Sep 21, 2020
By Sarah Czarnowski

IT Is Not OT—The Divergence of Medical Device Security

According to the Verizon Data Breach Investigations Report, the healthcare industry experiences more data breaches than any other sector, possibly because personal health information (PHI) is more valuable on the black market than credit card credentials. 

Beyond attacks on laptops, servers, and other IT devices, another source of healthcare security vulnerabilities might be harder to mitigate.

Operational technology (OT) medical devices include network-connected non-IT devices such as infusion pumps, ECG sensors, heart rate monitors, temperature sensors, respiratory rate sensors, and MRI and CT machines.

Many of these medical devices can be used as attack vectors into a hospital’s network. For example, about 70% of OT devices are running an unsupported version of the Windows operating system.  

But OT device owners and IT security teams often don’t even sit at the same table or have the same priorities. OT medical devices are highly regulated by the FDA in the United States and by similar organizations elsewhere, such as the European Medicines Agency (EMA). This often means only authorized clinical engineering personnel can maintain an OT device. 

In contrast to IT’s focus on protecting data, the OT device teams are focused on device safety, reliability, and availability. If the operation or alarms of an infusion pump are disrupted or altered by a security event, for example, this could possibly cause serious injury and even death to the patient. Thus, when a device known only by its IP and MAC address is under attack, and the IT teams are scratching their heads trying to figure out who to call, corrective action can take way too long.

This divergence of OT and IT is a challenge with many conflicting priorities, like limited resources and the sheer number of medical devices. According to the American Hospital Association (AHA), there are a total of 931,203 hospital beds in the United States. If an average hospital room has between 15 and 20 medical devices, millions of medical devices are connected to the network.

Sometimes healthcare technology management (HTM) or IT teams get misinformed, and they implement an OT device discovery and monitoring tool and call it a day. The problem with this approach is that while these tools do an excellent job identifying and assessing OT device security vulnerabilities, what’s missing is the more important step of an orchestrated, automated remediation.  

But remember: OT and IT aren’t speaking the same language.

Nuvolo OT Security has cracked the problem. First, we make sure all OT device information gets stored in one cloud-based inventory, often replacing multiple maintenance management systems. Then Nuvolo integrates with device discovery and monitoring tools, creating an intelligence hub of security events and detailed device information.

When a security event occurs, Nuvolo provides a shared view to OT and IT teams, showing the device(s) affected, the device owner, the device location, and the latest software and firmware versions. We use a rules-based identification algorithm that identifies the device or devices affected by the event or vulnerability and provides information on whether each device generates or stores PHI.

Then Nuvolo kicks off an automated orchestration of work orders, prioritizing what devices to correct first, identifying the remediation steps required, and tracking the status of the work. 

Even if the OT device and IT security teams aren’t always on the same page, this shared view makes it easy to quickly remediate OT device security events. 

It’s an approach to enhancing device security maturity with the orchestration of an automated response that can help OT and IT to converge.