Security researchers estimate there are between 10 and 15 million network-connected medical devices in US hospitals today – an average of 10 to 15 connected devices per patient bed. What does this mean for healthcare security teams?
When it comes to protecting their IT ecosystem, the sheer number of these devices makes device discovery — and maintaining ongoing visibility into their status — a challenge for healthcare security teams.
Plus, compliance regulations like HIPAA mandate that healthcare organizations maintain an accurate inventory of all software applications, devices, and cloud environments through which protected health information flows.
Recently, our own director of commercial and channel sales engineering, Andrew Senko, and Rick Doten (VP of information security at Centene, CISO at Carolina Complete Health, and the lead author on the newest version of the CIS Controls) sat down with the team at Healthcare Dive to discuss the importance of healthcare asset management.
In this excerpt from the webinar, they explored healthcare asset management challenges and how healthcare security teams can attain comprehensive asset visibility across their increasingly complex, diverse, and distributed IT environments.
Editor’s note: The following transcript has been edited for brevity and length.
Healthcare Dive: Why is comprehensive asset visibility such a necessary foundation for securing healthcare organizations?
Andrew Senko: Put simply, you need to know everything that you have if you're ever going to hope to secure it. Going deeper on the topic, I would say that security programs are built on a foundation of risk assessments, followed by creation of policies and processes in an effort to cover the security needs of the business. This is as true in healthcare as it is in any other industry. Once you've identified the risks and created the processes, you need to know your environment to ensure that you're securing every asset. That's where visibility comes into play.
Rick Doten: The foundation of any cybersecurity program is knowing what you have to protect. I used to tell this story that if I were a shepherd, I couldn't do my job if I didn't know how many animals were in the field, which ones belong to me, and which ones were sheep.
I need to be able to define what is my infrastructure and what are my boundaries.
In a healthcare organization, there may be different things from an application, mobile, medical device, or cloud standpoint. These are often run by different groups and these groups may know what they have. But if we're doing security operations – and especially doing incident response on those – then we need to make sure that we have a consolidated place to know exactly what's there.
Healthcare Dive: What is cybersecurity asset management? How does improving asset management translate into enhancing cyber resiliency?
Andrew: First, I would like to distinguish between traditional asset inventories and asset management for cybersecurity. Traditional asset inventories are focused on cataloging what you have, so they can easily tell you how many things they know about.
An inventory, which is manually populated, is probably never going to be current enough to meet the needs of the cybersecurity team. In asset management for cybersecurity, you have tasks to worry about, such as looking at the inventory of known devices and then uncovering the devices that do not adhere to security policies.
Asset management for cybersecurity means having an up-to-date reliable inventory, which can be used to answer questions about what you have and where coverage gaps might exist. Asset management for cybersecurity means knowing your environment. That in turn lowers your risk and improves your resiliency.
Rick: There are multiple teams that might have an idea about what they have, but when doing an incident response, I would want to have a central place to know and then confirm. To get the necessary level of comprehensiveness, crowdsourcing data from agents on different systems, sensors, vulnerability scanners, etc., is helpful as they all see a different piece of the puzzle. Putting these together with data from Active Directory and configuration management tools helps you to respond quickly.
Healthcare Dive: What strategies are most important when managing IT assets for cybersecurity purposes and what's needed in a solution?
Rick: You can't protect what you don't know. That’s the core. Unfortunately, most organizations don't appreciate that and that's why asset management is not as comprehensive. Like I said, there might be appropriate asset management within the group that manages the endpoints, the servers, the cloud environment, IoT, non-computing devices, and more, but not all together.
Being able to know about all the sheep that are in my field and that I need to protect is a valuable thing. What we would want is something that would crowdsource things together to be able to give us a single source of truth, an authoritative source of truth, that we can leverage when doing incident response or security operations.
Interested in learning more about the importance of healthcare asset management and how Axonius can help healthcare security and IT teams to confidently solve their asset management challenges? Watch the full webinar on demand.