Artwork for podcast This Week Health: Conference
Challenges and Solutions to Unmanaged Devices in Healthcare: Securing OT Assets
Episode 5336th September 2022 • This Week Health: Conference • This Week Health
00:00:00 00:12:44

Share Episode


This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Thanks for joining us. My name is bill Russell. I'm a former CIO for a 16 hospital system and creator of this week health, a channel dedicated to keeping health it staff current and engaged. Welcome to our device security briefing. This is such a gnarly problem for healthcare leaders, and I'm excited to get into this topic today.

We're joined today by Samuel Hill director for healthcare for Medigate by Claroty. This podcast series is gonna culminate in an excellent webinar on September 8th at one o'clock Eastern time, we're gonna have two experts from leading healthcare systems. We're gonna have Intermountain and children's of LA Eric Decker is gonna join us and Andrew Sutherland.

And they're gonna talk about the challenges and solutions to unmanaged devices. In healthcare, check out more for more information, just check out the description box flow and the registration link. You could also just go to our website this week. in the upper right hand corner. We will have a link to this upcoming webinar.

Love to have you join us. We wanna thank Medigate for giving us some time with Samuel today and for making this content possible. Now onto 📍 the show.

All right. Today, we are joined by Samuel Hill director for healthcare, for Medigate by Claroty. And before working in technology, he spent seven years as an emergency room tech for two different health systems lived through EHR transitions in both of them, Samuel as a husband to one father to four and lives on a rural island near Seattle, Washington. And he has been acting as our guide and our expert on device security within health systems, Samuel. Welcome back.

Hey, it's good to be back, bill. Thank you for having me,

man. We've covered so much. If this is the first time you're tuning in, we've done four episodes already. We did visibility and transparency as the foundation for zero trust.

We talked about holistic assessments of your system to improve security strategy. We talked about the M and a event and really having an, a, an understanding of what you have in terms of your inventory prior to that event and even post that event and how that helps. And then the last one, we talked about device utilization.

I learned a ton in that. One of just how how to effectively manage the devices we have in the system. Today we're gonna talk about OT. What is it and how to secure it, and we're gonna start with OT. What is it? Samuel help us out.

OT is it's short for operational technology. And so we think about it as all the devices and things that help to operate or run or keep moving either systems or things.

Obviously we have a lot of OT environments in our world, whether it's their manufacturing plant or pharmacological stuff, or oil, gas, water, some of the critical things there, but OT and healthcare in my mind, it's really the systems that keep the hospital running. Obviously patient care is primary of focus, but really that can't happen inside of, or outside of.

The hospital environment in many cases. And so having the right heating and cooling and fire alarm controls and badge reader access, and camera systems and pneumatic tubes, and you name there's a wide wide list of operational technology that keep hospitals operating.

Yeah. So that campus is loaded with that kind of device. And typically when we're talking about monitoring that and seeing, and having a good inventory of that equipment and whatnot , we're looking at a different set of tools altogether. Are you saying essentially that monitoring the medical device tools, monitoring these tools that they can come under one umbrella?

Well, if they're connected into the same network, I know historically these environments were kind of air gap where they had no physical connection into other types of networks. That's not happening as much anymore. And so there can be either a logical separation or they're just connected into the same network infrastructure.

And so, yeah, tools that I can see the network traffic will identify that this is a building automation system that's communicating on the network. And the next packet shows that it's a medical device communicating on the network. And then the one after that, as a, as an apple iPhone, that a nurse is using for a nurse call and things like that, they're all visible within the network traffic.

And these can be targets for cyber attacks. Can't.

scariest thing about operational technology is that the, the TTPs, the tactics, techniques and procedures that people will use against them are really simple. And they're really easy to execute, unfortunately. So in a lot of cases we're seeing the risk is significant.

You could think about other different industries. The colonial pipeline we saw a couple years ago in the United States where the gas was shut down to the Eastern seaboard was an operational technology attack, if you will. So the significant impact of that now imagine in your hospital, if these devices were compromised and all of a sudden the the air conditioning failed and, and room temperatures started to go up 80, 90 degrees to Fahrenheit how, how difficult would patient care be, or if the elevator systems no longer functioned, and we're not able to get patients or staff or people up to the multiple floors on your campus what kind of impact would that have to the delivery of care at your hospital?

Yeah, that that really could be a ransomware level attack. Couldn't it?

Well, I've had some CISOs, they describe it. Like our board would notice that a lot faster than if a medical device was compromised.

That is so true. Turn off the air conditioning. The next time the board comes together in your hospital. I'm pretty sure they would notice

it's either gonna be the shortest meeting of their tenure, or it's gonna be the most contentious. And I'm not sure which way it would go, but either way, I mean, it's not good.

Yeah. There, there, there might be some CEOs now considering this as a strategy and it's not a good strategy, I would imagine. It's interesting. So I would assume we treat these devices differently, right? So we look at 'em differently and those kinds of things do we look at 'em differently?

well, I don't know that we should. I mean, there's, there's certain, I think there's certain maturities that we've come to understand in healthcare security your it assets, you're probably fairly mature on your, it asset security.

Like you can put all the agents on them, you can do all the things. IoT devices, maybe you're a little further along in security. I hope you're really secure in your medical device journey. Like you've got a lot of maturity there perhaps, but these building management systems know, they're typically procured and operated by your facilities teams or real estate group, or

again, they wouldn't report into me. Somebody else would have as the CIO, I wouldn't necessarily have the building management systems. They would be somewhere else.

But those devices are connected to your network. So yes, inferentially, they, they kind of do in a way, right? So their traffic and their communication is a concern for you. So you may not say like, okay, no, you cannot buy that specific type of device, but you might say here's how that device will communicate on my network within these parameters. The key to it though, is you gotta know, it's actually communicating on your network. You have to understand that it is there and that it's doing something in your environment.

Well we used to, we used to air gap, these things. Why don't we air gap 'em today? Why is the strategy changed?

I've talked to some people that still do that or, they, they still, they built a new building a few years ago and they said, no, it's a completely isolated network. It is not touching our production it or gas networks at all. Great. Congratulations. If that's something you wanna spend your money on and have the resource and budget to do, that's great.

But with today's security technology, to the ability to segment networks, to enforce policy across a wide variety of things, it has become more cost effective to build a single network backbone, and then make sure you got the right policies. Now, the, the challenge was, I don't know that there was a lot of accounting for the multitude of device classes and families that now connect to these converged networks.

So the benefit is we got a single it platform to run and operate and manage the, the downside is there's now more things connected to it that have unique risk.

So we went from air gap. I assume we, we landed off today for the most part.

Try to right. You wanna, you ought be able to have it only communicate and segment it and V L or whatever that is, that your strategy is for that to its own kinda safe space, if you will.

Interesting. what do leaders need to know about these building management systems? I mean, we've talked about some of em at this point. I think the first thing is that they exist and they're on your network and they could potentially be at risk. Is there anything else they really need to.

Well then what vulner, these they're all software based devices as well. So what vulnerabilities do be associated with these devices? Does your elevator controls have a known and published vulnerability that you like your medical devices? You may not be able to get a patch for, for the next three or four years.

So how would you then build your strategy around securing that device in your environment with the known vulnerability that, what would you do there? So that's kind of the next step that leaders would take again, knowing it's there, knowing what risks are associated with it, and then making the decisions about how will we then what shall we now do?

can we talk about the Medicaid solution here for a second? So you've talked about monitoring my medical devices now building management system devices and whatnot, and I assume you can get me an accurate inventory. We keep talking about the software versions and those kind of things on it.

Do you track that from the, the vendor side and then help us to, to see what our gaps are in that area?

In fact, we can look at the specific software versions and then obviously all vulnerabilities that are published, they're all published. And so we, we scroll the internet and all the sites to make sure we're producing all those vulnerability reports inside of the mitigate tool.

So you can look at specific Mai ransomware is a good example right now, right? The Maui ransomware came out. We wanna be able to identify and it's still. In investigation, everybody's trying to figure this whole thing out. But when that is fully populated, we can say here's all the devices affected by it.

That's useful, including if it's a building system, including if it's a IoT device or even your it assets in addition to your medical devices. And so then yeah, working with the manufacturers as well to kind of confirm and validate, which is what hospitals have to do anyway. So if the vulnerability comes out, they gotta call their manufacturer and say, Hey, how real is this?

What's my risk. How, what do we do? What's your guidance? There's a lot of back and forth with a tool like mitigate, having really accurate details about each and every connected device. It helps to speed that conversation up fairly significantly.

So you're monitoring new vulnerabilities that are out there in general to IoT devices. You're monitoring vulnerabilities specifically to a set of medical devices, I assume. Oh, how many of those medical devices do you think you guys cover at this point?

Well, I. it's a much smaller list than ones that we don't. So if the device is in your environment, we're going to have a profile for it, including the vulnerabilities that would be associated with that specific device.

I mean, it's one thing to read a vulnerability announcement and say, oh, that looks really scary, but it's another thing to say. Here are the 15 devices that are in my environment somewhere that are impacted by this vulnerability that you can now take and prioritize the action on.

Yeah, that's fantastic. Where can people go for more information?

Go to and you can go to forward slash demo. We'd love to get a chance to kind of show this to you and ultimately like show the real data that's in your network, including your building management systems, your medical devices, and also your it and IoT devices, really anything that's connected and communicating on your network, providing you the visibility to it. So you can make decisions that are appropriate.

Fantastic. Samuel. This has been a great series of conversations. Number five in our series. I really appreciate your time and we've got a webinar coming up, so we're gonna get together one more time, looking forward to it.

I'm looking forward to that 📍 as well.

What a great discussion. I wanna thank our sponsor for today. Medigate by Claroty for investing in our mission to develop the next generation of health leaders. Don't forget that this whole series ends culminates with a great webinar that we are going to have, and we have two great healthcare leaders. We're gonna join us. Intermountain, Eric Decker children's of LA Andrew Sutherland. And we are going to talk about the challenges and solutions to unmanaged devices in healthcare. You can check out the description box flow for more information and the registration link. You can also go to our website this week, and look for a link to it in the top right hand corner of the page.

Love to have you join us again September 8th at one o'clock Eastern time. Thanks for listening. That's all for now.