Robert Sayle: A Conversation Worth Having for Network Security

Hey, Information Security, how’s it going? You may remember me, Bob in IT. Thanks for meeting me over coffee. Did you order already? I did, too. While we’re waiting for them to bring it out, let me tell you about the conversation I had with our biomed colleagues.

They heard about the recent WannaCry ransomware attack and were asking me how bad it was for networking to handle. They were happy not to be the attack source and asked what we could do to help better secure them. Now, this is something you and I have discussed before: biomedical equipment is a huge attack surface. They’re well aware of this, but they’re not sure how to approach the problem.

I explained that one hurdle in protecting medical equipment is the lack of network security features built into their devices. For starters, supplicant support for strongly authenticating a connecting device is nearly nonexistent. Most wireless stuff is PSK’d (you know, pre-shared key)—and forget about wired. I asked them if they’d start soliciting their OEMs to add supplicants into their gear, and told them that they need to support stronger Extensible Authentication Protocol-types than just a PSK. Transport layer security, or TLS, being preferred, of course, for managing their credentials from our public key infrastructure (PKI). But, for now, we’re relegated to MAC authentication.

Still, it’s something, no? Sure, it’s weak, but it’s what we’ve got for now so we’d better make use of it. I don’t know about you, but I don’t want to be the one to explain to executive management that we could have used this for some measure of risk reduction but didn’t ‘cause it wasn’t effective enough. Building this of course doesn’t come free, but it beats the heck out of paying multimillion dollar HIPAA fines for exposing patient records.

Oh, good, coffee’s here. Whaddya think so far? Yeah, I agree. Managing a MAC database is a pain, and I concur that this still doesn’t help us with answering what is connecting so that we can apply security and assurance policies. I floated the idea we had about adapting BYOD principles to medical equipment—our so-called BYOMD, Bring Your Own Medical Device.

I explained the concept would be similar to how they securely on-boarded their personal phones onto the wireless LAN. When they try to connect, they’re redirected to a registration portal where they’re able to enroll their phones and install the company’s MDM software. Biomeds remembered doing this with their own phones.

I suggested we could build a similar registration portal for medical equipment, as you and I discussed. As part of biomedical engineering’s staging process, the tech preparing a new device would use the portal to register its MAC address so we can subsequently authenticate it. But they’d also tell us what device type this is when enrolling it. That way we’d automatically be able to apply the correct networking, security and quality of service policies for the attaching device.

What did they think of it? Well, they understood what we were trying to do but came up with a better idea.

Biomed maintains an asset management system. It’s for inventory, maintenance, and compliance purposes. When biomeds stage or service a device, they scan a barcode that enters or pulls up the equipment record in their inventory system. When they do, they could also scan the device’s MAC address, as that’s also usually printed on a label. Then, we could build a harvester that collects the MACs as they’re entered and replants them into our RADIUS server. This way, their process doesn’t change much and we gain a MAC authentication database built with minimal effort!

Well look, thanks again for the chat. I gotta’ get to my staff meeting. Next time, let me explain what biomed told me about the FDA’s UDI system and how it could solve our device profiling problem.

Robert Sayle, CCIE security emeritus, is a technical solutions architect for Cisco Systems, Inc., in Irvine, CA, and a member of AAMI’s Wireless Strategy Task Force.

, , ,

Connect

Subscribe to our RSS feed and social profiles to receive updates.

Trackbacks/Pingbacks

  1. Robert Sayle: HTM Must Work with Manufacturers to Improve Wireless Security | AAMIBlog - September 19, 2017

    […] let’s get back to MACs. I was talking with Information Security about this, and we both agree that using MACs to authenticate your equipment isn’t ideal. We’re not […]

  2. Robert Sayle: What Does Cybersecurity Need? Supplicants | AAMIBlog - July 18, 2017

    […] I was talking with Infosec about this. We both agree that using MACs to authenticate your equipment isn’t ideal. We’re not […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: