CIO offers a primer on using AI and machine learning to secure IoT devices
Skip Rollins is CIO at Freeman Health, the largest health system in southwest Missouri, with 5,000 employees, including more than 350 physicians on staff. Like healthcare CIOs across the nation, Rollins has been fighting off the sharp rise in Internet of things attacks plaguing the industry.
IoT devices, including medical devices, are prime targets for hackers, because they can be easy back doors into primary healthcare networks, where the hackers can gain control over critical systems and data. Rollins carefully monitors and secures Freeman Health's extensive use of more than 17,000 IP-connected devices to run its facilities and care for patients.
To help readers with this daunting cybersecurity task, Healthcare IT News interviewed Rollins about how he keeps his IoT devices secure, including his use of artificial intelligence.
Q: Overall, what are the challenges of securing a healthcare organization's Internet of things devices?
A: We're seeing an increase in attack surface from the explosive growth of mission-critical IoT devices – including medical devices – that are actually outgrowing the number of traditional IT endpoints. These devices play a critical role in patient care and range widely, from expensive imaging equipment that scans for tumors and HVAC systems that maintain proper air quality, to video surveillance cameras that monitor parking garages.
But these devices also introduce some new security challenges. There are a myriad of them from very different manufacturers, making them harder to secure. These IoT devices aren't designed with security in mind, often run obsolete operating systems and cannot be patched easily. In addition, due to the small footprint of these devices, you cannot support traditional endpoint security agents on them.
As a result, any IT and cybersecurity strategy for a healthcare organization needs to include the security of connected devices such as IoT, including medical devices.
Q: How do you monitor and secure Freeman Health's extensive use of more than 17,000 IP-connected devices?
A: My job as a CIO has evolved so much over the years. My peers and I are much more focused on the business aspects of our role versus the technical side of operations, and that means ensuring that these devices stay in service to support our patients while mitigating the risks that they may bring.
Many of the devices we have are directly involved in patient monitoring. The remainder include facilities-management equipment like HVAC, environmental controls, door locks and security cameras, as well as administrative devices like IP phones, office systems, intercoms, mobile devices and laptop computers.
The first step with securing these devices is really to know what is actually in your network. You can't protect what you don't know about. That's foundational to security. Once you know what devices are in your network at a granular level – make, model, serial number and operating system they are running – then you can start to understand the risks associated with them, such as vulnerabilities or weak passwords.
The second step is to understand what these devices are doing. You cannot protect what you don't understand. Simply knowing a device is an infusion pump isn't enough. You must understand what it is doing in order to protect it. It's actually easier to understand devices, compared to users, because devices have very deterministic functions.
A camera should perform a certain function, regardless of what it is and where it is deployed. By baselining what's normal, you can identify communications to a malicious domain or an unknown country.
Once you know the device and what it's doing, you can then create appropriate policies to secure these devices. When you have tens of thousands or hundreds of thousands of devices that need to be secured, automation and AI [are] the key to do this at scale and without introducing any errors.
We are very aggressive in our use of technology, and we lean on cybersecurity solutions like Ordr that can help us do this – discover and classify devices, map their communications patterns, and secure them – in an automated fashion and at scale.
Q: How do you identify anomalous and suspicious device communications outside the organization?
A: To identify anomalous and suspicious device communications, we need to first establish a baseline of what's normal. To do this at scale, you must be able to apply machine learning to accurately classify each device and baseline its dynamic behavior along with the context of your network.
If you can do that, you can immediately identify potential "mutations" – devices that are not behaving the way they should – and mount an appropriate response to ensure business continuity and prevent catastrophic downstream consequences.
For example, an HVAC system should communicate with a trusted smart building controller using approved protocols and applications such as BACnet, but can be blocked from communicating to the Internet or to another HVAC system.
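An added example, not code from Freeman Health or Ordr, that mechanizes the three steps Rollins describes earlier (inventory, understand behavior, policy) together with the HVAC/BACnet case in this answer: it learns a per-device-class communication baseline from a known-good period and flags later flows that deviate from it. The inventory, addresses and flows are constructed, and the organization's internal address space is assumed to be 10.0.0.0/8.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Step 1 (know what is on the network): constructed inventory, IP -> (class, make/model).
INVENTORY = {
    "10.1.0.10": ("hvac", "Acme AirHandler 200"),
    "10.1.0.11": ("hvac", "Acme AirHandler 200"),
    "10.1.0.50": ("building_controller", "Acme BMS"),
    "10.2.0.20": ("camera", "Example Cam X1"),
    "10.2.0.60": ("nvr", "Example NVR"),
}

def peer_kind(ip):
    """Classify a peer: its inventory class, an unknown internal host, or the Internet."""
    if ip in INVENTORY:
        return INVENTORY[ip][0]
    # Assumed organization address space; anything outside it is treated as the Internet.
    return "internal_unknown" if ip_address(ip) in ip_network("10.0.0.0/8") else "internet"

def learn_baseline(flows):
    """Step 2 (understand what devices do): per device class, the set of
    (peer kind, protocol) pairs seen during a known-good period."""
    baseline = defaultdict(set)
    for src, dst, proto in flows:
        if src in INVENTORY:
            baseline[INVENTORY[src][0]].add((peer_kind(dst), proto))
    return baseline

def find_mutations(baseline, flows):
    """Step 3 (policy): flag flows that deviate from their device class baseline."""
    alerts = []
    for src, dst, proto in flows:
        if src not in INVENTORY:
            continue  # unmanaged source: out of scope for this check
        cls, kind = INVENTORY[src][0], peer_kind(dst)
        if (kind, proto) not in baseline[cls]:
            alerts.append((src, cls, dst, kind, proto))
    return alerts

# Constructed known-good traffic: HVAC speaks BACnet to the controller; the camera streams to the NVR.
NORMAL_FLOWS = [
    ("10.1.0.10", "10.1.0.50", "bacnet"),
    ("10.1.0.11", "10.1.0.50", "bacnet"),
    ("10.2.0.20", "10.2.0.60", "rtsp"),
]
# Later traffic adds two deviations: one HVAC unit reaching the Internet and a peer HVAC unit.
NEW_FLOWS = NORMAL_FLOWS + [
    ("10.1.0.10", "203.0.113.7", "https"),
    ("10.1.0.10", "10.1.0.11", "bacnet"),
]
```

In a real deployment the classification and the baseline come from the device-discovery and traffic data a platform collects, and the same per-class rule is what gets pushed to the network as a segmentation policy.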
Q: How do you bridge holistic security of all Freeman Health campuses among non-IT affiliated teams such as biomedical and facilities?
A: Cybersecurity is a team sport. It requires close collaboration among all key stakeholders. Within a healthcare organization, it involves security teams, HTM/biomedical teams, and networking/IT teams working together. My security team may identify a vulnerability associated with a medical device and recommend a patch, but they aren't responsible for implementing the patch. The HTM/biomed teams are.
Perhaps the medical device is running an obsolete operating system and no patches are available. Then the IT and networking teams play a role in segmenting and isolating that device to keep it secure. Everyday users like our doctors and nurses also play a key role in cybersecurity by spotting a phishing attempt and reporting it.
My role as CIO is also to help the business optimize costs, so we also work with non-IT affiliated teams like finance. We use our connected-device security solution to provide device utilization insights. When our healthcare staff puts in a request for new devices, we help our finance teams make smart capital spend decisions with these utilization insights.
Now we can look at a requisition need for new medical devices, and if the current utilization is low, we can reallocate existing devices to meet the needs rather than spend money to buy new equipment.