Healthcare Information Security Policy: Mitigating Medical Device Risks

There’s a great Monty Python sketch where John Cleese plays a pompous surgeon who berates a patient for being ungrateful for being treated by “the machine that goes ping!”  It’s funny, of course, but the scene does underscore how much modern healthcare relies on digital devices to deliver care. The machine that “goes ping” does save lives. Unfortunately, the vast majority of medical devices also expose the healthcare provider to risks of network penetration and theft of Personal Health Information (PHI).

A Gap in Healthcare Information Security Policy

Leon Lerman, CEO of Cynerio

Medical devices like ventilators and MRI machines present an inviting attack surface for malicious actors. They are especially attractive because they represent, usually, one of the least-defended pivot points for theft of PHI and related data such as credit card numbers, addresses and so forth. Medical devices are gateways into Electronic Health Records (EHR) databases. Having spoken with Leon Lerman, CEO of Cynerio, whom we have covered recently, I now have a much better understanding of why this is the case:

• Most medical devices do not support encryption of PHI
• They tend to run older operating systems, are difficult (or impossible) to patch and sometimes even using protocols from the 1970s which are not compatible with modern data security standards.
• They are often cannot be protected by traditional IT security solutions (like anti-virus software)

This is not a criticism of IT departments and security operations at healthcare providers. It’s a vulnerability that has long existed, but for which there have not been many good solutions. Certainly, few solutions were at all economical to implement. Now, Cynerio is offering a solution, currently being proven in use at major hospitals in Israel.

A Passive Approach to Medical Device Security

Using a passive network based approach to medical device security, Cynerio enables healthcare information security policy compliance. Their solution is based on network visibility. Using Artificial Intelligence (AI) and machine learning, Cynerio develops a deep understanding of the data exchanges between the different entities and their associated medical contexts. From this foundation, Cynerio can then detect suspicious activities and stop attacks. It incorporates three essential capabilities:

• Full visibility into what devices are doing on the network and the associated risks,including  continuous and automated device discovery and classification.
• Accurate real time anomaly detection, driven by medical context consideration, e.g. an MRI should follow a predictable pattern of data exchange with an EMR system. If it is trying to exfiltrate data, for instance, that would be flagged as a suspicious use case.
• Stopping malicious communications without disrupting patient safety.

Cynerio is experiencing strong interest in its solutions as medical device security becomes an increasing concern in the industry. The FDA, for example, recently issue guidance on securing medical devices. “This is an encouraging sign,” said Lerman, “But, enforcement is limited and it isn’t very useful for older devices that are already in use.”

Cynerio, which recently completed a multi-million dollar funding round from Elron & Accelmed, was founded by Leon Lerman and Daniel Brodie, who serves as the firm’s CTO. Lerman has over a decade of experience in cybersecurity. Brodie was VP R&D at Metapacket and led the research team at Lacoon Mobile Security, which was acquired by Checkpoint. Both Lerman and Brodie served in Unit 8200 of the IDF.

Now, when the machine “goes ping,” we won’t have to work about it stealing our private information.