Hey, biomed! It’s me, Bob in IT. I’m from the networking team. I know we haven’t spoken much, but I think we should. You see, we’ve got some problems we need to solve. I have ideas on what to do, but I don’t totally understand your systems, so I need your input.
Let’s take security for instance. The security guy was just in my office asking what I’m doing to secure biomed devices. The answer is, honestly, not much. I just give you some ports on a switch or access to a wireless network and let you go, because I don’t want to stand in your way. But I’m not so sure that approach is going to fly anymore.
You see, the last breach has this place all spooked, and they’re looking at every possible attack vector, including biomed devices. Another intrusion could cost our hospital millions more in fines and bad PR. Look, the last thing I want is the security bosses breathing down my neck, your neck, or worst of all our bosses’ necks, and asking why we didn’t take better steps when we could have. Let’s not mention what would happen if The Joint Commission was in the middle of an inspection during a cyberattack.
Well, listen. Remember last fall you were telling me about the FDA’s unique device identification (UDI) system, and I had mentioned that it would be useful to snoop the UDI on the network so we could identify what device type was connecting? The network could then automatically install some security controls to protect the device as well as assure its data transmissions? The problem was that UDIs are printed on devices as opposed to embedded in their firmware for electronic use. Even if they were available, then we’d need to get manufacturers to transmit them. I’d suggested what is called a link-layer discovery protocol or LLDP, as detailed in my recent article in Horizons. Anyway, I think I have a simpler approach to get us by for now.
What if I built a device registration portal for you? Suppose I created a website where you can select the machine you’re putting on the network and then you just filled out one field I need? I just need the device’s MAC address. It’s used to direct traffic on the network, but it’s uniqueness gives me a rudimentary way to authenticate the device, which, by the way, is not a terribly secure method, but we can talk about alternatives another day. For now, I can use the MAC address as a way to at least say, “This is a device I trust because biomed said so,” and then I can use it to look up the device type that’s connecting in order to secure its link.
Here’s another idea: You have an asset management system, right? Tell me about it. How do you get your equipment registered into it? Do you think you could start tracking MAC addresses if you don’t already? Maybe the asset management system has an API? If so, I could just write a connector between my network authentication database and your asset management system. Anytime you add a new device, it gets added to mine. And when you decommission something, it would be removed from mine, too. In other words, let’s automate this and take it off both our plates.
What do you think? Got any other ideas?
Next time, let’s talk more about alternative authentication methods to MAC addresses. Good talk.
Robert Sayle, CCIE security emeritus, is a technical solutions architect for Cisco Systems, Inc., in Irvine, CA, and a member of AAMI’s Wireless Strategy Task Force.