It’s a classic case of the good, the bad and the ugly.
The good: hospitals have seen a vast development in the adoption of new technologies. The bad: as more things get connected, there is more room for security breaches. The ugly: we are seeing more and more instances of malware being written, with Ransomware being one of the hottest topics in healthcare right now.
From privacy violation to impacting a hospital’s ability to care for patients (with no access to patient records, one hospital had to close its doors for two days) these major security breaches have gotten the attention of the press and are making healthcare organizations very aware of the fact that they need to do more to ensure the security of their patients.
If you’re sitting there thinking, “But wait, this doesn’t apply to me… I have a firewall, I’m all set,” Think again.
In this ‘Ask the Experts Series’, our in-house healthcare security expert, Alex Swan, dispels several of the common myths surrounding firewalls.
Demystifying Hospital Security
Myth #1: We’re fine, we’ve got a firewall. This is one of the most common misconceptions surrounding security and I see it all the time. People think, we’re fine, we’ve got firewalls, were protected. But in reality, security is much more than implementing one type of technology. Don’t get me wrong, a firewall is still a required component of any network, but it should not be your first and last line of defense. We are seeing lots of products that push security as a point solution, but security needs to be a complete solution that goes beyond just securing the network edge. If we are going to have more secure hospitals, we need to get away from the concept that if we have firewalls, we are safe.
Myth #2: Devices are protected behind the boundary of my firewall. Firewalls are always placed on the boundary of the network or installed on a specific machine. However, lower level IoT devices can’t have a firewall installed on them, so they are placed inside the network, behind the boundary of the firewall, which is where vulnerabilities occur. Here, we have the Wi-Fi network with a mix of devices – guest, patient, clinician – connecting to it. If one of these devices is infected, we are exposing it to all of the life-critical medical devices that share the air. An example of how this is a recipe for disaster would be in the case of the two part medical device that monitors the blood sugar level of diabetes patients and injects the appropriate dosage of insulin. These two devices can communicate with each other, but other things can also communicate with them, leaving them open to vulnerabilities in a network where a mix of devices are simply placed behind the boundary of a firewall.
Myth #3: The best solution is to put all medical devices on a dedicated network protected by a firewall. When hospitals first realized medical devices were subject to risk, many pulled them out and isolated them on the network and put them behind the firewall. It’s true that this did mitigate a lot of risks, but now these hospitals are stuck with a huge operational overhead. Every time they need to move a device from one room to another room down the hall, a change request is required and a network engineer has to reconfigure the network manually and update the firewall. From what I have seen, in the best cases this takes a couple of days and in the worst cases it can take longer than a week! This is not sustainable for the highly dynamic nature of devices residing in a hospital environment.
Going forward hospitals need to be aware of these myths. Gone are the days of a firewall only security solution. As the hospital environment becomes more complex it behooves IT teams to develop complex security strategies with a multi-layer defense. Firewalls are still going to be a part of the solution, but they aren't the end all be all solution to cyber security defense. Hospital IT teams need cumbersome solutions with firewalls, antivirus software, network access control systems, built in policies, network analytics, network management, and governance engines to secure the entire hospital network. A complete security strategy that makes security inherent throughout the entire network is more important than a boundary security device, like a firewall device, that just sits at the edge.
Want to learn more about securing your hospital network. Read the Solution Brief, IoT and Medical Device Safety for Healthcare