Top experts discuss medical device cybersecurity standards

TRIMEDX Senior Vice President of Cybersecurity Scott Trevino recently contributed to 24x7 Magazine’s 2024 cybersecurity roundtable. Trevino discussed cybersecurity standards, medical device monitoring & protection, and how TRIMEDX proactively addresses vulnerabilities. The full article, as it appeared on July 15, 2024, is below.

Four medical device cybersecurity experts—Leon Lerman, CEO and co-founder of Cynerio; Scott Trevino, senior vice president of cybersecurity at TRIMEDX; Shankar Somasundaram, CEO of Asimily; and Ty Greenhalgh, industry principal of healthcare at Claroty—discuss how their platforms comply with various frameworks, offering real-time monitoring, encryption, and incident response to protect medical devices from emerging threats. Don’t miss out.

24×7: Which specific cybersecurity frameworks and standards does your software follow?

Shankar Somasundaram: Our hospital and other healthcare delivery system customers cite a wide variety of cybersecurity frameworks and standards that they comply with using Asimily. The broad availability of data, customized reports, dashboards, and integrations makes it easy to provide the evidence required for audit or compliance. Some of the frameworks and standards most cited by customers are HIPAA, ISO 27001, NIS2, Digital Operational Resilience Act (DORA), and NIST. In addition, the environment Asimily operates in has SOC 2 compliance and HIPAA compliance.

Leon Lerman: Cynerio’s Healthcare Cybersecurity Platform is designed to comply with a wide range of global standards relevant to healthcare organizations, both for cloud and on-premises deployments. This includes industry standards like ISO 27001 and regional regulations regarding patient data privacy, such as HIPAA and General Data Protection Regulation. However, our focus goes beyond just meeting the minimum requirements.

We actively educate the healthcare community on emerging best practices and frameworks that push beyond these standards. This includes regular sessions on topics like the HHS Cybersecurity Performance Goals, 405(d) Program, and the Cybersecurity Act of 2021, all of which aim to improve healthcare cybersecurity protections.

Scott Trevino: TRIMEDX provides a managed service for medical device cybersecurity as well as customized informatics and cyber-service platforms that are developed under our ISO 13485:2016 quality management system, ISO 27001:2013 information security management system processes and procedures, and SOC 2 Type 2 standard.

Ty Greenhalgh: The medical device sector needs to adhere to a wide range of standards to have an effective cybersecurity practice. This is a main challenge for healthcare organizations with limited resources, which is why we built compliance into Claroty’s Medigate platform. Medigate by Claroty adheres to a handful of essential cybersecurity frameworks, the primary one being the NIST framework. We use this framework to help organizations bolster their defenses and mitigate risks by building out the cybersecurity practices and capabilities they need to keep their operations safe. Medigate also supports NIS2, the Network and Information Security Directive version 2, a European Union legislative framework that aims to help organizations maintain compliance and improve critical infrastructure cybersecurity. Our portfolio simplifies NIS2 compliance by focusing on two core directives: cybersecurity risk management and incident reporting. Claroty aligns and supports the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP 2023 Edition) framework by offering advanced cybersecurity solutions tailored to healthcare environments. Their platform provides essential visibility, continuous monitoring, and threat detection for medical devices and IoT systems.

24×7: How do you ensure continuous monitoring and protection against emerging cybersecurity threats to medical devices?

Greenhalgh: Exposure management is key to protecting hospital medical devices from emerging threats. Hospital networks host a range of connected medical devices, but over 75% of these are unknown to healthcare organizations themselves. And with 23% of medical devices—including imaging devices, clinical IoT devices, and surgery devices—having at least one known exploited vulnerability (KEV), it has become more critical than ever for HDOs to apply limited resources to mitigate the vulnerabilities that are most likely to be exploited and cause the most damage. Medigate by Claroty automates the discovery and identification of devices with KEVs that are Internet-facing. These devices may, in fact, have a Common Vulnerability Scoring System ranking that would not gain the attention of the security team, but contain a KEV and be internet-facing, which exposes the organization to higher risk.

Enabling secure access, continuous exposure management, and network segmentation are primary focuses for Claroty when it comes to safeguarding medical devices against threats. By combining Claroty’s secure access capabilities with its continuous exposure management, hospitals can gain visibility into the devices on their network, allowing them to effectively monitor and proactively protect as new patches become available and known vulnerabilities arise. Network segmentation further limits these threats by shutting them down before they spread to other connected devices.

Trevino: With the unique cyber challenges that health systems face, TRIMEDX integrates people, processes, and technology for a closed-loop process on device remediation, continuous monitoring, and protection against emerging threats. The people provide the expertise between HTM, IT, cyber training, and 24/7 responsiveness. The process is in place to help enable and empower teams around inventory, disposition, patching, 24/7 monitoring, and HTM and IT processes/procedures. And finally, the technology helps drive efficiency with monitoring and response time, process automation, and analysis, insights, and action.

Greenhalgh: Claroty Secure Remote Access (SRA) logs all remote user activity performed during a remote session, employing multiple encryption techniques to ensure all user access and asset data are encrypted in the Claroty database. SRA employs password vaulting that ensures all user access and asset data at rest are encrypted in the Claroty DB using AES-256 and hashed as SHA 256-bit. In addition to this, SRA encrypts its data in transit using SSL to encrypt user data and activities via TLS v1.2+ and SSH2 encryption with RSA 4096-bit authentication keys.

Lerman: Balancing long-term best practices with short-term protections is crucial in healthcare cybersecurity. For example, Cynerio offers industry-leading microsegmentation solutions that can significantly enhance network security through the automated generation and testing of network policies. While this is the gold standard, resource limitations and training gaps in some healthcare organizations can make large-scale rollouts challenging. To address this, Cynerio also offers practical, day-one protections like Network Detection and Response (NDR). NDR continuously monitors network traffic to detect and respond to common healthcare cyberattacks, including ransomware and data breaches. This provides immediate protection while giving hospitals time to invest in more comprehensive, long-term solutions.

Somasundaram: Asimily operates with a real-time understanding of what exists in our customers’ medical device environments. By monitoring all network traffic from those devices and equipment, Asimily keeps an up-to-date inventory of devices and potential threats (vulnerabilities and anomalous behavior). That continuous monitoring leads to protection against new vulnerabilities, old-but-newly-exploitable vulnerabilities, and anomalous behavior that could be an indicator of compromise. Rules can be set to trigger alerts or actions based on that behavior. Also, Asimily can record the traffic from any suspicious device using packet-capture. This helps incident responders analyze any anomalies with less time, cost, and effort.
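The monitoring model described above (inventory of known devices, a baseline of normal traffic, rules that raise an alert or quarantine a device, and a packet capture for later analysis) can be sketched as a small rule engine. The code below is an added example, not Asimily's or any vendor's code: the flow records, the inventory, the internal address ranges and the rule ordering are all constructed here for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed baseline: flows seen during a learning window, as
# (src_ip, dst_ip, dst_port, proto). Addresses are hypothetical.
BASELINE_FLOWS = [
    ("10.1.20.11", "10.1.5.2", 104, "tcp"),    # CT scanner -> PACS (DICOM)
    ("10.1.20.11", "10.1.5.9", 2575, "tcp"),   # CT scanner -> HL7 interface engine
    ("10.1.20.12", "10.1.5.2", 104, "tcp"),    # ultrasound -> PACS
]

# Constructed asset inventory: devices the monitoring tool already knows about.
INVENTORY = {"10.1.20.11": "CT scanner", "10.1.20.12": "ultrasound"}

# Constructed flows from a later window that the rules are evaluated over.
NEW_FLOWS = [
    ("10.1.20.11", "10.1.5.2", 104, "tcp"),     # matches baseline, no finding
    ("10.1.20.12", "10.1.5.2", 104, "tcp"),     # matches baseline, no finding
    ("10.1.20.11", "203.0.113.7", 443, "tcp"),  # unexpected external destination
    ("10.1.20.12", "10.1.5.40", 445, "tcp"),    # new internal destination (SMB)
    ("10.1.20.77", "10.1.5.2", 104, "tcp"),     # source not in inventory
]

# Assumed hospital address space; anything outside it counts as external.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def learn_baseline(flows):
    """Map each source device to the set of (dst, port, proto) it normally uses."""
    baseline = defaultdict(set)
    for src, dst, port, proto in flows:
        baseline[src].add((dst, port, proto))
    return baseline


def is_external(ip):
    """True when the address is outside the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


# Rules run in order; the first rule whose predicate matches decides the action.
# Each entry: (name, predicate(src, dst, port, proto, baseline, inventory), action)
RULES = [
    ("new-device",       lambda s, d, p, pr, b, inv: s not in inv,                  "alert"),
    ("baseline-match",   lambda s, d, p, pr, b, inv: (d, p, pr) in b.get(s, set()), "none"),
    ("external-egress",  lambda s, d, p, pr, b, inv: is_external(d),                "quarantine"),
    ("new-internal-peer", lambda s, d, p, pr, b, inv: True,                         "alert"),
]


def evaluate(flows, baseline, inventory, rules=RULES):
    """Return one finding per anomalous flow; flows matching the baseline yield nothing."""
    findings = []
    for src, dst, port, proto in flows:
        for name, predicate, action in rules:
            if predicate(src, dst, port, proto, baseline, inventory):
                if action != "none":
                    findings.append({
                        "rule": name,
                        "device": inventory.get(src, "unknown"),
                        "src": src,
                        "dst": f"{dst}:{port}/{proto}",
                        "action": action,
                        # every anomaly also requests a packet capture for responders
                        "capture": True,
                    })
                break
    return findings


if __name__ == "__main__":
    for f in evaluate(NEW_FLOWS, learn_baseline(BASELINE_FLOWS), INVENTORY):
        print(f"{f['action']:10} {f['rule']:18} {f['device']} ({f['src']}) -> {f['dst']}")
```

Running it yields three findings: the CT scanner's connection to an outside address is the only one that escalates to quarantine, the ultrasound's first-ever SMB connection to an internal host is alerted on, and the unknown source address is reported as a new device. The rule order matters: the inventory check comes first so that an unknown device is never silently accepted because its traffic happens to look normal.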

24×7: Can you describe the encryption techniques your software uses to protect data at rest and in transit?

Lerman: Cynerio adheres to industry-standard encryption practices for data at rest and in transit. All communication between our platform and customer environments utilizes TLS 1.2 encryption. However, focusing solely on data security vendors is not the most pressing issue for hospitals.

Most of the data exchange between medical devices and other hospital systems remains unencrypted. This lack of encryption is a major contributing factor to the hundreds of healthcare data breaches reported each year, with millions of compromised patient records, increased patient mortality rates during attacks, and billions of dollars in recovery costs. While ensuring vendors follow best practices is essential, prioritizing encryption implementation for medical devices, IT systems, and other internal technologies would yield a far greater security improvement for most hospitals.

Somasundaram: All data is encrypted in transit using TLS 1.2. For encryption at rest for sensitive data, Asimily uses PostgreSQL’s inbuilt database encryption options to encrypt the data. Minimal data is stored. For example, [personally identifiable information] is not transmitted or saved.

Trevino: Unprotected data, whether in transit or at rest, presents a security risk for health systems. We apply encryption and data security techniques to protect data in both states consistent with our [information security management system] and [quality management system] policies and procedures and risk assessment. Given the sensitive nature of our clients’ data, including [electronic protected health information], we also ensure compliance with applicable requirements and regulations for privacy and data protection. It’s critical for health systems to take proactive steps to identify and protect at-risk data. Reactive cybersecurity programs will struggle to keep pace with quickly evolving cyberthreats.

24×7: Do you provide real-time security analytics and reporting features? How can these tools help HTM professionals proactively address potential vulnerabilities?

Trevino: Through the seamless integration of people, processes, and technology, along with TRIMEDX’s best-in-class cybersecurity ecosystem integrated with our proprietary CMMS and content library, we are able to deliver faster detection, identification, and response for medical devices around vulnerabilities, FDA safety alerts and recalls, compensating controls, and OEM-validated patches—all of which impact patient safety.

Lerman: Cynerio provides a comprehensive suite of analytics and reporting tools that offer a wealth of data, from detailed inventories of connected devices (IoT, IoMT, OT, and IT) to forensic details on stopped cyberattacks. The reactive value is clear: attacks are stopped swiftly, and HTM professionals receive actionable information to restore impacted devices. Proactively, this data empowers HTM teams to prioritize tasks based on risk, likelihood, and potential patient impact. This ultimately translates to a safer environment for patients, facilities, and finances.

This data is equally important for proactive data, which can help HTM teams prioritize efforts based on risk, likelihood, and patient impact, which in turn ultimately provides a safer environment with lower risk to patients, facilities, and finances.

Greenhalgh: Claroty’s Exposure Management capability empowers organizations to effectively identify and manage vulnerabilities in their medical and IoT devices. This feature allows users to specify the types of vulnerabilities they are concerned with, such as devices with outdated operating systems, KEVs, or those that are internet-facing. With these criteria, Claroty’s platform generates custom reports that list all devices meeting these vulnerability parameters, providing a comprehensive overview of potential risks. This targeted approach enables healthcare organizations to prioritize and address critical vulnerabilities, enhancing their overall cybersecurity posture and protecting patient safety.

Somasundaram: Asimily provides a full set of security analytics and reporting throughout the entire platform. Security analytics includes dashboards, graphs, and tabular data on assets, vulnerabilities, devices, and other associated data—including recalls, risk trends, and newly discovered vulnerabilities.

24×7: In the event of a security breach, what incident response procedures do you have in place?

Greenhalgh: Claroty’s Advanced Threat Detection (ATD) significantly enhances organizations’ incident response capabilities, particularly in the areas of response, restoration, and recovery from security breaches. Integrated with the MITRE ATT&CK framework, specifically the ATT&CK for ICS, Claroty provides a comprehensive taxonomy of attack techniques and methods used by adversaries targeting operational technology (OT) environments. By leveraging five distinct detection engines—anomaly detection, security behaviors, known threats, operational behaviors, and custom rules—Claroty’s platform delivers exceptional visibility into potential threats.

In the event of a security breach, Claroty’s ATD facilitates a swift and effective response by accurately identifying the scope and nature of the threat. The platform’s network-based detection capabilities, purpose-built for OT environments, allow for the quick isolation and containment of compromised devices, minimizing operational disruptions. Restoration and recovery are further streamlined by the platform’s ability to provide detailed reports on the vulnerabilities exploited, which aids in patching and remediation efforts. Complementing these capabilities with a leading endpoint detection and response solution, such as CrowdStrike, provides enterprises with comprehensive detection for both known and unknown attacks. This integration ensures that organizations not only respond effectively to breaches but also restore normal operations quickly and recover fully, thereby maintaining a robust cybersecurity posture.

Trevino: TRIMEDX has robust incident response, continuity of service, and business continuity plans in place that are regularly reviewed, updated, and audited. We also conduct regular tabletop and similar exercises to test these processes and procedures.

Somasundaram: Asimily customers typically use the Asimily Incident Response capabilities to reduce costs, accelerate response times, and ensure comprehensive coverage in their procedures. For a typical healthcare delivery organization, they will learn about anomalous behavior from Asimily’s broad detection capabilities. With access to real-time network data from all connected devices—typically via a SPAN port—Asimily’s scalable edge devices harness that information to yield security insights.
These insights include identifying new devices transmitting on the network and correlating devices to their vulnerabilities. Asimily assesses the severity (risk) of the vulnerabilities relative to the devices, including the impact of the loss of function of the device in its own network and usage context. This means highly used devices are prioritized over little-used devices, and low-quantity devices are prioritized over those with multiple backups. The system watches for anomalous behavior from devices that could be indicators of compromise. It uses built-in and/or custom rules to detect and act on anomalies, triggering actions ranging from alerting to network quarantining. Asimily allows automatic or manual packet capture for device anomalous behavior, lowering the cost of incident response and speeding up their resolution. Users receive regular updates from Asimily for new or newly active threats, better protecting against ever-evolving threats from adversaries. Post-event, robust reporting and device activity timelines provide the structure needed to improve processes, satisfy regulators and auditors, and enhance overall cybersecurity posture. In a worst-case scenario of compromised devices, Asimily helps return them to a known good state using configuration snapshots.
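Two of the answers in this roundtable describe the same prioritization idea from different sides: Greenhalgh's point that a device with a modest CVSS score but a CISA Known Exploited Vulnerabilities (KEV) entry and internet exposure deserves more attention than its score suggests, and Somasundaram's point that loss-of-function impact depends on how heavily a device is used and how many equivalent devices could cover for it. The example below, added here and not taken from either vendor's product, combines both into one risk ranking. The device records are constructed, the CVE identifiers are placeholders, and the weighting factors (KEV doubles likelihood, internet exposure multiplies it by 1.5, redundancy divides impact) are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class DeviceFinding:
    """One vulnerability on one device type. All values below are constructed samples."""
    device: str
    cve: str            # placeholder identifier, not a real CVE number
    cvss: float         # CVSS base score, 0-10
    kev: bool           # listed in CISA's Known Exploited Vulnerabilities catalog
    internet_facing: bool
    utilization: float  # fraction of clinical hours the device is in use, 0-1
    redundancy: int     # equivalent devices that could absorb its workload


def likelihood(f):
    """Chance the flaw is actually exploited: CVSS as a base, boosted by KEV and exposure.

    The boost factors are assumptions for this example, not a published formula.
    """
    score = f.cvss / 10.0
    if f.kev:
        score *= 2.0
    if f.internet_facing:
        score *= 1.5
    return min(score, 1.0)


def impact(f):
    """Loss-of-function impact: a heavily used device with no backup hurts the most."""
    return f.utilization / (1 + f.redundancy)


def risk(f):
    """Combined ranking score; rounded so ties and float noise do not reorder the list."""
    return round(likelihood(f) * impact(f), 4)


def prioritize(findings):
    """Highest-risk findings first; this is the order a limited HTM team would work."""
    return sorted(findings, key=risk, reverse=True)


SAMPLE = [
    DeviceFinding("lab analyzer",        "CVE-XXXX-0001", 9.8, False, False, 0.8, 0),
    DeviceFinding("imaging workstation", "CVE-XXXX-0002", 5.3, True,  True,  0.8, 0),
    DeviceFinding("infusion pump",       "CVE-XXXX-0003", 9.8, True,  False, 0.9, 40),
    DeviceFinding("portable ultrasound", "CVE-XXXX-0004", 7.5, False, False, 0.1, 0),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk(f):.3f}  {f.device:20} {f.cve}  "
              f"cvss={f.cvss} kev={f.kev} internet={f.internet_facing} "
              f"util={f.utilization} backups={f.redundancy}")
```

With the sample data the imaging workstation (CVSS 5.3, but KEV-listed and internet-facing, no backup) ranks first, ahead of the lab analyzer with a 9.8 score that is neither exploited in the wild nor exposed. The infusion pump carries the same 9.8 score and a KEV entry, yet lands last because forty interchangeable pumps can cover for any one of them, while the lightly used single ultrasound sits in between. Sorting by CVSS alone would have produced almost the opposite order.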

Lerman: Cynerio’s NDR solution continuously analyzes network traffic for anomalies that might indicate an attack or breach. If a security event is detected, NDR provides real-time, in-depth details about the compromised devices, locations, and remediation steps. Our Cynerio Live team also offers additional human expertise to deploy microsegmentation policies, guide hospitals through the remediation process, and quickly automate the remediation process.

24×7: How does your software handle security updates and patches for medical devices it interacts with or manages?

Somasundaram: If a patch is available from the device manufacturer, it is highlighted alongside the device with instructions on how to obtain and install it. Asimily regularly checks major device manufacturers for their latest patches, so they can be added to the Asimily platform.

Trevino: Our cyber team manages over 70 sources of intelligence on vulnerabilities and related remediations and mitigations, as well as active OEM management, to precisely identify affected devices, validated patches, and/or compensating controls. These, along with our proprietary content library of patches, remediations, and mitigating compensating controls for all identified vulnerabilities, help manage medical devices within the hospital network. Again, technology alone is just a piece, as it’s important that our people and processes are fully integrated to provide cyber service excellence, ensuring quick detection and response.

Lerman: By analyzing network traffic, Cynerio can identify medical devices and their current patch status. This allows us to quickly pinpoint outdated devices and provide specific patch details, including clear instructions for implementation. This targeted approach empowers HTM teams to resolve these issues efficiently, often closing tickets within minutes instead of wasting time searching for patch information and procedures.

Greenhalgh: Patching medical devices is a time-consuming and complex process for both medical device manufacturers and healthcare delivery organizations. Often, patches are not immediately available, or there are significant delays in testing and updating devices. During these intervals, vulnerable devices must be protected with compensating controls to mitigate risk. Claroty supports this need by offering comprehensive recommendations for hardening these devices, including automating the network segmentation process. This approach ensures that vulnerable devices are isolated and shielded from potential threats, maintaining security and operational integrity until patches can be effectively implemented.