"Closing Network Pathways to Sensitive Data to Help Secure Medical Devices"
The Cybersecurity and Infrastructure Security Agency (CISA) released an ICS Medical Advisory (ICSMA-21-084-01) covering a specific vulnerability discovered in the Philips Gemini PET/CT family of scanners. These scanners store patient data on detachable media without access control. Legacy medical devices like this line of PET/CT scanners heighten the problem of unsecured Protected Health Information (PHI) storage. Because operating system support for these devices is irregular and, in some cases, absent, many of the vulnerabilities affecting them are difficult or impossible to remediate. However, a mass replacement of older devices would be highly capital-intensive for organizations. Therefore, a different approach must be taken to address PHI availability and future remediation requirements.

Many healthcare networks are flat or segmented only by department. This creates problems when ransomware hits a department: the malware spreads laterally and infects all devices in a large segment. The recommended approach for medical device security is edge micro-segmentation, which places each endpoint in a healthcare network on its own protected segment. This network architecture also applies security to traffic as it enters and exits a micro-segment. Adopting this approach would prevent the direct exposure of medical devices within a network and the lateral spread of malware.

The article goes on to discuss the challenges of protecting healthcare networks from security threats, how flat and minimally segmented networks expand the attack surface, and how edge micro-segmentation improves medical device security.