Robert Sayle: Going with the (Analytics) Flow

Hey biomed! It’s me again, Bob in IT. What are you doing up here in labor and delivery? I’m here troubleshooting a problem the nurses are having with their wireless phones. I’m glad I ran into you—got a moment?

We’ve been talking a lot about on-boarding your equipment: authentication, profiling, and then securing the link. That’s all well and good (and necessary, even), but none of it addresses what to do about monitoring a medical device after it’s connected to the network.

And as you know, this gives the information security (Infosec) team heartburn because they want to periodically assess your equipment’s security posture. That’s right—they keep asking to point their scanners at the biomed subnets in an effort to catch any problems and remediate the situation before it gets any worse. You know what that means: probing your equipment. Meaning, their security scanners will try to communicate with medical devices using any and all possible protocols to see which ones each device responds to, and then assess it on that basis.

I know; the idea of letting Infosec probe active medical devices poses too great a risk to patient safety. Who knows how a respirator or pulse oximeter will respond to a shotgun of queries? We can’t risk a scan accidentally triggering a software defect that causes a patient monitor to crash.

What if I told you there’s a way to passively monitor your equipment’s security posture? The network can do this, and it’ll take no effort on your part.

It’s based on flow analytics. Whenever a machine makes a connection and transmits data, the network to which it connects notes the transaction in a flow record. The record contains all sorts of information on the exchange such as source and destination addressing, protocol used, and the amount of data sent, among other measures. Periodically, the network device performing flow monitoring pushes its records to a collector.

The collector, which is a software application, stores the records and then performs an analysis. This could range from something as simple as a histogram of a station’s communication and utilization to something more complex, such as the hop-by-hop path a flow takes through the network from a medical device to its controller.

Now, here’s the rub. You know how the medical research community has been using big data and analytics to work on unlocking the human genome and finding patterns in population health? Well, the IT world has been using machine learning techniques to reach root cause faster when a failure happens or to predict potential problems before they happen—in this case, to identify cybersecurity threats.

Security analytics tools now exist that use flow data to baseline nominal behavior, spot anomalies, and classify attacks with surprisingly good accuracy. This helps security operations teams triage events faster, contain active threats, remediate breaches, and perform post-attack forensics and auditing.
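Here is a small sketch of that baseline-then-flag idea, added as an illustration; it is not the author's code or any vendor's product. The addresses, the port, the byte counts, and the thresholds are all constructed assumptions, and only flow metadata is used, never payload.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (src, dst, proto, dst_port, bytes).
# A patient monitor reporting to its central station during a quiet week.
BASELINE_FLOWS = [
    ("10.20.1.15", "10.20.9.5", "tcp", 2575, 4000),
    ("10.20.1.15", "10.20.9.5", "tcp", 2575, 4100),
    ("10.20.1.15", "10.20.9.5", "tcp", 2575, 3900),
    ("10.20.1.15", "10.20.9.5", "tcp", 2575, 4050),
    ("10.20.1.15", "10.20.9.5", "tcp", 2575, 3950),
]

def build_baseline(flows):
    """Learn, per device, which conversations are normal and how big they are."""
    seen = defaultdict(lambda: defaultdict(list))
    for src, dst, proto, port, nbytes in flows:
        seen[src][(dst, proto, port)].append(nbytes)
    return {
        src: {conv: (mean(sizes), pstdev(sizes)) for conv, sizes in convs.items()}
        for src, convs in seen.items()
    }

def assess(flow, baseline, z_limit=3.0):
    """Return a list of findings for one new flow record (empty list = nominal)."""
    src, dst, proto, port, nbytes = flow
    profile = baseline.get(src)
    if profile is None:
        return ["unknown-device"]        # never profiled on this subnet
    conv = (dst, proto, port)
    if conv not in profile:
        return ["new-conversation"]      # device is talking to a new peer or port
    mu, sigma = profile[conv]
    sigma = max(sigma, 1.0)              # avoid dividing by zero on flat baselines
    if abs(nbytes - mu) / sigma > z_limit:
        return ["volume-anomaly"]        # known peer, unusual amount of data
    return []

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for f in [
        ("10.20.1.15", "10.20.9.5", "tcp", 2575, 4080),
        ("10.20.1.15", "10.20.9.5", "tcp", 2575, 250000),
        ("10.20.1.15", "203.0.113.7", "tcp", 443, 1200),
        ("10.20.1.99", "10.20.9.5", "tcp", 2575, 4000),
    ]:
        print(f, assess(f, baseline) or "nominal")
```

None of this touches the device itself: the records come from the switch or router, so nothing is probed and nothing is installed.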

It even works on encrypted data. This is pretty powerful. Normally, we’d have to put a proxy in the middle of any encrypted flows in order to decrypt the session and inspect it before making a policy decision. It’s nearly impossible to do this across all the potential secured flows in a hospital’s network. It costs too much and adds latency to transactions, making users wait for their data. But with flow analytics, no such proxy is required. There will be no impact on our staff’s normal workflow and no extra equipment for us to buy and manage.

But it gets even better. Using flow analytics, no agents need to be installed on any of your equipment or servers. You don’t need to run any anti-virus or anti-malware software on your workstations or medical devices. Like I said before, there’s really nothing for you to do. Well, except help endorse this approach!

Why don’t we work on pulling together a planning meeting with Infosec and talk about flow analytics as an alternative to their request for scanning the biomed networks? I’ve got to run. Let’s talk again soon!

Robert Sayle, CCIE security emeritus, is a technical solutions architect for Cisco Systems, Inc., in Irvine, CA, and a member of AAMI’s Wireless Strategy Task Force.

3 thoughts on “Robert Sayle: Going with the (Analytics) Flow”

  1. Sounds good, Bob. Draft that up in the form of a joint department policy my equipment management and environment of care committees might swallow and create a service level agreement my boss might be tempted to sign off on, and I will be happy to carry it up the ladder. Scot from Biomed

  2. At risk of being frivolous (again), maybe Bob from IT needs to figure out a way to address these issues besides dropping in on people–when they are busy–laying a bunch of stuff on them that they don’t understand, and then running off.
