Managing Vulnerabilities in Clinical Networks: Solution Brief
In healthcare, Vulnerability Management (VM) platforms are used to reduce the vulnerabilities
introduced by the medical (IoMT) and non-medical (IoT) assets that connect to clinical networks. These
solutions employ different types of device scanning capabilities to proactively assess the
defensive weaknesses of connected assets. The best solutions not only stay up to date with the
signatures of newly published vulnerabilities (CVEs), but are capable of simulating the effects of
potential vulnerabilities to continuously assess connected landscapes for susceptibility to attack.
Rapid7 delivers such capabilities via InsightVM, a market leading platform. Importantly, InsightVM's
capabilities are distinguished, as they overcome the well-known risks associated with scanning both
medical and non-medical devices in a clinical setting.
For example:
1. Medical devices involved in delivering patient care that are scanned could have their operations disrupted. Historically, there hasn't been a definitive way to assess the true
status of the device (connected to the network versus currently in-use/connected to a patient).
Determining the location of increasingly mobile medical devices confounds this problem, as
"eyeballing" a device or group of devices, as a solution, is next to impossible.
2. Medical devices are generally more fragile than standard IT equipment. Scanning requires interrogating devices in ways that can stress already fragile processing units (e.g.,
multiple login queries or simultaneous communication on ports that aren't designed for such
purposes). Put simply, IoMT and IoT devices generally have less robust computational power,
as their specialized designs are built for highly specialized use-cases. That means
non-standard communications can trigger a reset or even cause damage.
More About the Problem
First, in many cases VM systems cannot discern whether the device targeted for scanning is
medical or non-medical. This problem is even more severe when the device's manufacturer, model,
or app version requires a tailored scanning plan as part of its warranty provisions.
Second, the results of vulnerability scans cannot drive appropriate security action if they lack the
right clinical context. Essential information is often missing. For example: the device’s full identity is
probably not known (i.e., type, model, and specifications, such as OS version, app version, and
serial number). As stated, its current status, location and maintenance records may not be readily
available. This level of context is required, as it informs a range of potential security decisions. Is a
patch the right thing to do? What are my options for compensating controls? If I want to segment
the device, what should the security policy be and what are my best options for enforcement?
Third, vulnerability scanners do not comprehensively cover CVEs specific to medical devices. VM
platforms are designed to scan and manage common connected devices and to work across industries.
However, as stated, medical devices differ from their counterparts. They often run embedded
operating systems and communicate over proprietary protocols. This makes it harder for VM
platforms to provide the same level of coverage for medical devices in their vulnerability databases
and scanning procedures.
The Solution
Rapid7 and Medigate have partnered to provide hospitals a way to effectively address these
challenges and eliminate security tradeoffs. The solution integrates Medigate with existing Rapid7
InsightVM and Nexpose vulnerability management systems. It provides an "identity-based"
scanning solution that truly changes the game for scanning administrators, as they gain fingertip
access to a fully profiled, dynamically risk-scored inventory of all assets, inclusive of each device's
security posture, status and location. The underlying data are delivered in context to InsightVM,
enabling both passive and active, instantly correlated vulnerability assessments.
The integration is bi-directional, as in turn, Medigate imports the results of scans performed by
Rapid7 and incorporates the updates into the clinical risk score it calculates and manages for each
device held in its inventory. This allows scanning data to be orchestrated for the benefit of the entire
ecosystem.
How It Works
1. Medigate leverages Deep Packet Inspection (DPI) techniques to passively fingerprint all
connected medical devices. Each device is fully profiled. Details include Make, Model,
Firmware, OS and app versions, serial numbers, location, status and security posture.
2. Medigate exports these device profiles to InsightVM, using custom tags and custom attributes
for each asset.
3. Medigate then maintains these asset groups within InsightVM so that default inclusion and
explicit exclusion lists (i.e., medical devices that should not be scanned) are always available
and up to date. Among other benefits, this enables the safe scanning of mixed network
segments, as well as highly targeted scanning (e.g., to scan Windows-based radiology
devices for a certain vulnerability).
[Figure: Medigate's Scan Orchestration page, which defines scan target groups and their scan policies.]
[Figure: Scan sites as defined above, created via the integration with Rapid7's InsightVM.]
4. Medigate imports vulnerabilities and exposures from InsightVM from all discovered devices.
Medigate then incorporates the CVEs into the Clinical Risk Score its platform dynamically
calculates/maintains for each device. While this allows Medigate to serve as a single pane
of glass for cybersecurity risk assessment and management of all connected devices, it also
means that the same data can be orchestrated to other benefitting systems.
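As an added illustration (not Medigate's or Rapid7's code, and not the real InsightVM API), the following Python models steps 2 and 3 above: each profiled device becomes a set of custom attributes, a policy derives the default inclusion list and the explicit exclusion list from device status and manufacturer scanning constraints, and a targeted group (Windows-based radiology devices) is carved out of the safe set. The DeviceProfile schema, the scan_safe flag and the sample inventory are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceProfile:
    """One passively fingerprinted asset, as the integration would export it (hypothetical schema)."""
    ip: str
    make: str
    model: str
    os: str
    category: str     # "medical" (IoMT) or "iot"
    status: str       # "idle", "in-use" (connected to a patient) or "offline"
    location: str
    scan_safe: bool   # manufacturer/warranty permits active scanning of this model


# Constructed sample inventory; vendors, models and addresses are made up.
INVENTORY = [
    DeviceProfile("10.1.0.11", "VendorA", "Infusion pump", "Embedded RTOS", "medical", "in-use", "ICU", False),
    DeviceProfile("10.1.0.12", "VendorB", "CT scanner", "Windows 10", "medical", "idle", "Radiology", True),
    DeviceProfile("10.1.0.13", "VendorB", "MRI", "Windows 7", "medical", "in-use", "Radiology", True),
    DeviceProfile("10.1.0.20", "VendorC", "IP camera", "Linux", "iot", "idle", "Lobby", True),
    DeviceProfile("10.1.0.21", "VendorD", "Patient monitor", "Embedded Linux", "medical", "idle", "Ward 3", False),
]


def custom_attributes(device):
    """Key/value pairs that would be attached to the asset in the scanner (step 2)."""
    return {"make": device.make, "model": device.model, "os": device.os,
            "category": device.category, "status": device.status, "location": device.location}


def scan_policy(inventory):
    """Split the inventory into a default inclusion list and an explicit exclusion list (step 3).
    Returns (include_ips, exclusions), where exclusions maps ip -> human-readable reason."""
    include, exclusions = [], {}
    for d in inventory:
        if d.status == "in-use":
            exclusions[d.ip] = "device is currently connected to a patient"
        elif d.status == "offline":
            exclusions[d.ip] = "device is not reachable on the network"
        elif d.category == "medical" and not d.scan_safe:
            exclusions[d.ip] = "manufacturer does not permit active scanning"
        else:
            include.append(d.ip)
    return include, exclusions


def targeted_group(inventory, os_prefix, location):
    """Narrow the safe inclusion list to one OS family in one location, e.g. Windows radiology devices."""
    include, _ = scan_policy(inventory)
    return [d.ip for d in inventory
            if d.ip in include and d.os.startswith(os_prefix) and d.location == location]
```

Because the exclusion list is recomputed from live status, the MRI that is in use today drops out of the radiology group without any manual edit to the scan site.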
The Result: Superior Clinical Risk and Vulnerability Management
The bi-directional integration delivers unprecedented asset coverage, dramatically improving how
asset risks are assessed and managed.
1. Informed risk management: Medigate’s visibility data combined with Rapid7’s vulnerability
findings allow security teams to identify all IoT and medical devices, their network location,
and their organizational owners to clearly map the distribution of risk across departments
and manufacturers.
2. Safe and comprehensive scanning: the detailed device identifications provided by
Medigate allow InsightVM’s scanning process to be configured to minimize patient and
asset risks while efficiently testing for all relevant vulnerabilities.
3. Drive action from insights: the insights delivered via the integration can be directly
translated to remediation activities such as coordinating patching with the device
manufacturer, segmenting the device on the hospital's network, and establishing
appropriate security policies (for example, port and protocol restrictions) through Medigate’s
NAC and firewall integrations.
About Medigate
Medigate provides award-winning cybersecurity for
connected devices in hospitals. The platform combines a
deep understanding of manufacturers’ protocols and clinical
workflows with cybersecurity expertise to deliver comprehensive
and accurate identification, contextual anomaly detection,
and clinical policy enforcement. The resulting automated,
rule-based clinically-driven security policies keep patients,
networks, and PHI safe.
Visit: medigate.io