think so. To wrap up, let’s pull this all together.

As the number of medical devices in HDOs’ networks increases each day, so too does the attack surface for threat actors. Security teams need a way to quickly and easily guard these medical devices from the onslaught of cybersecurity threats. A network security-monitoring solution like Gigamon Insight is an effective way for HDOs to cover not only existing medical devices in their networks, but also the new devices continually being added.

The Gigamon Insight solution can help HDOs quickly discern between sophisticated and unsophisticated attacks. It helps eliminate blind spots, providing real-time access to current and historical network activity for superior threat hunting. And it rapidly converts successful hunts to detection capabilities in one unified platform.

Lastly, as I outlined above, the Gigamon Insight solution is great at helping HDOs adhere to the recommendations put forth by MITRE and the FDA, by providing HDO security teams the visibility coverage they require to secure their medical devices and enabling them to effectively detect and respond to whatever cybersecurity threats emerge. And if I feel good knowing that my expertise and the company I work for is helping medical professionals keep doing what they do best, then hey — that’s a happy bonus.
