Medical Device Cybersecurity Regional Preparedness and Response Playbook and Microsegmentation
by Taylor Colwell on Jan 30, 2023 1:38:55 PM
Healthcare organizations have made medical device cybersecurity an essential issue as they connect medical devices more and more to networks and the internet. Healthcare environments, like hospitals and clinics, collect and store large amounts of sensitive personal information, including medical records, financial information, and unique identification numbers. Because they hold so much sensitive personal information, these environments are attractive targets for cybercrime such as identity theft, financial fraud, and ransomware attacks.
Besides damaging finances and reputation, a cyber attack also risks hurting patients. For example, a ransomware attack on a hospital's computer systems could prevent doctors and nurses from accessing patient records, potentially delaying or even endangering care. Cybercriminals can also target third-party vendors or partners that provide healthcare organizations with software or devices, potentially gaining access to sensitive information through a single weak point in the supply chain. Healthcare organizations have begun to adopt microsegmentation strategies to respond to these increased risks. Also, with these increased risks has come a host of compliance regulations and publications that provide a framework for cybersecurity practices.
MITRE has published the Medical Device Cybersecurity Regional Preparedness and Response Playbook, which several Government agencies, including the HAA and the FDA, have sponsored. The primary focus of the publication is to assist in building an Emergency Operations Plan (EOP) for preparedness and response in the event of a cybersecurity incident. One of the primary advised methods for creating an EOP is implementing network segmentation, or microsegmentation, as a tool in the event of a cybersecurity incident.
So, what is microsegmentation?
A single network segment connects all systems and devices in a traditional network architecture. If a bad actor can gain access to one device on the network, they potentially have access to all devices on that network segment. Microsegmentation, on the other hand, involves dividing a network into smaller segments, or "microsegments," so that each segment only contains the devices and systems that need to communicate with each other.
In a healthcare environment, this could mean creating separate microsegments for medical devices, electronic health records, and other related systems. This way, if a hacker can gain access to one device or system, they can only access that specific microsegment and not the entire network.
Additionally, microsegmentation allows for implementing more granular security controls and policies. For example, a medical device microsegment could have stricter access controls and monitoring than a segment for administrative systems. Modern microsegmentation solutions enable controlling access from one device to another within the same VLAN by treating each asset as an individual segment. Implementing microsegmentation using the identity-based policy solution from Elisity is simple, despite how complicated it sounds.
In this blog post, we will explore the role of microsegmentation in an EOP following the guidance found in the Medical Device Cybersecurity Regional Preparedness and Response Playbook, including preparedness, incident detection and validation, and incident response.
Building an Emergency Operations Plan Using Microsegmentation as a Tool
Building an Emergency Operations Plan (EOP) is essential in preparing for and responding to a cybersecurity incident. Below is a summary of the recommended steps in creating an EOP.
- Identification of risks and hazards: In creating an EOP, the initial step is to recognize the dangers and threats that may impact medical devices. This involves determining the kinds of incidents that could happen, such as malware infections, unauthorized access, or data breaches, and the potential consequences these incidents may have on patient care.
- Planning and Preparation: After identifying the risks and hazards, the next step is to plan and prepare for potential incidents. Preparing for potential incidents includes identifying the roles and responsibilities of the incident response team, developing procedures and protocols for incident response, and identifying the resources and equipment needed to respond to an incident.
- Communication and Coordination: Building an EOP also involves establishing communication and coordination mechanisms to ensure that the incident response team can effectively communicate and coordinate their efforts during an incident. Critical stakeholders in an incident need to be identified and kept informed through this coordination, with communication channels established to share information and updates.
- Training and Exercise: Training and exercising the incident response team is an essential step in building an EOP. Preparation includes providing training on the procedures and protocols developed for incident response and conducting drills and exercises to test and evaluate the incident response team's preparedness.
- Deploy Microsegmentation: Elisity quickly deploys its identity-based microsegmentation solution to protect medical devices from cyber threats by dividing them into policy groups with varying access and security controls.
- Monitor and Respond: Elisity's solution provides network visibility and real-time monitoring, allowing organizations to quickly detect and respond to incidents and minimize the impact on patient care.
- Maintenance and Review: Building an EOP is an ongoing process and requires regular maintenance and review. Maintenance includes regularly updating the EOP to reflect changes in the organization's medical device inventory and reviewing and testing the EOP to ensure that it remains effective.
By building their EOP around Elisity, organizations can effectively isolate medical devices, manage risks, improve incident response, and minimize the impact on patient care.
6.1 - Preparedness
This section outlines how organizations should prepare for potential cyber incidents. Preparation includes creating a detailed inventory of medical devices, conducting a thorough analysis of potential vulnerabilities and hazards, and developing an incident response plan.
6.1.2 - Medical Device Asset Inventory
Organizations can use network segmentation to create a detailed inventory of medical devices, isolate and identify devices on the network, and assign them to specific policy groups. Understanding the devices on their network and their usage helps organizations identify potential vulnerabilities and hazards, a critical step in preparedness.
The requirements of Section 6.1.2 can be met directly by the detailed inventories Elisity creates: it detects every device on your network without the need for active network scans and aggregates identifying data about these devices from all available sources into a single source of truth.
6.1.3 - Hazard Vulnerability Analysis
Performing a Hazard Vulnerability Analysis as defined in Section 6.1.3 is only possible with the proper tools, like comprehensive asset inventories and intelligent network segmentation. This section provides guidance on how to conduct a thorough assessment of potential cybersecurity risks associated with medical devices. The assessment includes identifying potential hazards, vulnerabilities, and threats and assessing the likelihood and impact of these risks. By identifying these risks, organizations can develop a risk management strategy that prioritizes the protection of critical assets and functions and focuses on mitigating the most significant risks.
6.1.3 - Building Asset Inventories
Section 6.1.3 provides guidance on how to conduct a comprehensive inventory of medical devices, including identifying devices, determining their location, and assigning them to policy groups. By creating a detailed inventory through network segmentation that isolates and identifies devices and assigns them to specific policy groups, organizations can understand their networked devices and identify potential vulnerabilities and hazards.
According to the guidance in this section, building asset inventories involves more than just creating a database of objects. Organizations must categorize medical devices, group them into policy groups, and analyze their vulnerability and potential impact in case of a breach. Elisity provides tools to meet these needs, including in-depth asset identification, policy group mappings, and device criticality ratings. Find specific guidance for building asset inventories below.
Medical Device Asset Inventory: Building an accurate and comprehensive inventory of medical devices is a critical first step in identifying and managing cybersecurity risks. This inventory should include information such as device type, manufacturer, model, location, and software version.
Identification and Assignment to Policy Groups: Organizations must build the inventory and classify each device according to its level of risk and criticality. Classification can be done by assigning devices to policy groups based on their risk level and by creating specific security policies to protect devices in each group.
Hazard Vulnerability Analysis: Conducting a hazard vulnerability analysis can help to identify potential cybersecurity risks associated with each device. This analysis should consider factors such as the device's age, software version, and connectivity to other systems and networks.
Impact Analysis: Analyzing the dependencies and interconnections between medical devices and the potential impact on patient care is vital to understand the potential impact of a cyber incident on medical devices.
Prioritization: Prioritizing the medical devices based on their level of risk and criticality can help to ensure that the most critical devices are protected first. Prioritization includes identifying which devices must be protected and maintained during an incident and which devices can be disconnected or isolated.
Section 6.1.3 provides guidance on how to use network segmentation to mitigate risks associated with medical devices. By breaking down the network into smaller segments, or "microsegments," organizations can individually secure and manage devices, which can help to limit the spread of malware or other malicious software, improve incident detection and validation, and minimize the impact of incidents on patient care. Elisity can provide the automated inventory management and segmentation capabilities required to carry out the guidance provided in Section 6.1.3.
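The inventory-building and prioritization steps above, shown as an added example that is not code from the playbook or from Elisity: partial observations from a switch table, DHCP leases and a biomedical maintenance database are merged by MAC address into one record per device, each device is mapped to a policy group, and a protection-priority score is derived from criticality, age, patch status and connectivity. All device records, group names, the 2023 reference year and the score weights are constructed assumptions.

```python
"""Added example: build a single source of truth for a medical device inventory
from several partial sources, assign policy groups, and rank devices for
protection priority. Records, groups and weights are constructed, not real."""
from dataclasses import dataclass, field

# Partial observations about the same devices, as separate sources would report
# them (constructed sample data). All are keyed by MAC so they can be merged.
SWITCH_TABLE = [
    {"mac": "00:11:22:aa:bb:01", "ip": "10.20.1.15", "vlan": 20, "switch_port": "Gi1/0/7"},
    {"mac": "00:11:22:aa:bb:02", "ip": "10.20.1.16", "vlan": 20, "switch_port": "Gi1/0/8"},
    {"mac": "00:11:22:aa:bb:03", "ip": "10.30.5.40", "vlan": 30, "switch_port": "Gi2/0/1"},
]
DHCP_LEASES = [
    {"mac": "00:11:22:aa:bb:01", "hostname": "infusion-pump-07"},
    {"mac": "00:11:22:aa:bb:03", "hostname": "ehr-app-01"},
]
BIOMED_CMMS = [  # biomedical engineering maintenance database (constructed)
    {"mac": "00:11:22:aa:bb:01", "type": "infusion_pump", "manufacturer": "ExampleMed",
     "model": "IP-200", "location": "ICU-3", "sw_version": "4.1", "year": 2015},
    {"mac": "00:11:22:aa:bb:02", "type": "patient_monitor", "manufacturer": "ExampleMed",
     "model": "PM-9", "location": "ICU-3", "sw_version": "2.0", "year": 2021},
]
# Latest vendor-supported software version per model (constructed).
SUPPORTED_VERSION = {"IP-200": "4.3", "PM-9": "2.0"}
REFERENCE_YEAR = 2023  # assumed "now" for age calculation

# Device type -> (policy group, clinical criticality 1 low .. 5 life-critical).
POLICY_GROUPS = {
    "infusion_pump": ("MedDevice-Therapy", 5),
    "patient_monitor": ("MedDevice-Monitoring", 4),
    "imaging": ("MedDevice-Imaging", 3),
}
# Devices nobody could classify get a restrictive group and a high criticality.
UNKNOWN_GROUP = ("Quarantine-Unclassified", 4)


@dataclass
class Asset:
    mac: str
    attrs: dict = field(default_factory=dict)
    sources: set = field(default_factory=set)


def merge_sources(*sources):
    """Merge per-source partial records into one Asset per MAC.
    Later sources fill gaps but never overwrite a value already learned."""
    inventory = {}
    for name, records in sources:
        for rec in records:
            mac = rec["mac"].lower()
            asset = inventory.setdefault(mac, Asset(mac))
            asset.sources.add(name)
            for key, value in rec.items():
                if key != "mac":
                    asset.attrs.setdefault(key, value)
    return inventory


def classify(asset, peer_counts):
    """Assign a policy group and compute a protection-priority score.
    The weights are an assumption for this example, not the playbook's."""
    group, criticality = POLICY_GROUPS.get(asset.attrs.get("type"), UNKNOWN_GROUP)
    asset.attrs["policy_group"] = group
    age = REFERENCE_YEAR - asset.attrs.get("year", REFERENCE_YEAR)
    model = asset.attrs.get("model")
    outdated = (model in SUPPORTED_VERSION
                and asset.attrs.get("sw_version") != SUPPORTED_VERSION[model])
    peers = peer_counts.get(asset.mac, 0)
    # Criticality dominates; age, missing patches and wide connectivity add to it.
    score = criticality * 10 + min(age, 10) + (15 if outdated else 0) + min(peers, 20)
    asset.attrs.update({"outdated": outdated, "peers": peers, "priority": score})
    return asset


def build_prioritized_inventory(peer_counts):
    """Return all assets, highest protection priority first."""
    inv = merge_sources(("switch", SWITCH_TABLE), ("dhcp", DHCP_LEASES), ("cmms", BIOMED_CMMS))
    assets = [classify(a, peer_counts) for a in inv.values()]
    return sorted(assets, key=lambda a: a.attrs["priority"], reverse=True)


if __name__ == "__main__":
    # Distinct communication peers observed per device (constructed).
    peers = {"00:11:22:aa:bb:01": 3, "00:11:22:aa:bb:02": 2, "00:11:22:aa:bb:03": 40}
    for a in build_prioritized_inventory(peers):
        print(a.attrs["priority"], a.attrs["policy_group"],
              a.attrs.get("hostname", "?"), sorted(a.sources))
```

Note how the unclassified EHR host ranks above the fully patched monitor: a device the inventory cannot classify but that talks to many peers is exactly what prioritization should surface for review.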
6.1.4 - Medical Device Cybersecurity Support to the Hospital Incident Management Team (HIMT)
Section 6.1.4 of the Medical Device Cybersecurity Regional Preparedness and Response Playbook is "Medical Device Cybersecurity Support to the Hospital Incident Management Team (HIMT)." This section provides guidance on supporting the Hospital Incident Management Team (HIMT) in responding to incidents involving medical devices.
This section emphasizes the importance of having a clear and effective incident response plan, including procedures for identifying and reporting incidents, collecting and analyzing data, and coordinating with internal and external teams. Additionally, it provides guidance on how to enable the HIMT to respond quickly to incidents involving medical devices by providing a clear and concise medical device policy and ensuring that the team has the necessary knowledge and skills to respond to incidents effectively. Elisity provides a simple and effective way to give your HIMT the tools to respond to these incidents with policy. Cloud Control Center, our central management point for all assets and policies, enables clear and decisive policy decisions. Policy is pushed from Cloud Control Center to distributed Policy Enforcement Points in seconds.
6.2 - Detection and Analysis
This section covers the procedures and techniques organizations should implement to identify and validate an incident, including reporting an incident, collecting and analyzing data, and determining the cause of the incident. Cyberattacks can be difficult to verify due to the nature of the software. Still, once a potential incident has been identified, it's crucial to begin the analysis of the cause of the incident and the potential resulting impacts.
Identifying the Impact of an Incident Using Collected Data
6.2.1 - Incident Detection and Validation
Having real-time visibility into the network traffic, devices, and systems connected to the network and those devices' behavior can help detect and identify cyber incidents quickly. Collecting data about traffic flows, the source and destination of those flows, the types and sizes of packets, and events taking place on the network can be used to identify anomalies and unusual behavior in network traffic. Analyzing user login events, device attachments, traffic flows, and a range of other data can validate an incident and help determine the impact on affected devices. This visibility allows security teams to see the full scope of an incident and to track the movement of malware or other malicious software through the network.
At this stage, you need to perform an analysis to devise a plan to contain any further impact, as the subsequent sections on Containment and Eradication rely on it.
6.2.6 - External Resource References
Section 6.2.6 of the Medical Device Cybersecurity Regional Preparedness and Response Playbook includes external references that can provide additional guidance for the detection and analysis phase of incident response. Elisity has a complete mapping of compliance subcategories met by our platform for the following publications. Request a Demo to understand better how we can help you meet compliance goals.
NIST Computer Security Incident Handling Guide (SP 800-61 rev 2): This guide, published by the National Institute of Standards and Technology (NIST), provides detailed guidance on incident handling, including incident detection and analysis. It covers topics such as incident preparation, incident response, incident recovery, and lessons learned. The guide is especially relevant for the sections on detection and analysis, as it describes how to detect incidents, identify the scope and impact of an incident, and analyze the data collected during an incident.
NIST Cyber Security Framework (CSF) v. 1.1: The CSF is a framework developed by NIST that provides a common language and a consistent approach to managing cybersecurity risks. It provides a set of core functions and categories that organizations can use to manage cybersecurity risks, and it maps those functions and categories to specific NIST controls. CSF version 1.1 provides guidance on the Detect function, which includes identifying the need for security information and event management and detecting and responding to cybersecurity events. This mapping can help organizations align their incident detection and analysis activities with the CSF, and it can provide additional guidance on how to detect, analyze, and respond to incidents.
6.3 - Containment, Eradication, and Recovery
This section describes the steps required to contain and eliminate the incident, including isolating affected devices and networks, removing malware or other malicious software, and restoring normal operations.
Containing an Incident
Containing an incident is a critical step in incident response because it limits the spread of an incident and reduces its impact on the organization. By quickly identifying and isolating affected devices and networks, organizations can prevent malware or other malicious software from spreading further, reducing the incident's overall impact. Containment also helps to prevent the incident from becoming more severe, which can minimize the damage and disruption caused by the incident. Containment allows organizations to maintain continuity of care and reduce the impact on patient care. By isolating affected devices and networks, organizations can minimize the impact on critical systems and sensitive data and reduce the potential risks to patient safety, which is the highest priority in any healthcare organization.
Eradicating an Incident
The second component of Section 6.3 is eradication. To properly perform an impact analysis that results in the complete eradication of an incident and recovery from it, organizations must know which assets the incident affected. Organizations often struggle to maintain a comprehensive inventory of assets on their network because new assets are onboarded continually. Failure to maintain a proper inventory means that in a cybersecurity incident, some affected assets may be ones the organization cannot identify. Even if attackers leave footholds for subsequent attacks, proper implementation of microsegmentation can prevent them from exploiting these footholds.
Recovering from an Incident
Containing an incident makes it easier for organizations to restore normal operations and minimize the impact on patient care. However, to completely recover from an incident, organizations must follow the guidance of Section 6.3 of the Medical Device Cybersecurity Regional Preparedness and Response Playbook, which calls for full recovery: containment of impacts, eradication of the source and any residuals, and restoring systems with confidence.
6.4 - Communications and Coordination
This section covers the importance of having effective and clear communication and coordination during an incident, including coordination with internal teams, external organizations and stakeholders, and the public. This section covers practices and guidance for procedures outside the scope of network segmentation, but Elisity's microsegmentation and associated tools can help in a few areas mentioned in this section.
Cloud Control Center
Elisity offers a unified control panel for traffic flow analytics, event logging, user and device inventories, policy creation, and policy management. Our cloud-hosted application features Single Sign-On (SSO), meaning you can control user access based on group membership, allowing your teams to collaborate on projects within CCC. For example, your security team can work together within CCC to respond to an incident with policies. You can also export traffic flow and event logs from Cloud Control Center to use during incident investigation. Cloud Control Center is the central repository for these analytics and policies, not the communication channel. However, we provide some tools that enable organizations to establish these practices.
Continuity of Operations (COOP)
Continuity of operations (COOP) is critical in incident response, and the Medical Device Cybersecurity Regional Preparedness and Response Playbook addresses it within Section 6.4, Communications and Coordination. COOP refers to an organization's ability to maintain or quickly resume essential functions and services in the event of an incident, such as a cyber attack, natural disaster, or another disruptive event. The goal is to minimize the impact of the incident on patient care and healthcare delivery.
This section typically includes several essential elements, such as:
Identifying essential functions and services: You must identify the critical systems, services, and functions that must be maintained during an incident, including communication systems, power supply, and other critical infrastructure.
Establishing alternate plans and procedures: This includes developing alternate plans and procedures to maintain essential functions and services in the event of an incident, such as redundant power systems and communication channels.
Testing and training: This includes testing and training personnel on alternate plans and procedures to ensure readiness and continuity of operations.
Maintaining continuity of operations during an incident: This includes implementing alternate plans and procedures and maintaining essential functions and services.
Restoring normal operations: This includes restoring normal operations after an incident and returning to the pre-incident state.
Network administrators can quickly isolate and protect essential functions and services to maintain the continuity of operations by using a platform that allows microsegmentation policy to take effect in the network within minutes of the policy decision process. Rapid restoration is essential for providing essential health services to patients, even during a cyberattack or other uncontrollable situations like natural disasters. Just as important is the ability to quickly revert network policies after recovering from an incident, allowing the organization to return to normal functions.
Elisity provides identity-based microsegmentation on your existing switching infrastructure with unprecedented time-to-value. Our dedicated cloud-hosted control plane, Cloud Control Center, enables customers to identify assets on their network. They can connect to external identity providers, such as Active Directory, gather more data, and create detailed policies based on the identity that reaches the network's edge, where assets are located. Reach your compliance goals, secure unknown and unidentified assets on your network, and gain deeper visibility into what assets and traffic flows are taking place on your network.
Request a demo at https://www.elisity.com/request-demo to learn more about how Elisity can help you implement least privilege access in your organization's network.
Why is cybersecurity critical in healthcare?
Healthcare organizations handle sensitive patient information, including personal identification data, medical history, and insurance information. These organizations rely heavily on technology like Electronic Health Record servers to manage and store this sensitive data. This information is valuable to attackers, making healthcare organizations a prime target for cyber attacks.
Additionally, healthcare organizations have a legal and ethical obligation to protect patient information. The Health Insurance Portability and Accountability Act (HIPAA) in the U.S. sets strict guidelines for protecting patient information, and failure to comply can result in significant fines and reputational damage.
In 2017, a ransomware attack occurred at the Hollywood Presbyterian Medical Center in Los Angeles. The attack, caused by the malware known as "WannaCry," encrypted the hospital's electronic medical records, making them inaccessible. The hospital paid a ransom of 40 Bitcoins, worth around $17,000 each, to regain access to records. The attack caused significant disruptions in patient care, as the staff could not access crucial medical information. Patients had to be redirected to other hospitals, and some elective surgeries were postponed.
This incident highlights the severe impact a cyberattack can have on a hospital and the importance of robust cybersecurity measures. It also shows how ransomware can particularly damage healthcare organizations, impeding care delivery and putting patients at risk. The attack also demonstrates the need for regular backups and disaster recovery plans to minimize the impact of cyberattacks.
What is the difference between segmentation and microsegmentation?
Segmentation and microsegmentation are both methods used to improve the security of a network, but they differ in terms of the granularity of the segments created.
Segmentation refers to dividing a network into larger, less secure segments. In a hospital network, for example, segmentation might involve creating separate VLANs (Virtual LANs) for different departments, such as radiology, surgery, and administration. Segmentation can help to limit the spread of a cyberattack within the network, but it does not provide the same level of security as microsegmentation.
Microsegmentation, however, is breaking down a network into smaller, more secure segments. In a hospital network, for example, microsegmentation might involve creating separate identity-based policies for different medical devices and systems within a department, such as MRI machines, patient monitors, and electronic medical records. This approach allows for a more granular level of security, making it much harder for a hacker to move laterally through the network and access sensitive information.
Elisity takes microsegmentation a step further by using policy constructs called Policy Groups to segment your network rather than traditional constructs like VLANs or ACLs. You can then create granular policies between each Policy Group, all within an easy-to-use user interface. We have entirely decoupled identity-based microsegmentation from the underlying network constructs, enabling simple, powerful policy creation workflows.
What is IoMT?
The Internet of Medical Things (IoMT) refers to the network of medical devices and equipment connected to the internet, allowing for data collection and sharing. These devices include a wide range of equipment, from wearable fitness trackers and home blood pressure monitors to advanced medical devices such as imaging equipment and surgical robots.
Examples of IoMT devices include:
Infusion pumps: These devices deliver precise amounts of medication to patients through an IV and can be connected to the internet to allow for remote monitoring and control.
Patient monitoring systems: These devices, also known as bedside monitors, are used to track vital signs such as heart rate, blood pressure, and oxygen levels in critically ill patients. They can be connected to the internet to allow for remote monitoring and alerting.
CT scanners and MRI machines: These advanced imaging devices are connected to the internet to transfer patient images and data to radiologists, as well as to enable remote monitoring and maintenance of the device.
Surgical robots: These robotic systems are used in minimally invasive surgeries and are connected to the internet to allow for remote monitoring and control.
Electronic medical record systems: These systems store and manage electronic medical records and are connected to the internet to allow for remote access and sharing of patient information.
While IoMT devices offer many benefits, including improved patient care and increased efficiency, they also present potential vulnerabilities. These devices often have limited security measures, making them vulnerable to hacking and cyber-attacks. Additionally, many IoMT devices collect and transmit sensitive patient information, making them a target for data breaches. Other potential vulnerabilities include a lack of software updates and patch management, weak or default passwords, and a lack of encryption.
Securing IoMT devices is important for keeping patients safe and maintaining the integrity of the healthcare system. These devices collect and transmit sensitive patient information, so a security breach could lead to privacy violations and harm to patients. A cyberattack on an IoMT device, such as a surgical robot or a CT scanner, could also cause disruptions in care, putting patients at risk. Hospitals and healthcare organizations must lock down these devices with least privilege access policies.
What is Least Privilege Access?
Least privilege access is a security principle that states that every user, process, or system should only have the minimum access required to perform specific tasks or functions. Granting users only the access they need to complete their job tasks, known as "least privilege," limits access to resources, applications, and information. The goal of least privilege access is to reduce the risk of unauthorized access, data breaches, and other security incidents by limiting the potential attack surface.
For example, a nurse in a hospital should only have access to the patient records and systems relevant to their job responsibilities rather than to the financial records or administrative systems. Similarly, a system administrator should only have access to the systems and applications necessary to perform their job and not to sensitive patient information.
Implementing least privilege access can be challenging, as it requires identifying and controlling access to resources, applications, and information. Least privilege access is achieved through access controls, role-based access controls, and other security measures such as multi-factor authentication.
Elisity is changing this by introducing a new approach to Least Privilege Access. Identifying resources happens automatically as devices and users attach to your Elisity-secured network. These assets then inherit pre-built policies no matter where they are in the network, without needing any agents or MFA. Devices and users attach to the network and immediately inherit policies restricting access to only required resources. And it's not merely denying or allowing access - you can choose strictly what protocols are allowed and deny all other traffic between assets on your network. The best part is that you can reach this level of LPA in weeks instead of years.
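The identity-based, protocol-level least privilege policy described here, combined with the flow-based incident validation of Section 6.2.1 and the containment step of Section 6.3, shown as an added example that is not Elisity's product code: a default-deny policy between Policy Groups is evaluated against constructed flow records, denied flows are counted per source to validate a suspected incident, and the policy is then tightened to contain the affected group. The identities, group names, port numbers and flow records are all constructed assumptions.

```python
"""Added example: default-deny, identity-based policy between policy groups,
applied to flow records to validate an incident and to contain a group.
Identities, groups, ports and flows are constructed, not from any real network."""
from collections import Counter

# Identity -> policy group (constructed; in practice learned at the network edge).
ASSET_GROUPS = {
    "infusion-pump-07": "MedDevice-Therapy",
    "patient-monitor-12": "MedDevice-Monitoring",
    "ehr-app-01": "EHR",
    "nurse-ws-04": "Clinical-Workstation",
    "admin-ws-09": "Admin",
}

# Allowed (src_group, dst_group) -> set of "proto/port". Any pair or protocol
# not listed is denied, including traffic between assets of the same group.
POLICY = {
    ("MedDevice-Therapy", "EHR"): {"tcp/443"},
    ("MedDevice-Monitoring", "EHR"): {"tcp/443", "tcp/2575"},  # constructed ports
    ("Clinical-Workstation", "EHR"): {"tcp/443"},
    ("Clinical-Workstation", "MedDevice-Monitoring"): {"tcp/443"},
}

# Constructed flow records as a collector might export them.
FLOWS = [
    {"ts": "09:00:01", "src": "patient-monitor-12", "dst": "ehr-app-01", "proto": "tcp", "port": 2575},
    {"ts": "09:00:02", "src": "nurse-ws-04", "dst": "ehr-app-01", "proto": "tcp", "port": 443},
    {"ts": "09:00:05", "src": "nurse-ws-04", "dst": "infusion-pump-07", "proto": "tcp", "port": 445},
    {"ts": "09:00:06", "src": "nurse-ws-04", "dst": "patient-monitor-12", "proto": "tcp", "port": 445},
    {"ts": "09:00:07", "src": "nurse-ws-04", "dst": "patient-monitor-12", "proto": "tcp", "port": 443},
    {"ts": "09:00:09", "src": "admin-ws-09", "dst": "ehr-app-01", "proto": "tcp", "port": 443},
    {"ts": "09:00:11", "src": "unknown-host", "dst": "infusion-pump-07", "proto": "tcp", "port": 22},
]


def decide(policy, src, dst, proto, port):
    """Return ('allow' | 'deny', reason). Unknown identities land in a quarantine
    group that has no rules, so everything they send or receive is denied."""
    src_group = ASSET_GROUPS.get(src, "Quarantine-Unclassified")
    dst_group = ASSET_GROUPS.get(dst, "Quarantine-Unclassified")
    service = f"{proto}/{port}"
    if service in policy.get((src_group, dst_group), set()):
        return "allow", f"{src_group}->{dst_group} {service}"
    return "deny", f"{src_group}->{dst_group} {service} not in allow-list"


def evaluate_flows(policy, flows):
    """Apply the policy to flow records; return the denied flows with reasons."""
    findings = []
    for flow in flows:
        verdict, reason = decide(policy, flow["src"], flow["dst"], flow["proto"], flow["port"])
        if verdict == "deny":
            findings.append((flow["ts"], flow["src"], flow["dst"], reason))
    return findings


def suspected_sources(findings):
    """Rank identities by the denied flows they originated; a single host
    probing several groups on unexpected ports is what validates an incident."""
    return Counter(src for _, src, _, _ in findings).most_common()


def contain(policy, group):
    """Containment: drop every rule to or from the affected group, so default
    deny isolates it while the rest of the policy keeps clinical traffic flowing."""
    return {pair: services for pair, services in policy.items() if group not in pair}


if __name__ == "__main__":
    findings = evaluate_flows(POLICY, FLOWS)
    for ts, src, dst, reason in findings:
        print(ts, src, "->", dst, reason)
    print("suspected sources:", suspected_sources(findings))
    contained = contain(POLICY, "Clinical-Workstation")
    print("denied after containment:", len(evaluate_flows(contained, FLOWS)))
```

Reverting containment is the inverse operation: restore the saved rules for the group once eradication and recovery are complete.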
How can microsegmentation help organizations meet HIPAA compliance?
The Health Insurance Portability and Accountability Act (HIPAA) sets standards for protecting the privacy and security of patient data. One of the most important requirements of HIPAA is the implementation of administrative, physical, and technical safeguards to protect electronic protected health information (ePHI) from unauthorized access, use, disclosure, or destruction. Microsegmentation can be an effective tool for meeting these requirements and ensuring HIPAA compliance.
One of the critical benefits of microsegmentation is that it allows for a more granular level of security, which makes it much harder for a hacker to move laterally through a network and access sensitive information. Creating smaller, more secure segments can limit the spread of a cyber attack and reduce the risk of data breaches, which aligns with the HIPAA Security Rule requirements.
Additionally, microsegmentation can also help healthcare organizations meet HIPAA privacy rules' requirements by controlling access to ePHI. Using software-defined policies, microsegmentation can monitor and direct access to ePHI, ensuring that only authorized personnel have access. This can help to protect patient privacy and ensure that sensitive information is only accessible to those who need it.
Furthermore, microsegmentation can also help healthcare organizations respond to security incidents more quickly, which aligns with the Breach Notification Rule. By isolating different network segments, it can make identifying the source of a security incident easier, allowing organizations to respond more quickly and effectively.
What are the rules of HIPAA regarding the storage and transmission of patient data?
The Health Insurance Portability and Accountability Act (HIPAA) sets standards for protecting the privacy and security of patient data. Three primary rules of HIPAA are specifically related to the storage and transmission of patient data:
The Privacy Rule: This rule establishes national standards for protecting the privacy of individually identifiable health information, known as protected health information (PHI). It requires covered entities (such as healthcare providers, health plans, and clearinghouses) to implement administrative, physical, and technical safeguards to protect PHI's confidentiality, integrity, and availability. The Privacy Rule also sets standards for when and how PHI can be used and disclosed and gives individuals certain rights concerning their PHI.
The Security Rule: This rule sets standards for securing electronic protected health information (ePHI) that is stored or transmitted. It requires covered entities to implement administrative, physical, and technical safeguards to protect ePHI from unauthorized access, use, disclosure, or destruction. The Security Rule also establishes specific technical safeguards, such as encryption and decryption of ePHI, as well as physical safeguards, such as access controls and workstation security.
The Breach Notification Rule: This rule requires covered entities to notify individuals, the Department of Health and Human Services (HHS), and, in some cases, the media if there is a breach of unsecured PHI. The rule is designed to ensure that individuals can take steps to protect themselves from potential harm resulting from the unauthorized disclosure of their PHI. Covered entities are also required to document and report any breaches of unsecured PHI to the HHS.
Thank you for taking the time to read about how an organization can build its Emergency Operations Plan (EOP) around Elisity's microsegmentation solution. We hope that you understand the importance of network segmentation in managing cybersecurity risks associated with medical devices. Please feel free to request a demo if you would like to learn more about how Elisity can help protect your medical devices and improve your incident response capabilities. Our team would be happy to provide more information and answer any questions you may have.