
If You Can’t See Your Medical Devices, You Can’t Secure Them

April 2020
By James Pratt

Hospitals are complex, rapidly changing environments with a lot of moving parts. While large capital equipment such as CTs, MRIs and lab equipment is fairly stable and often has fixed IP addresses, other devices such as infusion pumps and even ultrasounds are much more mobile. They can plug into a network port on one floor and, 15 minutes later, plug into a network jack on another floor. In a wireless environment, these devices may roam across your network, hitting various APs as they travel throughout the hospital.

To properly manage and monitor your medical devices, you need to “see” them on the network first.

Many hospitals track their medical devices based on the physical location, network port and IP address. Some may record the MAC address of the network port. But is this secure? How do you know a hacker isn’t spoofing the MAC and IP address? They aren’t that hard to discover. If you use 802.1X to control access, the hacker could spoof the device and easily gain access to your network.

NAC to the Rescue

Network access control (NAC) systems such as FortiNAC are designed to sit on your network, discover and search for devices, then either allow or deny access and, in many cases, assign those devices to a VLAN. Advanced products such as FortiNAC can also assign these devices to categories and provide those categories to a network management and orchestration tool such as FortiManager. The categories can then be used to automate network access, security policies and traffic pattern alerts.

Products such as FortiNAC not only scan your network for IP packet traffic, they also query your switches, routers and APs for traffic information. FortiNAC can gather information about devices using SNMP, CLI, RADIUS, Syslog, API and DHCP in addition to passively monitoring your network to discover devices. This means you can find devices more quickly and more accurately than with scanning alone.

As devices are discovered on your network, FortiNAC classifies those devices based on a variety of factors such as MAC address, operating system, IP address, etc. FortiNAC has a huge database of device types, including many medical devices, so it can usually classify each device according to function, such as ultrasound or infusion pump. FortiNAC can then place each device into logical groups, which are then shared with other systems using Fortinet’s Security Fabric. For example, infusion pumps can be tagged and placed into the infusion pump security group and placed into the infusion pump VLAN. This saves time and allows automation when adding new devices to the network.

The Fortinet Security Fabric is a set of published security APIs that allow various devices and software to share information about your network. Many third-party vendors support Fortinet’s Security Fabric. When FortiNAC discovers and classifies a device on the network, it can share that information not only with Fortinet firewalls and security management software, but also with third-party systems such as intrusion prevention software, antimalware software and others. This provides users with a seamless view of the network and allows automation of network security based on the information in the Security Fabric.

Example: Adding a New Infusion Pump

Adding a new infusion pump is as simple as plugging it into the network or connecting it to your wireless network. FortiNAC will detect the device, know that it is an infusion pump and place the pump on the proper VLAN. It will provide this information upstream to FortiManager so that the security team will see the device and know what VLAN it is on, what IP address is assigned to the device, which switch port or wireless access point it is connected to. A security policy will be assigned to the device, and FortiGate firewalls will use this information to control access into and out of this infusion pump.

Your security team creates a rule one time stating that infusion pumps can only be reached by your medical information system, IT tech support and the infusion pump manufacturer’s tech support. When the new pump is attached to the network, these rules are in place and security is already set. If you need to make an exception for a particular device, such as a pump for the CT contrast, you can quickly create a custom rule that will allow this particular pump to access the CT console as well as the other devices listed. These rules protect the infusion pump from attack and, if one does get infected, it keeps the attack contained.
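The classification-then-policy flow described above (classify by MAC and fingerprint, place in a group/VLAN, apply a group rule written once, add a per-device exception for the CT-contrast pump), as an added illustration that is not FortiNAC code or SageNet’s own material. The OUI prefixes, DHCP fingerprints, VLAN numbers and role names are all constructed for the example; the mismatch check between OUI and DHCP fingerprint is one way a NAC can notice a spoofed MAC, which the page raises but does not specify.

```python
# Added example (not FortiNAC code): a toy model of NAC-style device
# classification, group/VLAN assignment and group-based access rules.
from dataclasses import dataclass, field

# Constructed OUI-to-class table (fake vendor prefixes, assumption only).
OUI_CLASS = {"00:11:22": "infusion_pump", "00:33:44": "ultrasound",
             "00:55:66": "workstation"}
# Constructed DHCP fingerprints (option 55 parameter request lists) per class.
FP_CLASS = {"1,3,6,15": "infusion_pump", "1,3,6,12,15,28": "ultrasound",
            "1,3,6,15,31,33,43": "workstation"}
# Constructed VLAN map; unknown or suspicious devices land in quarantine.
GROUP_VLAN = {"infusion_pump": 110, "ultrasound": 120, "workstation": 200,
              "quarantine": 999, "unclassified": 999}
# Group rule written once: source roles allowed to reach members of the group.
GROUP_ALLOW = {"infusion_pump": {"medical_info_system", "it_support",
                                 "pump_vendor_support"}}
# Per-device exception: only the CT-contrast pump may be reached by the CT console.
DEVICE_EXTRA = {"00:11:22:aa:bb:01": {"ct_console"}}


@dataclass
class Device:
    mac: str
    ip: str
    dhcp_fp: str
    group: str = "unclassified"
    vlan: int = 999
    flags: list = field(default_factory=list)


def classify(dev: Device) -> str:
    """Assign a group from OUI and DHCP fingerprint; quarantine on disagreement."""
    by_oui = OUI_CLASS.get(dev.mac[:8].lower())
    by_fp = FP_CLASS.get(dev.dhcp_fp)
    if by_oui and by_fp and by_oui != by_fp:
        # A pump-vendor MAC sending a workstation-style DHCP request is the
        # kind of inconsistency a spoofed MAC produces: isolate and flag it.
        dev.group = "quarantine"
        dev.flags.append(f"OUI says {by_oui}, DHCP fingerprint says {by_fp}")
    else:
        dev.group = by_oui or by_fp or "unclassified"
    dev.vlan = GROUP_VLAN[dev.group]
    return dev.group


def allowed(dev: Device, source_role: str) -> bool:
    """Default deny: a source may reach the device only via its group rule
    or an explicit per-device exception."""
    permitted = GROUP_ALLOW.get(dev.group, set()) | DEVICE_EXTRA.get(dev.mac, set())
    return source_role in permitted
```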

Example: Moving an Ultrasound to a New Floor

If your ultrasound supports Wi-Fi, it can move about your building and be detected by FortiNAC as it moves from floor to floor. FortiNAC will automatically assign the device to the correct ultrasound VLAN, which will have rules in place to control what traffic can ingress and egress the ultrasound network. If a particular ultrasound needs special rules, FortiNAC will recognize this device, place it on the VLAN, and notify FortiManager of its location so that access rules can be adjusted on the fly.

More Information on Medical Device Security

For more information on how to secure your medical devices, contact your SageNet account rep.

James Pratt

Account Executive

As every industry develops ways to connect equipment to the Internet, you also have to find ways to safeguard the information they provide. Medical devices are regulated by the FDA, so you can’t make changes to devices without approval – a process that can take months or years. You also can’t patch the software without approval. As a result, these devices are on your network and not secure, so you need to find other ways to secure them. That’s why it’s important to work with a company like SageNet that understands how to develop smart solutions.
