Hey, Information Security, how’s it going? You may remember me, Bob in IT. Thanks for meeting me over coffee. Did you order already? I did, too. While we’re waiting for them to bring it out, let me tell you about the conversation I had with our biomed colleagues.
They heard about the recent WannaCry ransomware attack and were asking me how bad it was for networking to handle. They were happy not to be the attack source and asked what we could do to help better secure them. Now, this is something you and I have discussed before: biomedical equipment is a huge attack surface. They’re well aware of this, but they’re not sure how to approach the problem.
I explained that one hurdle in protecting medical equipment is the lack of network security features built into their devices. For starters, supplicant support for strongly authenticating a connecting device is nearly nonexistent. Most wireless stuff is PSK’d (you know, pre-shared key)—and forget about wired. I asked them if they’d start soliciting their OEMs to add supplicants into their gear, and told them that they need to support stronger Extensible Authentication Protocol-types than just a PSK. Transport layer security, or TLS, being preferred, of course, for managing their credentials from our public key infrastructure (PKI). But, for now, we’re relegated to MAC authentication.
Still, it’s something, no? Sure, it’s weak, but it’s what we’ve got for now so we’d better make use of it. I don’t know about you, but I don’t want to be the one to explain to executive management that we could have used this for some measure of risk reduction but didn’t ‘cause it wasn’t effective enough. Building this of course doesn’t come free, but it beats the heck out of paying multimillion dollar HIPAA fines for exposing patient records.
Oh, good, coffee’s here. Whaddya think so far? Yeah, I agree. Managing a MAC database is a pain, and I concur that this still doesn’t help us with answering what is connecting so that we can apply security and assurance policies. I floated the idea we had about adapting BYOD principles to medical equipment—our so-called BYOMD, Bring Your Own Medical Device.
I explained the concept would be similar to how they securely on-boarded their personal phones onto the wireless LAN. When they try to connect, they’re redirected to a registration portal where they’re able to enroll their phones and install the company’s MDM software. Biomeds remembered doing this with their own phones.
I suggested we could build a similar registration portal for medical equipment, as you and I discussed. As part of biomedical engineering’s staging process, the tech preparing a new device would use the portal to register its MAC address so we can subsequently authenticate it. But they’d also tell us what device type this is when enrolling it. That way we’d automatically be able to apply the correct networking, security and quality of service policies for the attaching device.
What did they think of it? Well, they understood what we were trying to do but came up with a better idea.
Biomed maintains an asset management system. It’s for inventory, maintenance, and compliance purposes. When biomeds stage or service a device, they scan a barcode that enters or pulls up the equipment record in their inventory system. When they do, they could also scan the device’s MAC address, as that’s also usually printed on a label. Then, we could build a harvester that collects the MACs as they’re entered and replants them into our RADIUS server. This way, their process doesn’t change much and we gain a MAC authentication database built with minimal effort!
Well look, thanks again for the chat. I gotta’ get to my staff meeting. Next time, let me explain what biomed told me about the FDA’s UDI system and how it could solve our device profiling problem.
Robert Sayle, CCIE security emeritus, is a technical solutions architect for Cisco Systems, Inc., in Irvine, CA, and a member of AAMI’s Wireless Strategy Task Force.