CIO offers a primer on using AI and machine learning to secure IoT devices


2021-05-04 04:30:09 Healthcare IT News


Skip Rollins is CIO at Freeman Health, the largest health system in southwest Missouri, with 5,000 employees, including more than 350 physicians on staff. Like healthcare CIOs across the nation, Rollins has been fighting off the sharp rise in Internet of things attacks plaguing the industry. IoT devices, including medical devices, are prime targets for hackers, because they can be easy back doors into primary healthcare networks, where the hackers can gain control over critical systems and data. Rollins monitors and secures the more than 17,000 IP-connected devices Freeman Health uses to run its facilities and care for patients.

To help readers with this daunting cybersecurity task, Healthcare IT News interviewed Rollins to discuss the ways he goes about keeping his IoT devices secure, including his use of artificial intelligence.

Q: Overall, what are the challenges of securing a healthcare organization's Internet of things devices?

A: We're seeing an increase in attack surface from the explosive growth of mission-critical IoT devices – including medical devices – that are actually outgrowing the number of traditional IT endpoints. These devices play a critical role in patient care and range widely, from expensive imaging equipment that scans for tumors and HVAC systems that maintain proper air quality, to video surveillance cameras that monitor parking garages.

But these devices also introduce some new security challenges. There are a myriad of them from very different manufacturers, making them harder to secure. These IoT devices aren't designed with security in mind, often run obsolete operating systems and cannot be patched easily. In addition, due to the small footprint of these devices, you cannot support traditional endpoint security agents on them.

As a result, any IT and cybersecurity strategy for a healthcare organization needs to include the security of connected devices such as IoT, including medical devices.
Q: How do you monitor and secure Freeman Health's extensive use of more than 17,000 IP-connected devices?

A: My job as a CIO has evolved so much over the years. My peers and I are much more focused on the business aspects of our role versus the technical side of operations, and that means ensuring that these devices stay in service to support our patients while mitigating the risks that they may bring.

Many of the devices we have are directly involved in patient monitoring. The remainder include facilities-management equipment like HVAC, environmental controls, door locks and security cameras, as well as administrative devices like IP phones, office systems, intercoms, mobile devices and laptop computers.

The first step with securing these devices is really to know what is actually in your network. You can't protect what you don't know about. That's foundational to security. Once you know what devices are in your network at a granular level – make, model, serial number and operating system they are running – then you can start to understand the risks associated with them, such as vulnerabilities or weak passwords.

The second step is to understand what these devices are doing. You cannot protect what you don't understand. Simply knowing a device is an infusion pump isn't enough. You must understand what it is doing in order to protect it. It's actually easier to understand devices, compared to users, because devices have very deterministic functions. A camera should perform a certain function, regardless of what it is and where it is deployed. By baselining what's normal, you can identify communications to a malicious domain or an unknown country.

Once you know the device and what it's doing, you can then create appropriate policies to secure these devices. When you have tens of thousands or hundreds of thousands of devices that need to be secured, automation and AI [are] the key to do this at scale and without introducing any errors.
We are very aggressive in our use of technology, and we lean on cybersecurity solutions like Ordr that can help us do this – discover and classify devices, map their communications patterns, and secure them – in an automated fashion and at scale.

Q: How do you identify anomalous and suspicious device communications outside the organization?

A: To identify anomalous and suspicious device communications, we need to first establish a baseline of what's normal. To do this at scale, you must be able to apply machine learning to accurately classify each device and baseline its dynamic behavior along with the context of your network.

If you can do that, you can immediately identify potential "mutations" – devices that are not behaving the way they should – and mount an appropriate response to ensure business continuity and prevent catastrophic downstream consequences.

For example, an HVAC system should communicate with a trusted smart building controller using approved protocols and applications such as BACnet, but can be blocked from communicating to the Internet or to another HVAC system.

Q: How do you bridge holistic security of all Freeman Health campuses among non-IT affiliated teams such as biomedical and facilities?

A: Cybersecurity is a team sport. It requires close collaboration among all key stakeholders. Within a healthcare organization, it involves security teams, HTM/biomedical teams, and networking/IT teams working together. My security team may identify a vulnerability associated with a medical device and recommend a patch, but they aren't responsible for implementing the patch. The HTM/biomed teams are.

Perhaps the medical device is running an obsolete operating system and no patches are available. Then the IT and networking teams play a role in segmenting and isolating that device to keep it secure. Everyday users like our doctors and nurses also play a key role in cybersecurity by spotting a phishing attempt and reporting it.
My role as CIO is also to help the business optimize costs, so we also work with non-IT affiliated teams like finance. We use our connected-device security solution to provide device utilization insights. When our healthcare staff puts in a request for new devices, we help our finance teams make smart capital spend decisions with these utilization insights.

Now we can look at a requisition need for new medical devices, and if the current utilization is low, we can reallocate existing devices to meet the needs rather than spend money to buy new equipment.

Twitter: @SiwickiHealthIT

Healthcare IT News is a HIMSS Media publication.
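The three steps Rollins describes (inventory each device at make/model/OS granularity, learn what it normally talks to, then enforce a policy such as "an HVAC unit may speak BACnet to the building controller but not to the Internet or to another HVAC unit") as a worked example. This is added illustration code, not Freeman Health's process or Ordr's implementation; the inventory, device classes, policy table, site address range and flow records are all constructed for the example, and the only real-world constant is BACnet/IP's registered default UDP port 47808. The "unknown country" check from the interview is left out because it needs an external geolocation database.

```python
"""Inventory, baseline and policy checks over connected-device flows.
Added example: every device, address, policy entry and flow below is constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

BACNET_PORT = 47808  # registered default UDP port for BACnet/IP (0xBAC0)

# Constructed inventory at the granularity the interview calls foundational:
# make, model, OS and a functional class per IP-connected device.
INVENTORY = {
    "10.20.1.10": {"class": "hvac", "make": "ExampleCo", "model": "RTU-1", "os": "VxWorks 6.9"},
    "10.20.1.11": {"class": "hvac", "make": "ExampleCo", "model": "RTU-1", "os": "VxWorks 6.9"},
    "10.20.0.5": {"class": "bms", "make": "ExampleCo", "model": "BuildingCtl", "os": "Linux"},
    "10.20.0.6": {"class": "bms", "make": "ExampleCo", "model": "BuildingCtl", "os": "Linux"},
    "10.30.2.7": {"class": "camera", "make": "ExampleCam", "model": "IPC-200", "os": "embedded Linux"},
    "10.30.0.9": {"class": "nvr", "make": "ExampleCam", "model": "NVR-8", "os": "embedded Linux"},
}
# Constructed site address space; anything outside it is treated as the Internet.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Per-class allow-list of (peer class, protocol, destination port); all else is denied.
# Deterministic device functions keep these short: HVAC only needs BACnet to the
# building controller, a camera only RTSP to its recorder.
POLICY = {
    "hvac": {("bms", "udp", BACNET_PORT)},
    "camera": {("nvr", "tcp", 554)},
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def peer_class(ip):
    """Inventoried class, 'internal-unknown' for unlisted site addresses, else 'internet'."""
    if ip in INVENTORY:
        return INVENTORY[ip]["class"]
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal-unknown"
    return "internet"

def check_flow(flow):
    """Policy verdict for one flow: a list of violation reasons, empty when conformant."""
    src = INVENTORY.get(flow.src)
    if src is None:
        return ["unknown source device"]  # you cannot protect what is not inventoried
    pc = peer_class(flow.dst)
    reasons = []
    if pc == "internet":
        reasons.append("internet egress")
    if pc == src["class"]:
        reasons.append(f"{pc}-to-{pc} lateral traffic")
    if not reasons and (pc, flow.proto, flow.dport) not in POLICY.get(src["class"], set()):
        reasons.append(f"{pc}:{flow.proto}/{flow.dport} not in {src['class']} policy")
    return reasons

def learn_baseline(flows):
    """Per-device set of (dst, proto, dport) seen in a learning window. Only policy-conformant
    flows are learned, so an already-compromised device cannot teach its beaconing as normal."""
    baseline = defaultdict(set)
    for f in flows:
        if not check_flow(f):
            baseline[f.src].add((f.dst, f.proto, f.dport))
    return baseline

def detect(flows, baseline):
    """Flag flows that break policy or, if conformant, deviate from the learned baseline."""
    alerts = []
    for f in flows:
        reasons = check_flow(f)
        if not reasons and (f.dst, f.proto, f.dport) not in baseline.get(f.src, set()):
            reasons = ["new peer outside learned baseline"]
        if reasons:
            alerts.append((f.src, f.dst, f.proto, f.dport, "; ".join(reasons)))
    return alerts

# Constructed flow records: a clean learning window, then a live window with deviations.
LEARNING_FLOWS = [
    Flow("10.20.1.10", "10.20.0.5", "udp", BACNET_PORT),
    Flow("10.20.1.11", "10.20.0.5", "udp", BACNET_PORT),
    Flow("10.30.2.7", "10.30.0.9", "tcp", 554),
]
LIVE_FLOWS = [
    Flow("10.20.1.10", "10.20.0.5", "udp", BACNET_PORT),   # normal
    Flow("10.20.1.10", "10.20.1.11", "udp", BACNET_PORT),  # HVAC to HVAC: lateral traffic
    Flow("10.20.1.11", "203.0.113.50", "tcp", 443),        # HVAC to the Internet (TEST-NET-3 stands in for a public host)
    Flow("10.20.1.10", "10.20.0.6", "udp", BACNET_PORT),   # allowed by policy, but a controller it never used before
    Flow("10.30.2.7", "10.30.0.9", "tcp", 554),            # normal
    Flow("10.30.2.7", "10.30.0.9", "tcp", 22),             # camera opening SSH to the recorder
    Flow("10.30.2.7", "10.30.5.5", "tcp", 554),            # camera streaming to an uninventoried host
    Flow("10.99.9.9", "10.30.0.9", "tcp", 554),            # traffic from a device nobody inventoried
]

def run_example():
    """Learn the baseline from the clean window, then run detection on the live window."""
    return detect(LIVE_FLOWS, learn_baseline(LEARNING_FLOWS))

if __name__ == "__main__":
    for src, dst, proto, dport, why in run_example():
        print(f"{src} -> {dst} {proto}/{dport}: {why}")
```

The two layers are deliberately separate: the policy table encodes what a device class is allowed to do and catches the HVAC-to-Internet and HVAC-to-HVAC cases the interview names outright, while the learned baseline catches the quieter deviation of a device talking to a peer that policy permits but it has never used, which is the kind of "mutation" that only a per-device history reveals. On real flow data the learning window should be long enough to cover periodic traffic (firmware checks, nightly backups) or those will surface as false positives once detection starts.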