Virta Blabs


Be the Hero of Your Weekly Ransomware Staff Meeting

Posted by Ben Ransford on May 15, 2017 6:25:00 AM

(This post is part 1 of 2. Tomorrow we'll talk about how we coax identifiers out of clinical devices.)

This week's outbreak of click-less ransomware has not been kind to continuity of hospital operations. The bad guys on the outside know the cybersecurity risks of the clinical networks better than the good guys on the inside. That's not a fair fight. How do the bad guys write such infectious malware? Thanks to easily used tools and public information sources, they know your inventory of software better than you do.

So here's a recommended script for your 7AM emergency cabinet meetings:

1. Offer 60 seconds for your staff to complain about ransomware.

Share a couple horror stories and anecdotes of dodged ransomware bullets. Then stop admiring the problem and focus on your own assets.

2. Biomedical engineering and the IT department need to be on the same page.

In our experience, the best prepared hospitals have a collaborative culture between biomedical engineering and IT. Maybe IT tipped over radiology a few times while trying to "help" biomedical engineering with vulnerability scanning. Don't blame people; you need to work together to continuously assess your population of devices, because otherwise the bad guys are going to do it anyway, and they will not share the results with you.

If your governance structure leads to in-fighting over responsibility and accountability for cybersecurity of networked medical devices, then your governance is broken. If your management does not provide a cybersecurity budget close to the industry standard for health systems, then maybe the Board needs a shake-up (4% of the IT budget is sad, 11% of the IT budget means you worry about nation state threats).

The CEO needs to empower an executive or manager who understands both IT and clinical risk to make cybersecurity decisions. Examples of potential candidates: a nurse with a degree in management of IT systems will likely understand the importance of safety and health outcomes in the context of cybersecurity. An IT manager who volunteers as an EMT will better understand that IT security is a means to an end, and that security must support safe delivery of healthcare.

3. Fix your networked medical device inventory by fixing the process.

Within a hospital, biomedical engineering often owns the database of medical devices for the Joint Commission certification of 99% accuracy of inventory of life-sustaining devices, but IT owns the databases of network inventory. The days of separately managed data ended when your medical devices joined the network. You have to do both at the same time to understand what networked medical device assets are at risk. We find the most mature healthcare systems follow the NIST cybersecurity framework to first enumerate the risks of assets (both tracked assets and shadow IT). Only after getting solid coverage of the asset population can one make risk-based and business-based decisions on how to compensate for security deficiencies in medical devices. Hire an expensive consulting team or buy a product from any healthcare cybersecurity vendor to get a grip on your inventory and prioritized remediations and compensating controls. The third step is the most forgotten: continuously measure the effectiveness of your compensating controls, because the bad guys certainly do. No security solution will last in perpetuity, so you must constantly verify controls and adapt to shifting threats and new vulnerabilities. But do so in a risk-based manner focused on essential clinical performance. Do not fetishize cybersecurity, for it is merely a means to an end: safe and highly available delivery of healthcare.
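The step above, reconciling the biomed device register with IT's network inventory so that coverage of the asset population can actually be measured, is easy to describe and easy to get wrong in practice because the two databases key devices differently and hand-entered MAC addresses come in several formats. The following is an added example, not Virta Labs code or BlueFlow: it joins a constructed CMMS-style export against a constructed network inventory on a normalized MAC address, reports devices seen on the wire that nobody owns (shadow IT candidates), registered devices never observed on the network, records that cannot be matched at all, and a coverage ratio. Field names and all sample values are assumptions for illustration.

```python
"""Reconcile a biomedical-engineering device register with the IT network
inventory to measure asset coverage and surface untracked (shadow IT) devices.

Added example, not Virta Labs code. Record formats, field names and sample
values are constructed for illustration.
"""
import re
from typing import Optional


def normalize_mac(mac: str) -> Optional[str]:
    """Return a canonical lowercase colon-separated MAC, or None if unusable.

    Hand-maintained inventories mix 00-1A-2B-..., 001a.2b3c.... and blanks,
    so everything is keyed on the 12 hex digits rather than the raw string.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac or "")
    if len(hexdigits) != 12:
        return None
    h = hexdigits.lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


# Constructed sample: biomed CMMS export (what the accreditation audit sees).
BIOMED_REGISTER = [
    {"asset_tag": "BME-0001", "description": "Infusion pump",   "mac": "00-1A-2B-3C-4D-01", "life_sustaining": True},
    {"asset_tag": "BME-0002", "description": "Patient monitor", "mac": "001a.2b3c.4d02",    "life_sustaining": True},
    {"asset_tag": "BME-0003", "description": "Ultrasound cart", "mac": "",                  "life_sustaining": False},
    {"asset_tag": "BME-0004", "description": "Ventilator",      "mac": "00:1A:2B:3C:4D:04", "life_sustaining": True},
]

# Constructed sample: IT network inventory (e.g. DHCP leases or switch CAM table).
NETWORK_INVENTORY = [
    {"mac": "00:1a:2b:3c:4d:01", "ip": "10.20.1.11", "vlan": "clinical"},
    {"mac": "00:1a:2b:3c:4d:02", "ip": "10.20.1.12", "vlan": "clinical"},
    {"mac": "00:1a:2b:3c:4d:99", "ip": "10.20.1.40", "vlan": "clinical"},  # no owner in biomed register
    {"mac": "00:1a:2b:3c:4d:77", "ip": "10.20.5.8",  "vlan": "guest"},
]


def reconcile(biomed, network):
    """Join the two inventories on normalized MAC and classify every record."""
    by_mac = {}
    unkeyed = []  # biomed records with no usable MAC cannot be matched at all
    for rec in biomed:
        mac = normalize_mac(rec["mac"])
        if mac is None:
            unkeyed.append(rec["asset_tag"])
        else:
            by_mac[mac] = rec

    seen = {}
    for rec in network:
        mac = normalize_mac(rec["mac"])
        if mac is not None:
            seen[mac] = rec

    matched = sorted(m for m in by_mac if m in seen)
    shadow = sorted(m for m in seen if m not in by_mac)
    never_seen = sorted(by_mac[m]["asset_tag"] for m in by_mac if m not in seen)
    # Life-sustaining devices the network has never seen deserve a human look:
    # either they are genuinely offline or the register is stale.
    priority = sorted(by_mac[m]["asset_tag"] for m in by_mac
                      if m not in seen and by_mac[m]["life_sustaining"])
    # Coverage: fraction of devices observed on the wire that someone owns.
    coverage = len(matched) / len(seen) if seen else 1.0
    return {
        "matched": matched,
        "shadow": shadow,
        "never_seen": never_seen,
        "priority": priority,
        "unkeyed": sorted(unkeyed),
        "coverage": coverage,
    }


if __name__ == "__main__":
    report = reconcile(BIOMED_REGISTER, NETWORK_INVENTORY)
    print(f"coverage of observed devices: {report['coverage']:.0%}")
    for key in ("shadow", "never_seen", "priority", "unkeyed"):
        print(f"{key:>11}: {report[key]}")
```

Run once per reconciliation cycle rather than once per audit: the coverage number is the metric the text says to keep measuring, and the "shadow" list is the input to the risk-based prioritization that follows. Records in "unkeyed" are a data-quality finding in their own right, since a device with no network identifier in the register can never be correlated with anything IT observes.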


Topics: Ransomware, Asset Discovery

American Hospital Association Advice on cybersecurity

Posted by Ben Ransford on Mar 7, 2017 3:23:09 PM

Medical Device Security is an Inventory Problem

Last week, the American Hospital Association (AHA) interviewed us on how to improve medical device security for its podcast to member hospitals. The AHA represents and serves all types of hospitals, health care networks, and their patients and communities in the United States. Nearly 5,000 hospitals, health care systems, networks, other providers of care and 43,000 individual members come together to form the AHA.

Our colleagues at the AHA get a lot of questions from their members on medical device security. How can a healthcare delivery organization assess the cybersecurity of its inventory of medical devices without resorting to manual entry? How much security is enough? What are the roles of ISAOs? 

Visit the AHA website to listen to their podcast interview of Dr. Kevin Fu of Virta Labs.


Topics: Asset Discovery

Back to Business: Continuity of Clinical Operations

Posted by Ben Ransford on Sep 6, 2016 3:53:33 PM

Virta Labs provides a managed cybersecurity service to help hospitals manage their clinical assets and ensure continuity of operations. But our team has an interesting history: we coauthored the first research on cardiac implant security in 2008 and have published extensively on medical device security since then. As a result, we recently received a flood of technical questions unrelated to our normal menu of services. Virta Labs engineers took time away from building BlueFlow to provide a seminar, white paper, and consultations and to develop our own scientific experimental methods. We're glad that the industry is developing interest in improving medical device security as we've urged for nearly a decade. While this was a necessary and important diversion for us, we are getting back to our core business and clinical tests of BlueFlow.

We have no financial relationship with Muddy Waters Research LLC, St. Jude Medical, or MedSec Ltd. We plan to release a peer-reviewed report shortly so that the greater community may analyze our findings and results.

Topics: Medical Device Security, Clinical Engineering, Healthcare IT, Asset Discovery, Medical Device Risk Scoring, Shadow IT, Vulnerability Scanning, Clinical Databases, Medical Device Risk Assessments